/* VyOS boot configuration (Release version 1.3-rolling-202010200146 per the trailer at
   the end). Reformatted from a single-line export with no settings changed. Addresses,
   keys, secrets and hostnames are redacted in this copy (xxx / xxxxxx), so
   identical-looking prefixes and peer names below may be distinct in the live config.
   Review notes are marked NOTE(review). */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    /* NOTE(review): only NG_FROM_ZENIT (FW_FROM_INET rule 20), NG_VKS and NG_VOIP
       (policy route PR_DSMARKER) are referenced anywhere in this file; NG_ADMIN,
       NG_ADMIN_2, NG_LOCAL and NG_MGMT are defined but unused. */
    group {
        address-group NG_ADMIN_2 {
            address xxx.xxx.100.100
            address xxx.xxx.100.133
        }
        network-group NG_ADMIN {
            description "admin networks"
            network xxx.xxx.100.0/24
            network xxx.xxx.200.0/24
            network xxx.xxx.100.0/24
            network xxx.xxx.100.0/24
            network xxx.xxx.99.0/24
        }
        network-group NG_FROM_ZENIT {
            description "external zenit addresses"
            network xxx.xxx.83.0/24
            network xxx.xxx.253.148/30
            network xxx.xxx.229.160/30
        }
        network-group NG_LOCAL {
            description "rfc1918, local-link multicast and broadcast"
            network xxx.xxx.0.0/8
            network xxx.xxx.0.0/12
            network xxx.xxx.0.0/16
            network xxx.xxx.0.0/8
            network xxx.xxx.0.0/16
            network xxx.xxx.255.254/31
        }
        network-group NG_MGMT {
            description "cisco management network"
            network xxx.xxx.0.0/16
        }
        network-group NG_VKS {
            description "videoconferencing network"
            network xxx.xxx.0.0/16
        }
        network-group NG_VOIP {
            description "voip network"
            network xxx.xxx.0.0/16
            network xxx.xxx.0.0/16
            network xxx.xxx.0.0/16
            network xxx.xxx.50.64/29
            network xxx.xxx.251.4/32
            network xxx.xxx.251.7/32
            network xxx.xxx.251.8/32
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Local-chain filter for traffic addressed to this router. It is attached only to
       eth0 vif 496 (the INET-VRF uplink) further down.
       NOTE(review): no rule here has logging and enable-default-log is not set, so
       everything that falls through to default-action drop is discarded silently.
       NOTE(review): eth0 vif 63 and vif 80 carry the local-addresses of the other two
       IPsec peers and have no firewall attached; confirm those links are filtered
       upstream or attach a local filter there as well. */
    name FW_FROM_INET {
        default-action drop
        description "access to inet interface"
        /* Drops anything not addressed to the vif 496 interface address itself. */
        rule 5 {
            action drop
            destination {
                address !xxx.xxx.229.162
            }
        }
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* NOTE(review): accepts every protocol and port from the three NG_FROM_ZENIT
           prefixes, i.e. an address-based bypass of all rules below; narrow it to the
           protocols those networks actually need. */
        rule 20 {
            action accept
            source {
                group {
                    network-group NG_FROM_ZENIT
                }
            }
        }
        /* Rules 30-36: IKE, IKE NAT-T, AH and ESP for the ENFORTA IPsec peer whose
           local-address is this interface. */
        rule 30 {
            action accept
            description IPSEC
            destination {
                port 500
            }
            protocol udp
        }
        rule 32 {
            action accept
            description IPSEC
            destination {
                port 4500
            }
            protocol udp
        }
        rule 34 {
            action accept
            description IPSEC
            protocol ah
        }
        rule 36 {
            action accept
            description IPSEC
            protocol esp
        }
        /* NOTE(review): this file has no vpn l2tp section, so UDP 1701 is opened for a
           service that is not configured here; the rule looks stale. */
        rule 40 {
            action accept
            description "FOR L2TP"
            destination {
                port 1701
            }
            protocol udp
        }
        rule 50 {
            action accept
            description PING-REQUEST
            icmp {
                code 0
                type 8
            }
            protocol icmp
        }
        /* NOTE(review): interface wg0 (port 32878) is disabled below; this port stays
           open with no listener behind it. Keep the rule and the interface state in step. */
        rule 60 {
            action accept
            description "Wireguard tunnel"
            destination {
                port 32878
            }
            protocol udp
        }
        /* NOTE(review): vtun01 is configured with protocol tcp-passive on local-port
           32879, but this rule permits udp. As written it does not admit the OpenVPN
           listener; TCP 32879 is accepted only from NG_FROM_ZENIT via rule 20 and is
           otherwise dropped by default-action. Confirm which transport is intended. */
        rule 70 {
            action accept
            description "OpenVPN tunnel"
            destination {
                port 32879
            }
            protocol udp
        }
    }
    options {
        /* NOTE(review): no interface tun01 is defined in this file (the OpenVPN
           interface is vtun01); this MSS clamp appears to be stale. */
        interface tun01 {
            adjust-mss 1360
        }
        /* 1396 = vti mtu 1436 minus 40 bytes of IPv4+TCP headers. */
        interface vti01 {
            adjust-mss 1396
        }
        interface vti02 {
            adjust-mss 1396
        }
        interface vti03 {
            adjust-mss 1396
        }
    }
    receive-redirects disable
    /* NOTE(review): ICMP redirects are emitted on every interface, including the
       provider-facing vifs; disabling is the usual choice on an edge router. */
    send-redirects enable
    /* NOTE(review): reverse-path filtering is off, so log-martians records spoofed
       sources but nothing drops them. Whether strict or loose source-validation is
       viable depends on how symmetric the multi-uplink / VRF paths are - verify before
       enabling. */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        hw-id XX:XX:XX:XX:XX:3a
        /* Provider link used as local-address by the BEELINE IPsec peer. No firewall. */
        vif 63 {
            address xxx.xxx.230.29/24
            description "BEELINE L2"
        }
        /* Provider link used as local-address by the MTS IPsec peer. No firewall. */
        vif 80 {
            address xxx.xxx.221.29/29
            description "MTS L3"
        }
        /* Internet uplink, isolated in INET-VRF; the only interface with a local
           firewall (FW_FROM_INET). Only the local chain is filtered; no in/out policy. */
        vif 496 {
            address xxx.xxx.229.162/24
            description "ENFORTA INET via RADIO"
            firewall {
                local {
                    name FW_FROM_INET
                }
            }
            vrf INET-VRF
        }
        /* LAN side. OSPF MD5 authentication (key redacted); ingress DSCP re-marking via
           PR_DSMARKER is applied here. */
        vif 999 {
            address xxx.xxx.0.7/24
            description LAN
            ip {
                ospf {
                    authentication {
                        md5 {
                            key-id 1 {
                                md5-key xxxxxx
                            }
                        }
                    }
                    cost 7
                    dead-interval 40
                    hello-interval 10
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
            policy {
                route PR_DSMARKER
            }
        }
    }
    ethernet eth1 {
        address xxx.xxx.1.1/31
        description "PTP LINK TO PRIMARY ROUTER"
        hw-id XX:XX:XX:XX:XX:84
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key xxxxxx
                        }
                    }
                }
                bfd
                cost 5
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
    }
    loopback lo {
        address xxx.xxx.73.50/32
        description "+LOOPBACK OSPF RID"
    }
    /* Site-to-site OpenVPN, TCP listener on 32879 with tls-auth (auth-file) and a
       passive TLS role; local-address/remote-address are the tunnel endpoints.
       NOTE(review): cipher bf256 is Blowfish, a 64-bit-block cipher deprecated by
       OpenVPN and unsuitable for a long-lived tunnel; move to aes256 or aes256gcm
       together with the remote side.
       NOTE(review): the description marks this as temporary access; record an owner
       and a removal date (see also wg0). */
    openvpn vtun01 {
        description "temp access for zotov"
        device-type tun
        encryption {
            cipher bf256
        }
        hash sha256
        local-address xxx.xxx.70.130 {
        }
        local-port 32879
        mode site-to-site
        persistent-tunnel
        protocol tcp-passive
        remote-address xxx.xxx.70.131
        tls {
            auth-file /config/auth/inet.secret
            ca-cert-file xxxxxx
            cert-file xxxxxx
            dh-file xxxxxx
            key-file xxxxxx
            role passive
        }
    }
    /* vti01-vti03: route-based IPsec to the same remote gateway over three uplinks,
       OSPF MD5 on each, shaped by HTB7-POLICY on egress.
       NOTE(review): vti02 lacks the bfd flag that vti01 and vti03 carry, and vti03 lacks
       network point-to-point that vti01 and vti02 carry; confirm both differences are
       intentional (protocols bfd lists three peers). */
    vti vti01 {
        address xxx.xxx.81.175/31
        description "IPSEC TO CROC VIA BEELINE"
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key xxxxxx
                        }
                    }
                }
                bfd
                cost 40
                dead-interval 40
                hello-interval 10
                mtu-ignore
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1436
        traffic-policy {
            out HTB7-POLICY
        }
    }
    vti vti02 {
        address xxx.xxx.81.177/31
        description "IPSEC TO CROC VIA MTS"
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key xxxxxx
                        }
                    }
                }
                cost 40
                dead-interval 40
                hello-interval 10
                mtu-ignore
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1436
        traffic-policy {
            out HTB7-POLICY
        }
    }
    vti vti03 {
        address xxx.xxx.81.179/31
        description "IPSEC TO CROC VIA ENFORTA"
        ip {
            ospf {
                authentication {
                    md5 {
                        key-id 1 {
                            md5-key xxxxxx
                        }
                    }
                }
                bfd
                cost 150
                dead-interval 40
                hello-interval 10
                mtu-ignore
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        mtu 1436
        traffic-policy {
            out HTB7-POLICY
        }
    }
    /* Disabled WireGuard interface for temporary remote access.
       NOTE(review): allowed-ips is a /0 (prefix redacted), so once enabled the peer may
       source any address through the tunnel; FW_FROM_INET rule 60 still opens port
       32878. Remove the interface and the rule together, or give the access an expiry. */
    wireguard wg0 {
        address xxx.xxx.70.128/31
        description "tempopary remote access zotov"
        disable
        peer to-zotov {
            allowed-ips xxx.xxx.0.0/0
            pubkey mPwi/BbLPcd0Q/PKuSF5WVY8fHFh1G4Qxhyxcx8h4H4=
        }
        port 32878
        private-key zotov-local
    }
}
policy {
    /* DSCP re-marking applied on eth0.999 ingress. Every rule sets a DSCP; rule 9999
       resets all remaining traffic to 0, so DSCP values set by hosts are not trusted. */
    route PR_DSMARKER {
        description "mark all traffic to diffserv agreement"
        rule 1000 {
            description "AF41 - ICMP PING"
            icmp {
                code 0
                type 8
            }
            protocol icmp
            set {
                dscp 34
            }
        }
        rule 1001 {
            description "AF41 - ICMP PONG"
            icmp {
                code 0
                type 0
            }
            protocol icmp
            set {
                dscp 34
            }
        }
        rule 1010 {
            description "AF41 - RDP"
            destination {
                port 3389
            }
            protocol tcp
            set {
                dscp 34
            }
        }
        rule 1011 {
            description "AF41 - RDP"
            protocol tcp
            set {
                dscp 34
            }
            source {
                port 3389
            }
        }
        rule 1020 {
            description "AF41 - SSH"
            protocol tcp
            set {
                dscp 34
            }
            source {
                port 22
            }
        }
        rule 1021 {
            description "AF41 - SSH"
            destination {
                port 22
            }
            protocol tcp
            set {
                dscp 34
            }
        }
        rule 1100 {
            description "AF42 - DNS/UDP"
            protocol udp
            set {
                dscp 36
            }
            source {
                port 53
            }
        }
        rule 1101 {
            description "AF42 - DNS/UDP"
            destination {
                port 53
            }
            protocol udp
            set {
                dscp 36
            }
        }
        rule 1102 {
            description "AF42 - NTP/UDP"
            protocol udp
            set {
                dscp 36
            }
            source {
                port 123
            }
        }
        rule 1103 {
            description "AF42 - NTP/UDP"
            destination {
                port 123
            }
            protocol udp
            set {
                dscp 36
            }
        }
        rule 1104 {
            description "AF42 - KRB/UDP"
            protocol udp
            set {
                dscp 36
            }
            source {
                port 88
            }
        }
        rule 1105 {
            description "AF42 - KRB/UDP"
            destination {
                port 88
            }
            protocol udp
            set {
                dscp 36
            }
        }
        rule 1106 {
            description "AF42 - SNMPTRAP"
            protocol udp
            set {
                dscp 36
            }
            source {
                port 162
            }
        }
        rule 1107 {
            description "AF42 - SNMPTRAP"
            destination {
                port 162
            }
            protocol udp
            set {
                dscp 36
            }
        }
        /* Both source and destination must be in NG_VKS (match criteria are ANDed). */
        rule 1200 {
            description "AF43 - VCC/VIDEO"
            destination {
                group {
                    network-group NG_VKS
                }
            }
            set {
                dscp 38
            }
            source {
                group {
                    network-group NG_VKS
                }
            }
        }
        rule 2000 {
            description "AF31 - LDAP"
            protocol tcp
            set {
                dscp 24
            }
            source {
                port 389
            }
        }
        rule 2001 {
            description "AF31 - LDAP"
            destination {
                port 389
            }
            protocol tcp
            set {
                dscp 24
            }
        }
        rule 2002 {
            description "AF31 - SNMP"
            protocol udp
            set {
                dscp 24
            }
            source {
                port 161
            }
        }
        rule 2003 {
            description "AF31 - SNMP"
            destination {
                port 161
            }
            protocol udp
            set {
                dscp 24
            }
        }
        rule 2100 {
            description "AF32 - DNS/TCP"
            protocol tcp
            set {
                dscp 26
            }
            source {
                port 53
            }
        }
        rule 2101 {
            description "AF32 - DNS/TCP"
            destination {
                port 53
            }
            protocol tcp
            set {
                dscp 26
            }
        }
        /* NOTE(review): every ICMP type other than echo/echo-reply (rules 1000/1001) is
           marked CS7 and lands in shaper class 70 (ceiling 4%, queue-limit 10). The class
           is bounded, but any LAN host can fill it; consider limiting this to the ICMP
           types the network relies on. */
        rule 7000 {
            description "CS7 - ICMP EXCL PING"
            protocol icmp
            set {
                dscp 56
            }
        }
        rule 7001 {
            description "CS6 - OSPF"
            protocol ospf
            set {
                dscp 48
            }
        }
        rule 7002 {
            description "CS6 - BFD"
            destination {
                port 3784-3785
            }
            protocol udp
            set {
                dscp 48
            }
        }
        /* Both source and destination must be in NG_VOIP. */
        rule 7100 {
            description "EF- VOIP"
            destination {
                group {
                    network-group NG_VOIP
                }
            }
            set {
                dscp 46
            }
            source {
                group {
                    network-group NG_VOIP
                }
            }
        }
        /* Catch-all: clears any host-supplied DSCP. */
        rule 9999 {
            set {
                dscp 0
            }
        }
    }
}
protocols {
    /* Three BFD peers (names redacted), matching the bfd flags on eth1, vti01, vti03. */
    bfd {
        peer xxxxx.tld {
        }
        peer xxxxx.tld {
        }
        peer xxxxx.tld {
        }
    }
    /* Single-area OSPF with area-wide MD5 authentication; all interfaces passive except
       the LAN vif, the three VTIs and the PTP link. */
    ospf {
        area xxx.xxx.12.0 {
            authentication md5
            network xxx.xxx.81.174/31
            network xxx.xxx.81.176/31
            network xxx.xxx.0.0/24
            network xxx.xxx.81.178/31
            network xxx.xxx.1.0/31
            network xxx.xxx.73.50/32
        }
        log-adjacency-changes {
            detail
        }
        parameters {
            abr-type cisco
            router-id xxx.xxx.73.50
        }
        passive-interface default
        passive-interface-exclude eth0.999
        passive-interface-exclude vti01
        passive-interface-exclude vti02
        passive-interface-exclude vti03
        passive-interface-exclude eth1
    }
    static {
        /* Floating default (distance 200) toward the primary router; used when OSPF
           offers no default. */
        route xxx.xxx.0.0/0 {
            next-hop xxx.xxx.0.2 {
                distance 200
            }
        }
        /* Routes below with next-hop-vrf leak specific destinations from the default
           VRF into INET-VRF via the ENFORTA gateway. */
        route xxx.xxx.148.110/32 {
            next-hop xxx.xxx.229.1 {
                next-hop-vrf INET-VRF
            }
        }
        route xxx.xxx.221.16/29 {
            next-hop xxx.xxx.221.25 {
            }
        }
        route xxx.xxx.83.144/29 {
            next-hop xxx.xxx.229.1 {
                next-hop-vrf INET-VRF
            }
        }
        route xxx.xxx.83.215/32 {
            next-hop xxx.xxx.229.1 {
                next-hop-vrf INET-VRF
            }
        }
    }
    vrf INET-VRF {
        static {
            route xxx.xxx.0.0/0 {
                next-hop xxx.xxx.229.1 {
                }
            }
        }
    }
}
service {
    /* NOTE(review): LLDP (plus CDP) runs on all interfaces by default and advertises
       platform details on the provider-facing vifs as well; restrict it with
       service lldp interface to the internal links. */
    lldp {
        legacy-protocols {
            cdp
        }
    }
    /* SNMPv3 only, read-only group with authPriv.
       NOTE(review): auth type md5 and privacy type des are the weakest SNMPv3 options
       available; sha and aes need a matching change on the monitoring system.
       NOTE(review): no listen-address is set, so snmpd listens on every address; with
       vrf bind-to-all (bottom of file) this includes the INET-VRF uplink, where only
       FW_FROM_INET stands in front of it.
       NOTE(review): the location value below ends in a dangling quote - the opening
       quote appears to have been lost in this export/redaction; the live value should be
       a single quoted string. */
    snmp {
        description "backup router"
        location xxxxxx 12a str 1"
        v3 {
            engineid fc0000000000000000000002
            group mongroup {
                mode ro
                seclevel priv
                view allview
            }
            user xxxxxx {
                auth {
                    encrypted-password xxxxxx
                    type md5
                }
                group mongroup
                privacy {
                    encrypted-password xxxxxx
                    type des
                }
            }
            view allview {
                oid 1 {
                    exclude .xxx.xxx.6.1.xxx.xxx.4.21
                }
            }
        }
    }
    /* NOTE(review): no listen-address, so sshd is reachable on every address including
       the provider vifs (see the FW_FROM_INET and vrf notes). Password authentication is
       enabled unless disable-password-authentication is set, and the RADIUS login below
       relies on it; binding listen-address to the LAN/loopback addresses limits exposure. */
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 30
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name xxxxxx
    host-name xxxxxx
    ipv6 {
        disable
    }
    login {
        /* RADIUS login sourced from the loopback/RID address; shared key redacted. */
        radius {
            server xxxxx.tld {
                key xxxxxx
                port 1812
                timeout 10
            }
            source-address xxx.xxx.73.50
        }
        /* NOTE(review): each local user shows plaintext-password next to
           encrypted-password. VyOS clears plaintext-password on commit, so a non-empty
           value here (redacted in this copy) would mean the saved file carries a
           recoverable password - confirm the live config stores only the hash. */
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
            }
        }
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
            }
        }
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
            }
            full-name xxxxxx
        }
    }
    name-server xxx.xxx.0.125
    name-server xxx.xxx.0.25
    name-server xxx.xxx.100.111
    /* NTP serves only on the LAN address. */
    ntp {
        listen-address xxx.xxx.0.7
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    options {
        reboot-on-panic
    }
    /* Plain-HTTP egress proxy for the system itself (package fetches). */
    proxy {
        port 3128
        url http://xxx.xxx.0.88
    }
    /* NOTE(review): logging is local only (20 rotated files of 1024 KB); no remote
       syslog host is configured, so martians, IPsec and login events do not survive
       the box and cannot be correlated centrally. Add a syslog host. */
    syslog {
        global {
            archive {
                file 20
                size 1024
            }
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Moscow
}
traffic-policy {
    /* Egress shaper on the three VTIs, 180mbit total, DSCP-based classes. */
    shaper HTB7-POLICY {
        bandwidth 180mbit
        class 10 {
            bandwidth 15%
            burst 15k
            ceiling 90%
            description "CS1 - AF1[123]"
            match MATCH-AF11 {
                ip {
                    dscp AF11
                }
            }
            match MATCH-AF12 {
                ip {
                    dscp AF12
                }
            }
            match MATCH-AF13 {
                ip {
                    dscp AF13
                }
            }
            priority 1
            queue-type fair-queue
        }
        class 20 {
            bandwidth 20%
            burst 15k
            ceiling 90%
            description "CS2 - AF2[123]"
            match MATCH-AF21 {
                ip {
                    dscp AF21
                }
            }
            match MATCH-AF22 {
                ip {
                    dscp AF22
                }
            }
            match MATCH-AF23 {
                ip {
                    dscp AF23
                }
            }
            priority 2
            queue-type fair-queue
        }
        class 30 {
            bandwidth 30%
            burst 15k
            ceiling 95%
            description "CS3 - AF3[123]"
            match MATCH-AF31 {
                ip {
                    dscp AF31
                }
            }
            match MATCH-AF32 {
                ip {
                    dscp AF32
                }
            }
            match MATCH-AF33 {
                ip {
                    dscp AF33
                }
            }
            priority 3
            queue-type fair-queue
        }
        class 40 {
            bandwidth 20%
            burst 15k
            ceiling 95%
            description "CS4 - AF4[123]"
            match MATCH-AF41 {
                ip {
                    dscp AF41
                }
            }
            match MATCH-AF42 {
                ip {
                    dscp AF42
                }
            }
            match MATCH-AF43 {
                ip {
                    dscp AF43
                }
            }
            priority 4
            queue-type fair-queue
        }
        class 50 {
            bandwidth 10%
            burst 15k
            ceiling 12%
            description CS5/EF
            match MATCH-CS5 {
                ip {
                    dscp CS5
                }
            }
            match MATCH-EF {
                ip {
                    dscp EF
                }
            }
            priority 5
            queue-limit 10
            queue-type drop-tail
        }
        /* Control-plane class (OSPF, BFD, CS6), re-marked CS6 on egress.
           NOTE(review): the matches in a class are alternatives, and MATCH-BFD has only
           ip protocol udp with no port, so every UDP packet not claimed by a lower
           class (i.e. unmarked UDP after PR_DSMARKER rule 9999) is pulled into this 4%
           class, queued drop-tail with a 10-packet limit and re-marked CS6. MATCH-BFD1
           and MATCH-BFD2 already cover the BFD ports; MATCH-BFD looks like it was meant to
           be combined with them rather than stand alone, and should probably be removed. */
        class 60 {
            bandwidth 2%
            burst 15k
            ceiling 4%
            description "INTERNETWORK - we will remark once again locally-generated packets"
            match MATCH-BFD {
                ip {
                    protocol udp
                }
            }
            match MATCH-BFD1 {
                ip {
                    destination {
                        port 3784
                    }
                }
            }
            match MATCH-BFD2 {
                ip {
                    destination {
                        port 3785
                    }
                }
            }
            match MATCH-CS6 {
                ip {
                    dscp CS6
                }
            }
            match MATCH-OSPF {
                ip {
                    protocol ospf
                }
            }
            priority 6
            queue-limit 10
            queue-type drop-tail
            set-dscp CS6
        }
        class 70 {
            bandwidth 2%
            burst 15k
            ceiling 4%
            description CS7
            match MATCH-CS7 {
                ip {
                    dscp CS7
                }
            }
            priority 7
            queue-limit 10
            queue-type drop-tail
            set-dscp CS7
        }
        default {
            bandwidth 5%
            burst 15k
            ceiling 90%
            priority 0
            queue-type fair-queue
            set-dscp 0
        }
    }
}
vpn {
    ipsec {
        /* Shared by all three peers.
           NOTE(review): pfs disable and hash sha1. Without PFS every child SA derives its
           keys from the IKE SA, so compromise of that SA key material exposes all traffic
           within the lifetime; pfs dh-group14 and hash sha256 are available and must be
           changed on the remote gateway at the same time. */
        esp-group ESP01 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        /* IKEv2, AES-256 / SHA-256 / DH group 14. IKE00 and IKE01 differ only in
           close-action and DPD interval. */
        ike-group IKE00 {
            close-action restart
            dead-peer-detection {
                action restart
                interval 15
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev2
            lifetime 86400
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha256
            }
        }
        ike-group IKE01 {
            close-action none
            dead-peer-detection {
                action restart
                interval 10
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev2
            lifetime 86400
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha256
            }
        }
        /* NOTE(review): log-level 0 is the minimum; level 1 records IKE negotiation
           events that are needed to investigate failed or unexpected peer attempts. */
        logging {
            log-level 0
            log-modes ike
            log-modes knl
            log-modes cfg
        }
        nat-traversal disable
        /* Three tunnels to the same remote-id over three uplinks, PSK authentication.
           NOTE(review): use a distinct pre-shared-secret per peer (the secrets are
           redacted here, so this cannot be checked in this copy). Peer names are all
           redacted to the same token in this export. */
        site-to-site {
            peer xxxxx.tld {
                authentication {
                    id ntop2-m-gw.domain.tld
                    mode pre-shared-secret
                    pre-shared-secret xxxxxx
                    remote-id ccr38.domain.tld
                }
                connection-type initiate
                description MTS-TO-CCR38
                force-encapsulation disable
                ike-group IKE00
                ikev2-reauth inherit
                local-address xxx.xxx.221.29
                vti {
                    bind vti02
                    esp-group ESP01
                }
            }
            peer xxxxx.tld {
                authentication {
                    id ntop2-b-gw.domain.tld
                    mode pre-shared-secret
                    pre-shared-secret xxxxxx
                    remote-id ccr38.domain.tld
                }
                connection-type initiate
                description BEELINE-TO-CCR38
                force-encapsulation disable
                ike-group IKE01
                ikev2-reauth inherit
                local-address xxx.xxx.230.29
                vti {
                    bind vti01
                    esp-group ESP01
                }
            }
            /* Terminates on the INET-VRF uplink; FW_FROM_INET rules 30-36 admit it. */
            peer xxxxx.tld {
                authentication {
                    id ntop2-e-gw.domain.tld
                    mode pre-shared-secret
                    pre-shared-secret xxxxxx
                    remote-id ccr38.domain.tld
                }
                connection-type initiate
                description ENFORTA-INET-TO-CCR38
                ike-group IKE01
                ikev2-reauth inherit
                local-address xxx.xxx.229.162
                vti {
                    bind vti03
                    esp-group ESP01
                }
            }
        }
    }
}
/* NOTE(review): bind-to-all lets services bound in the default VRF (ssh, snmp, ntp
   above) accept connections arriving on INET-VRF interfaces, i.e. on eth0 vif 496.
   Every local service is therefore exposed on the Internet uplink behind nothing but
   FW_FROM_INET's default drop; pair it with per-service listen-address settings. */
vrf {
    bind-to-all
    name INET-VRF {
        table 200
    }
}


// Warning: Do not remove the following line.
// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@13:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@19:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1"
// Release version: 1.3-rolling-202010200146