@igvferbij deze mijn config met 2 VLANs. De wifi access-point heeft 2 netwerken en tagged de pakketten naar VLAN 192.168.3.x of 192.168.101.x
Linux EdgeRouter 3.10.107-UBNT #1 SMP Fri Feb 21 10:42:32 UTC 2020 mips
Welcome to EdgeOS
Last login: Fri Jul 10 16:13:50 2020
*******@EdgeRouter:~$ show configuration
/* EdgeOS (Vyatta-style) running configuration as posted to the thread.
   Credentials, MAC addresses and the external ports of the port-forwards were
   masked with asterisks by the poster. The collapsed `show configuration`
   output has been re-indented here; every token is as posted. */
firewall {
    all-ping enable
    broadcast-ping disable
    /* IPv6 WAN -> LAN (forwarded). Stateful: only return traffic plus ICMPv6
       is accepted; rule 30 accepts every ICMPv6 type (no type filter). */
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "allow ICMPv6"
            protocol ipv6-icmp
        }
    }
    /* IPv6 WAN -> router itself. Same shape as WANv6_IN plus rule 40, which
       lets the DHCPv6 server (udp/547 -> udp/546) answer the PD request made
       under interfaces ethernet eth0 dhcpv6-pd. */
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* IPv4 WAN -> LAN (forwarded). No explicit service rules here: the
       port-forward section below has auto-firewall enable, which adds the
       matching accepts for every forwarded port automatically. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* IPv4 WAN -> router itself. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        /* NOTE(review): this opens the router's own HTTPS GUI (service gui
           https-port 443) to any source on the internet, and service gui
           older-ciphers enable below means that exposed listener also offers
           legacy TLS cipher suites. Limiting the source address, or reaching
           the GUI over a VPN instead, would shrink the exposure. The rule is
           logged, which at least makes access attempts visible in syslog. */
        rule 21 {
            action accept
            description "remote web management"
            destination {
                port 443
            }
            log enable
            protocol tcp
        }
    }
    /* Guest VLAN (switch0.101) -> forwarded traffic. default-action accept:
       everything not hit by rule 2 is allowed, so guests reach the internet;
       rule 1 is evaluated first and is the single exception into the LAN. */
    name guest_in {
        default-action accept
        description "allow guest to DNS (pihole)"
        rule 1 {
            action accept
            description DNS
            destination {
                address 192.168.3.11
                port 53
            }
            log disable
            protocol tcp_udp
        }
        /* 192.168.3.11/24 is a host address written with a /24 mask; only
           the network part is matched, so this drops guest traffic to the
           whole 192.168.3.0/24 private LAN, not just the Pi-hole. Writing it
           as 192.168.3.0/24 states the intent explicitly. */
        rule 2 {
            action drop
            description other
            destination {
                address 192.168.3.11/24
            }
            log disable
            protocol all
        }
    }
    /* Guest VLAN -> router itself. There are no rules at all, so guests can
       reach neither 192.168.101.1 nor 192.168.3.1 for any service: the
       secondary dns-server 192.168.3.1 handed out by DHCP_for_guests and the
       dns forwarding listen-on switch0.101 below are unreachable from this
       VLAN. NOTE(review): confirm on a guest client that DHCP lease renewals
       (unicast udp/67 to the router) still succeed with this chain in place. */
    name guest_local {
        default-action drop
        description "No guest acces to edgerouter"
    }
    receive-redirects disable
    send-redirects enable
    /* Reverse-path (uRPF) checking is off; enabling it would drop packets
       whose source address could not have arrived on that interface. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    /* WAN uplink: IPv4 via DHCP, IPv6 via SLAAC plus a /60 prefix delegation. */
    ethernet eth0 {
        address dhcp
        description Internet
        /* NOTE(review): eth3 and eth4 are member ports of switch0 (see
           switch-port below) and switch0 itself carries no IPv4 address -
           only vif 3 does - so the pd entries for eth3, eth4 and switch0 look
           stale. Verify which delegations are actually in use. */
        dhcpv6-pd {
            pd 0 {
                interface eth3 {
                    host-address ::1
                    prefix-id :3
                    service slaac
                }
                interface eth4 {
                    host-address ::1
                    prefix-id :4
                    service slaac
                }
                interface switch0 {
                    host-address ::1
                    prefix-id :1
                    service slaac
                }
                interface switch0.3 {
                    host-address ::1
                    prefix-id :5
                    service slaac
                }
                prefix-length 60
            }
            prefix-only
            rapid-commit enable
        }
        duplex auto
        /* Both the v4 and v6 WAN rule sets above are bound here. */
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        ipv6 {
            address {
                autoconf
            }
            dup-addr-detect-transmits 1
        }
        speed auto
    }
    ethernet eth1 {
        description "not used"
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description voip
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description uplink
        duplex auto
        speed auto
    }
    /* Access point port; PoE pass-through powers the AP. */
    ethernet eth4 {
        description wifiAP
        duplex auto
        poe {
            output pthru
        }
        speed auto
    }
    loopback lo {
    }
    /* VLAN-aware switch: eth1-eth3 carry VLAN 3 untagged; eth4 (wifiAP)
       carries VLAN 3 untagged and VLAN 101 tagged, which is what the two
       SSIDs described in the post need. */
    switch switch0 {
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
                vlan {
                    pvid 3
                }
            }
            interface eth2 {
                vlan {
                    pvid 3
                }
            }
            interface eth3 {
                vlan {
                    pvid 3
                }
            }
            interface eth4 {
                vlan {
                    pvid 3
                    vid 101
                }
            }
            vlan-aware enable
        }
        /* Private LAN, dual stack. No firewall is bound here, so LAN hosts
           can reach the router and the guest VLAN without restriction. */
        vif 3 {
            address 192.168.3.1/24
            description "Private LAN"
            ipv6 {
                address {
                    autoconf
                }
                dup-addr-detect-transmits 1
            }
        }
        /* Guest VLAN, IPv4 only (no ipv6 or PD entry, so no v6 rule set is
           needed). guest_in / guest_local apply to traffic entering from
           guest clients. */
        vif 101 {
            address 192.168.101.1/24
            description "guest network"
            firewall {
                in {
                    name guest_in
                }
                local {
                    name guest_local
                }
            }
        }
    }
}
/* auto-firewall enable: every rule below also gets an implicit WAN_IN accept.
   hairpin-nat applies to the listed lan-interface only (switch0.3), so the
   forwards are reachable by external name from the private LAN but not
   from the guest VLAN. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0.3
    rule 1 {
        description VoIP
        forward-to {
            address 192.168.3.9
            port 5004-5020
        }
        original-port *****-*****
        protocol tcp_udp
    }
    rule 2 {
        description SIP
        forward-to {
            address 192.168.3.9
            port 5060
        }
        original-port *****
        protocol tcp_udp
    }
    rule 3 {
        description WebManagement
        forward-to {
            address 192.168.3.8
            port 5001
        }
        original-port *****
        protocol tcp
    }
    rule 4 {
        description ResilioSync
        forward-to {
            address 192.168.3.8
            port 28888
        }
        original-port *****
        protocol tcp_udp
    }
    /* WAN tcp/80 goes to the NAS for ACME HTTP-01 challenges; the router's
       own gui http-port 80 is therefore not what answers on the WAN side
       (and WAN_LOCAL has no rule for 80 anyway). */
    rule 5 {
        description LetsEncrypt
        forward-to {
            address 192.168.3.8
            port 80
        }
        original-port 80
        protocol tcp
    }
    /* NOTE(review): forwards a (masked) external port to the router's own
       GUI at 192.168.3.1:443 - a second path from the internet to the admin
       interface on top of WAN_LOCAL rule 21. */
    rule 6 {
        description WebGUI
        forward-to {
            address 192.168.3.1
            port 443
        }
        original-port *****
        protocol tcp
    }
    rule 7 {
        description Domoticz
        forward-to {
            address 192.168.3.11
            port 18443
        }
        original-port *****
        protocol tcp
    }
    /* NOTE(review): rules 8 and 10 expose FTP (cleartext control channel plus
       the PASV data range) and rule 9 exposes ssh AND telnet (tcp/23,
       cleartext) on the Pi, both as tcp_udp although neither uses UDP.
       Telnet and FTP carry credentials unencrypted across the internet;
       SFTP over the existing ssh forward, or a VPN, avoids that, and the
       telnet half of the 22-23 range can be dropped if it is not used. */
    rule 8 {
        description FTP
        forward-to {
            address 192.168.3.8
            port 21
        }
        original-port *****
        protocol tcp
    }
    rule 9 {
        description ssh/TELNET
        forward-to {
            address 192.168.3.11
            port 22-23
        }
        original-port *****-******
        protocol tcp_udp
    }
    rule 10 {
        description "FTP PASV"
        forward-to {
            address 192.168.3.8
            port 55536-55543
        }
        original-port *****-*****
        protocol tcp
    }
    rule 11 {
        description BitTorrent
        forward-to {
            address 192.168.3.8
            port 16881
        }
        original-port *****
        protocol tcp_udp
    }
    rule 12 {
        description "Download station"
        forward-to {
            address 192.168.3.8
            port 5000
        }
        original-port *****
        protocol tcp
    }
    rule 13 {
        description gigaset
        forward-to {
            address 192.168.3.9
            port 80
        }
        original-port *****
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        /* Guest pool: 20 addresses, 1 h leases. The secondary dns-server
           192.168.3.1 is the router, which guest_local blocks for guests, so
           only the Pi-hole (192.168.3.11, allowed by guest_in rule 1) is a
           working resolver on this VLAN. */
        shared-network-name DHCP_for_guests {
            authoritative disable
            subnet 192.168.101.0/24 {
                default-router 192.168.101.1
                dns-server 192.168.3.11
                dns-server 192.168.3.1
                lease 3600
                start 192.168.101.11 {
                    stop 192.168.101.30
                }
            }
        }
        /* Private LAN pool plus fixed addresses for the hosts that the
           port-forward rules target (.8, .9, .11). */
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.11
                dns-server 192.168.3.1
                lease 86400
                start 192.168.3.100 {
                    stop 192.168.3.199
                }
                static-mapping C475IP {
                    ip-address 192.168.3.9
                    mac-address **:**:**:**:**:**
                }
                static-mapping Orka {
                    ip-address 192.168.3.7
                    mac-address **:**:**:**:**:**
                }
                static-mapping RaspberryPi {
                    ip-address 192.168.3.11
                    mac-address **:**:**:**:**:**
                }
                static-mapping Whale {
                    ip-address 192.168.3.8
                    mac-address **:**:**:**:**:**
                }
                unifi-controller 192.168.3.11
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        /* Dynamic DNS credentials are stored in the configuration in the clear
           and show up in `show configuration`; redact them before sharing a
           dump (done here). */
        dynamic {
            interface eth0 {
                service custom-noip {
                    host-name ***************.hopto.org
                    login ************
                    password ****************
                    protocol noip
                }
                web dyndns
            }
        }
        /* Router-side resolver listens on both VLAN interfaces, but see
           guest_local: the guest VLAN cannot actually reach it. */
        forwarding {
            cache-size 150
            listen-on switch0.101
            listen-on switch0.3
        }
    }
    /* NOTE(review): older-ciphers enable re-enables legacy TLS cipher suites
       on the GUI listener, which WAN_LOCAL rule 21 and port-forward rule 6
       expose to the internet. Disable it unless a specific old client needs
       it. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    /* Management SSH. Not reachable from the WAN (no WAN_LOCAL rule for 22)
       nor from the guest VLAN (guest_local drops everything); private LAN
       only. */
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    domain-name **************.hopto.org
    host-name EdgeRouter
    /* Two accounts, both level admin. NOTE(review): plaintext-password is
       normally shown as "" once a commit has hashed it into
       encrypted-password; the masking in this post hides whether a real
       value is still stored here. If it is, remove it via the config path
       system login user <NAME> authentication plaintext-password. */
    login {
        user *********** {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name *********
            level admin
        }
        user ************ {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            full-name ************
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat enable
        ipsec enable
    }
    /* Local syslog only (no remote host configured): the default-log entries
       from the WAN rule sets and the rule 21 log stay on the router unless
       forwarded elsewhere. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Brussels
    traffic-analysis {
        dpi enable
        export enable
    }
}