Vyatta

From RSU WiKi
Vyatta is a network operating system based on Debian GNU/Linux. It runs on x86 hardware and lets an ordinary PC or server act as a router, firewall or VPN concentrator. Vyatta can also run in a virtual machine, providing the traditional network services for a virtual infrastructure (VMware ESX Server and Citrix XenServer are officially supported; in theory it can run on any hypervisor).

It is developed by Vyatta Inc., based in Belmont, California, which positions Vyatta as a competitor to Cisco products from the ISR 1800 up to the 7200 VXR[1].

Vyatta Inc. also sells technical support for its products, configuration consulting and hardware with Vyatta preinstalled. According to the developers, the product name comes from the Sanskrit word for "open"[2].


Task

Build a high-performance, reliable, flexible and scalable network infrastructure that provides BGP, VPN and NAT at minimal cost. A system of software routers running on standard-architecture servers fully satisfies these requirements.

The system described here runs on three Vyatta routers installed in VMware vSphere on an IBM x3550 M3 server. It supports two Internet uplinks (100 and 10 Mbit/s) and routing between subnets with port filtering and QoS. NAT is used for Internet access. Filtering of unwanted resources is done on the DNS server.

Installation

Fresh installation

What do you need?

  • Any x86-based (PC) computer (see the Vyatta site for hardware requirements)
  • One network engineer for experiments (he must be crazy (-8 )
  • Internet access (to download the .iso and documentation)
  • 10-30 minutes for a basic install (install, configure an IP address, access)
  • Any virtualization product if you want to try it in a virtual environment (VMware Workstation or Player, for example)
  1. Download the .iso from vyatta.org
  2. Burn a CD from the ISO (or attach the .iso as a CD in the virtual environment)
  3. Boot from the CD until you see "login:"
  4. Log in with the default credentials (for 6.2 the default is vyatta/vyatta)
  5. Type "install-image" and press Enter
  6. Wait until it finishes
  7. Remove the CD (or disable booting from it)
  8. Wait until the system boots successfully ("login:")
  9. Log in as vyatta/vyatta
  10. You are now in operational mode ($)
  11. Type "show interfaces ethernet" to find your interface names. Remember them (for example eth0)
  12. Type "configure" and press Enter. You are now in configuration mode (#).
  13. Create the user crazy with the password crazypwd
    1. Type "set system login user crazy level admin"
    2. Type "set system login user crazy authentication plaintext-password crazypwd" (on commit Vyatta hashes the password and stores it as encrypted-password, so the plaintext never reaches config.boot)
    3. Type "show system login" or "show system" to display the system configuration
    4. Change the password of the default vyatta account as well ("set system login user vyatta authentication plaintext-password <new-password>"); otherwise, once SSH is enabled below, the router is reachable with vyatta/vyatta
  14. Configure the IP address of our interface. eth0 is the name we remembered.
    1. Type "set interfaces ethernet eth0 description 'My first interface'"
    2. Type "set interfaces ethernet eth0 address 192.168.0.1/24"
  15. Enable SSH by typing "set service ssh"
  16. Review the overall configuration with "show"
  17. Commit and save

Vyatta has three different configurations:

  • Running (current) configuration. This is the one used for every real operation: forwarding traffic, access, and so on.
  • Saved (stored) configuration. This is the one loaded when the router boots after power-on or a reboot command. It is simply a file on the file system (/config/config.boot).
  • Session (temporary) configuration. This is the copy you edit while making configuration changes; it is private to each configuration session.

Vyatta has a few commands for working with these configurations:

in configuration mode:

  • commit moves the session configuration into the running configuration but does not save it to disk. A related command, commit-confirm, applies the changes and reverts to the saved configuration (by rebooting) unless you confirm them within the given number of minutes; use it when changing firewall rules or the address of the interface your own SSH session comes in on.
  • save writes the running configuration to disk (/config/config.boot) for the next boot.

in operational mode:

show configuration
show configuration commands
    1. Commit our changes by typing "commit"
    2. Save the newly committed configuration to disk with the "save" command
    3. Return to operational mode with "exit"

9999 Profit

Upgrading

Upgrade Options

You have two options for upgrading Vyatta system software:

  • An image-based upgrade. This is the supported upgrade method for physical hardware systems. An image-based upgrade is a simple matter of downloading a new system image and adding it alongside previous versions of the system using the add system image command. You can perform this procedure on a physical hardware system whether it was previously disk-based or image-based. The system automatically migrates your configuration to the installed image and selects it to run on the next system reboot. The procedure for performing an image-based upgrade is in the section "Image-Based Upgrades" of the Vyatta installation guide.
  • Upgrade for a virtualized environment. The virtual environment supplied with each new Vyatta release is tuned to ensure the most optimal settings for components such as Ethernet drivers. For this reason, Vyatta recommends that upgrades to virtual systems be clean installs followed by a configuration file migration from the old system to the new system. The procedure for upgrading in a virtual environment is given below.

Upgrading in a Virtual Environment

Upgrading in a virtual environment involves two steps:

  1. Install a fresh virtualized environment.
  2. Migrate your configuration.
Install the new virtualized Vyatta system

Install a new virtualized Vyatta system by following the installation instructions for your virtual environment:

  • To install a new VMware environment, follow the instructions in the section "Installing on VMware" of the Vyatta installation guide.
  • To install a new XenServer environment, follow the instructions in the section "Installing on XenServer" of the Vyatta installation guide.
Migrate the configuration
  1. In configuration mode on the old system, use the save command to save the current configuration.
  2. For all Ethernet interfaces, remove the hardware ID values using the delete interfaces ethernet ethx hw-id command, then commit and save the configuration under a name other than config.boot (for example, save oldconfig).
  3. Use the load command to return the original configuration to the old system.
  4. Use the set service ssh command and then the commit command to configure the system to allow for SCP file transfer.
  5. In configuration mode on the new system, assign an IP address to an interface residing on the same subnet as one on the old system (for example, set interfaces ethernet eth0 address 192.168.1.99/24), and then commit the change.
  6. Copy the saved configuration (the one with the hardware IDs removed) from the old system to the new system. For example, if the old system is at 192.168.1.20, the saved configuration file is named oldconfig, and the username vyatta is available on the old system, issue the scp command on the new system as follows
    scp vyatta@192.168.1.20:/config/oldconfig /config/oldconfig
  7. Load the copied configuration using the load command (for example, load oldconfig). At this point, the configuration on the new system should match that on the old system (except for the hardware IDs).
  8. Shut down the old system using the shutdown command.

Configuration

General

DNS naming rules for routers and switches

Main article: DNS naming rules for routers and switches

When a new router or switch is added to the network, the question arises what name to register for it in DNS. You can invent a name for each device separately, or follow the logical and convenient scheme described below.

Advantages of this scheme:

  • Each device has a short name that can be typed quickly in the console
  • The purpose (type) of the device and its location are easy to tell from the name
  • The name depends on the function the device performs, not on its model/vendor, so when an AT switch is replaced with a Cisco one nothing needs renaming in DNS and no new name has to be memorised

Enabling SSH

set service ssh
commit
save

Backing up the configuration file

set system config-management commit-archive location 'ftp://backup-vyatta:backuppwd@backup.example.com'
set system config-management commit-revisions '20'

Archiving over TFTP, FTP and SCP is supported. FTP and TFTP carry both the credentials and the configuration (which contains password hashes, pre-shared keys and RADIUS secrets) in clear text, so prefer an scp:// location. Note that the location URI, password included, is itself stored in config.boot, so use a dedicated backup account with the minimum rights on the archive host.

Vyatta Firewall

Main article: Vyatta Firewall
Three firewall chains can be attached to a Vyatta network interface:
  • IN: traffic entering the router through the interface that is not destined to the router itself (forwarded traffic between hosts connected to the router)
  • OUT: traffic leaving the router through the interface that did not originate from the router itself (forwarded traffic between hosts connected to the router)
  • LOCAL: traffic arriving on the interface that is destined to the router itself (incoming connections to the router)

Connection states are as follows:

  • NEW: the packet starts a new connection (like a SYN segment for a TCP connection).
  • RELATED: the packet starts a new connection that is associated with an existing one (say the FTP data channel), or it may be an ICMP error packet.
  • ESTABLISHED: the packet is part of a connection that is already established.
  • INVALID: the packet is not associated with any known connection.

Vyatta and hot standby

Load balancing and backup links in Vyatta

Border router (BGP, OSPF)

The router serves AS64512 and has two BGP links, primary and backup, plus an OSPF adjacency to the router inside the network.

Router for clients (NAT, OSPF, routing, firewall, QoS)

Opening SSH to machines in the DMZ with protection against password brute-forcing

set firewall name outside_in rule 115 action 'drop'
set firewall name outside_in rule 115 description 'Limit SSH against BruteForce'
set firewall name outside_in rule 115 destination address '198.51.100.0/24'
set firewall name outside_in rule 115 destination port 'ssh'
set firewall name outside_in rule 115 protocol 'tcp'
set firewall name outside_in rule 115 recent count 4
set firewall name outside_in rule 115 recent time 60
set firewall name outside_in rule 115 state new enable

set firewall name outside_in rule 120 action 'accept'
set firewall name outside_in rule 120 description 'permit ssh for all RealIP'
set firewall name outside_in rule 120 destination address '198.51.100.0/24'
set firewall name outside_in rule 120 destination port 'ssh'
set firewall name outside_in rule 120 protocol 'tcp'

Main article: Fighting SSH brute force
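What rule 115 does in practice, as an added simulation (this is not Vyatta or iptables code, it is an editor's model of the documented behaviour): Vyatta compiles `recent count`/`recent time` into the iptables `recent` match, and the rule drops a new SSH connection once its source address has been seen more than `count` times within `time` seconds. The model below implements exactly that and shows three things the rule lines alone do not: the counter is per source address (an admin behind the same NAT as an attacker shares the budget, and a trusted source needs a lower-numbered accept rule to be exempt), only `state new` attempts count so open sessions survive, and the block lifts only after the source stays quiet for the whole window. Whether the count-th or the (count+1)-th attempt is the first one dropped depends on the order of the `--set`/`--update` rules Vyatta generates, so verify on the router with `sudo iptables -L outside_in -n -v` and a test from a disposable host. The timeline is constructed.

```python
from collections import defaultdict, deque


class RecentLimiter:
    """Model of `recent count N` / `recent time T` on a `state new` drop rule: a new
    connection is dropped once its source has already been seen N times within the
    last T seconds. Every attempt, dropped or not, refreshes the source's history,
    so a host that keeps hammering stays blocked until it pauses for T seconds."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.seen = defaultdict(deque)       # source -> timestamps still inside the window

    def new_connection(self, src, t):
        hits = self.seen[src]
        while hits and t - hits[0] >= self.seconds:
            hits.popleft()                   # forget attempts older than the window
        verdict = "drop" if len(hits) >= self.count else "accept"
        hits.append(t)
        return verdict


def simulate(limiter, events):
    """events: (source, seconds) of new SSH connections in time order -> list of verdicts."""
    return [(src, t, limiter.new_connection(src, t)) for src, t in events]


# Constructed timeline: one host brute-forcing, one admin logging in twice (seconds since start).
EVENTS = [
    ("203.0.113.50", 0), ("203.0.113.50", 5), ("203.0.113.50", 10), ("203.0.113.50", 15),
    ("203.0.113.50", 20),   # 5th attempt inside a minute
    ("198.51.100.7", 21),   # the admin is unaffected: the counter is per source address
    ("203.0.113.50", 70),   # three of the earlier stamps have aged out by now
    ("198.51.100.7", 80),
    ("203.0.113.50", 130),
]

if __name__ == "__main__":
    for src, t, verdict in simulate(RecentLimiter(count=4, seconds=60), EVENTS):
        print(f"t={t:4d}s {src:15} {verdict}")
```

Because rule 115 is a drop and rule 120 the accept, the numbering is what makes the limiter work: rules are evaluated in ascending order, so an accept numbered below 115 for the same port would bypass the limit entirely.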

Blocking SMB

set firewall name local_in_wifi rule 1020 action 'drop'
set firewall name local_in_wifi rule 1020 description 'Drop SMB packets for Wi-Fi (172.18/16)'
set firewall name local_in_wifi rule 1020 destination port '137,138,139,445'
set firewall name local_in_wifi rule 1020 protocol 'tcp_udp'

Opening RDP to a machine in the DMZ

set firewall group address-group remote-admins address 198.51.100.165
set firewall group address-group remote-admins address 203.0.113.227
delete firewall name outside_in rule 5061
set firewall name outside_in rule 5061 action 'accept'
set firewall name outside_in rule 5061 description 'INPUT From Outside. Permit RDP access to IIS web server'
set firewall name outside_in rule 5061 destination address '192.0.2.136/32'
set firewall name outside_in rule 5061 destination port '3389'
set firewall name outside_in rule 5061 protocol 'tcp'
set firewall name outside_in rule 5061 source group address-group remote-admins

DHCP

  • the client transmits requests from its source port 68 to the server on port 67
  • the server sends replies from its source port 67 to the client on port 68
DHCP-Relay [3]

Articles on the dhcp relay mechanism:

The dhcp-relay must listen on all involved interfaces. If the DHCP server is connected to an interface other than eth0, you'll need to configure the 'set service dhcp-relay interface <ethx>' on that interface as well [4].

service {
    dhcp-relay {
        interface eth0.181  <-- subscribers here
        interface eth0.182  <-- subscribers here
        interface eth0.185  <-- subscribers here
        interface eth0.186  <-- subscribers here
        interface eth0.2    <-- and here is the dhcp server
        relay-options {
            relay-agents-packets forward
        }
        server 172.16.0.2
        server 172.16.0.3
    }
}

Say you enable the DHCP relay on Vyatta to relay DHCP requests received from DHCP clients on the eth1 interface to a DHCP server located on the eth0 interface [5].

set firewall name eth1local rule 10 action accept
set firewall name eth1local rule 10 protocol udp
set firewall name eth1local rule 10 destination port 67
set firewall name eth1local rule 10 source port 68
set firewall name eth1local rule 10 state new enable
set firewall name eth1local rule 10 state established enable
set firewall name eth1local rule 10 state related enable
set interfaces ethernet eth1 firewall local name eth1local

Now, although the firewall rule below may appear logical, it does not have any effect (in fact I could have applied it as a general drop rule (deleting the protocol, source etc.) and it would not drop the replies from the DHCP server):

set firewall name eth0local rule 10 action accept
set firewall name eth0local rule 10 protocol udp
set firewall name eth0local rule 10 destination port 67
set firewall name eth0local rule 10 source port 67
set firewall name eth0local rule 10 state established enable
set firewall name eth0local rule 10 state related enable
set interfaces ethernet eth0 firewall local name eth0local

For this example to work correctly, keep in mind that the DHCP server receives the relayed packets from the router (relay) with source address 192.168.1.1, so the DHCP server must have a route to 192.168.1.0/24: per RFC 2131 a server answers a relayed request to the relay address carried in giaddr, port 67. The reason the eth0 `local` rule above has no effect is that ISC dhcrelay receives its packets through a packet (LPF) socket, which is handed frames at the link layer before the netfilter INPUT hook that Vyatta's `local` firewall is attached to; this is the same reason tshark shows packets that the firewall drops.
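The relay path those rules have to allow, as an added example (not Vyatta or ISC code; an editor's minimal implementation built on the RFC 2131 message layout): a BOOTP/DHCP header encoder and decoder and two relay functions that do what dhcrelay does with the packet. A request from a client arrives on UDP 68 to 67; the relay fills giaddr with its own address on the client segment (192.168.1.1 here, as in the note above), bumps hops, and forwards it to each server from port 67 to port 67; the server answers to giaddr:67, which is exactly why it needs a route to 192.168.1.0/24; the relay then delivers the reply to the client on port 68. Addresses, the hop limit (ISC dhcrelay's default of 10 for -c is assumed) and the DISCOVER are constructed; options are carried opaquely.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"           # DHCP magic cookie after the 236-byte BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
CLIENT_PORT, SERVER_PORT = 68, 67
MAX_HOPS = 10                        # assumption: ISC dhcrelay's default for -c
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file


def build(op, xid, chaddr, ciaddr="0.0.0.0", yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0, options=b""):
    """Encode a DHCP message (RFC 2131 section 2 layout); options are carried opaquely."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0,
                      socket.inet_aton(ciaddr), socket.inet_aton(yiaddr), socket.inet_aton("0.0.0.0"),
                      socket.inet_aton(giaddr), chaddr[:6].ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + options


def parse(pkt):
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "ciaddr": socket.inet_ntoa(f[7]), "yiaddr": socket.inet_ntoa(f[8]),
            "giaddr": socket.inet_ntoa(f[10]), "chaddr": f[11][:f[2]], "options": pkt[240:]}


def relay_request(pkt, client_if_addr, server_if_addr, servers):
    """Client -> relay arrives on UDP 68 -> 67. Returns (src_ip, src_port, dst_ip, dst_port, bytes) per server."""
    d = parse(pkt)
    if d["op"] != BOOTREQUEST or d["hops"] >= MAX_HOPS:
        return []                                   # silently discard (loop protection)
    # giaddr names the relay's address on the client segment; a second relay in the path keeps the first one.
    giaddr = d["giaddr"] if d["giaddr"] != "0.0.0.0" else client_if_addr
    fwd = build(BOOTREQUEST, d["xid"], d["chaddr"], d["ciaddr"], d["yiaddr"], giaddr, d["hops"] + 1, d["options"])
    # The relay talks to the server from port 67, so the server-side `local` rule must allow udp 67 -> 67
    # in both directions; the server answers to giaddr:67, hence the route to the client subnet.
    return [(server_if_addr, SERVER_PORT, s, SERVER_PORT, fwd) for s in servers]


def relay_reply(pkt, client_if_addr):
    """Server -> relay arrives on UDP 67 -> 67 addressed to giaddr; relay hands it to the client on port 68."""
    d = parse(pkt)
    if d["op"] != BOOTREPLY or d["giaddr"] != client_if_addr:
        return []                                   # not ours: giaddr belongs to another relay
    # Simplified delivery: broadcast on the client segment unless the client already has an address.
    dst = d["ciaddr"] if d["ciaddr"] != "0.0.0.0" else "255.255.255.255"
    return [(client_if_addr, SERVER_PORT, dst, CLIENT_PORT, pkt)]


# Constructed sample: a DISCOVER from a client on 192.168.1.0/24, relayed to the two servers in the config above.
CLIENT_MAC = bytes.fromhex("0011223344aa")
DISCOVER = build(BOOTREQUEST, 0x3903F326, CLIENT_MAC, options=b"\x35\x01\x01\xff")  # option 53 = DHCPDISCOVER


def demo():
    fwd = relay_request(DISCOVER, "192.168.1.1", "172.16.0.1", ["172.16.0.2", "172.16.0.3"])
    d = parse(fwd[0][4])
    # The server's OFFER copies xid/chaddr/giaddr back and fills in yiaddr.
    offer = build(BOOTREPLY, d["xid"], d["chaddr"], yiaddr="192.168.1.50", giaddr=d["giaddr"],
                  options=b"\x35\x01\x02\xff")  # option 53 = DHCPOFFER
    return fwd, relay_reply(offer, "192.168.1.1")


if __name__ == "__main__":
    fwd, back = demo()
    for src, sp, dst, dp, p in fwd + back:
        d = parse(p)
        print(f"{src}:{sp} -> {dst}:{dp} op={d['op']} hops={d['hops']} giaddr={d['giaddr']} yiaddr={d['yiaddr']}")
```

Reading the four printed legs against the two `local` rule sets above: the eth1 rule sees the 68 to 67 leg, while the 67 to 67 reply leg is what the eth0 rule was meant to match but cannot, for the packet-socket reason given above.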

VPN server (PPTP, L2TP)

VPN (Virtual Private Network[6]) is the generic name for technologies that provide one or more network connections (a logical network) on top of another network (for example the Internet). Although the communication runs over networks with a lower or unknown level of trust (public networks, for example), the level of trust in the logical network does not depend on the trust in the underlying networks, thanks to cryptography (encryption, authentication, public-key infrastructure, and protection against replay and modification of the messages carried over the logical network).

Configuring PPTP

Caveat: PPTP authenticates with MS-CHAPv2 and derives its MPPE keys from that exchange; a captured handshake can be cracked offline, so treat PPTP as legacy client support only and prefer the L2TP/IPsec setup below for anything sensitive.

vpn {
    pptp {
        remote-access {
            authentication {
                mode radius
                radius-server RADIUS_SERVER_IP {
                    key !secretkey!
                }
            }
            client-ip-pool {
                start IP_ADDRESS
                stop IP_ADDRESS
            }
            dns-servers {
                server-1 DNS_SERVER_IP_1
                server-2 DNS_SERVER_IP_2
            }
            outside-address OUTSIDE_ADDRESS_IP
        }
    }
}

Configuring L2TP/IPsec

Generate all the necessary certificates and keys following the guide: Using XCA to configure the PKI part needed for L2TP/IPsec VPN connections using certificates for IKE main mode authentication

vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network aa.bb.cc.0/24 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                mode radius
                radius-server RADIUS_SERVER_IP {
                    key RADIUS_SERVER_KEY
                }
            }
            client-ip-pool {
                start IP_ADDRESS
                stop IP_ADDRESS
            }
            dns-servers {
                server-1 DNS_SERVER_IP_1
                server-2 DNS_SERVER_IP_2
            }
            ipsec-settings {
                authentication {
                    mode x509
                    x509 {
                        ca-cert-file /config/auth/Vyatta_L2TP_CA.crt
                        server-cert-file /config/auth/L2TP_vpn_srv.crt
                        server-key-file /config/auth/L2TP_vpn_srv_SSLKEY.pem
                        server-key-password KEY_PASSWORD
                    }
                }
                ike-lifetime 3600
            }
            outside-address IP_ADDRESS
            outside-nexthop IP_ADDRESS
        }
    }
}

NAT configuration for the VPN to work:

service {
    nat {
        rule 10 {
            outbound-interface eth0
            source {
                address aa.bb.cc.0/24
            }
            type masquerade
        }
    }
}

Static route configuration:

protocols {
    static {
        route 172.16.0.0/16 {
            next-hop 172.20.1.1 {
            }
        }
        route 172.20.0.0/16 {
            next-hop 172.20.1.1 {
            }
        }
    }
}

When the server's private key is exported from XCA it is written in PKCS#8 format, which is incompatible with the traditional SSLeay (PKCS#1) format that Vyatta expects. Convert the key as follows. If XCA exported an encrypted key (BEGIN ENCRYPTED PRIVATE KEY), openssl rsa asks for that passphrase and writes the result unencrypted unless you add an option such as -aes256; server-key-password above has to match the passphrase of the converted file, and the key in /config/auth should be readable by root only.

openssl rsa -in 'exportedXCAprivatekey' -out 'SSLeaycompatibleformat'
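What that conversion actually changes, as an added example (this is an editor's illustration, not XCA, OpenSSL or Vyatta code): an unencrypted PKCS#8 PrivateKeyInfo is a SEQUENCE of a version, an AlgorithmIdentifier (rsaEncryption) and an OCTET STRING whose contents are the PKCS#1 RSAPrivateKey; the "traditional" PEM that Vyatta wants is that inner structure with a BEGIN RSA PRIVATE KEY header. The script encodes a toy RSA key (constructed tiny parameters, useless as a real key) as PKCS#1, wraps it as PKCS#8 and unwraps it again with a minimal DER parser, so the two layouts can be compared side by side. It handles only unencrypted PKCS#8; an encrypted export must first be decrypted by openssl as described above.

```python
import base64
import textwrap

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06


def der_len(n):
    """DER length: short form below 128, otherwise 0x80|nbytes followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    nbytes = (n.bit_length() + 7) // 8
    return bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(i):
    # Positive INTEGER: minimal big-endian bytes plus a leading 0x00 if the top bit is set.
    return tlv(INTEGER, i.to_bytes((i.bit_length() + 8) // 8, "big"))


def read_tlv(buf, pos=0):
    """Return (tag, content, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    else:
        length, hdr = first, 2
    start = pos + hdr
    return tag, buf[start:start + length], start + length


PKCS1_FIELDS = ("version", "n", "e", "d", "p", "q", "dP", "dQ", "qInv")


def encode_pkcs1(key):
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv } ('BEGIN RSA PRIVATE KEY')."""
    return tlv(SEQUENCE, b"".join(der_int(key[f]) for f in PKCS1_FIELDS))


def decode_pkcs1(der):
    tag, body, _ = read_tlv(der)
    assert tag == SEQUENCE
    vals, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        assert t == INTEGER
        vals.append(int.from_bytes(v, "big"))
    return dict(zip(PKCS1_FIELDS, vals))


def wrap_pkcs8(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier {rsaEncryption, NULL}, OCTET STRING (RSAPrivateKey) }."""
    alg = tlv(SEQUENCE, tlv(OID, RSA_OID) + tlv(NULL, b""))
    return tlv(SEQUENCE, der_int(0) + alg + tlv(OCTET_STRING, pkcs1_der))


def unwrap_pkcs8(pkcs8_der):
    """What `openssl rsa -in pkcs8.pem -out traditional.pem` does for an unencrypted RSA key."""
    tag, body, _ = read_tlv(pkcs8_der)
    assert tag == SEQUENCE
    _, version, pos = read_tlv(body)
    assert version == b"\x00", "only unencrypted v0 PrivateKeyInfo is handled here"
    _, alg, pos = read_tlv(body, pos)
    _, oid, _ = read_tlv(alg)
    assert oid == RSA_OID, "not an rsaEncryption key"
    tag, inner, _ = read_tlv(body, pos)
    assert tag == OCTET_STRING
    return inner


def to_pem(der, label):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64)) + f"\n-----END {label}-----\n"


def from_pem(pem):
    lines = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(lines))


# Constructed toy key (p=61, q=53): illustrates the encoding only, it is not a usable key.
TOY_KEY = {"version": 0, "n": 3233, "e": 17, "d": 2753, "p": 61, "q": 53, "dP": 53, "dQ": 49, "qInv": 38}

if __name__ == "__main__":
    pkcs1 = encode_pkcs1(TOY_KEY)
    pkcs8 = wrap_pkcs8(pkcs1)
    print(to_pem(pkcs8, "PRIVATE KEY"))                     # the layout XCA exports
    print(to_pem(unwrap_pkcs8(pkcs8), "RSA PRIVATE KEY"))   # the layout Vyatta expects
```

A quick sanity check after a real conversion is `openssl rsa -in converted.pem -noout -check`, which verifies the key components are consistent, and `openssl rsa -in converted.pem -noout -modulus` compared with `openssl x509 -in L2TP_vpn_srv.crt -noout -modulus` to confirm the key matches the server certificate.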

Firewall configuration on the border router

A detailed and long article: http://www.carbonwind.net/VyattaOFR/Firewall/Firewall.htm

If the VPN server is inside the DMZ behind a Vyatta-based border router, the following settings are needed. Assume the VPN server has the address 198.51.100.100.

PPTP
set firewall name outside_in rule 5080 action 'accept'
set firewall name outside_in rule 5080 description 'INPUT From Outside. Permit TCP access to VPN Server'
set firewall name outside_in rule 5080 destination address '198.51.100.100/32'
set firewall name outside_in rule 5080 destination port '1723'
set firewall name outside_in rule 5080 protocol 'tcp'

set firewall name outside_in rule 5082 action 'accept'
set firewall name outside_in rule 5082 description 'INPUT From Outside. Permit GRE access to VPN Server'
set firewall name outside_in rule 5082 destination address '198.51.100.100/32'
set firewall name outside_in rule 5082 protocol 'gre'
set firewall name outside_in rule 5082 state established 'enable'
set firewall name outside_in rule 5082 state new 'enable'
set firewall name outside_in rule 5082 state related 'enable'

set firewall name outside_out rule 1180 action 'accept'
set firewall name outside_out rule 1180 description '******************* vpn.example.com Server  access to Internet *********************'
set firewall name outside_out rule 1180 'disable'
set firewall name outside_out rule 1181 action 'accept'
set firewall name outside_out rule 1181 description 'vpn.example.com PPTP Server  permit access to GRE'
set firewall name outside_out rule 1181 protocol 'gre'
set firewall name outside_out rule 1181 source address '198.51.100.100/32'
L2TP/IPsec (UDP 1701 in rule 5090 only matters if the server also accepts L2TP without IPsec; with L2TP/IPsec the L2TP traffic reaches the border router inside ESP or UDP 4500, so omit 1701 from this rule unless the server needs plain L2TP)
set firewall name outside_in rule 5090 action 'accept'
set firewall name outside_in rule 5090 description 'INPUT From Outside. Permit L2TP access to VPN Server'
set firewall name outside_in rule 5090 destination address '198.51.100.100/32'
set firewall name outside_in rule 5090 destination port '500,1701,4500'
set firewall name outside_in rule 5090 protocol 'udp'

set firewall name outside_in rule 5092 action 'accept'
set firewall name outside_in rule 5092 description 'INPUT From Outside. Permit ESP access to VPN Server'
set firewall name outside_in rule 5092 destination address '198.51.100.100/32'
set firewall name outside_in rule 5092 protocol 'esp'
set firewall name outside_in rule 5092 state established 'enable'
set firewall name outside_in rule 5092 state new 'enable'
set firewall name outside_in rule 5092 state related 'enable'

set firewall name outside_out rule 1183 action 'accept'
set firewall name outside_out rule 1183 description 'vpn.rsu.edu.ru L2TP Server  permit access to ESP'
set firewall name outside_out rule 1183 protocol 'esp'
set firewall name outside_out rule 1183 source address '198.51.100.100/32'

set firewall name outside_in rule 5094 action 'accept'
set firewall name outside_in rule 5094 description 'INPUT From Outside. Permit AH access to VPN Server'
set firewall name outside_in rule 5094 destination address '198.51.100.100/32'
set firewall name outside_in rule 5094 protocol 'ah'
set firewall name outside_in rule 5094 state established 'enable'
set firewall name outside_in rule 5094 state new 'enable'
set firewall name outside_in rule 5094 state related 'enable'

set firewall name outside_out rule 1185 action 'accept'
set firewall name outside_out rule 1185 description 'vpn.rsu.edu.ru L2TP Server  permit access to AH'
set firewall name outside_out rule 1185 protocol 'ah'
set firewall name outside_out rule 1185 source address '198.51.100.100/32'

set firewall name outside_out rule 1188 action 'accept'
set firewall name outside_out rule 1188 description 'vpn.rsu.edu.ru L2TP Server  permit access to ISAKMP'
set firewall name outside_out rule 1188 protocol 'udp'
set firewall name outside_out rule 1188 destination port '500,4500'
set firewall name outside_out rule 1188 source address '198.51.100.100/32'

Administration

Command-line basics

Disabling a firewall rule:

set firewall name RULENAME rule RULENUMBER disable

Viewing a specific rule:

show configuration commands | match 5070

Finding every occurrence of an IP address:

show configuration commands | match 91.203.181.130
show configuration commands | match 91.203.181.128

Saving the configuration file to a separate location:

save ~/111015.cfg
Saving configuration to '/home/user/111015.cfg'
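The `show configuration commands | match` one-liners above are usually run to answer a few recurring questions; as an added example (an editor's script, not Vyatta code) here is a small audit that reads that output and answers them in one pass: accept rules on administrative ports (22/ssh and 3389 are assumed) that are not limited by a source address or group, chains whose default action is drop but that never log, rules left in `disable` state, and whether the factory vyatta account from the installation section still exists. The sample input is constructed from rules on this page plus one deliberately bad rule; on a router you would feed it the real output, for example `show configuration commands > /tmp/cfg.txt`.

```python
import re
import shlex
from collections import defaultdict

# Assumption: destination ports we treat as administrative.
ADMIN_PORTS = {"22", "ssh", "3389"}

RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+)(?: (.*))?$")
CHAIN_RE = re.compile(r"^set firewall name (\S+) (default-action|enable-default-log)(?: (\S+))?$")
USER_RE = re.compile(r"^set system login user (\S+)")


def parse_commands(text):
    """Turn `show configuration commands` output into chains/rules and the set of login users."""
    chains = defaultdict(lambda: {"default_action": None, "default_log": False,
                                  "rules": defaultdict(dict)})
    users = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            chain, num, rest = m.group(1), int(m.group(2)), m.group(3) or ""
            try:
                toks = shlex.split(rest)        # strips the quotes Vyatta prints around values
            except ValueError:
                toks = rest.split()
            rule = chains[chain]["rules"][num]
            if toks == ["disable"]:
                rule["disable"] = True
            elif len(toks) >= 2:
                rule[" ".join(toks[:-1])] = toks[-1]   # e.g. "destination port" -> "ssh"
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain, what, val = m.groups()
            if what == "default-action":
                chains[chain]["default_action"] = val.strip("'\"")
            else:
                chains[chain]["default_log"] = True
            continue
        m = USER_RE.match(line)
        if m:
            users.add(m.group(1))
    return chains, users


def audit(text):
    """Return (finding, chain_or_user, rule_number_or_None) tuples."""
    chains, users = parse_commands(text)
    findings = []
    for chain, c in sorted(chains.items()):
        if c["default_action"] == "drop" and not c["default_log"]:
            findings.append(("no-default-log", chain, None))    # drops happen silently
        for num, r in sorted(c["rules"].items()):
            if r.get("disable"):
                findings.append(("disabled-rule", chain, num))  # dead rule, easy to forget
                continue
            if r.get("action") != "accept":
                continue
            ports = set(r.get("destination port", "").split(","))
            if not ports & ADMIN_PORTS:
                continue
            restricted = any(k.startswith(("source address", "source group")) for k in r)
            if not restricted:
                findings.append(("unrestricted-admin-port", chain, num))
    if "vyatta" in users:
        findings.append(("default-account", "vyatta", None))     # factory account still present
    return findings


# Constructed sample of `show configuration commands` output (not a real router dump).
SAMPLE = """\
set firewall name outside_in default-action 'drop'
set firewall name outside_in rule 115 action 'drop'
set firewall name outside_in rule 115 destination port 'ssh'
set firewall name outside_in rule 115 protocol 'tcp'
set firewall name outside_in rule 115 recent count '4'
set firewall name outside_in rule 115 recent time '60'
set firewall name outside_in rule 115 state new 'enable'
set firewall name outside_in rule 120 action 'accept'
set firewall name outside_in rule 120 description 'permit ssh for all RealIP'
set firewall name outside_in rule 120 destination port 'ssh'
set firewall name outside_in rule 120 protocol 'tcp'
set firewall name outside_in rule 5061 action 'accept'
set firewall name outside_in rule 5061 destination address '192.0.2.136/32'
set firewall name outside_in rule 5061 destination port '3389'
set firewall name outside_in rule 5061 protocol 'tcp'
set firewall name outside_in rule 5061 source group address-group 'remote-admins'
set firewall name outside_in rule 5062 action 'accept'
set firewall name outside_in rule 5062 destination port '3389'
set firewall name outside_in rule 5062 protocol 'tcp'
set firewall name outside_in rule 5062 disable
set firewall name self_in default-action 'drop'
set firewall name self_in enable-default-log
set system login user vyatta authentication encrypted-password '$1$xxxxxxxx$xxxxxxxxxxxxxxxxxxxxxx'
set system login user crazy level 'admin'
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Rule 120 is flagged because it accepts SSH from anywhere; on this page that is deliberate (rule 115 rate-limits it first), so the audit is a prompt for review rather than a verdict, but rule 5061 passes because its source is pinned to the remote-admins group.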

BGP

Viewing BGP statistics:

show ip bgp summary

Checking what we advertise to the neighbours:

show ip bgp neighbors 192.0.2.190  advertised-routes
show ip bgp neighbors 203.0.113.99 advertised-routes

Shutting down one of the neighbours [7] (asn and id stand for the local AS number and the neighbour address):

set protocols bgp asn neighbor id shutdown

Re-enabling it:

delete protocols bgp asn neighbor id shutdown

These lines add a host to BGP (the route-map tags the prefix with the export community, see RmExportComm in Appendix A):

set protocols bgp 47124 network 91.203.180.252/32 route-map 'RmExportComm'
set protocols static route 91.203.180.252/32 next-hop '91.203.180.254'
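Why that `route-map 'RmExportComm'` matters, as an added simulation (an editor's model, not Quagga or Vyatta code) of the policy fragments in Appendix A: RmExportComm tags locally originated prefixes with 64512:0 and 64512:8; NlinkOut then advertises only routes carrying a community from community-list 1 (64512:0 or 64512:1101) and strips those communities before sending. A prefix learned from the Nlink peer is tagged 64512:16 by NlinkIn instead, so it never matches the export list and cannot be re-advertised, which is the route-leak guard a border router needs. The simulator implements only `match community`, `set community ... additive`, `set comm-list ... delete` and `on-match next`; the learned prefix is constructed.

```python
import re

# Community lists from Appendix A (Quagga-style regex entries).
COMMUNITY_LISTS = {1: ["64512:0", "64512:1101"], 2: ["64512:1102"]}

# Route-maps from Appendix A reduced to the clauses the simulator understands.
ROUTE_MAPS = {
    "RmExportComm": [                                   # applied by `network ... route-map RmExportComm`
        {"action": "permit", "set": [("community", "64512:0")], "next": True},   # rule 5, on-match next
        {"action": "permit", "set": [("community", "64512:8")]},                 # rule 10
    ],
    "NlinkIn": [                                        # import from the Nlink peer
        {"action": "permit", "set": [("community", "64512:16")], "next": True},  # rule 100
        {"action": "permit"},                                                    # rule 1000, permit all
    ],
    "NlinkOut": [                                       # export towards the Nlink peer
        {"action": "permit", "match": ("community", 1),
         "set": [("comm-list-delete", 1)]},                                      # rule 1000
    ],
}


def community_matches(clist, communities):
    """Quagga runs each list regex against the route's community string."""
    joined = " ".join(sorted(communities))
    return any(re.search(pat, joined) for pat in COMMUNITY_LISTS[clist])


def apply_route_map(name, route):
    """Evaluate a route-map; returns (permitted, possibly modified route). Implicit deny at the end."""
    route = {"prefix": route["prefix"], "communities": set(route["communities"])}
    for clause in ROUTE_MAPS[name]:
        match = clause.get("match")
        if match and not community_matches(match[1], route["communities"]):
            continue                                    # clause does not match, try the next one
        if clause["action"] == "deny":
            return False, route
        for what, arg in clause.get("set", []):
            if what == "community":                     # 'additive': keep existing communities
                route["communities"].add(arg)
            elif what == "comm-list-delete":            # strip every community the list matches
                route["communities"] = {c for c in route["communities"]
                                        if not community_matches(arg, {c})}
        if clause.get("next"):
            continue                                    # on-match next: keep evaluating
        return True, route
    return False, route


def export_to_nlink(routes):
    """Run the export policy over a table; routes it does not permit are simply not advertised."""
    advertised = []
    for r in routes:
        ok, out = apply_route_map("NlinkOut", r)
        if ok:
            advertised.append(out)
    return advertised


# Constructed table: the /32 from the `network` statement above and a prefix learned from the Nlink peer.
LOCAL = apply_route_map("RmExportComm", {"prefix": "91.203.180.252/32", "communities": set()})[1]
LEARNED = apply_route_map("NlinkIn", {"prefix": "198.51.100.0/24", "communities": set()})[1]

if __name__ == "__main__":
    for r in export_to_nlink([LOCAL, LEARNED]):
        print("advertise", r["prefix"], "communities", sorted(r["communities"]))
```

The same check on the router is `show ip bgp neighbors <address> advertised-routes` (above) compared with `show ip bgp community 64512:16`, which should never overlap for an upstream peer.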

Example configuration with address groups in rules

firewall {
     group {
         address-group proxy-a {
             address 10.125.3.2
         }
         network-group proxy-n {
             network 213.226.63.0/24
             network 10.0.0.0/8
             network 93.155.130.0/23
             network 93.155.162.0/24
             network 93.155.169.0/24
         }
     }
     name eth0.523.local {
         default-action accept
         rule 1 {
             action accept
             destination {
                 port 8080
             }
             protocol tcp
             source {
                 group {
                     address-group proxy-a
                 }
             }
         }
         rule 2 {
             action accept
             destination {
                 port 8080
             }
             protocol tcp
             source {
                 group {
                     network-group proxy-n
                 }
             }
         }
         rule 3 {
             action drop
             destination {
                 port 8080
             }
             protocol tcp
         }
     }
 }

Troubleshooting

Instead of tcpdump, Vyatta ships tshark, the console version of Wireshark. Example of viewing DHCP packets with a filter[8] (on tshark 1.10 and later use -Y for a display filter, since -R now requires -2; in Wireshark 3.0 and later the protocol filter is named dhcp rather than bootp):

sudo tshark -i eth0 -R bootp -V

If you get an error like

tshark: The file "/tmp/wiresharkXXXXYyPmsg" could not be opened: Uncompression error: buffer error.

delete tshark's temporary files:

sudo rm -f /tmp/wireshark*

Finding the running process:

ps -ef | grep dhcrelay | grep -v grep

Finding the relevant firewall chains:

show configuration commands | match "set firewall name" | match "default-action"

Enabling logging of packets handled by the default action:

set firewall name local_in_vif2 enable-default-log
set firewall name local_in_vif3 enable-default-log
set firewall name local_in_vif128 enable-default-log
set firewall name local_out_lan enable-default-log
set firewall name self_in enable-default-log
set firewall name vyatta_self_lan enable-default-log
set firewall name vyatta_self_wifi enable-default-log

Watching what we are interested in:

tail -f /var/log/messages| grep PROTO=UDP

Looking Glass

Install Looking Glass on a server and connect it to the border router:

Instructions:

On vyatta-border:

set system login user lg authentication plaintext-password 
set system login user lg full-name 'Looking Glass Account'
set system login user lg level 'operator'
set system login user lg authentication public-keys ...
set system login user lg authentication public-keys wwwrun@noc.example.com key "keyphrase"
set system login user lg authentication public-keys wwwrun@noc.example.com key type ssh-dss

On the Linux server:

cpan
install CGI::Carp
install CGI::Application

Check that public-key authentication works (-o StrictHostKeyChecking=no is acceptable for this first test but makes the web server accept any host key, so for the production script pin the router's key in a dedicated known_hosts file instead, e.g. -o UserKnownHostsFile=/srv/www/known_hosts with StrictHostKeyChecking=yes; note also that OpenSSH 7.0 and later disable ssh-dss keys by default, so a newer Looking Glass host needs an ssh-rsa key for the lg account):

ssh -o strictHostKeyChecking=no -l lg -i /srv/www/vyatta_id_dsa br-router.example.com

Appendices

A: Configuration files

br.example.com

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name self_in {
        default-action drop
        rule 110 {
            action accept
            description "permit icmp"
            protocol icmp
        }
        rule 115 {
            action drop
            description "Limit SSH against BruteForce"
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
        rule 120 {
            action accept
            description "Permit SSH"
            destination {
                port 22
            }
            protocol tcp
        }
        rule 210 {
            action accept
            description "Permit BGP"
            destination {
                port 179
            }
            protocol tcp
        }
        rule 220 {
            action accept
            description "Permit NTP"
            destination {
                port 123
            }
            protocol udp
        }
        rule 230 {
            action accept
            description "Permit SNMP"
            destination {
                port 161
            }
            protocol udp
        }
        rule 900 {
            action accept
            description "Permit TCP-established for back traffic"
            protocol tcp
            state {
                established enable
                invalid disable
                related enable
            }
        }
        rule 991 {
            action drop
            description "Logging drop TCP"
            disable
            log enable
            protocol tcp
        }
        rule 992 {
            action drop
            description "Logging drop UDP"
            disable
            protocol udp
        }
        rule 993 {
            action drop
            description "Logging drop ICMP"
            disable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        duplex auto
        smp_affinity auto
        speed auto
        vif 7 {
            address 91.203.180.43/27
            description "Interconnect with GW.EXAMPLE.COM"
        }
    }
    ethernet eth1 {
        duplex auto
        smp_affinity auto
        speed auto
        vif 153 {
            address 31.44.55.6/30
            description "-- To Westcall BGP Router"
            firewall {
                local {
                    name self_in
                }
            }
        }
        vif 154 {
            address 94.231.116.118/30
            description "-- To Nlink BGP Router"
            firewall {
                local {
                    name self_in
                }
            }
        }
    }
    loopback lo {
        address 91.203.181.1/32
        description "org-vyatta-br-1 loopback"
    }
}
policy {
    community-list 1 {
        rule 5 {
            action permit
            description "Match export-community"
            regex 64512:0
        }
        rule 10 {
            action permit
            description "Match ADV-UPSTREAM-NLINK"
            regex 64512:1101
        }
    }
    community-list 2 {
        rule 5 {
            action permit
            description "Match ADV-UPSTREAM-WCALL"
            regex 64512:1102
        }
    }
    prefix-list NlinkIn {
        description "Nlink IN. Permit only le 20"
        rule 40 {
            action permit
            prefix 0.0.0.0/0
        }
        rule 50 {
            action deny
            ge 20
            prefix 0.0.0.0/0
        }
        rule 100 {
            action permit
            le 20
            prefix 0.0.0.0/0
        }
    }
    prefix-list pl-default {
        rule 10 {
            action permit
            description "Permit only 0/0"
            prefix 0.0.0.0/0
        }
    }
    prefix-list pl-red-nlink {
        rule 10 {
            action permit
            description "Routes adv to NLINK via redistr"
            le 25
            prefix 91.203.180.0/22
        }
    }
    prefix-list pl-red-ospf {
        rule 30 {
            action permit
            description "-- loopbacks"
            le 32
            prefix 91.203.181.0/27
        }
    }
    prefix-list pl-red-wcall {
        rule 10 {
            action permit
            description "Routes adv to WCall via redistr"
            prefix 91.203.180.0/22
        }
    }
    prefix-list pl-wcall-in {
        rule 10 {
            action deny
            description "Permit le NN except 0/0"
            prefix 0.0.0.0/0
        }
        rule 100 {
            action permit
            le 16
            prefix 0.0.0.0/0
        }
    }
    route-map NlinkIn {
        rule 100 {
            action permit
            description "Set Nlink-in-community"
            on-match {
                next
            }
            set {
                community "64512:16 additive"
            }
        }
        rule 1000 {
            action permit
            description "Permit all"
        }
    }
    route-map NlinkOut {
        rule 1000 {
            action permit
            description "Permit only export community"
            match {
                community {
                    community-list 1
                }
            }
            set {
                comm-list {
                    comm-list 1
                    delete
                }
            }
        }
    }
    route-map RmExportComm {
        rule 5 {
            action permit
            description "Set export-community"
            on-match {
                next
            }
            set {
                community "64512:0 additive"
            }
        }
        rule 10 {
            action permit
            description "Set place-of-redistr-community"
            set {
                community "64512:8 additive"
            }
        }
    }
    route-map rm-red-ospf {
        rule 100 {
            action permit
            description "redistribute to ospf rm"
            match {
                ip {
                    address {
                        prefix-list pl-red-ospf
                    }
                }
            }
        }
        rule 9999 {
            action deny
        }
    }
    route-map rm-redistr-tbgp {
        rule 10 {
            action permit
            description "Set ADV-UPSTREAM-ANY"
            on-match {
                next
            }
            set {
                community "64512:1199 additive"
            }
        }
        rule 20 {
            action permit
            description "Add NLINK out for NLINK"
            match {
                ip {
                    address {
                        prefix-list pl-red-nlink
                    }
                }
            }
            on-match {
                next
            }
            set {
                community "64512:1101 additive"
            }
        }
        rule 30 {
            action permit
            description "Add out for WestCall"
            match {
                ip {
                    address {
                        prefix-list pl-red-wcall
                    }
                }
            }
            on-match {
                next
            }
            set {
                community "64512:1102 additive"
            }
        }
        rule 100 {
            action permit
            description "ADD POO"
            set {
                community "64512:8 additive"
            }
        }
    }
    route-map rm-wcomm-in {
        rule 800 {
            action permit
            match {
                ip {
                    address {
                        prefix-list pl-default
                    }
                }
            }
            set {
                community "64512:17 additive"
                local-preference 50
            }
        }
        rule 900 {
            action permit
            description "Set WCall in-community"
            match {
                ip {
                    address {
                        prefix-list pl-wcall-in
                    }
                }
            }
            set {
                community "64512:17 additive"
            }
        }
    }
    route-map rm-wcomm-out {
        rule 900 {
            action permit
            description "Permit ADV-UPSTREAM-WCALL"
            match {
                community {
                    community-list 2
                }
            }
        }
    }
}
protocols {
    bgp 64512 {
        neighbor 31.44.55.5 {
            nexthop-self
            prefix-list {
            }
            remote-as 47659
            route-map {
                export rm-wcomm-out
                import rm-wcomm-in
            }
            soft-reconfiguration {
                inbound
            }
        }
        neighbor 94.231.116.117 {
            nexthop-self
            prefix-list {
                import NlinkIn
            }
            remote-as 41854
            route-map {
                export NlinkOut
                import NlinkIn
            }
        }
        network 91.203.180.0/22 {
            route-map rm-redistr-tbgp
        }
        network 91.203.180.0/24 {
            route-map rm-redistr-tbgp
        }
        network 91.203.180.128/25 {
        }
        network 91.203.181.0/24 {
            route-map rm-redistr-tbgp
        }
        parameters {
            router-id 94.231.116.118
        }
    }
    ospf {
        area 0 {
            network 91.203.180.32/27
        }
        default-information {
            originate {
                always
                metric 200
                metric-type 2
            }
        }
        passive-interface default
        passive-interface-exclude eth0.7
        redistribute {
            connected {
                metric-type 2
                route-map rm-red-ospf
            }
            static {
                metric-type 2
                route-map rm-red-ospf
            }
        }
    }
    static {
        route 0.0.0.0/0 {
            next-hop 94.231.116.117 {
                distance 250
            }
        }
        route 91.203.180.0/22 {
            blackhole {
            }
        }
        route 91.203.180.0/24 {
            blackhole {
            }
        }
        route 91.203.181.0/24 {
            blackhole {
            }
        }
    }
}
service {
    snmp {
        community public {
            authorization ro
            client 172.16.0.230
        }
        contact noc@example.com
        location RF
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name org-vyatta-br-1
    login {
        user admin1 {
            authentication {
                encrypted-password ZZZZZ
            }
            full-name "Admin Account"
            level admin
        }
        user operator1 {
            authentication {
                encrypted-password ZZZZZ
            }
            full-name "Operator Account"
            level operator
        }
    }
    name-server 208.67.220.220
    name-server 8.8.8.8
    ntp {
        server 0.vyatta.pool.ntp.org {
        }
        server 1.vyatta.pool.ntp.org {
        }
        server 2.vyatta.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}
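Both configuration dumps on this page are plain Vyatta brace syntax (the output of `show configuration`), so they can be checked mechanically before a commit. The script below is an added example, not part of the page and not Vyatta's own tooling: it parses that syntax into a tree and runs two of the checks a reviewer would otherwise do by eye on the dump above, namely that every `route-map` or `prefix-list` a BGP neighbour names for `import`/`export` actually exists under `policy` (above, neighbour 94.231.116.117 names `NlinkIn` both as a route-map and as a prefix-list, so both objects must be defined), that no neighbour is left with an unfiltered direction, and that no SNMP community is a well-known default or is configured without a `client`/`network` restriction. The embedded sample config is constructed in the shape of the dump above (it deliberately omits an export route-map and adds a second community called `monitoring-ro`); the function and class names are the example's own.

```python
import shlex
from dataclasses import dataclass, field


@dataclass
class Node:
    """One config block: named sub-blocks plus leaf statements (values kept as lists)."""
    children: dict = field(default_factory=dict)  # "route-map NlinkIn" -> Node
    leaves: dict = field(default_factory=dict)    # "remote-as" -> ["41854"]


def parse_config(text):
    """Parse Vyatta brace syntax ('key [value] {' ... '}') into a Node tree."""
    root = Node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif line.endswith("{"):
            child = Node()
            stack[-1].children[" ".join(shlex.split(line[:-1]))] = child
            stack.append(child)
        else:  # leaf; shlex keeps quoted values such as description "Permit all" whole
            words = shlex.split(line)
            stack[-1].leaves.setdefault(words[0], []).append(" ".join(words[1:]))
    if len(stack) != 1:
        raise ValueError("unclosed block at end of input")
    return root


def named(node, kind):
    """Yield (name, child) for sub-blocks written as '<kind> <name> {'."""
    for header, child in node.children.items():
        if header.startswith(kind + " "):
            yield header.split(" ", 1)[1], child


def check_bgp_policy(root):
    """Neighbours whose import/export policy names nothing, or is missing altogether."""
    policy = root.children.get("policy", Node())
    defined = {k: {n for n, _ in named(policy, k)} for k in ("route-map", "prefix-list")}
    problems = []
    for asn, bgp in named(root.children.get("protocols", Node()), "bgp"):
        for peer, nb in named(bgp, "neighbor"):
            for direction in ("import", "export"):
                refs = [(k, n) for k in defined
                        for n in nb.children.get(k, Node()).leaves.get(direction, [])]
                for kind, name in refs:
                    if name not in defined[kind]:
                        problems.append(f"bgp {asn} neighbor {peer}: {kind} {direction} "
                                        f"{name} is not defined under policy")
                if not refs:  # unfiltered session: accepts/announces whatever the peer allows
                    problems.append(f"bgp {asn} neighbor {peer}: no {direction} policy")
    return problems


def check_snmp(root):
    """Default community strings and communities with no client/network restriction."""
    snmp = root.children.get("service", Node()).children.get("snmp", Node())
    problems = []
    for name, comm in named(snmp, "community"):
        if name.lower() in ("public", "private"):
            problems.append(f"snmp community '{name}' is a well-known default")
        if not (comm.leaves.get("client") or comm.leaves.get("network")):
            problems.append(f"snmp community '{name}' is not restricted to any client/network")
    return problems


def audit(text):
    root = parse_config(text)
    return check_bgp_policy(root) + check_snmp(root)


# Constructed sample in the shape of the page's dump (not a real device config).
SAMPLE_CONFIG = """\
policy {
    route-map NlinkIn {
        rule 1000 {
            action permit
            description "Permit all"
        }
    }
}
protocols {
    bgp 64512 {
        neighbor 94.231.116.117 {
            nexthop-self
            prefix-list {
                import NlinkIn
            }
            remote-as 41854
            route-map {
                import NlinkIn
            }
        }
        neighbor 31.44.55.5 {
            prefix-list {
            }
            remote-as 47659
        }
    }
}
service {
    snmp {
        community public {
            authorization ro
            client 172.16.0.230
        }
        community monitoring-ro {
            authorization ro
        }
    }
}
"""
```

Run `audit()` over a saved `show configuration` dump; each finding names the neighbour or community it applies to. The parser keeps every leaf value as a list, so repeated statements such as several `name-server` or `community` lines are not silently collapsed.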

gw.example.com

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group rsu-lan-dns {
            address 172.16.0.2
            address 172.16.0.3
            description "University DNS Servers (LAN)"
        }
        network-group rsu-lan-nets {
            description "University LANs"
            network 172.16.0.0/16
            network 172.20.0.0/16
        }
        network-group rzn-nets {
            description "IP-subnets of Ryazan Region"
            network 172.16.0.0/12
            network 91.203.180.0/22
            network 212.26.227.56/29
            network 212.26.224.0/19
            network 95.106.0.0/17
            network 193.34.8.0/22
            network 78.31.72.0/21
            network 109.195.160.0/20
            network 188.187.228.0/24
            network 176.241.224.0/21
            network 89.106.192.0/21
            network 80.72.112.0/20
            network 86.110.160.0/19
            network 93.189.8.0/22
            network 95.83.128.0/18
            network 178.255.120.0/21
            network 176.104.192.0/19
            network 91.219.188.0/22
            network 31.44.48.0/20
            network 92.39.136.0/21
            network 109.69.72.0/22
            network 176.212.160.0/21
            network 88.86.64.0/23
            network 176.96.224.0/19
            network 176.212.180.0/22
            network 94.231.112.0/20
            network 91.203.64.0/22
        }
        port-group cgp-tcp-ports-in {
            description "TCP ports for CommunigatePro inbound connections"
            port 25
            port 80
            port 119
            port 443
            port 465
            port 587
            port 993
            port 995
            port 3478
            port 3479
            port 5060
            port 5061
            port 5222
            port 5223
            port 5269
            port 11024
            port 11025
            port 60000-60999
        }
        port-group cgp-udp-ports-in {
            description "UDP ports for CommunigatePro inbound connections"
            port 3478
            port 3479
            port 5060
            port 5061
            port 5222
            port 5223
            port 5269
            port 60000-60999
        }
        port-group ftp-ports {
            description "FTP ports (for vsftpd in SLES 10/11)"
            port 20
            port 21
            port 30000-30100
        }
        port-group voip-ports {
            description "VoIP ports for SIP protocol"
            port 5060
            port 5061
            port 10000-20000
            port 60000-60999
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify fw_marker_local_in {
        default-action accept
        rule 110 {
            action modify
            description "telnet access to DMZ"
            modify {
                dscp 29
            }
            protocol tcp
            source {
                address 91.203.180.128/25
                port 23
            }
        }
        rule 112 {
            action accept
            protocol tcp
            source {
                address 91.203.180.128/25
                port 23
            }
        }
        rule 113 {
            action modify
            description "ssh access to infrastructure"
            modify {
                dscp 29
            }
            protocol tcp
            source {
                address 91.203.180.128/25
                port 22
            }
        }
        rule 114 {
            action modify
            modify {
                mark 100
            }
            protocol tcp
            source {
                address 91.203.180.128/25
                port 22
            }
        }
        rule 115 {
            action accept
            protocol tcp
            source {
                address 91.203.180.128/25
                port 22
            }
        }
        rule 120 {
            action modify
            description "Icmp access to DMZ"
            modify {
                dscp 27
            }
            protocol icmp
            source {
                address 91.203.180.128/25
            }
        }
        rule 121 {
            action modify
            description "Icmp access to DMZ"
            modify {
                mark 100
            }
            protocol icmp
            source {
                address 91.203.180.128/25
            }
        }
        rule 122 {
            action accept
            description "Icmp access to DMZ"
            protocol icmp
            source {
                address 91.203.180.128/25
            }
        }
        rule 134 {
            action accept
            protocol tcp_udp
            source {
                address 91.203.180.128/25
                port 53
            }
        }
        rule 135 {
            action accept
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 210 {
            action modify
            description "HTTP MID-1"
            destination {
                port 80
            }
            modify {
                dscp 17
            }
            protocol tcp
        }
        rule 211 {
            action modify
            destination {
                port 80
            }
            modify {
                mark 200
            }
            protocol tcp
        }
        rule 212 {
            action accept
            destination {
                port 80
            }
            protocol tcp
        }
        rule 220 {
            action modify
            description "HTTPS MID-1"
            destination {
                port 443
            }
            modify {
                dscp 17
            }
            protocol tcp
        }
        rule 221 {
            action modify
            destination {
                port 443
            }
            modify {
                mark 200
            }
            protocol tcp
        }
        rule 222 {
            action accept
            destination {
                port 443
            }
            protocol tcp
        }
        rule 230 {
            action modify
            description ICMP
            modify {
                dscp 19
            }
            protocol icmp
        }
        rule 231 {
            action modify
            modify {
                mark 200
            }
            protocol icmp
        }
        rule 232 {
            action accept
            protocol icmp
        }
        rule 240 {
            action modify
            description ICQ
            destination {
                port 5190
            }
            modify {
                dscp 21
            }
            protocol tcp
        }
        rule 241 {
            action modify
            destination {
                port 5190
            }
            modify {
                mark 200
            }
            protocol tcp
        }
        rule 242 {
            action accept
            destination {
                port 5190
            }
            protocol tcp
        }
        rule 250 {
            action modify
            description "User specific WoW port"
            destination {
                port 1119
            }
            modify {
                dscp 23
            }
            protocol tcp
        }
        rule 251 {
            action modify
            destination {
                port 3724
            }
            modify {
                dscp 23
            }
            protocol tcp
        }
        rule 252 {
            action modify
            destination {
                port 4000
            }
            modify {
                dscp 23
            }
            protocol tcp
        }
        rule 253 {
            action modify
            destination {
                port 6112
            }
            modify {
                dscp 23
            }
            protocol tcp
        }
        rule 254 {
            action modify
            destination {
                port 6113
            }
            modify {
                dscp 23
            }
            protocol tcp
        }
        rule 255 {
            action modify
            destination {
                port 6114
            }
            modify {
                dscp 23
            }
            protocol tcp
        }
        rule 256 {
            action modify
            destination {
                port 3724
            }
            modify {
                dscp 23
            }
            protocol udp
        }
        rule 260 {
            action modify
            destination {
                port 1119
            }
            modify {
                mark 150
            }
            protocol tcp
        }
        rule 261 {
            action modify
            destination {
                port 3724
            }
            modify {
                mark 150
            }
            protocol tcp
        }
        rule 262 {
            action modify
            destination {
                port 4000
            }
            modify {
                mark 150
            }
            protocol tcp
        }
        rule 263 {
            action modify
            destination {
                port 6112
            }
            modify {
                mark 150
            }
            protocol tcp
        }
        rule 264 {
            action modify
            destination {
                port 6113
            }
            modify {
                mark 150
            }
            protocol tcp
        }
        rule 265 {
            action modify
            destination {
                port 6114
            }
            modify {
                mark 150
            }
            protocol tcp
        }
        rule 266 {
            action modify
            destination {
                port 3724
            }
            modify {
                mark 150
            }
            protocol udp
        }
        rule 270 {
            action accept
            destination {
                port 1119
            }
            protocol tcp
        }
        rule 271 {
            action accept
            destination {
                port 3724
            }
            protocol tcp
        }
        rule 272 {
            action accept
            destination {
                port 4000
            }
            protocol tcp
        }
        rule 273 {
            action accept
            destination {
                port 6112
            }
            protocol tcp
        }
        rule 274 {
            action accept
            destination {
                port 6113
            }
            protocol tcp
        }
        rule 275 {
            action accept
            destination {
                port 6114
            }
            protocol tcp
        }
        rule 276 {
            action accept
            destination {
                port 3724
            }
            protocol udp
        }
        rule 910 {
            action modify
            description P2P
            modify {
                dscp 0
            }
            p2p {
                bittorrent
            }
        }
        rule 911 {
            action modify
            modify {
                mark 900
            }
            p2p {
                all
            }
            protocol tcp_udp
        }
        rule 912 {
            action accept
            p2p {
                all
            }
            protocol tcp_udp
        }
        rule 990 {
            action modify
            description "All other"
            modify {
                dscp 0
            }
            protocol all
        }
        rule 991 {
            action modify
            modify {
                mark 900
            }
            protocol all
        }
        rule 992 {
            action accept
            protocol all
        }
    }
    modify fw_marker_wan_in {
        default-action accept
        rule 110 {
            action modify
            description "telnet access to DMZ"
            destination {
                address 91.203.180.128/25
                port 23
            }
            modify {
                dscp 29
            }
            protocol tcp
        }
        rule 112 {
            action accept
            destination {
                address 91.203.180.128/25
                port 23
            }
            protocol tcp
        }
        rule 113 {
            action modify
            description "ssh access to infrastructure"
            destination {
                address 91.203.180.128/25
                port 22
            }
            modify {
                dscp 29
            }
            protocol tcp
        }
        rule 114 {
            action modify
            destination {
                address 91.203.180.128/25
                port 22
            }
            modify {
                mark 100
            }
            protocol tcp
        }
        rule 115 {
            action accept
            destination {
                address 91.203.180.128/25
                port 22
            }
            protocol tcp
        }
        rule 120 {
            action modify
            description "Icmp access to DMZ"
            destination {
                address 91.203.180.128/25
            }
            modify {
                dscp 27
            }
            protocol icmp
        }
        rule 121 {
            action modify
            description "Icmp access to DMZ"
            destination {
                address 91.203.180.128/25
            }
            modify {
                mark 100
            }
            protocol icmp
        }
        rule 122 {
            action accept
            description "Icmp access to DMZ"
            destination {
                address 91.203.180.128/25
            }
            protocol icmp
        }
        rule 210 {
            action modify
            description "HTTP MID-1"
            modify {
                dscp 17
            }
            protocol tcp
            source {
                port 80
            }
        }
        rule 211 {
            action modify
            modify {
                mark 200
            }
            protocol tcp
            source {
                port 80
            }
        }
        rule 212 {
            action accept
            protocol tcp
            source {
                port 80
            }
        }
        rule 220 {
            action modify
            description "HTTPS MID-1"
            modify {
                dscp 17
            }
            protocol tcp
            source {
                port 443
            }
        }
        rule 221 {
            action modify
            modify {
                mark 200
            }
            protocol tcp
            source {
                port 443
            }
        }
        rule 222 {
            action accept
            protocol tcp
            source {
                port 443
            }
        }
        rule 230 {
            action modify
            description ICMP
            modify {
                dscp 19
            }
            protocol icmp
        }
        rule 231 {
            action modify
            modify {
                mark 200
            }
            protocol icmp
        }
        rule 232 {
            action accept
            protocol icmp
        }
        rule 240 {
            action modify
            description ICQ
            modify {
                dscp 21
            }
            protocol tcp
            source {
                port 5190
            }
        }
        rule 241 {
            action modify
            modify {
                mark 200
            }
            protocol tcp
            source {
                port 5190
            }
        }
        rule 242 {
            action accept
            protocol tcp
            source {
                port 5190
            }
        }
        rule 250 {
            action modify
            description "User specific WoW port"
            modify {
                dscp 23
            }
            protocol tcp
            source {
                port 1119
            }
        }
        rule 251 {
            action modify
            modify {
                dscp 23
            }
            protocol tcp
            source {
                port 3724
            }
        }
        rule 252 {
            action modify
            modify {
                dscp 23
            }
            protocol tcp
            source {
                port 4000
            }
        }
        rule 253 {
            action modify
            modify {
                dscp 23
            }
            protocol tcp
            source {
                port 6112
            }
        }
        rule 254 {
            action modify
            modify {
                dscp 23
            }
            protocol tcp
            source {
                port 6113
            }
        }
        rule 255 {
            action modify
            modify {
                dscp 23
            }
            protocol tcp
            source {
                port 6114
            }
        }
        rule 256 {
            action modify
            modify {
                dscp 23
            }
            protocol udp
            source {
                port 3724
            }
        }
        rule 260 {
            action modify
            modify {
                mark 150
            }
            protocol tcp
            source {
                port 1119
            }
        }
        rule 261 {
            action modify
            modify {
                mark 150
            }
            protocol tcp
            source {
                port 3724
            }
        }
        rule 262 {
            action modify
            modify {
                mark 150
            }
            protocol tcp
            source {
                port 4000
            }
        }
        rule 263 {
            action modify
            modify {
                mark 150
            }
            protocol tcp
            source {
                port 6112
            }
        }
        rule 264 {
            action modify
            modify {
                mark 150
            }
            protocol tcp
            source {
                port 6113
            }
        }
        rule 265 {
            action modify
            modify {
                mark 150
            }
            protocol tcp
            source {
                port 6114
            }
        }
        rule 266 {
            action modify
            modify {
                mark 150
            }
            protocol udp
            source {
                port 3724
            }
        }
        rule 270 {
            action accept
            protocol tcp
            source {
                port 1119
            }
        }
        rule 271 {
            action accept
            protocol tcp
            source {
                port 3724
            }
        }
        rule 272 {
            action accept
            protocol tcp
            source {
                port 4000
            }
        }
        rule 273 {
            action accept
            protocol tcp
            source {
                port 6112
            }
        }
        rule 274 {
            action accept
            protocol tcp
            source {
                port 6113
            }
        }
        rule 275 {
            action accept
            protocol tcp
            source {
                port 6114
            }
        }
        rule 276 {
            action accept
            protocol udp
            source {
                port 3724
            }
        }
        rule 910 {
            action modify
            description P2P
            modify {
                dscp 0
            }
            p2p {
                bittorrent
            }
        }
        rule 911 {
            action modify
            modify {
                mark 900
            }
            p2p {
                all
            }
            protocol tcp_udp
        }
        rule 912 {
            action accept
            p2p {
                all
            }
            protocol tcp_udp
        }
        rule 990 {
            action modify
            description "All other"
            modify {
                dscp 0
            }
            protocol all
        }
        rule 991 {
            action modify
            modify {
                mark 900
            }
            protocol all
        }
        rule 992 {
            action accept
            protocol all
        }
    }
    name local_in_vif2 {
        default-action drop
        rule 300 {
            action accept
            description "permit DHCP, DHCP-Relay traffic"
            destination {
                port 67,68
            }
            protocol udp
            source {
                port 67,68
            }
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 1000 {
            action accept
            description "**** Permit LAN ****"
            disable
        }
        rule 1010 {
            action accept
            source {
                group {
                    network-group rsu-lan-nets
                }
            }
            state {
                established enable
                new enable
                related enable
            }
        }
    }
    name local_in_vif3 {
        default-action drop
        rule 1000 {
            action accept
            description "**** Permit DMZ ****"
            disable
        }
        rule 1010 {
            action accept
            source {
                address 91.203.180.128/25
            }
            state {
                established enable
                new enable
                related enable
            }
        }
    }
    name local_in_vif4 {
        default-action drop
        rule 1000 {
            action accept
            description "**** Permit BUGH ****"
            disable
        }
        rule 1010 {
            action accept
            source {
                address 172.30.0.0/16
            }
            state {
                established enable
                new enable
                related enable
            }
        }
    }
    name local_in_vif128 {
        default-action drop
        rule 300 {
            action accept
            description "permit DHCP-Relay established for Wi-Fi (172.18/16)"
            destination {
                port 67,68
            }
            protocol udp
            source {
                port 67,68
            }
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 1000 {
            action accept
            description "**** Permit Wi-Fi ****"
            disable
        }
        rule 1010 {
            action accept
            source {
                address 172.18.0.0/16
            }
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 1020 {
            action drop
            description "Drop unwanted packets (smtp, smb) for Wi-Fi subnet (172.18/16)"
            destination {
                port 25,137,138,139,445
            }
            protocol tcp_udp
        }
    }
    name local_out_bugh {
        default-action drop
        description "**** BUGH OUT (vif4) ****"
        rule 100 {
            action accept
            description "permit icmp"
            protocol icmp
        }
        rule 200 {
            action accept
            description "permit TCP, UDP established for BUGH"
            destination {
                address 172.30.0.0/16
            }
            protocol tcp_udp
            state {
                established enable
                related enable
            }
        }
        rule 1000 {
            action accept
            description "******** Permit VoIP to BUGH ********"
            disable
        }
        rule 1010 {
            action accept
            description "permit VoIP access to BUGH from 172.16/16, 172.20/16 (rsu-lan-nets)"
            destination {
                address 172.30.0.0/16
                group {
                    port-group voip-ports
                }
            }
            protocol tcp_udp
            source {
                group {
                    network-group rsu-lan-nets
                }
            }
        }
        rule 8000 {
            action accept
            description "******** EXCEPTION LOCAL to LOCAL ********"
            disable
        }
    }
    name local_out_lan {
        default-action drop
        description "**** LAN OUT (vif2) ****"
        rule 100 {
            action accept
            description "permit icmp"
            protocol icmp
        }
        rule 200 {
            action accept
            description "permit TCP, UDP established for LAN (172.16/16, 172.20/16)"
            destination {
                group {
                    network-group rsu-lan-nets
                }
            }
            protocol tcp_udp
            state {
                established enable
                related enable
            }
        }
        rule 300 {
            action accept
            description "permit DHCP-Relay established for Wi-Fi (172.18/16)"
            destination {
                port 67,68
            }
            protocol udp
            source {
                port 67,68
            }
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 1000 {
            action accept
            description "******** Permit VoIP to LAN ********"
            disable
        }
        rule 1010 {
            action accept
            description "permit VoIP access to LAN from 172.30/16 (BUGH)"
            destination {
                group {
                    network-group rsu-lan-nets
                    port-group voip-ports
                }
            }
            protocol tcp_udp
        }
        rule 1050 {
            action accept
            description "permit access to 172.20.1/24 (SRV-subnet) from 172.30/16 (BUGH)"
            destination {
                address 172.20.1.0/24
            }
            source {
                address 172.30.0.0/16
            }
        }
        rule 7000 {
            action accept
            description "******** Permit DMZ to SRV ********"
            disable
        }
        rule 7200 {
            action accept
            description "permit http, https access from DMZ to SRV"
            destination {
                address 172.20.1.0/24
                port 80,443
            }
            protocol tcp
            source {
                address 91.203.180.128/25
            }
        }
        rule 8000 {
            action accept
            description "******** EXCEPTION LOCAL to LOCAL ********"
            disable
        }
        rule 8200 {
            action accept
            description "EXCEPTION L2L Wi-Fi access to LAN-PROXY (172.20.1.8)"
            destination {
                address 172.20.1.8/32
                port 80,443,3128,8080
            }
            protocol tcp
            source {
                address 172.18.0.0/16
            }
        }
        rule 8300 {
            action accept
            description "EXCEPTION L2L CommuniGate access to LAN"
            destination {
                group {
                    network-group rsu-lan-nets
                }
            }
            source {
                address 91.203.180.144/28
            }
        }
        rule 8350 {
            action accept
            description "EXCEPTION L2L access to LAN DNS-Servers"
            destination {
                group {
                    address-group rsu-lan-dns
                }
            }
            protocol tcp_udp
        }
        rule 8450 {
            action accept
            description "EXCEPTION L2L access from www.rsu.edu.ru (DMZ) to SRV-subnet SNMP services"
            destination {
                address 172.20.1.0/24
                port 161,162
            }
            protocol udp
            source {
                address 91.203.180.131/32
            }
        }
    }
    name outside_in {
        default-action drop
        rule 110 {
            action accept
            description "permit icmp"
            protocol icmp
        }
        rule 115 {
            action drop
            description "Limit SSH against BruteForce"
            destination {
                address 91.203.180.0/22
                port 22
            }
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
        rule 120 {
            action accept
            description "permit ssh for all RealIP"
            destination {
                address 91.203.180.0/22
                port 22
            }
            protocol tcp
            source {
                group {
                    network-group rzn-nets
                }
            }
        }
        rule 200 {
            action accept
            description "permit tcp established for Real_IP"
            destination {
                address 91.203.180.0/22
            }
            protocol tcp_udp
            state {
                established enable
                related enable
            }
        }
        rule 210 {
            action accept
            description "permit established and related connections for NAT"
            destination {
                address 172.16.0.0/12
            }
            protocol tcp_udp
            state {
                established enable
                related enable
            }
        }
        rule 5000 {
            action accept
            description "******************* External Access *********************"
            disable
        }
        rule 5002 {
            action accept
            description "INPUT From Outside. Permit ICMP"
            destination {
                address 91.203.180.128/25
            }
            protocol icmp
        }
        rule 5005 {
            action accept
            description "INPUT From Outside. Permit HTTP queries to Primary DNS Server"
            destination {
                address 91.203.180.129/32
                port 80
            }
            protocol tcp
        }
        rule 5007 {
            action accept
            description "INPUT From Outside. Permit DNS queries to Primary DNS Server (tcp, udp)"
            destination {
                address 91.203.180.129/32
                port 53
            }
            protocol tcp_udp
        }
        rule 5011 {
            action accept
            description "INPUT From Outside. Permit HTTP Access to WEB-Proxy"
            destination {
                address 91.203.180.130/32
                port 80
            }
            protocol tcp
        }
        rule 5020 {
            action accept
            description "INPUT From Outside. Permit HTTP, HTTPS access to WWW.RSU.EDU.RU"
            destination {
                address 91.203.180.131/32
                port 80,443
            }
            protocol tcp
        }
        rule 5022 {
            action accept
            description "INPUT From Outside. Permit FTP, access to WWW.RSU.EDU.RU from networks of Ryazan Region"
            destination {
                address 91.203.180.131/32
                group {
                    port-group ftp-ports
                }
            }
            protocol tcp
            source {
                group {
                    network-group rzn-nets
                }
            }
        }
        rule 5030 {
            action accept
            description "INPUT From Outside. Permit HTTP access to iis.rsu.edu.ru Second ISS Server"
            destination {
                address 91.203.180.132/32
                port 80
            }
            protocol tcp
        }
        rule 5040 {
            action accept
            description "INPUT From Outside. Permit access to om.rsu.edu.ru OpenMeetings server"
            destination {
                address 91.203.180.133/32
                port 80,443,1935,4445,5080,8088,8443
            }
            protocol tcp
        }
        rule 5041 {
            action accept
            description "INPUT From Outside. Permit access to om.rsu.edu.ru OpenMeetings server"
            destination {
                address 91.203.180.133/32
                port 1935
            }
            protocol udp
        }
        rule 5052 {
            action accept
            description "INPUT From Outside. Permit FTP, access to DEIMOS.RSU.EDU.RU from networks of Ryazan Region"
            destination {
                address 91.203.180.134/32
                group {
                    port-group ftp-ports
                }
            }
            protocol tcp
            source {
                group {
                    network-group rzn-nets
                }
            }
        }
        rule 5060 {
            action accept
            description "INPUT From Outside. Permit ssh, http, https, mysql access to CVS server IVT"
            destination {
                address 91.203.180.135/32
                port 22,80,443,3306
            }
            protocol tcp
        }
        rule 5065 {
            action accept
            description "INPUT From Outside. Permit HTTP, HTTPS access to PEOPLE.RSU.EDU.RU"
            destination {
                address 91.203.180.137/32
                port 80,443
            }
            protocol tcp
        }
        rule 5066 {
            action accept
            description "INPUT From Outside. Permit FTP, access to PEOPLE.RSU.EDU.RU from networks of Ryazan Region"
            destination {
                address 91.203.180.137/32
                group {
                    port-group ftp-ports
                }
            }
            protocol tcp
            source {
                group {
                    network-group rzn-nets
                }
            }
        }
        rule 5070 {
            action accept
            description "INPUT From Outside.Permit access to Communigates servers"
            destination {
                address 91.203.180.144/28
                group {
                    port-group cgp-tcp-ports-in
                }
            }
            protocol tcp
        }
        rule 5072 {
            action accept
            description "INPUT From Outside.Permit UDP access to Communigates servers"
            destination {
                address 91.203.180.144/28
                group {
                    port-group cgp-udp-ports-in
                }
            }
            protocol udp
        }
        rule 5080 {
            action accept
            description "INPUT From Outside. Permit TCP access to VPN Server"
            destination {
                address 91.203.180.212/32
                port 1723
            }
            protocol tcp
        }
        rule 5082 {
            action accept
            description "INPUT From Outside. Permit GRE access to VPN Server"
            destination {
                address 91.203.180.212/32
            }
            protocol gre
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 5090 {
            action accept
            description "INPUT From Outside. Permit L2TP access to VPN Server"
            destination {
                address 91.203.180.212/32
                port 500,1701,4500,5500
            }
            protocol udp
        }
        rule 5092 {
            action accept
            description "INPUT From Outside. Permit ESP access to VPN Server"
            destination {
                address 91.203.180.212/32
            }
            protocol esp
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 5094 {
            action accept
            description "INPUT From Outside. Permit AH access to VPN Server"
            destination {
                address 91.203.180.212/32
            }
            protocol ah
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 8000 {
            action accept
            description "******************* EXCEPTION  *********************"
            disable
        }
        rule 9000 {
            action accept
            description "permit icmp"
            log disable
            protocol icmp
        }
    }
    name outside_out {
        default-action drop
        rule 110 {
            action accept
            description "Permit ICMP"
            protocol icmp
        }
        rule 1000 {
            action accept
            description "******************* DMZ access to Internet *********************"
            disable
        }
        rule 1011 {
            action accept
            description "permit tcp established for DMZ"
            protocol tcp_udp
            source {
                address 91.203.180.128/25
            }
            state {
                established enable
                related enable
            }
        }
        rule 1102 {
            action accept
            description "Main DMZ Permition (ftp, http, https)"
            destination {
                port 21,22,80,443
            }
            protocol tcp
            source {
                address 91.203.180.128/25
            }
        }
        rule 1103 {
            action accept
            description "Main DMZ Permition (ntp, https)"
            destination {
                port 123,443
            }
            protocol udp
            source {
                address 91.203.180.128/25
            }
        }
        rule 1105 {
            action accept
            description "Primary DNS server permit access to port 53 (dns) and upper TCP, UDP ports"
            destination {
                port 53,1024-65535
            }
            protocol tcp_udp
            source {
                address 91.203.180.129/32
            }
        }
        rule 1110 {
            action accept
            description "******************* Web proxy access to Internet *********************"
            disable
        }
        rule 1112 {
            action accept
            description "Web Proxy permit access to http, upper tcp port"
            destination {
                port 81,82,88,1024-65535
            }
            protocol tcp
            source {
                address 91.203.180.130/32
            }
        }
        rule 1120 {
            action accept
            description "******************* web server access to Internet *********************"
            disable
        }
        rule 1121 {
            action accept
            description "web server permit access to tcp"
            destination {
                port 83,873,1024-65535
            }
            protocol tcp
            source {
                address 91.203.180.131/32
            }
        }
        rule 1130 {
            action accept
            description "******************* iis.rsu.edu.ru Second ISS Server access to Internet *********************"
            disable
        }
        rule 1131 {
            action accept
            description "iis.rsu.edu.ru permit access to tcp"
            destination {
                port 50000-50100
            }
            protocol tcp
            source {
                address 91.203.180.132/32
            }
        }
        rule 1150 {
            action accept
            description "******************* CVS server IVT  access to Internet *********************"
            disable
        }
        rule 1151 {
            action accept
            description "CVS server IVT  permit access to tcp"
            destination {
                port 1024-65535
            }
            protocol tcp
            source {
                address 91.203.180.135/32
            }
        }
        rule 1160 {
            action accept
            description "******************* Communigates servers access to Internet *********************"
            disable
        }
        rule 1161 {
            action accept
            description "Communigates servers permit access to tcp"
            destination {
                port 25,110,119,587,993,995,1024-65535
            }
            protocol tcp
            source {
                address 91.203.180.144/28
            }
        }
        rule 1162 {
            action accept
            description "Communigates servers permit access to udp"
            destination {
                port 1024-65535
            }
            protocol udp
            source {
                address 91.203.180.144/28
            }
        }
        rule 1180 {
            action accept
            description "******************* vpn.rsu.edu.ru Server  access to Internet *********************"
            disable
        }
        rule 1181 {
            action accept
            description "vpn.rsu.edu.ru PPTP Server  permit access to GRE"
            protocol gre
            source {
                address 91.203.180.212/32
            }
        }
        rule 1183 {
            action accept
            description "vpn.rsu.edu.ru L2TP Server  permit access to ESP"
            protocol esp
            source {
                address 91.203.180.212/32
            }
        }
        rule 1185 {
            action accept
            description "vpn.rsu.edu.ru L2TP Server  permit access to AH"
            protocol ah
            source {
                address 91.203.180.212/32
            }
        }
        rule 1188 {
            action accept
            description "vpn.rsu.edu.ru L2TP Server  permit access to ISAKMP"
            destination {
                port 500,4500
            }
            protocol udp
            source {
                address 91.203.180.212/32
            }
        }
        rule 2000 {
            action accept
            description "******************* NAT users access to Internet *********************"
            disable
        }
        rule 2100 {
            action accept
            description "******************* NAT Access for all users  *********************"
            disable
        }
        rule 2110 {
            action accept
            description "Permit NAT for all UNPRIV TCP, UDP (Experimental feature)"
            destination {
                port 1024-65535
            }
            protocol tcp_udp
            source {
                address 172.16.0.0/12
            }
        }
        rule 2130 {
            action accept
            description "Permit NAT for all to whois, https"
            destination {
                port 43,443
            }
            protocol tcp
            source {
                address 172.16.0.0/12
            }
        }
        rule 2200 {
            action accept
            description "******************* NAT for WiFi users access to Internet *********************"
            disable
        }
        rule 2210 {
            action accept
            description "WiFi users permit ssh, http, https, pop-ssl, smtp-ssl, imap to outside"
            destination {
                port 22,80,443,465,587,993
            }
            protocol tcp
            source {
                address 172.18.0.0/16
            }
        }
        rule 2220 {
            action accept
            description "WiFi users permit upper ports to outside"
            destination {
                port 1024-65535
            }
            protocol tcp_udp
            source {
                address 172.18.0.0/16
            }
        }
        rule 2900 {
            action accept
            description "******************* NAT EXCEPTION to Internet *********************"
            disable
        }
    }
    name vyatta_self_inet {
        default-action accept
        description "**** Vyatta Self (default accept, block SSH bruteforce) ****"
        rule 115 {
            action drop
            description "Limit SSH against BruteForce"
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
    }
    name vyatta_self_lan {
        default-action accept
        description "**** Vyatta Self (default accept, block SSH bruteforce) ****"
        rule 115 {
            action drop
            description "Limit SSH against BruteForce"
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
        rule 1000 {
            action accept
            description "******** Permit DHCP-Relay ********"
            disable
        }
        rule 1010 {
            action accept
            destination {
                port 67,68
            }
            protocol udp
            source {
                port 67,68
            }
            state {
                established enable
                new enable
                related enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.0.101/24
        description "LAN (via hp5304)"
        duplex auto
        smp_affinity auto
        speed auto
        traffic-policy {
            out tp_out_aggr
        }
        vif 2 {
            address 172.16.0.4/16
            description "Primary LAN"
            firewall {
                in {
                    modify fw_marker_local_in
                    name local_in_vif2
                }
                local {
                    name vyatta_self_lan
                }
                out {
                    name local_out_lan
                }
            }
        }
        vif 3 {
            address 91.203.180.254/25
            description "-- DMZ"
            firewall {
                in {
                    modify fw_marker_local_in
                    name local_in_vif3
                }
                local {
                    name vyatta_self_lan
                }
            }
        }
        vif 181 {
            address 172.18.1.1/24
            description "Public Wi-Fi DMZ subnet for B1"
            firewall {
                in {
                    modify fw_marker_local_in
                    name local_in_vif128
                }
                local {
                    name vyatta_self_lan
                }
            }
        }
        vif 182 {
            address 172.18.2.1/24
            description "Public Wi-Fi DMZ subnet for B2"
            firewall {
                in {
                    modify fw_marker_local_in
                    name local_in_vif128
                }
                local {
                    name vyatta_self_lan
                }
            }
        }
        vif 185 {
            address 172.18.5.1/24
            description "Public Wi-Fi DMZ subnet for B5"
            firewall {
                in {
                    modify fw_marker_local_in
                    name local_in_vif128
                }
                local {
                    name vyatta_self_lan
                }
            }
        }
        vif 186 {
            address 172.18.6.1/24
            description "Public Wi-Fi DMZ subnet for B6"
            firewall {
                in {
                    modify fw_marker_local_in
                    name local_in_vif128
                }
                local {
                    name vyatta_self_lan
                }
            }
        }
        vif 1811 {
            address 172.18.11.1/24
            description "Public Wi-Fi DMZ subnet for D2"
            firewall {
                in {
                    modify fw_marker_local_in
                    name local_in_vif128
                }
                local {
                    name vyatta_self_lan
                }
            }
        }
    }
    ethernet eth1 {
        description "-- Outside via HP5304 d1"
        duplex auto
        smp_affinity auto
        speed auto
        vif 7 {
            address 91.203.180.42/27
            description "interconnect"
            firewall {
                in {
                    modify fw_marker_wan_in
                    name outside_in
                }
                local {
                    name vyatta_self_inet
                }
                out {
                    name outside_out
                }
            }
            traffic-policy {
                out tp_out_aggr
            }
        }
    }
    loopback lo {
        address 91.203.181.2/32
        description "Vyatta R1 loopback"
    }
}
nat {
    source {
        rule 290 {
            description "NAT MASQ all from local network 172.16.0.0/12  any but not 91.203.180.0/24"
            destination {
                address !91.203.180.0/24
            }
            outbound-interface eth1.7
            source {
                address 172.16.0.0/12
            }
            translation {
                address 91.203.181.65
            }
        }
    }
}
policy {
    community-list 1 {
        rule 5 {
            action permit
            description "Match export-community"
            regex 47124:0
        }
    }
    prefix-list NlinkIn {
        description "Nlink IN. Permit only le 20"
        rule 50 {
            action deny
            ge 20
            prefix 0.0.0.0/0
        }
        rule 100 {
            action permit
            le 20
            prefix 0.0.0.0/0
        }
    }
    prefix-list pl-red-ospf {
        description "-- Prefix list redistribute to ospf"
        rule 10 {
            action permit
            prefix 91.203.180.128/25
        }
        rule 20 {
            action permit
            le 32
            prefix 91.203.181.64/27
        }
        rule 30 {
            action permit
            description "-- loopbacks"
            le 32
            prefix 91.203.181.0/27
        }
    }
    route-map NlinkIn {
        rule 100 {
            action permit
            description "Set Nlink-in-community"
            on-match {
                next
            }
            set {
                community "47124:16 additive"
            }
        }
        rule 1000 {
            action permit
            description "Permit all"
        }
    }
    route-map NlinkOut {
        rule 1000 {
            action permit
            description "Permit only export community"
            match {
                community {
                    community-list 1
                }
            }
            set {
                comm-list {
                    comm-list 1
                    delete
                }
            }
        }
    }
    route-map RmExportComm {
        rule 5 {
            action permit
            description "Set export-community"
            on-match {
                next
            }
            set {
                community "47124:0 additive"
            }
        }
        rule 10 {
            action permit
            description "Set place-of-redistr-community"
            set {
                community "47124:8 additive"
            }
        }
    }
    route-map rm-red-ospf {
        rule 100 {
            action permit
            description "redistribute to ospf rm"
            match {
                ip {
                    address {
                        prefix-list pl-red-ospf
                    }
                }
            }
        }
        rule 9999 {
            action deny
        }
    }
}
protocols {
    ospf {
        area 0 {
            network 91.203.180.32/27
        }
        passive-interface default
        passive-interface-exclude eth1.7
        redistribute {
            connected {
                metric-type 2
                route-map rm-red-ospf
            }
            static {
                metric-type 2
                route-map rm-red-ospf
            }
        }
    }
    static {
        route 91.203.181.64/27 {
            blackhole {
            }
        }
        route 91.203.183.0/24 {
            next-hop 91.203.180.212 {
            }
        }
        route 172.20.0.0/16 {
            next-hop 172.16.0.1 {
            }
        }
    }
}
service {
    dhcp-relay {
        interface eth0.181
        interface eth0.182
        interface eth0.185
        interface eth0.186
        interface eth0.2
        interface eth0.1811
        relay-options {
            hop-count 10
            max-size 576
            relay-agents-packets forward
        }
        server 172.16.0.2
        server 172.16.0.3
    }
    snmp {
        community public {
            authorization ro
            client 192.168.0.99
        }
        contact noc@example.com
        location RU
    }
    ssh {
        port 22
        protocol-version all
    }
}
system {
    config-management {
        commit-archive {
            location ftp://backup-vyatta:backuppwd@backup.example.edu.ru
        }
        commit-revisions 20
    }
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name rsu-vyatta-gw-1
    login {
        user admin1 {
            authentication {
                encrypted-password XXXXXXXXXXXXXXXXXXX
            }
            full-name "Admin 1"
            level admin
        }
        user admin2 {
            authentication {
                encrypted-password XXXXXXXXXXXXXXXXXXXXXXXXX
            }
            full-name "Admin 2"
            level admin
        }
    }
    name-server 172.16.0.2
    name-server 172.16.0.3
    ntp {
        server 0.vyatta.pool.ntp.org {
        }
        server 1.vyatta.pool.ntp.org {
        }
        server 2.vyatta.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository squeeze {
            components main
            distribution squeeze
            password ""
            url http://ftp.de.debian.org/debian
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}
traffic-policy {
    shaper tp_out_aggr {
        bandwidth 100mbit
        class 100 {
            bandwidth 3%
            burst 50k
            ceiling 5%
            description "Controll traffic"
            match mCtrl {
                mark 100
            }
            priority 1
            queue-type fair-queue
        }
        class 150 {
            bandwidth 10%
            burst 50k
            ceiling 30%
            description "User critical Game"
            match mGame {
                mark 150
            }
            priority 3
            queue-type fair-queue
        }
        class 200 {
            bandwidth 70%
            burst 50k
            ceiling 90%
            description "users traffic http,icq,icmp"
            match mUser {
                mark 200
            }
            priority 4
            queue-type fair-queue
        }
        class 910 {
            bandwidth 5%
            burst 50k
            ceiling 70%
            description "BE traffic"
            match m900 {
                mark 900
            }
            priority 7
            queue-type fair-queue
        }
        default {
            bandwidth 5%
            burst 40mb
            ceiling 80%
            priority 7
            queue-type fair-queue
        }
    }
    shaper tp_shaper_out {
        bandwidth 100mbit
        default {
            bandwidth 1%
            burst 15k
            ceiling 100%
            queue-type fair-queue
        }
    }
}
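A dump like the one above is easiest to review mechanically. The following is an added example (not code from the wiki page or from Vyatta): a small parser for this brace-delimited format plus audit checks for the settings that stand out in the gateway config, namely firewall sets with `default-action accept`, `ssh protocol-version all`, the `public` SNMP community, `source-validation disable`, and FTP credentials embedded in the `commit-archive` location. `SAMPLE_CONFIG` is a constructed excerpt of the dump; all function names are the example's own.

```python
"""Parse a Vyatta-style 'show configuration' dump and flag weak settings.

Added example, not part of the wiki page.  SAMPLE_CONFIG is a constructed
excerpt of the gateway configuration shown above.
"""
from urllib.parse import urlsplit

SAMPLE_CONFIG = """\
firewall {
    name outside_in {
        default-action drop
    }
    name vyatta_self_inet {
        default-action accept
        description "**** Vyatta Self (default accept, block SSH bruteforce) ****"
        rule 115 {
            action drop
            protocol tcp
        }
    }
    source-validation disable
    syn-cookies enable
}
service {
    snmp {
        community public {
            authorization ro
            client 192.168.0.99
        }
    }
    ssh {
        port 22
        protocol-version all
    }
}
system {
    config-management {
        commit-archive {
            location ftp://backup-vyatta:backuppwd@backup.example.edu.ru
        }
    }
}
"""


def parse_config(text):
    """Turn 'key value {' / 'key value' / '}' lines into nested dicts.

    Each node is keyed by its full header (e.g. 'name outside_in'), so
    repeated keys with different values never collide.  Leaves map to an
    empty dict.  '/* ... */' comment lines are skipped.  Unbalanced braces
    (the kind of defect a hand-pasted dump can carry) raise ValueError.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:
            stack[-1][line] = {}
    if len(stack) != 1:
        raise ValueError("missing '}' for %d open block(s)" % (len(stack) - 1))
    return root


def children(node, prefix):
    """Yield (value, subtree) for children whose first token equals prefix."""
    for key, sub in node.items():
        head, _, rest = key.partition(" ")
        if head == prefix:
            yield rest, sub


def audit(tree):
    """Return a list of human-readable findings for the weak settings checked."""
    findings = []
    fw = tree.get("firewall", {})
    for name, sub in children(fw, "name"):
        if "default-action accept" in sub:
            findings.append(f"firewall {name}: default-action accept")
    if "source-validation disable" in fw:
        findings.append("firewall: source-validation disabled (no reverse-path check)")
    svc = tree.get("service", {})
    ssh = svc.get("ssh", {})
    if "protocol-version all" in ssh or "protocol-version v1" in ssh:
        findings.append("service ssh: SSH protocol 1 enabled")
    for comm, _ in children(svc.get("snmp", {}), "community"):
        if comm in ("public", "private"):
            findings.append(f"service snmp: default community name '{comm}'")
    arch = tree.get("system", {}).get("config-management", {}).get("commit-archive", {})
    for loc, _ in children(arch, "location"):
        url = urlsplit(loc)
        if url.scheme == "ftp" and url.password:
            findings.append("commit-archive: FTP URL with embedded password (backups sent in clear)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Running it against the full dump rather than the excerpt also surfaces the second `default-action accept` set (`vyatta_self_lan`) and any block left unclosed in the paste.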

vpn.example.com

interfaces {
    /* White_1 */
    ethernet eth0 {
        address 91.203.180.212/25
        description White_1
        disable-link-detect
        duplex auto
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        duplex auto
        hw-id 00:50:56:b4:a0:d1
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    pseudo-ethernet peth0 {
        address 91.203.183.1/24
        description "VPN virtual Ethernet interface"
        link eth0
    }
}
protocols {
    static {
    }
}
service {
    https {
    }
    nat {
        rule 10 {
            outbound-interface eth0
            source {
                address 91.203.183.0/24
            }
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    config-management {
        commit-archive {
            location ftp://backup-vyatta:backuppwd@backup.example.com
        }
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    domain-name rsu.edu.ru
    gateway-address 91.203.180.254
    host-name vpn
    login {
        user admin {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 91.203.180.129
    name-server 172.16.0.3
    ntp {
        server ntp.example.com {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ****************
            url http://packages.vyatta.com/vyatta
            username ""
        }
    }
    static-host-mapping {
        host-name vpn {
            inet 127.0.0.1
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Moscow
}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 91.203.183.0/24 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                mode radius
                radius-server 91.203.180.145 {
                    key ****************
                }
            }
            client-ip-pool {
                start 91.203.183.2
                stop 91.203.183.32
            }
            dns-servers {
                server-1 91.203.180.129
                server-2 172.16.0.3
            }
            ipsec-settings {
                authentication {
                    mode x509
                    x509 {
                        ca-cert-file /config/auth/RSU_VPN_L2TP_CA.crt
                        server-cert-file /config/auth/L2TP_VPN_SRV.crt
                        server-key-file /config/auth/L2TP_VPN_SRV.SSL.pem
                        server-key-password ****************
                    }
                }
                ike-lifetime 3600
            }
            outside-address 91.203.180.212
            outside-nexthop 91.203.180.254
        }
    }
    pptp {
        remote-access {
            authentication {
                mode radius
                radius-server 91.203.180.145 {
                    key ****************
                }
            }
            client-ip-pool {
                start 91.203.183.33
                stop 91.203.183.254
            }
            dns-servers {
                server-1 91.203.180.129
                server-2 172.16.0.3
            }
            outside-address 91.203.180.212
        }
    }
}
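
The NAT rule 10 and the two remote-access client pools in the configuration above must agree with each other: every pool address has to fall inside the masqueraded 91.203.183.0/24, and the L2TP and PPTP pools must not overlap. The following script is an added example, not part of the original page or of Vyatta itself; it parses the same settings written in Vyatta `set` form (a constructed sample restating the values above) and reports any mismatch.

```python
import ipaddress

# Constructed sample in Vyatta `set` form, restating the NAT rule and the
# two client pools of vpn.example.com from the brace-style config above.
SAMPLE = """\
set service nat rule 10 source address 91.203.183.0/24
set service nat rule 10 type masquerade
set vpn l2tp remote-access client-ip-pool start 91.203.183.2
set vpn l2tp remote-access client-ip-pool stop 91.203.183.32
set vpn pptp remote-access client-ip-pool start 91.203.183.33
set vpn pptp remote-access client-ip-pool stop 91.203.183.254
"""

def parse_set_commands(text):
    """Turn `set a b c value` lines into nested dicts: {'a': {'b': {'c': 'value'}}}.
    Quotes around values (as in the network-group list) are stripped; a leaf
    that is repeated, such as several `network` entries, keeps the last value."""
    root = {}
    for line in text.splitlines():
        words = [w.strip("'\"") for w in line.split()]
        if len(words) < 3 or words[0] != "set":
            continue
        node = root
        for word in words[1:-2]:
            node = node.setdefault(word, {})
        node[words[-2]] = words[-1]
    return root

def pool(cfg, proto):
    """Return (start, stop) of the remote-access client pool for 'l2tp' or 'pptp'."""
    p = cfg["vpn"][proto]["remote-access"]["client-ip-pool"]
    return ipaddress.ip_address(p["start"]), ipaddress.ip_address(p["stop"])

def audit_pools(cfg):
    """List findings: a pool outside the masqueraded source net, a reversed
    pool, or L2TP and PPTP pools that overlap. An empty list means consistent."""
    nat_net = ipaddress.ip_network(cfg["service"]["nat"]["rule"]["10"]["source"]["address"])
    findings, spans = [], {}
    for proto in ("l2tp", "pptp"):
        start, stop = pool(cfg, proto)
        spans[proto] = (start, stop)
        if start > stop:
            findings.append(f"{proto}: pool start {start} is after stop {stop}")
        if start not in nat_net or stop not in nat_net:
            findings.append(f"{proto}: pool {start}-{stop} is not covered by NAT source {nat_net}")
    (a0, a1), (b0, b1) = spans["l2tp"], spans["pptp"]
    if a0 <= b1 and b0 <= a1:
        findings.append("l2tp and pptp client pools overlap")
    return findings
```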

B: List of IP networks of the city of Ryazan

set firewall group network-group rzn-nets network '31.44.48.0/20'
set firewall group network-group rzn-nets network '78.31.72.0/21'
set firewall group network-group rzn-nets network '80.72.112.0/20'
set firewall group network-group rzn-nets network '86.110.160.0/19'
set firewall group network-group rzn-nets network '88.86.64.0/23'
set firewall group network-group rzn-nets network '89.106.192.0/21'
set firewall group network-group rzn-nets network '91.219.188.0/22'
set firewall group network-group rzn-nets network '91.203.64.0/22'
set firewall group network-group rzn-nets network '91.203.180.0/22'
set firewall group network-group rzn-nets network '92.39.136.0/21'
set firewall group network-group rzn-nets network '93.189.8.0/22'
set firewall group network-group rzn-nets network '94.231.112.0/20'
set firewall group network-group rzn-nets network '95.83.128.0/18'
set firewall group network-group rzn-nets network '95.106.0.0/17'
set firewall group network-group rzn-nets network '109.69.72.0/22'
set firewall group network-group rzn-nets network '109.195.160.0/20'
set firewall group network-group rzn-nets network '176.96.224.0/19'
set firewall group network-group rzn-nets network '176.241.224.0/21'
set firewall group network-group rzn-nets network '176.212.180.0/22'
set firewall group network-group rzn-nets network '176.212.160.0/21'
set firewall group network-group rzn-nets network '176.104.192.0/19'
set firewall group network-group rzn-nets network '176.213.192.0/22'
set firewall group network-group rzn-nets network '178.255.120.0/21'
set firewall group network-group rzn-nets network '188.187.228.0/24'
set firewall group network-group rzn-nets network '193.34.8.0/22'
set firewall group network-group rzn-nets network '212.26.224.0/19'

Notes

  1. Cisco Replacement Guide
  2. About Vyatta
  3. http://www.carbonwind.net/VyattaOFR/Firewall/Firewall.htm#toUu
  4. dhcp-relay not working for vlans? [Solved]
  5. Vyatta VC5 - Simple Firewall and NAT Rules
  6. An established term; a more accurate rendering would be «виртуальная закрытая сеть» ("virtual closed network"). The word private means, among other things, "personal", "secret", "closed"; non-state (private) property has nothing to do with it.
  7. Vyatta System BGP REFERENCE GUIDE
  8. http://wiki.wireshark.org/DisplayFilters

See also

Links
