实现了以下功能:
#
# Global settings from the exported running configuration: software version,
# hostname, clock, IRF, configuration archive, dialer rule, NAT logging, DHCP,
# DNS resolvers and password recovery.
version 7.1.064, Release 9660P52
#
sysname H3C
#
clock timezone Beijing add 08:00:00
clock protocol ntp
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
archive configuration location flash: filename-prefix 20250403
#
dialer-group 2 rule ip permit
#
# NAT logging is switched on, but no log host (info-center) line appears in
# this listing - confirm the NAT records are actually exported and retained.
nat log enable
#
dhcp enable
#
dns server 8.8.8.8
dns server 114.114.114.114
#
# NOTE(review): with password recovery enabled, a person at the console port
# can use the boot menu to get into the device without the saved credentials,
# so physical access is equivalent to admin access. Where the console is not
# physically controlled, "undo password-recovery enable" makes recovery
# require a factory reset instead - confirm the behaviour for this release.
password-recovery enable
#
# VLAN, address object group, DHCP pools and cellular controllers.
vlan 1
#
# NOTE(review): this object group is bound to the Trust zone but covers
# 192.168.3.0/24, which matches none of the interface subnets in this listing
# (192.168.4.0/24 and 192.168.8.0/24 are the Trust-side networks) - verify
# before using it in a policy rule.
object-group ip address 内网
security-zone Trust
0 network subnet 192.168.3.0 255.255.255.0
#
# Pool 1 serves 192.168.8.0/24 (gateway 192.168.8.1, GigabitEthernet1/0/11).
dhcp server ip-pool 1
gateway-list 192.168.8.1
network 192.168.8.0 mask 255.255.255.0
dns-list 114.114.114.114 8.8.8.8
#
# Pool 2 serves 192.168.4.0/24 (gateway 192.168.4.1, GigabitEthernet1/0/10).
dhcp server ip-pool 2
gateway-list 192.168.4.1
network 192.168.4.0 mask 255.255.255.0
dns-list 223.5.5.5
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
# PPPoE dialer interface: negotiates its address from the provider, is the
# default-route exit, and is imported into the Untrust zone later on.
# "zhanghu" (account) and "mima" (password) are placeholders the author put in
# place of the real credentials. The cipher form has to be recoverable by the
# device so it can answer the peer, so treat real cipher strings as secrets
# and keep them out of shared configurations.
# NOTE(review): both CHAP and PAP credentials are configured. PAP sends the
# password to the access concentrator in clear text; if the provider supports
# CHAP, the "ppp pap local-user" line can presumably be dropped - confirm.
interface Dialer0
mtu 1492
ppp chap password cipher mima
ppp chap user zhanghu
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user zhanghu password cipher mima
dialer-group 2
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
tcp mss 1400
nat outbound port-preserved counting
#
# NULL0 and GigabitEthernet1/0/0-3. Ports 1/0/0 and 1/0/2 are imported into
# the Management zone later in this listing; 1/0/1 and 1/0/3 carry no address
# and belong to no zone.
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.99.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
#
# GigabitEthernet1/0/4-6 are the uplinks: all three are imported into the
# Untrust zone later in this listing. 1/0/4 carries the PPPoE session bound to
# Dialer0 (dial-bundle-number 0), 1/0/5 takes its address by DHCP, and 1/0/6
# sits behind the gateway 192.168.6.1.
# NOTE(review): each of these ports permits HTTP, HTTPS, SSH and ping
# management inbound. Combined with the Untrust -> Local pass rule in the
# security policy, the management plane is reachable from the untrusted side
# on these ports, clear-text HTTP included. Keep administration on the
# Management-zone ports and remove the "manage ... inbound" lines here; if
# remote administration is required, limit it to SSH/HTTPS from known source
# addresses.
interface GigabitEthernet1/0/4
port link-mode route
nat outbound
nat hairpin enable
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
undo dhcp select server
pppoe-client dial-bundle-number 0
#
interface GigabitEthernet1/0/5
port link-mode route
ip address dhcp-alloc
nat outbound
nat hairpin enable
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
undo dhcp select server
#
interface GigabitEthernet1/0/6
port link-mode route
ip address 192.168.6.88 255.255.255.0
nat outbound
nat hairpin enable
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
gateway 192.168.6.1
#
# GigabitEthernet1/0/7-9 are unconfigured routed ports.
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
# GigabitEthernet1/0/10 and 1/0/11 are the LAN gateways (192.168.4.1 and
# 192.168.8.1) and are imported into the Trust zone later in this listing.
# "nat outbound 2000" refers to ACL 2000, which permits both LAN subnets.
# NOTE(review): clear-text HTTP management is permitted on the LAN side as
# well; HTTPS and SSH alone are enough for administration.
interface GigabitEthernet1/0/10
port link-mode route
ip address 192.168.4.1 255.255.255.0
ip last-hop hold
nat outbound
nat outbound 2000
nat hairpin enable
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
#
interface GigabitEthernet1/0/11
port link-mode route
ip address 192.168.8.1 255.255.255.0
nat outbound
nat outbound 2000
nat hairpin enable
manage http inbound
manage http outbound
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
#
# Security zones and zone pairs. Zone membership decides which security-policy
# rules apply to an interface:
#   Trust      - GigabitEthernet1/0/10, 1/0/11 (LAN)
#   Untrust    - Dialer0, GigabitEthernet1/0/4, 1/0/5, 1/0/6 (uplinks)
#   Management - GigabitEthernet1/0/0, 1/0/2
#   DMZ        - no member interfaces
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/10
import interface GigabitEthernet1/0/11
#
security-zone name DMZ
#
security-zone name Untrust
import interface Dialer0
import interface GigabitEthernet1/0/4
import interface GigabitEthernet1/0/5
import interface GigabitEthernet1/0/6
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
# The zone pairs below are declared with nothing attached to them in this
# listing; the filtering decisions come from the "security-policy ip" section.
zone-pair security source Local destination Trust
#
zone-pair security source Local destination Untrust
#
zone-pair security source Trust destination Local
#
zone-pair security source Trust destination Untrust
#
# Scheduler log size, then the terminal lines (AUX, console, VTY).
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
# NOTE(review): AUX 0 is given network-admin, and no authentication-mode line
# is shown for it or for its line class, so the platform default applies -
# confirm that default is not "none".
line aux 0
user-role network-admin
#
# Console 0 replaces the class setting (scheme) with a shared line password
# and network-admin, so console logins are not tied to a named user. "mima" is
# the author's placeholder for the real password hash.
line con 0
authentication-mode password
user-role network-admin
set authentication password hash mima
#
# VTY 0-63 authenticate through AAA (scheme). No ACL restricting the source
# addresses of SSH/VTY logins is visible in this listing.
line vty 0 63
authentication-mode scheme
user-role network-admin
#
# Static routes. The default route leaves through Dialer0 (PPPoE).
# The next hop 192.168.1.1 is not in any statically addressed subnet shown in
# this listing; presumably it is reached through GigabitEthernet1/0/5, which
# takes its address by DHCP - confirm.
ip route-static 0.0.0.0 0 Dialer0
ip route-static 10.251.251.0 24 192.168.1.1
ip route-static 192.168.20.0 24 192.168.1.1
#
performance-management
#
# SSH server for remote administration; see the VTY lines and the
# "manage ssh inbound" interface settings for where it is reachable.
ssh server enable
#
arp ip-conflict log prompt
#
# NOTE(review): the time sources are configured as unicast peers (symmetric
# mode) rather than as servers, and no NTP authentication is shown. For a
# device that only consumes time, "ntp-service unicast-server" is the
# client-only form.
ntp-service enable
ntp-service unicast-peer 101.6.6.172
ntp-service unicast-peer 203.107.6.88
#
# An SNTP server is configured as well, although "clock protocol ntp" selects
# NTP as the clock source.
sntp unicast-server 101.6.6.172 version 1
#
# ACL 2000 lists the two LAN subnets and is referenced by "nat outbound 2000"
# on GigabitEthernet1/0/10 and 1/0/11.
acl number 2000
rule 5 permit source 192.168.8.0 0.0.0.255
rule 10 permit source 192.168.4.0 0.0.0.255
#
# ACL 2001 is empty, and ACL 3000 (description: "domestic") holds a single
# destination rule; neither is referenced elsewhere in this listing.
acl basic 2001
#
acl advanced 3000
description 国内
rule 0 permit ip destination 1.0.1.0 0.0.0.255
#
# AAA domain, the predefined level-0 to level-14 roles, and the local
# administrator account.
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
# The only local account shown. "mima" is the author's placeholder; a real
# password hash should also stay out of shared configurations, because it can
# be attacked offline.
# NOTE(review): the account may log in over clear-text HTTP (service-type
# http) in addition to SSH, terminal and HTTPS. It holds network-admin
# together with level-3 and network-operator; since network-admin is already
# the administrator role, the other two presumably add nothing.
local-user admin class manage
password hash mima
service-type ssh terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
# Negotiation logging for IPsec and IKE (no IPsec policy appears in this
# listing).
ipsec logging negotiation enable
#
ike logging negotiation enable
#
# NOTE(review): the web interface is enabled over both HTTP and HTTPS. Over
# HTTP the administrator's credentials and session cross the network in clear
# text; HTTPS alone is sufficient, and "undo ip http enable" turns the
# clear-text listener off.
ip http enable
ip https enable
#
# Default logging parameter profiles for the content-inspection features.
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
# Authentication is switched off in the mail-notification profile -
# presumably this refers to authenticating to the mail server; confirm.
inspect email parameter-profile mailsetting_default_parameter
undo authentication enable
#
# Outbound link load balancing: link groups, traffic classes, actions, the
# policy that binds classes to actions, the virtual server that applies the
# policy to all IPv4 destinations (0.0.0.0/0), ISP definitions and the
# physical links. Names containing "autocreatedbyweb" were generated by the
# web interface.
loadbalance link-group 8duan
predictor hash address source
transparent enable
success-criteria at-least 1
link 8duan
success-criteria at-least 1
#
loadbalance link-group cmcc
predictor hash address source
transparent enable
success-criteria at-least 1
link cmcc
success-criteria at-least 1
#
loadbalance link-group openwrt
predictor hash address source
transparent enable
success-criteria at-least 1
link openwrt
success-criteria at-least 1
#
loadbalance link-group pppoe_dianxin
predictor hash address source
transparent enable
success-criteria at-least 1
link pppoe_dianxin
success-criteria at-least 1
#
loadbalance class 4duan type link-generic match-any
match 97 destination ip address 192.168.4.0 24
#
loadbalance class 8duan type link-generic match-any
match 55 destination ip address 192.168.8.0 24
#
loadbalance class openwrt type link-generic match-any
match 12 destination ip address 192.168.6.0 24
#
loadbalance class 电信特征 type link-generic match-any
description 电信特征 168.2.1
match 16821 isp chinatel
#
loadbalance class 国内特征 type link-generic match-any
description 国内通用特征 100
match 100 isp cn
match 16800 isp cnc
match 16811 isp cmcc
match 16812 isp educn
match 16813 isp chinatel
#
loadbalance class 国外 ip 识别 type link-generic match-any
description 国外黑洞
match 2000 isp hk
match 2001 isp mo
match 2002 isp tw
match 2003 isp 国外测试组-咕噜咕噜
#
loadbalance class 联通特征 00 type link-generic match-any
description 联通特征 200
match 200 isp cnc
#
# The addresses in this class ("x", "1x") are placeholders left by the author
# in place of the real values.
loadbalance class 内网 type link-generic match-any
match 100 destination ip address x
match 102 source ip address x
match 324 destination ip address 1x
match 1231 destination ip address x
#
loadbalance class 移动特征 type link-generic match-any
description 移动特征 192.168.1.1
match 16811 isp cmcc
#
loadbalance action ##defaultactionforllbipv4##%%autocreatedbyweb%% type link-generic
link-group openwrt
#
loadbalance action ob$action$#for#4duan type link-generic
forward all
#
loadbalance action ob$action$#for#8duan type link-generic
forward all
#
loadbalance action ob$action$#for#openwrt type link-generic
forward all
#
loadbalance action ob$action$#for#国内特征 type link-generic
link-group pppoe_dianxin
fallback-action continue
#
loadbalance action ob$action$#for#内网 type link-generic
forward all
#
# Policy order: LAN and local destinations are forwarded as-is, the domestic
# ISP class goes to the PPPoE link group, and everything else falls to the
# default action (link group openwrt).
loadbalance policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%% type link-generic
class 4duan action ob$action$#for#4duan
class 8duan action ob$action$#for#8duan
class openwrt action ob$action$#for#openwrt
class 内网 action ob$action$#for#内网
class 国内特征 action ob$action$#for#国内特征
default-class action ##defaultactionforllbipv4##%%autocreatedbyweb%%
#
virtual-server ##defaultvsforllbipv4##%%autocreatedbyweb%% type link-ip
virtual ip address 0.0.0.0 0
lb-policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%%
bandwidth busy-protection enable
bandwidth interface statistics enable
service enable
#
loadbalance isp name 国外测试组-咕噜咕噜
description 咕噜咕噜 ip 组-测试
ip address 93.123.23.0 24
#
loadbalance isp name 内网
ip address 192.168.8.0 24
#
loadbalance isp file flash:/lbispinfo.tp
#
# ISP address data is refreshed daily using the whois server named here, so
# routing decisions depend on data fetched from outside - make sure the
# device's outbound access to it is intended.
loadbalance isp auto-update enable
loadbalance isp auto-update frequency per-day
loadbalance isp auto-update whois-server domain whois.iana.org
#
loadbalance region china
isp chinatel
isp cmcc
isp cnc
isp educn
#
loadbalance link 4duan
router ip 192.168.4.1
success-criteria at-least 1
#
loadbalance link 8duan
router ip 192.168.8.1
#
loadbalance link cmcc
router ip 192.168.1.1
success-criteria at-least 1
#
loadbalance link openwrt
router ip 192.168.6.1
success-criteria at-least 1
#
loadbalance link pppoe_dianxin
router interface Dialer0
success-criteria at-least 1
#
# Inter-zone security policy.
# NOTE(review): every rule is "action pass" with zones as the only match
# criteria - no source or destination address, service or application. Rules
# 4 and 5 admit anything from Untrust to Trust and to the device itself
# (Local), and rule 8 covers Untrust to Untrust, so the policy filters nothing
# between Local, Trust and Untrust; inbound exposure is limited only by what
# NAT happens to make reachable.
# A tighter baseline keeps the outbound rules (Trust and Local to Untrust),
# removes rules 4, 5 and 8, and adds narrow Untrust -> Local or Untrust ->
# Trust rules only for the specific services and source addresses that must
# be reachable.
# No rule attaches an IPS or anti-virus profile, so content inspection does
# not appear to be applied to any traffic.
security-policy ip
rule 0 name pass-0
action pass
source-zone Local
destination-zone Trust
rule 1 name pass-1
action pass
source-zone Local
destination-zone Untrust
rule 2 name pass-2
action pass
source-zone Trust
destination-zone Local
rule 3 name pass-3
action pass
source-zone Trust
destination-zone Untrust
rule 4 name pass-4
action pass
source-zone Untrust
destination-zone Trust
rule 5 name pass-5
action pass
source-zone Untrust
destination-zone Local
rule 6 name pass-6
action pass
source-zone Trust
destination-zone Trust
rule 7 name pass-7
action pass
source-zone Local
destination-zone Local
rule 8 name Untrust_Untrust_8_IPv4
action pass
source-zone Untrust
destination-zone Untrust
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
# The device is pointed at the vendor's cloud management service at this
# domain - confirm that remote management through it is intended.
cloud-management server domain secops.h3c.com
#
return
1
defunct9 1 天前
怎么看着像半吊子的锐捷
|
3
djw123 1 天前
H3C 的墙其实 web 就能完胜,而且这一眼 F1000 策略太多吞吐跟不上
|
4
xqzr 1 天前
> tcp mss 1400
MSS 最佳 1452 |