{ "firewall": { "all-ping": "enable", "broadcast-ping": "disable", "group": { "address-group": { "authorized_guests": { "description": "authorized guests MAC addresses" }, "guest_allow_dns_servers": { "description": "allow dns servers for guests" }, "guest_portal_address": { "description": "guest portal address" }, "guest_pre_allow": { "description": "allow addresses for guests" }, "guest_restricted": { "address": [ "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12" ], "description": "restricted addresses for guests" }, "unifi_controller_addresses": { "address": [ "192.168.1.119" ] } }, "ipv6-network-group": { "corporate_networkv6": { "description": "IPv6 corporate subnets" }, "guest_networkv6": { "description": "IPv6 guest subnets" } }, "network-group": { "captive_portal_subnets": { "description": "captive portal subnets" }, "corporate_network": { "description": "corporate subnets", "network": [ "192.168.1.0/24" ] }, "guest_network": { "description": "guest subnets" }, "remote_client_vpn_network": { "description": "remote client VPN subnets" }, "remote_site_vpn_network": { "description": "remote site VPN subnets" }, "remote_user_vpn_network": { "description": "Remote User VPN subnets" } }, "port-group": { "guest_portal_ports": { "description": "guest portal ports" }, "guest_portal_redirector_ports": { "description": "guest portal redirector ports", "port": [ 39080, 39443 ] }, "unifi_controller_ports-tcp": { "description": "unifi tcp ports", "port": [ 8080 ] }, "unifi_controller_ports-udp": { "description": "unifi udp ports", "port": [ 3478 ] } } }, "ipv6-name": { "AUTHORIZED_GUESTSv6": { "default-action": "drop", "description": "authorization check packets from guest network" }, "GUESTv6_IN": { "default-action": "accept", "description": "packets from guest network", "rule": { "3001": { "action": "drop", "description": "drop packets to intranet", "destination": { "group": { "ipv6-network-gr oup": "corporate_networkv6" } } } } }, "GUESTv6_LOCAL": { 
"default-action": "drop", "description": "packets from guest network to gateway", "rule": { "3001": { "action": "accept", "description": "allow DNS", "destination": { "port": "53" }, "protocol": "udp" }, "3002": { "action": "accept", "description": "allow ICMP", "protocol": "icmp" } } }, "GUESTv6_OUT": { "default-action": "accept", "description": "packets forward to guest network" }, "LANv6_IN": { "default-action": "accept", "description": "packets from intranet" }, "LANv6_LOCAL": { "default-action": "accept", "description": "packets from intranet to gateway" }, "LANv6_OUT": { "default-action": "accept", "description": "packets forward to intranet" }, "WANv6_IN": { "default-action": "drop", "description": "packets from internet to intranet", "rule": { "3001": { "action": "accept", "description": "allow established/related sessions", "state": { "established": "enable", "invalid": "disable", "new": "disable", "related": "enable" } }, "3002": { "action": "drop", "description": "drop invalid state", "state": { "established": "disable" , "invalid": "enable", "new": "disable", "related": "disable" } } } }, "WANv6_LOCAL": { "default-action": "drop", "description": "packets from internet to gateway", "rule": { "3001": { "action": "accept", "description": "Allow neighbor advertisements", "icmpv6": { "type": "neighbor-advert isement" }, "protocol": "ipv6-icmp" }, "3002": { "action": "accept", "description": "Allow neighbor solicitation", "icmpv6": { "type": "neighbor-solici tation" }, "protocol": "ipv6-icmp" }, "3003": { "action": "accept", "description": "allow established/related sessions", "state": { "established": "enable", "invalid": "disable", "new": "disable", "related": "enable" } }, "3004": { "action": "accept", "description": "Allow DHCPv6", "destination": { "port": "546" }, "protocol": "udp", "source": { "port": "547" } }, "3005": { "action": "accept", "description": "Allow router advertisements", "icmpv6": { "type": "router-advertis ement" }, 
"protocol": "ipv6-icmp" }, "3006": { "action": "drop", "description": "drop invalid state", "state": { "established": "disable" , "invalid": "enable", "new": "disable", "related": "disable" } } } }, "WANv6_OUT": { "default-action": "accept", "description": "packets to internet" } }, "name": { "AUTHORIZED_GUESTS": { "default-action": "drop", "description": "authorization check packets from guest network" }, "GUEST_IN": { "default-action": "accept", "description": "packets from guest network", "rule": { "3001": { "action": "accept", "description": "allow DNS packets to external name servers", "destination": { "port": "53" }, "protocol": "tcp_udp" }, "3002": { "action": "accept", "description": "allow packets to captive portal", "destination": { "group": { "network-group": "captive_portal_subnets" }, "port": "443" }, "protocol": "tcp" }, "3003": { "action": "accept", "description": "allow packets to allow subnets", "destination": { "group": { "address-group": "guest_pre_allow" } } }, "3004": { "action": "drop", "description": "drop packets to restricted subnets", "destination": { "group": { "address-group": "guest_restricted" } } }, "3005": { "action": "drop", "description": "drop packets to intranet", "destination": { "group": { "network-group": "corporate_network" } } }, "3006": { "action": "drop", "description": "drop packets to remote user", "destination": { "group": { "network-group": "remote_user_vpn_network" } } }, "3007": { "action": "drop", "description": "allow authorized and drop unauthorized", "destination": { "group": { "address-group": "authorized_guests" } } } } }, "GUEST_LOCAL": { "default-action": "drop", "description": "packets from guest network to gateway", "rule": { "3001": { "action": "accept", "description": "allow DNS", "destination": { "port": "53" }, "protocol": "tcp_udp" }, "3002": { "action": "accept", "description": "allow ICMP", "protocol": "icmp" }, "3003": { "action": "accept", "description": "allow to DHCP server", "destination": { 
"port": "67" }, "protocol": "udp", "source": { "port": "68" } } } }, "GUEST_OUT": { "default-action": "accept", "description": "packets forward to guest network" }, "LAN_IN": { "default-action": "accept", "description": "packets from intranet", "rule": { "6001": { "action": "accept", "description": "accounting defined network 192.168.1.0/24", "source": { "address": "192.168.1.0/ 24" } } } }, "LAN_LOCAL": { "default-action": "accept", "description": "packets from intranet to gateway" }, "LAN_OUT": { "default-action": "accept", "description": "packets forward to intranet", "rule": { "6001": { "action": "accept", "description": "accounting defined network 192.168.1.0/24", "destination": { "address": "192.168.1.0/ 24" } } } }, "WAN_IN": { "default-action": "drop", "description": "packets from internet to intranet", "rule": { "3001": { "action": "accept", "description": "allow established/related sessions", "state": { "established": "enable", "invalid": "disable", "new": "disable", "related": "enable" } }, "3002": { "action": "drop", "description": "drop invalid state", "state": { "established": "disable" , "invalid": "enable", "new": "disable", "related": "disable" } } } }, "WAN_LOCAL": { "default-action": "drop", "description": "packets from internet to gateway", "rule": { "3001": { "action": "accept", "description": "allow established/related sessions", "state": { "established": "enable", "invalid": "disable", "new": "disable", "related": "enable" } }, "3002": { "action": "drop", "description": "drop invalid state", "state": { "established": "disable" , "invalid": "enable", "new": "disable", "related": "disable" } } } }, "WAN_OUT": { "default-action": "accept", "description": "packets to internet" } }, "options": { "mss-clamp": { "interface-type": [ "pppoe", "pptp", "vti" ], "mss": "1452" }, "mss-clamp6": { "interface-type": [ "pppoe", "pptp" ], "mss": "1432" } }, "receive-redirects": "disable", "send-redirects": "enable", "source-validation": "strict", 
"syn-cookies": "enable" }, "interfaces": { "ethernet": { "eth0": { "description": "WAN", "firewall": { "in": { "ipv6-name": "WANv6_IN", "name": "WAN_IN" }, "local": { "ipv6-name": "WANv6_LOCAL", "name": "WAN_LOCAL" }, "out": { "ipv6-name": "WANv6_OUT", "name": "WAN_OUT" } }, "pppoe": { "0": { "default-route": "none", "dhcpv6-pd": { "no-dns": "''", "pd": { "0": { "interfa ce": { "eth1": "''" }, "prefix- length": "56" } }, "rapid-commit": "enable" }, "firewall": { "in": { "ipv6-name": "WA Nv6_IN", "name": "WAN_IN" }, "local": { "ipv6-name": "WA Nv6_LOCAL", "name": "WAN_LOC AL" }, "out": { "ipv6-name": "WA Nv6_OUT", "name": "WAN_OUT " } }, "ipv6": { "address": "autoconf", "enable": "''" }, "name-server": "none", "password": "****", "user-id": "****" } } }, "eth1": { "address": [ "192.168.1.1/24" ], "description": "LAN", "firewall": { "in": { "ipv6-name": "LANv6_IN", "name": "LAN_IN" }, "local": { "ipv6-name": "LANv6_LOCAL", "name": "LAN_LOCAL" }, "out": { "ipv6-name": "LANv6_OUT", "name": "LAN_OUT" } }, "ipv6": { "dup-addr-detect-transmits": "1", "router-advert": { "default-preference": "high", "managed-flag": "false", "max-interval": "600", "name-server": [ "fe80::76ac:b9ff:fe3f:e0 48" ], "other-config-flag": "false", "prefix": { "::/64": { "autonomous-flag ": "true", "on-link-flag": "true", "preferred-lifet ime": "14400", "valid-lifetime" : "86400" } }, "radvd-options": "DNSSL localdom ain {};", "send-advert": "true" } } }, "eth2": { "disable": "''" } }, "loopback": { "lo": "''" }, "pseudo-ethernet": { "peth0": { "address": [ "192.168.2.100/24" ], "description": "Zugriff auf Modem", "link": [ "eth0" ] } } }, "port-forward": { "auto-firewall": "disable", "hairpin-nat": "enable", "lan-interface": [ "eth1" ], "wan-interface": "pppoe0" }, "protocols": { "static": { "interface-route": { "0.0.0.0/0": { "next-hop-interface": { "pppoe0": { "distance": 1 } } } }, "interface-route6": { "::/0": { "next-hop-interface": { "pppoe0": { "distance": 1 } } } } } }, "service": { 
"dhcp-server": { "disabled": "false", "global-parameters": [ "class "denied" { match substring (har dware, 1, 6); deny booting; } subclass "denied" 74:ac:b9:3f:e0:47; sub class "denied" 74:ac:b9:3f:e0:48; subclass "denied" 74:ac:b9 :3f:e0:49;" ], "hostfile-update": "enable", "shared-network-name": { "net_LAN_eth1_192.168.1.0-24": { "authoritative": "enable", "description": "vlan1", "subnet": { "192.168.1.0/24": { "default-router": "192.1 68.1.1", "dns-server": [ "192.168.1.1" ], "domain-name": "localdom ain", "lease": "86400", "start": { "192.168.1.100": { "stop": "192.168.1.254" } } } } } }, "use-dnsmasq": "disable" }, "dns": { "forwarding": { "cache-size": "10000", "except-interface": [ "pppoe0" ], "options": [ "all-servers", "cname=unifi.localdomain,unifi", "server=8.8.8.8", "server=8.8.4.4", "host-record=unifi,192.168.1.119" ] } }, "gui": { "https-port": "443" }, "lldp": { "interface": { "eth0": { "disable": "''" } } }, "nat": { "rule": { "5000": { "destination": { "address": [ "192.168.2.1" ] }, "outbound-interface": [ "peth0" ], "type": "masquerade" }, "6001": { "description": "MASQ corporate_network to WAN", "log": "disable", "outbound-interface": "pppoe0", "protocol": "all", "source": { "group": { "network-group": "corpor ate_network" } }, "type": "masquerade" }, "6002": { "description": "MASQ remote_user_vpn_network to WAN", "log": "disable", "outbound-interface": "pppoe0", "protocol": "all", "source": { "group": { "network-group": "remote _user_vpn_network" } }, "type": "masquerade" }, "6003": { "description": "MASQ guest_network to WAN", "log": "disable", "outbound-interface": "pppoe0", "protocol": "all", "source": { "group": { "network-group": "guest_ network" } }, "type": "masquerade" } } }, "ssh": { "port": "22", "protocol-version": "v2" } }, "system": { "conntrack": { "modules": { "sip": "disable" }, "timeout": { "icmp": 30, "other": 600, "tcp": { "close": 10, "close-wait": 60, "established": 7440, "fin-wait": 120, "last-ack": 30, "syn-recv": 60, 
"syn-sent": 120, "time-wait": 120 }, "udp": { "other": 30, "stream": 180 } } }, "domain-name": "localdomain", "ip": { "override-hostname-ip": "192.168.1.1" }, "login": { "user": { "****": { "authentication": { "encrypted-password": ****" }, "level": "admin" } } }, "name-server": "127.0.0.1", "ntp": { "server": [ "0.ubnt.pool.ntp.org", "1.ubnt.pool.ntp.org", "2.ubnt.pool.ntp.org", "3.ubnt.pool.ntp.org" ] }, "offload": { "ipsec": "enable", "ipv4": { "forwarding": "enable", "gre": "enable", "pppoe": "enable", "vlan": "enable" }, "ipv6": { "forwarding": "enable", "vlan": "enable" } }, "static-host-mapping": { "host-name": { "setup.ubnt.com": { "alias": [ "setup" ], "inet": [ "192.168.1.1" ] } } }, "syslog": { "global": { "facility": { "all": { "level": "notice" }, "protocols": { "level": "debug" } } } }, "time-zone": "Europe/Berlin", "traffic-analysis": { "dpi": "enable", "export": "disable" } }, "unifi": { "mgmt": { "cfgversion": "1c5afd4fa52f30c8"