ip filter 1 pass * * esp * *
ip filter 2 pass * * udp * 500,1701,4500,5060,10000-20000
ip filter 100000 reject 10.0.0.0/8 * * * *
ip filter 100001 reject 172.16.0.0/12 * * * *
ip filter 100002 reject 192.168.0.0/16 * * * *
ip filter 100003 reject 192.168.1.0/24 * * * *
ip filter 100010 reject * 10.0.0.0/8 * * *
ip filter 100011 reject * 172.16.0.0/12 * * *
ip filter 100012 reject * 192.168.0.0/16 * * *
ip filter 100013 reject * 192.168.1.0/24 * * *
ip filter 100020 reject * * udp,tcp 135 *
ip filter 100021 reject * * udp,tcp * 135
ip filter 100022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 100023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 100024 reject * * udp,tcp 445 *
ip filter 100025 reject * * udp,tcp * 445
ip filter 100026 restrict * * tcpfin * www,21,nntp
ip filter 100027 restrict * * tcprst * www,21,nntp
ip filter 100030 pass * 192.168.1.0/24 icmp * *
ip filter 100031 pass * 192.168.1.0/24 established * *
ip filter 100032 pass * 192.168.1.0/24 tcp * ident
ip filter 100033 pass * 192.168.1.0/24 tcp ftpdata *
ip filter 100034 pass * 192.168.1.0/24 tcp,udp * domain
ip filter 100035 pass * 192.168.1.0/24 udp domain *
ip filter 100036 pass * 192.168.1.0/24 udp * ntp
ip filter 100037 pass * 192.168.1.0/24 udp ntp *
ip filter 100080 pass * 192.168.1.254 esp * *
ip filter 100081 pass * 192.168.1.254 udp * 500

0132 Unknown Device-san 2017/09/09 (Sat) 15:31:48.12 ID:R04w2wBX
Filters, part 2
ip filter 100082 pass * 192.168.1.254 udp * 1701
ip filter 100083 pass * 192.168.1.254 udp * 4500
ip filter 100097 pass 192.168.1.254 * udp 1701 *
ip filter 100098 reject-nolog * * established
ip filter 100099 pass * * * * *
ip filter 101000 reject 10.0.0.0/8 * * * *
ip filter 101001 reject 172.16.0.0/12 * * * *
ip filter 101002 reject 192.168.0.0/16 * * * *
ip filter 101003 reject 192.168.1.0/24 * * * *
ip filter 101010 reject * 10.0.0.0/8 * * *
ip filter 101011 reject * 172.16.0.0/12 * * *
ip filter 101012 reject * 192.168.0.0/16 * * *
ip filter 101013 reject * 192.168.1.0/24 * * *
ip filter 101020 reject * * udp,tcp 135 *
ip filter 101021 reject * * udp,tcp * 135
ip filter 101022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 101023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 101024 reject * * udp,tcp 445 *
ip filter 101025 reject * * udp,tcp * 445
ip filter 101026 restrict * * tcpfin * www,21,nntp
ip filter 101027 restrict * * tcprst * www,21,nntp
ip filter 101030 pass * 192.168.1.0/24 icmp * *
ip filter 101031 pass * 192.168.1.0/24 established * *
ip filter 101032 pass * 192.168.1.0/24 tcp * ident
ip filter 101033 pass * 192.168.1.0/24 tcp ftpdata *
ip filter 101034 pass * 192.168.1.0/24 tcp,udp * domain
ip filter 101035 pass * 192.168.1.0/24 udp domain *
ip filter 101036 pass * 192.168.1.0/24 udp * ntp
ip filter 101037 pass * 192.168.1.0/24 udp ntp *
ip filter 101051 pass xx.xx.xx.0/20 192.168.1.251 udp 5060,10000-20000 5060,10000-20000

0133 Unknown Device-san 2017/09/09 (Sat) 15:32:35.10 ID:R04w2wBX
Filters, part 3 (last). Sorry for the long, consecutive posts.
ip filter 101052 pass yy.yy.yy.0/24 192.168.1.251 udp 5060,10000-20000 5060,10000-20000
ip filter 101053 pass zz.zz.zz.zz 192.168.1.251 tcp * 10050
ip filter 101080 pass * 192.168.1.254 esp * *
ip filter 101081 pass * 192.168.1.254 udp * 500
ip filter 101082 pass * 192.168.1.254 udp * 1701
ip filter 101083 pass * 192.168.1.254 udp * 4500
ip filter 101097 pass 192.168.1.254 * udp 1701 *
ip filter 101098 reject-nolog * * established
ip filter 101099 pass * * * * *
ip filter 500000 restrict * * * * *
ip filter dynamic 100080 * * ftp
ip filter dynamic 100081 * * domain
ip filter dynamic 100082 * * www
ip filter dynamic 100083 * * smtp
ip filter dynamic 100084 * * pop3
ip filter dynamic 100085 * * submission
ip filter dynamic 100098 * * tcp
ip filter dynamic 100099 * * udp
ip filter dynamic 101080 * * ftp
ip filter dynamic 101081 * * domain
ip filter dynamic 101082 * * www
ip filter dynamic 101083 * * smtp
ip filter dynamic 101084 * * pop3
ip filter dynamic 101085 * * submission
ip filter dynamic 101098 * * tcp
ip filter dynamic 101099 * * udp

0134 Unknown Device-san 2017/09/09 (Sat) 15:48:51.64 ID:R04w2wBX
I'll paste the config including the other IPsec-related parts as well.
ip route default gateway pp 2 filter 500000 gateway pp 1
ip route 192.168.2.0/24 gateway tunnel 2
ip lan1 address 192.168.1.254/24
ip lan1 proxyarp on
nat descriptor type 1000 masquerade
nat descriptor masquerade static 1000 101 192.168.1.254 esp
nat descriptor masquerade static 1000 102 192.168.1.254 udp 500
nat descriptor masquerade static 1000 103 192.168.1.254 udp 1701
nat descriptor masquerade static 1000 104 192.168.1.254 udp 4500
nat descriptor type 1100 masquerade
nat descriptor masquerade static 1100 1 192.168.1.251 udp 5060
nat descriptor masquerade static 1100 2 192.168.1.251 udp 10000-20000
nat descriptor masquerade static 1100 3 192.168.1.251 tcp 10050
nat descriptor masquerade static 1100 101 192.168.1.254 esp
nat descriptor masquerade static 1100 102 192.168.1.254 udp 500
nat descriptor masquerade static 1100 103 192.168.1.254 udp 1701
nat descriptor masquerade static 1100 104 192.168.1.254 udp 4500
ipsec auto refresh on
ipsec transport 3 3 udp 1701
ipsec transport 4 4 udp 1701
ipsec transport 5 5 udp 1701
dns server pp 2
dns server select 500001 pp 1 any . restrict pp 1
dns server select 500002 pp 2 any . restrict pp 2
dns private address spoof on
l2tp service on

0135 Unknown Device-san 2017/09/09 (Sat) 15:49:34.00 ID:R04w2wBX
pp select 1
pp keepalive interval 30 retry-interval=30 count=12
pp always-on on
pppoe use lan2
pppoe auto connect on
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname xxx@xxx.ne.jp ****
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type none
ip pp mtu 1500
ip pp secure filter in 100003 100020 100021 100022 100023 100024 100025 100030 100032 100080 100081 100082 100083
ip pp secure filter out 100013 100020 100021 100022 100023 100024 100025 100026 100027 100097 100098 100099 dynamic 100080 100081 100082 100083 100084 100085 100098 100099
ip pp intrusion detection in on
ip pp intrusion detection in ip on reject=on
ip pp intrusion detection in ip-option on reject=on
ip pp intrusion detection in fragment on reject=on
ip pp intrusion detection in icmp on reject=on
ip pp intrusion detection in udp on reject=on
ip pp intrusion detection in tcp on reject=on
ip pp intrusion detection in default off
ip pp intrusion detection out on
ip pp intrusion detection out ftp on reject=on
ip pp intrusion detection out winny on reject=on
ip pp intrusion detection out share on reject=on
ip pp intrusion detection out default off
ip pp nat descriptor 1000
netvolante-dns use pp server=1 auto
netvolante-dns hostname host pp server=1 **.**.netvolante.jp
pp enable 1

0136 Unknown Device-san 2017/09/09 (Sat) 15:50:05.12 ID:R04w2wBX
pp select 2
pp keepalive interval 30 retry-interval=30 count=12
pp always-on on
pppoe use lan3
pppoe auto connect on
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname yyy@yyy.ne.jp ****
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type none
ip pp mtu 1500
ip pp secure filter in 101003 101020 101021 101022 101023 101024 101025 101030 101032 101051 101052 101053 101054 101055 101056 101057 101058 101059 101080 101081 101082 101083
ip pp secure filter out 101013 101020 101021 101022 101023 101024 101025 101026 101027 101097 101098 101099 dynamic 101080 101081 101082 101083 101084 101085 101098 101099
ip pp intrusion detection in on
ip pp intrusion detection in ip on reject=on
ip pp intrusion detection in ip-option on reject=on
ip pp intrusion detection in fragment on reject=on
ip pp intrusion detection in icmp on reject=on
ip pp intrusion detection in udp on reject=on
ip pp intrusion detection in tcp on reject=on
ip pp intrusion detection in default off
ip pp intrusion detection out on
ip pp intrusion detection out ftp on reject=on
ip pp intrusion detection out winny on reject=on
ip pp intrusion detection out share on reject=on
ip pp intrusion detection out default off
ip pp nat descriptor 1100
netvolante-dns use pp server=1 auto
netvolante-dns hostname host pp server=1 **.**.netvolante.jp
pp enable 2

0137 Unknown Device-san 2017/09/09 (Sat) 15:51:11.84 ID:R04w2wBX
pp select anonymous
pp name XXX
pp bind tunnel3-tunnel5
pp auth request mschap-v2
pp auth username XXX-1 ****
pp auth username XXX-2 ****
pp auth username XXX-3 ****
ppp ipcp ipaddress on
ppp ipcp msext on
ip pp remote address pool 192.168.1.249 192.168.1.248 192.168.1.247 192.168.1.246 192.168.1.245
ip pp mtu 1258
pp enable anonymous
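A reviewer's aid for a config dump like the one above, added here as an example and not part of the thread or of any Yamaha tooling: a short Python script that parses the `ip filter`, `ip filter dynamic`, `ip pp secure filter in|out` and `ip route ... filter N` lines and cross-checks them. It reports numbers that a list applies but that have no definition, definitions that no list applies, and static entries listed after a full-wildcard static rule (the secure filter list is first-match, so anything after `pass * * * * *` in the same namespace is never consulted). Static and dynamic filter numbers are separate namespaces, which is why `101080` can exist as both; the `dynamic` keyword in a secure filter list switches namespaces and the parser tracks that. `SAMPLE` is a constructed excerpt of the pp 2 section posted above. Run over it, the script flags 101054 through 101059, which the pp 2 `in` list applies but which are defined nowhere in the posted config; whether they were dropped from the paste or are stale references is something to confirm on the box with `show config`.

```python
"""Cross-check Yamaha RTX 'ip filter' definitions against the lists that
apply them: 'ip pp secure filter in|out' and 'ip route ... filter N'.
Added example for this thread, not the original poster's code. SAMPLE is
a constructed excerpt of the pp 2 section posted above."""
import re

SAMPLE = """\
ip filter 101003 reject 192.168.1.0/24 * * * *
ip filter 101013 reject * 192.168.1.0/24 * * *
ip filter 101020 reject * * udp,tcp 135 *
ip filter 101021 reject * * udp,tcp * 135
ip filter 101022 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 101023 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 101024 reject * * udp,tcp 445 *
ip filter 101025 reject * * udp,tcp * 445
ip filter 101026 restrict * * tcpfin * www,21,nntp
ip filter 101027 restrict * * tcprst * www,21,nntp
ip filter 101030 pass * 192.168.1.0/24 icmp * *
ip filter 101031 pass * 192.168.1.0/24 established * *
ip filter 101032 pass * 192.168.1.0/24 tcp * ident
ip filter 101051 pass xx.xx.xx.0/20 192.168.1.251 udp 5060,10000-20000 5060,10000-20000
ip filter 101052 pass yy.yy.yy.0/24 192.168.1.251 udp 5060,10000-20000 5060,10000-20000
ip filter 101053 pass zz.zz.zz.zz 192.168.1.251 tcp * 10050
ip filter 101080 pass * 192.168.1.254 esp * *
ip filter 101081 pass * 192.168.1.254 udp * 500
ip filter 101082 pass * 192.168.1.254 udp * 1701
ip filter 101083 pass * 192.168.1.254 udp * 4500
ip filter 101097 pass 192.168.1.254 * udp 1701 *
ip filter 101098 reject-nolog * * established
ip filter 101099 pass * * * * *
ip filter 500000 restrict * * * * *
ip filter dynamic 101080 * * ftp
ip filter dynamic 101081 * * domain
ip filter dynamic 101082 * * www
ip filter dynamic 101083 * * smtp
ip filter dynamic 101084 * * pop3
ip filter dynamic 101085 * * submission
ip filter dynamic 101098 * * tcp
ip filter dynamic 101099 * * udp
ip route default gateway pp 2 filter 500000 gateway pp 1
pp select 2
ip pp secure filter in 101003 101020 101021 101022 101023 101024 101025 101030 101032 101051 101052 101053 101054 101055 101056 101057 101058 101059 101080 101081 101082 101083
ip pp secure filter out 101013 101020 101021 101022 101023 101024 101025 101026 101027 101097 101098 101099 dynamic 101080 101081 101082 101083 101084 101085 101098 101099
"""


def parse(text):
    """Return (static, dynamic, applied): static/dynamic map a filter number
    to its token list; applied maps (interface, direction) to the ordered
    (namespace, number) list it evaluates. 'dynamic' in a secure filter
    list switches from the static to the dynamic namespace."""
    static, dynamic, applied, iface = {}, {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["pp", "select"]:
            iface = "pp " + tok[2]
        elif tok[:3] == ["ip", "filter", "dynamic"]:
            dynamic[int(tok[3])] = tok[4:]
        elif tok[:2] == ["ip", "filter"]:
            static[int(tok[2])] = tok[3:]  # action src dst proto sport dport
        elif tok[:2] == ["ip", "route"]:  # policy-routing filters are static filters
            refs = [("static", int(n)) for n in re.findall(r"\bfilter (\d+)", line)]
            applied.setdefault(("route", "out"), []).extend(refs)
        elif len(tok) > 5 and tok[2:4] == ["secure", "filter"]:
            ns, refs = "static", []
            for t in tok[5:]:
                if t == "dynamic":
                    ns = "dynamic"
                else:
                    refs.append((ns, int(t)))
            applied[(iface if tok[1] == "pp" else tok[1], tok[4])] = refs
    return static, dynamic, applied


def lint(text):
    """Report numbers applied but never defined, definitions no list applies,
    and static entries listed after a full-wildcard static rule (first match
    wins, so those entries are never consulted)."""
    static, dynamic, applied = parse(text)
    tables = {"static": static, "dynamic": dynamic}
    undefined = {key: [n for ns, n in refs if n not in tables[ns]]
                 for key, refs in applied.items()
                 if any(n not in tables[ns] for ns, n in refs)}
    used = {ref for refs in applied.values() for ref in refs}
    unused = (sorted(n for n in static if ("static", n) not in used),
              sorted(n for n in dynamic if ("dynamic", n) not in used))
    shadowed = {}
    for key, refs in applied.items():
        for i, (ns, n) in enumerate(refs):
            rule = static.get(n, []) if ns == "static" else []
            if len(rule) == 6 and rule[1:] == ["*"] * 5:
                later = [m for ns2, m in refs[i + 1:] if ns2 == "static"]
                if later:
                    shadowed[key] = (n, later)
                break
    return {"undefined": undefined, "unused": unused, "shadowed": shadowed}


if __name__ == "__main__":
    for name, result in lint(SAMPLE).items():
        print(f"{name}: {result}")
```

Paste a full `show config` into `SAMPLE` (or read it from a file) to run the same checks over pp 1 and the tunnel interfaces; the `(interface, direction)` keys keep the per-pp lists apart because `pp select` is tracked while parsing.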
By the way, the DNS servers listed on the IP notification letter for the additional line aren't specified by IP address; they're specified by pp, as below. Is that normal?
pp 2 is tied to lan 3 and has the IPsec connection to site A.
lan 2 is connected to the additional line's ONU.
The additional line is the main one for Internet access, but it bothers me that pp 2 is written first.
netvolante-dns hostname host lan2 server=1 xxxx.aa0.netvolante.jp
dns server pp 2
dns server dhcp lan2
dns server select 500001 pp 2 any . restrict pp 2
dns server select 500002 dhcp lan2 any .
dns private address spoof on

0193 Unknown Device-san 2017/09/18 (Mon) 18:37:45.34 ID:ggm68m/d
That's because the default gateway is on the LAN2 side, isn't it?