linuxrouter/router/core.json

{
  "general": {
    "wan_interface": "eno2",
    "log_max_kb": 1024,
    "log_errors_only": false,
    "dnsmasq_log_queries": false,
    "daily_execute_time_24hr_local": "02:30"
  },

  "upstream_dns": {
    "strict_order": false,
    "cache_size": 10000,
    "upstream_servers": [
      "1.1.1.1",
      "1.0.0.1",
      "2606:4700:4700::1111",
      "2606:4700:4700::1001"
    ]
  },

  "banned_ips": [
    { "description": "Example: single IPv4 ban",               "enabled": false, "ip": "94.130.52.18"        },
    { "description": "Example: ban IPv4 /24 by wildcard",      "enabled": false, "ip": "94.130.52.*"         },
    { "description": "Example: ban IPv4 /16 by wildcard",      "enabled": false, "ip": "94.130.*.*"          },
    { "description": "Example: ban IPv4 CIDR",                 "enabled": false, "ip": "94.130.0.0/16"       },
    { "description": "Example: ban IPv4 range in one quartet", "enabled": false, "ip": "94.130.52.1-20"      },
    { "description": "Example: ban IPv4 range and wildcard",   "enabled": false, "ip": "94.130-133.52.*"     },
    { "description": "Example: single IPv6 ban",               "enabled": false, "ip": "2a01:4f8:c17:b0f::2" },
    { "description": "Example: ban IPv6 /48 by wildcard",      "enabled": false, "ip": "2a01:4f8:c17:*"      },
    { "description": "Example: ban IPv6 CIDR",                 "enabled": false, "ip": "2a01:4f8::/32"       }
  ],

  "host_overrides": [
    {
      "description": "LAN DNS override for home server DDNS hostname",
      "enabled": true,
      "host": "myhome.ddns.net",
      "ip": "192.168.1.20"
    }
  ],

  "blocklists": [
    {
      "name": "oisd-big",
      "description": "OISD Big - ads, phishing, malware, telemetry",
      "save_as": "oisd-big.conf",
      "url": "https://big.oisd.nl/dnsmasq2",
      "format": "dnsmasq"
    },
    {
      "name": "hagezi-light",
      "description": "Hagezi Light - ads, tracking, metrics, badware",
      "save_as": "hagezi-light.conf",
      "url": "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/light.txt",
      "format": "dnsmasq"
    },
    {
      "name": "hagezi-pro-plus",
      "description": "Hagezi Pro Plus - ads, tracking, porn, gambling combined",
      "save_as": "hagezi-pro-plus.conf",
      "url": "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/pro.plus.txt",
      "format": "dnsmasq"
    }
  ],

  "inter_vlan_exceptions": [
    { "description": "IoT TV -> Plex",                  "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.10.3",    "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 32400 },
    { "description": "IoT Streaming Box -> Plex",       "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.10.4",    "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 32400 },
    { "description": "Kids -> Plex",                    "enabled": true,  "protocol": "both", "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 32400 },
    { "description": "Kids -> SMB",                     "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 445   },
    { "description": "Kids -> Game Server",             "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 25565 },
    { "description": "Kids -> Web Server HTTP",         "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 80    },
    { "description": "Kids -> Web Server HTTPS",        "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 443   },
    { "description": "Trusted -> Printer (RAW)",        "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.1.0/24",  "dst_ip_or_subnet": "192.168.10.2",    "dst_port": 9100  },
    { "description": "Trusted -> Printer (IPP)",        "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.1.0/24",  "dst_ip_or_subnet": "192.168.10.2",    "dst_port": 631   },
    { "description": "Kids -> Printer (RAW)",           "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.10.2",    "dst_port": 9100  },
    { "description": "Kids -> Printer (IPP)",           "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.10.2",    "dst_port": 631   },
    { "description": "Guest -> Printer (RAW)",          "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.20.0/24", "dst_ip_or_subnet": "192.168.10.2",    "dst_port": 9100  },
    { "description": "Guest -> Printer (IPP)",          "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.20.0/24", "dst_ip_or_subnet": "192.168.10.2",    "dst_port": 631   },
    { "description": "VPN -> SSH + Rsync",              "enabled": true,  "protocol": "tcp",  "src_ip_or_subnet": "192.168.40.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 22    },
    { "description": "VPN -> SMB",                      "enabled": false, "protocol": "tcp",  "src_ip_or_subnet": "192.168.40.0/24", "dst_ip_or_subnet": "192.168.1.20",    "dst_port": 445   },
    { "description": "Trusted -> Kids (LAN Gaming)",    "enabled": false, "protocol": "both", "src_ip_or_subnet": "192.168.1.0/24",  "dst_ip_or_subnet": "192.168.30.0/24"                    },
    { "description": "Parent PC -> Kids (LAN Gaming)",  "enabled": false, "protocol": "both", "src_ip_or_subnet": "192.168.1.50",    "dst_ip_or_subnet": "192.168.30.0/24"                    },
    { "description": "Kids -> Parent PC (LAN Gaming)",  "enabled": false, "protocol": "both", "src_ip_or_subnet": "192.168.30.0/24", "dst_ip_or_subnet": "192.168.1.50"                       }
  ],

  "port_forwarding": [
    { "description": "WireGuard VPN",    "enabled": true,  "protocol": "udp",  "dest_port": 51820, "nat_ip": "192.168.1.20", "nat_port": 51820 },
    { "description": "Plex Server",      "enabled": true,  "protocol": "both", "dest_port": 32400, "nat_ip": "192.168.1.20", "nat_port": 32400 },
    { "description": "Web Server HTTP",  "enabled": true,  "protocol": "tcp",  "dest_port": 80,    "nat_ip": "192.168.1.20", "nat_port": 80    },
    { "description": "Web Server HTTPS", "enabled": true,  "protocol": "tcp",  "dest_port": 443,   "nat_ip": "192.168.1.20", "nat_port": 443   },
    { "description": "Game Server",      "enabled": true,  "protocol": "tcp",  "dest_port": 25565, "nat_ip": "192.168.1.20", "nat_port": 25565 },
    { "description": "SSH",              "enabled": false, "protocol": "tcp",  "dest_port": 22,    "nat_ip": "192.168.1.20", "nat_port": 22    }
  ],

  "vlans": [

    {
      "vlan_id": 1,
      "name": "trusted",
      "interface": "enp6s0",
      "radius_default": false,
      "mdns_reflection": false,
      "use_blocklists": ["oisd-big", "hagezi-light"],
      "server_identities": [
        { "description": "Router/Gateway",               "ip": "192.168.1.1"  },
        { "description": "Home Server",                  "ip": "192.168.1.20", "hostname": "homeserver" },
        { "description": "UniFi Controller Inform Host", "ip": "192.168.1.10", "hostname": "unifi-controller" }
      ],
      "dhcp": {
        "subnet": "192.168.1.0",
        "subnet_mask": "255.255.255.0",
        "dynamic_pool_start": "192.168.1.100",
        "dynamic_pool_end": "192.168.1.245",
        "lease_time": "24h",
        "domain": "local",
        "explicit_overrides": { "gateway": "", "dns_server": "", "ntp_server": "" }
      },
      "reservations": [
        { "enabled": true, "description": "UniFi Switch",         "hostname": "unifi-switch",      "mac": "aa:bb:cc:dd:ee:01", "ip": "192.168.1.2",  "radius_client": true },
        { "enabled": true, "description": "UniFi AP (Kitchen)",   "hostname": "unifi-ap-kitchen",  "mac": "aa:bb:cc:dd:ee:02", "ip": "192.168.1.3",  "radius_client": true },
        { "enabled": true, "description": "UniFi AP (Lounge)",    "hostname": "unifi-ap-lounge",   "mac": "aa:bb:cc:dd:ee:03", "ip": "192.168.1.4",  "radius_client": true },
        { "enabled": true, "description": "UniFi AP (Upstairs)",  "hostname": "unifi-ap-upstairs", "mac": "aa:bb:cc:dd:ee:04", "ip": "192.168.1.5",  "radius_client": true },
        { "enabled": true, "description": "Home Server",          "hostname": "homeserver",        "mac": "aa:bb:cc:dd:ee:05", "ip": "192.168.1.20"                        },
        { "enabled": true, "description": "Desktop PC",           "hostname": "desktop-pc",        "mac": "aa:bb:cc:dd:ee:06", "ip": "192.168.1.50"                        }
      ],
      "port_wrangling": [
        { "description": "DNS wrangling - redirect Trusted DNS to local resolver",    "enabled": true,  "protocol": "both", "dest_port": 53,  "redirect_to": "192.168.1.1" },
        { "description": "NTP wrangling - redirect Trusted NTP to local time server", "enabled": false, "protocol": "udp",  "dest_port": 123, "redirect_to": "192.168.1.1" }
      ]
    },

    {
      "vlan_id": 10,
      "name": "iot",
      "interface": "enp6s0.10",
      "radius_default": false,
      "mdns_reflection": true,
      "use_blocklists": ["oisd-big", "hagezi-light"],
      "server_identities": [
        { "description": "Router/Gateway", "ip": "192.168.10.1" }
      ],
      "dhcp": {
        "subnet": "192.168.10.0",
        "subnet_mask": "255.255.255.0",
        "dynamic_pool_start": "192.168.10.100",
        "dynamic_pool_end": "192.168.10.245",
        "lease_time": "24h",
        "domain": "local",
        "explicit_overrides": { "gateway": "", "dns_server": "", "ntp_server": "" }
      },
      "reservations": [
        { "enabled": true, "description": "Network Printer",          "hostname": "printer",            "mac": "aa:bb:cc:dd:ee:10", "ip": "192.168.10.2"  },
        { "enabled": true, "description": "Smart TV",                 "hostname": "smart-tv",           "mac": "aa:bb:cc:dd:ee:11", "ip": "192.168.10.3"  },
        { "enabled": true, "description": "Streaming Box (Eth)",      "hostname": "streaming-box-eth",  "mac": "aa:bb:cc:dd:ee:12", "ip": "192.168.10.4"  },
        { "enabled": true, "description": "Streaming Box (Wifi)",     "hostname": "streaming-box-wifi", "mac": "aa:bb:cc:dd:ee:13", "ip": "192.168.10.4"  },
        { "enabled": true, "description": "Raspberry Pi",             "hostname": "rpi",                "mac": "aa:bb:cc:dd:ee:14", "ip": "192.168.10.12" },
        { "enabled": true, "description": "NAS",                      "hostname": "nas",                "mac": "aa:bb:cc:dd:ee:15", "ip": "192.168.10.14" },
        { "enabled": true, "description": "Doorbell Camera",          "hostname": "doorbell-camera",    "mac": "aa:bb:cc:dd:ee:16", "ip": "dynamic"       },
        { "enabled": true, "description": "Smart Speaker",            "hostname": "smart-speaker",      "mac": "aa:bb:cc:dd:ee:17", "ip": "dynamic"       }
      ],
      "port_wrangling": [
        { "description": "DNS wrangling - redirect IoT DNS to local resolver",    "enabled": true,  "protocol": "both", "dest_port": 53,  "redirect_to": "192.168.10.1" },
        { "description": "NTP wrangling - redirect IoT NTP to local time server", "enabled": false, "protocol": "udp",  "dest_port": 123, "redirect_to": "192.168.10.1" }
      ]
    },

    {
      "vlan_id": 20,
      "name": "guest",
      "interface": "enp6s0.20",
      "radius_default": true,
      "mdns_reflection": true,
      "use_blocklists": ["oisd-big", "hagezi-light"],
      "server_identities": [
        { "description": "Router/Gateway", "ip": "192.168.20.1" }
      ],
      "dhcp": {
        "subnet": "192.168.20.0",
        "subnet_mask": "255.255.255.0",
        "dynamic_pool_start": "192.168.20.100",
        "dynamic_pool_end": "192.168.20.245",
        "lease_time": "4h",
        "domain": "local",
        "explicit_overrides": { "gateway": "", "dns_server": "", "ntp_server": "" }
      },
      "reservations": [
        { "enabled": true, "description": "Family Member Phone 1", "hostname": "phone-1", "mac": "aa:bb:cc:dd:ee:20", "ip": "dynamic" },
        { "enabled": true, "description": "Family Member Phone 2", "hostname": "phone-2", "mac": "aa:bb:cc:dd:ee:21", "ip": "dynamic" }
      ],
      "port_wrangling": [
        { "description": "DNS wrangling - redirect Guest DNS to local resolver",    "enabled": true,  "protocol": "both", "dest_port": 53,  "redirect_to": "192.168.20.1" },
        { "description": "NTP wrangling - redirect Guest NTP to local time server", "enabled": false, "protocol": "udp",  "dest_port": 123, "redirect_to": "192.168.20.1" }
      ]
    },

    {
      "vlan_id": 30,
      "name": "kids",
      "interface": "enp6s0.30",
      "radius_default": false,
      "mdns_reflection": true,
      "use_blocklists": ["oisd-big", "hagezi-light", "hagezi-pro-plus"],
      "server_identities": [
        { "description": "Router/Gateway", "ip": "192.168.30.1" }
      ],
      "dhcp": {
        "subnet": "192.168.30.0",
        "subnet_mask": "255.255.255.0",
        "dynamic_pool_start": "192.168.30.100",
        "dynamic_pool_end": "192.168.30.245",
        "lease_time": "24h",
        "domain": "local",
        "explicit_overrides": { "gateway": "", "dns_server": "", "ntp_server": "" }
      },
      "reservations": [
        { "enabled": true, "description": "Child 1 Laptop",  "hostname": "child1-laptop",  "mac": "aa:bb:cc:dd:ee:30", "ip": "dynamic" },
        { "enabled": true, "description": "Child 2 Laptop",  "hostname": "child2-laptop",  "mac": "aa:bb:cc:dd:ee:31", "ip": "dynamic" },
        { "enabled": true, "description": "Child 3 Laptop",  "hostname": "child3-laptop",  "mac": "aa:bb:cc:dd:ee:32", "ip": "dynamic" },
        { "enabled": true, "description": "Child Tablet",    "hostname": "child-tablet",   "mac": "aa:bb:cc:dd:ee:33", "ip": "dynamic" }
      ],
      "port_wrangling": [
        { "description": "DNS wrangling - redirect Kids DNS to local resolver",    "enabled": true,  "protocol": "both", "dest_port": 53,  "redirect_to": "192.168.30.1" },
        { "description": "NTP wrangling - redirect Kids NTP to local time server", "enabled": false, "protocol": "udp",  "dest_port": 123, "redirect_to": "192.168.30.1" }
      ]
    },

    {
      "vlan_id": 40,
      "name": "vpn",
      "interface": "wg0",
      "radius_default": false,
      "mdns_reflection": false,
      "use_blocklists": ["oisd-big", "hagezi-light"],
      "vpn_information": {
        "listen_port": 51820,
        "gateway": "192.168.40.1",
        "domain": "local",
        "explicit_overrides": { "dns_server": "", "mtu": "" }
      },
      "reservations": [],
      "port_wrangling": [
        { "description": "DNS wrangling - redirect VPN DNS to local resolver",    "enabled": true,  "protocol": "both", "dest_port": 53,  "redirect_to": "192.168.40.1" },
        { "description": "NTP wrangling - redirect VPN NTP to local time server", "enabled": false, "protocol": "udp",  "dest_port": 123, "redirect_to": "192.168.40.1" }
      ]
    }

  ]

}