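{#-
  RouterOS firewall template (Jinja2) for an access router.

  Sections, in the order RouterOS imports them:
    - IPv4/IPv6 address-lists referenced by the rules below (management
      sources, SNMP pollers, the RFC6598 customer-private range, NetBox-tagged
      customer IPv6 prefixes/aggregates, placeholders for provisioning lists);
    - IPv4 and IPv6 filter rules for the forward and input chains;
    - IPv4 NAT: CGNAT of customer-private sources onto the public addresses
      found on the 'loopback' interface, plus an NTP redirect for provisioning.

  RouterOS evaluates each chain top to bottom and stops at the first
  terminating action, so specific drops are placed before broad accepts.

  device_interfaces and the filters get_addresses, ipv4, ipv6,
  get_netbox_tagged_prefixes and get_netbox_tagged_aggregates are supplied by
  the rendering environment; {% do %} needs the jinja2.ext.do extension.
-#}
/ip firewall address-list
add address=172.22.0.0/16 comment="Voneus VPN" list=allow-management
add address=185.134.196.128/28 comment=FAELIX list=allow-management
add address=46.227.200.128/28 comment=FAELIX list=allow-management
add address=100.64.0.0/10 comment=RFC6598 list=customer-private
add address=46.227.207.251 comment=core.librenms.lon.faelix.twh.voneus.net list=allow-snmp
add address=46.227.207.250 comment=fttp.librenms.lon.faelix.twh.voneus.net list=allow-snmp
add address=46.227.203.248 comment=fwa.librenms.lon.faelix.twh.voneus.net list=allow-snmp
add address=46.227.203.91 comment=librenms01.man.faelix.man.voneus.net list=allow-snmp
add address=185.134.197.214 comment=oob.librenms.gen.faelix.che.voneus.net list=allow-snmp
add address=185.134.197.197 comment=overlord.librenms.gen.faelix.che.voneus.net list=allow-snmp
add address=46.227.203.249 comment=systems.librenms.lon.faelix.twh.voneus.net list=allow-snmp
add address=46.227.202.238 comment=vnms.librenms.man.faelix.man.voneus.net list=allow-snmp
add address=192.0.2.1 comment=placeholder disabled=yes list=no-cgnat-to
add address=192.0.2.2 comment=example disabled=yes list=provisioning
/ipv6 firewall address-list
add address=2001:db9::/32 comment="Voneus VPN" disabled=yes list=allow-management
add address=2a01:9e00:a217:fa00::/56 comment=FAELIX list=allow-management
add address=2a01:9e01:a217:fa00::/56 comment=FAELIX list=allow-management
{#- customer-public: every IPv6 prefix and aggregate carrying one of the two
    NetBox tags.  Each tag is looked up once for prefixes and once for
    aggregates.  NetBox descriptions are free text, so backslash and double
    quote are escaped before being placed inside the quoted comment= value;
    otherwise a description could close the quote and append extra parameters
    to the generated rule. #}
{%- for tag in ('accept-ipv6-40-48-from-aggregation', 'accept-ipv6-48-52-from-aggregation') %}
{%- for prefix in tag|get_netbox_tagged_prefixes %}
{%- if prefix.prefix|ipv6 %}
add address={{ prefix.prefix }} comment="{{ prefix.description|replace('\\', '\\\\')|replace('"', '\\"') }}" list=customer-public
{%- endif %}
{%- endfor %}
{%- for prefix in tag|get_netbox_tagged_aggregates %}
{%- if prefix.prefix|ipv6 %}
add address={{ prefix.prefix }} comment="{{ prefix.description|replace('\\', '\\\\')|replace('"', '\\"') }}" list=customer-public
{%- endif %}
{%- endfor %}
{%- endfor %}
add address=2001:db9::/32 comment=example disabled=yes list=provisioning
/ip firewall filter
add action=fasttrack-connection chain=forward comment="forward existing connections" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="forward existing connections" connection-state=established,related
{#- The block-customer drops sit before the customer->uplink accept: a new
    customer connection towards a protected subnet reached via an uplink or
    linknet would otherwise match the accept first and never reach the drop. #}
add action=drop chain=forward comment="prevent customers from reaching protected subnets" in-interface-list=customer-and-linknet src-address-list=block-customer
add action=drop chain=forward comment="prevent customers from reaching protected subnets" dst-address-list=block-customer in-interface-list=customer-and-linknet
add action=accept chain=forward comment="forward customer traffic to uplinks and linknets" in-interface-list=customer-and-linknet out-interface-list=uplink-and-linknet
add action=accept chain=forward comment="forward traffic arriving from management interfaces" in-interface-list=mgmt
add action=accept chain=forward comment="forward IPsec encapsulated traffic" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
add action=accept chain=forward comment="forward DNAT traffic" connection-nat-state=dstnat disabled=yes in-interface-list=uplink-and-linknet
{#- action=accept is the RouterOS default for filter rules; it is written out
    so the linknet-to-linknet rule reads as the accept it is. #}
add action=accept chain=forward comment="forward traffic between linknets" in-interface-list=linknet out-interface-list=linknet
add action=drop chain=forward comment="block traffic from uplinks and linknets" in-interface-list=uplink-and-linknet
add action=fasttrack-connection chain=input comment="allow established connections to router's control plane" connection-state=established,related hw-offload=yes
add action=accept chain=input comment="allow established connections to router's control plane" connection-state=established,related
add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet-and-provisioning-cpe protocol=tcp
add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet-and-provisioning-cpe protocol=udp
add action=accept chain=input comment="allow SNMP" dst-port=161 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-snmp
add action=accept chain=input comment="allow NTP" dst-port=123 in-interface-list=customer-and-linknet-and-provisioning-cpe protocol=udp
add action=accept chain=input comment="allow management interfaces to access router's control plane" in-interface-list=mgmt
add action=accept chain=input comment="allow public management IPs access to router's control plane" in-interface-list=uplink-and-linknet src-address-list=allow-management
add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet protocol=ipsec-esp src-address-list=allow-ipsec
add action=accept chain=input comment="allow IPsec" disabled=yes dst-port=500,4500 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-ipsec
add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
add action=accept chain=input comment="allow BGP on uplinks and linknets" dst-port=179 in-interface-list=uplink-and-linknet protocol=tcp
add action=accept chain=input comment="allow ICMP" protocol=icmp
{#- Traceroute probes only need to reach the router as their destination (the
    reply is ICMP), so dst-port is matched rather than port, which would also
    accept any UDP whose source port happens to fall in the range. #}
add action=accept chain=input comment="allow UDP traceroute" dst-port=33434-33534 protocol=udp
add action=drop chain=input comment="protect router's control plane"
{#- CGNAT source pool: every IPv4 address on the interface named 'loopback'
    that is not in a private/special range (RFC1918, RFC6598 shared space,
    link-local).  The first two octets are indexed explicitly: piping a list
    (the result of split()) into |int yields 0, which would make every
    address look public and silently admit private addresses into the pool. #}
{%- set nat_source_ips = [] %}
{%- for interface in device_interfaces %}
{%- if interface.name in ('loopback',) %}
{%- for address in interface|get_addresses %}
{%- if address|ipv4 %}
{%- set octets = address.address.split("/")[0].split(".") %}
{%- set address0 = octets[0]|int %}
{%- set address1 = octets[1]|int %}
{%- if not (
      ( address0 == 10 )
      or ( ( address0 == 172 ) and ( address1 >= 16 ) and ( address1 <= 31 ) )
      or ( ( address0 == 192 ) and ( address1 == 168 ) )
      or ( ( address0 == 100 ) and ( address1 >= 64 ) and ( address1 <= 127 ) )
      or ( ( address0 == 169 ) and ( address1 == 254 ) )
    ) %}
{%- do nat_source_ips.append(address.address.split("/")[0]) %}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endfor %}
/ip firewall nat
add action=return chain=srcnat src-address-list=public-addresses
add action=return chain=srcnat dst-address-list=no-cgnat-to
{#- One src-nat rule per pool address; per-connection-classifier spreads
    customer sources across the pool.  If the pool is empty no CGNAT rule is
    emitted and customer-private sources leave the uplink untranslated, since
    the forward chain above accepts customer->uplink traffic unconditionally. #}
{%- for nat_source_ip in nat_source_ips|sort %}
add action=src-nat chain=srcnat out-interface-list=uplink per-connection-classifier=src-address:{{ nat_source_ips|length }}/{{ loop.index0 }} src-address-list=customer-private to-addresses={{ nat_source_ip }} comment="CGNAT"
{%- endfor %}
{#- action=redirect sends the packet to the router's own address (what
    to-addresses=127.0.0.1 expressed); without an explicit action the dstnat
    rule would default to accept and translate nothing. #}
add action=redirect chain=dstnat comment="redirect NTP to local NTP server for provisioning" dst-port=123 protocol=udp src-address-list=provisioning to-ports=123
/ipv6 firewall filter
add action=accept chain=forward comment="forward existing connections" connection-state=established,related
{#- Same ordering as the IPv4 forward chain: protected-subnet drops precede
    the customer->uplink accept. #}
add action=drop chain=forward comment="prevent customers from reaching protected subnets" in-interface-list=customer-and-linknet src-address-list=block-customer
add action=drop chain=forward comment="prevent customers from reaching protected subnets" dst-address-list=block-customer in-interface-list=customer-and-linknet
add action=accept chain=forward comment="forward customer traffic to uplinks and linknets" in-interface-list=customer-and-linknet out-interface-list=uplink-and-linknet
add action=accept chain=forward comment="forward traffic arriving from management interfaces" in-interface-list=mgmt
add action=accept chain=forward comment="forward IPsec encapsulated traffic" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
add action=accept chain=forward comment="forward traffic between linknets" in-interface-list=linknet out-interface-list=linknet
{#- In /ipv6 firewall, protocol=icmp is IP protocol 1 and never matches IPv6
    packets; ICMPv6 (protocol 58) is protocol=icmpv6, as the input chain
    already uses.  This rule forwards ICMPv6 in both directions, including
    Packet Too Big, which IPv6 path MTU discovery depends on. #}
add action=accept chain=forward comment="forward ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="block traffic from uplinks and linknets" in-interface-list=uplink-and-linknet
add action=accept chain=input comment="allow established connections to router's control plane" connection-state=established,related
add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet protocol=tcp
add action=accept chain=input comment="allow DNS" dst-port=53 in-interface-list=customer-and-linknet protocol=udp
add action=accept chain=input comment="allow SNMP" dst-port=161 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-snmp
add action=accept chain=input comment="allow NTP" dst-port=123 in-interface-list=customer-and-linknet protocol=udp
add action=accept chain=input comment="allow management interfaces to access router's control plane" in-interface-list=mgmt
add action=accept chain=input comment="allow public management IPs access to router's control plane" in-interface-list=uplink-and-linknet src-address-list=allow-management
add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet protocol=ipsec-esp src-address-list=allow-ipsec
add action=accept chain=input comment="allow IPsec" disabled=yes dst-port=500,4500 in-interface-list=uplink-and-linknet protocol=udp src-address-list=allow-ipsec
add action=accept chain=input comment="allow IPsec" disabled=yes in-interface-list=uplink-and-linknet ipsec-policy=in,ipsec
add action=accept chain=input comment="allow BGP on uplinks and linknets" dst-port=179 in-interface-list=uplink-and-linknet protocol=tcp
add action=accept chain=input comment="allow ICMP" protocol=icmpv6
add action=accept chain=input comment="allow UDP traceroute" dst-port=33434-33534 protocol=udp
add action=drop chain=input comment="protect router's control plane"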