
WAN to DMZ works - LAN to DMZ doesn't


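/* Global options. source-validation is disabled, so ingress packets are not reverse-path checked; with one WAN link and static LAN/DMZ/VLAN subnets, 'source-validation strict' could be enabled to drop spoofed sources. send-redirects stays enabled (EdgeOS default). */
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* DMZ -> LAN: reply traffic only. DMZ hosts cannot open connections into the LAN, which is the expected DMZ posture. */
    name DMZ-to-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Established/related connections"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "State invalid"
            state {
                invalid enable
            }
        }
    }
    /* DMZ -> router (local zone). Note this ruleset has no enable-default-log, unlike the others, so default drops from the DMZ are not recorded. */
    name DMZ-to-LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Established/related connections"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "State invalid"
            log enable
            state {
                invalid enable
            }
        }
        /* Lets every DMZ host open TCP/80 to the router itself, i.e. to the admin GUI (service gui http-port 80; its listen-address 192.168.1.1 is a router address and therefore in the local zone whatever the ingress interface). The DMZ web server is the Internet-exposed host; a compromise of it should not reach the management plane. Recommend removing this rule or restricting it to a dedicated management source. */
        rule 30 {
            action accept
            description "HTTP access"
            destination {
                port 80
            }
            log disable
            protocol tcp
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        /* Disabled. DMZ clients are handed 83.136.89.6/.4 by DHCP (shared-network LAN2), so the forwarder listening on eth2 is not used by them anyway. */
        rule 40 {
            action accept
            description "Allow DNS querries"
            destination {
                port 53
            }
            disable
            log disable
            protocol tcp_udp
            state {
                new enable
            }
        }
    }
    /* DMZ -> guest VLAN: reply traffic only, same posture as DMZ-to-LAN. */
    name DMZ-to-VLAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Established/related connections"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "State invalid"
            state {
                invalid enable
            }
        }
    }
    /* DMZ -> Internet. Also referenced as 'firewall out' on eth2, where it filters traffic going INTO the DMZ instead. */
    name DMZ-to-WAN {
        default-action drop
        enable-default-log
        /* 'log enable' on a rule that matches established/related packets logs every packet of every DMZ flow, not just new connections; very noisy on a web server. If logging is wanted, log a separate new-only rule. */
        rule 1 {
            action accept
            description "Established/related connections"
            destination {
            }
            log enable
            protocol all
            source {
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    /* LAN -> DMZ. Rule 10 accepts new connections and DMZ-to-LAN rule 1 accepts the replies, so the zone firewall itself permits LAN->DMZ to 192.168.2.x; a failing LAN->DMZ test should therefore be checked against this ruleset's default-drop log entries first. If the test targets the public address 152.115.x.y instead, the packet is not translated (NAT rule 200 only matches inbound-interface eth0 and hairpin-nat is bound to eth2), so it hits the router's own WAN address via LAN-to-LOCAL, not the DMZ server. */
    name LAN-to-DMZ {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            description "Established/related connections"
            destination {
            }
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* LAN -> router: management from the LAN over HTTP (80), HTTPS (443) and SSH (22). No enable-default-log here. */
    name LAN-to-LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Established/related connections"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                invalid enable
            }
        }
        /* Plaintext GUI. HTTPS is already allowed by rule 40; unless the GUI redirects 80 to 443, this path carries admin credentials in the clear and could be removed. */
        rule 30 {
            action accept
            description "HTTP access"
            destination {
                port 80
            }
            log disable
            protocol tcp
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 40 {
            action accept
            description "Allow HTTPS GUI"
            destination {
                port 443
            }
            log enable
            protocol tcp
            state {
                new enable
            }
        }
        /* Disabled; LAN1 DHCP hands out 83.136.89.6/.4, so clients do not use the router's forwarder. */
        rule 50 {
            action accept
            description "Allow DNS querries"
            destination {
                port 53
            }
            disable
            log disable
            protocol tcp_udp
            state {
                new enable
            }
        }
        /* SSH is reachable from the LAN only; WAN-to-LOCAL admits nothing new. */
        rule 60 {
            action accept
            description "SSH access"
            destination {
                port 22
            }
            protocol tcp
            state {
                new enable
            }
        }
    }
    /* LAN -> guest VLAN: LAN may initiate into the guest VLAN; the reverse (VLAN-to-LAN) is reply-only. */
    name LAN-to-VLAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Established/related connections"
            destination {
            }
            protocol all
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* LAN -> Internet: unrestricted outbound. */
    name LAN-to-WAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Established/related connections"
            protocol all
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Router -> DMZ. Rule 10 has 'new disable', so the router itself cannot initiate into the DMZ. */
    name LOCAL-to-DMZ {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            description "Established/related connections"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        /* Disabled, and would not work as written: 'source port 80' only matches packets whose source port is 80, which a client-initiated HTTP request never has. Looks like a leftover from the hairpin experiments. */
        rule 20 {
            action accept
            description "HTTP access"
            destination {
                address 192.168.2.45
                port 80
            }
            disable
            log enable
            protocol tcp
            source {
                port 80
            }
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Router -> LAN: reply traffic only; the router never initiates into the LAN. */
    name LOCAL-to-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Established/related connections"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Router -> guest VLAN: reply traffic only. */
    name LOCAL-to-VLAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Established/related connections"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Router -> Internet: needed for DNS (name-server 83.136.89.x), NTP and updates. */
    name LOCAL-to-WAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Established/related connections"
            protocol all
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Guest/IoT VLAN -> DMZ: rule 1 accepts NEW connections, so every guest/IoT device can reach the DMZ web server (and any other DMZ host) directly. If that is not intended, restrict it to the DMZ host/port, as the least-trusted segment should not have broad access into the DMZ. */
    name VLAN-to-DMZ {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Established/related connections"
            destination {
            }
            protocol all
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Guest/IoT VLAN -> LAN: reply traffic only; guests cannot reach LAN hosts. */
    name VLAN-to-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Established/related connections"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Guest/IoT VLAN -> router: no management or DNS access; guests are handed 8.8.8.8/8.8.4.4 by DHCP. No enable-default-log here. */
    name VLAN-to-LOCAL {
        default-action drop
        rule 1 {
            action accept
            description "Established/related connections"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                invalid enable
            }
        }
    }
    /* Guest/IoT VLAN -> Internet: unrestricted outbound. */
    name VLAN-to-WAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            description "Established/related connections"
            protocol all
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Internet -> DMZ. Packets arrive here after NAT rule 200 has rewritten the destination to 192.168.2.45:80. */
    name WAN-to-DMZ {
        default-action drop
        enable-default-log
        /* 'log enable' on the established/related rule logs every packet of every inbound flow to the DMZ; consider disabling it and logging only new connections (rule 20 already does). */
        rule 10 {
            action accept
            description "Established/related connections"
            destination {
            }
            log enable
            protocol all
            source {
            }
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        /* Fix: this rule had no state match, so it accepted every TCP packet to 192.168.2.45:80 whatever its conntrack state, and because it precedes rule 30 ("State invalid") invalid packets to the web server were accepted rather than dropped. Matching only 'new' restores the intended order: rule 10 handles established/related, this rule opens sessions, rule 30 drops invalid. The empty source group is unchanged; it imposes no restriction. */
        rule 20 {
            action accept
            description "HTTP Web access to DMZ"
            destination {
                address 192.168.2.45
                port 80
            }
            log enable
            protocol tcp
            source {
                group {
                }
            }
            state {
                new enable
            }
        }
        rule 30 {
            action drop
            description "State invalid"
            protocol all
            state {
                invalid enable
            }
        }
        /* Disabled; pairs with NAT rule 222 (also disabled). */
        rule 40 {
            action accept
            description "HTTPS access"
            destination {
                address 192.168.2.45
                port 443
            }
            disable
            log enable
            protocol tcp
            state {
                new enable
            }
        }
        /* Disabled rate limit (more than 3 new SSH connections in 30 s from one source are dropped). It is correctly ordered before the SSH accept in rule 60; enable both together with NAT rule 600. The firewall sees the translated destination port 22, which is what 'port ssh' matches. */
        rule 50 {
            action drop
            description "Limit inbound SSH connections"
            destination {
                port ssh
            }
            disable
            log disable
            protocol tcp
            recent {
                count 3
                time 30
            }
            state {
                new enable
            }
        }
        /* Disabled; exposes SSH on the DMZ host to the Internet when enabled. Prefer key-only auth on the host and keep rule 50 active. */
        rule 60 {
            action accept
            description "SSH access"
            destination {
                address 192.168.2.45
                port 22
            }
            disable
            log enable
            protocol tcp
            state {
                new enable
            }
        }
    }
    /* Internet -> LAN: reply traffic only. UPnP (service upnp on eth1) can add forwards that bypass this ruleset. */
    name WAN-to-LAN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 1 {
            action accept
            description "Allow established/related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Internet -> router: reply traffic only; no inbound management from the WAN. */
    name WAN-to-LOCAL {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            description "Established/related connections"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 30 {
            action drop
            description "State invalid"
            state {
                invalid enable
            }
        }
    }
    /* Internet -> guest VLAN: reply traffic only. */
    name WAN-to-VLAN {
        default-action drop
        description "WAN to VLAN internal"
        enable-default-log
        rule 1 {
            action accept
            description "Allow established/related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}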
interfaces {
    /* WAN uplink; public address masked in the post. */
    ethernet eth0 {
        address 152.115.xxx.yyy/24
        description WAN
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    /* LAN (zone LAN). The guest/IoT VLAN is a tagged subinterface of the same port (zone VLAN). */
    ethernet eth1 {
        address 192.168.1.1/24
        description LAN
        duplex auto
        poe {
            output off
        }
        speed auto
        /* Egress (towards guest clients) is shaped by 'Download'; nothing shapes the upload direction on eth0. */
        vif 100 {
            address 192.168.100.1/24
            description "Guest/IoT VLAN"
            mtu 1500
            traffic-policy {
                out Download
            }
        }
    }
    /* DMZ (zone DMZ). */
    ethernet eth2 {
        address 192.168.2.1/24
        description DMZ
        duplex auto
        /* A per-interface 'out' filter here is applied to traffic leaving the router INTO the DMZ (LAN/VLAN/WAN -> DMZ), not to DMZ -> WAN; the zone-policy already applies DMZ-to-WAN on zone WAN 'from DMZ'. Because DMZ-to-WAN rule 1 accepts new/established/related it does not block LAN -> DMZ, but it double-filters and (rule 1 has log enable) double-logs every packet into the DMZ, and mixing interface and zone firewalls on one interface is easy to misread. Keep it only until WAN-to-DMZ drops invalid state before accepting TCP/80; at present it is the only thing catching those packets. */
        firewall {
            out {
                name DMZ-to-WAN
            }
        }
        poe {
            output off
        }
        speed auto
    }
    /* eth3/eth4 are members of switch0 below. */
    ethernet eth3 {
        description Local3
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description Local4
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    /* switch0 is in no zone and takes its address by DHCP (from nothing visible here). Anything plugged into eth3/eth4 is outside the zone-policy: presumably its traffic towards a zone falls to that zone's default-action and traffic towards it is not zone-filtered at all — confirm, and either assign switch0 to a zone or disable the ports. dns forwarding also listens on it. */
    switch switch0 {
        address dhcp
        description Switch
        mtu 1500
        switch-port {
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
/* No port-forward 'rule' entries exist, so auto-firewall and hairpin-nat have nothing to act on: the web server forward is the manual NAT rule 200, which this node does not cover. lan-interface is eth2 (the DMZ), so even a port-forward rule would only be hairpinned for DMZ clients, not for the LAN on eth1. If LAN clients are expected to reach the DMZ server via the public address, either define the forward here with lan-interface eth1 (hairpin-nat then handles it), or add a destination NAT rule with inbound-interface eth1 for 152.115.x.y port 80 -> 192.168.2.45 plus a masquerade on outbound-interface eth2 for that traffic. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    wan-interface eth0
}
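service {
    /* Three scopes: guest VLAN (Google DNS), LAN and DMZ (ISP DNS 83.136.89.x). No scope hands out the router as DNS server. 'authoritative disable' means the server does not NAK clients holding a lease from another server; fine on a single-server network. */
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name GuestVLAN100 {
            authoritative disable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.100.50 {
                    stop 192.168.100.200
                }
            }
        }
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 83.136.89.6
                dns-server 83.136.89.4
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        /* 192.168.2.45 (the web server) sits inside this dynamic range; a static mapping or an address outside 21-240 avoids a lease collision. */
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 83.136.89.6
                dns-server 83.136.89.4
                lease 86400
                start 192.168.2.21 {
                    stop 192.168.2.240
                }
            }
        }
        use-dnsmasq disable
    }
    /* The forwarder listens on the DMZ (eth2) and the unzoned switch0 as well as the LAN, but no DHCP scope points clients at it and DMZ-to-LOCAL / LAN-to-LOCAL port-53 rules are disabled, so only hosts manually configured with a router address can use it. Drop listen-on eth2 and switch0 if nothing does. */
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            listen-on eth1
            listen-on eth2
        }
    }
    /* Fix: older-ciphers was enabled, re-allowing weak TLS cipher suites on the HTTPS GUI; disabled here. The GUI is bound to the LAN address only, but is still reachable from the DMZ through DMZ-to-LOCAL rule 30. Port 80 remains open; unless the GUI redirects it to HTTPS, admin logins over it are sent in the clear. */
    gui {
        http-port 80
        https-port 443
        listen-address 192.168.1.1
        older-ciphers disable
    }
    nat {
        /* Public TCP/80 -> DMZ web server. Fix: protocol narrowed from tcp_udp to tcp — nothing is forwarded on UDP/80 and WAN-to-DMZ only accepts TCP, so the UDP half only created conntrack entries and log noise. Matches inbound-interface eth0 only; LAN clients connecting to the public address are not redirected (see port-forward). */
        rule 200 {
            description "WAN to DMZ"
            destination {
                port 80
            }
            inbound-interface eth0
            inside-address {
                address 192.168.2.45
                port 80
            }
            log enable
            protocol tcp
            source {
            }
            type destination
        }
        /* Fix: inbound-interface was eth2 (the DMZ itself), on which Internet traffic never arrives; set to eth0 to match rule 200. Still disabled as in the original; enable together with firewall WAN-to-DMZ rule 40. */
        rule 222 {
            description "HTTPS Web access to DMZ"
            destination {
                port 443
            }
            disable
            inbound-interface eth0
            inside-address {
                address 192.168.2.45
                port 443
            }
            log enable
            protocol tcp
            type destination
        }
        /* Same fix as rule 222: inbound-interface eth2 -> eth0. Public port 1337 -> SSH on the DMZ host; still disabled. Enable together with WAN-to-DMZ rules 50 (rate limit) and 60, which see the translated destination port 22. */
        rule 600 {
            description "SSH access to DMZ"
            destination {
                port 1337
            }
            disable
            inbound-interface eth0
            inside-address {
                address 192.168.2.45
                port 22
            }
            log enable
            protocol tcp
            type destination
        }
        /* Everything leaving eth0 (LAN, guest VLAN, DMZ, router) is masqueraded behind the WAN address. */
        rule 5000 {
            description "WAN MASQ"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        /* This source NAT is bound to outbound-interface eth2 and matches packets FROM 192.168.2.45:80, i.e. web-server replies that would leave the router back into the DMZ. Replies to Internet clients leave via eth0 (rule 5000), so this never matches in normal operation; it looks like a misplaced hairpin attempt. Remove it, or replace it with the masquerade-on-eth2 half of a proper hairpin rule pair (see port-forward). */
        rule 5001 {
            description "DMZ to WAN"
            destination {
            }
            log enable
            outbound-interface eth2
            outside-address {
                address 152.115.xxx.yyy
                port 80
            }
            protocol tcp_udp
            source {
                address 192.168.2.45
                port 80
            }
            type source
        }
    }
    /* Reachable from the LAN only (LAN-to-LOCAL rule 60); WAN-to-LOCAL admits no new connections. Consider key-only authentication. */
    ssh {
        port 22
        protocol-version v2
    }
    /* Any device on the LAN can open inbound WAN ports through UPnP, creating forwards and NAT entries that the WAN-to-LAN reply-only policy does not govern. Unless a specific application needs it, remove this node; it must in any case never be extended to the DMZ or the guest/IoT VLAN. */
    upnp {
        listen-on eth1 {
            outbound-interface eth0
        }
    }
}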
system {
    /* Shown identical to eth0's own address after masking; presumably a masking artefact — the gateway must be the ISP router, not the local address. */
    gateway-address 152.115.xxx.yyy
    host-name ubnt
    /* The only account is the factory default name 'ubnt' with admin level. Renaming it (create a new admin user, then delete ubnt) removes the one half of the credential every attacker already knows. The empty plaintext-password is the normal artefact left after setting a hashed password. */
    login {
        user ubnt {
            authentication {
                encrypted-password $xxxxxxxxxxyyyyyyyyyyyyy
                plaintext-password ""
            }
            full-name ubnt
            level admin
        }
    }
    name-server 83.136.89.6
    name-server 83.136.89.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* Local logging only (no syslog 'host'). With enable-default-log on most rulesets and per-packet logging on several accept rules, the on-box log rotates quickly; a remote syslog host keeps the firewall logs usable for incident review. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Copenhagen
}
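traffic-policy {
    /* Applied 'out' on eth1.100, i.e. on traffic flowing TOWARDS guest clients. Fix: class 100 matched on source address 192.168.100.0/24, but packets leaving towards the guest VLAN carry that subnet as their DESTINATION, so the class never matched and all guest downloads fell into the 100mbit default class. The match is now on destination, which makes the 50mbit guest cap effective. */
    shaper Download {
        bandwidth auto
        class 100 {
            bandwidth 50mbit
            burst 15k
            match addr {
                ip {
                    destination {
                        address 192.168.100.0/24
                    }
                }
            }
            queue-type fair-queue
        }
        default {
            bandwidth 100mbit
            burst 15k
            queue-type fair-queue
        }
    }
    /* Defined but not attached to any interface in this config. The source-address match is right for an upload policy applied 'out' on eth0 (guest traffic leaving towards the Internet still carries its 192.168.100.x source there, masquerade happens after shaping); attach it with 'interfaces ethernet eth0 traffic-policy out Upload' if the guest upload cap is wanted. */
    shaper Upload {
        bandwidth auto
        class 100 {
            bandwidth 50mbit
            burst 15k
            match addr {
                ip {
                    source {
                        address 192.168.100.0/24
                    }
                }
            }
            queue-type fair-queue
        }
        default {
            bandwidth 100mbit
            burst 15k
            queue-type fair-queue
        }
    }
}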
/* Five zones: DMZ (eth2), LAN (eth1), LOCAL (the router), VLAN (eth1.100), WAN (eth0). Each zone lists a 'from' ruleset for every other zone, so no pair is left to the zone default-action. switch0 (eth3/eth4) belongs to no zone. default-action reject vs drop differs per zone; it only matters for traffic from an interface that is in no zone, and for an Internet-facing box 'drop' (no ICMP reply) is the usual choice for zone WAN. */
zone-policy {
    /* Into the DMZ: LAN, guest VLAN and the Internet (via NAT rule 200) may open connections; the router may not. */
    zone DMZ {
        default-action reject
        from LAN {
            firewall {
                name LAN-to-DMZ
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-to-DMZ
            }
        }
        from VLAN {
            firewall {
                name VLAN-to-DMZ
            }
        }
        from WAN {
            firewall {
                name WAN-to-DMZ
            }
        }
        interface eth2
    }
    /* Into the LAN: reply traffic only from every other zone. */
    zone LAN {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-to-LAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-to-LAN
            }
        }
        from VLAN {
            firewall {
                name VLAN-to-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-to-LAN
            }
        }
        interface eth1
    }
    /* The router itself. Management is allowed from the LAN (HTTP/HTTPS/SSH) and, via DMZ-to-LOCAL rule 30, HTTP from the DMZ; nothing from the guest VLAN or the Internet. */
    zone LOCAL {
        default-action reject
        from DMZ {
            firewall {
                name DMZ-to-LOCAL
            }
        }
        from LAN {
            firewall {
                name LAN-to-LOCAL
            }
        }
        from VLAN {
            firewall {
                name VLAN-to-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-to-LOCAL
            }
        }
        interface local-zone
    }
    /* Into the guest/IoT VLAN: only the LAN may open connections. */
    zone VLAN {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-to-VLAN
            }
        }
        from LAN {
            firewall {
                name LAN-to-VLAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-to-VLAN
            }
        }
        from WAN {
            firewall {
                name WAN-to-VLAN
            }
        }
        interface eth1.100
    }
    /* Towards the Internet: every internal zone and the router may open connections. DMZ-to-WAN is additionally applied as an interface 'out' filter on eth2, where it acts on traffic entering the DMZ instead. */
    zone WAN {
        default-action reject
        from DMZ {
            firewall {
                name DMZ-to-WAN
            }
        }
        from LAN {
            firewall {
                name LAN-to-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-to-WAN
            }
        }
        from VLAN {
            firewall {
                name VLAN-to-WAN
            }
        }
        interface eth0
    }
}

