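/* EdgeOS (VyOS-style) config.boot, re-indented from a forum paste. The paste lost every closing brace; they are restored here from the node hierarchy. */
/* NOTE(review): the paste also appears to have dropped some lines — no `action accept` is visible on any allow rule, the `authentication { }` container is missing under the login user, the IPsec peers and l2tp remote-access, and the ike/esp groups show no `proposal` node. Nothing has been invented to fill those gaps; confirm against the live config.boot. */
/* Secrets, host names and MAC addresses were masked by the poster (****, XXXX, 9x:x6:...) and are not valid values. */
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            description "allow ping"
            protocol icmp
        }
        /* REVIEW: rule 22 admits TCP 80/443 from the Internet to the router itself, and `service gui` below listens on exactly those ports with `older-ciphers enable`. That exposes the management GUI (plain HTTP and legacy TLS ciphers) on eth0. Prefer reaching the GUI over the L2TP/IPsec VPN and removing this rule, or at least constrain it with a `source { address ... }` match and drop `older-ciphers`. */
        rule 22 {
            description "allow outside web"
            destination {
                port 80,443
            }
            protocol tcp
        }
        /* Rules 30-60 are the inbound VPN services: IKE, ESP, NAT-T and L2TP (the latter only when arriving inside IPsec). */
        rule 30 {
            description IKE
            destination {
                port 500
            }
            protocol udp
        }
        rule 40 {
            description ESP
            protocol esp
        }
        rule 50 {
            description NAT-T
            destination {
                port 4500
            }
            protocol udp
        }
        rule 60 {
            description L2TP
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    /* REVIEW: reverse-path filtering is off, so spoofed-source packets arriving on the wrong interface are not discarded; `strict` (or `loose` for asymmetric routing) is the usual hardening for a single-WAN edge router. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        /* WAN_IN filters forwarded traffic, WAN_LOCAL filters traffic addressed to the router. No rule admits TCP 22, so SSH is not reachable from eth0. */
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.10.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                /* REVIEW: this pool (.38-.243) overlaps the L2TP client-ip-pool (.240-.249) under vpn l2tp below, so a DHCP lease and a VPN client can be handed the same address. Shrink one of the two ranges. */
                start 192.168.10.38 {
                    stop 192.168.10.243
                }
                static-mapping DianePC {
                    ip-address 192.168.10.41
                    mac-address 9x:x6:54:xx:2x:70
                }
                static-mapping GrandstreamUCM {
                    ip-address 192.168.10.55
                    mac-address 00:0x:82:9b:x5:6e
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name XXXX.XXXXXXX.net
                    login XXXXXXXX
                    password ****************
                    server domains.google.com
                }
                web dyndns
            }
        }
        /* The forwarder listens on the LAN switch only, so it is not an open resolver toward eth0. */
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    /* REVIEW: see WAN_LOCAL rule 22 — these ports are reachable from the Internet. `older-ciphers enable` re-enables legacy TLS cipher suites on the HTTPS listener; disable it unless a specific old client needs it. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    host-name XXXXX
    login {
        user XXXXX {
            /* NOTE(review): a `plaintext-password` value is shown alongside `encrypted-password`; EdgeOS normally blanks the plaintext field after commit — confirm the saved config does not retain a clear-text password. */
            encrypted-password ****************
            plaintext-password ****************
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
traffic-control {
    smart-queue 1 {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 30.9mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 7.7mbit
        }
        wan-interface eth0
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        /* NOTE(review): the esp-groups are empty and each ike-group shows only `dh-group 14` in the paste; the encryption/hash proposals are not visible here, so the cipher strength of the three tunnels cannot be assessed from this page. */
        esp-group FOO0 {
        }
        esp-group FOO1 {
        }
        esp-group FOO2 {
        }
        ike-group FOO0 {
            dh-group 14
        }
        ike-group FOO1 {
            dh-group 14
        }
        ike-group FOO2 {
            dh-group 14
        }
        site-to-site {
            /* All three peers use pre-shared-secret authentication and initiate from `local-address any`. The local/remote prefixes are written with host bits set (x.x.x.1/24); the network address (x.x.x.0/24) is the conventional form — confirm the device normalises it. */
            peer XXXXXX.XXXX.net {
                mode pre-shared-secret
                pre-shared-secret ****************
                connection-type initiate
                description XXXX
                ike-group FOO2
                local-address any
                tunnel 1 {
                    esp-group FOO2
                    local {
                        prefix 192.168.10.1/24
                    }
                    remote {
                        prefix 192.168.1.1/24
                    }
                }
            }
            peer XXX.XXXXXXX.net {
                mode pre-shared-secret
                pre-shared-secret ****************
                connection-type initiate
                description aky
                ike-group FOO0
                local-address any
                tunnel 1 {
                    esp-group FOO0
                    local {
                        prefix 192.168.10.1/24
                    }
                    remote {
                        prefix 192.168.4.1/24
                    }
                }
            }
            peer XXXXXXX.XXXXXXXXX.net {
                mode pre-shared-secret
                pre-shared-secret ****************
                connection-type initiate
                description BattleLake
                ike-group FOO1
                local-address any
                tunnel 1 {
                    esp-group FOO1
                    local {
                        prefix 192.168.10.1/24
                    }
                    remote {
                        prefix 192.168.15.1/24
                    }
                }
            }
        }
    }
    l2tp {
        remote-access {
            local-users {
                username andrew {
                    password ****************
                }
            }
            mode local
            /* REVIEW: overlaps the DHCP pool 192.168.10.38-243 defined under service dhcp-server. */
            client-ip-pool {
                start 192.168.10.240
                stop 192.168.10.249
            }
            dhcp-interface eth0
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            /* L2TP/IPsec uses a single group pre-shared secret shared by every remote-access client; rotate it if a client device is lost. */
            ipsec-settings {
                mode pre-shared-secret
                pre-shared-secret ****************
                ike-lifetime 3600
            }
            mtu 1492
        }
    }
}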