{ "firewall": { "all-ping": "enable", "broadcast-ping": "disable", "group": { "address-group": { "authorized_guests": { "description": "authorized guests MAC addresses" }, "guest_allow_addresses": { "description": "allow addresses for guests" }, "guest_allow_dns_servers": { "description": "allow dns servers for guests" }, "guest_portal_address": { "description": "guest portal address" }, "guest_restricted_addresses": { "address": [ "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8" ], "description": "restricted addresses for guests" }, "unifi_controller_addresses": "''" }, "ipv6-network-group": { "corporate_networkv6": { "description": "IPv6 corporate subnets" }, "guest_networkv6": { "description": "IPv6 guest subnets" } }, "network-group": { "captive_portal_subnets": { "description": "captive portal subnets" }, "corporate_network": { "description": "corporate subnets", "network": [ "192.168.1.0/24", "192.168.10.0/24" ] }, "guest_allow_subnets": { "description": "allow subnets for guests" }, "guest_network": { "description": "guest subnets" }, "guest_restricted_subnets": { "description": "restricted subnets for guests" }, "remote_client_vpn_network": { "description": "remote client VPN subnets" }, "remote_site_vpn_network": { "description": "remote site VPN subnets" }, "remote_user_vpn_network": { "description": "Remote User VPN subnets" } }, "port-group": { "guest_portal_ports": { "description": "guest portal ports" }, "guest_portal_redirector_ports": { "description": "guest portal redirector ports", "port": [ "39080", "39443" ] }, "unifi_controller_ports-tcp": { "description": "unifi tcp ports", "port": [ "8080" ] }, "unifi_controller_ports-udp": { "description": "unifi udp ports", "port": [ "3478" ] } } }, "ip-src-route": "disable", "ipv6-name": { "AUTHORIZED_GUESTSv6": { "default-action": "drop", "description": "authorization check packets from guest network" }, "GUESTv6_IN": { "default-action": "accept", "description": "packets from guest network", "rule": { "3001": { "action": "drop", "description": "drop packets to intranet", "destination": { "group": { "ipv6-network-group": "corporate_networkv6" } } } } }, "GUESTv6_LOCAL": { "default-action": "drop", "description": "packets from guest network to gateway", "rule": { "3001": { "action": "accept", "description": "allow DNS", "destination": { "port": "53" }, "protocol": "udp" }, "3002": { "action": "accept", "description": "allow ICMP", "protocol": "icmp" } } }, "GUESTv6_OUT": { "default-action": "accept", "description": "packets forward to guest network" }, "LANv6_IN": { "default-action": "accept", "description": "packets from intranet" }, "LANv6_LOCAL": { "default-action": "accept", "description": "packets from intranet to gateway" }, "LANv6_OUT": { "default-action": "accept", "description": "packets forward to intranet" }, "WAN_IN-6": { "default-action": "drop", "description": "packets from internet to intranet", "rule": { "3001": { "action": "accept", "description": "allow established/related sessions", "state": { "established": "enable", "related": "enable" } }, "3002": { "action": "drop" }, "3003": { "action": "accept", "description": "allow ICMPv6", "protocol": "icmpv6" } } }, "WAN_LOCAL-6": { "default-action": "drop", "description": "packets from internet to gateway", "rule": { "3001": { "action": "accept", "description": "allow established/related sessions", "state": { "established": "enable", "related": "enable" } }, "3002": { "action": "drop", "description": "drop Invalid state", "state": { "invalid": "enable" } }, "3003": { "action": "accept", "description": "allow ICMPv6", "protocol": "icmpv6" }, "3004": { "action": "accept", "description": "allow DHCPv6 client/server", "destination": { "port": "546" }, "protocol": "udp", "source": { "port": "547" } } } }, "WAN_OUT-6": { "default-action": "accept", "description": "packets to internet" }, "WANv6_IN": { "default-action": "drop", "description": "packets from internet to intranet", "rule": { "3001": { "action": "accept", "description": "allow established/related sessions", "state": { "established": "enable", "invalid": "disable", "new": "disable", "related": "enable" } }, "3002": { "action": "drop", "description": "drop invalid state", "state": { "established": "disable", "invalid": "enable", "new": "disable", "related": "disable" } } } }, "WANv6_LOCAL": { "default-action": "drop", "description": "packets from internet to gateway", "rule": { "3001": { "action": "accept", "description": "Allow neighbor advertisements", "icmpv6": { "type": "neighbor-advertisement" }, "protocol": "ipv6-icmp" }, "3002": { "action": "accept", "description": "Allow neighbor solicitation", "icmpv6": { "type": "neighbor-solicitation" }, "protocol": "ipv6-icmp" }, "3003": { "action": "accept", "description": "allow established/related sessions", "state": { "established": "enable", "invalid": "disable", "new": "disable", "related": "enable" } }, "3004": { "action": "drop", "description": "drop invalid state", "state": { "established": "disable", "invalid": "enable", "new": "disable", "related": "disable" } } } }, "WANv6_OUT": { "default-action": "accept", "description": "packets to internet" } }, "ipv6-receive-redirects": "disable", "ipv6-src-route": "disable", "log-martians": "enable", "name": { "AUTHORIZED_GUESTS": { "default-action": "drop", "description": "authorization check packets from guest network" }, "GUEST_IN": { "default-action": "accept", "description": "packets from guest network", "rule": { "3001": { "action": "accept", "description": "allow DNS packets to external name servers", "destination": { "port": "53" }, "protocol": "tcp_udp" }, "3002": { "action": "accept", "description": "allow packets to captive portal", "destination": { "group": { "network-group": "captive_portal_subnets" }, "port": "443" }, "protocol": "tcp" }, "3003": { "action": "accept", "description": "allow packets to allow subnets", "destination": { "group": { "address-group": "guest_allow_addresses" } } }, "3004": { "action": "drop", "description": "drop packets to restricted subnets", "destination": { "group": { "address-group": "guest_restricted_addresses" } } }, "3005": { "action": "drop", "description": "drop packets to intranet", "destination": { "group": { "network-group": "corporate_network" } } }, "3006": { "action": "drop", "description": "drop packets to remote user", "destination": { "group": { "network-group": "remote_user_vpn_network" } } }, "3007": { "action": "drop", "description": "authorized guests white list", "destination": { "group": { "address-group": "authorized_guests" } } } } }, "GUEST_LOCAL": { "default-action": "drop", "description": "packets from guest network to gateway", "rule": { "3001": { "action": "accept", "description": "allow DNS", "destination": { "port": "53" }, "protocol": "tcp_udp" }, "3002": { "action": "accept", "description": "allow ICMP", "protocol": "icmp" }, "3003": { "action": "accept", "description": "allow to DHCP server", "destination": { "port": "67" }, "protocol": "udp", "source": { "port": "68" } } } }, "GUEST_OUT": { "default-action": "accept", "description": "packets forward to guest network" }, "LAN_IN": { "default-action": "accept", "description": "packets from intranet", "rule": { "6001": { "action": "accept", "description": "accounting defined network 192.168.1.0/24", "source": { "address": "192.168.1.0/24" } }, "6002": { "action": "accept", "description": "accounting defined network 192.168.10.0/24", "source": { "address": "192.168.10.0/24" } } } }, "LAN_LOCAL": { "default-action": "accept", "description": "packets from intranet to gateway" }, "LAN_OUT": { "default-action": "accept", "description": "packets forward to intranet", "rule": { "6001": { "action": "accept", "description": "accounting defined network 192.168.1.0/24", "destination": { "address": "192.168.1.0/24" } }, "6002": { "action": "accept", "description": "accounting defined network 192.168.10.0/24", "destination": { "address": "192.168.10.0/24" } } } }, "WAN_IN": { "default-action": "drop", "description": "packets from internet to intranet", "rule": { "3001": { "action": "accept", "description": "allow established/related sessions", "state": { "established": "enable", "invalid": "disable", "new": "disable", "related": "enable" } }, "3002": { "action": "drop", "description": "drop invalid state", "state": { "established": "disable", "invalid": "enable", "new": "disable", "related": "disable" } } } }, "WAN_LOCAL": { "default-action": "drop", "description": "packets from internet to gateway", "rule": { "3001": { "action": "accept", "description": "allow established/related sessions", "state": { "established": "enable", "invalid": "disable", "new": "disable", "related": "enable" } }, "3002": { "action": "drop", "description": "drop invalid state", "state": { "established": "disable", "invalid": "enable", "new": "disable", "related": "disable" } } } }, "WAN_OUT": { "default-action": "accept", "description": "packets to internet" } }, "options": { "mss-clamp": { "interface-type": [ "pppoe", "pptp", "vti" ], "mss": "1452" }, "mss-clamp6": { "interface-type": [ "pppoe", "pptp" ], "mss": "1452" } }, "receive-redirects": "disable", "send-redirects": "enable", "source-validation": "strict", "syn-cookies": "enable" }, "interfaces": { "ethernet": { "eth0": { "address": [ "192.168.1.1/24" ], "description": "LAN", "duplex": "auto", "firewall": { "in": { "ipv6-name": "LANv6_IN", "name": "LAN_IN" }, "local": { "ipv6-name": "LANv6_LOCAL", "name": "LAN_LOCAL" }, "out": { "ipv6-name": "LANv6_OUT", "name": "LAN_OUT" } }, "ipv6": { "dup-addr-detect-transmits": "1", "router-advert": { "cur-hop-limit": "64", "link-mtu": "0", "managed-flag": "false", "max-interval": "600", "other-config-flag": "false", "prefix": { "::/64": { "autonomous-flag": "true", "on-link-flag": "true", "valid-lifetime": "2592000" } }, "reachable-time": "0", "retrans-timer": "0", "send-advert": "true" } }, "speed": "auto" }, "eth1": { "description": "LAN2", "duplex": "auto", "firewall": { "in": { "ipv6-name": "LANv6_IN", "name": "LAN_IN" }, "local": { "ipv6-name": "LANv6_LOCAL", "name": "LAN_LOCAL" }, "out": { "ipv6-name": "LANv6_OUT", "name": "LAN_OUT" } }, "speed": "auto", "vif": { "832": { "address": [ "192.168.10.1/24" ], "firewall": { "in": { "ipv6-name": "LANv6_IN", "name": "LAN_IN" }, "local": { "ipv6-name": "LANv6_LOCAL", "name": "LAN_LOCAL" }, "out": { "ipv6-name": "LANv6_OUT", "name": "LAN_OUT" } } } } }, "eth2": { "description": "WAN", "duplex": "auto", "speed": "auto", "vif": { "832": { "address": [ "dhcp" ], "description": "WAN", "dhcp-options": { "client-option": [ "retry 60;", "send vendor-class-identifier "sagem";", "send user-class "\\053FSVDSL_livebox.Internet.softathome.Livebox4";", "send rfc3118-auth 00:00:00:00:00:00:00:00:00:00:00:1a:09:00:00:05:58:01:03:41:01:0D:66:74:69:2F:7A:33:75:65:68:33:71:3c:12:31:32:33:34:35:36:37:38:39:30:31:32:33:34:35:36:03:13:41:0c:11:18:5a:63:04:71:63:97:a6:f4:d0:82:2e:6e:9d;", "request subnet-mask, routers, domain-name-servers, domain-name, broadcast-address, dhcp-lease-time, dhcp-renewal-time, dhcp-rebinding-time, rfc3118-auth;" ], "default-route": "update", "default-route-distance": "1", "name-server": "update" }, "egress-qos": "0:0 1:0 2:0 3:0 4:0 5:0 6:6 7:0", "firewall": { "in": { "ipv6-name": "WAN_IN-6", "name": "WAN_IN" }, "local": { "ipv6-name": "WAN_LOCAL-6", "name": "WAN_LOCAL" }, "out": { "ipv6-name": "WAN_OUT-6", "name": "WAN_OUT" } }, "ipv6": { "address": { "autoconf": "''" }, "dup-addr-detect-transmits": "1" } } } }, "eth3": { "disable": "''", "duplex": "auto", "speed": "auto" } }, "loopback": { "lo": "''" } }, "port-forward": { "auto-firewall": "disable", "hairpin-nat": "enable", "lan-interface": [ "eth0", "eth1.832" ], "wan-interface": "eth2.832" }, "service": { "dhcp-server": { "disabled": "false", "global-parameters": [ "class "denied" { match substring (hardware, 1, 6); deny booting; } subclass "denied" b4:fb:e4:8e:7b:d0; subclass "denied" b4:fb:e4:8e:7b:d1; subclass "denied" b4:fb:e4:8e:7b:d2; subclass "denied" b4:fb:e4:8e:7b:d3;" ], "hostfile-update": "enable", "shared-network-name": { "net_LAN_eth0_192.168.1.0-24": { "authoritative": "enable", "description": "vlan1", "subnet": { "192.168.1.0/24": { "default-router": "192.168.1.1", "dns-server": [ "192.168.1.1" ], "domain-name": "localdomain", "lease": "86400", "start": { "192.168.1.6": { "stop": "192.168.1.253" } } } } }, "net_LIVEBOX_eth1_192.168.10.0-24": { "authoritative": "enable", "description": "vlan832", "subnet": { "192.168.10.0/24": { "default-router": "192.168.10.1", "dns-server": [ "80.10.246.1", "81.253.149.9" ], "lease": "86400", "start": { "192.168.10.6": { "stop": "192.168.10.254" } } } } } }, "static-arp": "disable", "use-dnsmasq": "disable" }, "dns": { "forwarding": { "cache-size": "10000", "except-interface": [ "eth2.832" ], "options": [ "ptr-record=1.1.168.192.in-addr.arpa,USGPRO4", "host-record=unifi,127.0.0.1" ] } }, "gui": { "http-port": "80", "https-port": "443", "older-ciphers": "enable" }, "lldp": { "interface": { "eth2": { "disable": "''" } } }, "nat": { "rule": { "6001": { "description": "MASQ corporate_network to WAN", "log": "disable", "outbound-interface": "eth2.832", "protocol": "all", "source": { "group": { "network-group": "corporate_network" } }, "type": "masquerade" }, "6002": { "description": "MASQ remote_user_vpn_network to WAN", "log": "disable", "outbound-interface": "eth2.832", "protocol": "all", "source": { "group": { "network-group": "remote_user_vpn_network" } }, "type": "masquerade" }, "6003": { "description": "MASQ guest_network to WAN", "log": "disable", "outbound-interface": "eth2.832", "protocol": "all", "source": { "group": { "network-group": "guest_network" } }, "type": "masquerade" } } }, "snmp": { "community": { "public": { "authorization": "ro" } } }, "ssh": { "port": "22", "protocol-version": "v2" } }, "system": { "conntrack": { "expect-table-size": "2048", "hash-size": "32768", "modules": { "sip": { "disable": "''" } }, "table-size": "262144", "timeout": { "icmp": "30", "other": "600", "tcp": { "close": "10", "close-wait": "60", "established": "7440", "fin-wait": "120", "last-ack": "30", "syn-recv": "60", "syn-sent": "120", "time-wait": "120" }, "udp": { "other": "30", "stream": "180" } } }, "domain-name": "localdomain", "host-name": "USGPRO4", "ip": { "override-hostname-ip": "192.168.1.1" }, "login": { "user": { "admin": { "authentication": { "encrypted-password": "$6$pzjWUBja$S5zBcM/AQHxTHoGHcsRQDO6/YAjgQyK4rn.YNLnxC2XneF9zpppkJUct3VGUyN2chf1XTMM24.6wmo1Oo3KpO/" }, "level": "admin" } } }, "ntp": { "server": { "0.ubnt.pool.ntp.org": "''", "1.ubnt.pool.ntp.org": "''", "2.ubnt.pool.ntp.org": "''", "3.ubnt.pool.ntp.org": "''" } }, "offload": { "ipsec": "enable", "ipv4": { "forwarding": "enable", "gre": "enable", "pppoe": "enable", "vlan": "enable" }, "ipv6": { "forwarding": "enable", "vlan": "enable" } }, "static-host-mapping": { "host-name": { "setup.ubnt.com": { "alias": [ "setup" ], "inet": [ "192.168.1.1" ] } } }, "syslog": { "global": { "facility": { "all": { "level": "notice" }, "protocols": { "level": "debug" } } } }, "time-zone": "Europe/Paris", "traffic-analysis": { "dpi": "enable", "export": "disable" } }, "unifi": { "mgmt": { "cfgversion": "c26c38b6ae26ec12" } } }