
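/* The only ruleset in this file is FW_FROM_INET, applied as a local ruleset on eth0.496. The carrier VLANs eth0.63 and eth0.80 (IPsec endpoints) and the PTP link eth1 carry no ruleset, and no in/out ruleset filters forwarded traffic anywhere. */
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
/* NG_ADMIN, NG_ADMIN_2, NG_LOCAL and NG_MGMT are defined but referenced by no rule in this file. */
group {
address-group NG_ADMIN_2 {
address xxx.xxx.100.100
address xxx.xxx.100.133
}
network-group NG_ADMIN {
description "admin networks"
network xxx.xxx.100.0/24
network xxx.xxx.200.0/24
network xxx.xxx.100.0/24
network xxx.xxx.100.0/24
network xxx.xxx.99.0/24
}
/* Sources in this group get unrestricted access to the router via rule 20 below. The xxx.xxx.229.160/30 entry covers the router's own eth0.496 address. */
network-group NG_FROM_ZENIT {
description "external zenit addresses"
network xxx.xxx.83.0/24
network xxx.xxx.253.148/30
network xxx.xxx.229.160/30
}
/* Unused. With source-validation disabled below, a source drop rule using this group at the top of FW_FROM_INET would give basic anti-spoofing on the internet uplink - confirm none of these ranges is a legitimate upstream source first. */
network-group NG_LOCAL {
description "rfc1918, local-link multicast and broadcast"
network xxx.xxx.0.0/8
network xxx.xxx.0.0/12
network xxx.xxx.0.0/16
network xxx.xxx.0.0/8
network xxx.xxx.0.0/16
network xxx.xxx.255.254/31
}
network-group NG_MGMT {
description "cisco management network"
network xxx.xxx.0.0/16
}
network-group NG_VKS {
description "videoconferencing network"
network xxx.xxx.0.0/16
}
network-group NG_VOIP {
description "voip network"
network xxx.xxx.0.0/16
network xxx.xxx.0.0/16
network xxx.xxx.0.0/16
network xxx.xxx.50.64/29
network xxx.xxx.251.4/32
network xxx.xxx.251.7/32
network xxx.xxx.251.8/32
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* Local (to-the-router) ruleset for the internet uplink. Default drop, but without enable-default-log nothing records what is dropped. */
name FW_FROM_INET {
default-action drop
description "access to inet interface"
/* Drops anything addressed to a router address other than the eth0.496 address (loopback, LAN, VTI addresses) before any accept rule is reached. */
rule 5 {
action drop
destination {
address !xxx.xxx.229.162
}
}
rule 10 {
action accept
state {
established enable
related enable
}
}
/* Accepts every protocol and port from NG_FROM_ZENIT. ssh and snmp in this file set no listen-address, so these sources reach both from the internet; narrow this to the services the remote side actually needs. */
rule 20 {
action accept
source {
group {
network-group NG_FROM_ZENIT
}
}
}
/* IKE, NAT-T, AH and ESP are accepted from any source. All three IPsec peers are connection-type initiate from this side, so these rules could be limited to the peer addresses. */
rule 30 {
action accept
description IPSEC
destination {
port 500
}
protocol udp
}
rule 32 {
action accept
description IPSEC
destination {
port 4500
}
protocol udp
}
rule 34 {
action accept
description IPSEC
protocol ah
}
rule 36 {
action accept
description IPSEC
protocol esp
}
/* Disabled: this file defines no vpn l2tp service, so nothing listens on UDP 1701. Re-enable together with an L2TP configuration. */
rule 40 {
action accept
description "FOR L2TP"
destination {
port 1701
}
disable
protocol udp
}
rule 50 {
action accept
description PING-REQUEST
icmp {
code 0
type 8
}
protocol icmp
}
/* Disabled: interface wireguard wg0 is disabled, so the port is closed. Re-enable this rule and wg0 together. */
rule 60 {
action accept
description "Wireguard tunnel"
destination {
port 32878
}
disable
protocol udp
}
/* Disabled: openvpn vtun01 uses protocol tcp-passive on local-port 32879, so a UDP rule never matched it. If internet-wide access to that listener is intended, change this rule to protocol tcp; otherwise remove both when the temporary access ends. */
rule 70 {
action accept
description "OpenVPN tunnel"
destination {
port 32879
}
disable
protocol udp
}
}
/* MSS clamping for the tunnel interfaces (OpenVPN tun01 and the three IPsec VTIs, which carry mtu 1436). */
options {
interface tun01 {
adjust-mss 1360
}
interface vti01 {
adjust-mss 1396
}
interface vti02 {
adjust-mss 1396
}
interface vti03 {
adjust-mss 1396
}
}
receive-redirects disable
/* ICMP redirects are sent on every interface, including the internet uplink; they are normally only useful on the LAN segment. */
send-redirects enable
/* Reverse-path filtering is off. With three uplinks and a separate VRF, strict mode is likely unsafe, but loose mode would still reject sources the router has no route for - verify against the asymmetric paths before changing. */
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}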
interfaces {
ethernet eth0 {
hw-id XX:XX:XX:XX:XX:3a
/* Carrier-facing address; local endpoint of IPsec peer BEELINE-TO-CCR38. No firewall ruleset is attached to this VLAN. */
vif 63 {
address xxx.xxx.230.29/24
description "BEELINE L2"
}
/* Carrier-facing address; local endpoint of IPsec peer MTS-TO-CCR38. No firewall ruleset is attached to this VLAN. */
vif 80 {
address xxx.xxx.221.29/29
description "MTS L3"
}
/* Internet uplink, placed in INET-VRF. FW_FROM_INET filters only traffic to the router itself (local); there is no in/out ruleset for traffic forwarded through this interface. */
vif 496 {
address xxx.xxx.229.162/24
description "ENFORTA INET via RADIO"
firewall {
local {
name FW_FROM_INET
}
}
vrf INET-VRF
}
/* LAN. PR_DSMARKER re-marks the DSCP of all traffic entering here. */
vif 999 {
address xxx.xxx.0.7/24
description LAN
ip {
ospf {
/* OSPFv2 MD5 authentication; every OSPF interface in this file uses key-id 1. */
authentication {
md5 {
key-id 1 {
md5-key xxxxxx
}
}
}
cost 7
dead-interval 40
hello-interval 10
priority 1
retransmit-interval 5
transmit-delay 1
}
}
policy {
route PR_DSMARKER
}
}
}
/* Point-to-point link to the primary router; OSPF with BFD, no firewall ruleset. */
ethernet eth1 {
address xxx.xxx.1.1/31
description "PTP LINK TO PRIMARY ROUTER"
hw-id XX:XX:XX:XX:XX:84
ip {
ospf {
authentication {
md5 {
key-id 1 {
md5-key xxxxxx
}
}
}
bfd
cost 5
dead-interval 40
hello-interval 10
network point-to-point
priority 1
retransmit-interval 5
transmit-delay 1
}
}
}
loopback lo {
address xxx.xxx.73.50/32
description "+LOOPBACK OSPF RID"
}
/* Described as temporary access. bf256 is Blowfish, a 64-bit block cipher exposed to SWEET32-style birthday attacks on long-lived tunnels; move both ends to aes256 or aes256gcm together, or remove the tunnel when the access ends. */
openvpn vtun01 {
description "temp access for zotov"
device-type tun
encryption {
cipher bf256
}
hash sha256
/* local-address and remote-address are the tunnel (tun) addresses, not the public endpoints. */
local-address xxx.xxx.70.130 {
}
/* TCP listener on 32879 bound to all router addresses (no local-host). FW_FROM_INET rule 70 admits UDP 32879, which this listener never uses. */
local-port 32879
mode site-to-site
persistent-tunnel
protocol tcp-passive
remote-address xxx.xxx.70.131
/* TLS with a tls-auth key: packets without the HMAC are dropped before the TLS handshake. Role passive matches protocol tcp-passive. */
tls {
auth-file /config/auth/inet.secret
ca-cert-file xxxxxx
cert-file xxxxxx
dh-file xxxxxx
key-file xxxxxx
role passive
}
}
/* Route-based IPsec to CCR38 via Beeline; OSPF with BFD over the VTI, mss clamped to 1396 by firewall options. */
vti vti01 {
address xxx.xxx.81.175/31
description "IPSEC TO CROC VIA BEELINE"
ip {
ospf {
authentication {
md5 {
key-id 1 {
md5-key xxxxxx
}
}
}
bfd
cost 40
dead-interval 40
hello-interval 10
mtu-ignore
network point-to-point
priority 1
retransmit-interval 5
transmit-delay 1
}
}
mtu 1436
traffic-policy {
out HTB7-POLICY
}
}
/* Route-based IPsec to CCR38 via MTS; same OSPF cost as vti01 but no bfd here, unlike vti01 and vti03 - confirm whether that is intended. */
vti vti02 {
address xxx.xxx.81.177/31
description "IPSEC TO CROC VIA MTS"
ip {
ospf {
authentication {
md5 {
key-id 1 {
md5-key xxxxxx
}
}
}
cost 40
dead-interval 40
hello-interval 10
mtu-ignore
network point-to-point
priority 1
retransmit-interval 5
transmit-delay 1
}
}
mtu 1436
traffic-policy {
out HTB7-POLICY
}
}
/* Route-based IPsec to CCR38 via the internet uplink; highest OSPF cost, used as last resort. No network point-to-point here, unlike vti01 and vti02. */
vti vti03 {
address xxx.xxx.81.179/31
description "IPSEC TO CROC VIA ENFORTA"
ip {
ospf {
authentication {
md5 {
key-id 1 {
md5-key xxxxxx
}
}
}
bfd
cost 150
dead-interval 40
hello-interval 10
mtu-ignore
priority 1
retransmit-interval 5
transmit-delay 1
}
}
mtu 1436
traffic-policy {
out HTB7-POLICY
}
}
/* Disabled temporary remote access; FW_FROM_INET rule 60 still admits UDP 32878 for it. */
wireguard wg0 {
address xxx.xxx.70.128/31
description "tempopary remote access zotov"
disable
/* The /0 allowed-ips accepts any source address from this peer through the tunnel; narrow it to the peer's tunnel address and required networks before re-enabling. */
peer to-zotov {
allowed-ips xxx.xxx.0.0/0
pubkey mPwi/BbLPcd0Q/PKuSF5WVY8fHFh1G4Qxhyxcx8h4H4=
}
port 32878
private-key zotov-local
}
}
/* DSCP marking applied on eth0.999 (LAN). Classification is by port and ICMP type only, so any LAN host can pick a source port such as 22 or 3389 to obtain AF41 treatment in HTB7-POLICY; rule 9999 re-marks everything unmatched to DSCP 0. */
policy {
route PR_DSMARKER {
description "mark all traffic to diffserv agreement"
rule 1000 {
description "AF41 - ICMP PING"
icmp {
code 0
type 8
}
protocol icmp
set {
dscp 34
}
}
rule 1001 {
description "AF41 - ICMP PONG"
icmp {
code 0
type 0
}
protocol icmp
set {
dscp 34
}
}
rule 1010 {
description "AF41 - RDP"
destination {
port 3389
}
protocol tcp
set {
dscp 34
}
}
rule 1011 {
description "AF41 - RDP"
protocol tcp
set {
dscp 34
}
source {
port 3389
}
}
rule 1020 {
description "AF41 - SSH"
protocol tcp
set {
dscp 34
}
source {
port 22
}
}
rule 1021 {
description "AF41 - SSH"
destination {
port 22
}
protocol tcp
set {
dscp 34
}
}
rule 1100 {
description "AF42 - DNS/UDP"
protocol udp
set {
dscp 36
}
source {
port 53
}
}
rule 1101 {
description "AF42 - DNS/UDP"
destination {
port 53
}
protocol udp
set {
dscp 36
}
}
rule 1102 {
description "AF42 - NTP/UDP"
protocol udp
set {
dscp 36
}
source {
port 123
}
}
rule 1103 {
description "AF42 - NTP/UDP"
destination {
port 123
}
protocol udp
set {
dscp 36
}
}
rule 1104 {
description "AF42 - KRB/UDP"
protocol udp
set {
dscp 36
}
source {
port 88
}
}
rule 1105 {
description "AF42 - KRB/UDP"
destination {
port 88
}
protocol udp
set {
dscp 36
}
}
rule 1106 {
description "AF42 - SNMPTRAP"
protocol udp
set {
dscp 36
}
source {
port 162
}
}
rule 1107 {
description "AF42 - SNMPTRAP"
destination {
port 162
}
protocol udp
set {
dscp 36
}
}
/* Address-based rule: both endpoints must be in NG_VKS. */
rule 1200 {
description "AF43 - VCC/VIDEO"
destination {
group {
network-group NG_VKS
}
}
set {
dscp 38
}
source {
group {
network-group NG_VKS
}
}
}
rule 2000 {
description "AF31 - LDAP"
protocol tcp
set {
dscp 24
}
source {
port 389
}
}
rule 2001 {
description "AF31 - LDAP"
destination {
port 389
}
protocol tcp
set {
dscp 24
}
}
rule 2002 {
description "AF31 - SNMP"
protocol udp
set {
dscp 24
}
source {
port 161
}
}
rule 2003 {
description "AF31 - SNMP"
destination {
port 161
}
protocol udp
set {
dscp 24
}
}
rule 2100 {
description "AF32 - DNS/TCP"
protocol tcp
set {
dscp 26
}
source {
port 53
}
}
rule 2101 {
description "AF32 - DNS/TCP"
destination {
port 53
}
protocol tcp
set {
dscp 26
}
}
/* Remaining ICMP (not echo, handled by 1000/1001) gets CS7. */
rule 7000 {
description "CS7 - ICMP EXCL PING"
protocol icmp
set {
dscp 56
}
}
rule 7001 {
description "CS6 - OSPF"
protocol ospf
set {
dscp 48
}
}
/* BFD control and echo ports marked CS6; HTB7-POLICY class 60 matches that marking. */
rule 7002 {
description "CS6 - BFD"
destination {
port 3784-3785
}
protocol udp
set {
dscp 48
}
}
/* Address-based rule: both endpoints must be in NG_VOIP. */
rule 7100 {
description "EF- VOIP"
destination {
group {
network-group NG_VOIP
}
}
set {
dscp 46
}
source {
group {
network-group NG_VOIP
}
}
}
/* Catch-all: any incoming DSCP not re-marked above is cleared, so LAN hosts cannot pre-mark their own traffic. */
rule 9999 {
set {
dscp 0
}
}
}
}
protocols {
bfd {
peer xxxxx.tld {
}
peer xxxxx.tld {
}
peer xxxxx.tld {
}
}
/* Single area with MD5 authentication; passive by default, active only on the LAN, the PTP link and the three VTIs. */
ospf {
area xxx.xxx.12.0 {
authentication md5
network xxx.xxx.81.174/31
network xxx.xxx.81.176/31
network xxx.xxx.0.0/24
network xxx.xxx.81.178/31
network xxx.xxx.1.0/31
network xxx.xxx.73.50/32
}
log-adjacency-changes {
detail
}
parameters {
abr-type cisco
router-id xxx.xxx.73.50
}
passive-interface default
passive-interface-exclude eth0.999
passive-interface-exclude vti01
passive-interface-exclude vti02
passive-interface-exclude vti03
passive-interface-exclude eth1
}
static {
/* Distance 200 makes this a floating default, used only when no routing-protocol default exists - presumably OSPF carries one; confirm. */
route xxx.xxx.0.0/0 {
next-hop xxx.xxx.0.2 {
distance 200
}
}
/* The next-hop-vrf routes send these destinations straight out the internet uplink, bypassing the IPsec paths. Whether replies can come back from INET-VRF depends on routes this file does not show. */
route xxx.xxx.148.110/32 {
next-hop xxx.xxx.229.1 {
next-hop-vrf INET-VRF
}
}
route xxx.xxx.221.16/29 {
next-hop xxx.xxx.221.25 {
}
}
route xxx.xxx.83.144/29 {
next-hop xxx.xxx.229.1 {
next-hop-vrf INET-VRF
}
}
route xxx.xxx.83.215/32 {
next-hop xxx.xxx.229.1 {
next-hop-vrf INET-VRF
}
}
}
/* INET-VRF holds only a default route toward the upstream gateway. */
vrf INET-VRF {
static {
route xxx.xxx.0.0/0 {
next-hop xxx.xxx.229.1 {
}
}
}
}
}
service {
/* No interface list, so LLDP (and CDP) appears to run on every interface, advertising the platform on the carrier VLANs and the internet uplink; restrict with service lldp interface. */
lldp {
legacy-protocols {
cdp
}
}
/* No listen-address: SNMP answers on all router addresses. */
snmp {
description "backup router"
/* Opening quote of this value appears to have been lost in redaction. */
location xxxxxx 12a str 1"
v3 {
engineid fc0000000000000000000002
/* Read-only, authPriv required - good; the weakness is in the algorithms chosen for the user below. */
group mongroup {
mode ro
seclevel priv
view allview
}
/* auth md5 and privacy des are the weakest SNMPv3 options. Moving to sha and aes requires regenerating the localized keys here and on the NMS at the same time. */
user xxxxxx {
auth {
encrypted-password xxxxxx
type md5
}
group mongroup
privacy {
encrypted-password xxxxxx
type des
}
}
view allview {
oid 1 {
exclude .xxx.xxx.6.1.xxx.xxx.4.21
}
}
}
}
/* No listen-address: sshd binds every router address, including the carrier VLANs that carry no firewall ruleset; only eth0.496 is filtered. */
ssh {
port 22
}
}
system {
config-management {
commit-revisions 30
}
console {
device ttyS0 {
speed 115200
}
}
domain-name xxxxxx
host-name xxxxxx
ipv6 {
disable
}
login {
/* RADIUS over UDP 1812, sourced from the loopback; the shared key is the only protection of that exchange. */
radius {
server xxxxx.tld {
key xxxxxx
port 1812
timeout 10
}
source-address xxx.xxx.73.50
}
/* plaintext-password is normally left as an empty string after commit. If the redacted value is non-empty, this file carries a cleartext credential. */
user xxxxxx {
authentication {
encrypted-password xxxxxx
plaintext-password xxxxxx
}
}
user xxxxxx {
authentication {
encrypted-password xxxxxx
plaintext-password xxxxxx
}
}
user xxxxxx {
authentication {
encrypted-password xxxxxx
plaintext-password xxxxxx
}
full-name xxxxxx
}
}
name-server xxx.xxx.0.125
name-server xxx.xxx.0.25
name-server xxx.xxx.100.111
/* NTP serves only on the LAN address. */
ntp {
listen-address xxx.xxx.0.7
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
}
options {
reboot-on-panic
}
/* Package proxy over plain HTTP to an internal host. */
proxy {
port 3128
url http://xxx.xxx.0.88
}
syslog {
global {
archive {
file 20
size 1024
}
facility all {
level info
}
/* protocols at debug is verbose; the archive keeps 20 rotated files. */
facility protocols {
level debug
}
}
}
time-zone Europe/Moscow
}
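/* Egress shaper applied on vti01-vti03. Classes trust the DSCP set by PR_DSMARKER on the LAN; traffic from other ingress interfaces arrives unmarked. */
traffic-policy {
shaper HTB7-POLICY {
bandwidth 180mbit
class 10 {
bandwidth 15%
burst 15k
ceiling 90%
description "CS1 - AF1[123]"
match MATCH-AF11 {
ip {
dscp AF11
}
}
match MATCH-AF12 {
ip {
dscp AF12
}
}
match MATCH-AF13 {
ip {
dscp AF13
}
}
priority 1
queue-type fair-queue
}
class 20 {
bandwidth 20%
burst 15k
ceiling 90%
description "CS2 - AF2[123]"
match MATCH-AF21 {
ip {
dscp AF21
}
}
match MATCH-AF22 {
ip {
dscp AF22
}
}
match MATCH-AF23 {
ip {
dscp AF23
}
}
priority 2
queue-type fair-queue
}
class 30 {
bandwidth 30%
burst 15k
ceiling 95%
description "CS3 - AF3[123]"
match MATCH-AF31 {
ip {
dscp AF31
}
}
match MATCH-AF32 {
ip {
dscp AF32
}
}
match MATCH-AF33 {
ip {
dscp AF33
}
}
priority 3
queue-type fair-queue
}
class 40 {
bandwidth 20%
burst 15k
ceiling 95%
description "CS4 - AF4[123]"
match MATCH-AF41 {
ip {
dscp AF41
}
}
match MATCH-AF42 {
ip {
dscp AF42
}
}
match MATCH-AF43 {
ip {
dscp AF43
}
}
priority 4
queue-type fair-queue
}
class 50 {
bandwidth 10%
burst 15k
ceiling 12%
description CS5/EF
match MATCH-CS5 {
ip {
dscp CS5
}
}
match MATCH-EF {
ip {
dscp EF
}
}
priority 5
queue-limit 10
queue-type drop-tail
}
/* Control-plane class (2%, ceiling 4%, 10-packet drop-tail). The former match MATCH-BFD matched ip protocol udp alone, which put every UDP packet not caught by a lower class into this class and re-marked it CS6 - including all UDP cleared to DSCP 0 by PR_DSMARKER rule 9999. The BFD matches now require udp AND the BFD port; matches within a class are ORed, criteria within a match are ANDed. */
class 60 {
bandwidth 2%
burst 15k
ceiling 4%
description "INTERNETWORK - we will remark once again locally-generated packets"
match MATCH-BFD1 {
ip {
destination {
port 3784
}
protocol udp
}
}
match MATCH-BFD2 {
ip {
destination {
port 3785
}
protocol udp
}
}
match MATCH-CS6 {
ip {
dscp CS6
}
}
match MATCH-OSPF {
ip {
protocol ospf
}
}
priority 6
queue-limit 10
queue-type drop-tail
set-dscp CS6
}
class 70 {
bandwidth 2%
burst 15k
ceiling 4%
description CS7
match MATCH-CS7 {
ip {
dscp CS7
}
}
priority 7
queue-limit 10
queue-type drop-tail
set-dscp CS7
}
/* Everything unmatched, including all unmarked UDP, lands here and is cleared to DSCP 0. */
default {
bandwidth 5%
burst 15k
ceiling 90%
priority 0
queue-type fair-queue
set-dscp 0
}
}
}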
vpn {
ipsec {
/* pfs disable: CHILD_SA rekeys derive from the IKE SA keys, so an IKE SA compromise exposes all ESP traffic for the 86400 s IKE lifetime (no reauth). hash sha1 is HMAC-SHA1. Enable pfs dh-group14 and sha256 on CCR38 and here at the same time. */
esp-group ESP01 {
compression disable
lifetime 3600
mode tunnel
pfs disable
proposal 1 {
encryption aes256
hash sha1
}
}
/* IKEv2, AES-256/SHA-256/MODP-2048, 24 h lifetime without reauthentication. Differs from IKE01 only in close-action and DPD interval. */
ike-group IKE00 {
close-action restart
dead-peer-detection {
action restart
interval 15
timeout 120
}
ikev2-reauth no
key-exchange ikev2
lifetime 86400
proposal 1 {
dh-group 14
encryption aes256
hash sha256
}
}
ike-group IKE01 {
close-action none
dead-peer-detection {
action restart
interval 10
timeout 120
}
ikev2-reauth no
key-exchange ikev2
lifetime 86400
proposal 1 {
dh-group 14
encryption aes256
hash sha256
}
}
logging {
log-level 0
log-modes ike
log-modes knl
log-modes cfg
}
nat-traversal disable
/* All three peers use pre-shared secrets with the same remote-id; whether the secrets differ per link is hidden by redaction. Distinct secrets per link (or certificates) keep one carrier path's compromise from affecting the others. */
site-to-site {
peer xxxxx.tld {
authentication {
id ntop2-m-gw.domain.tld
mode pre-shared-secret
pre-shared-secret xxxxxx
remote-id ccr38.domain.tld
}
connection-type initiate
description MTS-TO-CCR38
force-encapsulation disable
ike-group IKE00
ikev2-reauth inherit
local-address xxx.xxx.221.29
vti {
bind vti02
esp-group ESP01
}
}
peer xxxxx.tld {
authentication {
id ntop2-b-gw.domain.tld
mode pre-shared-secret
pre-shared-secret xxxxxx
remote-id ccr38.domain.tld
}
connection-type initiate
description BEELINE-TO-CCR38
force-encapsulation disable
ike-group IKE01
ikev2-reauth inherit
local-address xxx.xxx.230.29
vti {
bind vti01
esp-group ESP01
}
}
/* Sourced from the eth0.496 address, so this IKE exchange crosses FW_FROM_INET (rules 30-36). */
peer xxxxx.tld {
authentication {
id ntop2-e-gw.domain.tld
mode pre-shared-secret
pre-shared-secret xxxxxx
remote-id ccr38.domain.tld
}
connection-type initiate
description ENFORTA-INET-TO-CCR38
ike-group IKE01
ikev2-reauth inherit
local-address xxx.xxx.229.162
vti {
bind vti03
esp-group ESP01
}
}
}
}
}
/* bind-to-all lets the router's services bind inside every VRF, so listeners such as ssh and snmp are reachable from INET-VRF and only FW_FROM_INET stands between them and the internet. */
vrf {
bind-to-all
name INET-VRF {
table 200
}
}
// Warning: Do not remove the following line.
// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@13:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@19:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1"
// Release version: 1.3-rolling-202010200146
