knb:wireguard-offloader [2020/05/10 16:32] – HW & FW Basis lqb | knb:wireguard-offloader [2020/07/07 06:04] (aktuell) – lqb | ||
Zeile 4: | Zeile 4: | ||
===== Ubiquiti EdgeRouter X (ER-X) ===== | ===== Ubiquiti EdgeRouter X (ER-X) ===== | ||
* eth0: PoE IN | * eth0: PoE IN | ||
- | * eth4: PoE OUT (Passive 24V Passthrugh) | + | * eth4: PoE OUT (Passive 24V Passthrough) |
* [[https:// | * [[https:// | ||
- | * Wireguard Debian Package ([[https:// | + | * Wireguard Debian Package ([[https:// |
===== Ubiquiti EdgePoint R6 (EP‑R6) ===== | ===== Ubiquiti EdgePoint R6 (EP‑R6) ===== | ||
* eth0: PoE IN | * eth0: PoE IN | ||
Zeile 12: | Zeile 12: | ||
* eth5: SFP Port | * eth5: SFP Port | ||
* [[https:// | * [[https:// | ||
- | * Wireguard Debian Package ([[https:// | + | * Wireguard Debian Package ([[https:// |
+ | |||
+ | |||
+ | ===== / | ||
+ | |||
+ | Daten müssen bei FFMUC erfragt und in die Variablen eingepflegt werden. | ||
+ | |||
+ | mk_config.boot.sh: | ||
+ | <code bash> | ||
+ | # | ||
+ | |||
+ | # | ||
+ | |||
+ | HOST_NAME=" | ||
+ | HOST_IPV4=" | ||
+ | HOST_IPV6=" | ||
+ | HOST_IPV6_PREFIX=" | ||
+ | |||
+ | DHCP_SUBNET=" | ||
+ | DHCP_START=" | ||
+ | DHCP_STOP=" | ||
+ | DHCP_DEFAULT_ROUTER=" | ||
+ | DHCP_DNS=" | ||
+ | |||
+ | WG0_IPV4=" | ||
+ | WG0_IPV6=" | ||
+ | WG0_ENDPOINT=" | ||
+ | WG0_PRIVATE_KEY=" | ||
+ | |||
+ | WG1_IPV4=" | ||
+ | WG1_IPV6=" | ||
+ | WG1_ENDPOINT=" | ||
+ | WG1_PRIVATE_KEY=" | ||
+ | |||
+ | BGP_AS=" | ||
+ | BGP_NEIGHBOR1_IPV4=" | ||
+ | BGP_NEIGHBOR1_IPv6=" | ||
+ | BGP_NEIGHBOR2_IPv4=" | ||
+ | BGP_NEIGHBOR2_IPv6=" | ||
+ | BGP_NEXTHOP_IPV4=" | ||
+ | BGP_NEXTHOP_IPV6=" | ||
+ | |||
+ | SNMP_COMMUNITY=" | ||
+ | SNMP_CONTACT=" | ||
+ | SNMP_DESCRIPTION=" | ||
+ | SNMP_LOCATION=" | ||
+ | |||
+ | CLIENT1_IPV4=" | ||
+ | CLIENT1_IPV6=" | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | cat<< | ||
+ | firewall { | ||
+ | all-ping enable | ||
+ | broadcast-ping disable | ||
+ | ipv6-name VPN6_IN { | ||
+ | default-action drop | ||
+ | rule 10 { | ||
+ | action accept | ||
+ | description " | ||
+ | log disable | ||
+ | protocol all | ||
+ | state { | ||
+ | established enable | ||
+ | invalid disable | ||
+ | new disable | ||
+ | related enable | ||
+ | } | ||
+ | } | ||
+ | rule 20 { | ||
+ | action accept | ||
+ | description " | ||
+ | log disable | ||
+ | protocol icmpv6 | ||
+ | } | ||
+ | rule 30 { | ||
+ | action accept | ||
+ | description " | ||
+ | destination { | ||
+ | port 22 | ||
+ | } | ||
+ | disable | ||
+ | log disable | ||
+ | protocol tcp | ||
+ | } | ||
+ | rule 40 { | ||
+ | action accept | ||
+ | description " | ||
+ | destination { | ||
+ | port 80 | ||
+ | } | ||
+ | disable | ||
+ | log disable | ||
+ | protocol tcp | ||
+ | } | ||
+ | rule 50 { | ||
+ | action accept | ||
+ | description " | ||
+ | destination { | ||
+ | port 443 | ||
+ | } | ||
+ | disable | ||
+ | log disable | ||
+ | protocol tcp | ||
+ | } | ||
+ | rule 1010 { | ||
+ | action accept | ||
+ | description " | ||
+ | destination { | ||
+ | address $CLIENT1_IPV6 | ||
+ | port 22 | ||
+ | } | ||
+ | log disable | ||
+ | protocol tcp | ||
+ | } | ||
+ | rule 9000 { | ||
+ | action accept | ||
+ | description " | ||
+ | disable | ||
+ | protocol all | ||
+ | } | ||
+ | rule 9090 { | ||
+ | action drop | ||
+ | description " | ||
+ | protocol all | ||
+ | } | ||
+ | } | ||
+ | ipv6-receive-redirects disable | ||
+ | ipv6-src-route disable | ||
+ | ip-src-route disable | ||
+ | log-martians enable | ||
+ | name VPN_IN { | ||
+ | default-action reject | ||
+ | description "VPN to internal" | ||
+ | rule 10 { | ||
+ | action accept | ||
+ | description " | ||
+ | log disable | ||
+ | protocol all | ||
+ | state { | ||
+ | established enable | ||
+ | invalid disable | ||
+ | new disable | ||
+ | related enable | ||
+ | } | ||
+ | } | ||
+ | rule 20 { | ||
+ | action accept | ||
+ | description " | ||
+ | log disable | ||
+ | protocol icmp | ||
+ | } | ||
+ | rule 30 { | ||
+ | action accept | ||
+ | description " | ||
+ | destination { | ||
+ | port 22 | ||
+ | } | ||
+ | disable | ||
+ | log disable | ||
+ | protocol tcp | ||
+ | } | ||
+ | rule 40 { | ||
+ | action accept | ||
+ | description " | ||
+ | destination { | ||
+ | port 80 | ||
+ | } | ||
+ | log disable | ||
+ | protocol tcp | ||
+ | } | ||
+ | rule 50 { | ||
+ | action accept | ||
+ | description " | ||
+ | destination { | ||
+ | port 443 | ||
+ | } | ||
+ | log disable | ||
+ | protocol tcp | ||
+ | } | ||
+ | rule 1010 { | ||
+ | action accept | ||
+ | description " | ||
+ | destination { | ||
+ | address $CLIENT1_IPV4 | ||
+ | port 22 | ||
+ | } | ||
+ | disable | ||
+ | log disable | ||
+ | protocol tcp | ||
+ | } | ||
+ | rule 9000 { | ||
+ | action accept | ||
+ | description " | ||
+ | disable | ||
+ | protocol all | ||
+ | } | ||
+ | rule 9090 { | ||
+ | action drop | ||
+ | description " | ||
+ | log disable | ||
+ | protocol all | ||
+ | } | ||
+ | } | ||
+ | options { | ||
+ | mss-clamp { | ||
+ | interface-type wg | ||
+ | mss 1366 | ||
+ | } | ||
+ | mss-clamp6 { | ||
+ | interface-type wg | ||
+ | mss 1366 | ||
+ | } | ||
+ | } | ||
+ | receive-redirects disable | ||
+ | send-redirects enable | ||
+ | source-validation disable | ||
+ | syn-cookies enable | ||
+ | } | ||
+ | interfaces { | ||
+ | ethernet eth0 { | ||
+ | address dhcp | ||
+ | duplex auto | ||
+ | speed auto | ||
+ | } | ||
+ | ethernet eth1 { | ||
+ | duplex auto | ||
+ | poe { | ||
+ | output off | ||
+ | } | ||
+ | speed auto | ||
+ | } | ||
+ | ethernet eth2 { | ||
+ | duplex auto | ||
+ | poe { | ||
+ | output off | ||
+ | } | ||
+ | speed auto | ||
+ | } | ||
+ | ethernet eth3 { | ||
+ | duplex auto | ||
+ | poe { | ||
+ | output off | ||
+ | } | ||
+ | speed auto | ||
+ | } | ||
+ | ethernet eth4 { | ||
+ | duplex auto | ||
+ | poe { | ||
+ | output off | ||
+ | } | ||
+ | speed auto | ||
+ | } | ||
+ | loopback lo { | ||
+ | } | ||
+ | switch switch0 { | ||
+ | address $HOST_IPV4 | ||
+ | address $HOST_IPV6 | ||
+ | firewall { | ||
+ | out { | ||
+ | ipv6-name VPN6_IN | ||
+ | name VPN_IN | ||
+ | } | ||
+ | } | ||
+ | ipv6 { | ||
+ | dup-addr-detect-transmits 1 | ||
+ | router-advert { | ||
+ | cur-hop-limit 64 | ||
+ | link-mtu 0 | ||
+ | managed-flag false | ||
+ | max-interval 600 | ||
+ | other-config-flag false | ||
+ | prefix $HOST_IPV6_PREFIX { | ||
+ | autonomous-flag true | ||
+ | on-link-flag true | ||
+ | valid-lifetime 2592000 | ||
+ | } | ||
+ | reachable-time 0 | ||
+ | retrans-timer 0 | ||
+ | send-advert true | ||
+ | } | ||
+ | } | ||
+ | mtu 1500 | ||
+ | switch-port { | ||
+ | interface eth1 { | ||
+ | } | ||
+ | interface eth2 { | ||
+ | } | ||
+ | interface eth3 { | ||
+ | } | ||
+ | interface eth4 { | ||
+ | } | ||
+ | vlan-aware disable | ||
+ | } | ||
+ | } | ||
+ | wireguard wg0 { | ||
+ | address $WG0_IPV4 | ||
+ | address $WG0_IPV6 | ||
+ | listen-port 51822 | ||
+ | mtu 1406 | ||
+ | peer 3maAGagRC6if+yZdRj8FoT80TP/ | ||
+ | allowed-ips 0.0.0.0/0 | ||
+ | allowed-ips ::/0 | ||
+ | endpoint $WG0_ENDPOINT | ||
+ | persistent-keepalive 25 | ||
+ | } | ||
+ | private-key $WG0_PRIVATE_KEY | ||
+ | route-allowed-ips false | ||
+ | } | ||
+ | wireguard wg1 { | ||
+ | address $WG1_IPV4 | ||
+ | address $WG1_IPV6 | ||
+ | listen-port 51823 | ||
+ | mtu 1406 | ||
+ | peer VRHnZKr3T5/ | ||
+ | allowed-ips 0.0.0.0/0 | ||
+ | allowed-ips ::/0 | ||
+ | endpoint $WG1_ENDPOINT | ||
+ | persistent-keepalive 25 | ||
+ | } | ||
+ | private-key $WG1_PRIVATE_KEY | ||
+ | route-allowed-ips false | ||
+ | } | ||
+ | } | ||
+ | protocols { | ||
+ | bgp $BGP_AS { | ||
+ | address-family { | ||
+ | ipv6-unicast { | ||
+ | redistribute { | ||
+ | connected { | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | maximum-paths { | ||
+ | ebgp 4 | ||
+ | } | ||
+ | neighbor $BGP_NEIGHBOR1_IPV4 { | ||
+ | remote-as 65132 | ||
+ | soft-reconfiguration { | ||
+ | inbound | ||
+ | } | ||
+ | } | ||
+ | neighbor $BGP_NEIGHBOR2_IPv4 { | ||
+ | remote-as 65132 | ||
+ | soft-reconfiguration { | ||
+ | inbound | ||
+ | } | ||
+ | } | ||
+ | neighbor $BGP_NEIGHBOR1_IPv6 { | ||
+ | address-family { | ||
+ | ipv6-unicast { | ||
+ | } | ||
+ | } | ||
+ | remote-as 65132 | ||
+ | soft-reconfiguration { | ||
+ | inbound | ||
+ | } | ||
+ | } | ||
+ | neighbor $BGP_NEIGHBOR2_IPv6 { | ||
+ | address-family { | ||
+ | ipv6-unicast { | ||
+ | } | ||
+ | } | ||
+ | remote-as 65132 | ||
+ | soft-reconfiguration { | ||
+ | inbound | ||
+ | } | ||
+ | } | ||
+ | redistribute { | ||
+ | connected { | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | static { | ||
+ | route 172.22.0.0/ | ||
+ | next-hop 192.168.179.1 { | ||
+ | description LAN | ||
+ | } | ||
+ | } | ||
+ | route 195.30.94.26/ | ||
+ | next-hop 192.168.179.1 { | ||
+ | description " | ||
+ | } | ||
+ | } | ||
+ | route 195.30.193.34/ | ||
+ | next-hop 192.168.179.1 { | ||
+ | description " | ||
+ | } | ||
+ | } | ||
+ | route6 2001: | ||
+ | blackhole { | ||
+ | } | ||
+ | } | ||
+ | route6 2001: | ||
+ | blackhole { | ||
+ | } | ||
+ | } | ||
+ | table 11 { | ||
+ | route 0.0.0.0/0 { | ||
+ | next-hop $BGP_NEXTHOP_IPV4 { | ||
+ | } | ||
+ | } | ||
+ | route6 ::/0 { | ||
+ | next-hop $BGP_NEXTHOP_IPV6 { | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | service { | ||
+ | dhcp-server { | ||
+ | disabled false | ||
+ | hostfile-update disable | ||
+ | shared-network-name internal { | ||
+ | authoritative disable | ||
+ | subnet $DHCP_SUBNET { | ||
+ | default-router $DHCP_DEFAULT_ROUTER | ||
+ | dns-server $DHCP_DNS | ||
+ | lease 600 | ||
+ | start $DHCP_START { | ||
+ | stop $DHCP_STOP | ||
+ | } | ||
+ | unifi-controller 195.30.94.28 | ||
+ | } | ||
+ | } | ||
+ | static-arp disable | ||
+ | use-dnsmasq disable | ||
+ | } | ||
+ | dns { | ||
+ | forwarding { | ||
+ | cache-size 10000 | ||
+ | listen-on switch0 | ||
+ | } | ||
+ | } | ||
+ | gui { | ||
+ | http-port 80 | ||
+ | https-port 443 | ||
+ | older-ciphers enable | ||
+ | } | ||
+ | snmp { | ||
+ | community $SNMP_COMMUNITY { | ||
+ | authorization ro | ||
+ | } | ||
+ | contact $SNMP_CONTACT | ||
+ | description $SNMP_DESCRIPTION | ||
+ | location $SNMP_LOCATION | ||
+ | } | ||
+ | ssh { | ||
+ | port 22 | ||
+ | protocol-version v2 | ||
+ | } | ||
+ | unms { | ||
+ | disable | ||
+ | } | ||
+ | } | ||
+ | system { | ||
+ | flow-accounting { | ||
+ | disable-memory-table | ||
+ | ingress-capture post-dnat | ||
+ | interface eth0 | ||
+ | netflow { | ||
+ | enable-egress { | ||
+ | engine-id 51 | ||
+ | } | ||
+ | engine-id 50 | ||
+ | mode daemon | ||
+ | server 167.71.92.38 { | ||
+ | port 2055 | ||
+ | } | ||
+ | timeout { | ||
+ | expiry-interval 60 | ||
+ | flow-generic 60 | ||
+ | icmp 60 | ||
+ | max-active-life 60 | ||
+ | tcp-fin 10 | ||
+ | tcp-generic 60 | ||
+ | tcp-rst 10 | ||
+ | udp 60 | ||
+ | } | ||
+ | version 9 | ||
+ | } | ||
+ | syslog-facility daemon | ||
+ | } | ||
+ | host-name $HOST_NAME | ||
+ | login { | ||
+ | user ubnt { | ||
+ | authentication { | ||
+ | encrypted-password \$5\$trVYj6jdWHatLKF6\$BruP2qvNOWNQ2BcoY4EscxECQdHxNWeHrTA1chhzYe0 | ||
+ | plaintext-password "" | ||
+ | } | ||
+ | full-name "" | ||
+ | level admin | ||
+ | } | ||
+ | } | ||
+ | ntp { | ||
+ | server 0.ubnt.pool.ntp.org { | ||
+ | } | ||
+ | server 1.ubnt.pool.ntp.org { | ||
+ | } | ||
+ | server 2.ubnt.pool.ntp.org { | ||
+ | } | ||
+ | server 3.ubnt.pool.ntp.org { | ||
+ | } | ||
+ | } | ||
+ | syslog { | ||
+ | global { | ||
+ | facility all { | ||
+ | level notice | ||
+ | } | ||
+ | facility protocols { | ||
+ | level debug | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | time-zone UTC | ||
+ | traffic-analysis { | ||
+ | custom-category XBOX { | ||
+ | name XBOX | ||
+ | } | ||
+ | dpi enable | ||
+ | export enable | ||
+ | } | ||
+ | } | ||
+ | traffic-control { | ||
+ | optimized-queue { | ||
+ | policy global | ||
+ | policy queues | ||
+ | } | ||
+ | } | ||
+ | |||
+ | |||
+ | /* Warning: Do not remove the following line. */ | ||
+ | /* === vyatta-config-version: | ||
+ | /* Release version: v2.0.8-hotfix.1.5278088.200305.1641 */ | ||
+ | EOF | ||
+ | |||
+ | </ | ||
+ | |||
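Review bot: The generated config.boot at the `encrypted-password \$5\$…` line inside `login { user ubnt { … } }` bakes one fixed password hash into the `level admin` account, and since the template is published on the wiki every device built from it shares an admin credential whose hash is now public. Unlike `WG0_PRIVATE_KEY` or `SNMP_COMMUNITY`, this secret is not pulled out into a variable at the top of `mk_config.boot.sh`. Add `UBNT_PASSWORD_HASH=''` next to the other per-device values and write `encrypted-password $UBNT_PASSWORD_HASH` in the heredoc, so the hash is generated per device, and the hash currently on the page should be rotated on any device that used it. The escaped `\$5\$` shows the heredoc is unquoted, so a plain `$UBNT_PASSWORD_HASH` reference expands like the other variables, but the assignment at the top must use single quotes because a crypt hash itself contains `$`. The `older-ciphers enable` under `service { gui { … } }` widens the TLS configuration of the web UI and deserves a comment stating why it is needed, e.g. `# older-ciphers: needed for <client/reason>, otherwise remove`.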