dan/openwrt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4ee41bf8810ce1c39446ff51f0bf56a70a1d8b51
openwrt/config/firewall
Dan Head 4ee41bf881 chore: initial repo setup with baseline config backup 
- Pull current config from router (OpenWRT 24.10.2)
- Add backup, safe-apply, and push-all scripts
- Add CLAUDE.md with workflow rules and context
- Add network-map.md with current topology and planned VLANs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-02 23:37:53 +01:00

260 lines
5.2 KiB
Plaintext
Raw Blame History

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTP'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '10.0.0.2'
option dest_port '80'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HTTPS'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '10.0.0.2'
option dest_port '443'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SSH - Everlost'
list proto 'tcp'
option src 'wan'
option src_dport '22563'
option dest_ip '10.0.0.2'
option dest_port '22563'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SSH - Home Assistant'
list proto 'tcp'
option src 'wan'
option src_dport '22553'
option dest_ip '10.0.0.11'
option dest_port '22553'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SSH - Frigate'
list proto 'tcp'
option src 'wan'
option src_dport '22583'
option dest_ip '10.0.0.12'
option dest_port '22583'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SSH - Jester'
list proto 'tcp'
option src 'wan'
option src_dport '22573'
option dest_ip '10.0.0.21'
option dest_port '22573'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SSH - Wayfaerer'
list proto 'tcp'
option src 'wan'
option src_dport '22593'
option dest_ip '10.0.0.22'
option dest_port '22593'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Wireguard'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '10.0.0.2'
option dest_port '51820'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Plex - Jester'
list proto 'tcp'
option src 'wan'
option src_dport '32400'
option dest_ip '10.0.0.21'
option dest_port '32400'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Plex - Wayfaerer'
list proto 'tcp'
option src 'wan'
option src_dport '32450'
option dest_ip '10.0.0.22'
option dest_port '32450'
config zone
option name 'guest'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'guest'
option masq '1'
config forwarding
option src 'guest'
option dest 'wan'
config rule
option src 'guest'
option name 'Guest DHCP and DNS'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option src 'guest'
option dest 'lan'
option name 'Guest Pihole access'
option src_port '53'
list dest_ip '10.0.0.2'
option dest_port '54'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SSH - Gitea'
list proto 'tcp'
option src 'wan'
option src_dport '2222'
option dest_ip '10.0.0.2'
option dest_port '2222'
Reference in New Issue View Git Blame Copy Permalink