RTX1200 configuration file (from the BIGLOBE Hikari days)
Thank you for your continued support. This is Kaji from Fi-Tech. The fish (a juvenile emperor angelfish, "uzumaki yakko") and the soft-shelled turtle I welcomed last month are unbearably cute. They eat well and have grown nice and plump. Marine fish really do have a charm of their own.

About the fiber internet dispute I wrote about the other day: in the end I had no choice but to switch to SB Hikari. The "Internet Support Center" that made the sales(?) call now answers with "The number you have dialed is..." whenever I try to reach it, so it feels like I was neatly taken in. That said, this kind of scheme is apparently quite common and SoftBank itself is troubled by it; they followed up with me very considerately on a number of points. (That part made me happy.)

So, to conclude: I currently have IPoE (v4 & v6) + DDNS running successfully. I will introduce that configuration file some other time. For this last entry in the series, I am showing the CONF I used before. I hope it will be of some use to you. Note that I have left the auto-generated filters and such as they were, so there is a lot of redundancy. (It is long, but please use the comments as a guide.) Thank you for sticking with me.

------------------------------------------------------------
clear configuration # clear the current settings
#
# System configuration
#
description 100 "Fi-Tech VPN Router Ver1.00"
login password encrypted user_password # general user password
administrator password encrypted admin_password # administrator password
#
# IP configuration
#
ip route default gateway pp 1 filter 10000 10001 10003 10004 10005 gateway tunnel 1 filter 10002 gateway 192.168.1.1 filter 10006 # switch the default gateway by traffic type
ip filter source-route on # discard packets carrying the source-route option
ip filter directed-broadcast on # defense against smurf attacks
ip stealth pp1 # do not answer ICMP on the WAN side
#
# IPv6 configuration
#
# The following two lines are for a Hikari Denwa (fiber phone) contract
ipv6 route default gateway dhcp lan2
ipv6 prefix 1 dhcp-prefix@lan2::/64
#
# VLAN Port Mapping configuration
#
# Separate the home LAN from the work LAN
vlan port mapping lan1.1 vlan1 # main LAN
vlan port mapping lan1.2 vlan1 # main LAN
vlan port mapping lan1.3 vlan1 # main LAN
vlan port mapping lan1.4 vlan1 # main LAN
vlan port mapping lan1.5 vlan1 # main LAN
vlan port mapping lan1.6 vlan1 # main LAN
vlan port mapping lan1.7 vlan2 # home LAN
vlan port mapping lan1.8 vlan2 # home LAN
#
# LAN configuration
#
lan type lan1 port-based-option=divide-network # configure lan1 for port-based VLANs
description vlan1 "Main LAN"
ip vlan1 address 192.168.11.254/24
ip vlan1 secure filter in 100000 100001 100002 100003 100004 100005 100006 100007 100099
ip vlan1 proxyarp on # needed because PPTP clients are assigned addresses from the vlan1 subnet
ip vlan1 wol relay broadcast # relay Magic Packets (broadcast)
ipv6 vlan1 address dhcp-prefix@lan2::1/64
ipv6 vlan1 rtadv send 1 o_flag=on
ipv6 vlan1 dhcp service server
description vlan2 "FamilyLAN"
ip vlan2 address 192.168.20.254/24
ip vlan2 secure filter in 100000 100001 100002 100003 100004 100005 100006 100007 100050 100051 100052 100053 100054 100055 100056 100099
description lan2 "To Home GW"
ip lan2 address 192.168.1.2/24
ip lan2 secure filter in 200000 200001 200010 200011 200020 200021 200022 200023 200024 200025 200026 200027 200030 200031 200032 200033 200034 200035 200036 200037 200040 200041 200042 200043 200044 200045 200046 200047 200050 200051 200052 200053 200054 200055 200056 200057 200500 # 200500 is not defined in this config; inbound packets matching no listed filter hit the implicit reject
ip lan2 secure filter out 200020 200021 200022 200023 200024 200025 200026 200027 200099 dynamic 200080 200081 200082 200083 200084 200085 200098 200099
ipv6 lan2 address dhcp
ipv6 lan2 dhcp service client
description lan3 "Debug Port" # debug port (for investigating settings)
ip lan3 address 192.168.2.254/24
lan shutdown lan3
ngn type lan2 ntt # required with a Hikari Denwa contract
### BRI 1 ###
#
# PP configuration
#
pp disable all
### PP 1 ###
pp select 1
description pp "Biglobe PPPoE"
pp keepalive interval 30 retry-interval=30 count=12
pp always-on on
pppoe use lan2
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname username@biglobe.ne.jp password
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type none
ip pp secure filter in 200097 200098 200000 200001 200002 200003 200004 200005 200010 200011 200012 200013 200014 200015 200020 200021 200022 200023 200024 200025 200026 200027 200501 # 200097/200098 (PPTP, GRE) are evaluated before the private-address rejects; 200501 is not defined, so everything else hits the implicit reject
ip pp secure filter out 200010 200011 200012 200013 200014 200015 200020 200021 200022 200023 200024 200025 200026 200027 200099 dynamic 200080 200081 200082 200083 200084 200085 200098 200099
ip pp intrusion detection in on reject=on
ip pp nat descriptor 1000
netvolante-dns use pp server=1 auto # DDNS
netvolante-dns hostname host pp server=1 suppon01.aa0.netvolante.jp # DDNS
pp enable 1
### PP anonymous ###
# PPTP server
pp select anonymous
description pp "PPTP Server"
pp bind tunnel1
pp auth request mschap-v2 # use this setting for Windows 7 and later (note: PPTP with MS-CHAPv2/MPPE is no longer considered secure)
pp auth username vpn_user vpn_password
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type mppe-any
ip pp remote address pool 192.168.11.10-192.168.11.19
ip pp mtu 1280
pptp service type server
pp enable anonymous
#
# TUNNEL configuration
#
no tunnel enable all
### TUNNEL 1 ###
tunnel select 1
description tunnel "Remote < = > Fi-Tech PPTP"
tunnel encapsulation pptp
tunnel enable 1
#
# IP filter configuration
#
# IPv4 default-gateway filters for switching (the default gateway is chosen by condition)
# Three exits are used: PPPoE, Tunnel and IPoE
# Filters for default-gateway switching
ip filter 10000 pass * * tcp 1723 * # PPTP control (PPPoE)
ip filter 10001 pass * * gre * * # PPTP encapsulation (PPPoE)
ip filter 10002 pass 192.168.11.10-192.168.11.19 * * * * # PPTP clients (tunnel1)
ip filter 10003 pass 192.168.11.1-192.168.11.9 * * * * # hosts that use the PPPoE connection (PPPoE)
ip filter 10004 pass 192.168.2.0/24 * * * * # maintenance (PPPoE)
ip filter 10005 pass 192.168.11.254 * * * * # the router itself (PPPoE)
ip filter 10006 pass * * * * * # everything else (IPoE)
# Prevent Windows file-sharing packets from leaking out
ip filter 100000 reject * * udp,tcp 135 *
ip filter 100001 reject * * udp,tcp * 135
ip filter 100002 reject * * udp,tcp netbios_ns-netbios_dgm *
ip filter 100003 reject * * udp,tcp * netbios_ns-netbios_dgm
ip filter 100004 reject * * udp,tcp netbios_ssn *
ip filter 100005 reject * * udp,tcp * netbios_ssn
ip filter 100006 reject * * udp,tcp 445 *
ip filter 100007 reject * * udp,tcp * 445
# Restrictions for vlan2 (no access to vlan1 or lan3; no configuring the router or the ONU)
ip filter 100050 reject 192.168.20.0/24 192.168.11.0/24 * * *
ip filter 100051 reject 192.168.20.0/24 192.168.2.0/24 * * *
ip filter 100052 reject 192.168.20.1-192.168.20.253 192.168.1.2 tcp * www
ip filter 100053 reject 192.168.20.1-192.168.20.253 192.168.1.2 udp * tftp
ip filter 100054 reject 192.168.20.1-192.168.20.253 192.168.20.254 tcp * www
ip filter 100055 reject 192.168.20.1-192.168.20.253 192.168.20.254 udp * tftp
ip filter 100056 reject 192.168.20.1-192.168.20.253 192.168.1.1 tcp * www
# Pass all other input
ip filter 100099 pass * * * * *
# Rules for lan2 and pp
ip filter 200000 reject 10.0.0.0/8 * * * *
ip filter 200001 reject 172.16.0.0/12 * * * *
ip filter 200002 reject 192.168.0.0/16 * * * *
ip filter 200003 reject 192.168.11.0/24 * * * *
ip filter 200004 reject 192.168.20.0/24 * * * *
ip filter 200005 reject 192.168.2.0/24 * * * *
ip filter 200010 reject * 10.0.0.0/8 * * *
ip filter 200011 reject * 172.16.0.0/12 * * *
ip filter 200012 reject * 192.168.0.0/16 * * *
ip filter 200013 reject * 192.168.11.0/24 * * *
ip filter 200014 reject * 192.168.20.0/24 * * *
ip filter 200015 reject * 192.168.2.0/24 * * *
ip filter 200020 reject * * udp,tcp 135 *
ip filter 200021 reject * * udp,tcp * 135
ip filter 200022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 200023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 200024 reject * * udp,tcp 445 *
ip filter 200025 reject * * udp,tcp * 445
ip filter 200026 restrict * * tcpfin * www,21,nntp
ip filter 200027 restrict * * tcprst * www,21,nntp
ip filter 200030 pass * 192.168.11.0/24 icmp * *
ip filter 200031 pass * 192.168.11.0/24 established * *
ip filter 200032 pass * 192.168.11.0/24 tcp * ident
ip filter 200033 pass * 192.168.11.0/24 tcp ftpdata *
ip filter 200034 pass * 192.168.11.0/24 tcp,udp * domain
ip filter 200035 pass * 192.168.11.0/24 udp domain *
ip filter 200036 pass * 192.168.11.0/24 udp * ntp
ip filter 200037 pass * 192.168.11.0/24 udp ntp *
ip filter 200040 pass * 192.168.20.0/24 icmp * *
ip filter 200041 pass * 192.168.20.0/24 established * *
ip filter 200042 pass * 192.168.20.0/24 tcp * ident
ip filter 200043 pass * 192.168.20.0/24 tcp ftpdata *
ip filter 200044 pass * 192.168.20.0/24 tcp,udp * domain
ip filter 200045 pass * 192.168.20.0/24 udp domain *
ip filter 200046 pass * 192.168.20.0/24 udp * ntp
ip filter 200047 pass * 192.168.20.0/24 udp ntp *
ip filter 200050 pass * 192.168.2.0/24 icmp * *
ip filter 200051 pass * 192.168.2.0/24 established * *
ip filter 200052 pass * 192.168.2.0/24 tcp * ident
ip filter 200053 pass * 192.168.2.0/24 tcp ftpdata *
ip filter 200054 pass * 192.168.2.0/24 tcp,udp * domain
ip filter 200055 pass * 192.168.2.0/24 udp domain *
ip filter 200056 pass * 192.168.2.0/24 udp * ntp
ip filter 200057 pass * 192.168.2.0/24 udp ntp *
#ip filter 200096 pass * * tcp * www # allow GUI access from outside (temporary; left commented out)
ip filter 200097 pass * * tcp * 1723 # allow PPTP control packets
ip filter 200098 pass * * gre * * # allow PPTP (GRE) packets
ip filter 200099 pass * * * * *
ip filter 500000 restrict * * * * * # defined but not referenced by any secure filter list
#
# IP dynamic filter configuration
#
ip filter dynamic 200080 * * ftp
ip filter dynamic 200081 * * domain
ip filter dynamic 200082 * * www
ip filter dynamic 200083 * * smtp
ip filter dynamic 200084 * * pop3
ip filter dynamic 200085 * * submission
ip filter dynamic 200098 * * tcp
ip filter dynamic 200099 * * udp
#
# IP forward filter configuration
#
#
# NAT Descriptor configuration
#
nat descriptor type 1000 masquerade
nat descriptor address outer 1000 ipcp # do this when the WAN address is dynamic (important)
nat descriptor address inner 1000 192.168.11.254 192.168.11.1-192.168.11.9 192.168.2.1-192.168.2.254
nat descriptor masquerade static 1000 1 192.168.11.254 tcp 1723 # for PPTP
nat descriptor masquerade static 1000 2 192.168.11.254 gre * # for PPTP
#
# SYSLOG configuration
#
syslog notice off
syslog debug off
#
# TFTP configuration
#
tftp host any # "any" is bounded only by the interface filters above; on pp the in list admits just tcp/1723 and GRE
#
# TELNETD configuration
#
telnetd host any # same caveat as tftp host any
#
# DHCP configuration
#
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.11.20-192.168.11.191/24 gateway 192.168.11.254 # vlan1
dhcp scope 2 192.168.20.2-192.168.20.191/24 gateway 192.168.20.254 # vlan2
dhcp scope 3 192.168.2.2-192.168.2.191/24 gateway 192.168.2.254 # lan3
#
# DHCPC configuration
#
#
# DNS configuration
#
dns server dhcp lan2
dns server select 500001 lan2 any . restrict lan2
dns server select 500002 pp 1 a . restrict pp 1
dns domain fi-tech.local
dns private address spoof on
#
# SNMP configuration
#
snmp sysname yamaha-rtx1200-00a0de378bb2
#
# Schedule configuration
#
schedule at 1 */Sun 00:00:00 * ntpdate ntp.nict.jp syslog
#
# PPTP configuration
#
pptp service on
#
# HTTPD configuration
#
httpd host any # same caveat as tftp host any; 200096 (GUI from outside) stays commented out
#
# Operation configuration
#
mail server name 1 "Fi-tech Mail Server"
mail server smtp 1 smtp.fi-tech.jp port=587 smtp-auth mail_addr mail_pass plain
mail template 1 1 From:admin@fi-tech.jp To:user@fi-tech.jp "Subject:RTX1200 Report" notify-wait-time=1
mail notify 1 1 trigger intrusion * in/out
#
# Statistics configuration
#
statistics cpu on
statistics memory on
save
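As an added audit example, not part of the original post and not a Yamaha tool: the script below parses `ip filter` definitions and `ip ... secure filter in|out` lists in the RTX syntax used above, reports numbers that are listed but never defined (200500 and 200501 in this config) and filters defined but never listed (500000), and evaluates a packet against a chain with the router's first-match rule, falling through to the implicit reject that applies once a secure filter list is set. The embedded config is a constructed abridgement of the page's own file; undefined numbers are treated as skipped, and flag-based protocols (established, tcpfin, tcprst) are compared by name only, which is a simplification.

```python
import ipaddress
import re

# Constructed excerpt of the RTX1200 config shown on this page (not the full file):
# three secure-filter lists and the static filters they reference.
SAMPLE_CONFIG = """\
ip vlan2 secure filter in 100050 100051 100052 100099
ip pp secure filter in 200097 200098 200000 200001 200002 200501
ip pp secure filter out 200099 dynamic 200098 200099
ip filter 100050 reject 192.168.20.0/24 192.168.11.0/24 * * *
ip filter 100051 reject 192.168.20.0/24 192.168.2.0/24 * * *
ip filter 100052 reject 192.168.20.1-192.168.20.253 192.168.1.2 tcp * www
ip filter 100099 pass * * * * *
ip filter 200000 reject 10.0.0.0/8 * * * *
ip filter 200001 reject 172.16.0.0/12 * * * *
ip filter 200002 reject 192.168.0.0/16 * * * *
ip filter 200097 pass * * tcp * 1723 # PPTP control
ip filter 200098 pass * * gre * *
ip filter 200099 pass * * * * *
ip filter 500000 restrict * * * * *
"""

# Service names the RTX accepts in port fields, as they appear in the config above.
PORT_NAMES = {"www": 80, "ftp": 21, "ftpdata": 20, "domain": 53, "ntp": 123, "tftp": 69,
              "ident": 113, "smtp": 25, "pop3": 110, "submission": 587, "nntp": 119,
              "netbios_ns": 137, "netbios_dgm": 138, "netbios_ssn": 139}

FILTER_RE = re.compile(r"ip filter (\d+) (pass|reject|restrict) (\S+) (\S+) (\S+) (\S+) (\S+)$")
CHAIN_RE = re.compile(r"ip (\S+) secure filter (in|out) ([\d ]+?)(?: dynamic [\d ]+)?$")


def parse(text):
    """Return ({number: (action, src, dst, proto, sport, dport)}, {(iface, dir): [numbers]})."""
    filters, chains = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop inline comments
        if m := FILTER_RE.match(line):
            filters[int(m.group(1))] = m.groups()[1:]
        elif m := CHAIN_RE.match(line):               # static part only; dynamic list ignored
            chains[(m.group(1), m.group(2))] = [int(n) for n in m.group(3).split()]
    return filters, chains


def audit(filters, chains):
    """Cross-reference: numbers listed but never defined, and filters defined but never listed."""
    undefined = {k: [n for n in v if n not in filters] for k, v in chains.items()}
    undefined = {k: v for k, v in undefined.items() if v}
    referenced = {n for v in chains.values() for n in v}
    return undefined, sorted(set(filters) - referenced)


def addr_match(spec, ip):
    if spec == "*":
        return True
    ip = ipaddress.ip_address(ip)
    if "-" in spec:                                   # RTX range syntax a.b.c.d-w.x.y.z
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


def port_match(spec, port):
    if spec == "*":
        return True
    for item in spec.split(","):                      # e.g. "www,21,nntp" or "netbios_ns-netbios_dgm"
        lo, _, hi = item.partition("-")
        lo = int(PORT_NAMES.get(lo, lo))
        hi = int(PORT_NAMES.get(hi, hi)) if hi else lo
        if lo <= port <= hi:
            return True
    return False


def evaluate(filters, chain, src, dst, proto, sport=0, dport=0):
    """First match wins. Numbers with no definition are skipped; a packet matching nothing
    falls to the implicit reject. Returns (action, matching filter number or None)."""
    for n in chain:
        if n not in filters:
            continue
        action, fsrc, fdst, fproto, fsport, fdport = filters[n]
        if (addr_match(fsrc, src) and addr_match(fdst, dst)
                and (fproto == "*" or proto in fproto.split(","))
                and port_match(fsport, sport) and port_match(fdport, dport)):
            return action, n
    return "reject", None


if __name__ == "__main__":
    filters, chains = parse(SAMPLE_CONFIG)
    undefined, unused = audit(filters, chains)
    print("listed but undefined:", undefined)
    print("defined but unused:", unused)
    pp_in = chains[("pp", "in")]
    print("PPTP from public src:", evaluate(filters, pp_in, "203.0.113.7", "198.51.100.9", "tcp", 50000, 1723))
    print("PPTP from 10/8 src:  ", evaluate(filters, pp_in, "10.1.2.3", "198.51.100.9", "tcp", 50000, 1723))
    print("vlan2 -> ONU web UI: ", evaluate(filters, chains[("vlan2", "in")], "192.168.20.5", "192.168.1.2", "tcp", 40000, 80))
```

Running it shows the two things worth checking in this file: the pp inbound list ends in an undefined number, so anything that is not PPTP control or GRE is dropped by the implicit reject, and because 200097/200098 sit before the private-address rejects, a PPTP or GRE packet with a spoofed 10.0.0.0/8 source is still passed. If the bogon filtering is meant to win, move 200000-200005 ahead of 200097/200098 in the `ip pp secure filter in` list.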