set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'disable'
set firewall global-options twa-hazards-protection 'enable'
set firewall ipv4 name test_tcp_flags rule 1 action 'drop'
set firewall ipv4 name test_tcp_flags rule 1 protocol 'tcp'
set firewall ipv4 name test_tcp_flags rule 1 tcp flags ack
set firewall ipv4 name test_tcp_flags rule 1 tcp flags not fin
set firewall ipv4 name test_tcp_flags rule 1 tcp flags not rst
set firewall ipv4 name test_tcp_flags rule 1 tcp flags syn
set high-availability vrrp group LAN address 192.168.0.1/24
set high-availability vrrp group LAN hello-source-address '192.168.0.250'
set high-availability vrrp group LAN interface 'eth1'
set high-availability vrrp group LAN peer-address '192.168.0.251'
set high-availability vrrp group LAN priority '200'
set high-availability vrrp group LAN vrid '1'
set high-availability vrrp sync-group failover-group member 'LAN'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 mtu '9000'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '192.168.0.250/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 ip source-validation 'strict'
set interfaces ethernet eth1 mtu '9000'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback lo
set interfaces openvpn vtun0 encryption ncp-ciphers 'aes256'
set interfaces openvpn vtun0 hash 'sha512'
set interfaces openvpn vtun0 ip adjust-mss '1380'
set interfaces openvpn vtun0 ip source-validation 'strict'
set interfaces openvpn vtun0 keep-alive failure-count '3'
set interfaces openvpn vtun0 keep-alive interval '30'
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 openvpn-option 'comp-lzo adaptive'
set interfaces openvpn vtun0 openvpn-option 'fast-io'
set interfaces openvpn vtun0 openvpn-option 'persist-key'
set interfaces openvpn vtun0 openvpn-option 'reneg-sec 86400'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 remote-host '192.0.2.10'
set interfaces openvpn vtun0 tls auth-key 'openvpn_vtun0_auth'
set interfaces openvpn vtun0 tls ca-certificate 'openvpn_vtun0_1'
set interfaces openvpn vtun0 tls ca-certificate 'openvpn_vtun0_2'
set interfaces openvpn vtun0 tls certificate 'openvpn_vtun0'
set interfaces openvpn vtun1 authentication password 'vyos1'
set interfaces openvpn vtun1 authentication username 'vyos1'
set interfaces openvpn vtun1 encryption ncp-ciphers 'aes256'
set interfaces openvpn vtun1 hash 'sha1'
set interfaces openvpn vtun1 ip adjust-mss '1380'
set interfaces openvpn vtun1 keep-alive failure-count '3'
set interfaces openvpn vtun1 keep-alive interval '30'
set interfaces openvpn vtun1 mode 'client'
set interfaces openvpn vtun1 openvpn-option 'comp-lzo adaptive'
set interfaces openvpn vtun1 openvpn-option 'tun-mtu 1500'
set interfaces openvpn vtun1 openvpn-option 'tun-mtu-extra 32'
set interfaces openvpn vtun1 openvpn-option 'mssfix 1300'
set interfaces openvpn vtun1 openvpn-option 'persist-key'
set interfaces openvpn vtun1 openvpn-option 'mute 10'
set interfaces openvpn vtun1 openvpn-option 'route-nopull'
set interfaces openvpn vtun1 openvpn-option 'fast-io'
set interfaces openvpn vtun1 openvpn-option 'reneg-sec 86400'
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 protocol 'udp'
set interfaces openvpn vtun1 remote-host '01.foo.com'
set interfaces openvpn vtun1 remote-port '1194'
set interfaces openvpn vtun1 tls auth-key 'openvpn_vtun1_auth'
set interfaces openvpn vtun1 tls ca-certificate 'openvpn_vtun1_1'
set interfaces openvpn vtun1 tls ca-certificate 'openvpn_vtun1_2'
set interfaces openvpn vtun2 authentication password 'vyos2'
set interfaces openvpn vtun2 authentication username 'vyos2'
set interfaces openvpn vtun2 disable
set interfaces openvpn vtun2 encryption ncp-ciphers 'aes256'
set interfaces openvpn vtun2 hash 'sha512'
set interfaces openvpn vtun2 ip adjust-mss '1380'
set interfaces openvpn vtun2 keep-alive failure-count '3'
set interfaces openvpn vtun2 keep-alive interval '30'
set interfaces openvpn vtun2 mode 'client'
set interfaces openvpn vtun2 openvpn-option 'tun-mtu 1500'
set interfaces openvpn vtun2 openvpn-option 'tun-mtu-extra 32'
set interfaces openvpn vtun2 openvpn-option 'mssfix 1300'
set interfaces openvpn vtun2 openvpn-option 'persist-key'
set interfaces openvpn vtun2 openvpn-option 'mute 10'
set interfaces openvpn vtun2 openvpn-option 'route-nopull'
set interfaces openvpn vtun2 openvpn-option 'fast-io'
set interfaces openvpn vtun2 openvpn-option 'remote-random'
set interfaces openvpn vtun2 openvpn-option 'reneg-sec 86400'
set interfaces openvpn vtun2 persistent-tunnel
set interfaces openvpn vtun2 protocol 'udp'
set interfaces openvpn vtun2 remote-host '01.myvpn.com'
set interfaces openvpn vtun2 remote-host '02.myvpn.com'
set interfaces openvpn vtun2 remote-host '03.myvpn.com'
set interfaces openvpn vtun2 remote-port '1194'
set interfaces openvpn vtun2 tls auth-key 'openvpn_vtun2_auth'
set interfaces openvpn vtun2 tls ca-certificate 'openvpn_vtun2_1'
set interfaces pppoe pppoe0 authentication password 'password'
set interfaces pppoe pppoe0 authentication username 'vyos'
set interfaces pppoe pppoe0 mtu '1500'
set interfaces pppoe pppoe0 source-interface 'eth0'
set interfaces wireguard wg0 address '192.168.10.1/24'
set interfaces wireguard wg0 ip adjust-mss '1380'
set interfaces wireguard wg0 peer blue allowed-ips '192.168.10.3/32'
set interfaces wireguard wg0 peer blue persistent-keepalive '20'
set interfaces wireguard wg0 peer blue preshared-key 'ztFDOY9UyaDvn8N3X97SFMDwIfv7EEfuUIPP2yab6UI='
set interfaces wireguard wg0 peer blue public-key 'G4pZishpMRrLmd96Kr6V7LIuNGdcUb81gWaYZ+FWkG0='
set interfaces wireguard wg0 peer green allowed-ips '192.168.10.21/32'
set interfaces wireguard wg0 peer green persistent-keepalive '25'
set interfaces wireguard wg0 peer green preshared-key 'LQ9qmlTh9G4nZu4UgElxRUwg7JB/qoV799aADJOijnY='
set interfaces wireguard wg0 peer green public-key '5iQUD3VoCDBTPXAPHOwUJ0p7xzKGHEY/wQmgvBVmaFI='
set interfaces wireguard wg0 peer pink allowed-ips '192.168.10.14/32'
set interfaces wireguard wg0 peer pink allowed-ips '192.168.10.16/32'
set interfaces wireguard wg0 peer pink persistent-keepalive '25'
set interfaces wireguard wg0 peer pink preshared-key 'Qi9Odyx0/5itLPN5C5bEy3uMX+tmdl15QbakxpKlWqQ='
set interfaces wireguard wg0 peer pink public-key 'i4qNPmxyy9EETL4tIoZOLKJF4p7IlVmpAE15gglnAk4='
set interfaces wireguard wg0 peer red allowed-ips '192.168.10.4/32'
set interfaces wireguard wg0 peer red persistent-keepalive '20'
set interfaces wireguard wg0 peer red preshared-key 'CumyXX7osvUT9AwnS+m2TEfCaL0Ptc2LfuZ78Sujuk8='
set interfaces wireguard wg0 peer red public-key 'ALGWvMJCKpHF2tVH3hEIHqUe9iFfAmZATUUok/WQzks='
set interfaces wireguard wg0 port '7777'
set interfaces wireguard wg0 private-key 'aGx+fvW916Ej7QRnBbW3QMoldhNv1u95/WHz45zDmF0='
set interfaces wireguard wg1 address '10.89.90.2/30'
set interfaces wireguard wg1 ip adjust-mss '1380'
set interfaces wireguard wg1 peer sam address '192.0.2.45'
set interfaces wireguard wg1 peer sam allowed-ips '10.1.1.0/24'
set interfaces wireguard wg1 peer sam allowed-ips '10.89.90.1/32'
set interfaces wireguard wg1 peer sam persistent-keepalive '20'
set interfaces wireguard wg1 peer sam port '1200'
set interfaces wireguard wg1 peer sam preshared-key 'XpFtzx2Z+nR8pBv9/sSf7I94OkZkVYTz0AeU5Q/QQUE='
set interfaces wireguard wg1 peer sam public-key 'v5zfKGvH6W/lfDXJ0en96lvKo1gfFxMUWxe02+Fj5BU='
set interfaces wireguard wg1 port '7778'
set interfaces wireguard wg1 private-key 'aGx+fvW916Ej7QRnBbW3QMoldhNv1u95/WHz45zDmF0='
set nat destination rule 50 destination port '49371'
set nat destination rule 50 inbound-interface name 'pppoe0'
set nat destination rule 50 protocol 'tcp_udp'
set nat destination rule 50 translation address '192.168.0.5'
set nat destination rule 51 destination port '58050-58051'
set nat destination rule 51 inbound-interface name 'pppoe0'
set nat destination rule 51 protocol 'tcp'
set nat destination rule 51 translation address '192.168.0.5'
set nat destination rule 52 destination port '22067-22070'
set nat destination rule 52 inbound-interface name 'pppoe0'
set nat destination rule 52 protocol 'tcp'
set nat destination rule 52 translation address '192.168.0.5'
set nat destination rule 53 destination port '34342'
set nat destination rule 53 inbound-interface name 'pppoe0'
set nat destination rule 53 protocol 'tcp_udp'
set nat destination rule 53 translation address '192.168.0.121'
set nat destination rule 54 destination port '45459'
set nat destination rule 54 inbound-interface name 'pppoe0'
set nat destination rule 54 protocol 'tcp_udp'
set nat destination rule 54 translation address '192.168.0.120'
set nat destination rule 55 destination port '22'
set nat destination rule 55 inbound-interface name 'pppoe0'
set nat destination rule 55 protocol 'tcp'
set nat destination rule 55 translation address '192.168.0.5'
set nat destination rule 56 destination port '8920'
set nat destination rule 56 inbound-interface name 'pppoe0'
set nat destination rule 56 protocol 'tcp'
set nat destination rule 56 translation address '192.168.0.5'
set nat destination rule 60 destination port '80,443'
set nat destination rule 60 inbound-interface name 'pppoe0'
set nat destination rule 60 protocol 'tcp'
set nat destination rule 60 translation address '192.168.0.5'
set nat destination rule 70 destination port '5001'
set nat destination rule 70 inbound-interface name 'pppoe0'
set nat destination rule 70 protocol 'tcp'
set nat destination rule 70 translation address '192.168.0.5'
set nat destination rule 80 destination port '25'
set nat destination rule 80 inbound-interface name 'pppoe0'
set nat destination rule 80 protocol 'tcp'
set nat destination rule 80 translation address '192.168.0.5'
set nat destination rule 90 destination port '8123'
set nat destination rule 90 inbound-interface name 'pppoe0'
set nat destination rule 90 protocol 'tcp'
set nat destination rule 90 translation address '192.168.0.7'
set nat destination rule 91 destination port '1880'
set nat destination rule 91 inbound-interface name 'pppoe0'
set nat destination rule 91 protocol 'tcp'
set nat destination rule 91 translation address '192.168.0.7'
set nat destination rule 500 destination address '!192.168.0.0/24'
set nat destination rule 500 destination port '53'
set nat destination rule 500 inbound-interface name 'eth1'
set nat destination rule 500 protocol 'tcp_udp'
set nat destination rule 500 source address '!192.168.0.1-192.168.0.5'
set nat destination rule 500 translation address '192.168.0.1'
set nat source rule 1000 outbound-interface name 'pppoe0'
set nat source rule 1000 translation address 'masquerade'
set nat source rule 2000 outbound-interface name 'vtun0'
set nat source rule 2000 source address '192.168.0.0/16'
set nat source rule 2000 translation address 'masquerade'
set nat source rule 3000 outbound-interface name 'vtun1'
set nat source rule 3000 translation address 'masquerade'
set policy prefix-list user1-routes rule 1 action 'permit'
set policy prefix-list user1-routes rule 1 prefix '192.168.0.0/24'
set policy prefix-list user2-routes rule 1 action 'permit'
set policy prefix-list user2-routes rule 1 prefix '10.1.1.0/24'
set policy route LAN-POLICY-BASED-ROUTING interface 'eth1'
set policy route LAN-POLICY-BASED-ROUTING rule 10 destination
set policy route LAN-POLICY-BASED-ROUTING rule 10 disable
set policy route LAN-POLICY-BASED-ROUTING rule 10 set table '10'
set policy route LAN-POLICY-BASED-ROUTING rule 10 source address '192.168.0.119/32'
set policy route LAN-POLICY-BASED-ROUTING rule 20 destination
set policy route LAN-POLICY-BASED-ROUTING rule 20 set table '100'
set policy route LAN-POLICY-BASED-ROUTING rule 20 source address '192.168.0.240'
set policy route-map rm-static-to-bgp rule 10 action 'permit'
set policy route-map rm-static-to-bgp rule 10 match ip address prefix-list 'user1-routes'
set policy route-map rm-static-to-bgp rule 100 action 'deny'
set policy route6 LAN6-POLICY-BASED-ROUTING interface 'eth1'
set policy route6 LAN6-POLICY-BASED-ROUTING rule 10 destination
set policy route6 LAN6-POLICY-BASED-ROUTING rule 10 disable
set policy route6 LAN6-POLICY-BASED-ROUTING rule 10 set table '10'
set policy route6 LAN6-POLICY-BASED-ROUTING rule 10 source address '2002::1'
set policy route6 LAN6-POLICY-BASED-ROUTING rule 20 destination
set policy route6 LAN6-POLICY-BASED-ROUTING rule 20 set table '100'
set policy route6 LAN6-POLICY-BASED-ROUTING rule 20 source address '2008::f'
set protocols bgp address-family ipv4-unicast redistribute connected route-map 'rm-static-to-bgp'
set protocols bgp neighbor 10.89.90.1 address-family ipv4-unicast nexthop-self
set protocols bgp neighbor 10.89.90.1 address-family ipv4-unicast prefix-list export 'user1-routes'
set protocols bgp neighbor 10.89.90.1 address-family ipv4-unicast prefix-list import 'user2-routes'
set protocols bgp neighbor 10.89.90.1 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 10.89.90.1 password 'ericandre2020'
set protocols bgp neighbor 10.89.90.1 remote-as '64589'
set protocols bgp parameters log-neighbor-changes
set protocols bgp parameters router-id '10.89.90.2'
set protocols bgp system-as '64590'
set protocols static route 100.64.160.23/32 interface pppoe0
set protocols static route 100.64.165.25/32 interface pppoe0
set protocols static route 100.64.165.26/32 interface pppoe0
set protocols static route 100.64.198.0/24 interface vtun0
set protocols static table 10 route 0.0.0.0/0 interface vtun1
set protocols static table 100 route 0.0.0.0/0 next-hop 192.168.10.5
set service conntrack-sync accept-protocol 'tcp'
set service conntrack-sync accept-protocol 'udp'
set service conntrack-sync accept-protocol 'icmp'
set service conntrack-sync disable-external-cache
set service conntrack-sync event-listen-queue-size '8'
set service conntrack-sync expect-sync 'all'
set service conntrack-sync failover-mechanism vrrp sync-group 'failover-group'
set service conntrack-sync interface eth1 peer '192.168.0.251'
set service conntrack-sync sync-queue-size '8'
set service dhcp-server high-availability name 'DHCP02'
set service dhcp-server high-availability remote '192.168.0.251'
set service dhcp-server high-availability source-address '192.168.0.250'
set service dhcp-server high-availability status 'primary'
set service dhcp-server shared-network-name LAN authoritative
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option domain-name 'vyos.net'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option domain-search 'vyos.net'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option name-server '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range LANDynamic start '192.168.0.200'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range LANDynamic stop '192.168.0.240'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping Audio ip-address '192.168.0.107'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping Audio mac '00:50:01:dc:91:14'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping IPTV ip-address '192.168.0.104'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping IPTV mac '00:50:01:31:b5:f6'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping McPrintus ip-address '192.168.0.60'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping McPrintus mac '00:50:01:58:ac:95'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping Mobile01 ip-address '192.168.0.109'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping Mobile01 mac '00:50:01:bc:ac:51'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping camera1 ip-address '192.168.0.11'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping camera1 mac '00:50:01:70:b9:4d'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping camera2 ip-address '192.168.0.12'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping camera2 mac '00:50:01:70:b7:4f'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping pearTV ip-address '192.168.0.101'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping pearTV mac '00:50:01:ba:62:79'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping sand ip-address '192.168.0.110'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping sand mac '00:50:01:af:c5:d2'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 subnet-id '1'
set service dns forwarding allow-from '192.168.0.0/16'
set service dns forwarding cache-size '8192'
set service dns forwarding dnssec 'off'
set service dns forwarding listen-address '192.168.0.1'
set service dns forwarding name-server 100.64.0.1
set service dns forwarding name-server 100.64.0.2
set service ntp allow-client address '192.168.0.0/16'
set service ntp server nz.pool.ntp.org prefer
set service snmp community AwesomeCommunity authorization 'ro'
set service snmp community AwesomeCommunity client '127.0.0.1'
set service snmp community AwesomeCommunity network '192.168.0.0/24'
set service ssh access-control allow user 'vyos'
set service ssh client-keepalive-interval '60'
set service ssh listen-address '192.168.0.1'
set service ssh listen-address '192.168.10.1'
set service ssh listen-address '192.168.0.250'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
set system ip arp table-size '1024'
set system login user vyos authentication encrypted-password '$6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0'
set system login user vyos authentication plaintext-password ''
set system name-server '192.168.0.1'
set system name-server 'pppoe0'
set system option ctrl-alt-delete 'ignore'
set system option reboot-on-panic
set system option startup-beep
set system static-host-mapping host-name host60.vyos.net inet '192.168.0.60'
set system static-host-mapping host-name host104.vyos.net inet '192.168.0.104'
set system static-host-mapping host-name host107.vyos.net inet '192.168.0.107'
set system static-host-mapping host-name host109.vyos.net inet '192.168.0.109'
set system sysctl parameter net.core.default_qdisc value 'fq'
set system sysctl parameter net.ipv4.tcp_congestion_control value 'bbr'
set system syslog global facility all level 'info'
set system syslog host 192.168.0.252 facility all level 'debug'
set system syslog host 192.168.0.252 protocol 'udp'
set system task-scheduler task Update-Blacklists executable path '/config/scripts/vyos-foo-update.script'
set system task-scheduler task Update-Blacklists interval '3h'
set system time-zone 'Pacific/Auckland'