
分享一个 h3c 防火墙配置

  •   c0c0c0 · 192 天前 · 1479 次点击

    实现了以下功能:

    • 三个 WAN 口,分别是 PPPoE、静态 IP、DHCP
    • 实现了内外网分流
    • 实现了内网互通。防火墙和 ikuai/openwrt 的配置很不一样,踩了很多坑,折腾一周才弄好,很多 AI 都没法解决,只能自己去社区查资料。
      为啥要折腾这个,一个是便宜,400 块就可以买到,二是 pve 的 ikuai 分流老是有问题,我觉得商业产品可能更稳定一些,三是因为在公司有公网,加个防火墙配置策略也安全一点
    #
    # Review notes in this listing are added as '#' lines, which Comware treats as
    # comment/separator lines when a configuration file is loaded; they add no commands.
     version 7.1.064, Release 9660P52
    #
     sysname H3C
    #
     clock timezone Beijing add 08:00:00
     clock protocol ntp
    #
     irf mac-address persistent timer
     irf auto-update enable
     undo irf link-delay
     irf member 1 priority 1
    #
     archive configuration location flash: filename-prefix 20250403
    #
     dialer-group 2 rule ip permit
    #
     nat log enable
    #
     dhcp enable
    #
     dns server 8.8.8.8
     dns server 114.114.114.114
    #
    # NOTE(review): console password recovery stays enabled, so anyone with physical
    # console access can reset the credentials. Acceptable only if the rack is
    # physically controlled; otherwise 'undo password-recovery enable'.
     password-recovery enable
    #
    vlan 1
    #
    # NOTE(review): this object-group covers 192.168.3.0/24, which no interface or DHCP
    # pool in this listing uses (the Trust LANs are 192.168.4.0/24 and 192.168.8.0/24),
    # and no security-policy rule references it -- presumably a leftover; confirm.
    object-group ip address 内网
     security-zone Trust
     0 network subnet 192.168.3.0 255.255.255.0
    #
    # DHCP pool for the GigabitEthernet1/0/11 LAN (192.168.8.0/24).
    dhcp server ip-pool 1
     gateway-list 192.168.8.1
     network 192.168.8.0 mask 255.255.255.0
     dns-list 114.114.114.114 8.8.8.8
    #
    # DHCP pool for the GigabitEthernet1/0/10 LAN (192.168.4.0/24); hands out a
    # different resolver than pool 1 -- harmless, but probably unintended.
    dhcp server ip-pool 2
     gateway-list 192.168.4.1
     network 192.168.4.0 mask 255.255.255.0
     dns-list 223.5.5.5
    #
    controller Cellular1/0/0
    #
    controller Cellular1/0/1
    #
    # PPPoE WAN (bundle 0 on GigabitEthernet1/0/4). 'zhanghu' / 'mima' look like the
    # poster's placeholders for the real account and password, not literal values.
    interface Dialer0
     mtu 1492
     ppp chap password cipher mima
     ppp chap user zhanghu 
     ppp ipcp dns admit-any 
     ppp ipcp dns request 
     ppp pap local-user zhanghu password cipher mima
     dialer-group 2
     dialer timer idle 0
     dialer timer autodial 5
     ip address ppp-negotiate
    # NOTE(review): with MTU 1492 the TCP MSS can be 1452 (1492 - 20 IP - 20 TCP);
    # 1400 works but clamps more than necessary (see reply #4 on the thread).
     tcp mss 1400
     nat outbound port-preserved counting
    #
    interface NULL0
    #
    # Management-zone interface (see 'security-zone name Management' below). No
    # zone-pair or security-policy rule in this listing covers the Management zone,
    # so with the default drop these addresses are not reachable for management
    # unless a permit exists outside this listing -- confirm.
    interface GigabitEthernet1/0/0
     port link-mode route
     combo enable copper
     ip address 192.168.0.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1
     port link-mode route
     combo enable fiber
    #
    # Second Management-zone interface; same remark as GigabitEthernet1/0/0.
    interface GigabitEthernet1/0/2
     port link-mode route
     ip address 192.168.99.1 255.255.255.0
    #
    interface GigabitEthernet1/0/3
     port link-mode route
    #
    # Physical port of the PPPoE bundle; member of the Untrust zone.
    # NOTE(review): 'manage http/https/ssh/ping inbound' on an Untrust interface,
    # together with security-policy rule 5 (Untrust -> Local, pass) further down,
    # exposes HTTP/HTTPS/SSH login to the public side of this link. Keep inbound
    # management on the Management-zone interfaces only ('undo manage http inbound',
    # 'undo manage ssh inbound', ...) or restrict rule 5. The same applies to
    # GigabitEthernet1/0/5 and GigabitEthernet1/0/6 below.
    interface GigabitEthernet1/0/4
     port link-mode route
     nat outbound
     nat hairpin enable
     manage http inbound
     manage http outbound
     manage https inbound
     manage https outbound
     manage ping inbound
     manage ping outbound
     manage ssh inbound
     manage ssh outbound
     undo dhcp select server
     pppoe-client dial-bundle-number 0
    #
    # DHCP-addressed WAN; member of the Untrust zone (see the note on 1/0/4 about
    # inbound management).
    interface GigabitEthernet1/0/5
     port link-mode route
     ip address dhcp-alloc
     nat outbound
     nat hairpin enable
     manage http inbound
     manage http outbound
     manage https inbound
     manage https outbound
     manage ping inbound
     manage ping outbound
     manage ssh inbound
     manage ssh outbound
     undo dhcp select server
    #
    # Static-IP WAN toward 192.168.6.1 (the 'openwrt' load-balance link); member of
    # the Untrust zone, so the 192.168.6.0/24 segment is treated like the internet by
    # the security policy (see the note on 1/0/4 about inbound management).
    interface GigabitEthernet1/0/6
     port link-mode route
     ip address 192.168.6.88 255.255.255.0
     nat outbound
     nat hairpin enable
     manage http inbound
     manage http outbound
     manage https inbound
     manage https outbound
     manage ping inbound
     manage ping outbound
     manage ssh inbound
     manage ssh outbound
     gateway 192.168.6.1
    #
    interface GigabitEthernet1/0/7
     port link-mode route
    #
    interface GigabitEthernet1/0/8
     port link-mode route
    #
    interface GigabitEthernet1/0/9
     port link-mode route
    #
    # Trust LAN 192.168.4.0/24 (DHCP pool 2).
    # NOTE(review): 'nat outbound' (no ACL) and 'nat outbound 2000' on an inside
    # interface translate traffic leaving toward this LAN to the interface address,
    # so hosts in the other LAN see 192.168.4.1 instead of the real source and
    # 'nat log' entries lose the original address. Presumably added while getting
    # LAN-to-LAN reachability to work; rule 6 (Trust -> Trust, pass) should already
    # allow it without NAT -- verify and drop the NAT if so. Same on 1/0/11.
    interface GigabitEthernet1/0/10
     port link-mode route
     ip address 192.168.4.1 255.255.255.0
     ip last-hop hold
     nat outbound
     nat outbound 2000
     nat hairpin enable
     manage http inbound
     manage http outbound
     manage https inbound
     manage https outbound
     manage ping inbound
     manage ping outbound
     manage ssh inbound
     manage ssh outbound
    #
    # Trust LAN 192.168.8.0/24 (DHCP pool 1); see the NAT note on 1/0/10.
    interface GigabitEthernet1/0/11
     port link-mode route
     ip address 192.168.8.1 255.255.255.0
     nat outbound
     nat outbound 2000
     nat hairpin enable
     manage http inbound
     manage http outbound
     manage https inbound
     manage https outbound
     manage ping inbound
     manage ping outbound
     manage ssh inbound
     manage ssh outbound
    #
    # Zone layout: Local = the firewall itself, Trust = the two LANs, Untrust = all
    # three WAN links, Management = the two out-of-band management ports.
    security-zone name Local
    #
    security-zone name Trust
     import interface GigabitEthernet1/0/10
     import interface GigabitEthernet1/0/11
    #
    security-zone name DMZ
    #
    # NOTE(review): the static-IP link to the openwrt side (GigabitEthernet1/0/6,
    # 192.168.6.0/24) shares this zone with the public links, so the policy below
    # gives that segment exactly the same rights as the internet.
    security-zone name Untrust
     import interface Dialer0
     import interface GigabitEthernet1/0/4
     import interface GigabitEthernet1/0/5
     import interface GigabitEthernet1/0/6
    #
    # NOTE(review): interfaces are imported, but no zone-pair or security-policy
    # rule in this listing involves Management -- see the note on 1/0/0.
    security-zone name Management
     import interface GigabitEthernet1/0/0
     import interface GigabitEthernet1/0/2
    #
    # The zone-pairs below carry no filtering themselves; the actual rules are in
    # 'security-policy ip' near the end of the file.
    zone-pair security source Local destination Trust
    #
    zone-pair security source Local destination Untrust
    #
    zone-pair security source Trust destination Local
    #
    zone-pair security source Trust destination Untrust
    #
     scheduler logfile size 16
    #
    line class aux
     user-role network-operator
    #
    line class console
     authentication-mode scheme
     user-role network-admin
    #
    line class vty
     user-role network-operator
    #
    # NOTE(review): aux 0 is given network-admin but sets no authentication-mode, so
    # it inherits the aux class default -- confirm that default is not 'none'.
    line aux 0
     user-role network-admin
    #
    # NOTE(review): con 0 overrides the console class with password-only login: a
    # single shared secret (hash redacted as 'mima') and no username, so console
    # sessions are not attributable to a person. 'authentication-mode scheme', as
    # already used for vty, would authenticate against the local-user accounts.
    line con 0
     authentication-mode password
     user-role network-admin
     set authentication password hash mima
    #
    # Remote CLI: AAA scheme (local-user admin below) with network-admin.
    line vty 0 63
     authentication-mode scheme
     user-role network-admin
    #
    # Default route over the PPPoE link; the load-balance policy below overrides
    # this for matched classes.
     ip route-static 0.0.0.0 0 Dialer0
    # NOTE(review): 192.168.1.1 is also the 'cmcc' load-balance link router, but no
    # interface in this listing carries a 192.168.1.0/24 address; the next hop is
    # presumably the DHCP-learned gateway on GigabitEthernet1/0/5 -- confirm.
     ip route-static 10.251.251.0 24 192.168.1.1
     ip route-static 192.168.20.0 24 192.168.1.1
    #
    performance-management
    #
     ssh server enable
    #
     arp ip-conflict log prompt
    #
    # NOTE(review): NTP peers are unauthenticated; log timestamps and the archive
    # file names depend on them. 'sntp' below targets the same server, so both NTP
    # and SNTP are enabled at once -- one is enough.
     ntp-service enable
     ntp-service unicast-peer 101.6.6.172
     ntp-service unicast-peer 203.107.6.88
    #
     sntp unicast-server 101.6.6.172 version 1
    #
    # Used by 'nat outbound 2000' on the two Trust interfaces: matches both LANs.
    acl number 2000
     rule 5 permit source 192.168.8.0 0.0.0.255
     rule 10 permit source 192.168.4.0 0.0.0.255
    #
    # Empty and unreferenced in this listing.
    acl basic 2001
    #
    # Single /24 and unreferenced anywhere in this listing -- looks like an abandoned
    # attempt at ACL-based domestic/foreign splitting, superseded by the
    # 'loadbalance ... isp' classes below.
    acl advanced 3000
     description 国内
     rule 0 permit ip destination 1.0.1.0 0.0.0.255
    #
    domain system
    #
     domain default enable system
    #
    # Predefined level-0 .. level-14 roles; unchanged defaults.
    role name level-0
     description Predefined level-0 role
    #
    role name level-1
     description Predefined level-1 role
    #
    role name level-2
     description Predefined level-2 role
    #
    role name level-3
     description Predefined level-3 role
    #
    role name level-4
     description Predefined level-4 role
    #
    role name level-5
     description Predefined level-5 role
    #
    role name level-6
     description Predefined level-6 role
    #
    role name level-7
     description Predefined level-7 role
    #
    role name level-8
     description Predefined level-8 role
    #
    role name level-9
     description Predefined level-9 role
    #
    role name level-10
     description Predefined level-10 role
    #
    role name level-11
     description Predefined level-11 role
    #
    role name level-12
     description Predefined level-12 role
    #
    role name level-13
     description Predefined level-13 role
    #
    role name level-14
     description Predefined level-14 role
    #
    user-group system
    #
    # NOTE(review): a single shared 'admin' account for SSH, console and web.
    # network-admin already includes what level-3 and network-operator grant, so
    # the extra two roles are redundant. Per-person accounts would make the
    # logs attribute changes to individuals. 'mima' stands in for the real hash.
    local-user admin class manage
     password hash mima
     service-type ssh terminal http https
     authorization-attribute user-role level-3
     authorization-attribute user-role network-admin
     authorization-attribute user-role network-operator
    #
     ipsec logging negotiation enable
    #
     ike logging negotiation enable
    #
    # NOTE(review): plain HTTP management is enabled next to HTTPS; combined with
    # 'manage http inbound' on the Untrust interfaces and rule 5 below, the web
    # login can be reached in cleartext from the WAN side. 'undo ip http enable'
    # keeps HTTPS only.
     ip http enable
     ip https enable
    #
    inspect logging parameter-profile av_logging_default_parameter
    #
    inspect logging parameter-profile ips_logging_default_parameter
    #
    inspect logging parameter-profile url_logging_default_parameter
    #
    inspect email parameter-profile mailsetting_default_parameter
     undo authentication enable
    #
    # Link-load-balancing (policy routing) setup. Each link-group wraps one link;
    # classes pick traffic, actions map it to a link-group, and the single policy
    # ties them together under a catch-all virtual server.
    loadbalance link-group 8duan
     predictor hash address source
     transparent enable
     success-criteria at-least 1
     link 8duan
      success-criteria at-least 1
    #
    # NOTE(review): link-group cmcc is defined but not referenced by any action or
    # policy in this listing, so it is unused.
    loadbalance link-group cmcc
     predictor hash address source
     transparent enable
     success-criteria at-least 1
     link cmcc
      success-criteria at-least 1
    #
    loadbalance link-group openwrt
     predictor hash address source
     transparent enable
     success-criteria at-least 1
     link openwrt
      success-criteria at-least 1
    #
    loadbalance link-group pppoe_dianxin
     predictor hash address source
     transparent enable
     success-criteria at-least 1
     link pppoe_dianxin
      success-criteria at-least 1
    #
    # LAN destinations: matched first in the policy and forwarded normally.
    loadbalance class 4duan type link-generic match-any
     match 97 destination ip address 192.168.4.0 24
    #
    loadbalance class 8duan type link-generic match-any
     match 55 destination ip address 192.168.8.0 24
    #
    loadbalance class openwrt type link-generic match-any
     match 12 destination ip address 192.168.6.0 24
    #
    # NOTE(review): the classes 电信特征, 国外 ip 识别, 联通特征 00 and 移动特征 are
    # defined but not used by the policy below, so they have no effect as posted.
    loadbalance class 电信特征 type link-generic match-any
     description 电信特征 168.2.1
     match 16821 isp chinatel
    #
    # Domestic traffic: every ISP entry of region 'china' plus the generic 'cn' set.
    loadbalance class 国内特征 type link-generic match-any
     description 国内通用特征 100
     match 100 isp cn
     match 16800 isp cnc
     match 16811 isp cmcc
     match 16812 isp educn
     match 16813 isp chinatel
    #
    loadbalance class 国外 ip 识别 type link-generic match-any
     description 国外黑洞
     match 2000 isp hk
     match 2001 isp mo
     match 2002 isp tw
     match 2003 isp 国外测试组-咕噜咕噜
    #
    loadbalance class 联通特征 00 type link-generic match-any
     description 联通特征 200
     match 200 isp cnc
    #
    # NOTE(review): 'x' and '1x' are the poster's redactions of the real prefixes;
    # these lines would not parse as written.
    loadbalance class 内网 type link-generic match-any
     match 100 destination ip address x
     match 102 source ip address x
     match 324 destination ip address 1x
     match 1231 destination ip address x
    #
    loadbalance class 移动特征 type link-generic match-any
     description 移动特征 192.168.1.1
     match 16811 isp cmcc
    #
    # Default action: everything not matched by a class goes out via the openwrt
    # link (GigabitEthernet1/0/6 -> 192.168.6.1).
    loadbalance action ##defaultactionforllbipv4##%%autocreatedbyweb%% type link-generic
     link-group openwrt
    #
    loadbalance action ob$action$#for#4duan type link-generic
     forward all
    #
    loadbalance action ob$action$#for#8duan type link-generic
     forward all
    #
    loadbalance action ob$action$#for#openwrt type link-generic
     forward all
    #
    # Domestic traffic takes the PPPoE link; if that link fails the policy continues
    # to the default action (openwrt link).
    loadbalance action ob$action$#for#国内特征 type link-generic
     link-group pppoe_dianxin
     fallback-action continue
    #
    loadbalance action ob$action$#for#内网 type link-generic
     forward all
    #
    # Evaluation order: LAN destinations, the redacted 内网 class, domestic ISP
    # ranges, then the default (openwrt) link.
    loadbalance policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%% type link-generic
     class 4duan action ob$action$#for#4duan
     class 8duan action ob$action$#for#8duan
     class openwrt action ob$action$#for#openwrt
     class 内网 action ob$action$#for#内网
     class 国内特征 action ob$action$#for#国内特征
     default-class action ##defaultactionforllbipv4##%%autocreatedbyweb%%
    #
    # Catch-all IPv4 virtual server that applies the policy above.
    virtual-server ##defaultvsforllbipv4##%%autocreatedbyweb%% type link-ip
     virtual ip address 0.0.0.0 0
     lb-policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%%
     bandwidth busy-protection enable
     bandwidth interface statistics enable
     service enable
    #
    loadbalance isp name 国外测试组-咕噜咕噜 
     description 咕噜咕噜 ip 组-测试
     ip address 93.123.23.0 24
    #
    # Only covers the 192.168.8.0/24 LAN, not 192.168.4.0/24; and this isp entry is
    # not referenced by any class in this listing.
    loadbalance isp name 内网 
     ip address 192.168.8.0 24
    #
     loadbalance isp file flash:/lbispinfo.tp
    #
    # NOTE(review): the ISP address database that drives domestic/foreign routing
    # is refreshed daily from whois.iana.org over the network; the split depends on
    # that download being correct, so keep an eye on it after updates.
     loadbalance isp auto-update enable
     loadbalance isp auto-update frequency per-day
     loadbalance isp auto-update whois-server domain whois.iana.org
    #
    loadbalance region china
     isp chinatel
     isp cmcc
     isp cnc
     isp educn
    #
    # 'router ip' here is the firewall's own GigabitEthernet1/0/10 address; this
    # link only backs the 4duan forward-all class.
    loadbalance link 4duan
     router ip 192.168.4.1
     success-criteria at-least 1
    #
    loadbalance link 8duan
     router ip 192.168.8.1
    #
    loadbalance link cmcc
     router ip 192.168.1.1
     success-criteria at-least 1
    #
    loadbalance link openwrt
     router ip 192.168.6.1
     success-criteria at-least 1
    #
    loadbalance link pppoe_dianxin
     router interface Dialer0
     success-criteria at-least 1
    #
    # NOTE(review): as posted, this policy is a permit-any in every direction that
    # has a rule: rules 4, 5 and 8 pass all traffic from Untrust with no source,
    # destination or service restriction. Rule 4 lets anything routed from a WAN
    # link (including the openwrt-side 192.168.6.0/24 on GigabitEthernet1/0/6)
    # reach both LANs, and rule 5 lets it reach the firewall itself -- which is
    # what turns the 'manage ... inbound' lines on the WAN interfaces into an
    # internet-facing SSH/HTTP/HTTPS login. Reply traffic for sessions started from
    # Trust/Local is matched by the session table and does not need an inbound pass
    # rule, so rules 4, 5 and 8 can be removed, or narrowed to the specific
    # sources/services actually required, and the default drop does the rest.
    security-policy ip
     rule 0 name pass-0
      action pass
      source-zone Local
      destination-zone Trust
     rule 1 name pass-1
      action pass
      source-zone Local
      destination-zone Untrust
     rule 2 name pass-2
      action pass
      source-zone Trust
      destination-zone Local
     rule 3 name pass-3
      action pass
      source-zone Trust
      destination-zone Untrust
    # Untrust -> Trust, any/any -- see the note above.
     rule 4 name pass-4
      action pass
      source-zone Untrust
      destination-zone Trust
    # Untrust -> Local, any/any -- exposes device management to the WAN links.
     rule 5 name pass-5
      action pass
      source-zone Untrust
      destination-zone Local
    # Trust -> Trust: inter-LAN traffic between 192.168.4.0/24 and 192.168.8.0/24.
     rule 6 name pass-6
      action pass
      source-zone Trust
      destination-zone Trust
     rule 7 name pass-7
      action pass
      source-zone Local
      destination-zone Local
    # Untrust -> Untrust, any/any: lets the firewall relay between the WAN links
    # (e.g. the openwrt segment and the internet); web-created rule, see note above.
     rule 8 name Untrust_Untrust_8_IPv4
      action pass
      source-zone Untrust
      destination-zone Untrust
    #
    # IPS / anti-virus logging profiles exist, but no rule above attaches an IPS or
    # AV profile, so no content inspection runs in this configuration.
    ips logging parameter-profile ips_logging_default_parameter
    #
    anti-virus logging parameter-profile av_logging_default_parameter
    #
    # The device registers with the vendor's cloud management service; this is an
    # outbound dependency (and a management path) to be aware of.
     cloud-management server domain secops.h3c.com
    #
    return
    
    
    4 条回复    2025-04-15 19:54:54 +08:00
    defunct9
        1
    defunct9  
       192 天前
    怎么看着像半吊子的锐捷
    wheat0r
        2
    wheat0r  
       192 天前
    @defunct9 锐捷是思科命令,h3c 是华为命令
    djw123
        3
    djw123  
       192 天前   ❤️ 1
    H3C 的墙其实 web 就能完胜,而且这一眼 F1000 策略太多吞吐跟不上
    xqzr
        4
    xqzr  
       192 天前
    > tcp mss 1400

    MSS 最佳 1452