/* EdgeOS (Vyatta-style) router configuration: zone-based firewall, four LAN-side */
/* networks (eth1, eth1.2, eth1.3, eth2), DHCP/DNS services, masquerade NAT on eth0. */
/* Review notes are inline as comments; none change a configured value. */
firewall {
    /* Router answers ICMP echo; directed broadcast pings are refused. */
    all-ping enable
    broadcast-ping disable
    group {
        /* Source set for NAT rule 5010 below. NOTE(review): LAN2's subnet */
        /* 192.168.20.0/24 (eth2) is not a member, so outbound traffic from LAN2 */
        /* is not masqueraded by rule 5010 - confirm whether that is intended. */
        network-group fwgroup {
            description ""
            network 192.168.2.0/24
            network 192.168.30.0/24
            network 192.168.40.0/24
        }
    }
    /* IPv6 rulesets. Only allow-est-drop-inv-6 and lan-local-6 are referenced by */
    /* zone-policy in this config; allow-all-6 is defined but unused here. */
    /* allow-all-6: default accept; drops and logs invalid-state packets. */
    ipv6-name allow-all-6 {
        default-action accept
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol ipv6-icmp
        }
    }
    /* allow-est-drop-inv-6: stateful "reply-only" set - accepts established/related */
    /* and ICMPv6, drops (and logs) everything else including new connections. */
    ipv6-name allow-est-drop-inv-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol ipv6-icmp
        }
    }
    /* lan-local-6: what LAN-side zones may send to the router itself over IPv6. */
    /* Mirrors the IPv4 lan-local ruleset below; no IPv6 addresses are configured */
    /* on any interface in this file, so this is presumably inactive - verify. */
    ipv6-name lan-local-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol ipv6-icmp
        }
        rule 200 {
            action accept
            description "Allow HTTP/HTTPS"
            destination {
                port 80,443
            }
            protocol tcp
        }
        rule 600 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 700 {
            action accept
            description "Allow DHCP"
            destination {
                port 67,68
            }
            protocol udp
        }
        rule 800 {
            action accept
            description "Allow SSH"
            destination {
                port 22
            }
            protocol tcp
        }
    }
    /* Kernel hardening toggles: ignore ICMP redirects and source-routed packets, */
    /* log packets with impossible source addresses. */
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* VLAN3_IN / VLAN3_LOCAL: defined but not referenced anywhere in this config */
    /* (zone-policy does not use them and no interface-level firewall is shown). */
    /* Both default to accept, so they are permissive if ever attached. */
    name VLAN3_IN {
        default-action accept
        description ""
        /* Blocks VLAN3 -> main LAN (192.168.2.0/24); everything else passes. */
        rule 1 {
            action drop
            description LAN
            destination {
                address 192.168.2.0/24
            }
            log disable
            protocol all
        }
    }
    name VLAN3_LOCAL {
        default-action accept
        description ""
        rule 1 {
            action accept
            description DNS
            destination {
                port 53
            }
            log disable
            protocol udp
        }
    }
    /* allow-all: despite the name, invalid-state packets are dropped and logged */
    /* before rule 2000 admits all remaining traffic. */
    name allow-all {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 2000 {
            action accept
            protocol all
        }
    }
    /* allow-est-drop-inv: IPv4 "reply-only" set used for WAN -> inside and for */
    /* VIF3 -> WAN; new connections are dropped and logged. */
    name allow-est-drop-inv {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    /* lan-local: services LAN-side zones may reach on the router itself. */
    /* Rule 200 admits tcp/80,443 from every LAN-side zone, i.e. the web GUI */
    /* (service gui below listens on both ports) is reachable from all of them. */
    name lan-local {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            protocol icmp
        }
        rule 200 {
            action accept
            description "Allow HTTP/HTTPS"
            destination {
                port 80,443
            }
            protocol tcp
        }
        rule 600 {
            action accept
            description "Allow DNS"
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 700 {
            action accept
            description "Allow DHCP"
            destination {
                port 67,68
            }
            protocol udp
        }
        rule 800 {
            action accept
            description "Allow SSH"
            destination {
                port 22
            }
            protocol tcp
        }
    }
    receive-redirects disable
    /* NOTE(review): the router will emit ICMP redirects (send-redirects enable) */
    /* and reverse-path source validation is off (source-validation disable), so */
    /* spoofed-source packets arriving on the wrong interface are not rejected */
    /* here - only logged via log-martians when the source is a martian. */
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    /* eth0: upstream, address from the ISP's DHCP. */
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        speed auto
    }
    /* eth1: main LAN, with two 802.1Q sub-interfaces for VLAN2 and VLAN3. */
    ethernet eth1 {
        address 192.168.2.1/24
        description LAN
        duplex auto
        speed auto
        vif 2 {
            address 192.168.30.1/24
            description VLAN2
            mtu 1500
        }
        vif 3 {
            address 192.168.40.1/24
            description VLAN3
            mtu 1500
        }
    }
    ethernet eth2 {
        address 192.168.20.1/24
        description LAN2
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        /* LAN: dynamic pool .150-.253; fixed leases below for known devices, */
        /* which the DNS forwarder does not learn (hostfile-update disable). */
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.2.150 {
                    stop 192.168.2.253
                }
                static-mapping 1022n {
                    ip-address 192.168.2.8
                    mac-address 00:14:38:e6:34:1c
                }
                static-mapping airport {
                    ip-address 192.168.2.4
                    mac-address d8:30:62:2e:fe:67
                }
                static-mapping airport2 {
                    ip-address 192.168.2.5
                    mac-address 7c:d1:c3:ca:20:24
                }
                static-mapping appletv {
                    ip-address 192.168.2.141
                    mac-address 58:55:ca:07:de:0a
                }
                static-mapping enermax {
                    ip-address 192.168.2.12
                    mac-address 00:23:54:91:7b:bd
                }
                static-mapping macbooklan {
                    ip-address 192.168.2.102
                    mac-address a8:20:66:38:52:81
                }
                static-mapping macbookwifi {
                    ip-address 192.168.2.100
                    mac-address 5c:96:9d:78:28:23
                }
                static-mapping mmini {
                    ip-address 192.168.2.101
                    mac-address c4:2c:03:0d:5b:b5
                }
                static-mapping nest {
                    ip-address 192.168.2.31
                    mac-address 18:b4:30:09:a7:ab
                }
                static-mapping newmmlan {
                    ip-address 192.168.2.103
                    mac-address a8:20:66:11:6b:6f
                }
                static-mapping obi {
                    ip-address 192.168.2.30
                    mac-address 9c:ad:ef:20:1c:b9
                }
                static-mapping ps3 {
                    ip-address 192.168.2.40
                    mac-address 00:15:c1:ce:d9:46
                }
                static-mapping ps3wifi {
                    ip-address 192.168.2.41
                    mac-address a8:e3:ee:11:c4:c7
                }
                static-mapping ps4lan {
                    ip-address 192.168.2.46
                    mac-address 70:9e:29:16:fc:83
                }
                static-mapping ps4wifi {
                    ip-address 192.168.2.47
                    mac-address b0:05:94:0e:ad:93
                }
                static-mapping qnap1 {
                    ip-address 192.168.2.20
                    mac-address 00:08:9b:c7:fa:58
                }
                static-mapping qnap2 {
                    ip-address 192.168.2.21
                    mac-address 00:08:9b:c7:fa:59
                }
                static-mapping roundhouse {
                    ip-address 192.168.2.2
                    mac-address 80:ea:96:e9:05:93
                }
                static-mapping sling {
                    ip-address 192.168.2.140
                    mac-address 00:13:b6:07:6e:83
                }
                static-mapping wiiU {
                    ip-address 192.168.2.44
                    mac-address 18:2a:7b:ce:0b:e6
                }
                static-mapping xbox360 {
                    ip-address 192.168.2.42
                    mac-address 00:25:ae:7c:1a:49
                }
                static-mapping xbox360wifi {
                    ip-address 192.168.2.43
                    mac-address 78:e4:00:39:5c:06
                }
                static-mapping xboxone {
                    ip-address 192.168.2.45
                    mac-address 50:1a:c5:28:ea:90
                }
                unifi-controller 192.168.2.7
            }
        }
        /* LAN2: clients are pointed straight at public resolvers, so the local */
        /* DNS forwarder (which does listen on eth2) is bypassed for this subnet. */
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.20.0/24 {
                default-router 192.168.20.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.20.2 {
                    stop 192.168.20.254
                }
            }
        }
        /* VLAN2 and VLAN3 advertise a UniFi controller on the main LAN */
        /* (192.168.2.7). NOTE(review): zone LAN below has no "from VIF3" policy */
        /* and its default-action is drop, so VLAN3 hosts presumably cannot reach */
        /* that address - verify the adoption path if APs live on VLAN3. */
        shared-network-name VLAN2 {
            authoritative disable
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
                dns-server 192.168.30.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.30.2 {
                    stop 192.168.30.253
                }
                unifi-controller 192.168.2.7
            }
        }
        shared-network-name VLAN3 {
            authoritative disable
            subnet 192.168.40.0/24 {
                default-router 192.168.40.1
                dns-server 192.168.40.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.40.2 {
                    stop 192.168.40.254
                }
                unifi-controller 192.168.2.7
            }
        }
        use-dnsmasq disable
    }
    /* Caching forwarder bound to every inside interface; no forwarder listens */
    /* on eth0, and the WAN -> local policy drops new connections anyway. */
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            listen-on eth1.2
            listen-on eth1.3
        }
    }
    /* Web GUI on plaintext HTTP (80) as well as HTTPS (443). */
    /* NOTE(review): older-ciphers enable re-admits legacy TLS cipher suites for */
    /* old-browser compatibility; disable it unless such a client is still needed. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    /* Masquerade on eth0 for the subnets in fwgroup (LAN, VLAN2, VLAN3). */
    /* NOTE(review): VLAN3 is masqueraded here, yet zone WAN "from VIF3" uses the */
    /* reply-only ruleset, so VLAN3 cannot initiate outbound - one of the two */
    /* looks inconsistent; confirm which behaviour is intended. */
    nat {
        rule 5010 {
            description "Masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            source {
                group {
                    network-group fwgroup
                }
            }
            type masquerade
        }
    }
    /* SSH on the default port; only reachable from LAN-side zones (lan-local */
    /* rule 800) since WAN -> local uses allow-est-drop-inv. */
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        /* Single admin-level account. The encrypted-password value is absent in */
        /* this copy - presumably redacted before sharing; confirm a hash is set */
        /* on the device and that the default credentials were changed. */
        user admin {
            authentication {
                encrypted-password
                plaintext-password ""
            }
            full-name admin
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* Local syslog only (no remote host configured); routing protocols at debug. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
    /* Deep packet inspection and flow export are on; this sends per-flow */
    /* metadata off the router - check where "export" delivers it. */
    traffic-analysis {
        dpi enable
        export enable
    }
}
/* Smart-queue shaping on eth0: 110 Mbit down / 10 Mbit up. */
traffic-control {
    smart-queue QOSS {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 110mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 10mbit
        }
        wan-interface eth0
    }
}
/* Zone policy. Every zone defaults to drop, and no LAN-side zone lists another */
/* LAN-side zone in a "from" clause, so LAN, LAN2 and VIF3 are isolated from */
/* each other. NOTE(review): eth1.2 (VLAN2) is assigned to no zone at all; how */
/* traffic to/from an unzoned interface is treated once zone-policy is active */
/* should be verified on the device rather than assumed. */
zone-policy {
    zone LAN {
        default-action drop
        description "LAN ZONE"
        from WAN {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-est-drop-inv
            }
        }
        from local {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-all
            }
        }
        interface eth1
    }
    zone LAN2 {
        default-action drop
        description "LAN2 ZONE"
        from WAN {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-est-drop-inv
            }
        }
        from local {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-all
            }
        }
        interface eth2
    }
    /* NOTE(review): "interface vif3" names nothing defined under interfaces; the */
    /* VLAN3 sub-interface is eth1.3, which is also listed. vif3 looks stale. */
    zone VIF3 {
        default-action drop
        from WAN {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-est-drop-inv
            }
        }
        from local {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-all
            }
        }
        interface vif3
        interface eth1.3
    }
    /* WAN egress: LAN and LAN2 may open connections outbound (allow-all); VIF3 */
    /* may not (allow-est-drop-inv). IPv6 egress uses the reply-only set in all */
    /* cases, so IPv6 is effectively blocked outbound even if it were addressed. */
    zone WAN {
        default-action drop
        description "WAN ZONE"
        from LAN {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-all
            }
        }
        from LAN2 {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-all
            }
        }
        from VIF3 {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-est-drop-inv
            }
        }
        from local {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-all
            }
        }
        interface eth0
    }
    /* Router-destined traffic: LAN-side zones get the lan-local service list */
    /* (ICMP, 80/443, 53, 67/68, 22); WAN gets replies only. */
    zone local {
        default-action drop
        from LAN {
            firewall {
                ipv6-name lan-local-6
                name lan-local
            }
        }
        from LAN2 {
            firewall {
                ipv6-name lan-local-6
                name lan-local
            }
        }
        from VIF3 {
            firewall {
                ipv6-name lan-local-6
                name lan-local
            }
        }
        from WAN {
            firewall {
                ipv6-name allow-est-drop-inv-6
                name allow-est-drop-inv
            }
        }
        local-zone
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.0.4901118.160804.1131 */
Attached is the config.