<aside> 🔥 MAIN_IN
allow estab/related from other VLANs
drop invalid
allow port 53,67 for DNS,DHCP
allow port 445 for SMB
allow ports for Windows Deployment Services
allow 10.0.110.0/24 (IoT devices)
allow from 10.0.100.0/24 to 10.0.100.0/24 (to make sure devices can communicate)
deny 10.0.100.5 to pppoe0 (block internet access)
deny 10.0.0.0/8 (rest of net)

MAIN_LOCAL
allow estab/related
drop invalid
allow port 53,67 for DNS,DHCP
</aside>
<aside> 🔥 IOT_IN
allow estab/related from other VLANs
drop invalid
allow port 53,67 for DNS,DHCP
deny 10.0.0.0/8 (rest of net)

IOT_LOCAL
allow estab/related
drop invalid
allow port 53,67 for DNS,DHCP
</aside>
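The IOT_IN shorthand above, written out as an EdgeOS (EdgeRouter) firewall ruleset in the same config syntax as the NAT rules on this page. This is an added example, not the page's own configuration; it assumes the IoT VLAN is switch0.110 (only the camera VLAN's switch0.120 appears on the page), that the default action is accept (the notes list a default drop only for CAM_IN), and the rule numbers are arbitrary.

```text
firewall {
    name IOT_IN {
        /* assumed: no default drop is listed for IOT_IN, so IoT keeps internet */
        default-action accept
        rule 10 {
            action accept
            description "allow estab/related from other VLANs"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "drop invalid"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "allow port 53,67 for DNS,DHCP"
            destination {
                port 53,67
            }
            protocol tcp_udp
        }
        rule 40 {
            action drop
            description "deny 10.0.0.0/8 (rest of net)"
            destination {
                address 10.0.0.0/8
            }
        }
    }
}
interfaces {
    ethernet switch0 {
        /* assumed: IoT VLAN 110 on switch0, matching 10.0.110.0/24 */
        vif 110 {
            description "IoT"
            firewall {
                in {
                    name IOT_IN
                }
            }
        }
    }
}
```

Rule order matters: the established/related accept has to sit above the 10.0.0.0/8 deny, otherwise reply packets for connections opened from MAIN into the IoT VLAN are dropped by rule 40.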
<aside> 🚦 QoS: limited (at router) to 250 kbps up, 2 Mbps down
</aside>
<aside> 🔥 CAM_IN
default drop
allow estab/related
drop invalid
allow port 53,67 for DNS,DHCP
deny 10.0.0.0/8 (lans)
deny 0.0.0.0/8 (internet)

CAM_LOCAL
allow estab/related
drop invalid
allow port 53,67 for DNS,DHCP
</aside>
<aside> 💱 NAT rules: redirect any NTP requests from the camera VLAN (10.0.120.0/24) to the Synology (NVR)'s NTP server.
rule 1 {
    description "redir cam ntp to syno"
    destination {
        port 123
    }
    inbound-interface switch0.120
    inside-address {
        address SYNO IP ADDR
        port 123
    }
    log disable
    protocol udp
    source {
        address 10.0.120.0/24
    }
    type destination
}
rule 5011 {
    description "masq for cam vlan"
    log disable
    outbound-interface switch0.120
    protocol all
    source {
        address 10.0.120.0/24
    }
    type masquerade
}
</aside>
<aside> 🚦 QoS: limited at AP (per device) to 50 Mbps up, 5 Mbps down
</aside>
<aside> 🔥 GUEST_IN
allow estab/related from other VLANs
drop invalid
allow port 53,67 for DNS,DHCP
deny 10.0.0.0/8 (rest of net)

GUEST_LOCAL
allow estab/related
drop invalid
allow port 53,67 for DNS,DHCP
</aside>
Currently this is used for tailscale.home.tomr.network.