{ "network_interfaces": { "wan_interface": "eno2", "lan_interface": "enp6s0" }, "upstream_dns": { "strict_order": false, "cache_size": 10000, "upstream_servers": [ "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001" ] }, "banned_ips": [ { "description": "Example: single IPv4 ban", "enabled": false, "ip": "94.130.52.18" }, { "description": "Example: ban IPv4 /24 by wildcard", "enabled": false, "ip": "94.130.52.*" }, { "description": "Example: ban IPv4 /16 by wildcard", "enabled": false, "ip": "94.130.*.*" }, { "description": "Example: ban IPv4 CIDR", "enabled": false, "ip": "94.130.0.0/16" }, { "description": "Example: ban IPv4 range in one octet", "enabled": false, "ip": "94.130.52.1-20" }, { "description": "Example: ban IPv4 range and wildcard", "enabled": false, "ip": "94.130-133.52.*" }, { "description": "Example: single IPv6 ban", "enabled": false, "ip": "2a01:4f8:c17:b0f::2" }, { "description": "Example: ban IPv6 /48 by wildcard", "enabled": false, "ip": "2a01:4f8:c17:*" }, { "description": "Example: ban IPv6 CIDR", "enabled": false, "ip": "2a01:4f8::/32" } ], "host_overrides": [ { "description": "LAN DNS override for home server DDNS hostname", "enabled": true, "host": "myhome.ddns.net", "ip": "192.168.1.20" } ], "inter_vlan_exceptions": [ { "description": "IoT TV -> Plex", "enabled": true, "protocol": "tcp", "src_ip_or_subnet": "192.168.10.3", "dst_ip_or_subnet": "192.168.1.20", "dest_port_start": 32400, "dest_port_end": 32400 }, { "description": "IoT Streaming Box -> Plex", "enabled": true, "protocol": "tcp", "src_ip_or_subnet": "192.168.10.4", "dst_ip_or_subnet": "192.168.1.20", "dest_port_start": 32400, "dest_port_end": 32400 }, { "description": "Kids -> Plex", "enabled": true, "protocol": "both", "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20", "dest_port_start": 32400, "dest_port_end": 32400 }, { "description": "Kids -> SMB", "enabled": true, "protocol": "tcp", "src_ip_or_subnet": "192.168.30.0/24", 
"dst_ip_or_subnet": "192.168.1.20", "dest_port_start": 445, "dest_port_end": 445 }, { "description": "Kids -> Game Server", "enabled": true, "protocol": "tcp", "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20", "dest_port_start": 25565, "dest_port_end": 25565 }, { "description": "Kids -> Web Server HTTP", "enabled": true, "protocol": "tcp", "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20", "dest_port_start": 80, "dest_port_end": 80 }, { "description": "Kids -> Web Server HTTPS", "enabled": true, "protocol": "tcp", "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20", "dest_port_start": 443, "dest_port_end": 443 }, { "description": "Trusted -> Printer (RAW)", "enabled": true, "protocol": "tcp", "src_ip_or_subnet": "192.168.1.0/24", "dst_ip_or_subnet": "192.168.10.2", "dest_port_start": 9100, "dest_port_end": 9100 }, { "description": "Trusted -> Printer (IPP)", "enabled": true, "protocol": "tcp", "src_ip_or_subnet": "192.168.1.0/24", "dst_ip_or_subnet": "192.168.10.2", "dest_port_start": 631, "dest_port_end": 631 }, { "description": "Kids -> Printer (RAW)", "enabled": true, "protocol": "tcp", "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.10.2", "dest_port_start": 9100, "dest_port_end": 9100 }, { "description": "Kids -> Printer (IPP)", "enabled": true, "protocol": "tcp", "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.10.2", "dest_port_start": 631, "dest_port_end": 631 }, { "description": "Guest -> Printer (RAW)", "enabled": true, "protocol": "tcp", "src_ip_or_subnet": "192.168.20.0/24", "dst_ip_or_subnet": "192.168.10.2", "dest_port_start": 9100, "dest_port_end": 9100 }, { "description": "Guest -> Printer (IPP)", "enabled": true, "protocol": "tcp", "src_ip_or_subnet": "192.168.20.0/24", "dst_ip_or_subnet": "192.168.10.2", "dest_port_start": 631, "dest_port_end": 631 }, { "description": "VPN -> SSH + Rsync", "enabled": true, "protocol": "tcp", 
"src_ip_or_subnet": "192.168.40.0/24", "dst_ip_or_subnet": "192.168.1.20", "dest_port_start": 22, "dest_port_end": 22 }, { "description": "VPN -> SMB", "enabled": false, "protocol": "tcp", "src_ip_or_subnet": "192.168.40.0/24", "dst_ip_or_subnet": "192.168.1.20", "dest_port_start": 445, "dest_port_end": 445 }, { "description": "Trusted -> Kids (LAN Gaming)", "enabled": false, "protocol": "both", "src_ip_or_subnet": "192.168.1.0/24", "dst_ip_or_subnet": "192.168.30.0/24" }, { "description": "Parent PC -> Kids (LAN Gaming)", "enabled": false, "protocol": "both", "src_ip_or_subnet": "192.168.1.50", "dst_ip_or_subnet": "192.168.30.0/24" }, { "description": "Kids -> Parent PC (LAN Gaming)", "enabled": false, "protocol": "both", "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.50" } ], "port_forwarding": [ { "description": "WireGuard VPN", "enabled": true, "protocol": "udp", "dest_port": 51820, "nat_ip": "192.168.1.20", "nat_port": 51820 }, { "description": "Plex Server", "enabled": true, "protocol": "both", "dest_port": 32400, "nat_ip": "192.168.1.20", "nat_port": 32400 }, { "description": "Web Server HTTP", "enabled": true, "protocol": "tcp", "dest_port": 80, "nat_ip": "192.168.1.20", "nat_port": 80 }, { "description": "Web Server HTTPS", "enabled": true, "protocol": "tcp", "dest_port": 443, "nat_ip": "192.168.1.20", "nat_port": 443 }, { "description": "Game Server", "enabled": true, "protocol": "tcp", "dest_port": 25565, "nat_ip": "192.168.1.20", "nat_port": 25565 }, { "description": "SSH", "enabled": false, "protocol": "tcp", "dest_port": 22, "nat_ip": "192.168.1.20", "nat_port": 22 } ], "vlans": [ { "vlan_id": 1, "name": "trusted", "subnet": "192.168.1.0", "subnet_mask": 24, "is_vpn": false, "dnsmasq_log_queries": false, "radius_default": false, "mdns_reflection": false, "use_blocklists": [ "oisd-big", "hagezi-light" ], "server_identities": [ { "description": "Router/Gateway", "ip": "192.168.1.1" }, { "description": "Home Server", "ip": 
"192.168.1.20", "hostname": "homeserver" }, { "description": "UniFi Controller Inform Host", "ip": "192.168.1.10", "hostname": "unifi-controller" } ], "dhcp_information": { "dynamic_pool_start": "192.168.1.100", "dynamic_pool_end": "192.168.1.245", "lease_time": "4h", "domain": "lan", "explicit_overrides": { "gateway": "", "dns_servers": "", "ntp_servers": "" } } }, { "vlan_id": 10, "name": "iot", "subnet": "192.168.10.0", "subnet_mask": 24, "is_vpn": false, "dnsmasq_log_queries": false, "radius_default": false, "mdns_reflection": true, "use_blocklists": [ "oisd-big", "hagezi-light" ], "server_identities": [ { "description": "Router/Gateway", "ip": "192.168.10.1" } ], "dhcp_information": { "dynamic_pool_start": "192.168.10.100", "dynamic_pool_end": "192.168.10.245", "lease_time": "4h", "domain": "lan", "explicit_overrides": { "gateway": "", "dns_servers": "", "ntp_servers": "" } } }, { "vlan_id": 20, "name": "guest", "subnet": "192.168.20.0", "subnet_mask": 24, "is_vpn": false, "dnsmasq_log_queries": false, "radius_default": true, "mdns_reflection": true, "use_blocklists": [ "oisd-big", "hagezi-light" ], "server_identities": [ { "description": "Router/Gateway", "ip": "192.168.20.1" } ], "dhcp_information": { "dynamic_pool_start": "192.168.20.100", "dynamic_pool_end": "192.168.20.245", "lease_time": "4h", "domain": "lan", "explicit_overrides": { "gateway": "", "dns_servers": "", "ntp_servers": "" } } }, { "vlan_id": 30, "name": "kids", "subnet": "192.168.30.0", "subnet_mask": 24, "is_vpn": false, "dnsmasq_log_queries": false, "radius_default": false, "mdns_reflection": true, "use_blocklists": [ "oisd-big", "hagezi-light", "hagezi-pro-plus" ], "server_identities": [ { "description": "Router/Gateway", "ip": "192.168.30.1" } ], "dhcp_information": { "dynamic_pool_start": "192.168.30.100", "dynamic_pool_end": "192.168.30.245", "lease_time": "4h", "domain": "lan", "explicit_overrides": { "gateway": "", "dns_servers": "", "ntp_servers": "" } } }, { "vlan_id": 40, "name": 
"vpn", "subnet": "192.168.40.0", "subnet_mask": 24, "is_vpn": true, "dnsmasq_log_queries": false, "radius_default": false, "mdns_reflection": false, "use_blocklists": [ "oisd-big", "hagezi-light" ], "server_identities": [ { "description": "Router/Gateway", "ip": "192.168.40.1" } ], "vpn_information": { "listen_port": 51820, "server_endpoint": "", "domain": "lan", "explicit_overrides": { "gateway": "", "dns_servers": "", "mtu": "" } }, "peers": [] } ], "ddns": { "general": { "log_max_kb": 1024, "log_errors_only": false, "timer_interval": "10m" }, "providers": [ { "description": "No-IP Account", "provider": "noip", "enabled": true, "username": "your-username", "password": "your-password", "hostnames": [ "yoursubdomain.ddns.net", "yourothersubdomain.ddns.net" ] }, { "description": "Cloudflare Account", "provider": "cloudflare", "enabled": true, "api_token": "your-cloudflare-api-token", "hostnames": [ "yourdomain.com", "yoursubdomain.yourdomain.com", "yourothersubdomain.yourdomain.com" ] }, { "description": "DuckDNS Account", "provider": "duckdns", "enabled": false, "api_token": "your-duckdns-api-token", "hostnames": [ "yoursubdomain.duckdns.org", "yourothersubdomain.duckdns.org" ] } ], "ip_check_services": [ { "type": "http", "url": "https://api.ipify.org" }, { "type": "http", "url": "https://ifconfig.me/ip" }, { "type": "http", "url": "https://icanhazip.com" }, { "type": "http", "url": "https://api4.my-ip.io/ip" }, { "type": "http", "url": "https://ipv4.icanhazip.com" }, { "type": "http", "url": "https://checkip.amazonaws.com" }, { "type": "http", "url": "https://1.1.1.1/cdn-cgi/trace" }, { "type": "http", "url": "https://ipinfo.io/ip" }, { "type": "http", "url": "https://ipecho.net/plain" }, { "type": "http", "url": "https://ident.me" }, { "type": "http", "url": "https://myip.dnsomatic.com" }, { "type": "http", "url": "https://wtfismyip.com/text" }, { "type": "dig", "url": "@1.1.1.1 ch txt whoami.cloudflare" }, { "type": "dig", "url": "whoami.akamai.net 
@ns1-1.akamaitech.net" }, { "type": "dig", "url": "-4 TXT o-o.myaddr.l.google.com @ns1.google.com" }, { "type": "dig", "url": "-4 @ns3.cloudflare.com whoami.cloudflare.com txt" } ] }, "dns_blocking": { "general": { "log_max_kb": 1024, "log_errors_only": false, "daily_execute_time_24hr_local": "02:30" }, "blocklists": [ { "name": "oisd-big", "description": "OISD Big (ads, phishing, malware, telemetry)", "bl_type": "community", "save_as": "oisd-big.conf", "url": "https://big.oisd.nl/dnsmasq2" }, { "name": "hagezi-light", "description": "Hagezi Light (ads, tracking, metrics, badware)", "bl_type": "community", "save_as": "hagezi-light.conf", "url": "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/light.txt" }, { "name": "hagezi-pro-plus", "description": "Hagezi Pro Plus (ads, tracking, porn, gambling)", "bl_type": "community", "save_as": "hagezi-pro-plus.conf", "url": "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/pro.plus.txt" } ] }, "dhcp_reservations": [ { "enabled": true, "description": "UniFi Switch", "hostname": "unifi-switch", "mac": "aa:bb:cc:dd:ee:01", "ip": "192.168.1.2", "radius_client": true, "vlan": "trusted" }, { "enabled": true, "description": "UniFi AP (Kitchen)", "hostname": "unifi-ap-kitchen", "mac": "aa:bb:cc:dd:ee:02", "ip": "192.168.1.3", "radius_client": true, "vlan": "trusted" }, { "enabled": true, "description": "UniFi AP (Lounge)", "hostname": "unifi-ap-lounge", "mac": "aa:bb:cc:dd:ee:03", "ip": "192.168.1.4", "radius_client": true, "vlan": "trusted" }, { "enabled": true, "description": "UniFi AP (Upstairs)", "hostname": "unifi-ap-upstairs", "mac": "aa:bb:cc:dd:ee:04", "ip": "192.168.1.5", "radius_client": true, "vlan": "trusted" }, { "enabled": true, "description": "Home Server", "hostname": "homeserver", "mac": "aa:bb:cc:dd:ee:05", "ip": "192.168.1.20", "vlan": "trusted" }, { "enabled": true, "description": "Desktop PC", "hostname": "desktop-pc", "mac": "aa:bb:cc:dd:ee:06", "ip": "192.168.1.50", 
"vlan": "trusted" }, { "enabled": true, "description": "Network Printer", "hostname": "printer", "mac": "aa:bb:cc:dd:ee:10", "ip": "192.168.10.2", "vlan": "iot" }, { "enabled": true, "description": "Smart TV", "hostname": "smart-tv", "mac": "aa:bb:cc:dd:ee:11", "ip": "192.168.10.3", "vlan": "iot" }, { "enabled": true, "description": "Streaming Box (Eth)", "hostname": "streaming-box-eth", "mac": "aa:bb:cc:dd:ee:12", "ip": "192.168.10.4", "vlan": "iot" }, { "enabled": true, "description": "Streaming Box (Wifi)", "hostname": "streaming-box-wifi", "mac": "aa:bb:cc:dd:ee:13", "ip": "192.168.10.4", "vlan": "iot" }, { "enabled": true, "description": "Raspberry Pi", "hostname": "rpi", "mac": "aa:bb:cc:dd:ee:14", "ip": "192.168.10.12", "vlan": "iot" }, { "enabled": true, "description": "NAS", "hostname": "nas", "mac": "aa:bb:cc:dd:ee:15", "ip": "192.168.10.14", "vlan": "iot" }, { "enabled": true, "description": "Doorbell Camera", "hostname": "doorbell-camera", "mac": "aa:bb:cc:dd:ee:16", "ip": "", "vlan": "iot" }, { "enabled": true, "description": "Smart Speaker", "hostname": "smart-speaker", "mac": "aa:bb:cc:dd:ee:17", "ip": "", "vlan": "iot" }, { "enabled": true, "description": "Family Member Phone 1", "hostname": "phone-1", "mac": "aa:bb:cc:dd:ee:20", "ip": "", "vlan": "guest" }, { "enabled": true, "description": "Family Member Phone 2", "hostname": "phone-2", "mac": "aa:bb:cc:dd:ee:21", "ip": "", "vlan": "guest" }, { "enabled": true, "description": "Child 1 Laptop", "hostname": "child1-laptop", "mac": "aa:bb:cc:dd:ee:30", "ip": "", "vlan": "kids" }, { "enabled": true, "description": "Child 2 Laptop", "hostname": "child2-laptop", "mac": "aa:bb:cc:dd:ee:31", "ip": "", "vlan": "kids" }, { "enabled": true, "description": "Child 3 Laptop", "hostname": "child3-laptop", "mac": "aa:bb:cc:dd:ee:32", "ip": "", "vlan": "kids" }, { "enabled": true, "description": "Child Tablet", "hostname": "child-tablet", "mac": "aa:bb:cc:dd:ee:33", "ip": "", "vlan": "kids" } ], "port_wrangling": 
[ { "description": "DNS wrangling - redirect Trusted DNS to local resolver", "enabled": true, "protocol": "both", "dest_port": 53, "redirect_to": "192.168.1.1", "vlan": "trusted" }, { "description": "NTP wrangling - redirect Trusted NTP to local time server", "enabled": false, "protocol": "udp", "dest_port": 123, "redirect_to": "192.168.1.1", "vlan": "trusted" }, { "description": "DNS wrangling - redirect IoT DNS to local resolver", "enabled": true, "protocol": "both", "dest_port": 53, "redirect_to": "192.168.10.1", "vlan": "iot" }, { "description": "NTP wrangling - redirect IoT NTP to local time server", "enabled": false, "protocol": "udp", "dest_port": 123, "redirect_to": "192.168.10.1", "vlan": "iot" }, { "description": "DNS wrangling - redirect Guest DNS to local resolver", "enabled": true, "protocol": "both", "dest_port": 53, "redirect_to": "192.168.20.1", "vlan": "guest" }, { "description": "NTP wrangling - redirect Guest NTP to local time server", "enabled": false, "protocol": "udp", "dest_port": 123, "redirect_to": "192.168.20.1", "vlan": "guest" }, { "description": "DNS wrangling - redirect Kids DNS to local resolver", "enabled": true, "protocol": "both", "dest_port": 53, "redirect_to": "192.168.30.1", "vlan": "kids" }, { "description": "NTP wrangling - redirect Kids NTP to local time server", "enabled": false, "protocol": "udp", "dest_port": 123, "redirect_to": "192.168.30.1", "vlan": "kids" }, { "description": "DNS wrangling - redirect VPN DNS to local resolver", "enabled": true, "protocol": "both", "dest_port": 53, "redirect_to": "192.168.40.1", "vlan": "vpn" }, { "description": "NTP wrangling - redirect VPN NTP to local time server", "enabled": false, "protocol": "udp", "dest_port": 123, "redirect_to": "192.168.40.1", "vlan": "vpn" } ], "radius": { "general": { "logging": false, "log_max_kb": 1024 }, "options": { "mac_format": "aabbccddeeff", "apply_to": "all", "ap_ips": [] } } }