
实现了以下功能:
# Running configuration of an H3C device (sysname H3C, version 7.1.064) as posted:
# a PPPoE dialer uplink, routed GigabitEthernet ports, zone-based security policy
# and outbound link load balancing.
# The value "mima" in every password field looks like a placeholder substituted
# before posting -- TODO confirm.
#
 version 7.1.064, Release 960P52
#
 sysname H3C
#
 clock timezone Beijing add 08:00:00
 clock protocol ntp
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
archive configuration location flash: filename-prefix 20250403
#
 dialer-group 2 rule ip permit
#
 nat log enable
#
 dhcp enable
#
 dns server 8.8.8.8
 dns server 114.114.114.114
#
# NOTE(review): password recovery is enabled. On Comware this is understood to let
# someone with console access at boot time bypass or reset credentials -- confirm
# against the device documentation and weigh it against who can reach the unit.
 password-recovery enable
#
vlan 1
#
object-group ip address 内网
 security-zone Trust
 0 network subnet 192.168.3.0 255.255.255.0
#
dhcp server ip-pool 1
 gateway-list 192.168.8.1
 network 192.168.8.0 mask 255.255.255.0
 dns-list 114.114.114.114 8.8.8.8
#
dhcp server ip-pool 2
 gateway-list 192.168.4.1
 network 192.168.4.0 mask 255.255.255.0
 dns-list 223.5.5.5
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
# NOTE(review): the PPPoE account secrets use the `cipher` form, which is encrypted
# rather than hashed; treat such strings as recoverable and keep them out of any
# shared copy of the configuration (here they appear replaced by "mima").
interface Dialer0
 mtu 1492
 ppp chap password cipher mima
 ppp chap user zhanghu
 ppp ipcp dns admit-any
 ppp ipcp dns request
 ppp pap local-user zhanghu password cipher mima
 dialer-group 2
 dialer timer idle 0
 dialer timer autodial 5
 ip address ppp-negotiate
 tcp mss 1400
 nat outbound port-preserved counting
#
interface NULL0
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable fiber
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 192.168.99.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 port link-mode route
#
# NOTE(review): GigabitEthernet1/0/4, 1/0/5 and 1/0/6 are imported into the Untrust
# zone further down, yet each carries `manage http/https/ping/ssh inbound`.
# Combined with `ip http enable` and security-policy rule pass-5 (Untrust -> Local),
# this appears to expose the device's own management services on the WAN-facing
# ports. Limiting `manage ... inbound` to the Management/Trust interfaces and
# dropping cleartext HTTP would narrow that exposure.
interface GigabitEthernet1/0/4
 port link-mode route
 nat outbound
 nat hairpin enable
 manage http inbound
 manage http outbound
 manage https inbound
 manage https outbound
 manage ping inbound
 manage ping outbound
 manage ssh inbound
 manage ssh outbound
 undo dhcp select server
 pppoe-client dial-bundle-number 0
#
interface GigabitEthernet1/0/5
 port link-mode route
 ip address dhcp-alloc
 nat outbound
 nat hairpin enable
 manage http inbound
 manage http outbound
 manage https inbound
 manage https outbound
 manage ping inbound
 manage ping outbound
 manage ssh inbound
 manage ssh outbound
 undo dhcp select server
#
interface GigabitEthernet1/0/6
 port link-mode route
 ip address 192.168.6.88 255.255.255.0
 nat outbound
 nat hairpin enable
 manage http inbound
 manage http outbound
 manage https inbound
 manage https outbound
 manage ping inbound
 manage ping outbound
 manage ssh inbound
 manage ssh outbound
 gateway 192.168.6.1
#
interface GigabitEthernet1/0/7
 port link-mode route
#
interface GigabitEthernet1/0/8
 port link-mode route
#
interface GigabitEthernet1/0/9
 port link-mode route
#
# LAN gateway for 192.168.4.0/24 (DHCP pool 2); placed in the Trust zone below.
interface GigabitEthernet1/0/10
 port link-mode route
 ip address 192.168.4.1 255.255.255.0
 ip last-hop hold
 nat outbound
 nat outbound 2000
 nat hairpin enable
 manage http inbound
 manage http outbound
 manage https inbound
 manage https outbound
 manage ping inbound
 manage ping outbound
 manage ssh inbound
 manage ssh outbound
#
# LAN gateway for 192.168.8.0/24 (DHCP pool 1); placed in the Trust zone below.
interface GigabitEthernet1/0/11
 port link-mode route
 ip address 192.168.8.1 255.255.255.0
 nat outbound
 nat outbound 2000
 nat hairpin enable
 manage http inbound
 manage http outbound
 manage https inbound
 manage https outbound
 manage ping inbound
 manage ping outbound
 manage ssh inbound
 manage ssh outbound
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/10
 import interface GigabitEthernet1/0/11
#
security-zone name DMZ
#
security-zone name Untrust
 import interface Dialer0
 import interface GigabitEthernet1/0/4
 import interface GigabitEthernet1/0/5
 import interface GigabitEthernet1/0/6
#
security-zone name Management
 import interface GigabitEthernet1/0/0
 import interface GigabitEthernet1/0/2
#
zone-pair security source Local destination Trust
#
zone-pair security source Local destination Untrust
#
zone-pair security source Trust destination Local
#
zone-pair security source Trust destination Untrust
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 authentication-mode scheme
 user-role network-admin
#
line class vty
 user-role network-operator
#
# NOTE(review): aux 0 is given network-admin and no authentication-mode is shown
# for the aux class or line -- confirm what the default is on this release.
line aux 0
 user-role network-admin
#
# NOTE(review): con 0 sets password authentication while the console class sets
# scheme; as written, console access to network-admin rests on one shared
# password rather than a per-user login -- verify that this is intended.
line con 0
 authentication-mode password
 user-role network-admin
 set authentication password hash mima
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
#
 ip route-static 0.0.0.0 0 Dialer0
 ip route-static 10.251.251.0 24 192.168.1.1
 ip route-static 192.168.20.0 24 192.168.1.1
#
performance-management
#
 ssh server enable
#
 arp ip-conflict log prompt
#
 ntp-service enable
 ntp-service unicast-peer 101.6.6.172
 ntp-service unicast-peer 203.107.6.88
#
 sntp unicast-server 101.6.6.172 version 1
#
# ACL 2000 matches the two LAN subnets and is referenced by `nat outbound 2000`
# on GigabitEthernet1/0/10 and 1/0/11.
acl number 2000
 rule 5 permit source 192.168.8.0 0.0.0.255
 rule 10 permit source 192.168.4.0 0.0.0.255
#
acl basic 2001
#
acl advanced 3000
 description 国内
 rule 0 permit ip destination 1.0.1.0 0.0.0.255
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
# NOTE(review): the only local account shown is `admin`, usable over ssh, terminal,
# http and https and holding network-admin. The level-3 and network-operator roles
# presumably add nothing once network-admin is assigned -- confirm. Because this
# account is reachable from the Untrust-side interfaces (see the `manage` lines
# above), its password strength carries most of the device's protection.
local-user admin class manage
 password hash mima
 service-type ssh terminal http https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
 ipsec logging negotiation enable
#
 ike logging negotiation enable
#
# NOTE(review): cleartext HTTP management is enabled next to HTTPS.
 ip http enable
 ip https enable
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect email parameter-profile mailsetting_default_parameter
 undo authentication enable
#
loadbalance link-group 8duan
 predictor hash address source
 transparent enable
 success-criteria at-least 1
 link 8duan
  success-criteria at-least 1
#
loadbalance link-group cmcc
 predictor hash address source
 transparent enable
 success-criteria at-least 1
 link cmcc
  success-criteria at-least 1
#
loadbalance link-group openwrt
 predictor hash address source
 transparent enable
 success-criteria at-least 1
 link openwrt
  success-criteria at-least 1
#
loadbalance link-group pppoe_dianxin
 predictor hash address source
 transparent enable
 success-criteria at-least 1
 link pppoe_dianxin
  success-criteria at-least 1
#
loadbalance class 4duan type link-generic match-any
 match 97 destination ip address 192.168.4.0 24
#
loadbalance class 8duan type link-generic match-any
 match 55 destination ip address 192.168.8.0 24
#
loadbalance class openwrt type link-generic match-any
 match 12 destination ip address 192.168.6.0 24
#
loadbalance class 电信特征 type link-generic match-any
 description 电信特征 168.2.1
 match 16821 isp chinatel
#
loadbalance class 国内特征 type link-generic match-any
 description 国内通用特征 100
 match 100 isp cn
 match 16800 isp cnc
 match 16811 isp cmcc
 match 16812 isp educn
 match 16813 isp chinatel
#
loadbalance class 国外 ip 识别 type link-generic match-any
 description 国外黑洞
 match 2000 isp hk
 match 2001 isp mo
 match 2002 isp tw
 match 2003 isp 国外测试组-咕噜咕噜
#
loadbalance class 联通特征 00 type link-generic match-any
 description 联通特征 200
 match 200 isp cnc
#
# The addresses in this class are shown as "x"/"1x" in the posted text.
loadbalance class 内网 type link-generic match-any
 match 100 destination ip address x
 match 102 source ip address x
 match 324 destination ip address 1x
 match 1231 destination ip address x
#
loadbalance class 移动特征 type link-generic match-any
 description 移动特征 192.168.1.1
 match 16811 isp cmcc
#
loadbalance action ##defaultactionforllbipv4##%%autocreatedbyweb%% type link-generic
 link-group openwrt
#
loadbalance action ob$action$#for#4duan type link-generic
 forward all
#
loadbalance action ob$action$#for#8duan type link-generic
 forward all
#
loadbalance action ob$action$#for#openwrt type link-generic
 forward all
#
loadbalance action ob$action$#for#国内特征 type link-generic
 link-group pppoe_dianxin
 fallback-action continue
#
loadbalance action ob$action$#for#内网 type link-generic
 forward all
#
# Policy summary: traffic to the local subnets is forwarded as-is, destinations
# matching the domestic ISP class use link-group pppoe_dianxin, and everything
# else falls to the default action, which uses link-group openwrt.
loadbalance policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%% type link-generic
 class 4duan action ob$action$#for#4duan
 class 8duan action ob$action$#for#8duan
 class openwrt action ob$action$#for#openwrt
 class 内网 action ob$action$#for#内网
 class 国内特征 action ob$action$#for#国内特征
 default-class action ##defaultactionforllbipv4##%%autocreatedbyweb%%
#
virtual-server ##defaultvsforllbipv4##%%autocreatedbyweb%% type link-ip
 virtual ip address 0.0.0.0 0
 lb-policy ##defaultpolicyforllbipv4##%%autocreatedbyweb%%
 bandwidth busy-protection enable
 bandwidth interface statistics enable
 service enable
#
loadbalance isp name 国外测试组-咕噜咕噜
 description 咕噜咕噜 ip 组-测试
 ip address 93.123.23.0 24
#
loadbalance isp name 内网
 ip address 192.168.8.0 24
#
 loadbalance isp file flash:/lbispinfo.tp
#
 loadbalance isp auto-update enable
 loadbalance isp auto-update frequency per-day
 loadbalance isp auto-update whois-server domain whois.iana.org
#
loadbalance region china
 isp chinatel
 isp cmcc
 isp cnc
 isp educn
#
loadbalance link 4duan
 router ip 192.168.4.1
 success-criteria at-least 1
#
loadbalance link 8duan
 router ip 192.168.8.1
#
loadbalance link cmcc
 router ip 192.168.1.1
 success-criteria at-least 1
#
loadbalance link openwrt
 router ip 192.168.6.1
 success-criteria at-least 1
#
loadbalance link pppoe_dianxin
 router interface Dialer0
 success-criteria at-least 1
#
# NOTE(review): every rule below is `action pass` with zone criteria only; no
# source/destination address, service or application match is visible.
# pass-4 (Untrust -> Trust) and pass-5 (Untrust -> Local) therefore permit, at the
# policy layer, unsolicited traffic from the WAN zone to the internal networks and
# to the device itself, and Untrust_Untrust_8_IPv4 permits transit between the WAN
# links. With these in place the zone model filters nothing. A reviewer would
# expect those three rules to be removed or narrowed to the specific services
# that must be reachable, leaving the rest to the policy's default action
# (deny, unless changed on this device -- confirm).
security-policy ip
 rule 0 name pass-0
  action pass
  source-zone Local
  destination-zone Trust
 rule 1 name pass-1
  action pass
  source-zone Local
  destination-zone Untrust
 rule 2 name pass-2
  action pass
  source-zone Trust
  destination-zone Local
 rule 3 name pass-3
  action pass
  source-zone Trust
  destination-zone Untrust
 rule 4 name pass-4
  action pass
  source-zone Untrust
  destination-zone Trust
 rule 5 name pass-5
  action pass
  source-zone Untrust
  destination-zone Local
 rule 6 name pass-6
  action pass
  source-zone Trust
  destination-zone Trust
 rule 7 name pass-7
  action pass
  source-zone Local
  destination-zone Local
 rule 8 name Untrust_Untrust_8_IPv4
  action pass
  source-zone Untrust
  destination-zone Untrust
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus logging parameter-profile av_logging_default_parameter
#
# NOTE(review): a vendor cloud-management domain is configured; confirm that
# remote management through it is intended for this device.
 cloud-management server domain secops.h3c.com
#
return
1 defunct9 259 天前 怎么看着像半吊子的锐捷 |
3 djw123 259 天前 H3C 的墙其实 web 就能完胜,而且这一眼 F1000 策略太多吞吐跟不上 |
4 xqzr 259 天前 > tcp mss 1400 MSS 最佳 1452 |