Hi,
I am looking for help to get the right definitations for Zone rules in the below config.boot file.
DMZ, LAN, WAN is working properly - almost.
I can't get from inside LAN to DMZ through public IP - don't know why...
I can't get the VLAN to permit access out through the firewall - again don't know why.
Al help is appreciated
firewall { all-ping enable broadcast-ping disable ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name DMZ-to-LAN { default-action drop enable-default-log rule 1 { action accept description "Established/related connections" protocol all state { established enable related enable } } rule 2 { action drop description "State invalid" state { invalid enable } } } name DMZ-to-LOCAL { default-action drop rule 1 { action accept description "Established/related connections" protocol all state { established enable related enable } } rule 2 { action drop description "State invalid" log enable state { invalid enable } } rule 600 { action accept description "Allow DNS querries" destination { port 53 } protocol tcp_udp state { new enable } } } name DMZ-to-WAN { default-action drop enable-default-log rule 1 { action accept description "Established/related connections" protocol all state { established enable new enable related enable } } rule 2 { action drop description "State invalid" state { invalid enable } } } name GuestVLAN100 { default-action accept description "" rule 20 { action accept description "Apple TV" destination { address 192.168.1.38 } log disable protocol all source { mac-address 04:18:d6:86:a9:7a } } rule 30 { action drop destination { address 192.168.0.0/16 } log disable protocol all source { address 192.168.100.0/24 } } } name LAN-to-DMZ { default-action drop enable-default-log rule 1 { action accept description "Established/related connections" protocol all state { established enable new enable related enable } } rule 2 { action drop description "State invalid" state { invalid enable } } } name LAN-to-LOCAL { default-action drop rule 1 { action accept description "Established/related connections" protocol all state { established enable related enable } } rule 2 { action drop description "State invalid" log enable state { invalid enable } } rule 100 { action accept description "Allow HTTP GUI" destination { port 80 } log enable protocol tcp state { new enable } } rule 200 { action accept description "Allow HTTPS GUI" destination { port 443 } log enable protocol tcp state { new enable } } rule 600 { action accept description "Allow DNS querries" destination { port 53 } protocol tcp_udp state { new enable } } rule 800 { action accept description "SSH management" destination { port 22 } protocol tcp state { new enable } } } name LAN-to-WAN { default-action drop enable-default-log rule 1 { action accept description "Established/related connections" protocol all state { established enable new enable related enable } } rule 2 { action drop description "State invalid" state { invalid enable } } } name LOCAL-to-DMZ { default-action drop enable-default-log rule 1 { action accept description "Established/related connections" protocol all state { established enable related enable } } rule 2 { action drop description "State invalid" state { invalid enable } } } name LOCAL-to-LAN { default-action drop enable-default-log rule 1 { action accept description "Established/related connections" protocol all state { established enable related enable } } rule 2 { action drop description "State invalid" state { invalid enable } } } name LOCAL-to-WAN { default-action drop enable-default-log rule 1 { action accept description "Established/related connections" protocol all state { established enable new enable related enable } } rule 2 { action drop description "State invalid" state { invalid enable } } } name WAN-to-DMZ { default-action drop enable-default-log rule 10 { action accept description "Established/related connections" protocol all state { established enable related enable } } rule 20 { action accept description "HTTP access" destination { address 192.168.2.45 port 80 } log enable protocol tcp state { new enable } } rule 30 { action accept description "HTTPS access" destination { address 192.168.2.45 port 443 } log enable protocol tcp state { new enable } } rule 40 { action drop description "Limit inbound SSH connections" destination { port ssh } protocol tcp recent { count 3 time 30 } state { new enable } } rule 50 { action accept description "SSH access" destination { address 192.168.2.45 port 22 } log enable protocol tcp state { new enable } } rule 60 { action drop description "State invalid" state { invalid enable } } } name WAN-to-LAN { default-action drop enable-default-log rule 1 { action accept description "Established/related connections" protocol all state { established enable related enable } } rule 2 { action drop description "State invalid" state { invalid enable } } } name WAN-to-LOCAL { default-action drop enable-default-log rule 1 { action accept description "Established/related connections" protocol all state { established enable related enable } } rule 2 { action drop description "State invalid" state { invalid enable } } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { ethernet eth0 { address 152.115.xx.xxx/24 description WAN duplex auto poe { output off } speed auto } ethernet eth1 { address 192.168.1.1/24 description LAN duplex auto poe { output off } speed auto vif 100 { address 192.168.100.1/24 description VLAN firewall { out { name GuestVLAN100 } } mtu 1500 traffic-policy { out Download } } } ethernet eth2 { address 192.168.2.1/24 description DMZ duplex auto poe { output off } speed auto } ethernet eth3 { description "Local 3" duplex auto poe { output off } speed auto } ethernet eth4 { description "Local 4" duplex auto poe { output off } speed auto } loopback lo { } switch switch0 { address dhcp description "Local 2" mtu 1500 switch-port { interface eth3 { } interface eth4 { } vlan-aware disable } } } service { dhcp-server { disabled false dynamic-dns-update { enable true } hostfile-update disable shared-network-name DMZ_DHCP { authoritative disable subnet 192.168.2.0/24 { default-router 192.168.2.1 dns-server 192.168.2.1 lease 86400 start 192.168.2.100 { stop 192.168.2.254 } } } shared-network-name GuestVLAN100 { authoritative disable subnet 192.168.100.0/24 { default-router 192.168.100.1 dns-server 192.168.100.1 lease 86400 start 192.168.100.50 { stop 192.168.100.200 } } } shared-network-name LAN_DHCP { authoritative disable subnet 192.168.1.0/24 { default-router 192.168.1.1 dns-server 192.168.1.1 lease 86400 start 192.168.1.100 { stop 192.168.1.254 } static-mapping ALLAN-NY { ip-address 192.168.1.38 mac-address 9c:5c:8e:76:38:d2 } unifi-controller 192.168.1.38 } } use-dnsmasq disable } dns { forwarding { cache-size 200 listen-on eth1 listen-on eth2 } } gui { http-port 80 https-port 443 listen-address 192.168.1.1 older-ciphers enable } nat { rule 100 { description "Web access to DMZ" destination { port 80 } inbound-interface eth0 inside-address { address 192.168.2.45 port 80 } log enable protocol tcp type destination } rule 200 { description "Web access to DMZ" destination { port 314 } inbound-interface eth0 inside-address { address 192.168.2.45 port 443 } log enable protocol tcp type destination } rule 600 { description "SSH access to DMZ" destination { port 1337 } inbound-interface eth0 inside-address { address 192.168.2.45 port 22 } log enable protocol tcp type destination } rule 5000 { description "WAN masquerade" log disable outbound-interface eth0 protocol all type masquerade } rule 5011 { description "Masquerade hairpin eth1" destination { address 192.168.1.1/24 } log disable outbound-interface eth1 protocol tcp source { address 192.168.1.1/24 } type masquerade } } ssh { port 22 protocol-version v2 } upnp { listen-on eth1 { outbound-interface eth0 } } } system { gateway-address 152.115.xx.xxx host-name ubnt login { user ubnt { authentication { encrypted-password $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. plaintext-password "" } level admin } } name-server 83.136.89.6 name-server 83.136.89.4 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone Europe/Copenhagen } traffic-policy { shaper Download { bandwidth auto class 100 { bandwidth 50mbit burst 15k match addr { ip { source { address 192.168.100.0/24 } } } queue-type fair-queue } default { bandwidth 100mbit burst 15k queue-type fair-queue } } shaper Upload { bandwidth auto class 100 { bandwidth 50mbit burst 15k match addr { ip { source { address 192.168.100.0/24 } } } queue-type fair-queue } default { bandwidth 100mbit burst 15k queue-type fair-queue } } } zone-policy { zone DMZ { default-action reject from LAN { firewall { name LAN-to-DMZ } } from LOCAL { firewall { name LOCAL-to-DMZ } } from WAN { firewall { name WAN-to-DMZ } } interface eth2 } zone LAN { default-action drop from DMZ { firewall { name DMZ-to-LAN } } from LOCAL { firewall { name LOCAL-to-LAN } } from WAN { firewall { name WAN-to-LAN } } interface eth1 } zone LOCAL { default-action reject from DMZ { firewall { name DMZ-to-LOCAL } } from LAN { firewall { name LAN-to-LOCAL } } from WAN { firewall { name WAN-to-LOCAL } } local-zone } zone WAN { default-action reject from DMZ { firewall { name DMZ-to-WAN } } from LAN { firewall { name LAN-to-WAN } } from LOCAL { firewall { name LOCAL-to-WAN } } interface eth0 } } /* Warning: Do not remove the following line. */ /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */ /* Release version: v1.9.0.4901118.160804.1131 */