config.boot
Authored By
vzotov
Oct 23 2020, 12:02 PM
2020-10-23 12:02:02 (UTC+0)
/* Host (local) filtering for the Internet vif eth0.496 only; no ruleset is attached to the other uplink vifs in this file */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        /* Not referenced by any rule in this file */
        address-group NG_ADMIN_2 {
            address xxx.xxx.100.100
            address xxx.xxx.100.133
        }
        /* Not referenced by any rule in this file; some entries appear duplicated after redaction */
        network-group NG_ADMIN {
            description "admin networks"
            network xxx.xxx.100.0/24
            network xxx.xxx.200.0/24
            network xxx.xxx.100.0/24
            network xxx.xxx.100.0/24
            network xxx.xxx.99.0/24
        }
        /* Sources granted unrestricted access to this router by FW_FROM_INET rule 20 */
        network-group NG_FROM_ZENIT {
            description "external zenit addresses"
            network xxx.xxx.83.0/24
            network xxx.xxx.253.148/30
            network xxx.xxx.229.160/30
        }
        /* Not referenced by any rule in this file */
        network-group NG_LOCAL {
            description "rfc1918, local-link multicast and broadcast"
            network xxx.xxx.0.0/8
            network xxx.xxx.0.0/12
            network xxx.xxx.0.0/16
            network xxx.xxx.0.0/8
            network xxx.xxx.0.0/16
            network xxx.xxx.255.254/31
        }
        /* Not referenced by any rule in this file */
        network-group NG_MGMT {
            description "cisco management network"
            network xxx.xxx.0.0/16
        }
        /* Used by policy route PR_DSMARKER rule 1200 (AF43 marking) */
        network-group NG_VKS {
            description "videoconferencing network"
            network xxx.xxx.0.0/16
        }
        /* Used by policy route PR_DSMARKER rule 7100 (EF marking) */
        network-group NG_VOIP {
            description "voip network"
            network xxx.xxx.0.0/16
            network xxx.xxx.0.0/16
            network xxx.xxx.0.0/16
            network xxx.xxx.50.64/29
            network xxx.xxx.251.4/32
            network xxx.xxx.251.7/32
            network xxx.xxx.251.8/32
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Applied as 'local' on eth0.496 (INET-VRF). Default drop: services not listed below (ssh, snmp, ...) are refused from the Internet */
    name FW_FROM_INET {
        default-action drop
        description "access to inet interface"
        /* Drop anything not addressed to the vif's own address (xxx.xxx.229.162 on eth0.496) */
        rule 5 {
            action drop
            destination {
                address !xxx.xxx.229.162
            }
        }
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* Accepts any protocol and port from NG_FROM_ZENIT; consider narrowing to the services actually required */
        rule 20 {
            action accept
            source {
                group {
                    network-group NG_FROM_ZENIT
                }
            }
        }
        /* Rules 30-36: IKE, NAT-T, AH and ESP for the ENFORTA IPsec peer whose local-address is this vif */
        rule 30 {
            action accept
            description IPSEC
            destination {
                port 500
            }
            protocol udp
        }
        rule 32 {
            action accept
            description IPSEC
            destination {
                port 4500
            }
            protocol udp
        }
        rule 34 {
            action accept
            description IPSEC
            protocol ah
        }
        rule 36 {
            action accept
            description IPSEC
            protocol esp
        }
        /* No l2tp server configuration appears in this file; confirm this opening is still needed */
        rule 40 {
            action accept
            description "FOR L2TP"
            destination {
                port 1701
            }
            protocol udp
        }
        rule 50 {
            action accept
            description PING-REQUEST
            icmp {
                code 0
                type 8
            }
            protocol icmp
        }
        /* wg0 is configured 'disable' under interfaces, so this opening is currently idle */
        rule 60 {
            action accept
            description "Wireguard tunnel"
            destination {
                port 32878
            }
            protocol udp
        }
        /* vtun01 is configured 'protocol tcp-passive' on local-port 32879; this udp rule does not match that listener - check which side is wrong */
        rule 70 {
            action accept
            description "OpenVPN tunnel"
            destination {
                port 32879
            }
            protocol udp
        }
    }
    options {
        /* No interface named tun01 is configured in this file (the OpenVPN tunnel is vtun01); possibly stale */
        interface tun01 {
            adjust-mss 1360
        }
        interface vti01 {
            adjust-mss 1396
        }
        interface vti02 {
            adjust-mss 1396
        }
        interface vti03 {
            adjust-mss 1396
        }
    }
    receive-redirects disable
    /* ICMP redirects are emitted; usually disabled on a border router - confirm intended */
    send-redirects enable
    /* Reverse-path filtering is off */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        hw-id XX:XX:XX:XX:XX:3a
        /* Uplink used as local-address of IPsec peer BEELINE-TO-CCR38; no firewall ruleset is attached to this vif */
        vif 63 {
            address xxx.xxx.230.29/24
            description "BEELINE L2"
        }
        /* Uplink used as local-address of IPsec peer MTS-TO-CCR38; no firewall ruleset is attached to this vif */
        vif 80 {
            address xxx.xxx.221.29/29
            description "MTS L3"
        }
        /* Internet vif: isolated in INET-VRF, host-bound traffic filtered by FW_FROM_INET */
        vif 496 {
            address xxx.xxx.229.162/24
            description "ENFORTA INET via RADIO"
            firewall {
                local {
                    name FW_FROM_INET
                }
            }
            vrf INET-VRF
        }
        /* LAN vif: OSPF with MD5 authentication; PR_DSMARKER rewrites DSCP on ingress */
        vif 999 {
            address xxx.xxx.0.7/24
            description LAN
            ip {
                ospf {
                    authentication {
                        md5 {
                            key-id 1 {
                                md5-key xxxxxx
                            }
                        }
                    }
                    cost 7
                    dead-interval 40
                    hello-interval 10
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
            policy {
                route PR_DSMARKER
            }
        }
    }
    /* Point-to-point link to the primary router; OSPF with MD5 and BFD */
    ethernet eth1 {
        address xxx.xxx.1.1/31
        description "PTP LINK TO PRIMARY ROUTER"
        hw-id XX:XX:XX:XX:XX:84
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key xxxxxx
                        }
                    }
                }
                bfd
                cost 5
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
    }
    /* Address used as OSPF router-id and as RADIUS source-address */
    loopback lo {
        address xxx.xxx.73.50/32
        description "+LOOPBACK OSPF RID"
    }
    /* Temporary remote-access tunnel still present. bf256 (Blowfish) is a legacy 64-bit-block cipher - prefer an AES cipher. Listener is tcp-passive on 32879 while FW_FROM_INET rule 70 permits udp/32879 */
    openvpn vtun01 {
        description "temp access for zotov"
        device-type tun
        encryption {
            cipher bf256
        }
        hash sha256
        local-address xxx.xxx.70.130 {
        }
        local-port 32879
        mode site-to-site
        persistent-tunnel
        protocol tcp-passive
        remote-address xxx.xxx.70.131
        tls {
            auth-file /config/auth/inet.secret
            ca-cert-file xxxxxx
            cert-file xxxxxx
            dh-file xxxxxx
            key-file xxxxxx
            role passive
        }
    }
    /* IPsec VTI over BEELINE (peer BEELINE-TO-CCR38); OSPF MD5 + BFD, shaped by HTB7-POLICY */
    vti vti01 {
        address xxx.xxx.81.175/31
        description "IPSEC TO CROC VIA BEELINE"
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key xxxxxx
                        }
                    }
                }
                bfd
                cost 40
                dead-interval 40
                hello-interval 10
                mtu-ignore
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1436
        traffic-policy {
            out HTB7-POLICY
        }
    }
    /* IPsec VTI over MTS (peer MTS-TO-CCR38). Unlike vti01/vti03 no 'bfd' is set here - confirm intended */
    vti vti02 {
        address xxx.xxx.81.177/31
        description "IPSEC TO CROC VIA MTS"
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key xxxxxx
                        }
                    }
                }
                cost 40
                dead-interval 40
                hello-interval 10
                mtu-ignore
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1436
        traffic-policy {
            out HTB7-POLICY
        }
    }
    /* IPsec VTI over ENFORTA (peer ENFORTA-INET-TO-CCR38). Unlike vti01/vti02 no 'network point-to-point' is set here - confirm intended */
    vti vti03 {
        address xxx.xxx.81.179/31
        description "IPSEC TO CROC VIA ENFORTA"
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key xxxxxx
                        }
                    }
                }
                bfd
                cost 150
                dead-interval 40
                hello-interval 10
                mtu-ignore
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1436
        traffic-policy {
            out HTB7-POLICY
        }
    }
    /* Temporary remote access, currently disabled. The peer's allowed-ips is a /0, so any source address is accepted from that peer - narrow it to the peer's tunnel address before re-enabling */
    wireguard wg0 {
        address xxx.xxx.70.128/31
        description "tempopary remote access zotov"
        disable
        peer to-zotov {
            allowed-ips xxx.xxx.0.0/0
            pubkey mPwi/BbLPcd0Q/PKuSF5WVY8fHFh1G4Qxhyxcx8h4H4=
        }
        port 32878
        private-key zotov-local
    }
}
/* DSCP marking applied on LAN ingress (eth0.999). Classification is by port/protocol, which LAN hosts choose themselves, so the marks express trust in LAN senders; rule 9999 clears everything else */
policy {
    route PR_DSMARKER {
        description "mark all traffic to diffserv agreement"
        rule 1000 {
            description "AF41 - ICMP PING"
            icmp {
                code 0
                type 8
            }
            protocol icmp
            set {
                dscp 34
            }
        }
        rule 1001 {
            description "AF41 - ICMP PONG"
            icmp {
                code 0
                type 0
            }
            protocol icmp
            set {
                dscp 34
            }
        }
        rule 1010 {
            description "AF41 - RDP"
            destination {
                port 3389
            }
            protocol tcp
            set {
                dscp 34
            }
        }
        rule 1011 {
            description "AF41 - RDP"
            protocol tcp
            set {
                dscp 34
            }
            source {
                port 3389
            }
        }
        rule 1020 {
            description "AF41 - SSH"
            protocol tcp
            set {
                dscp 34
            }
            source {
                port 22
            }
        }
        rule 1021 {
            description "AF41 - SSH"
            destination {
                port 22
            }
            protocol tcp
            set {
                dscp 34
            }
        }
        rule 1100 {
            description "AF42 - DNS/UDP"
            protocol udp
            set {
                dscp 36
            }
            source {
                port 53
            }
        }
        rule 1101 {
            description "AF42 - DNS/UDP"
            destination {
                port 53
            }
            protocol udp
            set {
                dscp 36
            }
        }
        rule 1102 {
            description "AF42 - NTP/UDP"
            protocol udp
            set {
                dscp 36
            }
            source {
                port 123
            }
        }
        rule 1103 {
            description "AF42 - NTP/UDP"
            destination {
                port 123
            }
            protocol udp
            set {
                dscp 36
            }
        }
        rule 1104 {
            description "AF42 - KRB/UDP"
            protocol udp
            set {
                dscp 36
            }
            source {
                port 88
            }
        }
        rule 1105 {
            description "AF42 - KRB/UDP"
            destination {
                port 88
            }
            protocol udp
            set {
                dscp 36
            }
        }
        rule 1106 {
            description "AF42 - SNMPTRAP"
            protocol udp
            set {
                dscp 36
            }
            source {
                port 162
            }
        }
        rule 1107 {
            description "AF42 - SNMPTRAP"
            destination {
                port 162
            }
            protocol udp
            set {
                dscp 36
            }
        }
        /* Matched by address group (NG_VKS) rather than by port */
        rule 1200 {
            description "AF43 - VCC/VIDEO"
            destination {
                group {
                    network-group NG_VKS
                }
            }
            set {
                dscp 38
            }
            source {
                group {
                    network-group NG_VKS
                }
            }
        }
        rule 2000 {
            description "AF31 - LDAP"
            protocol tcp
            set {
                dscp 24
            }
            source {
                port 389
            }
        }
        rule 2001 {
            description "AF31 - LDAP"
            destination {
                port 389
            }
            protocol tcp
            set {
                dscp 24
            }
        }
        rule 2002 {
            description "AF31 - SNMP"
            protocol udp
            set {
                dscp 24
            }
            source {
                port 161
            }
        }
        rule 2003 {
            description "AF31 - SNMP"
            destination {
                port 161
            }
            protocol udp
            set {
                dscp 24
            }
        }
        rule 2100 {
            description "AF32 - DNS/TCP"
            protocol tcp
            set {
                dscp 26
            }
            source {
                port 53
            }
        }
        rule 2101 {
            description "AF32 - DNS/TCP"
            destination {
                port 53
            }
            protocol tcp
            set {
                dscp 26
            }
        }
        /* Remaining ICMP; echo request/reply were already taken by rules 1000/1001 */
        rule 7000 {
            description "CS7 - ICMP EXCL PING"
            protocol icmp
            set {
                dscp 56
            }
        }
        rule 7001 {
            description "CS6 - OSPF"
            protocol ospf
            set {
                dscp 48
            }
        }
        rule 7002 {
            description "CS6 - BFD"
            destination {
                port 3784-3785
            }
            protocol udp
            set {
                dscp 48
            }
        }
        /* Matched by address group (NG_VOIP) rather than by port */
        rule 7100 {
            description "EF- VOIP"
            destination {
                group {
                    network-group NG_VOIP
                }
            }
            set {
                dscp 46
            }
            source {
                group {
                    network-group NG_VOIP
                }
            }
        }
        /* Catch-all: strip any DSCP value the sender set */
        rule 9999 {
            set {
                dscp 0
            }
        }
    }
}
protocols {
    /* BFD peers (names redacted); BFD is enabled on eth1, vti01 and vti03 */
    bfd {
        peer xxxxx.tld {
        }
        peer xxxxx.tld {
        }
        peer xxxxx.tld {
        }
    }
    /* Single area with MD5 authentication; keys are set per interface */
    ospf {
        area xxx.xxx.12.0 {
            authentication md5
            network xxx.xxx.81.174/31
            network xxx.xxx.81.176/31
            network xxx.xxx.0.0/24
            network xxx.xxx.81.178/31
            network xxx.xxx.1.0/31
            network xxx.xxx.73.50/32
        }
        log-adjacency-changes {
            detail
        }
        parameters {
            abr-type cisco
            router-id xxx.xxx.73.50
        }
        /* Passive by default; only the LAN vif, the three VTIs and the PTP link form adjacencies */
        passive-interface default
        passive-interface-exclude eth0.999
        passive-interface-exclude vti01
        passive-interface-exclude vti02
        passive-interface-exclude vti03
        passive-interface-exclude eth1
    }
    static {
        /* High-distance (floating) default via a LAN next-hop; presumably a fallback to a dynamically learned default - confirm */
        route xxx.xxx.0.0/0 {
            next-hop xxx.xxx.0.2 {
                distance 200
            }
        }
        /* Routes below with next-hop-vrf leak specific Internet destinations from the main table into INET-VRF */
        route xxx.xxx.148.110/32 {
            next-hop xxx.xxx.229.1 {
                next-hop-vrf INET-VRF
            }
        }
        route xxx.xxx.221.16/29 {
            next-hop xxx.xxx.221.25 {
            }
        }
        route xxx.xxx.83.144/29 {
            next-hop xxx.xxx.229.1 {
                next-hop-vrf INET-VRF
            }
        }
        route xxx.xxx.83.215/32 {
            next-hop xxx.xxx.229.1 {
                next-hop-vrf INET-VRF
            }
        }
    }
    /* Default route of the Internet VRF (eth0.496 lives here) */
    vrf INET-VRF {
        static {
            route xxx.xxx.0.0/0 {
                next-hop xxx.xxx.229.1 {
                }
            }
        }
    }
}
service {
    lldp {
        legacy-protocols {
            cdp
        }
    }
    /* SNMPv3 only (no community strings in this file), but with MD5 auth and DES privacy - legacy algorithms; prefer SHA/AES where the monitoring side supports it */
    snmp {
        description "backup router"
        /* Unbalanced closing quote - looks like a redaction artifact */
        location xxxxxx 12a str 1"
        v3 {
            engineid fc0000000000000000000002
            group mongroup {
                mode ro
                seclevel priv
                view allview
            }
            user xxxxxx {
                auth {
                    encrypted-password xxxxxx
                    type md5
                }
                group mongroup
                privacy {
                    encrypted-password xxxxxx
                    type des
                }
            }
            view allview {
                oid 1 {
                    exclude .xxx.xxx.6.1.xxx.xxx.4.21
                }
            }
        }
    }
    /* No listen-address, so reachable on every interface; from the Internet vif FW_FROM_INET has no rule for 22 and drops it */
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 30
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name xxxxxx
    host-name xxxxxx
    ipv6 {
        disable
    }
    /* RADIUS with the source pinned to the loopback address, plus local accounts */
    login {
        radius {
            server xxxxx.tld {
                key xxxxxx
                port 1812
                timeout 10
            }
            source-address xxx.xxx.73.50
        }
        /* plaintext-password is normally hashed and dropped at commit; confirm no plaintext is retained in the saved config - TODO */
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
            }
        }
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
            }
        }
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
            }
            full-name xxxxxx
        }
    }
    name-server xxx.xxx.0.125
    name-server xxx.xxx.0.25
    name-server xxx.xxx.100.111
    /* NTP bound to the LAN address only */
    ntp {
        listen-address xxx.xxx.0.7
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    options {
        reboot-on-panic
    }
    /* System HTTP proxy (plain http) */
    proxy {
        port 3128
        url http://xxx.xxx.0.88
    }
    /* Local logging only; 'protocols' at debug is verbose */
    syslog {
        global {
            archive {
                file 20
                size 1024
            }
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Moscow
}
/* Outbound shaper on vti01-vti03; classes select on the DSCP values written by PR_DSMARKER */
traffic-policy {
    shaper HTB7-POLICY {
        bandwidth 180mbit
        class 10 {
            bandwidth 15%
            burst 15k
            ceiling 90%
            description "CS1 - AF1[123]"
            match MATCH-AF11 {
                ip {
                    dscp AF11
                }
            }
            match MATCH-AF12 {
                ip {
                    dscp AF12
                }
            }
            match MATCH-AF13 {
                ip {
                    dscp AF13
                }
            }
            priority 1
            queue-type fair-queue
        }
        class 20 {
            bandwidth 20%
            burst 15k
            ceiling 90%
            description "CS2 - AF2[123]"
            match MATCH-AF21 {
                ip {
                    dscp AF21
                }
            }
            match MATCH-AF22 {
                ip {
                    dscp AF22
                }
            }
            match MATCH-AF23 {
                ip {
                    dscp AF23
                }
            }
            priority 2
            queue-type fair-queue
        }
        class 30 {
            bandwidth 30%
            burst 15k
            ceiling 95%
            description "CS3 - AF3[123]"
            match MATCH-AF31 {
                ip {
                    dscp AF31
                }
            }
            match MATCH-AF32 {
                ip {
                    dscp AF32
                }
            }
            match MATCH-AF33 {
                ip {
                    dscp AF33
                }
            }
            priority 3
            queue-type fair-queue
        }
        class 40 {
            bandwidth 20%
            burst 15k
            ceiling 95%
            description "CS4 - AF4[123]"
            match MATCH-AF41 {
                ip {
                    dscp AF41
                }
            }
            match MATCH-AF42 {
                ip {
                    dscp AF42
                }
            }
            match MATCH-AF43 {
                ip {
                    dscp AF43
                }
            }
            priority 4
            queue-type fair-queue
        }
        /* Strict ceiling (12%) with a short drop-tail queue for voice */
        class 50 {
            bandwidth 10%
            burst 15k
            ceiling 12%
            description CS5/EF
            match MATCH-CS5 {
                ip {
                    dscp CS5
                }
            }
            match MATCH-EF {
                ip {
                    dscp EF
                }
            }
            priority 5
            queue-limit 10
            queue-type drop-tail
        }
        /* MATCH-BFD matches on 'protocol udp' alone (no port), so any UDP not taken by an earlier class appears to land in this 2%/4% class with queue-limit 10 and gets re-marked CS6 - confirm this is intended */
        class 60 {
            bandwidth 2%
            burst 15k
            ceiling 4%
            description "INTERNETWORK - we will remark once again locally-generated packets"
            match MATCH-BFD {
                ip {
                    protocol udp
                }
            }
            match MATCH-BFD1 {
                ip {
                    destination {
                        port 3784
                    }
                }
            }
            match MATCH-BFD2 {
                ip {
                    destination {
                        port 3785
                    }
                }
            }
            match MATCH-CS6 {
                ip {
                    dscp CS6
                }
            }
            match MATCH-OSPF {
                ip {
                    protocol ospf
                }
            }
            priority 6
            queue-limit 10
            queue-type drop-tail
            set-dscp CS6
        }
        class 70 {
            bandwidth 2%
            burst 15k
            ceiling 4%
            description CS7
            match MATCH-CS7 {
                ip {
                    dscp CS7
                }
            }
            priority 7
            queue-limit 10
            queue-type drop-tail
            set-dscp CS7
        }
        /* Everything unmatched is cleared to DSCP 0 */
        default {
            bandwidth 5%
            burst 15k
            ceiling 90%
            priority 0
            queue-type fair-queue
            set-dscp 0
        }
    }
}
vpn {
    ipsec {
        /* ESP with SHA-1 integrity and PFS disabled: no per-child-SA forward secrecy; the IKE proposals below use sha256/dh-group 14 - consider aligning ESP with them */
        esp-group ESP01 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        /* Used by the MTS peer; differs from IKE01 only in close-action (restart) and DPD interval (15) */
        ike-group IKE00 {
            close-action restart
            dead-peer-detection {
                action restart
                interval 15
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev2
            lifetime 86400
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha256
            }
        }
        /* Used by the BEELINE and ENFORTA peers; close-action none, so a closed SA is not re-initiated on close */
        ike-group IKE01 {
            close-action none
            dead-peer-detection {
                action restart
                interval 10
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev2
            lifetime 86400
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha256
            }
        }
        logging {
            log-level 0
            log-modes ike
            log-modes knl
            log-modes cfg
        }
        nat-traversal disable
        /* All peers authenticate by pre-shared secret with explicit local/remote IDs */
        site-to-site {
            /* local-address is eth0.80 (MTS), which has no firewall attached */
            peer xxxxx.tld {
                authentication {
                    id ntop2-m-gw.domain.tld
                    mode pre-shared-secret
                    pre-shared-secret xxxxxx
                    remote-id ccr38.domain.tld
                }
                connection-type initiate
                description MTS-TO-CCR38
                force-encapsulation disable
                ike-group IKE00
                ikev2-reauth inherit
                local-address xxx.xxx.221.29
                vti {
                    bind vti02
                    esp-group ESP01
                }
            }
            /* local-address is eth0.63 (BEELINE), which has no firewall attached */
            peer xxxxx.tld {
                authentication {
                    id ntop2-b-gw.domain.tld
                    mode pre-shared-secret
                    pre-shared-secret xxxxxx
                    remote-id ccr38.domain.tld
                }
                connection-type initiate
                description BEELINE-TO-CCR38
                force-encapsulation disable
                ike-group IKE01
                ikev2-reauth inherit
                local-address xxx.xxx.230.29
                vti {
                    bind vti01
                    esp-group ESP01
                }
            }
            /* local-address is eth0.496 (INET-VRF), where FW_FROM_INET rules 30-36 admit IKE/NAT-T/AH/ESP */
            peer xxxxx.tld {
                authentication {
                    id ntop2-e-gw.domain.tld
                    mode pre-shared-secret
                    pre-shared-secret xxxxxx
                    remote-id ccr38.domain.tld
                }
                connection-type initiate
                description ENFORTA-INET-TO-CCR38
                ike-group IKE01
                ikev2-reauth inherit
                local-address xxx.xxx.229.162
                vti {
                    bind vti03
                    esp-group ESP01
                }
            }
        }
    }
}
/* INET-VRF holds the Internet vif eth0.496 and its own default route (protocols vrf INET-VRF) */
vrf {
    bind-to-all
    name INET-VRF {
        table 200
    }
}
// Warning: Do not remove the following line.
// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@13:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@19:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1"
// Release version: 1.3-rolling-202010200146
T3011: router becomes unreachable for few minutes when vti interfaces goes down