/* Global kernel hardening options plus two IPv4 rulesets (WAN_IN, WAN_LOCAL). */
/* Both rulesets are bound to eth9 in the interfaces section (in / local). */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* Nets4-BlackList / Nets6-BlackList carry no static members in this */
        /* file; presumably they are filled at runtime by the Update-Blacklists */
        /* task (system task-scheduler, /config/scripts/updBlackList.sh) - verify. */
        network-group Nets4-BlackList {
            description "Blacklisted IPv4 Sources"
        }
        network-group Nets6-BlackList {
            description "Blacklisted IPv6 Sources"
        }
        /* PRIVATE_NETS is defined but no rule in this file references it, and */
        /* its description is the empty string; either use it or remove it. */
        network-group PRIVATE_NETS {
            description ""
            network 172.16.0.0/16
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* WAN_IN: Internet (eth9) traffic forwarded to LAN hosts. Only */
    /* established/related is accepted here; the forwarded ports are admitted */
    /* by "auto-firewall enable" in the port-forward section. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        /* Accepting established/related before the blacklist rules means a */
        /* flow already open from a newly blacklisted source keeps passing until */
        /* its conntrack entry expires; place the drops above this rule if a */
        /* blacklist hit must cut live sessions. */
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        /* Blacklist drops are not logged (log disable), so hits leave no trace */
        /* in syslog; enable logging on rules 20/30 if they are to be monitored. */
        /* "name" rulesets are IPv4; an IPv6 source group in rule 20 appears to */
        /* have no effect (IPv6 rulesets use ipv6-name) - confirm on commit. */
        rule 20 {
            action drop
            description "Blacklisted IPv6 Sources"
            log disable
            protocol all
            source {
                group {
                    network-group Nets6-BlackList
                }
            }
        }
        rule 30 {
            action drop
            description "Blacklisted IPv4 Sources"
            log disable
            protocol all
            source {
                group {
                    network-group Nets4-BlackList
                }
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* WAN_LOCAL: Internet traffic addressed to the router itself. With */
    /* default-action drop and only established/related accepted, the GUI */
    /* (80/443) and SSH (22) configured under service are not reachable via eth9. */
    /* The blacklist groups are not applied here, only in WAN_IN. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    /* The router still emits ICMP redirects; normally disabled on a */
    /* WAN-facing device. */
    send-redirects enable
    /* No reverse-path check on incoming packets; consider */
    /* "source-validation strict" (or loose if routing is asymmetric). */
    source-validation disable
    syn-cookies enable
}
/* Physical ports, the L3 switch (switch0) and its VLAN sub-interfaces. */
/* Only eth3, eth9 and the two switch0 vifs carry an address; eth5 is the */
/* only unused port that is explicitly disabled. */
interfaces {
    /* eth0, eth1 and eth11 have no description, address or "disable"; */
    /* unused ports should be disabled so a stray cable gets no link. */
    ethernet eth0 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    /* eth2 is the tagged uplink for VLANs 3 and 5 (see switch0 switch-port). */
    /* The description is misspelled; it should read "Trunk". */
    ethernet eth2 {
        description Trunck
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    /* Mairie LAN, served by dhcp-server shared-network Mairie (172.16.4.0/24). */
    ethernet eth3 {
        address 172.16.4.254/24
        description Mairie
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    /* eth4 is labelled Wifi but has no address and is not a switch0 member; */
    /* the Wifi network (172.16.5.0/24) lives on switch0 vif 5 - confirm intent. */
    ethernet eth4 {
        description Wifi
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    /* Admin port is disabled, yet a dhcp-server shared-network Admin */
    /* (172.16.6.0/24) is still configured under service. */
    ethernet eth5 {
        description Admin
        disable
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    /* eth6/eth7/eth8 are described but carry no address here. Note that */
    /* service dns forwarding lists eth8 in listen-on. */
    ethernet eth6 {
        description VoIP
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth7 {
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth8 {
        description Local2
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    /* WAN uplink: DHCP-addressed, WAN_IN/WAN_LOCAL applied, masqueraded by */
    /* nat rule 5010 and used as port-forward wan-interface. A fixed MAC is */
    /* set on this port (likely an ISP binding); treat it as identifying */
    /* data when sharing this file. */
    ethernet eth9 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        mac c0:ff:d4:a3:a9:77
        poe {
            output off
        }
        speed auto
    }
    ethernet eth10 {
        description "Fibre Pompiers Ecole"
        duplex auto
        speed auto
    }
    ethernet eth11 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* VLAN-aware switch: eth2 is the only member port and is tagged with */
    /* VLANs 3 and 5; the router's addresses for those VLANs are the vifs. */
    switch switch0 {
        mtu 1500
        switch-port {
            interface eth2 {
                vlan {
                    vid 3
                    vid 5
                }
            }
            vlan-aware enable
        }
        /* VLAN 3: school LAN, also the destination of both port-forward rules */
        /* (172.16.3.200). */
        vif 3 {
            address 172.16.3.254/24
            description "Ecole Principale"
            mtu 1500
        }
        /* VLAN 5: Wifi LAN (172.16.5.0/24). No firewall is applied between */
        /* the vifs or toward the other LAN ports in this file. */
        vif 5 {
            address 172.16.5.254/24
            description Wifi
            mtu 1500
        }
    }
}
/* Inbound DNAT from eth9 to a single LAN host (172.16.3.200, VLAN 3). */
/* With "auto-firewall enable" the matching accept rules are generated */
/* automatically, which is why WAN_IN holds no explicit accept for these */
/* ports. Port-forward offers no source restriction, so both services are */
/* reachable from any Internet address that is not in the blacklist groups. */
port-forward {
    auto-firewall enable
    hairpin-nat disable
    /* TCP+UDP 6320 to the Synology host; confirm that this service is meant */
    /* to be Internet-facing rather than reached over the VPN below. */
    rule 1 {
        description Synology
        forward-to {
            address 172.16.3.200
            port 6320
        }
        original-port 6320
        protocol tcp_udp
    }
    /* UDP 1195 to an OpenVPN server on the same host. */
    rule 2 {
        description OpenVPN
        forward-to {
            address 172.16.3.200
            port 1195
        }
        original-port 1195
        protocol udp
    }
    wan-interface eth9
}
/* Router-hosted services: DHCP, DNS forwarding, web GUI, NAT, SSH. */
service {
    /* Seven DHCP scopes. Only 172.16.3/4/5.0/24 match an interface address */
    /* in this file; the Admin, Batiment-A, Maternelle and VoIP subnets have */
    /* no addressed interface here and so cannot currently be served - */
    /* presumably stale or planned; confirm. Each scope hands out the router */
    /* as primary DNS, but dns forwarding below listens only on eth8 and */
    /* switch0, so e.g. Mairie clients (eth3) would rely on 8.8.8.8. */
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Admin {
            authoritative disable
            subnet 172.16.6.0/24 {
                default-router 172.16.6.254
                dns-server 172.16.6.254
                dns-server 8.8.8.8
                lease 86400
                start 172.16.6.10 {
                    stop 172.16.6.250
                }
            }
        }
        shared-network-name Batiment-A {
            authoritative disable
            subnet 172.16.1.0/24 {
                default-router 172.16.1.254
                dns-server 172.16.1.254
                dns-server 8.8.8.8
                lease 86400
                start 172.16.1.10 {
                    stop 172.16.1.250
                }
            }
        }
        shared-network-name Ecole-principale {
            authoritative disable
            subnet 172.16.3.0/24 {
                default-router 172.16.3.254
                dns-server 172.16.3.254
                dns-server 8.8.8.8
                lease 86400
                /* Pool starts at .5 (others start at .10); 172.16.3.200, the */
                /* port-forward target, lies inside this dynamic range - give it a */
                /* static mapping or move it outside the pool. */
                start 172.16.3.5 {
                    stop 172.16.3.249
                }
            }
        }
        shared-network-name Mairie {
            authoritative disable
            subnet 172.16.4.0/24 {
                default-router 172.16.4.254
                dns-server 172.16.4.254
                dns-server 8.8.8.8
                lease 86400
                start 172.16.4.10 {
                    stop 172.16.4.250
                }
            }
        }
        /* Maternelle and VoIP get only the router as DNS, no 8.8.8.8 fallback. */
        shared-network-name Maternelle {
            authoritative disable
            subnet 172.16.2.0/24 {
                default-router 172.16.2.254
                dns-server 172.16.2.254
                lease 86400
                start 172.16.2.10 {
                    stop 172.16.2.250
                }
            }
        }
        shared-network-name VoIP {
            authoritative disable
            subnet 172.16.7.0/24 {
                default-router 172.16.7.254
                dns-server 172.16.7.254
                lease 86400
                start 172.16.7.10 {
                    stop 172.16.7.250
                }
            }
        }
        shared-network-name Wifi {
            authoritative disable
            subnet 172.16.5.0/24 {
                default-router 172.16.5.254
                dns-server 172.16.5.254
                dns-server 8.8.8.8
                lease 86400
                start 172.16.5.10 {
                    stop 172.16.5.250
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    /* Recursive forwarder for LAN clients; upstream is system name-server. */
    /* eth3 (Mairie) is not listed, although its DHCP scope points clients here. */
    dns {
        forwarding {
            cache-size 150
            listen-on eth8
            listen-on switch0
        }
    }
    /* Web UI on 80 and 443. "older-ciphers enable" allows weaker TLS cipher */
    /* suites on the HTTPS listener; set it to disable unless a legacy client */
    /* needs it. Exposure from the WAN side is prevented by WAN_LOCAL, but the */
    /* UI remains reachable from every LAN segment. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    /* Source NAT for all traffic leaving the Internet port. */
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth9
            type masquerade
        }
    }
    /* SSH on the default port, v2 only; like the GUI it is open to all LANs */
    /* and blocked from eth9 by WAN_LOCAL. */
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
/* Host identity, admin account, time, logging and scheduled tasks. */
system {
    /* Hostname is still the factory default. */
    host-name ubnt
    /* Single admin-level account. The "$6$" prefix marks a SHA-512 crypt hash; */
    /* it is a live credential and this file should not be shared with it in */
    /* place - strip it before publishing and rotate the password if this */
    /* configuration has already been exposed. */
    login {
        user mickael {
            authentication {
                encrypted-password $6$bcPOpUzAVa$kCRpvd9ge54deAfYkM/Av5edZHRGyFi6cmqV3/JrSUgoy33YIaY6Eupv3to6y437nhOCXr8KDWdO/KmZSthEh1
            }
            level admin
        }
    }
    /* Upstream resolver for the router and for service dns forwarding. */
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* Local syslog only; no remote host is configured, so logs are lost on */
    /* reboot or if the device is compromised. Note that the firewall drop */
    /* rules have "log disable", so nothing from them reaches syslog anyway. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    /* Runs /config/scripts/updBlackList.sh every 12h; presumably this is what */
    /* populates the Nets4/Nets6-BlackList groups. The script's download */
    /* source and integrity checks are not visible in this file and should be */
    /* reviewed, since its output feeds the WAN_IN drop rules. */
    task-scheduler {
        task Update-Blacklists {
            executable {
                path /config/scripts/updBlackList.sh
            }
            interval 12h
        }
    }
    time-zone Europe/Paris
    traffic-analysis {
        dpi enable
        export enable
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:u
/* Release version: v1.10.8.5142457.181120.1810 */

