/* Stateful firewall (VyOS 1.3 per-interface syntax). Chains are bound per interface below; the state-policy at the end applies globally, ahead of the per-interface chains. */
firewall {
    /* The kernel answers ICMP echo-request on every interface; which echo-requests reach the host is still decided by the *-LOCAL chains. */
    all-ping enable
    group {
        /* Both routers of the HA pair on the MGMT (.40) and GUEST (.60) VLANs; matched by INSIDE-LOCAL rules 60 and 61. */
        address-group ROUTERS {
            address xxx.xxx.40.1-xxx.xxx.40.3
            address xxx.xxx.60.1-xxx.xxx.60.3
            description "Router IPs"
        }
        interface-group GUEST {
            interface eth1.60
        }
        /* Every internal VLAN; used by the WAN-egress, NTP, DNS and DHCP allows. */
        interface-group INTERNAL {
            include GUEST
            include LAN
            include IoT
            include NoT
            include MGMT
            include SRV
        }
        /* Denied WAN egress by INSIDE-IN rule 20. MGMT is also in INTERNAL-TRUSTED, so it gets router SSH but no Internet. */
        interface-group INTERNAL-ISOLATED {
            include NoT
            include MGMT
        }
        /* Allowed SSH to the router itself (INSIDE-LOCAL rule 20). */
        interface-group INTERNAL-TRUSTED {
            include LAN
            include SRV
            include MGMT
        }
        interface-group IoT {
            interface eth1.20
        }
        /* Untagged eth1 is the LAN VLAN. */
        interface-group LAN {
            interface eth1
        }
        interface-group MGMT {
            interface eth1.40
        }
        interface-group NoT {
            interface eth1.30
        }
        /* Defined but not referenced by any rule in this file; the rules use the WAN group directly. */
        interface-group OUTSIDE {
            include WAN
        }
        interface-group SRV {
            interface eth1.10
        }
        interface-group WAN {
            interface eth0
        }
        /* The three RFC 1918 blocks (addresses masked); source of the masquerade NAT rule. */
        network-group RFC1918 {
            network xxx.xxx.0.0/8
            network xxx.xxx.0.0/12
            network xxx.xxx.0.0/16
        }
        /* Not referenced by any rule in this file: there is no inter-VLAN allow for these ports, so they are dropped by INSIDE-IN's default-action like all other inter-VLAN traffic. */
        port-group Chromecast {
            port 8008-8009
            port 5556
            port 5558
            port 5353
        }
    }
    /* WAN chains. */
    interface eth0 {
        in {
            name OUTSIDE-IN
        }
        local {
            name OUTSIDE-LOCAL
        }
        out {
            name OUTSIDE-OUT
        }
    }
    /* The wildcard binds eth1 and every eth1.N VLAN sub-interface. wg0 is bound to no chain at all. */
    interface "eth1*" {
        in {
            name INSIDE-IN
        }
        local {
            name INSIDE-LOCAL
        }
        out {
            name INSIDE-OUT
        }
    }
    /* Forwarded traffic entering on an internal interface. No rule allows inter-VLAN traffic, so everything between VLANs except echo-request falls to default-action drop. */
    name INSIDE-IN {
        default-action drop
        /* No interface match: echo-request is forwarded between every internal VLAN (GUEST included) and out to WAN. */
        rule 10 {
            action accept
            description "Allow ping"
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        /* Must stay ordered before rule 21, because NoT and MGMT are also members of INTERNAL. */
        rule 20 {
            action drop
            description "Deny all ISOLATED to WAN"
            inbound-interface {
                interface-group INTERNAL-ISOLATED
            }
            outbound-interface {
                interface-group WAN
            }
        }
        rule 21 {
            action accept
            description "Allow all INTERNAL to WAN"
            inbound-interface {
                interface-group INTERNAL
            }
            outbound-interface {
                interface-group WAN
            }
        }
    }
    /* Traffic addressed to the router itself from an internal interface. */
    name INSIDE-LOCAL {
        default-action drop
        /* Ping the router from any internal VLAN. */
        rule 10 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        /* Router SSH only from LAN, SRV and MGMT; GUEST, IoT and NoT cannot reach it. */
        rule 20 {
            action accept
            description "Allow INTERNAL-TRUSTED to LOCAL SSH"
            destination {
                port ssh
            }
            inbound-interface {
                interface-group INTERNAL-TRUSTED
            }
            protocol tcp
        }
        /* NTP service (service ntp) for every VLAN. */
        rule 30 {
            action accept
            description "Allow All INTERNAL to LOCAL NTP"
            destination {
                port ntp
            }
            inbound-interface {
                interface-group INTERNAL
            }
            protocol udp
        }
        /* Resolver (service dns forwarding) for every VLAN. */
        rule 40 {
            action accept
            description "Allow INTERNAL to LOCAL dns"
            destination {
                port domain
            }
            inbound-interface {
                interface-group INTERNAL
            }
            protocol tcp_udp
        }
        /* DHCP discover/request; only from the client port. */
        rule 50 {
            action accept
            description "Allow DHCP"
            destination {
                port bootps
            }
            inbound-interface {
                interface-group INTERNAL
            }
            protocol udp
            source {
                port bootpc
            }
        }
        /* HA peer traffic: any protocol and port from the ROUTERS addresses arriving on MGMT. This carries conntrack-sync, DHCP failover and the HTTPS API (service section). The match is on source address only, so it relies on the MGMT VLAN holding no untrusted hosts -- TODO confirm. */
        rule 60 {
            action accept
            description "Allow all rtr<->rtr"
            inbound-interface {
                interface-group MGMT
            }
            source {
                group {
                    address-group ROUTERS
                }
            }
        }
        /* NOTE(review): disabled. Rule 60 matches inbound MGMT only, so VRRP advertisements arriving on eth1.60 (high-availability group GUEST) appear to fall to default-action drop unless accepted elsewhere; confirm the peer's advertisements are actually received. */
        rule 61 {
            action accept
            description "Allow VRRP from ROUTERS"
            disable
            protocol vrrp
            source {
                group {
                    address-group ROUTERS
                }
            }
        }
    }
    /* Forwarded traffic leaving on eth1* is not filtered. Since wg0 has no chains, this is the only chain traffic forwarded from the WireGuard peers into the VLANs meets. */
    name INSIDE-OUT {
        default-action accept
    }
    /* Nothing is forwarded in from WAN: no port-forwards, and WireGuard terminates on the router. */
    name OUTSIDE-IN {
        default-action drop
    }
    /* Traffic addressed to the router from WAN. */
    name OUTSIDE-LOCAL {
        default-action drop
        /* Echo-request from any Internet source. */
        rule 10 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        /* SSH reachable from any Internet source. Visible mitigations: log enable here and key-only authentication under service ssh. Reaching SSH over the WireGuard tunnel (rule 30) instead would allow this rule to be removed. */
        rule 20 {
            action accept
            destination {
                port 22
            }
            log enable
            protocol tcp
            state {
                new enable
            }
        }
        /* WireGuard listener (interfaces wireguard wg0 port 2224). */
        rule 30 {
            action accept
            description "Allow Wireguard"
            destination {
                port 2224
            }
            protocol udp
        }
    }
    name OUTSIDE-OUT {
        default-action accept
    }
    /* Global: reply traffic accepted, invalid packets dropped, regardless of interface. */
    state-policy {
        established {
            action accept
        }
        invalid {
            action drop
        }
        related {
            action accept
        }
    }
}
/* VRRP for the guest VLAN only. The other VLANs' .1 addresses (the DHCP default-router and ROUTERS ranges use them) are not defined in this file -- presumably on the peer, or trimmed from this paste; TODO confirm. */
high-availability {
    vrrp {
        /* VIP .60.1 on eth1.60 with unicast hellos between .60.3 (this router) and .60.2. The group has no authentication node; INSIDE-LOCAL rule 61 (source ROUTERS) is the only visible guard on incoming advertisements, and it is disabled. */
        group GUEST {
            address xxx.xxx.60.1/24 {
            }
            hello-source-address xxx.xxx.60.3
            interface eth1.60
            peer-address xxx.xxx.60.2
            priority 100
            vrid 60
        }
        /* Referenced by service conntrack-sync failover-mechanism; a separate namespace from the firewall interface-group of the same name. */
        sync-group INTERNAL {
            member GUEST
        }
    }
}
interfaces {
    /* WAN uplink, addressed by the upstream DHCP. */
    ethernet eth0 {
        address dhcp
        description WAN
        hw-id xx:xx:xx:xx:xx:1d
    }
    /* Trunk to the internal VLANs; this router is .3 on every subnet. For VLAN 60 the .1 is the VRRP VIP and .2 the peer -- presumably the same layout elsewhere. */
    ethernet eth1 {
        address xxx.xxx.0.3/24
        description LAN
        hw-id xx:xx:xx:xx:xx:20
        vif 10 {
            address xxx.xxx.1.3/24
            description Servers
        }
        vif 20 {
            address xxx.xxx.20.3/24
            description IoT
        }
        vif 30 {
            address xxx.xxx.30.3/24
            description NoT
        }
        vif 40 {
            address xxx.xxx.40.3/24
            description Management
        }
        vif 60 {
            address xxx.xxx.60.3/24
            description Guests
        }
    }
    loopback lo {
    }
    /* Road-warrior WireGuard: two peers pinned to single /32s, each with a preshared key. The private key and PSKs live in config.boot and persist in every saved revision (system config-management keeps 100), so copies of this file are key material. No firewall chain is bound to wg0: packets from the peers reach the router's services unfiltered and are forwarded into eth1* subject only to INSIDE-OUT (default accept) -- confirm this is the intended trust level. */
    wireguard wg0 {
        address xxx.xxx.2.3/24
        description RoadWarrior
        peer phone {
            allowed-ips xxx.xxx.2.12/32
            persistent-keepalive 15
            preshared-key XXXX
            public-key XXXX
        }
        peer rupert {
            allowed-ips xxx.xxx.2.11/32
            persistent-keepalive 15
            preshared-key XXXX
            public-key XXXX
        }
        /* Matches OUTSIDE-LOCAL rule 30. */
        port 2224
        private-key xxxxxx
    }
}
nat {
    source {
        /* Masquerade every RFC 1918 source leaving eth0 (presumably including the wg0 subnet); no destination restriction. */
        rule 10 {
            description "MASQ all RFC1918 to eth0"
            outbound-interface eth0
            source {
                group {
                    network-group RFC1918
                }
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        /* Default route from two sources: the DHCP lease on eth0 and an explicit next-hop (masked). TODO confirm both are intended. */
        route xxx.xxx.0.0/0 {
            dhcp-interface eth0
            next-hop xxx.xxx.0.1 {
            }
        }
    }
}
service {
    /* Connection-state replication to the HA peer over the MGMT VLAN (eth1.40, listening on .40.3). conntrackd traffic carries no authentication in this config; it is admitted only by INSIDE-LOCAL rule 60 (source ROUTERS on MGMT). */
    conntrack-sync {
        accept-protocol tcp
        accept-protocol udp
        accept-protocol icmp
        accept-protocol icmp6
        failover-mechanism {
            vrrp {
                sync-group INTERNAL
            }
        }
        /* Not replicated: the low /30 of each subnet (VIP and peer addresses), the .0.1 next-hop and loopback. */
        ignore-address xxx.xxx.0.0/30
        ignore-address xxx.xxx.2.0/30
        ignore-address xxx.xxx.1.0/30
        ignore-address xxx.xxx.20.0/30
        ignore-address xxx.xxx.30.0/30
        ignore-address xxx.xxx.40.0/30
        ignore-address xxx.xxx.60.0/30
        ignore-address xxx.xxx.0.1
        ignore-address ::1
        interface eth1.40 {
            peer xxxxx.tld
        }
        listen-address xxx.xxx.40.3
    }
    dhcp-server {
        /* Secondary of the DHCP failover pair, peering with the other router's MGMT address. */
        failover {
            name ROUTER
            remote xxx.xxx.40.2
            source-address xxx.xxx.40.3
            status secondary
        }
        /* DDNS into the internal zone, signed with TSIG. hmac-md5 is the weakest algorithm dhcpd accepts; hmac-sha256 is an option when the key is next rotated. The nested double quotes appear unescaped in this rendering -- check the live config. */
        global-parameters "ddns-updates on;"
        global-parameters "update-static-leases on;"
        global-parameters "update-optimization true;"
        global-parameters "key dhcpdupdate { algorithm hmac-md5; secret "XXXXX"; };"
        global-parameters "ddns-rev-domainname "in-addr.arpa.";"
        global-parameters "zone in-addr.arpa. { primary xxx.xxx.1.153; key xxxxxx }"
        /* Per ISC dhcpd semantics this skips the DHCID check, so a later lease for the same hostname overwrites the existing record -- including static hosts, given update-static-leases on. */
        global-parameters "update-conflict-detection off;"
        global-parameters "ddns-update-style standard;"
        global-parameters "ddns-ttl 86400;"
        host-decl-name
        /* Only the guest VLAN is served by this file; the VIP .60.1 is both gateway and resolver. */
        shared-network-name xxxxxx {
            authoritative
            description "Guest - VLAN 60"
            domain-name xxxxxx
            name-server xxx.xxx.60.1
            shared-network-parameters "zone guest.example.com. { primary xxx.xxx.1.153; key xxxxxx }"
            shared-network-parameters "ddns-domainname "guest.example.com";"
            subnet xxx.xxx.60.0/24 {
                default-router xxx.xxx.60.1
                enable-failover
                range 0 {
                    start xxx.xxx.60.20
                    stop xxx.xxx.60.254
                }
            }
        }
    }
    dns {
        /* Publishes eth0's DHCP address into the public example.com zone with a TSIG-signed RFC 2136 update. */
        dynamic {
            address eth0 {
                rfc2136 PDNS {
                    host-name xxxxxx
                    key xxxxxx
                    server xxxxx.tld
                    zone example.com
                }
            }
        }
        /* Use dhcp eth0 in future, instead of hardcoded name-servers */
        /* Internal zones and reverse lookups go to the server at .1.153 (SRV VLAN); everything else to the two upstream resolvers. listen-address is masked: if it is 0.0.0.0 the resolver also binds eth0 and depends on allow-from (plus OUTSIDE-LOCAL default drop) to refuse Internet queries. */
        forwarding {
            allow-from xxx.xxx.0.0/16
            allow-from xxx.xxx.0.0/8
            domain 0.x.x.in-addr.arpa. {
                name-server xxx.xxx.1.153 {
                }
            }
            domain 1.x.x.in-addr.arpa. {
                name-server xxx.xxx.1.153 {
                }
            }
            domain 20.x.x.in-addr.arpa. {
                name-server xxx.xxx.1.153 {
                }
            }
            domain 30.x.x.in-addr.arpa. {
                name-server xxx.xxx.1.153 {
                }
            }
            domain 40.x.x.in-addr.arpa. {
                name-server xxx.xxx.1.153 {
                }
            }
            domain home.example.com {
                name-server xxx.xxx.1.153 {
                }
            }
            domain iot.example.com {
                name-server xxx.xxx.1.153 {
                }
            }
            domain lan.example.com {
                name-server xxx.xxx.1.153 {
                }
            }
            domain mgmt.example.com {
                name-server xxx.xxx.1.153 {
                }
            }
            domain not.example.com {
                name-server xxx.xxx.1.153 {
                }
            }
            listen-address xxx.xxx.0.0
            name-server xxx.xxx.98.2 {
            }
            name-server xxx.xxx.101.3 {
            }
        }
    }
    /* HTTP API on the MGMT address only, key id SYNC (presumably config sync with the peer -- confirm). No certificates node appears here, so the default self-signed certificate is presumably served; confirm the peer verifies it. */
    https {
        api {
            keys {
                id SYNC {
                    key xxxxxx
                }
            }
            socket
        }
        virtual-host sync {
            listen-address xxx.xxx.40.3
        }
    }
    /* LLDP on every interface except WAN, so no topology is advertised upstream. */
    lldp {
        interface all {
        }
        interface eth0 {
            disable
        }
    }
    /* Prometheus scrape endpoint, reachable from the internal /16 only. */
    monitoring {
        telegraf {
            prometheus-client xxxxxx
            allow-from xxx.xxx.0.0/16
        }
    }
    /* Serves internal clients (INSIDE-LOCAL rule 30); upstream server names are masked, one is preferred. */
    ntp {
        allow-client xxxxxx
            address xxx.xxx.0.0/16
            address xxx.xxx.0.0/8
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
            prefer
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    /* Key-only authentication (the login password stays usable on the serial console). dynamic-protection's allow-from exempts the internal /16 from automatic blocking; it does not limit where SSH is reachable from -- OUTSIDE-LOCAL rule 20 accepts port 22 from any WAN source. */
    ssh {
        disable-password-authentication
        dynamic-protection {
            allow-from xxx.xxx.0.0/16
        }
        port 22
    }
}
system {
    /* 100 saved revisions, each holding the WireGuard, TSIG and API secrets above in clear. */
    config-management {
        commit-revisions 100
    }
    /* Empty: conntrack defaults. */
    conntrack {
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name xxxxxx
    host-name xxxxxx
    /* Single admin account with a password hash (usable on the console) and an ssh-rsa key; SSH itself is key-only (service ssh). Key length is not visible here. */
    login {
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                public-keys [email protected] {
                    key xxxxxx
                    type ssh-rsa
                }
            }
        }
    }
    /* The router's own resolver; .0.1 is presumably the LAN VIP -- TODO confirm. */
    name-server xxx.xxx.0.1
    /* Physical-access hardening for the console. */
    option {
        ctrl-alt-delete ignore
        keyboard-layout se-latin1
    }
    /* Local logging only: no syslog host is configured, so the hits from OUTSIDE-LOCAL rule 20 (log enable) stay on the router. Forwarding them to a collector would make them usable for detection. */
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
    time-zone Europe/Stockholm
}
// Warning: Do not remove the following line. | |
// vyos-config-version: "bgp@4:broadc |