{
"general" : {
"wan_interface" : "eno2" ,
"log_max_kb" : 1024 ,
"log_errors_only" : false ,
"dnsmasq_log_queries" : false ,
"daily_execute_time_24hr_local" : "02:30"
} ,
"upstream_dns" : {
"strict_order" : false ,
"cache_size" : 10000 ,
"upstream_servers" : [
"1.1.1.1" ,
"1.0.0.1" ,
"2606:4700:4700::1111" ,
"2606:4700:4700::1001"
]
} ,
"banned_ips" : [
{ "description" : "Example: single IPv4 ban" , "enabled" : false , "ip" : "94.130.52.18" } ,
{ "description" : "Example: ban IPv4 /24 by wildcard" , "enabled" : false , "ip" : "94.130.52.*" } ,
{ "description" : "Example: ban IPv4 /16 by wildcard" , "enabled" : false , "ip" : "94.130.*.*" } ,
{ "description" : "Example: ban IPv4 CIDR" , "enabled" : false , "ip" : "94.130.0.0/16" } ,
{ "description" : "Example: ban IPv4 range in one octet" , "enabled" : false , "ip" : "94.130.52.1-20" } ,
{ "description" : "Example: ban IPv4 range and wildcard" , "enabled" : false , "ip" : "94.130-133.52.*" } ,
{ "description" : "Example: single IPv6 ban" , "enabled" : false , "ip" : "2a01:4f8:c17:b0f::2" } ,
{ "description" : "Example: ban IPv6 /48 by wildcard" , "enabled" : false , "ip" : "2a01:4f8:c17:*" } ,
{ "description" : "Example: ban IPv6 CIDR" , "enabled" : false , "ip" : "2a01:4f8::/32" }
] ,
"host_overrides" : [
{
"description" : "LAN DNS override for home server DDNS hostname" ,
"enabled" : true ,
"host" : "myhome.ddns.net" ,
"ip" : "192.168.1.20"
}
] ,
"blocklists" : [
{
"name" : "oisd-big" ,
"description" : "OISD Big - ads, phishing, malware, telemetry" ,
"save_as" : "oisd-big.conf" ,
"url" : "https://big.oisd.nl/dnsmasq2" ,
"format" : "dnsmasq"
} ,
{
"name" : "hagezi-light" ,
"description" : "Hagezi Light - ads, tracking, metrics, badware" ,
"save_as" : "hagezi-light.conf" ,
"url" : "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/light.txt" ,
"format" : "dnsmasq"
} ,
{
"name" : "hagezi-pro-plus" ,
"description" : "Hagezi Pro Plus - ads, tracking, porn, gambling combined" ,
"save_as" : "hagezi-pro-plus.conf" ,
"url" : "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/pro.plus.txt" ,
"format" : "dnsmasq"
}
] ,
"inter_vlan_exceptions" : [
{ "description" : "IoT TV -> Plex" , "enabled" : true , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.10.3" , "dst_ip_or_subnet" : "192.168.1.20" , "dst_port" : 32400 } ,
{ "description" : "IoT Streaming Box -> Plex" , "enabled" : true , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.10.4" , "dst_ip_or_subnet" : "192.168.1.20" , "dst_port" : 32400 } ,
{ "description" : "Kids -> Plex" , "enabled" : true , "protocol" : "both" , "src_ip_or_subnet" : "192.168.30.0/24" , "dst_ip_or_subnet" : "192.168.1.20" , "dst_port" : 32400 } ,
{ "description" : "Kids -> SMB" , "enabled" : true , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.30.0/24" , "dst_ip_or_subnet" : "192.168.1.20" , "dst_port" : 445 } ,
{ "description" : "Kids -> Game Server" , "enabled" : true , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.30.0/24" , "dst_ip_or_subnet" : "192.168.1.20" , "dst_port" : 25565 } ,
{ "description" : "Kids -> Web Server HTTP" , "enabled" : true , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.30.0/24" , "dst_ip_or_subnet" : "192.168.1.20" , "dst_port" : 80 } ,
{ "description" : "Kids -> Web Server HTTPS" , "enabled" : true , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.30.0/24" , "dst_ip_or_subnet" : "192.168.1.20" , "dst_port" : 443 } ,
{ "description" : "Trusted -> Printer (RAW)" , "enabled" : true , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.1.0/24" , "dst_ip_or_subnet" : "192.168.10.2" , "dst_port" : 9100 } ,
{ "description" : "Trusted -> Printer (IPP)" , "enabled" : true , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.1.0/24" , "dst_ip_or_subnet" : "192.168.10.2" , "dst_port" : 631 } ,
{ "description" : "Kids -> Printer (RAW)" , "enabled" : true , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.30.0/24" , "dst_ip_or_subnet" : "192.168.10.2" , "dst_port" : 9100 } ,
{ "description" : "Kids -> Printer (IPP)" , "enabled" : true , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.30.0/24" , "dst_ip_or_subnet" : "192.168.10.2" , "dst_port" : 631 } ,
{ "description" : "Guest -> Printer (RAW)" , "enabled" : true , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.20.0/24" , "dst_ip_or_subnet" : "192.168.10.2" , "dst_port" : 9100 } ,
{ "description" : "Guest -> Printer (IPP)" , "enabled" : true , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.20.0/24" , "dst_ip_or_subnet" : "192.168.10.2" , "dst_port" : 631 } ,
{ "description" : "VPN -> SSH + Rsync" , "enabled" : true , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.40.0/24" , "dst_ip_or_subnet" : "192.168.1.20" , "dst_port" : 22 } ,
{ "description" : "VPN -> SMB" , "enabled" : false , "protocol" : "tcp" , "src_ip_or_subnet" : "192.168.40.0/24" , "dst_ip_or_subnet" : "192.168.1.20" , "dst_port" : 445 } ,
{ "description" : "Trusted -> Kids (LAN Gaming)" , "enabled" : false , "protocol" : "both" , "src_ip_or_subnet" : "192.168.1.0/24" , "dst_ip_or_subnet" : "192.168.30.0/24" } ,
{ "description" : "Parent PC -> Kids (LAN Gaming)" , "enabled" : false , "protocol" : "both" , "src_ip_or_subnet" : "192.168.1.50" , "dst_ip_or_subnet" : "192.168.30.0/24" } ,
{ "description" : "Kids -> Parent PC (LAN Gaming)" , "enabled" : false , "protocol" : "both" , "src_ip_or_subnet" : "192.168.30.0/24" , "dst_ip_or_subnet" : "192.168.1.50" }
] ,
"port_forwarding" : [
{ "description" : "WireGuard VPN" , "enabled" : true , "protocol" : "udp" , "dest_port" : 51820 , "nat_ip" : "192.168.1.20" , "nat_port" : 51820 } ,
{ "description" : "Plex Server" , "enabled" : true , "protocol" : "both" , "dest_port" : 32400 , "nat_ip" : "192.168.1.20" , "nat_port" : 32400 } ,
{ "description" : "Web Server HTTP" , "enabled" : true , "protocol" : "tcp" , "dest_port" : 80 , "nat_ip" : "192.168.1.20" , "nat_port" : 80 } ,
{ "description" : "Web Server HTTPS" , "enabled" : true , "protocol" : "tcp" , "dest_port" : 443 , "nat_ip" : "192.168.1.20" , "nat_port" : 443 } ,
{ "description" : "Game Server" , "enabled" : true , "protocol" : "tcp" , "dest_port" : 25565 , "nat_ip" : "192.168.1.20" , "nat_port" : 25565 } ,
{ "description" : "SSH" , "enabled" : false , "protocol" : "tcp" , "dest_port" : 22 , "nat_ip" : "192.168.1.20" , "nat_port" : 22 }
] ,
"vlans" : [
{
"vlan_id" : 1 ,
"name" : "trusted" ,
"interface" : "enp6s0" ,
"radius_default" : false ,
"mdns_reflection" : false ,
"use_blocklists" : [ "oisd-big" , "hagezi-light" ] ,
"server_identities" : [
{ "description" : "Router/Gateway" , "ip" : "192.168.1.1" } ,
{ "description" : "Home Server" , "ip" : "192.168.1.20" , "hostname" : "homeserver" } ,
{ "description" : "UniFi Controller Inform Host" , "ip" : "192.168.1.10" , "hostname" : "unifi-controller" }
] ,
"dhcp" : {
"subnet" : "192.168.1.0" ,
"subnet_mask" : "255.255.255.0" ,
"dynamic_pool_start" : "192.168.1.100" ,
"dynamic_pool_end" : "192.168.1.245" ,
"lease_time" : "24h" ,
"domain" : "local" ,
"explicit_overrides" : { "gateway" : "" , "dns_server" : "" , "ntp_server" : "" }
} ,
"reservations" : [
{ "enabled" : true , "description" : "UniFi Switch" , "hostname" : "unifi-switch" , "mac" : "aa:bb:cc:dd:ee:01" , "ip" : "192.168.1.2" , "radius_client" : true } ,
{ "enabled" : true , "description" : "UniFi AP (Kitchen)" , "hostname" : "unifi-ap-kitchen" , "mac" : "aa:bb:cc:dd:ee:02" , "ip" : "192.168.1.3" , "radius_client" : true } ,
{ "enabled" : true , "description" : "UniFi AP (Lounge)" , "hostname" : "unifi-ap-lounge" , "mac" : "aa:bb:cc:dd:ee:03" , "ip" : "192.168.1.4" , "radius_client" : true } ,
{ "enabled" : true , "description" : "UniFi AP (Upstairs)" , "hostname" : "unifi-ap-upstairs" , "mac" : "aa:bb:cc:dd:ee:04" , "ip" : "192.168.1.5" , "radius_client" : true } ,
{ "enabled" : true , "description" : "Home Server" , "hostname" : "homeserver" , "mac" : "aa:bb:cc:dd:ee:05" , "ip" : "192.168.1.20" } ,
{ "enabled" : true , "description" : "Desktop PC" , "hostname" : "desktop-pc" , "mac" : "aa:bb:cc:dd:ee:06" , "ip" : "192.168.1.50" }
] ,
"port_wrangling" : [
{ "description" : "DNS wrangling - redirect Trusted DNS to local resolver" , "enabled" : true , "protocol" : "both" , "dest_port" : 53 , "redirect_to" : "192.168.1.1" } ,
{ "description" : "NTP wrangling - redirect Trusted NTP to local time server" , "enabled" : false , "protocol" : "udp" , "dest_port" : 123 , "redirect_to" : "192.168.1.1" }
]
} ,
{
"vlan_id" : 10 ,
"name" : "iot" ,
"interface" : "enp6s0.10" ,
"radius_default" : false ,
"mdns_reflection" : true ,
"use_blocklists" : [ "oisd-big" , "hagezi-light" ] ,
"server_identities" : [
{ "description" : "Router/Gateway" , "ip" : "192.168.10.1" }
] ,
"dhcp" : {
"subnet" : "192.168.10.0" ,
"subnet_mask" : "255.255.255.0" ,
"dynamic_pool_start" : "192.168.10.100" ,
"dynamic_pool_end" : "192.168.10.245" ,
"lease_time" : "24h" ,
"domain" : "local" ,
"explicit_overrides" : { "gateway" : "" , "dns_server" : "" , "ntp_server" : "" }
} ,
"reservations" : [
{ "enabled" : true , "description" : "Network Printer" , "hostname" : "printer" , "mac" : "aa:bb:cc:dd:ee:10" , "ip" : "192.168.10.2" } ,
{ "enabled" : true , "description" : "Smart TV" , "hostname" : "smart-tv" , "mac" : "aa:bb:cc:dd:ee:11" , "ip" : "192.168.10.3" } ,
{ "enabled" : true , "description" : "Streaming Box (Eth)" , "hostname" : "streaming-box-eth" , "mac" : "aa:bb:cc:dd:ee:12" , "ip" : "192.168.10.4" } ,
{ "enabled" : true , "description" : "Streaming Box (Wifi)" , "hostname" : "streaming-box-wifi" , "mac" : "aa:bb:cc:dd:ee:13" , "ip" : "192.168.10.4" } ,
{ "enabled" : true , "description" : "Raspberry Pi" , "hostname" : "rpi" , "mac" : "aa:bb:cc:dd:ee:14" , "ip" : "192.168.10.12" } ,
{ "enabled" : true , "description" : "NAS" , "hostname" : "nas" , "mac" : "aa:bb:cc:dd:ee:15" , "ip" : "192.168.10.14" } ,
{ "enabled" : true , "description" : "Doorbell Camera" , "hostname" : "doorbell-camera" , "mac" : "aa:bb:cc:dd:ee:16" , "ip" : "dynamic" } ,
{ "enabled" : true , "description" : "Smart Speaker" , "hostname" : "smart-speaker" , "mac" : "aa:bb:cc:dd:ee:17" , "ip" : "dynamic" }
] ,
"port_wrangling" : [
{ "description" : "DNS wrangling - redirect IoT DNS to local resolver" , "enabled" : true , "protocol" : "both" , "dest_port" : 53 , "redirect_to" : "192.168.10.1" } ,
{ "description" : "NTP wrangling - redirect IoT NTP to local time server" , "enabled" : false , "protocol" : "udp" , "dest_port" : 123 , "redirect_to" : "192.168.10.1" }
]
} ,
{
"vlan_id" : 20 ,
"name" : "guest" ,
"interface" : "enp6s0.20" ,
"radius_default" : true ,
"mdns_reflection" : true ,
"use_blocklists" : [ "oisd-big" , "hagezi-light" ] ,
"server_identities" : [
{ "description" : "Router/Gateway" , "ip" : "192.168.20.1" }
] ,
"dhcp" : {
"subnet" : "192.168.20.0" ,
"subnet_mask" : "255.255.255.0" ,
"dynamic_pool_start" : "192.168.20.100" ,
"dynamic_pool_end" : "192.168.20.245" ,
"lease_time" : "4h" ,
"domain" : "local" ,
"explicit_overrides" : { "gateway" : "" , "dns_server" : "" , "ntp_server" : "" }
} ,
"reservations" : [
{ "enabled" : true , "description" : "Family Member Phone 1" , "hostname" : "phone-1" , "mac" : "aa:bb:cc:dd:ee:20" , "ip" : "dynamic" } ,
{ "enabled" : true , "description" : "Family Member Phone 2" , "hostname" : "phone-2" , "mac" : "aa:bb:cc:dd:ee:21" , "ip" : "dynamic" }
] ,
"port_wrangling" : [
{ "description" : "DNS wrangling - redirect Guest DNS to local resolver" , "enabled" : true , "protocol" : "both" , "dest_port" : 53 , "redirect_to" : "192.168.20.1" } ,
{ "description" : "NTP wrangling - redirect Guest NTP to local time server" , "enabled" : false , "protocol" : "udp" , "dest_port" : 123 , "redirect_to" : "192.168.20.1" }
]
} ,
{
"vlan_id" : 30 ,
"name" : "kids" ,
"interface" : "enp6s0.30" ,
"radius_default" : false ,
"mdns_reflection" : true ,
"use_blocklists" : [ "oisd-big" , "hagezi-light" , "hagezi-pro-plus" ] ,
"server_identities" : [
{ "description" : "Router/Gateway" , "ip" : "192.168.30.1" }
] ,
"dhcp" : {
"subnet" : "192.168.30.0" ,
"subnet_mask" : "255.255.255.0" ,
"dynamic_pool_start" : "192.168.30.100" ,
"dynamic_pool_end" : "192.168.30.245" ,
"lease_time" : "24h" ,
"domain" : "local" ,
"explicit_overrides" : { "gateway" : "" , "dns_server" : "" , "ntp_server" : "" }
} ,
"reservations" : [
{ "enabled" : true , "description" : "Child 1 Laptop" , "hostname" : "child1-laptop" , "mac" : "aa:bb:cc:dd:ee:30" , "ip" : "dynamic" } ,
{ "enabled" : true , "description" : "Child 2 Laptop" , "hostname" : "child2-laptop" , "mac" : "aa:bb:cc:dd:ee:31" , "ip" : "dynamic" } ,
{ "enabled" : true , "description" : "Child 3 Laptop" , "hostname" : "child3-laptop" , "mac" : "aa:bb:cc:dd:ee:32" , "ip" : "dynamic" } ,
{ "enabled" : true , "description" : "Child Tablet" , "hostname" : "child-tablet" , "mac" : "aa:bb:cc:dd:ee:33" , "ip" : "dynamic" }
] ,
"port_wrangling" : [
{ "description" : "DNS wrangling - redirect Kids DNS to local resolver" , "enabled" : true , "protocol" : "both" , "dest_port" : 53 , "redirect_to" : "192.168.30.1" } ,
{ "description" : "NTP wrangling - redirect Kids NTP to local time server" , "enabled" : false , "protocol" : "udp" , "dest_port" : 123 , "redirect_to" : "192.168.30.1" }
]
} ,
{
"vlan_id" : 40 ,
"name" : "vpn" ,
"interface" : "wg0" ,
"radius_default" : false ,
"mdns_reflection" : false ,
"use_blocklists" : [ "oisd-big" , "hagezi-light" ] ,
"vpn_information" : {
"listen_port" : 51820 ,
"gateway" : "192.168.40.1" ,
"domain" : "local" ,
"explicit_overrides" : { "dns_server" : "" , "mtu" : "" }
} ,
"reservations" : [ ] ,
"port_wrangling" : [
{ "description" : "DNS wrangling - redirect VPN DNS to local resolver" , "enabled" : true , "protocol" : "both" , "dest_port" : 53 , "redirect_to" : "192.168.40.1" } ,
{ "description" : "NTP wrangling - redirect VPN NTP to local time server" , "enabled" : false , "protocol" : "udp" , "dest_port" : 123 , "redirect_to" : "192.168.40.1" }
]
}
]
}