{
        "firewall": {
                "all-ping": "enable",
                "broadcast-ping": "disable",
                "group": {
                        "address-group": {
                                "authorized_guests": {
                                        "description": "authorized guests MAC addresses"
                                },
                                "guest_allow_addresses": {
                                        "description": "allow addresses for guests"
                                },
                                "guest_allow_dns_servers": {
                                        "description": "allow dns servers for guests"
                                },
                                "guest_portal_address": {
                                        "description": "guest portal address"
                                },
                                "guest_restricted_addresses": {
                                        "address": [
                                                "192.168.0.0/16",
                                                "172.16.0.0/12",
                                                "10.0.0.0/8"
                                        ],
                                        "description": "restricted addresses for guests"
                                },
                                "unifi_controller_addresses": "''"
                        },
                        "network-group": {
                                "captive_portal_subnets": {
                                        "description": "captive portal subnets"
                                },
                                "corporate_network": {
                                        "description": "corporate subnets",
                                        "network": [
                                                "10.9.0.0/20"
                                        ]
                                },
                                "guest_allow_subnets": {
                                        "description": "allow subnets for guests"
                                },
                                "guest_network": {
                                        "description": "guest subnets"
                                },
                                "guest_restricted_subnets": {
                                        "description": "restricted subnets for guests"
                                },
                                "remote_client_vpn_network": {
                                        "description": "remote client VPN subnets"
                                },
                                "remote_site_vpn_network": {
                                        "description": "remote site VPN subnets"
                                },
                                "remote_user_vpn_network": {
                                        "description": "remote user VPN subnets",
                                        "network": [
                                                "192.168.200.0/24"
                                        ]
                                }
                        },
                        "port-group": {
                                "guest_portal_ports": {
                                        "description": "guest portal ports"
                                },
                                "guest_portal_redirector_ports": {
                                        "description": "guest portal redirector ports",
                                        "port": [
                                                "39080",
                                                "39443"
                                        ]
                                },
                                "unifi_controller_ports-tcp": {
                                        "description": "unifi tcp ports",
                                        "port": [
                                                "8080"
                                        ]
                                },
                                "unifi_controller_ports-udp": {
                                        "description": "unifi udp ports",
                                        "port": [
                                                "3478"
                                        ]
                                }
                        }
                },
                "ip-src-route": "disable",
                "ipv6-receive-redirects": "disable",
                "ipv6-src-route": "disable",
                "log-martians": "enable",
                "name": {
                        "AUTHORIZED_GUESTS": {
                                "default-action": "drop",
                                "description": "authorization check packets from guest network"
                        },
                        "GUEST_IN": {
                                "default-action": "accept",
                                "description": "packets from guest network",
                                "rule": {
                                        "3001": {
                                                "action": "accept",
                                                "description": "allow DNS packets to external name servers",
                                                "destination": {
                                                        "port": "53"
                                                },
                                                "protocol": "udp"
                                        },
                                        "3002": {
                                                "action": "accept",
                                                "description": "allow packets to captive portal",
                                                "destination": {
                                                        "group": {
                                                                "network-group": "captive_portal_subnets"
                                                        },
                                                        "port": "443"
                                                },
                                                "protocol": "tcp"
                                        },
                                        "3003": {
                                                "action": "accept",
                                                "description": "allow packets to allow subnets",
                                                "destination": {
                                                        "group": {
                                                                "address-group": "guest_allow_addresses"
                                                        }
                                                }
                                        },
                                        "3004": {
                                                "action": "drop",
                                                "description": "drop packets to restricted subnets",
                                                "destination": {
                                                        "group": {
                                                                "address-group": "guest_restricted_addresses"
                                                        }
                                                }
                                        },
                                        "3005": {
                                                "action": "drop",
                                                "description": "drop packets to intranet",
                                                "destination": {
                                                        "group": {
                                                                "network-group": "corporate_network"
                                                        }
                                                }
                                        },
                                        "3006": {
                                                "action": "drop",
                                                "description": "drop packets to remote user",
                                                "destination": {
                                                        "group": {
                                                                "network-group": "remote_user_vpn_network"
                                                        }
                                                }
                                        },
                                        "3007": {
                                                "action": "drop",
                                                "description": "authorized guests white list",
                                                "destination": {
                                                        "group": {
                                                                "address-group": "authorized_guests"
                                                        }
                                                }
                                        }
                                }
                        },
                        "GUEST_LOCAL": {
                                "default-action": "drop",
                                "description": "packets from guest network to gateway",
                                "rule": {
                                        "3001": {
                                                "action": "accept",
                                                "description": "allow DNS",
                                                "destination": {
                                                        "port": "53"
                                                },
                                                "protocol": "udp"
                                        },
                                        "3002": {
                                                "action": "accept",
                                                "description": "allow ICMP",
                                                "protocol": "icmp"
                                        }
                                }
                        },
                        "GUEST_OUT": {
                                "default-action": "accept",
                                "description": "packets forward to guest network"
                        },
                        "LAN_IN": {
                                "default-action": "accept",
                                "description": "packets from intranet",
                                "rule": {
                                        "6001": {
                                                "action": "accept",
                                                "description": "accounting defined network 10.9.0.0/20",
                                                "source": {
                                                        "address": "10.9.0.0/20"
                                                }
                                        }
                                }
                        },
                        "LAN_LOCAL": {
                                "default-action": "accept",
                                "description": "packets from intranet to gateway"
                        },
                        "LAN_OUT": {
                                "default-action": "accept",
                                "description": "packets forward to intranet",
                                "rule": {
                                        "6001": {
                                                "action": "accept",
                                                "description": "accounting defined network 10.9.0.0/20",
                                                "destination": {
                                                        "address": "10.9.0.0/20"
                                                }
                                        }
                                }
                        },
                        "WAN_IN": {
                                "default-action": "drop",
                                "description": "packets from internet to intranet",
                                "rule": {
                                        "3001": {
                                                "action": "accept",
                                                "description": "allow established/related sessions",
                                                "state": {
                                                        "established": "enable",
                                                        "invalid": "disable",
                                                        "new": "disable",
                                                        "related": "enable"
                                                }
                                        },
                                        "3002": {
                                                "action": "drop",
                                                "description": "drop invalid state",
                                                "state": {
                                                        "established": "disable",
                                                        "invalid": "enable",
                                                        "new": "disable",
                                                        "related": "disable"
                                                }
                                        }
                                }
                        },
                        "WAN_LOCAL": {
                                "default-action": "drop",
                                "description": "packets from internet to gateway",
                                "rule": {
                                        "3001": {
                                                "action": "accept",
                                                "description": "allow established/related sessions",
                                                "state": {
                                                        "established": "enable",
                                                        "invalid": "disable",
                                                        "new": "disable",
                                                        "related": "enable"
                                                }
                                        },
                                        "3002": {
                                                "action": "drop",
                                                "description": "drop invalid state",
                                                "state": {
                                                        "established": "disable",
                                                        "invalid": "enable",
                                                        "new": "disable",
                                                        "related": "disable"
                                                }
                                        },
                                        "3003": {
                                                "action": "accept",
                                                "description": "allow L2TP ISAKMP",
                                                "destination": {
                                                        "port": "500"
                                                },
                                                "protocol": "udp"
                                        },
                                        "3004": {
                                                "action": "accept",
                                                "description": "allow L2TP NAT-T",
                                                "destination": {
                                                        "port": "4500"
                                                },
                                                "protocol": "udp"
                                        },
                                        "3005": {
                                                "action": "accept",
                                                "description": "allow L2TP ESP",
                                                "protocol": "esp"
                                        },
                                        "3006": {
                                                "action": "accept",
                                                "description": "allow L2TP",
                                                "destination": {
                                                        "port": "1701"
                                                },
                                                "ipsec": {
                                                        "match-ipsec": "''"
                                                },
                                                "protocol": "udp"
                                        }
                                }
                        },
                        "WAN_OUT": {
                                "default-action": "accept",
                                "description": "packets to internet"
                        }
                },
                "options": {
                        "mss-clamp": {
                                "interface-type": [
                                        "pppoe",
                                        "pptp",
                                        "vti"
                                ],
                                "mss": "1452"
                        }
                },
                "receive-redirects": "disable",
                "send-redirects": "enable",
                "source-validation": "disable",
                "syn-cookies": "enable"
        },
        "interfaces": {
                "ethernet": {
                        "eth0": {
                                "address": [
                                        "10.9.0.1/20"
                                ],
                                "duplex": "auto",
                                "firewall": {
                                        "in": {
                                                "name": "LAN_IN"
                                        },
                                        "local": {
                                                "name": "LAN_LOCAL"
                                        },
                                        "out": {
                                                "name": "LAN_OUT"
                                        }
                                },
                                "speed": "auto"
                        },
                        "eth1": {
                                "disable": "''",
                                "duplex": "auto",
                                "speed": "auto"
                        },
                        "eth2": {
                                "duplex": "auto",
                                "speed": "auto",
                                "vif": {
                                        "832": {
                                                "address": [
                                                        "dhcp"
                                                ],
                                                "dhcp-options": {
                                                        "client-option": [
                                                                "retry 60;",
                                                                "send vendor-class-identifier &quot;sagem&quot;;",
                                                                "send user-class &quot;\\053FSVDSL_livebox.Internet.softathome.Livebox4&quot;;",
                                                                "send rfc3118-auth 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2F:62:63:64:62:68:75:76;",
                                                                "request subnet-mask, routers, domain-name-servers, domain-name, broadcast-address, dhcp-lease-time, dhcp-renewal-time, dhcp-rebinding-time, rfc3118-auth;"
                                                        ],
                                                        "default-route": "update",
                                                        "default-route-distance": "1",
                                                        "name-server": "update"
                                                },
                                                "egress-qos": "0:0 1:0 2:0 3:0 4:0 5:0 6:6 7:0",
                                                "firewall": {
                                                        "in": {
                                                                "name": "WAN_IN"
                                                        },
                                                        "local": {
                                                                "name": "WAN_LOCAL"
                                                        },
                                                        "out": {
                                                                "name": "WAN_OUT"
                                                        }
                                                }
                                        }
                                }
                        },
                        "eth3": {
                                "disable": "''",
                                "duplex": "auto",
                                "firewall": {
                                        "in": {
                                                "name": "WAN_IN"
                                        },
                                        "local": {
                                                "name": "WAN_LOCAL"
                                        },
                                        "out": {
                                                "name": "WAN_OUT"
                                        }
                                },
                                "speed": "auto"
                        }
                },
                "loopback": {
                        "lo": "''"
                }
        },
        "port-forward": {
                "auto-firewall": "disable",
                "hairpin-nat": "enable",
                "lan-interface": [
                        "eth0"
                ],
                "wan-interface": "eth2.832"
        },
        "service": {
                "dhcp-server": {
                        "disabled": "false",
                        "hostfile-update": "enable",
                        "shared-network-name": {
                                "net_LAN_10.9.0.0-20": {
                                        "authoritative": "enable",
                                        "description": "vlan1",
                                        "subnet": {
                                                "10.9.0.0/20": {
                                                        "default-router": "10.9.0.1",
                                                        "dns-server": [
                                                                "10.9.0.1"
                                                        ],
                                                        "domain-name": "localdomain",
                                                        "lease": "86400",
                                                        "start": {
                                                                "10.9.0.10": {
                                                                        "stop": "10.9.9.254"
                                                                }
                                                        },
                                                        "static-mapping": {
                                                                "00-0a-f7-7b-cc-6f": {
                                                                        "ip-address": "10.9.0.2",
                                                                        "mac-address": "00:0a:f7:7b:cc:6f"
                                                                }
                                                        }
                                                }
                                        }
                                }
                        },
                        "use-dnsmasq": "disable"
                },
                "dns": {
                        "forwarding": {
                                "cache-size": "10000",
                                "except-interface": [
                                        "eth2.832"
                                ],
                                "options": [
                                        "host-record=unifi,127.0.0.1"
                                ]
                        }
                },
                "gui": {
                        "https-port": "443"
                },
                "lldp": {
                        "interface": {
                                "eth2": {
                                        "disable": "''"
                                },
                                "eth3": {
                                        "disable": "''"
                                }
                        }
                },
                "nat": {
                        "rule": {
                                "6001": {
                                        "description": "MASQ corporate_network to WAN",
                                        "log": "disable",
                                        "outbound-interface": "eth2.832",
                                        "protocol": "all",
                                        "source": {
                                                "group": {
                                                        "network-group": "corporate_network"
                                                }
                                        },
                                        "type": "masquerade"
                                },
                                "6002": {
                                        "description": "MASQ remote_user_vpn_network to WAN",
                                        "log": "disable",
                                        "outbound-interface": "eth2.832",
                                        "protocol": "all",
                                        "source": {
                                                "group": {
                                                        "network-group": "remote_user_vpn_network"
                                                }
                                        },
                                        "type": "masquerade"
                                },
                                "6003": {
                                        "description": "MASQ guest_network to WAN",
                                        "log": "disable",
                                        "outbound-interface": "eth2.832",
                                        "protocol": "all",
                                        "source": {
                                                "group": {
                                                        "network-group": "guest_network"
                                                }
                                        },
                                        "type": "masquerade"
                                }
                        }
                },
                "ssh": {
                        "port": "22",
                        "protocol-version": "v2"
                }
        },
        "system": {
                "conntrack": {
                        "expect-table-size": "2048",
                        "hash-size": "32768",
                        "modules": {
                                "sip": {
                                        "disable": "''"
                                }
                        },
                        "table-size": "262144",
                        "timeout": {
                                "icmp": "30",
                                "other": "600",
                                "tcp": {
                                        "close": "10",
                                        "close-wait": "60",
                                        "established": "7440",
                                        "fin-wait": "120",
                                        "last-ack": "30",
                                        "syn-recv": "60",
                                        "syn-sent": "120",
                                        "time-wait": "120"
                                },
                                "udp": {
                                        "other": "30",
                                        "stream": "180"
                                }
                        }
                },
                "domain-name": "localdomain",
                "host-name": "ubnt",
                "ip": {
                        "override-hostname-ip": "10.9.0.1"
                },
                "login": {
                        "user": {
                                "admin": {
                                        "authentication": {
                                                "encrypted-password": "************************************************************************************"
                                        },
                                        "level": "admin"
                                }
                        }
                },
                "ntp": {
                        "server": {
                                "0.ubnt.pool.ntp.org": "''",
                                "1.ubnt.pool.ntp.org": "''",
                                "2.ubnt.pool.ntp.org": "''",
                                "3.ubnt.pool.ntp.org": "''"
                        }
                },
                "offload": {
                        "ipsec": "enable",
                        "ipv4": {
                                "forwarding": "enable",
                                "pppoe": "enable",
                                "vlan": "enable"
                        },
                        "ipv6": {
                                "forwarding": "enable",
                                "vlan": "enable"
                        }
                },
                "static-host-mapping": {
                        "host-name": {
                                "setup.ubnt.com": {
                                        "alias": [
                                                "setup"
                                        ],
                                        "inet": [
                                                "10.9.0.1"
                                        ]
                                }
                        }
                },
                "syslog": {
                        "global": {
                                "facility": {
                                        "all": {
                                                "level": "notice"
                                        },
                                        "protocols": {
                                                "level": "debug"
                                        }
                                }
                        }
                },
                "time-zone": "Europe/Brussels",
                "traffic-analysis": {
                        "dpi": "enable"
                }
        },
        "unifi": {
                "mgmt": {
                        "cfgversion": "9bf7c65bc0914436"
                }
        },
        "vpn": {
                "ipsec": {
                        "auto-firewall-nat-exclude": "disable",
                        "ipsec-interfaces": {
                                "interface": [
                                        "eth2.832"
                                ]
                        },
                        "nat-networks": {
                                "allowed-network": {
                                        "0.0.0.0/0": "''"
                                }
                        },
                        "nat-traversal": "enable"
                },
                "l2tp": {
                        "remote-access": {
                                "authentication": {
                                        "mode": "radius",
                                        "radius-server": {
                                                "10.9.0.1": {
                                                        "key": "******************************",
                                                        "port": "1812"
                                                }
                                        }
                                },
                                "client-ip-pool": {
                                        "start": "192.168.200.1",
                                        "stop": "192.168.200.254"
                                },
                                "dhcp-interface": "eth2.832",
                                "dns-servers": {
                                        "server-1": "10.9.0.1"
                                },
                                "ipsec-settings": {
                                        "authentication": {
                                                "mode": "pre-shared-secret",
                                                "pre-shared-secret": "**************************"
                                        },
                                        "ike-lifetime": "3600"
                                }
                        }
                }
        }
}
