Shell Script Issues after 1.1.8 -> 1.2.4 LTS Upgrade

LinuksGuru · January 7, 2020, 4:00pm

Hi !

I have replaced 1.1.8 -> 1.2.4 LTS (clean install on new PC actaully) and now have issues with cron script.
set system task-scheduler task TASK-CHECK-GW executable path /config/scripts/anvcheckgw.sh
set system task-scheduler task TASK-CHECK-GW crontab-spec ‘* * * * *’

Script pings gateways, switches routes, adds/removes DNS servers, etc.

#!/bin/sh

# Gateway IPs.
GW1="xx.xx.xx.xx"
GW2="yy.yy.yy.yy"

GW1ETH="eth2"
GW2ETH="eth3"

# DNS Servers IPs.
DNS1="aa.aa.aa.aa"
DNS2="bb.bb.bb.bb"

GW1DIS="set protocols static route 0.0.0.0/0 next-hop "$GW1" disable"
GW1ENA="delete protocols static route 0.0.0.0/0 next-hop "$GW1" disable"
GW2DIS="set protocols static route 0.0.0.0/0 next-hop "$GW2" disable"
GW2ENA="delete protocols static route 0.0.0.0/0 next-hop "$GW2" disable"

DNS1DIS="delete service dns forwarding name-server "$DNS1
DNS1ENA="set service dns forwarding name-server "$DNS1
DNS2DIS="delete service dns forwarding name-server "$DNS2
DNS2ENA="set service dns forwarding name-server "$DNS2

/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin
# Works
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper $GW1DIS
# Doesn't work
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper $DNS1DIS

/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper end

GWFIXP="sudo chown -R vyos:vyattacfg /opt/vyatta/config/active/"
$GWFIXP

Previously, this selected first entry as default route, after upgrade 2nd. Why this happens?

set protocols static route 0.0.0.0/0 next-hop ‘xx.xx.xx.xx’ distance 15
set protocols static route 0.0.0.0/0 next-hop ‘yy.yy.yy.yy’ distance 100

How to fix that?
Thanks in advance.

Dmitry · January 8, 2020, 10:18am

Hello @LinuksGuru, I created LAB for this script and see correct behaviour on 1.2.4 like an 1.1.8.
Provide please output of commands

show version
show configuration commands | strip-private

LinuksGuru · January 8, 2020, 10:42am

Script called from cron, under user root I suppose.
Maybe this is the problem ?

Dmitry · January 8, 2020, 10:47am

I’m not sure. Can you explain how I can reach this behaviour?
Maybe we can modify script like in docs Command Scripting — VyOS 1.4.x (sagitta) documentation

LinuksGuru · January 8, 2020, 11:05am

OK, i’ll modify script and see what happens next.

It launched with cron with this VyOS commands, and looks like runs as root:vyattacfg

set system task-scheduler task TASK-CHECK-GW executable path /config/scripts/anvcheckgw.sh
set system task-scheduler task TASK-CHECK-GW crontab-spec ‘* * * * *’

LinuksGuru · January 8, 2020, 2:53pm

Hi !

I modified script to VyOS 1.2x standard and traced down the problem.

Routing commands working as before, dns forwarding don’t, result an error “Invalid command: [delete]”.
Manual entry of SAME commands working without any problem, additionally, I verified expansion of shell vars with echo.
I trim script to shortest version to debug errors.
VyOS 1.2.4
Build Commit ID: 396c41d79ca77a
ISO built with docker as per crux branch manual.

Is something missing from “/opt/vyatta/etc/functions/script-template” ?

#!/bin/vbash
#/config/scripts/anvcheckgw.sh

if [ $(id -g -n) != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

source /opt/vyatta/etc/functions/script-template


# Gateway IPs.
GW1="xx.xx.xx.xx"
GW2="yy.yy.yy.yy"

# Ethernet Interfaces.
GW1ETH="eth2"
GW2ETH="eth3"


# DNS Servers IPs.
DNS1="aa.aa.aa.aa"
DNS2="bb.bb.bb.bb"

# VyOS commands to disable/enable IP routes. WORKING
GW1DIS="set protocols static route 0.0.0.0/0 next-hop "$GW1" disable"
GW1ENA="delete protocols static route 0.0.0.0/0 next-hop "$GW1" disable"
GW2DIS="set protocols static route 0.0.0.0/0 next-hop "$GW2" disable"
GW2ENA="delete protocols static route 0.0.0.0/0 next-hop "$GW2" disable"

# VyOS commands to disable/enable DNS servers. NOT WORKING
DNS1DIS="delete service dns forwarding name-server "$DNS1
DNS1ENA="set service dns forwarding name-server "$DNS1
DNS2DIS="delete service dns forwarding name-server "$DNS2
DNS2ENA="set service dns forwarding name-server "$DNS2

# Result in error "Invalid command: [delete]"
configure
$DNS1DIS
$DNS2DIS
commit

LinuksGuru · January 10, 2020, 10:23am

Hi!

There is certainly some bug in 1.2.4.
Script executes without any error message, yet DNS 8.8.4.4 is NOT deleted, its still there.
Additionally, commit takes unusually long time, around 20sec.

1.1.8 commit was almost instant on same hardware and net / firewall config.

#!/bin/vbash
 
if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi
 
run=/opt/vyatta/bin/vyatta-op-cmd-wrapper
cfg=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper

$cfg begin
$cfg delete service dns forwarding name-server 8.8.4.4
$cfg commit
$cfg end

$run show configuration commands | grep name-server

exit

Dmitry · January 10, 2020, 11:42am

Hi @LinuksGuru,
Can you provide your config?
show configuration commands | strip-private

Dmitry · January 10, 2020, 12:13pm

I tried simple script

#!/bin/vbash
source /opt/vyatta/etc/functions/script-template

if [ "$(id -g -n)" != 'vyattacfg' ] ; then
exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

run show configuration commands | grep name-server
configure
delete service dns forwarding name-server 8.8.4.4
commit
echo " - - - "
run show configuration commands | grep name-server

exit

And result

vyos@test-rtr# time /config/scripts/test.sh
set service dns forwarding name-server '1.1.1.1'
set service dns forwarding name-server '8.8.4.4'
 - - - 
set service dns forwarding name-server '1.1.1.1'

real	0m1.730s
user	0m1.142s
sys	0m0.344s

LinuksGuru · January 10, 2020, 3:11pm

Hi, Dmitry,

You should try to run this script with sudo, since my is called via cron as root:root.
Even with

if [ "$(id -g -n)" != 'vyattacfg' ] ; then
exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

it runs as root:vyattacfg, checked with
echo "$(id -gn)" "$(whoami)"
within script, resulting some command to malfunction.

Either 1st snippet must be modified to run as “vyos:vyattacfg” either anything called via

set system task-scheduler task TASK-CHECK-GW executable path /config/scripts/myscript.sh
set system task-scheduler task TASK-CHECK-GW crontab-spec '* * * * *'

should NOT be executed as root:root.

Dmitry · January 10, 2020, 5:20pm

With sudo same result

vyos@test-rtr# sudo time /config/scripts/test.sh
set service dns forwarding name-server '1.1.1.1'
set service dns forwarding name-server '8.8.4.4'
 - - - 
set service dns forwarding name-server '1.1.1.1'
real	0m 2.09s
user	0m 1.28s
sys	0m 0.50s

LinuksGuru · January 13, 2020, 3:16pm

Hi !

Its seems there was an issue with storing shell commands in a variable, and using them as VyOS conf commands. Quite strange, everything was fine in 1.1.8.
This script runs fine in spite I don’t like using “eval”.
I tried to store commands in something like foo() { $blahblahblah; } but for whatever reason it doesn’t work.
Dmitry, if you consider this as an awkward hackwork please suggest more elegant alternative. Thanks in advance.
Test script which works below.
And yes, commit with roughly a hundred of NAT & firewall rules takes 21sec, on Jetway JBC390F541WAA-19B with Intel Celeron Bay Trail J1900 / 2GHz 4-core SoC.

#!/bin/vbash
#/config/scripts/test.sh

source /opt/vyatta/etc/functions/script-template

if [ "$(id -g -n)" != 'vyattacfg' ] ; then
    exec sg vyattacfg -c "/bin/vbash $(readlink -f $0) $@"
fi

# DNS Servers IPs.
DNS1="6.6.6.6"
DNS2="7.7.7.7"

dns1dis="delete service dns forwarding name-server "$DNS1
dns1ena="set service dns forwarding name-server "$DNS1
dns2dis="delete service dns forwarding name-server "$DNS2
dns2ena="set service dns forwarding name-server "$DNS2

configure
eval $dns1ena
eval $dns2ena
commit

run show configuration commands | grep name-server

echo ""
echo "*********************"
echo ""

configure
eval $dns1dis
eval $dns2dis
commit

run show configuration commands | grep name-server

exit

Dmitry · January 13, 2020, 10:53pm

Hi @LinuksGuru
About NAT and firewall rules, can you provide commands example? You can use <command> | strip-private for masking private data.
As for using variables for commands, I think need deep research, in this time I don’t have answer.

LinuksGuru · January 17, 2020, 1:54pm

Hi, Dmitry,

Finally get everything worked as expected.
Variables as commands working as in an example above.
Commit takes around 20sec, I can live with that.

Below is full config with private data stripped.

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name FW-DMZ-INT default-action 'drop'
set firewall name FW-DMZ-INT description 'DMZ to Internal Private LAN'
set firewall name FW-DMZ-INT rule 300 action 'accept'
set firewall name FW-DMZ-INT rule 300 state established 'enable'
set firewall name FW-DMZ-INT rule 300 state related 'enable'
set firewall name FW-DMZ-INT rule 301 action 'drop'
set firewall name FW-DMZ-INT rule 301 state invalid 'enable'
set firewall name FW-DMZ-INT rule 305 action 'accept'
set firewall name FW-DMZ-INT rule 305 protocol 'icmp'
set firewall name FW-DMZ-INT rule 310 action 'accept'
set firewall name FW-DMZ-INT rule 310 destination port 'http,https,xxx'
set firewall name FW-DMZ-INT rule 310 protocol 'tcp'
set firewall name FW-DMZ-WAN default-action 'drop'
set firewall name FW-DMZ-WAN description 'DMZ to WAN'
set firewall name FW-DMZ-WAN rule 600 action 'accept'
set firewall name FW-DMZ-WAN rule 600 state established 'enable'
set firewall name FW-DMZ-WAN rule 600 state related 'enable'
set firewall name FW-DMZ-WAN rule 601 action 'drop'
set firewall name FW-DMZ-WAN rule 601 state invalid 'enable'
set firewall name FW-DMZ-WAN rule 610 action 'accept'
set firewall name FW-DMZ-WAN rule 610 protocol 'all'
set firewall name FW-INT-DMZ default-action 'drop'
set firewall name FW-INT-DMZ description 'Internal Private LAN to DMZ'
set firewall name FW-INT-DMZ rule 200 action 'accept'
set firewall name FW-INT-DMZ rule 200 state established 'enable'
set firewall name FW-INT-DMZ rule 200 state related 'enable'
set firewall name FW-INT-DMZ rule 201 action 'drop'
set firewall name FW-INT-DMZ rule 201 state invalid 'enable'
set firewall name FW-INT-DMZ rule 210 action 'accept'
set firewall name FW-INT-DMZ rule 210 protocol 'icmp'
set firewall name FW-INT-DMZ rule 220 action 'accept'
set firewall name FW-INT-DMZ rule 220 protocol 'tcp_udp'
set firewall name FW-INT-WAN default-action 'drop'
set firewall name FW-INT-WAN description 'Internal Private LAN to WAN'
set firewall name FW-INT-WAN rule 400 action 'accept'
set firewall name FW-INT-WAN rule 400 state established 'enable'
set firewall name FW-INT-WAN rule 400 state related 'enable'
set firewall name FW-INT-WAN rule 401 action 'drop'
set firewall name FW-INT-WAN rule 401 state invalid 'enable'
set firewall name FW-INT-WAN rule 410 action 'accept'
set firewall name FW-INT-WAN rule 410 protocol 'all'
set firewall name FW-RT-2LOC-SSH default-action 'drop'
set firewall name FW-RT-2LOC-SSH rule 160 action 'accept'
set firewall name FW-RT-2LOC-SSH rule 160 state established 'enable'
set firewall name FW-RT-2LOC-SSH rule 160 state related 'enable'
set firewall name FW-RT-2LOC-SSH rule 161 action 'drop'
set firewall name FW-RT-2LOC-SSH rule 161 state invalid 'enable'
set firewall name FW-RT-2LOC-SSH rule 165 action 'drop'
set firewall name FW-RT-2LOC-SSH rule 165 destination port '***'
set firewall name FW-RT-2LOC-SSH rule 165 log 'enable'
set firewall name FW-RT-2LOC-SSH rule 165 protocol 'tcp'
set firewall name FW-RT-2LOC-SSH rule 165 recent count '3'
set firewall name FW-RT-2LOC-SSH rule 165 recent time '60'
set firewall name FW-RT-2LOC-SSH rule 165 state new 'enable'
set firewall name FW-RT-2LOC-SSH rule 167 action 'accept'
set firewall name FW-RT-2LOC-SSH rule 167 destination port '***'
set firewall name FW-RT-2LOC-SSH rule 167 log 'enable'
set firewall name FW-RT-2LOC-SSH rule 167 protocol 'tcp'
set firewall name FW-RT-LOC2ANY-ENAALL default-action 'drop'
set firewall name FW-RT-LOC2ANY-ENAALL rule 150 action 'accept'
set firewall name FW-RT-LOC2ANY-ENAALL rule 150 state established 'enable'
set firewall name FW-RT-LOC2ANY-ENAALL rule 150 state related 'enable'
set firewall name FW-RT-LOC2ANY-ENAALL rule 151 action 'drop'
set firewall name FW-RT-LOC2ANY-ENAALL rule 151 state invalid 'enable'
set firewall name FW-RT-LOC2ANY-ENAALL rule 155 action 'accept'
set firewall name FW-RT-LOC2ANY-ENAALL rule 155 protocol 'all'
set firewall name FW-WAN-DMZ default-action 'drop'
set firewall name FW-WAN-DMZ description 'WAN to DMZ'
set firewall name FW-WAN-DMZ rule 700 action 'accept'
set firewall name FW-WAN-DMZ rule 700 state established 'enable'
set firewall name FW-WAN-DMZ rule 700 state related 'enable'
set firewall name FW-WAN-DMZ rule 701 action 'drop'
set firewall name FW-WAN-DMZ rule 701 state invalid 'enable'
set firewall name FW-WAN-DMZ rule 710 action 'accept'
set firewall name FW-WAN-DMZ rule 710 destination port 'domain,http,https,smtp,ssmtp,pop3,pop3s,imap,imaps,ftp,40110-40210,***,***'
set firewall name FW-WAN-DMZ rule 710 protocol 'tcp'
set firewall name FW-WAN-DMZ rule 711 action 'accept'
set firewall name FW-WAN-DMZ rule 711 destination port 'domain'
set firewall name FW-WAN-DMZ rule 711 protocol 'udp'
set firewall name FW-WAN-DMZ rule 720 action 'accept'
set firewall name FW-WAN-DMZ rule 720 description 'LLL to DMZ ISPConfig'
set firewall name FW-WAN-DMZ rule 720 destination port '***,***'
set firewall name FW-WAN-DMZ rule 720 protocol 'tcp'
set firewall name FW-WAN-DMZ rule 725 action 'accept'
set firewall name FW-WAN-DMZ rule 725 description 'WAN-eth1-TO-NEXTCLOUD-TEST'
set firewall name FW-WAN-DMZ rule 725 destination port '***'
set firewall name FW-WAN-DMZ rule 725 protocol 'tcp'
set firewall name FW-WAN-DMZ rule 727 action 'accept'
set firewall name FW-WAN-DMZ rule 727 description 'WAN-eth1-TO-DOTPROJECT-TEST'
set firewall name FW-WAN-DMZ rule 727 destination port '***,***,***'
set firewall name FW-WAN-DMZ rule 727 protocol 'tcp'
set firewall name FW-WAN-INT default-action 'drop'
set firewall name FW-WAN-INT description 'WAN to Internal Private LAN'
set firewall name FW-WAN-INT rule 500 action 'accept'
set firewall name FW-WAN-INT rule 500 state established 'enable'
set firewall name FW-WAN-INT rule 500 state related 'enable'
set firewall name FW-WAN-INT rule 501 action 'drop'
set firewall name FW-WAN-INT rule 501 state invalid 'enable'
set firewall name FW-WAN-INT rule 530 action 'accept'
set firewall name FW-WAN-INT rule 530 destination port '80,***-***'
set firewall name FW-WAN-INT rule 530 protocol 'tcp'
set firewall name FW-WAN-INT rule 732 action 'accept'
set firewall name FW-WAN-INT rule 732 description 'WAN-eth1-TO-DOTPR11'
set firewall name FW-WAN-INT rule 732 destination port '***'
set firewall name FW-WAN-INT rule 732 protocol 'tcp'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'enable'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id 'XX:XX:XX:XX:XX:0c'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id 'XX:XX:XX:XX:XX:0d'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 address 'xxx.xxx.198.21/20'
set interfaces ethernet eth2 description 'INTF-LTC1'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id 'XX:XX:XX:XX:XX:f0'
set interfaces ethernet eth2 smp-affinity 'auto'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth3 address 'xxx.xxx.202.253/24'
set interfaces ethernet eth3 description 'INTF-BTC2'
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 hw-id 'XX:XX:XX:XX:XX:f1'
set interfaces ethernet eth3 smp-affinity 'auto'
set interfaces ethernet eth3 speed 'auto'
set interfaces ethernet eth4 address 'xxx.xxx.1.1/24'
set interfaces ethernet eth4 description 'INTF-DMZ'
set interfaces ethernet eth4 duplex 'auto'
set interfaces ethernet eth4 hw-id 'XX:XX:XX:XX:XX:f2'
set interfaces ethernet eth4 smp-affinity 'auto'
set interfaces ethernet eth4 speed 'auto'
set interfaces ethernet eth5 address 'xxx.xxx.0.1/24'
set interfaces ethernet eth5 description 'INTF-LOCAL-NET'
set interfaces ethernet eth5 duplex 'auto'
set interfaces ethernet eth5 hw-id 'XX:XX:XX:XX:XX:f3'
set interfaces ethernet eth5 smp-affinity 'auto'
set interfaces ethernet eth5 speed 'auto'
set interfaces ethernet eth6 duplex 'auto'
set interfaces ethernet eth6 hw-id 'XX:XX:XX:XX:XX:04'
set interfaces ethernet eth6 smp-affinity 'auto'
set interfaces ethernet eth6 speed 'auto'
set interfaces ethernet eth7 duplex 'auto'
set interfaces ethernet eth7 hw-id 'XX:XX:XX:XX:XX:05'
set interfaces ethernet eth7 smp-affinity 'auto'
set interfaces ethernet eth7 speed 'auto'
set interfaces ethernet eth8 duplex 'auto'
set interfaces ethernet eth8 hw-id 'XX:XX:XX:XX:XX:06'
set interfaces ethernet eth8 smp-affinity 'auto'
set interfaces ethernet eth8 speed 'auto'
set interfaces ethernet eth9 duplex 'auto'
set interfaces ethernet eth9 hw-id 'XX:XX:XX:XX:XX:07'
set interfaces ethernet eth9 smp-affinity 'auto'
set interfaces ethernet eth9 speed 'auto'
set interfaces loopback lo
set nat destination rule 700 description 'WAN-eth0-TO-DMZ'
set nat destination rule 700 destination address 'xxx.xxx.198.20'
set nat destination rule 700 destination port 'http,https,smtp,ssmtp,pop3,pop3s,imap,imaps,ftp,40110:40210'
set nat destination rule 700 inbound-interface 'any'
set nat destination rule 700 protocol 'tcp'
set nat destination rule 700 translation address 'xxx.xxx.1.3'
set nat destination rule 705 description 'WAN-eth0-TO-DMZ-dns'
set nat destination rule 705 destination address 'xxx.xxx.198.20'
set nat destination rule 705 destination port 'domain'
set nat destination rule 705 inbound-interface 'any'
set nat destination rule 705 protocol 'tcp_udp'
set nat destination rule 705 translation address 'xxx.xxx.1.3'
set nat destination rule 710 description 'WAN-eth1-TO-DMZ'
set nat destination rule 710 destination address 'xxx.xxx.202.249'
set nat destination rule 710 destination port 'http,https,smtp,ssmtp,pop3,pop3s,imap,imaps,ftp,40110:40210'
set nat destination rule 710 inbound-interface 'any'
set nat destination rule 710 protocol 'tcp'
set nat destination rule 710 translation address 'xxx.xxx.1.3'
set nat destination rule 715 description 'WAN-eth1-TO-DMZ-dns'
set nat destination rule 715 destination address 'xxx.xxx.202.249'
set nat destination rule 715 destination port 'domain'
set nat destination rule 715 inbound-interface 'any'
set nat destination rule 715 protocol 'tcp_udp'
set nat destination rule 715 translation address 'xxx.xxx.1.3'
set nat destination rule 720 description 'WAN-eth0-TO-LLL-ISPCONFIG-1'
set nat destination rule 720 destination address 'xxx.xxx.198.20'
set nat destination rule 720 destination port '***'
set nat destination rule 720 inbound-interface 'any'
set nat destination rule 720 protocol 'tcp'
set nat destination rule 720 translation address 'xxx.xxx.1.3'
set nat destination rule 720 translation port '22'
set nat destination rule 721 description 'WAN-eth1-TO-LLL-ISPCONFIG-1'
set nat destination rule 721 destination address 'xxx.xxx.202.249'
set nat destination rule 721 destination port '***'
set nat destination rule 721 inbound-interface 'any'
set nat destination rule 721 protocol 'tcp'
set nat destination rule 721 translation address 'xxx.xxx.1.3'
set nat destination rule 721 translation port '22'
set nat destination rule 722 description 'WAN-eth0-TO-WWW-ISPCONFIG-1'
set nat destination rule 722 destination address 'xxx.xxx.198.20'
set nat destination rule 722 destination port '***'
set nat destination rule 722 inbound-interface 'any'
set nat destination rule 722 protocol 'tcp'
set nat destination rule 722 translation address 'xxx.xxx.1.3'
set nat destination rule 722 translation port '***'
set nat destination rule 723 description 'WAN-eth1-TO-WWW-ISPCONFIG-1'
set nat destination rule 723 destination address 'xxx.xxx.202.249'
set nat destination rule 723 destination port '8081'
set nat destination rule 723 inbound-interface 'any'
set nat destination rule 723 protocol 'tcp'
set nat destination rule 723 translation address 'xxx.xxx.1.3'
set nat destination rule 723 translation port '***'
set nat destination rule 725 description 'WAN-eth1-TO-NEXTCLOUD-TEST'
set nat destination rule 725 destination address 'xxx.xxx.202.249'
set nat destination rule 725 destination port '***'
set nat destination rule 725 inbound-interface 'any'
set nat destination rule 725 protocol 'tcp'
set nat destination rule 725 translation address 'xxx.xxx.1.112'
set nat destination rule 725 translation port '***'
set nat destination rule 727 description 'WAN-eth1-TO-DOTPR-HTTP'
set nat destination rule 727 destination address 'xxx.xxx.202.249'
set nat destination rule 727 destination port '***'
set nat destination rule 727 inbound-interface 'any'
set nat destination rule 727 protocol 'tcp'
set nat destination rule 727 translation address 'xxx.xxx.1.115'
set nat destination rule 727 translation port '***'
set nat destination rule 728 description 'WAN-eth1-TO-DOTPR-HTTPS'
set nat destination rule 728 destination address 'xxx.xxx.202.249'
set nat destination rule 728 destination port '***'
set nat destination rule 728 inbound-interface 'any'
set nat destination rule 728 protocol 'tcp'
set nat destination rule 728 translation address 'xxx.xxx.1.115'
set nat destination rule 728 translation port '***'
set nat destination rule 729 description 'WAN-eth1-TO-DOTPR-DAT'
set nat destination rule 729 destination address 'xxx.xxx.202.249'
set nat destination rule 729 destination port '***'
set nat destination rule 729 inbound-interface 'any'
set nat destination rule 729 protocol 'tcp'
set nat destination rule 729 translation address 'xxx.xxx.1.115'
set nat destination rule 729 translation port '***'
set nat destination rule 732 description 'WAN-eth1-TO-DOTPR11'
set nat destination rule 732 destination address 'xxx.xxx.202.249'
set nat destination rule 732 destination port '***'
set nat destination rule 732 inbound-interface 'eth1'
set nat destination rule 732 protocol 'tcp'
set nat destination rule 732 translation address 'xxx.xxx.0.11'
set nat destination rule 732 translation port '80'
set nat destination rule 1221 description 'WAN-YYY-REAR-PARK2'
set nat destination rule 1221 destination port '***'
set nat destination rule 1221 inbound-interface 'any'
set nat destination rule 1221 protocol 'tcp'
set nat destination rule 1221 translation address 'xxx.xxx.0.221'
set nat destination rule 1221 translation port '80'
set nat destination rule 1222 description 'WAN-YYY-STREET-LPOST1'
set nat destination rule 1222 destination port '***'
set nat destination rule 1222 inbound-interface 'any'
set nat destination rule 1222 protocol 'tcp'
set nat destination rule 1222 translation address 'xxx.xxx.0.222'
set nat destination rule 1222 translation port '80'
set nat destination rule 1223 description 'WAN-YYY-HALL1'
set nat destination rule 1223 destination port '***'
set nat destination rule 1223 inbound-interface 'any'
set nat destination rule 1223 protocol 'tcp'
set nat destination rule 1223 translation address 'xxx.xxx.0.223'
set nat destination rule 1223 translation port '80'
set nat destination rule 1224 description 'WAN-eth0-YYY-WHBIG2'
set nat destination rule 1224 destination port '***'
set nat destination rule 1224 inbound-interface 'any'
set nat destination rule 1224 protocol 'tcp'
set nat destination rule 1224 translation address 'xxx.xxx.0.224'
set nat destination rule 1224 translation port '80'
set nat destination rule 1225 description 'WAN-YYY-OFFICE-CORRIDOR'
set nat destination rule 1225 destination port '***'
set nat destination rule 1225 inbound-interface 'any'
set nat destination rule 1225 protocol 'tcp'
set nat destination rule 1225 translation address 'xxx.xxx.0.225'
set nat destination rule 1225 translation port '80'
set nat destination rule 1226 description 'WAN-YYY-WHOLD-1'
set nat destination rule 1226 destination port '***'
set nat destination rule 1226 inbound-interface 'any'
set nat destination rule 1226 protocol 'tcp'
set nat destination rule 1226 translation address 'xxx.xxx.0.226'
set nat destination rule 1226 translation port '80'
set nat destination rule 1227 description 'WAN-YYY-WHOLD-RAMP'
set nat destination rule 1227 destination port '***'
set nat destination rule 1227 inbound-interface 'any'
set nat destination rule 1227 protocol 'tcp'
set nat destination rule 1227 translation address 'xxx.xxx.0.227'
set nat destination rule 1227 translation port '80'
set nat destination rule 1228 description 'WAN-YYY-STREET2-WH'
set nat destination rule 1228 destination port '***'
set nat destination rule 1228 inbound-interface 'any'
set nat destination rule 1228 protocol 'tcp'
set nat destination rule 1228 translation address 'xxx.xxx.0.228'
set nat destination rule 1228 translation port '80'
set nat destination rule 1230 description 'WAN-YYY-WHBIG1'
set nat destination rule 1230 destination port '***'
set nat destination rule 1230 inbound-interface 'any'
set nat destination rule 1230 protocol 'tcp'
set nat destination rule 1230 translation address 'xxx.xxx.0.230'
set nat destination rule 1230 translation port '80'
set nat destination rule 1231 description 'WAN-YYY-REAR-PARK1'
set nat destination rule 1231 destination port '***'
set nat destination rule 1231 inbound-interface 'any'
set nat destination rule 1231 protocol 'tcp'
set nat destination rule 1231 translation address 'xxx.xxx.0.231'
set nat destination rule 1231 translation port '80'
set nat destination rule 1232 description 'WAN-YYY-ENTRANCE2'
set nat destination rule 1232 destination port '***'
set nat destination rule 1232 inbound-interface 'any'
set nat destination rule 1232 protocol 'tcp'
set nat destination rule 1232 translation address 'xxx.xxx.0.233'
set nat destination rule 1232 translation port '80'
set nat source rule 100 outbound-interface 'eth2'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address 'xxx.xxx.0.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 101 outbound-interface 'eth2'
set nat source rule 101 protocol 'all'
set nat source rule 101 source address 'xxx.xxx.1.0/24'
set nat source rule 101 translation address 'masquerade'
set nat source rule 120 outbound-interface 'eth3'
set nat source rule 120 protocol 'all'
set nat source rule 120 source address 'xxx.xxx.0.0/24'
set nat source rule 120 translation address 'masquerade'
set nat source rule 121 outbound-interface 'eth3'
set nat source rule 121 protocol 'all'
set nat source rule 121 source address 'xxx.xxx.1.0/24'
set nat source rule 121 translation address 'masquerade'
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.198.17 distance '15'
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.202.254 distance '100'
set service dns forwarding allow-from 'xxx.xxx.0.0/0'
set service dns forwarding listen-address 'xxx.xxx.0.1'
set service dns forwarding name-server 'xxx.xxx.64.2'
set service dns forwarding name-server 'xxx.xxx.12.242'
set service dns forwarding system
set service ssh port '****'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx level 'admin'
set system name-server 'xxx.xxx.8.8'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.0.4'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.0.6'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.0.7'
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system task-scheduler task TASK-CHECK-GW crontab-spec '* * * * *'
set system task-scheduler task TASK-CHECK-GW executable path '/config/scripts/anvcheckgw.sh'
set system time-zone 'Europe/****'
set zone-policy zone ZONE-DMZ default-action 'drop'
set zone-policy zone ZONE-DMZ from ZONE-INT firewall name 'FW-INT-DMZ'
set zone-policy zone ZONE-DMZ from ZONE-WAN firewall name 'FW-WAN-DMZ'
set zone-policy zone ZONE-DMZ from ZONE-ROUTER-LOCAL firewall name 'FW-RT-LOC2ANY-ENAALL'
set zone-policy zone ZONE-DMZ interface 'eth4'
set zone-policy zone ZONE-INT default-action 'drop'
set zone-policy zone ZONE-INT from ZONE-DMZ firewall name 'FW-DMZ-INT'
set zone-policy zone ZONE-INT from ZONE-WAN firewall name 'FW-WAN-INT'
set zone-policy zone ZONE-INT from ZONE-ROUTER-LOCAL firewall name 'FW-RT-LOC2ANY-ENAALL'
set zone-policy zone ZONE-INT interface 'eth5'
set zone-policy zone ZONE-WAN default-action 'drop'
set zone-policy zone ZONE-WAN from ZONE-DMZ firewall name 'FW-DMZ-WAN'
set zone-policy zone ZONE-WAN from ZONE-INT firewall name 'FW-INT-WAN'
set zone-policy zone ZONE-WAN from ZONE-ROUTER-LOCAL firewall name 'FW-RT-LOC2ANY-ENAALL'
set zone-policy zone ZONE-WAN interface 'eth2'
set zone-policy zone ZONE-WAN interface 'eth3'
set zone-policy zone ZONE-ROUTER-LOCAL default-action 'drop'
set zone-policy zone ZONE-ROUTER-LOCAL from ZONE-DMZ firewall name 'FW-RT-LOC2ANY-ENAALL'
set zone-policy zone ZONE-ROUTER-LOCAL from ZONE-INT firewall name 'FW-RT-LOC2ANY-ENAALL'
set zone-policy zone ZONE-ROUTER-LOCAL from ZONE-WAN firewall name 'FW-RT-2LOC-SSH'
set zone-policy zone ZONE-ROUTER-LOCAL local-zone