Vyatta — различия между версиями
Suser (обсуждение | вклад) |
Suser (обсуждение | вклад) (→Zone Based) |
(не показаны 34 промежуточные версии этого же участника) | |||
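--- a/Vyatta
+++ b/Vyatta
@@ -1,54 +1,299 @@
 ==Настройка имени==
 Имя хоста
-set system host-name
+set system host-name '''router'''
 Домен хоста
-set system domain-name
+set system domain-name '''mynet.local
+'''
 ==Настройка репозитория==
-set system package repository community components main
-set system package repository community distribution stable
-set system package repository community url http://mirror.
+configure
+set system package repository community components '''main'''
+set system package repository community distribution '''stable'''
+set system package repository community url '''http://mirror.yandex.ru/debian/'''
+commit
+save
 ==Настройка времени==
 Настройка часового пояса
-set system time-zone Europe/Moscow
+set system time-zone '''Europe/Moscow'''
 ==Управление учётными записеми==
 Смена пароля
-set system login user ubnt authentication plaintext-password mypassword
+set system login user ubnt authentication plaintext-password '''mypassword'''
+
 ==Настройка сети==
 Настройка интерфейса
-set interfaces ethernet eth0 address 192.168.25.9/28
-set interfaces ethernet eth0 description local
+set interfaces ethernet eth0 address '''192.168.25.9/28'''
+set interfaces ethernet eth0 description '''local'''
 Настройка шлюза по умолчанию
-set system gateway-address 192.168.25.1
+set system gateway-address '''192.168.25.1'''
 Указание DNS серверов
-set system name-server 8.8.8.8
+set system name-server '''8.8.8.8'''
+Создание моста
+set bridge '''br0'''
+set ethernet '''eth1''' bridge-group bridge '''br0'''
+set ethernet '''eth2''' bridge-group bridge '''br0'''
 ==DNS cервер==
 Включение кэширующего DNS сервера на инрфейсе eth0
-set service dns forwarding listen-on eth0
+set service dns forwarding listen-on '''eth0'''
 Количество записей в кэшэ
-set service dns forwarding cache-size 500
+set service dns forwarding cache-size '''500'''
 ==DHCP сервер==
-edit service dhcp-server shared-network-name local
-edit subnet 192.168.
-set start 192.168.
-set default-router 192.168.
-set dns-server 192.168.
-set domain-name
+Настройка сервера
+edit service dhcp-server shared-network-name '''local'''
+edit subnet '''192.168.1.0/24'''
+set start '''192.168.1.100''' stop '''192.168.1.200'''
+set default-router '''192.168.1.1'''
+set dns-server '''192.168.1.1'''
+set domain-name '''mynet.local'''
+
+Настройка привязки выдачи ip
+set service dhcp‐server shared‐network‐name '''local''' subnet '''192.168.1.0/24''' static‐mapping '''myhost''' ip‐address '''192.168.1.10'''
+set service dhcp‐server shared‐network‐name '''local''' subnet '''192.168.1.0/24''' static‐mapping '''myhost''' mac‐address '''00:15:c5:b4:22:77'''
 ==SNMP==
-set service snmp contact admin@
-set service snmp description "main router"
+set service snmp contact '''admin@ipnp.su'''
+set service snmp description '''"main router"'''
 Настраиваем прова доступа
-edit service snmp community MyComunityRO
-set authorization ro
-set client 192.168.0.201
-set client 192.168.0.202
-edit service snmp community MyComunityRW
-set authorization rw
-set client 192.168.0.200
+edit service snmp community '''MyComunityRO'''
+set authorization '''ro'''
+set client '''192.168.0.201'''
+set client '''192.168.0.202'''
+edit service snmp community '''MyComunityRW'''
+set authorization '''rw'''
+set client '''192.168.0.200'''
 SNMP trap
-set service snmp trap-target 192.168.0.200
+set service snmp trap-target '''192.168.0.200
+'''
+
+==OpenVPN==
+Настройка клиента (авторизация по сертификатам)
+edit interfaces openvpn '''vtun0'''
+set mode client
+set protocol '''udp'''
+set encryption '''aes256'''
+set remote-host '''ovpn.ipnp.su'''
+set remote-port '''4000'''
+set tls ca-cert-file '''/config/auth/ca.crt'''
+set tls cert-file '''/config/auth/router.crt'''
+set tls key-file '''/config/auth/router.key
+'''
+Настройка сервера (авторизация по сертификатам)
+edit interfaces openvpn '''vtun0'''
+set mode server
+set protocol '''udp'''
+set local-port '''4000'''
+set server subnet '''192.168.1.0/24'''
+set encryption '''aes256'''
+set tls dh-file '''/config/auth/dh2048.pem'''
+set tls ca-cert-file '''/config/auth/ca.crt'''
+set tls cert-file '''/config/auth/server.crt'''
+set tls key-file '''/config/auth/server.key'''
+
+==Squid==
+Настройка squid+squidGuard для блокировки доступа к определённым сайтам
+* Включаем прозрачный squid на адресе 192.160.0.1
+set service webproxy listen‐address '''192.168.0.1''' transparent
+* Имзеняем страницу (по умолчанию http://google.com) на которую будет отпралвен пользователь зайдя на сайт из чёрного списка.
+set service webproxy url-filtering squidguard redirect-url '''http://www.ipnp.su'''
+* Добавляем домены в чёрный список youtube.com и vk.com
+set service webproxy url-filtering squidguard local-block '''youtube.com'''
+set service webproxy url-filtering squidguard local-block '''vk.com'''
+* Применяем настройки
+сommit
+* Сохраняем конфиг
+save
+
+==NAT==
+Настрока NAT (eth1 - внешний интерфейс,xxx.yyy.zzz.www инет адрес, 192.168.0.0/24 локальная сеть для которой нвстраивается NAT )
+configure
+set service nat rule 5000 type source
+set service nat rule 5000 source address '''192.168.0.0/24'''
+set service nat rule 5000 outside-address address '''xxx.yyy.zzz.www'''
+set service nat rule 5000 outbound-interface '''eth1'''
+commit
+save
+
+==DNAT (Port Forwarding)==
+Пробросим tcp порт 3333 (внешний адрес 222.222.222.222 и интерфейс eth0) на внутренний ip 192.168.0.2 и порт 3389
+
+edit service nat
+set rule 10 description '''rdp'''
+set rule 10 destination address '''222.222.222.222'''
+set rule 10 destination port '''3333'''
+set rule 10 inbound-interface '''eth0'''
+set rule 10 inside-address address '''192.168.0.2'''
+set rule 10 inside-address port '''3389'''
+set rule 10 protocol '''tcp'''
+set rule 10 type destination
+
+Для проброски портов зарезервированы номера правил 1-4999.
 ==Настройка PPPoE клиента==
 Заходим в конфигурационный режим и выполняем следующие команды:
-set intefaces ethernet eth0 pppoe 0 user-id pppoeuser — имя пользователя
-set intefaces ethernet eth0 pppoe 0 password pppoepassword — пароль
+set intefaces ethernet eth0 pppoe 0 user-id '''pppoeuser''' — имя пользователя
+set intefaces ethernet eth0 pppoe 0 password '''pppoepassword''' — пароль
 set intefaces ethernet eth0 pppoe 0 default-route auto — принимаем маршрут по умолчанию через pppoe0 после установки сессии от концентратора
 set intefaces ethernet eth0 pppoe 0 name-server auto — принимаем ДНС-сервера от концентратора
+
+==Firewall==
+===Обычный===
+edit firewall name to-router
+set rule 20 description "admin control"
+set rule 20 action accept
+set rule 20 protocol tcp
+set rule 20 source address 192.168.1.2
+set rule 20 destination port ssh
+set rule 30 description "Accept ICMP Unreachable"
+set rule 30 description "Accept ICMP"
+set rule 30 action accept
+set rule 30 protocol icmp
+set rule 30 icmp type 3
+set rule 32 description "Accept ICMP Echo Request"
+set rule 32 action accept
+set rule 32 protocol icmp
+set rule 32 icmp type 8
+set rule 34 description "Accept ICMP Time-Exceeded"
+set rule 34 action accept
+set rule 34 protocol icmp
+set rule 34 icmp type 11
+
+Применяем группу правил to-router к инрерфейсу eth1, правила будут только принимать только для трафика предназначеного для роутера.
+set interfaces ethernet '''eth1''' firewall '''local''' name '''to-router'''
+===Zone Based===
+eth0 - локалка, eth1 - инет
+Задача:
+Из интернета дать доступ по ssh на роутере, и проброшенному порту 3389 на 192.168.0.5:3389 и разрешить icmp\\
+Из локалки дать доступ к службам маршрутизатора: ssh, https, dns, dhcp и ntp и дать доступ всем клиентам на 80 и 443 портам, хостам 192.168.0.5 ещё доступ на 22 (ssh) и 3389 (rdp) и 5222 (xmpp); хостам 192.168.0.5 и 192.168.0.6 доступ на 110 и 25 порты. Самому маршрутизатору только разерешить icmp и доступ к внешним DNS серверами по протоколу UDP.
+
+Создаем группы адрессов, сетей и портов:
+
+set firewall group address-group admin_ip address 192.168.0.5
+
+edit firewall group address-group mail_ip
+set address 192.168.0.5
+set address 192.168.0.10
+exit
+
+set firewall group network-group lan_net
+set network 192.168.0.0/24
+exit
+
+edit firewall group port-group port_mail
+set port 25
+set port 110
+exit
+
+Создаем правила для файрвола:
+
+edit firewall name router-lan
+set default-action drop
+set rule 10 action accept
+set rule 10 state established enable
+set rule 10 state related enable
+set rule 20 action accept
+set rule 20 protocol icmp
+exit
+
+edit firewall name router-wan
+set default-action drop
+set rule 10 action accept
+set rule 10 state established enable
+set rule 10 state related enable
+set rule 20 action accept
+set rule 20 protocol icmp
+set rule 30 action accept
+set rule 30 destination port dns
+set rule 30 protocol udp
+exit
+
+edit firewall name lan-router
+set default-action drop
+set rule 10 action accept
+set rule 10 state established enable
+set rule 10 state related enable
+set rule 20 action accept
+set rule 20 protocol icmp
+set rule 30 action accept
+set rule 30 description "remote admin"
+set rule 30 destination port ssh, https
+set rule 30 protocol tcp
+set rule 30 source group network-group lan_net
+set rule 40 action accept
+set rule 40 description "remote admin"
+set rule 40 destination port dns,dhcp,ntp
+set rule 40 protocol udp
+set rule 40 source group network-group lan_net
+exit
+
+edit firewall name lan-wan
+set default-action drop
+set rule 10 action accept
+set rule 10 state established enable
+set rule 10 state related enable
+set rule 20 action accept
+set rule 20 protocol icmp
+set rule 30 action accept
+set rule 30 description "all users"
+set rule 30 destination port http,https
+set rule 30 protocol tcp
+set rule 30 source group network-group lan_net
+set rule 40 action accept
+set rule 40 description "admin access"
+set rule 40 destination port ssh,5222,3389
+set rule 40 protocol tcp
+set rule 40 source group address-group admin_ip
+set rule 50 action accept
+set rule 50 description "mail users"
+set rule 50 destination group port-group port_mail
+set rule 50 protocol tcp
+set rule 50 source group address-group mail_users_ip
+exit
+
+edit firewall name wan-router
+set default-action drop
+set rule 10 action accept
+set rule 10 state established enable
+set rule 10 state related enable
+set rule 20 action accept
+set rule 20 protocol icmp
+set rule 30 action accept
+set rule 30 description "remote admin"
+set rule 30 destination port ssh
+set rule 30 protocol tcp
+exit
+
+edit firewall name wan-lan
+set default-action drop
+set rule 10 action accept
+set rule 10 state established enable
+set rule 10 state related enable
+set rule 20 action accept
+set rule 20 protocol icmp
+set rule 30 action accept
+set rule 30 description "rdp admin pc"
+set rule 30 destination address 192.168.0.5
+set rule 30 destination port 3389
+set rule 30 protocol tcp
+exit
+
+Создаём зоны lan и wan и привязываем их к интерфейсам и применяем к ним правила
+
+set zone-policy zone lan
+set zone-policy zone lan default-action drop
+set zone-policy zone lan from router firewall name router-lan
+set zone-policy zone lan from wan firewall name wan-lan
+set zone-policy zone lan interface eth0
+
+set zone-policy zone router default-action drop
+set zone-policy zone router from lan firewall name lan-router
+set zone-policy zone router from wan firewall name wan-router
+set zone-policy zone router local-zone
+
+set zone-policy zone wan default-action drop
+set zone-policy zone wan from lan firewall name lan-wan
+set zone-policy zone wan from router firewall name router-wan
+set zone-policy zone wan interface eth1
+
+==Прочие==
+* Подключение через консольный порт к EdgeRouter'у
+screen /dev/ttyUSB0 115200
+
+
+
+[[Категория:ubiquiti]]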
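Review bot: Rule 50 of the `lan-wan` ruleset references `address-group mail_users_ip`, but the group defined earlier in the Zone Based section is `mail_ip`, so the commit is rejected (or, on a release that does not validate group references, the mail rule never matches); change the line to `set rule 50 source group address-group mail_ip`. The `lan_net` group is created with `set firewall group network-group lan_net` and then followed by `set network 192.168.0.0/24` and `exit`, which only work inside an edit context, so the first line should read `edit firewall group network-group lan_net`. Several commands on the new side will not be accepted by the CLI as written: the DHCP static-mapping and webproxy `listen‐address` lines use a non-ASCII hyphen character instead of `-`, `сommit` in the Squid section starts with a Cyrillic с, and the PPPoE lines still spell `intefaces`. The plain-firewall `to-router` ruleset attached as `local` on eth1 has no rule accepting established/related state, so with the default-action left at drop the replies to connections the router itself opens (DNS, NTP, the package repository) would be dropped, unlike the zone-based rulesets, which all begin with such a rule. The Squid note also says the proxy listens on 192.160.0.1 while the command uses 192.168.0.1.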
Текущая версия на 13:50, 19 марта 2016
Настройка имени
Имя хоста
set system host-name router
Домен хоста
set system domain-name mynet.local
Настройка репозитория
configure set system package repository community components main set system package repository community distribution stable set system package repository community url http://mirror.yandex.ru/debian/ commit save
Настройка времени
Настройка часового пояса
set system time-zone Europe/Moscow
Управление учётными записями
Смена пароля
set system login user ubnt authentication plaintext-password mypassword
Настройка сети
Настройка интерфейса
set interfaces ethernet eth0 address 192.168.25.9/28 set interfaces ethernet eth0 description local
Настройка шлюза по умолчанию
set system gateway-address 192.168.25.1
Указание DNS серверов
set system name-server 8.8.8.8
Создание моста
set bridge br0 set ethernet eth1 bridge-group bridge br0 set ethernet eth2 bridge-group bridge br0
DNS сервер
Включение кэширующего DNS сервера на интерфейсе eth0
set service dns forwarding listen-on eth0
Количество записей в кэше
set service dns forwarding cache-size 500
DHCP сервер
Настройка сервера
edit service dhcp-server shared-network-name local edit subnet 192.168.1.0/24 set start 192.168.1.100 stop 192.168.1.200 set default-router 192.168.1.1 set dns-server 192.168.1.1 set domain-name mynet.local
Настройка привязки выдачи ip
set service dhcp-server shared-network-name local subnet 192.168.1.0/24 static-mapping myhost ip-address 192.168.1.10 set service dhcp-server shared-network-name local subnet 192.168.1.0/24 static-mapping myhost mac-address 00:15:c5:b4:22:77
SNMP
set service snmp contact admin@ipnp.su set service snmp description "main router"
Настраиваем права доступа
edit service snmp community MyComunityRO set authorization ro set client 192.168.0.201 set client 192.168.0.202 edit service snmp community MyComunityRW set authorization rw set client 192.168.0.200
SNMP trap
set service snmp trap-target 192.168.0.200
OpenVPN
Настройка клиента (авторизация по сертификатам)
edit interfaces openvpn vtun0 set mode client set protocol udp set encryption aes256 set remote-host ovpn.ipnp.su set remote-port 4000 set tls ca-cert-file /config/auth/ca.crt set tls cert-file /config/auth/router.crt set tls key-file /config/auth/router.key
Настройка сервера (авторизация по сертификатам)
edit interfaces openvpn vtun0 set mode server set protocol udp set local-port 4000 set server subnet 192.168.1.0/24 set encryption aes256 set tls dh-file /config/auth/dh2048.pem set tls ca-cert-file /config/auth/ca.crt set tls cert-file /config/auth/server.crt set tls key-file /config/auth/server.key
Squid
Настройка squid+squidGuard для блокировки доступа к определённым сайтам
- Включаем прозрачный squid на адресе 192.160.0.1
set service webproxy listen-address 192.168.0.1 transparent
- Изменяем страницу (по умолчанию http://google.com), на которую будет отправлен пользователь, зайдя на сайт из чёрного списка.
set service webproxy url-filtering squidguard redirect-url http://www.ipnp.su
- Добавляем домены в чёрный список youtube.com и vk.com
set service webproxy url-filtering squidguard local-block youtube.com set service webproxy url-filtering squidguard local-block vk.com
- Применяем настройки
commit
- Сохраняем конфиг
save
NAT
Настройка NAT (eth1 — внешний интерфейс, xxx.yyy.zzz.www — адрес в интернете, 192.168.0.0/24 — локальная сеть, для которой настраивается NAT)
configure set service nat rule 5000 type source set service nat rule 5000 source address 192.168.0.0/24 set service nat rule 5000 outside-address address xxx.yyy.zzz.www set service nat rule 5000 outbound-interface eth1 commit save
DNAT (Port Forwarding)
Пробросим tcp порт 3333 (внешний адрес 222.222.222.222 и интерфейс eth0) на внутренний ip 192.168.0.2 и порт 3389
edit service nat set rule 10 description rdp set rule 10 destination address 222.222.222.222 set rule 10 destination port 3333 set rule 10 inbound-interface eth0 set rule 10 inside-address address 192.168.0.2 set rule 10 inside-address port 3389 set rule 10 protocol tcp set rule 10 type destination
Для проброски портов зарезервированы номера правил 1-4999.
Настройка PPPoE клиента
Заходим в конфигурационный режим и выполняем следующие команды:
set interfaces ethernet eth0 pppoe 0 user-id pppoeuser — имя пользователя set interfaces ethernet eth0 pppoe 0 password pppoepassword — пароль set interfaces ethernet eth0 pppoe 0 default-route auto — принимаем маршрут по умолчанию через pppoe0 после установки сессии от концентратора set interfaces ethernet eth0 pppoe 0 name-server auto — принимаем DNS-серверы от концентратора
Firewall
Обычный
edit firewall name to-router set rule 20 description "admin control" set rule 20 action accept set rule 20 protocol tcp set rule 20 source address 192.168.1.2 set rule 20 destination port ssh set rule 30 description "Accept ICMP Unreachable" set rule 30 description "Accept ICMP" set rule 30 action accept set rule 30 protocol icmp set rule 30 icmp type 3 set rule 32 description "Accept ICMP Echo Request" set rule 32 action accept set rule 32 protocol icmp set rule 32 icmp type 8 set rule 34 description "Accept ICMP Time-Exceeded" set rule 34 action accept set rule 34 protocol icmp set rule 34 icmp type 11
Применяем группу правил to-router к интерфейсу eth1; правила будут применяться только к трафику, предназначенному для роутера.
set interfaces ethernet eth1 firewall local name to-router
Zone Based
eth0 — локальная сеть, eth1 — интернет. Задача: из интернета дать доступ по ssh к роутеру и к проброшенному порту 3389 на 192.168.0.5:3389 и разрешить icmp. Из локальной сети дать доступ к службам маршрутизатора: ssh, https, dns, dhcp и ntp; дать доступ всем клиентам на порты 80 и 443, хосту 192.168.0.5 ещё доступ на 22 (ssh), 3389 (rdp) и 5222 (xmpp); хостам 192.168.0.5 и 192.168.0.6 доступ на порты 110 и 25. Самому маршрутизатору разрешить только icmp и доступ к внешним DNS-серверам по протоколу UDP.
Создаем группы адресов, сетей и портов:
set firewall group address-group admin_ip address 192.168.0.5 edit firewall group address-group mail_ip set address 192.168.0.5 set address 192.168.0.10 exit set firewall group network-group lan_net set network 192.168.0.0/24 exit edit firewall group port-group port_mail set port 25 set port 110 exit
Создаем правила для файрвола:
edit firewall name router-lan set default-action drop set rule 10 action accept set rule 10 state established enable set rule 10 state related enable set rule 20 action accept set rule 20 protocol icmp exit edit firewall name router-wan set default-action drop set rule 10 action accept set rule 10 state established enable set rule 10 state related enable set rule 20 action accept set rule 20 protocol icmp set rule 30 action accept set rule 30 destination port dns set rule 30 protocol udp exit edit firewall name lan-router set default-action drop set rule 10 action accept set rule 10 state established enable set rule 10 state related enable set rule 20 action accept set rule 20 protocol icmp set rule 30 action accept set rule 30 description "remote admin" set rule 30 destination port ssh, https set rule 30 protocol tcp set rule 30 source group network-group lan_net set rule 40 action accept set rule 40 description "remote admin" set rule 40 destination port dns,dhcp,ntp set rule 40 protocol udp set rule 40 source group network-group lan_net exit
edit firewall name lan-wan set default-action drop set rule 10 action accept set rule 10 state established enable set rule 10 state related enable set rule 20 action accept set rule 20 protocol icmp set rule 30 action accept set rule 30 description "all users" set rule 30 destination port http,https set rule 30 protocol tcp set rule 30 source group network-group lan_net set rule 40 action accept set rule 40 description "admin access" set rule 40 destination port ssh,5222,3389 set rule 40 protocol tcp set rule 40 source group address-group admin_ip set rule 50 action accept set rule 50 description "mail users" set rule 50 destination group port-group port_mail set rule 50 protocol tcp set rule 50 source group address-group mail_users_ip exit
edit firewall name wan-router set default-action drop set rule 10 action accept set rule 10 state established enable set rule 10 state related enable set rule 20 action accept set rule 20 protocol icmp set rule 30 action accept set rule 30 description "remote admin" set rule 30 destination port ssh set rule 30 protocol tcp exit
edit firewall name wan-lan set default-action drop set rule 10 action accept set rule 10 state established enable set rule 10 state related enable set rule 20 action accept set rule 20 protocol icmp set rule 30 action accept set rule 30 description "rdp admin pc" set rule 30 destination address 192.168.0.5 set rule 30 destination port 3389 set rule 30 protocol tcp exit
Создаём зоны lan и wan и привязываем их к интерфейсам и применяем к ним правила
set zone-policy zone lan set zone-policy zone lan default-action drop set zone-policy zone lan from router firewall name router-lan set zone-policy zone lan from wan firewall name wan-lan set zone-policy zone lan interface eth0
set zone-policy zone router default-action drop set zone-policy zone router from lan firewall name lan-router set zone-policy zone router from wan firewall name wan-router set zone-policy zone router local-zone
set zone-policy zone wan default-action drop set zone-policy zone wan from lan firewall name lan-wan set zone-policy zone wan from router firewall name router-wan set zone-policy zone wan interface eth1
Прочие
- Подключение через консольный порт к EdgeRouter'у
screen /dev/ttyUSB0 115200