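---
# Ansible vars for a UniFi gateway (EdgeOS-style config.gateway.json layout):
# a WAN_LOCAL firewall rule admitting WireGuard, firewall groups, DNS NAT
# rules, and the wg0 WireGuard interface. Secret material is not stored here:
# keys and peer addresses are templated from the `wireguard.usg.wg0.*` vars
# and the interface private key is referenced by path on the device.
unifi_site: default

unifi_gateway_config:
  firewall:
    name:
      WAN_LOCAL:
        rule:
          # NOTE(review): numeric rule keys parse as YAML ints; confirm the
          # consuming template renders them as JSON object keys.
          20:
            action: accept
            description: WireGuard
            # No source filter: any WAN host may reach the listen port. That is
            # inherent to roaming peers; WireGuard authenticates peers by key.
            destination:
              port: "{{ wireguard.usg.wg0.listen_port }}"
            protocol: udp
    group:
      network-group:
        # Defined here; not referenced by any rule visible in this file.
        remote_user_vpn_network:
          description: Remote User VPN subnets
          network:
            - 10.253.1.0/24
      address-group:
        # Source group for NAT rule 1 below. The name (spelled "RougeDns") is
        # the configured group identifier; keep it identical in both places.
        RougeDns:
          description: IoT
          address: 10.0.0.210-10.0.0.230
  service:
    nat:
      rule:
        1:
          description: Redirect DNS queries to pihole
          destination:
            # "!" negation: queries already addressed to the pihole are left alone.
            address: "!10.0.0.31"
            port: "53"
          inbound-interface: eth1
          inside-address:
            address: "10.0.0.31"
            port: "53"
          # Matches are logged, so redirected IoT resolvers are visible in the
          # gateway log.
          log: enable
          protocol: tcp_udp
          type: destination
          source:
            group:
              address-group: RougeDns
        5002:
          description: Translate reply back
          destination:
            address: "10.0.0.31"
            port: "53"
          # NOTE(review): rule 1 matches inbound on eth1 while this rule
          # masquerades on outbound eth0 — confirm both refer to the interface
          # the IoT range and the pihole sit on, otherwise the reply path for
          # the redirected queries may not be translated.
          outbound-interface: eth0
          protocol: tcp_udp
          type: masquerade
  interfaces:
    wireguard:
      wg0:
        address: "{{ wireguard.usg.wg0.address }}"
        # Traffic arriving over the tunnel is subject to the LAN rule sets.
        firewall:
          in:
            name: LAN_IN
          local:
            name: LAN_LOCAL
          out:
            name: LAN_OUT
        listen-port: "{{ wireguard.usg.wg0.listen_port }}"
        mtu: "1500"
        peer:
          # NOTE(review): both peers build `endpoint` from
          # wireguard.usg.wg0.endpoint — confirm this is the address the
          # gateway should dial for each peer rather than its own.
          - key: "{{ wireguard.usg.wg0.peers.phone.public }}"
            allowed-ips: "{{ wireguard.usg.wg0.peers.phone.allowed_ips }}"
            persistent-keepalive: "{{ wireguard.usg.wg0.persistent_keepalive }}"
            endpoint: "{{ wireguard.usg.wg0.endpoint }}:{{ wireguard.usg.wg0.listen_port }}"
          - key: "{{ wireguard.usg.wg0.peers.travel.public }}"
            allowed-ips: "{{ wireguard.usg.wg0.peers.travel.allowed_ips }}"
            persistent-keepalive: "{{ wireguard.usg.wg0.persistent_keepalive }}"
            endpoint: "{{ wireguard.usg.wg0.endpoint }}:{{ wireguard.usg.wg0.listen_port }}"
        # Path on the gateway; the key itself never enters version control.
        private-key: /config/auth/wireguard/wg.key
        # With route-allowed-ips on, each peer's allowed-ips become routes on
        # the gateway, so keep per-peer allowed_ips vars narrowly scoped.
        route-allowed-ips: "true"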