From 6bf700fde2f9338e801ff8c59de825ea4f9e0184 Mon Sep 17 00:00:00 2001
From: nils
Date: Wed, 27 Nov 2024 17:20:36 +0000
Subject: [PATCH] commit
---
 config.boot-vyos | 395 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 395 insertions(+)
 create mode 100644 config.boot-vyos

diff --git a/config.boot-vyos b/config.boot-vyos
new file mode 100644
index 0000000..37cc700
--- /dev/null
+++ b/config.boot-vyos
@@ -0,0 +1,395 @@
+firewall {
+ global-options {
+ state-policy {
+ established {
+ action "accept"
+ }
+ related {
+ action "accept"
+ }
+ }
+ }
+ ipv4 {
+ name lan2local {
+ default-action "accept"
+ }
+ name lan2wan {
+ default-action "accept"
+ }
+ name local2lan {
+ default-action "accept"
+ }
+ name local2wan {
+ default-action "accept"
+ }
+ name wan2lan {
+ default-action "drop"
+ default-log
+ rule 100 {
+ action "accept"
+ description "Allow HTTP and HTTPS to lan"
+ destination {
+ port "http,https"
+ }
+ protocol "tcp"
+ }
+ rule 200 {
+ action "accept"
+ protocol "icmp"
+ }
+ }
+ name wan2local {
+ default-action "drop"
+ default-log
+ rule 100 {
+ action "accept"
+ description "Allow HTTP and HTTPS"
+ destination {
+ port "http,https"
+ }
+ protocol "tcp"
+ }
+ }
+ }
+ ipv6 {
+ forward {
+ filter {
+ rule 100 {
+ action "jump"
+ inbound-interface {
+ name "pppoe0"
+ }
+ jump-target "wan2lan"
+ }
+ }
+ }
+ input {
+ filter {
+ rule 100 {
+ action "jump"
+ inbound-interface {
+ name "pppoe0"
+ }
+ jump-target "wan2local"
+ }
+ }
+ }
+ name lan2local {
+ default-action "accept"
+ }
+ name lan2wan {
+ default-action "accept"
+ }
+ name local2lan {
+ default-action "accept"
+ }
+ name local2wan {
+ default-action "accept"
+ }
+ name wan2lan {
+ rule 100 {
+ action "accept"
+ description "Allow HTTP and HTTPS to lan"
+ destination {
+ port "http,https"
+ }
+ protocol "tcp"
+ }
+ rule 200 {
+ action "accept"
+ protocol "ipv6-icmp"
+ }
+ }
+ name wan2local {
+ rule 200 {
+ action "accept"
+ protocol "ipv6-icmp"
+ }
+ rule 300 {
+ action "accept"
+ destination {
+ port "546"
+ }
+ protocol "udp"
+ source {
+ port "547"
+ }
+ }
+ }
+ }
+ zone lan {
+ from local {
+ firewall {
+ ipv6-name "local2lan"
+ name "local2lan"
+ }
+ }
+ from wan {
+ firewall {
+ ipv6-name "wan2lan"
+ name "wan2lan"
+ }
+ }
+ interface "eth1"
+ }
+ zone local {
+ from lan {
+ firewall {
+ ipv6-name "lan2local"
+ name "lan2local"
+ }
+ }
+ from wan {
+ firewall {
+ ipv6-name "wan2local"
+ name "wan2local"
+ }
+ }
+ local-zone
+ }
+ zone wan {
+ from lan {
+ firewall {
+ ipv6-name "lan2wan"
+ name "lan2wan"
+ }
+ }
+ from local {
+ firewall {
+ ipv6-name "local2wan"
+ name "local2wan"
+ }
+ }
+ interface "pppoe0"
+ }
+}
+interfaces {
+ ethernet eth0 {
+ hw-id "00:e0:67:2c:81:b4"
+ offload {
+ gro
+ gso
+ sg
+ tso
+ }
+ }
+ ethernet eth1 {
+ address "10.0.0.254/24"
+ hw-id "00:e0:67:2c:81:b5"
+ offload {
+ gro
+ gso
+ sg
+ tso
+ }
+ }
+ ethernet eth2 {
+ hw-id "00:e0:67:2c:81:b6"
+ offload {
+ gro
+ gso
+ sg
+ tso
+ }
+ }
+ ethernet eth3 {
+ hw-id "00:e0:67:2c:81:b7"
+ offload {
+ gro
+ gso
+ sg
+ tso
+ }
+ }
+ loopback lo {
+ }
+ pppoe pppoe0 {
+ authentication {
+ password "CVDQ72qfcB"
+ username "prem-vdsl.de/12006575-1%11"
+ }
+ dhcpv6-options {
+ pd 0 {
+ interface eth1 {
+ address "100"
+ }
+ }
+ }
+ ipv6 {
+ address {
+ autoconf
+ }
+ }
+ source-interface "eth0"
+ }
+}
+nat {
+ destination {
+ rule 100 {
+ description "wan to k8s"
+ destination {
+ port "http,https"
+ }
+ inbound-interface {
+ name "pppoe0"
+ }
+ protocol "tcp"
+ translation {
+ address "10.0.1.0"
+ }
+ }
+ }
+ source {
+ rule 100 {
+ description "nat for internet at home"
+ outbound-interface {
+ name "pppoe0"
+ }
+ source {
+ address "10.0.0.0/24"
+ }
+ translation {
+ address "masquerade"
+ }
+ }
+ }
+}
+protocols {
+ static {
+ route 10.0.1.0/24 {
+ next-hop 10.0.0.253 {
+ interface "eth1"
+ }
+ }
+ }
+}
+service {
+ dhcp-server {
+ hostfile-update
+ shared-network-name home.stinnesbeck.com {
+ authoritative
+ option {
+ domain-name "home.stinnesbeck.com"
+ }
+ subnet 10.0.0.0/24 {
+ option {
+ default-router "10.0.0.254"
+ name-server "10.0.0.254"
+ }
+ range clients {
+ start "10.0.0.100"
+ stop "10.0.0.199"
+ }
+ static-mapping nils-sy-nas {
+ ip-address "10.0.0.250"
+ mac "00:11:32:dd:2f:2b"
+ }
+ static-mapping talos-50m-nc7 {
+ description "Kubernetes Laptop Lenovo"
+ ip-address "10.0.0.253"
+ mac "54:e1:ad:75:c8:04"
+ }
+ subnet-id "1"
+ }
+ }
+ }
+ dns {
+ forwarding {
+ allow-from "10.0.0.0/24"
+ authoritative-domain stinnesbeck.com {
+ records {
+ a ci {
+ address "10.0.1.0"
+ }
+ a git {
+ address "10.0.1.0"
+ }
+ a pw {
+ address "10.0.1.0"
+ }
+ a traefik {
+ address "10.0.1.0"
+ }
+ }
+ }
+ listen-address "10.0.0.254"
+ system
+ }
+ }
+ ntp {
+ allow-client {
+ address "127.0.0.0/8"
+ address "169.254.0.0/16"
+ address "10.0.0.0/8"
+ address "172.16.0.0/12"
+ address "192.168.0.0/16"
+ address "::1/128"
+ address "fe80::/10"
+ address "fc00::/7"
+ }
+ server time1.vyos.net {
+ }
+ server time2.vyos.net {
+ }
+ server time3.vyos.net {
+ }
+ }
+ router-advert {
+ interface eth1 {
+ link-mtu "1492"
+ prefix ::/64 {
+ valid-lifetime "172800"
+ }
+ }
+ }
+ ssh {
+ port "22"
+ }
+}
+system {
+ config-management {
+ commit-archive {
+ location "git+https://nils:0013d29811ffb7ee783bf7c581b3fd0a87a0936f@git.stinnesbeck.com/nils/vyos_config"
+ }
+ commit-revisions "100"
+ }
+ console {
+ device ttyS0 {
+ speed "115200"
+ }
+ }
+ host-name "vyos"
+ login {
+ user nils {
+ authentication {
+ encrypted-password "$6$rounds=656000$rsZk8wL54kEl9FOC$GyN9J0WKcrqOHn1ehs63/jSjcbwRBYHQvHKn2JfCYAWuKAT4C6rTGb56U7iBuAUpBplzPLkDlH34S1bK6gkcJ1"
+ public-keys nils {
+ key "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"
+ type "ssh-rsa"
+ }
+ }
+ }
+ }
+ name-server "1.1.1.1"
+ name-server "1.0.0.1"
+ static-host-mapping {
+ host-name git.stinnesbeck.com {
+ inet "10.0.1.0"
+ }
+ }
+ syslog {
+ global {
+ facility all {
+ level "info"
+ }
+ facility local7 {
+ level "debug"
+ }
+ }
+ }
+}
+
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "bgp@5:broadcast-relay@1:cluster@2:config-management@1:conntrack@5:conntrack-sync@2:container@2:dhcp-relay@2:dhcp-server@11:dhcpv6-server@6:dns-dynamic@4:dns-forwarding@4:firewall@17:flow-accounting@1:https@7:ids@1:interfaces@33:ipoe-server@4:ipsec@13:isis@3:l2tp@9:lldp@2:mdns@1:monitoring@1:nat@8:nat66@3:ntp@3:openconnect@3:openvpn@4:ospf@2:pim@1:policy@8:pppoe-server@11:pptp@5:qos@3:quagga@11:reverse-proxy@2:rip@1:rpki@2:salt@1:snmp@3:ssh@2:sstp@6:system@28:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
+// Release version: 1.5-rolling-202411270007
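Review bot: Live credentials are committed in plaintext in this config: the PPPoE account password under `interfaces pppoe pppoe0 authentication` (`password "CVDQ72qfcB"`) and a git access token embedded as userinfo in `system config-management commit-archive location` (`git+https://nils:0013d298…@git.stinnesbeck.com/nils/vyos_config`); because commit-archive pushes this same config to that remote on every commit, the token is copied into the repository it authenticates to, and the sha512-crypt hash under `login user nils` is exposed to offline cracking as well. Treat both secrets as leaked and rotate them, move the archive to a location that does not carry a credential in the URL (a key-based transport such as `sftp://`, or whatever credential store the VyOS build supports), and keep this file out of any public repo unless it has been scrubbed. Secondarily, IPv4 `wan2local` rule 100 accepts TCP 80/443 to the router itself although no `service https` is configured here, so that rule can be removed, and `wan2lan` rule 100 can be narrowed to the only DNAT target with `destination { address "10.0.1.0" port "http,https" }`. The IPv6 `wan2lan` and `wan2local` rulesets set no `default-action`; VyOS applies its own default when it is omitted (drop, per the documentation), but writing `default-action "drop"` plus `default-log` as the IPv4 counterparts do makes the intent explicit and logs what is blocked.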