/* Junos SRX configuration for the gateway "gw" (local.dohd.org, 12.1X46-D15.3):
   VLAN switching for the LAN, PPPoE uplink on fe-0/0/6.6/pp0.0, source and
   destination NAT, trust/untrust zone policies, a wizard-generated dynamic
   (remote-access) VPN and a DHCP server per VLAN. Comments are review
   annotations; the statements themselves are as committed. */
## Last changed: 2014-03-11 15:24:56 CET
version 12.1X46-D15.3;
groups {
    /* Reusable terminal deny-and-log policy; pulled into the
       from-zone untrust to-zone trust context below via apply-groups. */
    DEFAULT_DENY_AND_LOG {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy DENY_AND_LOG {
                        match { source-address any; destination-address any; application any; }
                        then { deny; log { session-init; } }
                    }
                }
            }
        }
    }
}
system {
    host-name gw;
    domain-name local.dohd.org;
    time-zone Europe/Amsterdam;
    location country-code NL;
    root-authentication {
        encrypted-password ""; ## SECRET-DATA
    }
    name-server { 10.0.0.5; }
    services {
        /* ftp and xnm-clear-text are cleartext management services. They are not
           listed in the untrust zone's host-inbound-traffic, but the trust zone
           allows system-services all on every interface, including the guest
           VLAN (vlan.50). Consider removing both (netconf over ssh replaces
           xnm-clear-text) and adding root-login deny under ssh. */
        ftp;
        ssh;
        xnm-clear-text;
        dhcp-local-server {
            /* Group names do not match the interface descriptions under
               interfaces vlan: vlan.10 is the 10.0.2.0/24 "Test network" and
               vlan.40 the 10.0.0.0/24 "Wired network". Pools appear to be chosen
               by subnet, so this looks cosmetic, but it is misleading. */
            dhcpv6 {
                overrides { interface-client-limit 100; }
                group dhcpv6_wired { interface vlan.10; }
                group dhcpv6_wireless { interface vlan.20; }
                group dhcpv6_testlan { interface vlan.40; }
            }
            group dhcpv4_wired { interface vlan.10; }
            group dhcpv4_wifi { interface vlan.20; }
            group dhcpv4_testlan { interface vlan.40; }
            group dhcpv4_infra { interface vlan.1; }
            group dhcpv4_guest { interface vlan.50; }
            group dhcpv4_tuner { interface vlan.60; }
        }
        web-management {
            https {
                /* Self-signed certificate; the UI is reachable from every user
                   VLAN including the guest VLAN vlan.50 (vlan-wifigast) and from
                   the trunk ge-0/0/0.0. Not bound to any untrust interface. */
                system-generated-certificate;
                interface [ vlan.0 ge-0/0/0.0 vlan.10 vlan.20 vlan.40 vlan.50 ];
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * { any emergency; }
        /* Off-box logging of security, firewall and change-log events to
           10.0.0.5. Authorization (login) events only reach the local
           messages file; adding "authorization info" here would ship them
           off-box as well. */
        host 10.0.0.5 {
            security info;
            firewall info;
            conflict-log info;
            change-log info;
            facility-override local0;
            explicit-priority;
        }
        file messages { any critical; authorization info; }
        file interactive-commands { interactive-commands error; }
        /* Local copy of every RT_FLOW_SESSION_DENY event (the DENY_AND_LOG
           policy above), in structured-data form for easier parsing. */
        file session-deny-log {
            any any;
            match RT_FLOW_SESSION_DENY;
            structured-data;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    archival {
        configuration {
            /* The full configuration, including the password hashes and the IKE
               pre-shared key, is pushed to 10.0.0.5 over FTP on every commit, so
               credentials and config cross the LAN in cleartext. archive-sites
               also accepts scp://, and 10.0.0.5's SSH host key is already pinned
               under security ssh-known-hosts. */
            transfer-on-commit;
            archive-sites {
                "ftp://junos@10.0.0.5" password ""; ## SECRET-DATA
            }
        }
    }
    license {
        autoupdate { url https://ae1.juniper.net/junos/key_retrieval; }
    }
    /* Time from the internal server; no NTP authentication key is configured. */
    ntp {
        boot-server 10.0.0.5;
        server 10.0.0.5 prefer;
    }
}
interfaces {
    /* Trunk carrying every VLAN (members all), so VLAN 3 (vlan-trust/vlan.0)
       is also reachable through it even though no access port uses it. */
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan { members all; }
                native-vlan-id 1;
            }
        }
    }
    ip-0/0/0 {
        /* Unencrypted, unauthenticated IP-over-IP tunnel to cottonmgmt
           (80.255.244.203). ip-0/0/0.0 is a trust-zone interface below and
           carries the 10.99.0.0/16 route, so the far end gets the trust-to-trust
           any/any permit; that trust rests on nothing more than the outer IP
           header. An IPsec tunnel would give the same reachability with
           authentication. */
        unit 0 {
            tunnel { source 83.162.240.2; destination 80.255.244.203; }
            family inet { address 10.0.12.1/30; }
        }
        /* 6in4 tunnel to Hurricane Electric; inactive, as are the matching
           2001:470:d19e:: addresses and RA prefixes further down. */
        inactive: unit 1 {
            description "HE ipv6 tunnel";
            tunnel { source 83.162.240.2; destination 216.66.84.46; }
            family inet6 { address 2001:470:1f14:8b9::2/64; }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan { members vlan-tuner; }
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan { members vlan-wifi; }
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan { members vlan-wifi; }
            }
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan { members vlan-wired; }
            }
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan { members vlan-test; }
            }
        }
    }
    /* Provider fibre: PPPoE runs on VLAN 6 of this port (see pp0). */
    fe-0/0/6 {
        description "xs4all - glasvezel";
        vlan-tagging;
        unit 6 {
            encapsulation ppp-over-ether;
            vlan-id 6;
        }
    }
    /* Old cable uplink, disabled. The IKE gateway under security ike still
       names fe-0/0/7.0 as its external-interface. */
    fe-0/0/7 {
        disable;
        unit 0 {
            description chello;
            family inet;
        }
    }
    pp0 {
        unit 0 {
            ppp-options {
                pap {
                    local-name user;
                    local-password ""; ## SECRET-DATA
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/6.6;
                idle-timeout 0;
                auto-reconnect 120;
                client;
            }
            /* MTU 1492 for PPPoE; security flow tcp-mss 1300 below clamps TCP
               to match. */
            family inet {
                mtu 1492;
                negotiate-address;
            }
            family inet6 {
                mtu 1492;
                unnumbered-address vlan.10;
                dad-disable;
                /* Stateful DHCPv6 client asking for a delegated prefix (ia-pd);
                   RA updates for the main VLANs are inactive, so the
                   2001:981:f06c::/48 addresses below are configured statically. */
                dhcpv6-client {
                    client-type statefull;
                    client-ia-type ia-pd;
                    inactive: rapid-commit;
                    inactive: update-router-advertisement {
                        inactive: interface vlan.40;
                        inactive: interface vlan.10;
                        inactive: interface vlan.20;
                        interface vlan.50;
                        interface vlan.60;
                    }
                    client-identifier duid-type duid-ll;
                    inactive: update-server;
                    retransmission-attempt 9;
                }
            }
        }
    }
    vlan {
        /* vlan.0 (vlan-trust, VLAN 3) keeps what looks like the factory-default
           192.168.1.1/24. No access port is mapped to it, but it is a trust-zone
           interface with https and all host-inbound services; remove it if the
           VLAN is unused. */
        unit 0 {
            family inet { address 192.168.1.1/24; }
        }
        /* Infrastructure VLAN (access points, see the infra DHCP pool). */
        unit 1 {
            family inet { address 10.0.16.1/24; }
        }
        unit 10 {
            description "Test network";
            family inet { address 10.0.2.1/24; }
            family inet6 {
                mtu 1400;
                inactive: address 2001:470:d19e:1::1/64;
                address 2001:981:f06c:10::1/64;
                dad-disable;
            }
        }
        unit 20 {
            description "Wireless network";
            family inet { address 10.0.1.1/24; }
            family inet6 {
                mtu 1400;
                inactive: address 2001:470:d19e:2::1/64;
                address 2001:981:f06c:20::1/64;
                dad-disable;
            }
        }
        unit 40 {
            description "Wired network";
            family inet { address 10.0.0.1/24; }
            family inet6 {
                mtu 1400;
                inactive: address 2001:470:d19e::1/64;
                address 2001:981:f06c:40::1/64;
                dad-disable;
            }
        }
        /* Guest Wi-Fi (vlan-wifigast / dhcpv4_guest). Lives in the trust zone,
           see the zone note below. */
        unit 50 {
            family inet { address 10.0.5.1/24; }
            family inet6 {
                mtu 1400;
                inactive: address 2001:470:d19e:5::1/64;
                address 2001:981:f06c:50::1/64;
                dad-disable;
            }
        }
        unit 60 {
            description "Tuner TV network - temp";
            family inet { address 10.0.6.1/24; }
            family inet6 {
                mtu 1400;
                address 2001:981:f06c:60::1/64;
                dad-disable;
            }
        }
    }
}
routing-options {
    /* Default routes for both families go out the PPPoE session; 10.99.0.0/16
       is reached through the unauthenticated IP-IP tunnel (ip-0/0/0.0). */
    rib inet6.0 {
        static { route ::/0 next-hop pp0.0; }
    }
    static {
        route 10.99.0.0/16 next-hop 10.0.12.2;
        route 10.0.8.0/24 next-hop 10.0.0.6;
        route 0.0.0.0/0 next-hop pp0.0;
    }
}
protocols {
    /* LAN-side multicast only (SSDP group 239.255.255.250); nothing here runs
       toward the provider. PIM dense mode is also enabled on the guest VLAN. */
    igmp {
        interface vlan.20 {
            static { group 239.255.255.250; }
        }
    }
    router-advertisement {
        interface vlan.10 {
            link-mtu;
            inactive: prefix 2001:470:d19e:1::/64;
            prefix 2001:981:f06c:10::/64;
        }
        interface vlan.20 {
            link-mtu;
            inactive: prefix 2001:470:d19e:2::/64;
            prefix 2001:981:f06c:20::/64;
        }
        interface vlan.40 {
            link-mtu;
            inactive: prefix 2001:470:d19e:0::/64;
            prefix 2001:981:f06c:40::/64;
        }
    }
    pim {
        interface vlan.1 { mode dense; }
        interface vlan.10 { mode dense; }
        interface vlan.20 { mode dense; }
        interface vlan.40 { mode dense; }
        interface vlan.50 { mode dense; }
    }
    lldp {
        interface ge-0/0/0.0;
    }
    igmp-snooping {
        vlan vlan-test;
        vlan vlan-wifi {
            interface ge-0/0/0.0 {
                static { group 239.255.255.250; }
            }
        }
        vlan vlan-wired {
            interface ge-0/0/0.0 {
                static { group 239.255.255.250; }
            }
        }
    }
}
security {
    /* Pinned SSH host key for 10.0.0.5 (the DNS/NTP/syslog/archive host). */
    ssh-known-hosts {
        host 10.0.0.5 {
            rsa-key AAAAB3NzaC1yc2EAAAABIwAAAQEA1DzLk5a3fSSW9axb3/qOqCxfyUphvLuwYTO5XsZdyxx+9wBBJnB3R7y3hsFYDalWeYuwliz6pNEuOP1+HIzCb4jkenxCC5T4DNYUWrQ1UL5gThfa9caIyrm+u9jqTc6ah8Mw/4uZVhSjO/C1wX0tpQ/+rBZ4SfxjhzRuvb1Fqm5kQS8xxz/2rnSFJ+VvKJtHoiq+BLf1D2S2har0039Es7358p7bakoyoe19QpPE3G5/ytMlT09GpvBmrxgL39apAUxmOAPF/WQq3ulz+IYCfzZ06XM5A9Cx156EiN0EwhyuN7a2G5R/9kf+nGduu5eUVv+qYPRkcWL9/f7DE+lnMQ==;
        }
    }
    ike {
        /* Wizard-generated remote-access IKE: aggressive mode with one group
           pre-shared key shared by every client (ike-user-type group-ike-id),
           and proposal-set compatible, which still offers DES/3DES, MD5 and DH
           group 2. Aggressive mode with a group PSK is inherent to this Dynamic
           VPN design; mitigate with a long random PSK, an explicit proposal
           (AES, SHA-2) instead of the compatible set, and a low
           connections-limit. */
        policy ike_pol_wizard_dyn_vpn {
            mode aggressive;
            proposal-set compatible;
            pre-shared-key ascii-text ""; ## SECRET-DATA
        }
        gateway gw_wizard_dyn_vpn {
            ike-policy ike_pol_wizard_dyn_vpn;
            dynamic {
                hostname gw;
                connections-limit 50;
                ike-user-type group-ike-id;
            }
            /* fe-0/0/7 is disabled and the live uplink pp0.0 does not allow ike
               in its host-inbound-traffic, so as committed the remote-access VPN
               is unreachable from the Internet. Harmless, but either finish the
               move to pp0.0 deliberately or remove the VPN stanzas rather than
               leaving them half-wired. */
            external-interface fe-0/0/7.0;
            xauth access-profile remote_access_profile;
        }
    }
    ipsec {
        /* PFS with DH group 2 (1024-bit) and the compatible proposal set; same
           remarks as for the IKE policy. */
        policy ipsec_pol_wizard_dyn_vpn {
            perfect-forward-secrecy { keys group2; }
            proposal-set compatible;
        }
        vpn wizard_dyn_vpn {
            ike {
                gateway gw_wizard_dyn_vpn;
                ipsec-policy ipsec_pol_wizard_dyn_vpn;
            }
        }
    }
    alg {
        dns maximum-message-length 8192;
        rsh disable;
        ike-esp-nat { enable; }
    }
    /* One shared local user (xaa) for all remote clients. remote-protected-
       resources 10.0.0.0/8 is far wider than the 10.0.0.0/16 used on site
       (NW_XAALAN). */
    dynamic-vpn {
        access-profile remote_access_profile;
        clients {
            wizard-dyn-group {
                remote-protected-resources {
                    74.115.212.0/24;
                    10.0.0.0/8;
                }
                ipsec-vpn wizard_dyn_vpn;
                user { xaa; }
            }
        }
    }
    forwarding-options {
        family {
            inet6 { mode flow-based; }
        }
    }
    flow {
        /* allow-dns-reply accepts DNS replies that do not match an existing
           session, bypassing the stateful check for that traffic; revisit
           whether it is still needed. */
        allow-dns-reply;
        tcp-mss {
            all-tcp { mss 1300; }
        }
    }
    screen {
        /* Partial screen set on untrust: no ip spoofing, tcp port-scan,
           udp flood or icmp flood checks. */
        ids-option untrust-screen {
            icmp { ping-death; }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set OutgoingNAT {
                from zone trust;
                to zone untrust;
                rule Masquerade {
                    match {
                        source-address 10.0.0.0/16;
                        destination-address 0.0.0.0/0;
                    }
                    then { source-nat { interface; } }
                }
            }
        }
        /* Port forwards on the public address 83.162.240.2 to eeyore (ssh, mail,
           web), the NAS (ftp) and wool (tcp/26 -> 25). Only u2t-nas-ftp names a
           source-address, and that is 0.0.0.0/0; the zone policies below are
           what actually limit sources. */
        destination {
            pool eeyore { address 10.0.0.5/32; }
            pool nas { address 10.0.0.3/32; }
            pool wool { address 10.0.0.6/32; }
            pool wool-25 { address 10.0.0.6/32 port 25; }
            rule-set u2t-ip4-eeyore {
                from zone untrust;
                rule u2t-eeyore-ssh {
                    match { destination-address 83.162.240.2/32; destination-port 22; }
                    then { destination-nat { pool { eeyore; } } }
                }
                rule u2t-eeyore-smtp {
                    match { destination-address 83.162.240.2/32; destination-port 25; }
                    then { destination-nat { pool { eeyore; } } }
                }
                rule u2t-eeyore-http {
                    match { destination-address 83.162.240.2/32; destination-port 80; }
                    then { destination-nat { pool { eeyore; } } }
                }
                rule u2t-eeyore-https {
                    match { destination-address 83.162.240.2/32; destination-port 443; }
                    then { destination-nat { pool { eeyore; } } }
                }
                rule u2t-eeyore-imap {
                    match { destination-address 83.162.240.2/32; destination-port 143; }
                    then { destination-nat { pool { eeyore; } } }
                }
                rule u2t-eeyore-imap2 {
                    match { destination-address 83.162.240.2/32; destination-port 993; }
                    then { destination-nat { pool { eeyore; } } }
                }
                rule u2t-nas-ftp {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 83.162.240.2/32;
                        destination-port 21;
                    }
                    then { destination-nat { pool { nas; } } }
                }
                rule u2t-wool-smtp26 {
                    match { destination-address 83.162.240.2/32; destination-port 26; }
                    then { destination-nat { pool { wool-25; } } }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
        /* Intra-zone any/any permit. The guest VLAN vlan.50 (vlan-wifigast) and
           the tuner VLAN vlan.60 are trust-zone interfaces, so guests get
           unrestricted access to the wired LAN and to the firewall's own
           services. Putting the guest VLAN in its own zone would make the zone
           policies (and DEFAULT_DENY_AND_LOG) apply to it. */
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
        from-zone untrust to-zone trust {
            /* Inherits DENY_AND_LOG from the group. Confirm with
               "show security policies from-zone untrust to-zone trust" that the
               inherited policy is evaluated after the explicit permits below. */
            apply-groups DEFAULT_DENY_AND_LOG;
            policy u2t-ip4-incoming-eeyore {
                match {
                    source-address any-ipv4;
                    destination-address eeyore;
                    application [ junos-ssh junos-smtp junos-http junos-https junos-imap junos-imaps ];
                }
                then {
                    permit;
                    log { session-init; }
                    count;
                }
            }
            /* The IPv6 permits (this one through u2t-ipv6-wool-smtp) neither log
               nor count, unlike their IPv4 counterparts; add
               "log { session-init; }" for consistent visibility. */
            policy u2t-ipv6-eeyore-smtp {
                match {
                    source-address any-ipv6;
                    destination-address [ eeyore-smtp6 eeyore6 ];
                    application [ junos-smtp junos-icmp6-all junos-imap junos-imaps ];
                }
                then { permit; }
            }
            policy u2t-ipv6-eeyore-http {
                match {
                    source-address any-ipv6;
                    destination-address eeyore-http6;
                    application [ junos-http junos-https ];
                }
                then { permit; }
            }
            policy u2t-ipv6-eeyore6 {
                match {
                    source-address any-ipv6;
                    destination-address eeyore6;
                    application [ junos-ssh junos-imap junos-imaps ];
                }
                then { permit; }
            }
            /* SSH from any IPv6 source to the whole 2001:981:f06c::/48 (nw-lan6),
               i.e. every LAN host, not just the servers named above. */
            policy u2t-ipv6-allowed {
                match {
                    source-address any-ipv6;
                    destination-address nw-lan6;
                    application junos-ssh;
                }
                then {
                    permit;
                    count;
                }
            }
            /* FTP from any IPv4 source to the NAS; FTP carries credentials in
               cleartext across the Internet. */
            policy u2t-ip4-incoming-nas {
                match {
                    source-address any-ipv4;
                    destination-address nas;
                    application junos-ftp;
                }
                then {
                    permit;
                    log { session-init; }
                    count;
                }
            }
            policy u2t-ipv6-nas-ftp {
                match {
                    source-address any-ipv6;
                    destination-address nas6;
                    application junos-ftp;
                }
                then { permit; }
            }
            /* Inbound mail restricted to the mxterantula relay addresses. */
            policy u2t-ipv4-wool-smtp26 {
                match {
                    source-address mxterantula;
                    destination-address wool;
                    application smtp26;
                }
                then { permit; }
            }
            policy u2t-ipv6-wool-smtp {
                match {
                    source-address mxterantula6;
                    destination-address wool-smtp6;
                    application junos-smtp;
                }
                then { permit; }
            }
            /* Policy-based VPN permit for decrypted remote-access traffic:
               any source, any destination, any application. */
            policy policy_in_wizard_dyn_vpn {
                match { source-address any; destination-address any; application any; }
                then {
                    permit {
                        tunnel { ipsec-vpn wizard_dyn_vpn; }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address NW_WIFI 10.0.1.0/24;
                address NW_TEST 10.0.2.0/24;
                address NW_WIRED 10.0.0.0/24;
                address NW_INFRA 10.0.16.0/24;
                address NW_XAALAN 10.0.0.0/16;
                address eeyore 10.0.0.5/32;
                address eeyore-smtp6 2001:981:f06c:40::25/128;
                address eeyore-dns 2001:981:f06c:40::53/128;
                address eeyore-http6 2001:981:f06c:40::80/128;
                address eeyore6 2001:981:f06c:40::5/128;
                address nw-lan6 2001:981:f06c::/48;
                address gw-ipv6 2001:981:f06c:40::1/128;
                address nas 10.0.0.3/32;
                address nas6 2001:981:f06c:40::3/128;
                address wool 10.0.0.6/32;
                address wool-smtp6 2001:981:f06c:40::6/128;
                address-set eeyore-ipv6 {
                    address eeyore-smtp6;
                    address eeyore-http6;
                    address eeyore6;
                }
                /* Address-set named like a prefix; rename it so it cannot be
                   mistaken for a literal 10.0.0.3/32 in policies. */
                address-set 10.0.0.3/32 {
                    address nas;
                }
            }
            /* Every system service and protocol is accepted on every trust
               interface, including the guest VLAN; the per-interface
               "ssh; all" entries below add nothing on top of this. */
            host-inbound-traffic {
                system-services { all; }
                protocols { all; }
            }
            interfaces {
                vlan.0;
                vlan.1;
                vlan.10 {
                    host-inbound-traffic {
                        system-services { all; }
                    }
                }
                vlan.20 {
                    host-inbound-traffic {
                        system-services { ssh; all; }
                    }
                }
                vlan.40 {
                    host-inbound-traffic {
                        system-services { ssh; all; }
                    }
                }
                /* Unauthenticated IP-IP tunnel endpoint placed in trust. */
                ip-0/0/0.0;
                vlan.50 {
                    host-inbound-traffic {
                        system-services { ssh; all; }
                    }
                }
                vlan.60 {
                    host-inbound-traffic {
                        system-services { all; ssh; }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address ipupc 83.162.240.2/32;
                address cottonmgmt 80.255.244.203/32;
                address mxterantula 80.255.244.205/32;
                address mxterantula6 2001:4cb8:1:3111::25/128;
            }
            screen untrust-screen;
            /* Untrust answers only ping (plus dhcp on the disabled fe-0/0/7.0
               and dhcpv6 on pp0.0). protocols all is wider than needed: no
               routing protocol is configured toward the provider. */
            host-inbound-traffic {
                system-services { ping; }
                protocols { all; }
            }
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services { dhcp; ping; }
                    }
                }
                inactive: ip-0/0/0.1 {
                    host-inbound-traffic {
                        system-services { ping; }
                    }
                }
                pp0.0 {
                    host-inbound-traffic {
                        system-services { ping; dhcpv6; }
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        /* Selective packet mode for protocol 41 (6in4) to/from the public
           address. Not applied to any interface in this configuration, and the
           HE tunnel unit it was written for is inactive. */
        filter fix-v6v4-tunnel {
            term t0001 {
                from {
                    destination-address { 83.162.240.2/32; }
                    protocol 41;
                }
                then packet-mode;
            }
            term t0002 {
                from {
                    source-address { 83.162.240.2/32; }
                    protocol 41;
                }
                then packet-mode;
            }
            term t9999 {
                then accept;
            }
        }
    }
}
access {
    /* Local user store for XAuth and web authentication: a single client (xaa)
       with a static password, shared by the dynamic VPN and
       firewall-authentication. */
    profile remote_access_profile {
        client xaa {
            firewall-user {
                password ""; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    /* DHCP pools per VLAN plus the VPN client pool. Static host bindings are
       keyed on MAC address only; router and name-server attributes match the
       VLAN gateway addresses above. */
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 10.0.10.1/24;
                xauth-attributes {
                    primary-dns 10.0.0.5/32;
                    secondary-dns 10.0.0.228/32;
                }
            }
        }
        pool wifi {
            family inet {
                network 10.0.1.0/24;
                range wifi { low 10.0.1.11; high 10.0.1.127; }
                dhcp-attributes {
                    maximum-lease-time 7200;
                    domain-name local.dohd.org;
                    name-server { 10.0.0.5; 10.0.0.208; }
                    router { 10.0.1.1; }
                }
                host welschap { hardware-address 00:18:4d:e0:a5:3f; ip-address 10.0.1.2; }
                host flipjeair3 { hardware-address 00:21:6a:22:fe:d4; ip-address 10.0.1.14; }
                host droopy { hardware-address 00:0d:f0:3c:42:d8; ip-address 10.0.1.17; }
                host peanutsair { hardware-address 00:04:23:70:7d:b0; ip-address 10.0.1.73; }
                host tweetyair { hardware-address 00:18:de:9e:83:35; ip-address 10.0.1.72; }
                host woodstockair { hardware-address 00:22:69:05:f4:f9; ip-address 10.0.1.76; }
                host htcxaa { hardware-address 38:e7:d8:d3:84:fe; ip-address 10.0.1.77; }
                host tv0 { hardware-address 18:8e:d5:35:e9:bb; ip-address 10.0.1.69; }
                host htceeyore { hardware-address 7c:61:93:3d:3d:c0; ip-address 10.0.1.78; }
                host blue0 { hardware-address 00:25:d1:07:61:57; ip-address 10.0.1.68; }
                host tuner { hardware-address 00:18:dd:22:0e:de; ip-address 10.0.1.13; }
            }
        }
        pool testlan {
            family inet {
                network 10.0.2.0/24;
                range testlan { low 10.0.2.11; high 10.0.2.127; }
                dhcp-attributes {
                    maximum-lease-time 7200;
                    domain-name local.dohd.org;
                    name-server { 10.0.0.5; 10.0.0.208; }
                    router { 10.0.2.1; }
                }
            }
        }
        pool wired {
            family inet {
                network 10.0.0.0/24;
                range wired { low 10.0.0.11; high 10.0.0.127; }
                dhcp-attributes {
                    maximum-lease-time 7200;
                    domain-name local.dohd.org;
                    name-server { 10.0.0.5; 10.0.0.208; }
                    router { 10.0.0.1; }
                }
                host owl { hardware-address 00:1c:c4:b9:64:9a; ip-address 10.0.0.2; }
                host pooh { hardware-address 00:02:2d:0a:54:e0; ip-address 10.0.0.13; }
                host linnie { hardware-address 00:a0:c9:dd:28:70; ip-address 10.0.0.14; }
                host voip { hardware-address 00:0e:08:ac:0d:8f; ip-address 10.0.0.74; }
                host flipje { hardware-address 00:08:02:db:eb:19; ip-address 10.0.0.21; }
                host peanuts { hardware-address 00:02:3f:bc:90:54; ip-address 10.0.0.73; }
                host tweety { hardware-address 00:15:58:7d:d2:0c; ip-address 10.0.0.72; }
                /* ap1/ap2 are also bound in the infra pool with the same MACs;
                   which binding applies depends on the VLAN they attach to. */
                host ap1 { hardware-address d8:c7:c8:c7:4a:cd; ip-address 10.0.0.9; }
                host ap2 { hardware-address d8:c7:c8:c7:49:f7; ip-address 10.0.0.10; }
                host pap2t { hardware-address 00:23:69:7d:ce:28; ip-address 10.0.0.11; }
            }
        }
        pool infra {
            family inet {
                network 10.0.16.0/24;
                range infra { low 10.0.16.11; high 10.0.16.127; }
                dhcp-attributes {
                    maximum-lease-time 7200;
                    domain-name local.dohd.org;
                    name-server { 10.0.0.5; 10.0.0.208; }
                    router { 10.0.16.1; }
                }
                host ap1 { hardware-address d8:c7:c8:c7:4a:cd; ip-address 10.0.16.13; }
                host ap2 { hardware-address d8:c7:c8:c7:49:f7; ip-address 10.0.16.14; }
            }
        }
        pool guestlan {
            family inet {
                network 10.0.5.0/24;
                range guestlan { low 10.0.5.11; high 10.0.5.127; }
                dhcp-attributes {
                    maximum-lease-time 7200;
                    domain-name local.dohd.org;
                    name-server { 10.0.0.5; 10.0.0.208; }
                    router { 10.0.5.1; }
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile remote_access_profile;
        }
    }
}
applications {
    /* Custom port used by the wool SMTP forward (tcp/26, NATed to 25). */
    application smtp26 {
        protocol tcp;
        destination-port 26;
    }
}
vlans {
    /* VLAN-to-IRB mapping. vlan-test is VLAN 10 and vlan-wired VLAN 40; see the
       dhcp-local-server note about group names. */
    default {
        vlan-id 1;
        l3-interface vlan.1;
    }
    vlan-test {
        vlan-id 10;
        l3-interface vlan.10;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
    vlan-tuner {
        vlan-id 60;
        l3-interface vlan.60;
    }
    vlan-wifi {
        vlan-id 20;
        l3-interface vlan.20;
    }
    vlan-wifigast {
        vlan-id 50;
        l3-interface vlan.50;
    }
    vlan-wired {
        vlan-id 40;
        l3-interface vlan.40;
    }
}