firewall { all-ping enable broadcast-ping disable group { network-group PRIVATE_NETWORKS { description "Private IPv4-Netze" network 172.16.0.0/12 network 192.168.0.0/16 } } ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name GUEST_IN { default-action accept description "Guest traffic to WAN" rule 1 { action reject destination { group { network-group PRIVATE_NETWORKS } } log disable protocol all } } name WAN_IN { default-action reject description "WAN to internal" rule 10 { action accept description "Allow established/related" state { established enable related enable } } } name WAN_LOCAL { default-action reject description "WAN to router" rule 10 { action accept description "Allow established/related" state { established enable related enable } } rule 20 { action reject description "reject invalid state" state { invalid enable } } rule 21 { action accept description ssh destination { port 22 } protocol tcp } rule 23 { action accept description icmp protocol icmp } rule 26 { action accept description OpenVPN destination { port 1194 } protocol udp } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable } interfaces { bridge br0 { address 192.168.23.1/24 address 2A00:C380:DEAD::1/64 aging 300 bridged-conntrack disable hello-time 2 ipv6 { dup-addr-detect-transmits 1 router-advert { cur-hop-limit 64 link-mtu 0 managed-flag false max-interval 10 other-config-flag false prefix 2A00:C380:DEAD::/64 { autonomous-flag true on-link-flag true valid-lifetime 2592000 } reachable-time 0 retrans-timer 0 send-advert true } } max-age 20 priority 32768 promiscuous disable stp false } ethernet eth0 { address 2a00:C380:0:DEAD::2/64 address 31.209.95.114/30 duplex auto firewall { in { name WAN_IN } local { name WAN_LOCAL } } speed auto } ethernet eth1 { duplex auto speed auto vif 1 { address 10.196.0.5/17 address 2A00:C380:DEAD:BEEF::1/64 description Freifunk firewall { in { name GUEST_IN } } ipv6 { dup-addr-detect-transmits 1 router-advert { cur-hop-limit 64 link-mtu 0 managed-flag false max-interval 10 other-config-flag false prefix 2A00:C380:DEAD:BEEF::/64 { autonomous-flag true on-link-flag true valid-lifetime 2592000 } reachable-time 0 retrans-timer 0 send-advert true } } } vif 2 { bridge-group { bridge br0 } description Management } } ethernet eth2 { duplex auto speed auto } loopback lo { } openvpn vtun0 { bridge-group { bridge br0 } device-type tap mode server openvpn-option "--server-bridge 192.168.23.1 255.255.255.0 192.168.23.40 192.168.23.49" server { subnet 192.168.23.0/24 } tls { ca-cert-file /config/auth/openvpn/ca.crt cert-file /config/auth/openvpn/gw-breminale.digineo.de.crt dh-file /config/auth/openvpn/dh2048.pem key-file /config/auth/openvpn/gw-breminale.digineo.de.key } } } protocols { static { route 0.0.0.0/0 { next-hop 31.209.95.113 { } } route 91.250.71.5/32 { next-hop 192.168.23.68 { } } route6 ::/0 { next-hop 2a00:C380:0:DEAD::1 { } } } } service { dhcp-server { disabled false hostfile-update disable shared-network-name Freifunk { authoritative enable subnet 10.196.0.0/17 { default-router 10.196.0.5 dns-server 10.196.0.5 dns-server 8.8.8.8 lease 518400 start 10.196.50.0 { stop 10.196.100.255 } } } shared-network-name Management { authoritative enable subnet 192.168.23.0/24 { default-router 192.168.23.1 dns-server 192.168.23.1 dns-server 8.8.8.8 lease 518400 start 192.168.23.50 { stop 192.168.23.250 } static-mapping NanoStation1 { ip-address 192.168.23.10 mac-address 04:18:d6:0c:bb:2a } static-mapping NanoStation2 { ip-address 192.168.23.11 mac-address dc:9f:db:20:ef:51 } static-mapping Server { ip-address 192.168.23.3 mac-address d0:50:99:1b:63:99 } static-mapping hp1820-8g { ip-address 192.168.23.2 mac-address 44:31:92:50:41:39 } } } } dns { forwarding { cache-size 1000 listen-on br0 listen-on eth1.1 } } gui { https-port 443 } nat { rule 5000 { description "Masquerade eth0" log disable outbound-interface eth0 protocol all type masquerade } } ssh { disable-password-authentication port 22 protocol-version v2 } } system { domain-name digineo.de host-name gw-breminale login { user ubnt { authentication { encrypted-password $6$fEhPRBi3w/xbT$Vu/cAqFdoWHopPea76ijSFZNSjOLEx1aQuARafzAcDgbNKx2q6y5BGQyWLhYCO5PudMsH0VdExsycjBM0NrQM. plaintext-password "" public-keys breminale { key AAAAB3NzaC1yc2EAAAADAQABAAACAQDpQCO+IrWOwabZgxNQsESucaTnb+Tw0D5d9qEuWSlciQZjFgHc8HoFrOCWpOw+JBQikt44U3ZpUEKfArLaWoZjqzR7N/MeLYfBIm1D9jtmydxCEJHplsj2KwVRWVALN3kKlIBZe6ltOTyKVNKyh/xTRiESbYss5hl5gGxCSRrr4IhNKFseIBtaSgT6ysxUQnRxsPUHTz916/bvOP4JMu6yfhD9Zt2y2yWnz4F9zBc8mVbhB8i35D1ok3K8m+Zj9FYKu2m+95o/phOS/VPEj/8+ZjmGvMxrm08duH6grKIRbR96tBPHTk8FCHDqQU3fE85pqqcw2zovtSaqYkxfCvJvS/cLmU7quvzZGGvuxcI1IcrdD+txm8tAUnJiTu1h18NMoK6hZ4bCgjhPoBpoUMdy+lfXdpLfv/ZGiPhJUOtbMJOyVCzwbmHs9NeBl/bQ2FkMHQ6jjGQSSN04KHRbptEYLmgNHxgpnepmaeJemSHFSs9yDbEfVvo+Qj/6+FfAviMk4eKIOibDFgth0CzEBW1H4r7wm5E1P8DeIOaf1/Oqf9Ho1Up4YcRxN1vtqI3L7Yanv4riHey4C61alo8t58D8SVRbogKfb0GBWalP2ABdI/fXNeLK92wG4jM6Tu4MqmQ5dkbg66uvhMVKL43hdf2pG2ZW2GNtm+IfbfQJI+99SQ== type ssh-rsa } } full-name ubnt level admin } } name-server 8.8.8.8 name-server 8.8.4.4 ntp { server 0.ubnt.pool.ntp.org { } server 1.ubnt.pool.ntp.org { } server 2.ubnt.pool.ntp.org { } server 3.ubnt.pool.ntp.org { } } offload { ipsec enable ipv4 { forwarding enable gre enable vlan enable } ipv6 { forwarding enable vlan enable } } syslog { global { facility all { level notice } facility protocols { level debug } } } time-zone UTC } /* Warning: Do not remove the following line. */ /* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */ /* Release version: v1.7.0.4783374.150622.1534 */