| | 2 | |
| | 3 | file:/etc/dhclient.conf |
| | 4 | {{{ |
| | 5 | interface "re0vlan4" { |
| | 6 | request routers,classless-routes; |
| | 7 | send dhcp-class-identifier "IPTV_RG"; |
| | 8 | } |
| | 9 | }}} |
| | 10 | |
| | 11 | |
| | 12 | file:/etc/rc.conf |
| | 13 | {{{ |
| | 14 | hostname="routerZW.vanderzwet.net" |
| | 15 | sshd_enable="YES"  # /etc/firewall.sh only admits TCP 1022 to the router from the WAN (ng0) — presumably sshd listens on 1022; confirm sshd_config |
| | 16 | |
| | 17 | gateway_enable="YES"  # IPv4 forwarding between re0vlan4, re1, re2 and the PPPoE link ng0 |
| | 18 | ipv6_gateway_enable="YES" |
| | 19 | ipv6_cpe_wanif="ng0"  # ng0 is the interface created by the mpd5 bundle (see mpd.conf) |
| | 20 | |
| | 21 | |
| | 22 | ifconfig_re0="up -wol -arp"  # untagged parent of the two VLANs only; it carries no address of its own |
| | 23 | vlans_re0="re0vlan4 re0vlan6" |
| | 24 | create_args_re0vlan4="vlan 4" |
| | 25 | create_args_re0vlan6="vlan 6 -arp" |
| | 26 | |
| | 27 | # IPTV VLAN (tag 4): address by DHCP; /etc/dhclient.conf sends the "IPTV_RG" class identifier on this interface |
| | 28 | ifconfig_re0vlan4="DHCP" |
| | 29 | |
| | 30 | # Internet VLAN (tag 6): PPPoE carrier only (mpd.conf: "set pppoe iface re0vlan6"); IPv6 is kept disabled on re0 and re0vlan6 themselves |
| | 31 | ifconfig_re0_ipv6="inet6 ifdisabled -nud -auto_linklocal -accept_rtadv" |
| | 32 | ifconfig_re0vlan6_ipv6="inet6 ifdisabled -nud -auto_linklocal -accept_rtadv" |
| | 33 | |
| | 34 | # Wireless Leiden: third-party network on re1. Note that the deny rules in /etc/firewall.sh are scoped to ng0, so traffic arriving on re1 is not covered by them |
| | 35 | ifconfig_re1="172.17.107.20/24" |
| | 36 | |
| | 37 | # Local Area Network: private /24 (translated by natd on ng0) plus the routed public IPv4 /29 and the IPv6 /64 on the same interface |
| | 38 | ifconfig_re2="192.168.178.1/24" |
| | 39 | ifconfig_re2_alias0="80.127.152.25/29" |
| | 40 | ifconfig_re2_ipv6="inet6 2001:984:ac89:ffff::1" |
| | 41 | |
| | 42 | # Routing Wireless Leiden: the whole 172.16.0.0/12 via the neighbour on re1 |
| | 43 | static_routes="wleiden" |
| | 44 | route_wleiden="-net 172.16.0.0/12 172.17.107.1" |
| | 45 | |
| | 46 | # PPPoE Tunnel for INET (mpd5; link settings and ISP credentials in /usr/local/etc/mpd5/mpd.conf) |
| | 47 | mpd_enable="YES" |
| | 48 | |
| | 49 | # DHCP for IPv6 (started via mpd5 - linkup script): deliberately "NO" here; linkup.sh uses the "onerestart" rc verb, which ignores this switch, so dhcp6c only runs while the PPP link is up |
| | 50 | dhcp6c_enable="NO" |
| | 51 | dhcp6c_interfaces="ng0" |
| | 52 | |
| | 53 | # IPv6 on LAN: router advertisements on re2 (prefix, RDNSS and DNSSL in /etc/rtadvd.conf) |
| | 54 | rtadvd_enable="YES" |
| | 55 | rtadvd_interfaces="re2" |
| | 56 | |
| | 57 | # IPv6 on WAN: router solicitation; linkup.sh enables accept_rtadv on ng0 once the link is up |
| | 58 | rtsold_enable="YES" |
| | 59 | |
| | 60 | # IPv4 on LAN: ISC dhcpd, scope in /usr/local/etc/dhcpd.conf |
| | 61 | dhcpd_enable="YES" |
| | 62 | dhcpd_ifaces="re2" |
| | 63 | |
| | 64 | # Firewall ACL: firewall_script replaces the stock rc.firewall; "open" only selects the open|client branch of /etc/firewall.sh, it does not disable filtering |
| | 65 | firewall_type="open" |
| | 66 | firewall_enable="YES" |
| | 67 | firewall_script="/etc/firewall.sh" |
| | 68 | |
| | 69 | # NAT for LAN: natd on the divert socket installed as ipfw rule 50 in /etc/firewall.sh; /etc/natd.conf is not shown on this page |
| | 70 | natd_enable="YES" |
| | 71 | natd_flags="-f /etc/natd.conf" |
| | 72 | |
| | 73 | # IPTV Multicast proxy (its own config is not shown); the ip_mroute module is loaded from /boot/loader.conf |
| | 74 | igmpproxy_enable="YES" |
| | 75 | |
| | 76 | # Caching DNS Server: unbound, listening on loopback, the LAN addresses and the Wireless Leiden address (see unbound.conf) |
| | 77 | unbound_enable="YES" |
| | 78 | }}} |
| | 79 | |
| | 80 | |
| | 81 | file:/boot/loader.conf |
| | 82 | {{{ |
| | 83 | # Force output to run through the comconsole, no exceptions |
| | 84 | console="comconsole" |
| | 85 | |
| | 86 | # PC Engines Alix APU board default serial settings cannot be changed, so 115200 it is. |
| | 87 | comconsole_speed="115200" |
| | 88 | |
| | 89 | ip_mroute_load="YES" |
| | 90 | }}} |
| | 91 | |
| | 92 | file:/usr/local/etc/mpd5/linkup.sh |
| | 93 | {{{ |
| | 94 | #!/bin/sh |
| | 95 | # mpd5 "iface up-script" (mpd.conf: set iface up-script): run when a protocol layer of the PPP bundle comes up. |
| | 96 | |
| | 97 | test -z "$1" && exit 1  # $1 is the interface name (ng0); refuse to run without it |
| | 98 | |
| | 99 | if [ "$2" = "inet" ]  # $2 is the protocol family this invocation is for ("inet" or "inet6") |
| | 100 | then |
| | 101 | /usr/bin/renice -n -5 $PPID  # raise the priority of the caller (presumably mpd5, or the shell it spawned); linkdown.sh reverses this with +5 |
| | 102 | fi |
| | 103 | |
| | 104 | if [ "$2" = "inet6" ] |
| | 105 | then |
| | 106 | /sbin/ifconfig "$1" inet6 accept_rtadv -nud -no_radr  # accept router advertisements on the PPP link (rc.conf keeps them disabled on the Ethernet side) |
| | 107 | (sleep 3; /usr/local/etc/rc.d/dhcp6c onerestart) &  # backgrounded so mpd5 is not blocked; "one" prefix bypasses dhcp6c_enable="NO" in rc.conf, restart replaces any stale instance; its exit status is not checked |
| | 108 | |
| | 109 | |
| | 110 | fi |
| | 111 | |
| | 112 | exit 0 |
| | 113 | }}} |
| | 114 | |
| | 115 | file:/usr/local/etc/mpd5/linkdown.sh |
| | 116 | {{{ |
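| | 117 | #!/bin/sh |
| | 118 | # mpd5 "iface down-script" (mpd.conf: set iface down-script): counterpart of linkup.sh, run when a protocol layer of the PPP bundle goes down. |
| | 119 | |
| | 120 | test -z "$1" && exit 1  # $1 is the interface name (ng0); nothing to do without it |
| | 121 | |
| | 122 | if [ "$2" = "inet" ]  # $2 is the protocol family this invocation is for ("inet" or "inet6") |
| | 123 | then |
| | 124 | /usr/bin/renice -n +5 $PPID  # undo the -5 priority boost linkup.sh gave the caller (presumably mpd5, or the shell it spawned) |
| | 125 | fi |
| | 126 | |
| | 127 | if [ "$2" = "inet6" ] |
| | 128 | then |
| | 129 | /usr/local/etc/rc.d/dhcp6c onestop  # "onestop", not "stop": rc.conf has dhcp6c_enable="NO" and rc.subr refuses a plain "stop" for a disabled service, so the client was left running after link loss; linkup.sh already uses "onerestart" for the same reason |
| | 130 | fi |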
| | 131 | }}} |
| | 132 | |
| | 133 | file:/usr/local/etc/mpd5/mpd.conf |
| | 134 | {{{ |
| | 135 | startup: |
| | 136 | # configure mpd users: these logins protect the console and the web UI below. "foo"/"bar" and "foo1"/"bar1" look like the placeholder users from the mpd sample config — replace them with real credentials |
| | 137 | set user foo bar admin |
| | 138 | set user foo1 bar1 |
| | 139 | # configure the console: bound to loopback only (127.0.0.1:5005) |
| | 140 | set console self 127.0.0.1 5005 |
| | 141 | set console open |
| | 142 | # configure the web server: bound to every address (0.0.0.0:5006). /etc/firewall.sh only denies inbound TCP setup on ng0, so this UI is reachable from re2 (LAN), re1 (Wireless Leiden) and re0vlan4 (IPTV) with the users above; bind it to 127.0.0.1 like the console, or filter port 5006 on those interfaces |
| | 143 | set web self 0.0.0.0 5006 |
| | 144 | set web open |
| | 145 | |
| | 146 | # |
| | 147 | # Default configuration: load the PPPoE client below (the sample's "dialup" label was stale) |
| | 148 | |
| | 149 | default: |
| | 150 | load pppoe_client |
| | 151 | |
| | 152 | pppoe_client: |
| | 153 | # Bundle B1 provides the PPP interface (presumably ng0, which rc.conf and firewall.sh refer to); its up/down scripts start and stop dhcp6c and adjust mpd's priority. |
| | 154 | # PPPoE client: only outgoing calls, auto reconnect, |
| | 155 | # ipcp-negotiated address, one-sided authentication, |
| | 156 | # default route points on ISP's end. |
| | 157 | # "load nat" refers to a label that is not part of this excerpt. The "set auth" lines hold the ISP login in clear text: keep this file readable by root only and redact it before publishing. |
| | 158 | |
| | 159 | create bundle static B1 |
| | 160 | set iface up-script /usr/local/etc/mpd5/linkup.sh |
| | 161 | set iface down-script /usr/local/etc/mpd5/linkdown.sh |
| | 162 | set ipcp ranges 0.0.0.0/0 0.0.0.0/0 |
| | 163 | set bundle enable ipv6cp |
| | 164 | set iface route default |
| | 165 | load nat |
| | 166 | |
| | 167 | |
| | 168 | create link static P1 pppoe |
| | 169 | set link action bundle B1 |
| | 170 | set link latency 1200 |
| | 171 | set link bandwidth 100000000 |
| | 172 | set link max-redial 0 |
| | 173 | set link keep-alive 10 60 |
| | 174 | #set link mtu 1492 |
| | 175 | #set pppoe max-payload 1500 |
| | 176 | |
| | 177 | set auth authname FB7490@xs4all.nl |
| | 178 | set auth password FB7490 |
| | 179 | |
| | 180 | set pppoe iface re0vlan6 |
| | 181 | set pppoe service "" |
| | 182 | open |
| | 183 | }}} |
| | 184 | |
| | 185 | file:/etc/rtadvd.conf |
| | 186 | {{{ |
| | 187 | re2:\ |
| | 188 | :addr="2001:984:ac89:ffff::":prefixlen#64:\ |
| | 189 | :rdnss="2001:984:ac89:ffff::1":\ |
| | 190 | :dnssl="vanderzwet.net": |
| | 191 | }}} |
| | 192 | |
| | 193 | file:/usr/local/etc/dhcpd.conf |
| | 194 | {{{ |
| | 195 | default-lease-time 600; |
| | 196 | max-lease-time 7200; |
| | 197 | |
| | 198 | authoritative; |
| | 199 | |
| | 200 | log-facility local7; |
| | 201 | |
| | 202 | subnet 192.168.178.0 netmask 255.255.255.0 { |
| | 203 | range 192.168.178.50 192.168.178.200; |
| | 204 | option routers 192.168.178.1; |
| | 205 | option domain-name "thuis.vanderzwet.net"; |
| | 206 | option domain-name-servers 192.168.178.1; |
| | 207 | option vendor-class-identifier "IPTV_RG"; |
| | 208 | option broadcast-address 192.168.178.255; |
| | 209 | } |
| | 210 | }}} |
| | 211 | |
| | 212 | file:/usr/local/etc/unbound.conf |
| | 213 | {{{ |
| | 214 | |
| | 215 | server: |
| | 216 | |
| | 217 | verbosity: 1 |
| | 218 | |
| | 219 | interface: 127.0.0.1 |
| | 220 | interface: ::1 |
| | 221 | interface: 192.168.178.1 |
| | 222 | interface: 2001:984:ac89:ffff::1 |
| | 223 | interface: 172.17.107.20 |
| | 224 | |
| | 225 | access-control: 192.168.178.0/24 allow |
| | 226 | access-control: 172.16.0.0/12 allow |
| | 227 | access-control: 2001:984:ac89::/48 allow |
| | 228 | |
| | 229 | |
| | 230 | |
| | 231 | python: |
| | 232 | |
| | 233 | remote-control: |
| | 234 | |
| | 235 | include: /usr/local/etc/unbound/forward.conf |
| | 236 | include: /usr/local/etc/unbound/lan-zones.conf |
| | 237 | |
| | 238 | }}} |
| | 239 | |
| | 240 | file:/etc/resolv.conf |
| | 241 | {{{ |
| | 242 | search vanderzwet.net |
| | 243 | nameserver 127.0.0.1 |
| | 244 | |
| | 245 | nameserver 194.109.6.66 |
| | 246 | nameserver 194.109.9.99 |
| | 247 | nameserver 194.109.104.104 |
| | 248 | nameserver 2001:888:0:6::66 |
| | 249 | nameserver 2001:888:0:9::99 |
| | 250 | }}} |
| | 251 | |
| | 252 | file:/etc/firewall.sh |
| | 253 | {{{ |
| | 254 | case ${firewall_type} in  # ${fwcmd}, ${firewall_type} and ${natd_enable} are not defined in this excerpt — presumably the stock rc.firewall preamble (rc.conf loading, fwcmd, firewall_type from $1) precedes it; TODO confirm |
| | 255 | [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])  # rc.conf sets firewall_type="open"; there is no other branch, so any other value loads no rules at all |
| | 256 | case ${natd_enable} in |
| | 257 | [Yy][Ee][Ss]) |
| | 258 | ${fwcmd} add 50 divert natd ip4 from not 80.127.152.25/29 to not 80.127.152.25/29 via ng0  # LAN NAT on the PPPoE link; the routed public /29 is excluded (80.127.152.25/29 is the same network as the 80.127.152.24/29 used below, ipfw masks the host bits) |
| | 259 | |
| | 260 | ${fwcmd} add 51 divert 8669 ip4 from 10.201.184.0/22 to me via re0vlan4  # IPTV VLAN: separate NAT instance on divert port 8669 |
| | 261 | ${fwcmd} add 51 divert 8669 ip4 from 192.168.178.0/24 to 10.201.184.0/22 via re0vlan4 |
| | 262 | |
| | 263 | ${fwcmd} add 51 divert 8669 ip4 from 192.168.178.0/24 to 213.75.112.0/21 via re0vlan4 |
| | 264 | ${fwcmd} add 51 divert 8669 ip4 from 213.75.112.0/21 to me via re0vlan4 |
| | 265 | |
| | 266 | ${fwcmd} add 52 divert 8670 ip4 from 192.168.178.0/24 to 172.16.0.0/12 out via re1  # Wireless Leiden: third NAT instance on divert port 8670. Nothing on this page starts listeners for 8669/8670 (presumably natd instances in /etc/natd.conf, not shown); diverted packets with no listener are dropped |
| | 267 | ${fwcmd} add 52 divert 8670 ip4 from 172.16.0.0/12 to me in via re1 |
| | 268 | |
| | 269 | ;; |
| | 270 | esac |
| | 271 | |
| | 272 | # Allow DHCPv6 (client port 546 from link-local sources; not restricted to ng0) |
| | 273 | ${fwcmd} add pass udp from fe80::/10 to me 546 |
| | 274 | |
| | 275 | # Allow TCP through if setup succeeded (stateless ACK/RST-bit match as in the stock rc.firewall, so the deny-log rules further down only ever see connection setup packets) |
| | 276 | ${fwcmd} add pass tcp from any to any established |
| | 277 | ${fwcmd} add pass ipv6 from any to any established |
| | 278 | |
| | 279 | # Allow IP fragments to pass through |
| | 280 | ${fwcmd} add pass all from any to any frag |
| | 281 | |
| | 282 | # Wireless Leiden Special: TCP 9000-9100 from the Internet to one host of the public /29 |
| | 283 | ${fwcmd} add pass tcp from any to 80.127.152.27/32 dst-port 9000-9100 in via ng0 setup |
| | 284 | |
| | 285 | # Allow setup of incoming TCP stuff to VAS (the public IPv4 /29 and IPv6 /48 routed to re2), one v4 and one v6 rule per port |
| | 286 | for i in 25 53 80 443 465 993 1022; do |
| | 287 | ${fwcmd} add pass tcp from any to 80.127.152.24/29 dst-port ${i} in via ng0 setup |
| | 288 | ${fwcmd} add pass ip6 from any to 2001:984:ac89::/48 dst-port ${i} in via ng0 setup proto tcp |
| | 289 | done |
| | 290 | # Allow setup of incoming UDP stuff to VAS (DNS and NTP, stateless) |
| | 291 | for i in 53 123; do |
| | 292 | ${fwcmd} add pass udp from any to 80.127.152.24/29 dst-port ${i} in via ng0 |
| | 293 | ${fwcmd} add pass ip6 from any to 2001:984:ac89::/48 dst-port ${i} in via ng0 proto udp |
| | 294 | done |
| | 295 | |
| | 296 | # TCP Access to Router from the Internet: only 1022 (presumably sshd on a non-default port; rc.conf enables sshd) — everything else to "me" on ng0 is denied and logged below |
| | 297 | for i in 1022; do |
| | 298 | ${fwcmd} add pass tcp from any to me dst-port ${i} in via ng0 setup |
| | 299 | ${fwcmd} add pass ip6 from any to me dst-port ${i} in via ng0 setup proto tcp |
| | 300 | done |
| | 301 | |
| | 302 | # Allow UDP on VAS: check-state matches the replies for the keep-state rules that follow, so it has to stay ahead of the deny rules |
| | 303 | ${fwcmd} add check-state |
| | 304 | ${fwcmd} add pass udp from 80.127.152.24/29 to any out via ng0 proto udp keep-state |
| | 305 | ${fwcmd} add pass ip6 from 2001:984:ac89::/48 to any out via ng0 proto udp keep-state |
| | 306 | |
| | 307 | # Allow UDP on Router: outbound UDP from the router itself with state; this supersedes the commented-out DNS/NTP rules further down |
| | 308 | ${fwcmd} add pass udp from me to any out via ng0 proto udp keep-state |
| | 309 | ${fwcmd} add pass ip6 from me to any out via ng0 proto udp keep-state |
| | 310 | |
| | 311 | # Reject&Log all setup of incoming connections from the outside. NOTE(review): every deny rule here and in the next group is scoped "in via ng0"; traffic arriving on re0vlan4 (IPTV), re1 (Wireless Leiden) and re2 (LAN) is not covered and reaches the generic "pass tcp from any to any setup" rule below |
| | 312 | ${fwcmd} add deny log ip4 from any to 80.127.152.24/29 in via ng0 setup proto tcp |
| | 313 | ${fwcmd} add deny log ip4 from any to 80.127.152.24/29 in via ng0 proto udp |
| | 314 | ${fwcmd} add deny log ip6 from any to 2001:984:ac89::/48 in via ng0 setup proto tcp |
| | 315 | ${fwcmd} add deny log ip6 from any to 2001:984:ac89::/48 in via ng0 proto udp |
| | 316 | |
| | 317 | # Access limit to Router (from ng0 only, see the note above) |
| | 318 | ${fwcmd} add deny log ip4 from any to me in via ng0 setup proto tcp |
| | 319 | ${fwcmd} add deny log ip4 from any to me in via ng0 proto udp |
| | 320 | ${fwcmd} add deny log ip6 from any to me in via ng0 setup proto tcp |
| | 321 | ${fwcmd} add deny log ip6 from any to me in via ng0 proto udp |
| | 322 | |
| | 323 | # Allow setup of any other TCP connection — outbound from the LAN and the router, but also inbound from re1, re2 and re0vlan4 to the router and the LAN (e.g. sshd and the mpd5 web console on 0.0.0.0:5006); add "in via re1" / "in via re0vlan4" denies ahead of this rule if those networks are not trusted |
| | 324 | ${fwcmd} add pass tcp from any to any setup |
| | 325 | |
| | 326 | # Allow DNS queries out in the world (superseded by the keep-state UDP rule for "me" above) |
| | 327 | #${fwcmd} add pass udp from me to any 53 keep-state |
| | 328 | |
| | 329 | # Allow NTP queries out in the world (superseded likewise) |
| | 330 | #${fwcmd} add pass udp from me to any 123 keep-state |
| | 331 | |
| | 332 | # Everything else is denied by default, unless the |
| | 333 | # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel |
| | 334 | # config file. |
| | 335 | case ${firewall_nat_enable} in  # stock in-kernel NAT block from rc.firewall; inactive unless firewall_nat_enable is set — rc.conf uses natd (rule 50 above) instead, so leave this unset or two NATs end up at rule 50 |
| | 336 | [Yy][Ee][Ss]) |
| | 337 | if [ -n "${firewall_nat_interface}" ]; then |
| | 338 | if echo "${firewall_nat_interface}" | \ |
| | 339 | grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then |
| | 340 | firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}" |
| | 341 | else |
| | 342 | firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}" |
| | 343 | fi |
| | 344 | ${fwcmd} nat 123 config log ${firewall_nat_flags} |
| | 345 | ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface} |
| | 346 | fi |
| | 347 | ;; |
| | 348 | esac |
| | 349 | esac |
| | 350 | }}} |