FRR 8.1 routes not being applied to routing table after reboot if an interface has 2 ip addresses
Closed, Resolved | Public | BUG

Description

VyOS Upgrade from 1.3.0-epa3 to 1.4-rolling-202111290926

Config:

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-name DMZ-from-LOCAL-v6 default-action 'reject'
set firewall ipv6-name DMZ-from-LOCAL-v6 rule 1010 action 'accept'
set firewall ipv6-name DMZ-from-LOCAL-v6 rule 1010 state established 'enable'
set firewall ipv6-name DMZ-from-LOCAL-v6 rule 1010 state related 'enable'
set firewall ipv6-name DMZ-from-LOCAL-v6 rule 1020 action 'drop'
set firewall ipv6-name DMZ-from-LOCAL-v6 rule 1020 state invalid 'enable'
set firewall ipv6-name DMZ-from-PRIVATE-v6 default-action 'accept'
set firewall ipv6-name DMZ-from-PRIVATE-v6 rule 1010 action 'accept'
set firewall ipv6-name DMZ-from-PRIVATE-v6 rule 1010 state established 'enable'
set firewall ipv6-name DMZ-from-PRIVATE-v6 rule 1010 state related 'enable'
set firewall ipv6-name DMZ-from-PRIVATE-v6 rule 1020 action 'drop'
set firewall ipv6-name DMZ-from-PRIVATE-v6 rule 1020 state invalid 'enable'
set firewall ipv6-name DMZ-from-PUBLIC-v6 default-action 'reject'
set firewall ipv6-name DMZ-from-PUBLIC-v6 rule 1010 action 'accept'
set firewall ipv6-name DMZ-from-PUBLIC-v6 rule 1010 state established 'enable'
set firewall ipv6-name DMZ-from-PUBLIC-v6 rule 1010 state related 'enable'
set firewall ipv6-name DMZ-from-PUBLIC-v6 rule 1020 action 'drop'
set firewall ipv6-name DMZ-from-PUBLIC-v6 rule 1020 state invalid 'enable'
set firewall ipv6-name LOCAL-from-DMZ-v6 default-action 'reject'
set firewall ipv6-name LOCAL-from-DMZ-v6 rule 1010 action 'accept'
set firewall ipv6-name LOCAL-from-DMZ-v6 rule 1010 state established 'enable'
set firewall ipv6-name LOCAL-from-DMZ-v6 rule 1010 state related 'enable'
set firewall ipv6-name LOCAL-from-DMZ-v6 rule 1020 action 'drop'
set firewall ipv6-name LOCAL-from-DMZ-v6 rule 1020 state invalid 'enable'
set firewall ipv6-name LOCAL-from-PRIVATE-v6 default-action 'accept'
set firewall ipv6-name LOCAL-from-PRIVATE-v6 rule 1010 action 'accept'
set firewall ipv6-name LOCAL-from-PRIVATE-v6 rule 1010 state established 'enable'
set firewall ipv6-name LOCAL-from-PRIVATE-v6 rule 1010 state related 'enable'
set firewall ipv6-name LOCAL-from-PRIVATE-v6 rule 1020 action 'drop'
set firewall ipv6-name LOCAL-from-PRIVATE-v6 rule 1020 state invalid 'enable'
set firewall ipv6-name LOCAL-from-PUBLIC-v6 default-action 'reject'
set firewall ipv6-name LOCAL-from-PUBLIC-v6 rule 1010 action 'accept'
set firewall ipv6-name LOCAL-from-PUBLIC-v6 rule 1010 state established 'enable'
set firewall ipv6-name LOCAL-from-PUBLIC-v6 rule 1010 state related 'enable'
set firewall ipv6-name LOCAL-from-PUBLIC-v6 rule 1020 action 'drop'
set firewall ipv6-name LOCAL-from-PUBLIC-v6 rule 1020 state invalid 'enable'
set firewall ipv6-name PRIVATE-from-DMZ-v6 default-action 'accept'
set firewall ipv6-name PRIVATE-from-DMZ-v6 rule 1010 action 'accept'
set firewall ipv6-name PRIVATE-from-DMZ-v6 rule 1010 state established 'enable'
set firewall ipv6-name PRIVATE-from-DMZ-v6 rule 1010 state related 'enable'
set firewall ipv6-name PRIVATE-from-DMZ-v6 rule 1020 action 'drop'
set firewall ipv6-name PRIVATE-from-DMZ-v6 rule 1020 state invalid 'enable'
set firewall ipv6-name PRIVATE-from-LOCAL-v6 default-action 'reject'
set firewall ipv6-name PRIVATE-from-LOCAL-v6 rule 1010 action 'accept'
set firewall ipv6-name PRIVATE-from-LOCAL-v6 rule 1010 state established 'enable'
set firewall ipv6-name PRIVATE-from-LOCAL-v6 rule 1010 state related 'enable'
set firewall ipv6-name PRIVATE-from-LOCAL-v6 rule 1020 action 'drop'
set firewall ipv6-name PRIVATE-from-LOCAL-v6 rule 1020 state invalid 'enable'
set firewall ipv6-name PRIVATE-from-PUBLIC-v6 default-action 'reject'
set firewall ipv6-name PRIVATE-from-PUBLIC-v6 rule 1010 action 'accept'
set firewall ipv6-name PRIVATE-from-PUBLIC-v6 rule 1010 state established 'enable'
set firewall ipv6-name PRIVATE-from-PUBLIC-v6 rule 1010 state related 'enable'
set firewall ipv6-name PRIVATE-from-PUBLIC-v6 rule 1020 action 'drop'
set firewall ipv6-name PRIVATE-from-PUBLIC-v6 rule 1020 state invalid 'enable'
set firewall ipv6-name PUBLIC-from-DMZ-v6 default-action 'accept'
set firewall ipv6-name PUBLIC-from-DMZ-v6 rule 1010 action 'accept'
set firewall ipv6-name PUBLIC-from-DMZ-v6 rule 1010 state established 'enable'
set firewall ipv6-name PUBLIC-from-DMZ-v6 rule 1010 state related 'enable'
set firewall ipv6-name PUBLIC-from-DMZ-v6 rule 1020 action 'drop'
set firewall ipv6-name PUBLIC-from-DMZ-v6 rule 1020 state invalid 'enable'
set firewall ipv6-name PUBLIC-from-LOCAL-v6 default-action 'accept'
set firewall ipv6-name PUBLIC-from-LOCAL-v6 rule 1010 action 'accept'
set firewall ipv6-name PUBLIC-from-LOCAL-v6 rule 1010 state established 'enable'
set firewall ipv6-name PUBLIC-from-LOCAL-v6 rule 1010 state related 'enable'
set firewall ipv6-name PUBLIC-from-LOCAL-v6 rule 1020 action 'drop'
set firewall ipv6-name PUBLIC-from-LOCAL-v6 rule 1020 state invalid 'enable'
set firewall ipv6-name PUBLIC-from-PRIVATE-v6 default-action 'accept'
set firewall ipv6-name PUBLIC-from-PRIVATE-v6 rule 1010 action 'accept'
set firewall ipv6-name PUBLIC-from-PRIVATE-v6 rule 1010 state established 'enable'
set firewall ipv6-name PUBLIC-from-PRIVATE-v6 rule 1010 state related 'enable'
set firewall ipv6-name PUBLIC-from-PRIVATE-v6 rule 1020 action 'drop'
set firewall ipv6-name PUBLIC-from-PRIVATE-v6 rule 1020 state invalid 'enable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name DMZ-from-LOCAL-v4 default-action 'reject'
set firewall name DMZ-from-LOCAL-v4 enable-default-log
set firewall name DMZ-from-LOCAL-v4 rule 1010 action 'accept'
set firewall name DMZ-from-LOCAL-v4 rule 1010 log 'enable'
set firewall name DMZ-from-LOCAL-v4 rule 1010 state established 'enable'
set firewall name DMZ-from-LOCAL-v4 rule 1010 state related 'enable'
set firewall name DMZ-from-LOCAL-v4 rule 1020 action 'drop'
set firewall name DMZ-from-LOCAL-v4 rule 1020 log 'enable'
set firewall name DMZ-from-LOCAL-v4 rule 1020 state invalid 'enable'
set firewall name DMZ-from-PRIVATE-v4 default-action 'accept'
set firewall name DMZ-from-PRIVATE-v4 enable-default-log
set firewall name DMZ-from-PRIVATE-v4 rule 1010 action 'accept'
set firewall name DMZ-from-PRIVATE-v4 rule 1010 log 'enable'
set firewall name DMZ-from-PRIVATE-v4 rule 1010 state established 'enable'
set firewall name DMZ-from-PRIVATE-v4 rule 1010 state related 'enable'
set firewall name DMZ-from-PRIVATE-v4 rule 1020 action 'drop'
set firewall name DMZ-from-PRIVATE-v4 rule 1020 log 'enable'
set firewall name DMZ-from-PRIVATE-v4 rule 1020 state invalid 'enable'
set firewall name DMZ-from-PUBLIC-v4 default-action 'reject'
set firewall name DMZ-from-PUBLIC-v4 enable-default-log
set firewall name DMZ-from-PUBLIC-v4 rule 1010 action 'accept'
set firewall name DMZ-from-PUBLIC-v4 rule 1010 log 'enable'
set firewall name DMZ-from-PUBLIC-v4 rule 1010 state established 'enable'
set firewall name DMZ-from-PUBLIC-v4 rule 1010 state related 'enable'
set firewall name DMZ-from-PUBLIC-v4 rule 1020 action 'drop'
set firewall name DMZ-from-PUBLIC-v4 rule 1020 log 'enable'
set firewall name DMZ-from-PUBLIC-v4 rule 1020 state invalid 'enable'
set firewall name DMZ-from-PUBLIC-v4 rule 1030 action 'accept'
set firewall name DMZ-from-PUBLIC-v4 rule 1030 description 'Allow TCP_SIP to PBX'
set firewall name DMZ-from-PUBLIC-v4 rule 1030 destination address 'xxx.xxx.12.2'
set firewall name DMZ-from-PUBLIC-v4 rule 1030 destination port '5060'
set firewall name DMZ-from-PUBLIC-v4 rule 1030 log 'enable'
set firewall name DMZ-from-PUBLIC-v4 rule 1030 protocol 'tcp'
set firewall name DMZ-from-PUBLIC-v4 rule 1031 action 'accept'
set firewall name DMZ-from-PUBLIC-v4 rule 1031 description 'Allow UDP_SIP to PBX'
set firewall name DMZ-from-PUBLIC-v4 rule 1031 destination address 'xxx.xxx.12.2'
set firewall name DMZ-from-PUBLIC-v4 rule 1031 destination port '5060'
set firewall name DMZ-from-PUBLIC-v4 rule 1031 log 'enable'
set firewall name DMZ-from-PUBLIC-v4 rule 1031 protocol 'udp'
set firewall name DMZ-from-PUBLIC-v4 rule 1032 action 'accept'
set firewall name DMZ-from-PUBLIC-v4 rule 1032 description 'Allow TCP_HTTP to PBX'
set firewall name DMZ-from-PUBLIC-v4 rule 1032 destination address 'xxx.xxx.12.2'
set firewall name DMZ-from-PUBLIC-v4 rule 1032 destination port '80'
set firewall name DMZ-from-PUBLIC-v4 rule 1032 log 'enable'
set firewall name DMZ-from-PUBLIC-v4 rule 1032 protocol 'tcp'
set firewall name DMZ-from-PUBLIC-v4 rule 1033 action 'accept'
set firewall name DMZ-from-PUBLIC-v4 rule 1033 description 'Allow TCP_HTTPS to PBX'
set firewall name DMZ-from-PUBLIC-v4 rule 1033 destination address 'xxx.xxx.12.2'
set firewall name DMZ-from-PUBLIC-v4 rule 1033 destination port '443'
set firewall name DMZ-from-PUBLIC-v4 rule 1033 log 'enable'
set firewall name DMZ-from-PUBLIC-v4 rule 1033 protocol 'tcp'
set firewall name DMZ-from-PUBLIC-v4 rule 1034 action 'accept'
set firewall name DMZ-from-PUBLIC-v4 rule 1034 description 'Allow TCP_3000 to PBX'
set firewall name DMZ-from-PUBLIC-v4 rule 1034 destination address 'xxx.xxx.12.2'
set firewall name DMZ-from-PUBLIC-v4 rule 1034 destination port '3000'
set firewall name DMZ-from-PUBLIC-v4 rule 1034 log 'enable'
set firewall name DMZ-from-PUBLIC-v4 rule 1034 protocol 'tcp'
set firewall name DMZ-from-PUBLIC-v4 rule 1040 action 'accept'
set firewall name DMZ-from-PUBLIC-v4 rule 1040 description 'Allow TCP_HTTP'
set firewall name DMZ-from-PUBLIC-v4 rule 1040 destination port '80'
set firewall name DMZ-from-PUBLIC-v4 rule 1040 protocol 'tcp'
set firewall name DMZ-from-PUBLIC-v4 rule 1041 action 'accept'
set firewall name DMZ-from-PUBLIC-v4 rule 1041 description 'Allow TCP_HTTPS'
set firewall name DMZ-from-PUBLIC-v4 rule 1041 destination port '443'
set firewall name DMZ-from-PUBLIC-v4 rule 1041 protocol 'tcp'
set firewall name DMZ-from-PUBLIC-v4 rule 1050 action 'accept'
set firewall name DMZ-from-PUBLIC-v4 rule 1050 description 'Allow ICMP to all'
set firewall name DMZ-from-PUBLIC-v4 rule 1050 log 'enable'
set firewall name DMZ-from-PUBLIC-v4 rule 1050 protocol 'icmp'
set firewall name LOCAL-from-DMZ-v4 default-action 'reject'
set firewall name LOCAL-from-DMZ-v4 enable-default-log
set firewall name LOCAL-from-DMZ-v4 rule 1010 action 'accept'
set firewall name LOCAL-from-DMZ-v4 rule 1010 log 'enable'
set firewall name LOCAL-from-DMZ-v4 rule 1010 state established 'enable'
set firewall name LOCAL-from-DMZ-v4 rule 1010 state related 'enable'
set firewall name LOCAL-from-DMZ-v4 rule 1020 action 'drop'
set firewall name LOCAL-from-DMZ-v4 rule 1020 log 'enable'
set firewall name LOCAL-from-DMZ-v4 rule 1020 state invalid 'enable'
set firewall name LOCAL-from-PRIVATE-v4 default-action 'accept'
set firewall name LOCAL-from-PRIVATE-v4 enable-default-log
set firewall name LOCAL-from-PRIVATE-v4 rule 1010 action 'accept'
set firewall name LOCAL-from-PRIVATE-v4 rule 1010 log 'enable'
set firewall name LOCAL-from-PRIVATE-v4 rule 1010 state established 'enable'
set firewall name LOCAL-from-PRIVATE-v4 rule 1010 state related 'enable'
set firewall name LOCAL-from-PRIVATE-v4 rule 1020 action 'drop'
set firewall name LOCAL-from-PRIVATE-v4 rule 1020 log 'enable'
set firewall name LOCAL-from-PRIVATE-v4 rule 1020 state invalid 'enable'
set firewall name LOCAL-from-PUBLIC-v4 default-action 'reject'
set firewall name LOCAL-from-PUBLIC-v4 enable-default-log
set firewall name LOCAL-from-PUBLIC-v4 rule 1010 action 'accept'
set firewall name LOCAL-from-PUBLIC-v4 rule 1010 log 'enable'
set firewall name LOCAL-from-PUBLIC-v4 rule 1010 state established 'enable'
set firewall name LOCAL-from-PUBLIC-v4 rule 1010 state related 'enable'
set firewall name LOCAL-from-PUBLIC-v4 rule 1020 action 'drop'
set firewall name LOCAL-from-PUBLIC-v4 rule 1020 log 'enable'
set firewall name LOCAL-from-PUBLIC-v4 rule 1020 state invalid 'enable'
set firewall name LOCAL-from-PUBLIC-v4 rule 1030 action 'accept'
set firewall name LOCAL-from-PUBLIC-v4 rule 1030 description 'Allow IPSEC STS to Router'
set firewall name LOCAL-from-PUBLIC-v4 rule 1030 destination address 'xxx.xxx.130.161'
set firewall name LOCAL-from-PUBLIC-v4 rule 1030 destination port '500'
set firewall name LOCAL-from-PUBLIC-v4 rule 1030 log 'enable'
set firewall name LOCAL-from-PUBLIC-v4 rule 1030 protocol 'udp'
set firewall name PRIVATE-from-DMZ-v4 default-action 'accept'
set firewall name PRIVATE-from-DMZ-v4 enable-default-log
set firewall name PRIVATE-from-DMZ-v4 rule 1010 action 'accept'
set firewall name PRIVATE-from-DMZ-v4 rule 1010 log 'enable'
set firewall name PRIVATE-from-DMZ-v4 rule 1010 state established 'enable'
set firewall name PRIVATE-from-DMZ-v4 rule 1010 state related 'enable'
set firewall name PRIVATE-from-DMZ-v4 rule 1020 action 'drop'
set firewall name PRIVATE-from-DMZ-v4 rule 1020 log 'enable'
set firewall name PRIVATE-from-DMZ-v4 rule 1020 state invalid 'enable'
set firewall name PRIVATE-from-LOCAL-v4 default-action 'reject'
set firewall name PRIVATE-from-LOCAL-v4 enable-default-log
set firewall name PRIVATE-from-LOCAL-v4 rule 1010 action 'accept'
set firewall name PRIVATE-from-LOCAL-v4 rule 1010 log 'enable'
set firewall name PRIVATE-from-LOCAL-v4 rule 1010 state established 'enable'
set firewall name PRIVATE-from-LOCAL-v4 rule 1010 state related 'enable'
set firewall name PRIVATE-from-LOCAL-v4 rule 1020 action 'drop'
set firewall name PRIVATE-from-LOCAL-v4 rule 1020 log 'enable'
set firewall name PRIVATE-from-LOCAL-v4 rule 1020 state invalid 'enable'
set firewall name PRIVATE-from-LOCAL-v4 rule 1030 action 'accept'
set firewall name PRIVATE-from-LOCAL-v4 rule 1030 log 'enable'
set firewall name PRIVATE-from-LOCAL-v4 rule 1030 protocol '89'
set firewall name PRIVATE-from-PUBLIC-v4 default-action 'reject'
set firewall name PRIVATE-from-PUBLIC-v4 enable-default-log
set firewall name PRIVATE-from-PUBLIC-v4 rule 1010 action 'accept'
set firewall name PRIVATE-from-PUBLIC-v4 rule 1010 log 'enable'
set firewall name PRIVATE-from-PUBLIC-v4 rule 1010 state established 'enable'
set firewall name PRIVATE-from-PUBLIC-v4 rule 1010 state related 'enable'
set firewall name PRIVATE-from-PUBLIC-v4 rule 1020 action 'drop'
set firewall name PRIVATE-from-PUBLIC-v4 rule 1020 log 'enable'
set firewall name PRIVATE-from-PUBLIC-v4 rule 1020 state invalid 'enable'
set firewall name PUBLIC-from-DMZ-v4 default-action 'accept'
set firewall name PUBLIC-from-DMZ-v4 enable-default-log
set firewall name PUBLIC-from-DMZ-v4 rule 1010 action 'accept'
set firewall name PUBLIC-from-DMZ-v4 rule 1010 log 'enable'
set firewall name PUBLIC-from-DMZ-v4 rule 1010 state established 'enable'
set firewall name PUBLIC-from-DMZ-v4 rule 1010 state related 'enable'
set firewall name PUBLIC-from-DMZ-v4 rule 1020 action 'drop'
set firewall name PUBLIC-from-DMZ-v4 rule 1020 log 'enable'
set firewall name PUBLIC-from-DMZ-v4 rule 1020 state invalid 'enable'
set firewall name PUBLIC-from-LOCAL-v4 default-action 'accept'
set firewall name PUBLIC-from-LOCAL-v4 enable-default-log
set firewall name PUBLIC-from-LOCAL-v4 rule 1010 action 'accept'
set firewall name PUBLIC-from-LOCAL-v4 rule 1010 log 'enable'
set firewall name PUBLIC-from-LOCAL-v4 rule 1010 state established 'enable'
set firewall name PUBLIC-from-LOCAL-v4 rule 1010 state related 'enable'
set firewall name PUBLIC-from-LOCAL-v4 rule 1020 action 'drop'
set firewall name PUBLIC-from-LOCAL-v4 rule 1020 log 'enable'
set firewall name PUBLIC-from-LOCAL-v4 rule 1020 state invalid 'enable'
set firewall name PUBLIC-from-PRIVATE-v4 default-action 'accept'
set firewall name PUBLIC-from-PRIVATE-v4 enable-default-log
set firewall name PUBLIC-from-PRIVATE-v4 rule 1010 action 'accept'
set firewall name PUBLIC-from-PRIVATE-v4 rule 1010 log 'enable'
set firewall name PUBLIC-from-PRIVATE-v4 rule 1010 state established 'enable'
set firewall name PUBLIC-from-PRIVATE-v4 rule 1010 state related 'enable'
set firewall name PUBLIC-from-PRIVATE-v4 rule 1020 action 'drop'
set firewall name PUBLIC-from-PRIVATE-v4 rule 1020 log 'enable'
set firewall name PUBLIC-from-PRIVATE-v4 rule 1020 state invalid 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address 'xxx.xxx.29.144/32'
set interfaces ethernet eth0 address 'xxx.xxx.91.81/32'
set interfaces ethernet eth0 address 'xxx.xxx.91.85/32'
set interfaces ethernet eth0 description 'OVH-WANIN'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:73'
set interfaces ethernet eth1 address 'xxx.xxx.130.161/27'
set interfaces ethernet eth1 address 'xxx.xxx.130.170/27'
set interfaces ethernet eth1 address 'xxx.xxx.130.172/27'
set interfaces ethernet eth1 description 'vRACK-WANIN'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:48'
set interfaces ethernet eth1 vif 86 address 'xxx.xxx.10.1/24'
set interfaces ethernet eth1 vif 86 description 'vlan86-horizon'
set interfaces ethernet eth1 vif 87 description 'vlan87-docker'
set interfaces ethernet eth1 vif 90 address 'xxx.xxx.6.1/24'
set interfaces ethernet eth1 vif 90 description 'vlan90-devnet'
set interfaces ethernet eth1 vif 99 address 'xxx.xxx.4.1/23'
set interfaces ethernet eth1 vif 99 description 'vlan99-clientvpn'
set interfaces ethernet eth1 vif 100 address 'xxx.xxx.0.9/22'
set interfaces ethernet eth1 vif 100 address 'xxxx:xxxx:e013:100::1/64'
set interfaces ethernet eth1 vif 100 description 'vlan100-mgmt'
set interfaces ethernet eth1 vif 200 address 'xxx.xxx.11.1/24'
set interfaces ethernet eth1 vif 200 description 'DMZ1'
set interfaces ethernet eth1 vif 200 policy route 'PBR'
set interfaces ethernet eth1 vif 210 address 'xxx.xxx.12.1/24'
set interfaces ethernet eth1 vif 210 description 'DMZ2'
set interfaces ethernet eth1 vif 210 policy route 'PBR'
set interfaces ethernet eth2 address 'xxx.xxx.99.1/24'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:5d'
set interfaces loopback lo
set interfaces tunnel tun0 address 'xxx.xxx.42.1/29'
set interfaces tunnel tun0 description 'gre-tunnel mig-wpb'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 remote 'xxx.xxx.235.33'
set interfaces tunnel tun0 source-address 'xxx.xxx.130.161'
set interfaces tunnel tun1 address 'xxxx:xxxx:7:4a::2/64'
set interfaces tunnel tun1 description 'HE.NET IPv6 Tunnel'
set interfaces tunnel tun1 encapsulation 'sit'
set interfaces tunnel tun1 remote 'xxx.xxx.22.2'
set interfaces tunnel tun1 source-address 'xxx.xxx.130.161'
set interfaces tunnel tun2 address 'xxx.xxx.50.1/29'
set interfaces tunnel tun2 description 'gre-tunnel atl-prod'
set interfaces tunnel tun2 encapsulation 'gre'
set interfaces tunnel tun2 remote 'xxx.xxx.137.19'
set interfaces tunnel tun2 source-address 'xxx.xxx.130.161'
set interfaces vti vti0 address 'xxx.xxx.46.1/30'
set interfaces vti vti0 mtu '1436'
set nat destination rule 10 description '.170 - reverse proxy TCP80'
set nat destination rule 10 destination address 'xxx.xxx.130.170'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth1'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address 'xxx.xxx.12.3'
set nat destination rule 11 description '.170 - vch02 rproxy TCP8000'
set nat destination rule 11 destination address 'xxx.xxx.130.170'
set nat destination rule 11 destination port '8000'
set nat destination rule 11 inbound-interface 'eth1'
set nat destination rule 11 protocol 'tcp'
set nat destination rule 11 translation address 'xxx.xxx.0.176'
set nat destination rule 12 description '.170 - reverse proxy TCP443'
set nat destination rule 12 destination address 'xxx.xxx.130.170'
set nat destination rule 12 destination port '443'
set nat destination rule 12 inbound-interface 'eth1'
set nat destination rule 12 protocol 'tcp'
set nat destination rule 12 translation address 'xxx.xxx.12.3'
set nat destination rule 20 description '.81 - Skynet TCP443,992,1194,5555'
set nat destination rule 20 destination address 'xxx.xxx.91.81'
set nat destination rule 20 destination port '443,992,1194,5555'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address 'xxx.xxx.0.181'
set nat destination rule 21 description '.81 - Skynet UDP500,4500,1701,1194'
set nat destination rule 21 destination address 'xxx.xxx.91.81'
set nat destination rule 21 destination port '500,4500,1701,1194'
set nat destination rule 21 inbound-interface 'eth0'
set nat destination rule 21 protocol 'udp'
set nat destination rule 21 translation address 'xxx.xxx.0.181'
set nat destination rule 30 description '.85 - PBX UDP10k-20k,5060-5061,4569'
set nat destination rule 30 destination address 'xxx.xxx.130.172'
set nat destination rule 30 destination port '10000-20000,5060,5061,4569'
set nat destination rule 30 inbound-interface 'eth1'
set nat destination rule 30 protocol 'udp'
set nat destination rule 30 translation address 'xxx.xxx.12.2'
set nat destination rule 31 description '.85 - PBX TCP80,443,3000,5060,5061'
set nat destination rule 31 destination address 'xxx.xxx.130.172'
set nat destination rule 31 destination port '80,443,3000,5060,5061'
set nat destination rule 31 inbound-interface 'eth1'
set nat destination rule 31 protocol 'tcp'
set nat destination rule 31 translation address 'xxx.xxx.12.2'
set nat destination rule 40 description '.144 - ESMC TCP80,443,3128,2222,8883,139,445'
set nat destination rule 40 destination address 'xxx.xxx.29.144'
set nat destination rule 40 destination port '80,443,3128,2222,8883,139,445'
set nat destination rule 40 inbound-interface 'eth0'
set nat destination rule 40 protocol 'tcp'
set nat destination rule 40 translation address 'xxx.xxx.0.96'
set nat destination rule 41 description '.144 - ESMC UDP80,443,3128,2222,8883,139,445,137,138'
set nat destination rule 41 destination address 'xxx.xxx.29.144'
set nat destination rule 41 destination port '80,443,3128,2222,8883,139,445,137,138'
set nat destination rule 41 inbound-interface 'eth0'
set nat destination rule 41 protocol 'udp'
set nat destination rule 41 translation address 'xxx.xxx.0.96'
set nat destination rule 50 description '.161 - MGMTVIN200 TCP3389'
set nat destination rule 50 destination address 'xxx.xxx.130.161'
set nat destination rule 50 destination port '3389'
set nat destination rule 50 inbound-interface 'eth1'
set nat destination rule 50 protocol 'tcp'
set nat destination rule 50 translation address 'xxx.xxx.0.99'
set nat source rule 99 description 'AllowRestrictedNATOut-TCP_NTP'
set nat source rule 99 destination port '123'
set nat source rule 99 outbound-interface 'eth1'
set nat source rule 99 protocol 'tcp'
set nat source rule 99 source address 'xxx.xxx.0.0/21'
set nat source rule 99 translation address 'xxx.xxx.130.161'
set nat source rule 100 description 'AllowRestrictedNATOut-TCP_HTTP'
set nat source rule 100 destination port '80'
set nat source rule 100 outbound-interface 'eth1'
set nat source rule 100 protocol 'tcp'
set nat source rule 100 source address 'xxx.xxx.0.0/21'
set nat source rule 100 translation address 'xxx.xxx.130.161'
set nat source rule 101 description 'AllowRestrictedNATOut-TCP_HTTPS'
set nat source rule 101 destination port '443'
set nat source rule 101 outbound-interface 'eth1'
set nat source rule 101 protocol 'tcp'
set nat source rule 101 source address 'xxx.xxx.0.0/21'
set nat source rule 101 translation address 'xxx.xxx.130.161'
set nat source rule 102 description 'AllowRestrictedNATOut-TCP_902'
set nat source rule 102 destination port '902'
set nat source rule 102 outbound-interface 'eth1'
set nat source rule 102 protocol 'tcp'
set nat source rule 102 source address 'xxx.xxx.0.0/21'
set nat source rule 102 translation address 'xxx.xxx.130.161'
set nat source rule 110 description 'AllowICMPOut'
set nat source rule 110 outbound-interface 'eth1'
set nat source rule 110 protocol 'icmp'
set nat source rule 110 source address 'xxx.xxx.0.0/21'
set nat source rule 110 translation address 'xxx.xxx.130.161'
set nat source rule 120 description 'AllowRestrictedNATOut-UDP_DNS'
set nat source rule 120 destination port '53'
set nat source rule 120 outbound-interface 'eth1'
set nat source rule 120 protocol 'udp'
set nat source rule 120 source address 'xxx.xxx.0.0/21'
set nat source rule 120 translation address 'xxx.xxx.130.161'
set nat source rule 121 description 'AllowRestrictedNATOut-UDP_NTP'
set nat source rule 121 destination port '123'
set nat source rule 121 outbound-interface 'eth1'
set nat source rule 121 protocol 'udp'
set nat source rule 121 source address 'xxx.xxx.0.0/21'
set nat source rule 121 translation address 'xxx.xxx.130.161'
set nat source rule 200 description 'Give MGMTVIN200 unrestricted access'
set nat source rule 200 outbound-interface 'eth1'
set nat source rule 200 source address 'xxx.xxx.0.99'
set nat source rule 200 translation address 'xxx.xxx.130.161'
set nat source rule 210 description 'Give ESMC unrestricted access'
set nat source rule 210 outbound-interface 'eth0'
set nat source rule 210 source address 'xxx.xxx.0.96'
set nat source rule 210 translation address 'xxx.xxx.29.144'
set nat source rule 220 description 'Give VPNVIN100 unrestricted access'
set nat source rule 220 outbound-interface 'eth1'
set nat source rule 220 source address 'xxx.xxx.0.181'
set nat source rule 220 translation address 'xxx.xxx.130.161'
set nat source rule 230 description 'Give PBXVIN400 unrestricted access'
set nat source rule 230 destination address '!xxx.xxx.0.0/8'
set nat source rule 230 outbound-interface 'eth1'
set nat source rule 230 source address 'xxx.xxx.12.2'
set nat source rule 230 translation address 'xxx.xxx.130.172'
set nat source rule 240 description 'Give DMZ Web-Only Access-TCP80'
set nat source rule 240 destination address '!xxx.xxx.0.0/8'
set nat source rule 240 destination port '80'
set nat source rule 240 outbound-interface 'eth1'
set nat source rule 240 protocol 'tcp'
set nat source rule 240 source address 'xxx.xxx.12.3'
set nat source rule 240 translation address 'xxx.xxx.130.161'
set nat source rule 241 description 'Give DMZ Web-Only Access-TCP443'
set nat source rule 241 destination address '!xxx.xxx.0.0/8'
set nat source rule 241 destination port '443'
set nat source rule 241 outbound-interface 'eth1'
set nat source rule 241 protocol 'tcp'
set nat source rule 241 source address 'xxx.xxx.12.3'
set nat source rule 241 translation address 'xxx.xxx.130.161'
set policy local-route rule 101 set table '11'
set policy local-route rule 101 source 'xxx.xxx.130.161'
set policy local-route rule 101 source 'xxx.xxx.130.170'
set policy local-route rule 101 source 'xxx.xxx.130.172'
set policy local-route rule 102 set table '10'
set policy local-route rule 102 source 'xxx.xxx.29.144'
set policy local-route rule 102 source 'xxx.xxx.91.81'
set policy local-route rule 102 source 'xxx.xxx.91.85'
set policy prefix-list V4-InternalRoutes rule 10 action 'permit'
set policy prefix-list V4-InternalRoutes rule 10 description 'Allow10Net'
set policy prefix-list V4-InternalRoutes rule 10 prefix 'xxx.xxx.0.0/8'
set policy route PBR rule 20 description 'Route items out through OVH WAN'
set policy route PBR rule 20 set table '10'
set policy route PBR rule 20 source address 'xxx.xxx.11.0/24'
set policy route PBR rule 30 description 'Route items out through vRack WAN'
set policy route PBR rule 30 set table '11'
set policy route PBR rule 30 source address 'xxx.xxx.12.0/24'
set policy route-map V4-OSPF rule 10 action 'permit'
set policy route-map V4-OSPF rule 10 match ip address prefix-list 'V4-InternalRoutes'
set policy route-map V4-OSPF rule 20 action 'deny'
set protocols ospf area 0 network 'xxx.xxx.0.0/16'
set protocols ospf area 0 network 'xxx.xxx.46.0/29'
set protocols ospf area 0 network 'xxx.xxx.0.0/16'
set protocols ospf area 1 network 'xxx.xxx.0.0/13'
set protocols ospf area 1 network 'xxx.xxx.42.0/29'
set protocols ospf area 3 network 'xxx.xxx.0.0/16'
set protocols ospf area 3 network 'xxx.xxx.50.0/29'
set protocols ospf interface eth1.86 passive disable
set protocols ospf interface eth1.87 passive disable
set protocols ospf interface eth1.90 passive disable
set protocols ospf interface eth1.99 passive disable
set protocols ospf interface eth1.100 passive disable
set protocols ospf interface tun0 passive disable
set protocols ospf interface tun2 passive disable
set protocols ospf interface vti0 dead-interval '40'
set protocols ospf interface vti0 hello-interval '10'
set protocols ospf interface vti0 passive disable
set protocols ospf interface vti0 priority '1'
set protocols ospf interface vti0 retransmit-interval '5'
set protocols ospf interface vti0 transmit-delay '1'
set protocols ospf log-adjacency-changes
set protocols ospf parameters abr-type 'cisco'
set protocols ospf parameters router-id 'xxx.xxx.0.9'
set protocols ospf passive-interface 'default'
set protocols ospf redistribute static metric-type '2'
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.130.190
set protocols static route xxx.xxx.0.0/16 next-hop xxx.xxx.46.1
set protocols static route xxx.xxx.0.0/16 next-hop xxx.xxx.46.2
set protocols static route xxx.xxx.0.0/16 next-hop xxx.xxx.50.2
set protocols static route xxx.xxx.0.0/13 next-hop xxx.xxx.42.2
set protocols static route6 ::/0 interface tun1
set protocols static table 10 route xxx.xxx.0.0/0 next-hop xxx.xxx.68.254 interface 'eth0'
set protocols static table 11 route xxx.xxx.0.0/0 next-hop xxx.xxx.130.190
set service dns forwarding allow-from 'xxx.xxx.0.0/16'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address 'xxx.xxx.0.9'
set service router-advert interface eth1.100 name-server 'xxxx:xxxx:e013:100::dc'
set service router-advert interface eth1.100 name-server 'xxxx:xxxx:4860::8888'
set service router-advert interface eth1.100 prefix xxxx:xxxx:e013:100::/64
set service ssh listen-address 'xxx.xxx.0.9'
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system login banner post-login '// RTRVIN300 // ******* // T0 LOGIN ONLY // '
set system login user xxxxxx authentication encrypted-password xxxxxx
set system name-server 'xxx.xxx.1.1'
set system name-server 'xxxx:xxxx:4860::8888'
set system name-server 'xxxx:xxxx:4860::8844'
set system name-server 'xxxx:xxxx:4700::1111'
set system name-server 'xxxx:xxxx:4700::1001'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set vpn ipsec esp-group ESP-AES128-SHA1-DH2 compression 'disable'
set vpn ipsec esp-group ESP-AES128-SHA1-DH2 lifetime '3600'
set vpn ipsec esp-group ESP-AES128-SHA1-DH2 mode 'tunnel'
set vpn ipsec esp-group ESP-AES128-SHA1-DH2 pfs 'enable'
set vpn ipsec esp-group ESP-AES128-SHA1-DH2 proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-AES128-SHA1-DH2 proposal 1 hash 'sha1'
set vpn ipsec esp-group GBUS-MT-ESP compression 'disable'
set vpn ipsec esp-group GBUS-MT-ESP lifetime '86400'
set vpn ipsec esp-group GBUS-MT-ESP mode 'tunnel'
set vpn ipsec esp-group GBUS-MT-ESP pfs 'dh-group2'
set vpn ipsec esp-group GBUS-MT-ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group GBUS-MT-ESP proposal 1 hash 'sha1'
set vpn ipsec esp-group mikrotik-esp compression 'disable'
set vpn ipsec esp-group mikrotik-esp lifetime '1800'
set vpn ipsec esp-group mikrotik-esp mode 'tunnel'
set vpn ipsec esp-group mikrotik-esp pfs 'dh-group2'
set vpn ipsec esp-group mikrotik-esp proposal 1 encryption 'aes128'
set vpn ipsec esp-group mikrotik-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group GBUS-MT-IKE close-action 'none'
set vpn ipsec ike-group GBUS-MT-IKE ikev2-reauth 'no'
set vpn ipsec ike-group GBUS-MT-IKE key-exchange 'ikev1'
set vpn ipsec ike-group GBUS-MT-IKE lifetime '86400'
set vpn ipsec ike-group GBUS-MT-IKE proposal 1 dh-group '2'
set vpn ipsec ike-group GBUS-MT-IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group GBUS-MT-IKE proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-AES256-SHA256-DH19 close-action 'none'
set vpn ipsec ike-group IKE-AES256-SHA256-DH19 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-AES256-SHA256-DH19 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-AES256-SHA256-DH19 lifetime '28800'
set vpn ipsec ike-group IKE-AES256-SHA256-DH19 proposal 1 dh-group '19'
set vpn ipsec ike-group IKE-AES256-SHA256-DH19 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-AES256-SHA256-DH19 proposal 1 hash 'sha256'
set vpn ipsec ike-group mikrotik-ike close-action 'none'
set vpn ipsec ike-group mikrotik-ike ikev2-reauth 'no'
set vpn ipsec ike-group mikrotik-ike key-exchange 'ikev1'
set vpn ipsec ike-group mikrotik-ike lifetime '28800'
set vpn ipsec ike-group mikrotik-ike proposal 1 dh-group '19'
set vpn ipsec ike-group mikrotik-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group mikrotik-ike proposal 1 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer xxxxx.tld authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld connection-type 'initiate'
set vpn ipsec site-to-site peer xxxxx.tld default-esp-group 'GBUS-MT-ESP'
set vpn ipsec site-to-site peer xxxxx.tld ike-group 'GBUS-MT-IKE'
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxxxx.tld local-address 'xxx.xxx.130.161'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 0 protocol 'gre'
set vpn ipsec site-to-site peer xxxxx.tld authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld connection-type 'initiate'
set vpn ipsec site-to-site peer xxxxx.tld default-esp-group 'GBUS-MT-ESP'
set vpn ipsec site-to-site peer xxxxx.tld ike-group 'GBUS-MT-IKE'
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxxxx.tld local-address 'xxx.xxx.130.161'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 protocol 'gre'
set vpn ipsec site-to-site peer xxxxx.tld authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld connection-type 'initiate'
set vpn ipsec site-to-site peer xxxxx.tld default-esp-group 'mikrotik-esp'
set vpn ipsec site-to-site peer xxxxx.tld ike-group 'mikrotik-ike'
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxxxx.tld local-address 'xxx.xxx.130.161'
set vpn ipsec site-to-site peer xxxxx.tld vti bind 'vti0'
set vpn ipsec site-to-site peer xxxxx.tld vti esp-group 'ESP-AES128-SHA1-DH2'
set zone-policy zone DMZ default-action 'drop'
set zone-policy zone DMZ description 'Dmz Zone'
set zone-policy zone DMZ from LOCAL firewall ipv6-name 'DMZ-from-LOCAL-v6'
set zone-policy zone DMZ from LOCAL firewall name 'DMZ-from-LOCAL-v4'
set zone-policy zone DMZ from PRIVATE firewall ipv6-name 'DMZ-from-PRIVATE-v6'
set zone-policy zone DMZ from PRIVATE firewall name 'DMZ-from-PRIVATE-v4'
set zone-policy zone DMZ from PUBLIC firewall ipv6-name 'DMZ-from-PUBLIC-v6'
set zone-policy zone DMZ from PUBLIC firewall name 'DMZ-from-PUBLIC-v4'
set zone-policy zone DMZ interface 'eth1.200'
set zone-policy zone DMZ interface 'eth1.210'
set zone-policy zone LOCAL default-action 'drop'
set zone-policy zone LOCAL description 'Local Zone'
set zone-policy zone LOCAL from DMZ firewall ipv6-name 'LOCAL-from-DMZ-v6'
set zone-policy zone LOCAL from DMZ firewall name 'LOCAL-from-DMZ-v4'
set zone-policy zone LOCAL from PRIVATE firewall ipv6-name 'LOCAL-from-PRIVATE-v6'
set zone-policy zone LOCAL from PRIVATE firewall name 'LOCAL-from-PRIVATE-v4'
set zone-policy zone LOCAL from PUBLIC firewall ipv6-name 'LOCAL-from-PUBLIC-v6'
set zone-policy zone LOCAL from PUBLIC firewall name 'LOCAL-from-PUBLIC-v4'
set zone-policy zone LOCAL local-zone
set zone-policy zone PRIVATE default-action 'drop'
set zone-policy zone PRIVATE description 'Private Zone'
set zone-policy zone PRIVATE from DMZ firewall ipv6-name 'PRIVATE-from-DMZ-v6'
set zone-policy zone PRIVATE from DMZ firewall name 'PRIVATE-from-DMZ-v4'
set zone-policy zone PRIVATE from LOCAL firewall ipv6-name 'PRIVATE-from-LOCAL-v6'
set zone-policy zone PRIVATE from LOCAL firewall name 'PRIVATE-from-LOCAL-v4'
set zone-policy zone PRIVATE from PUBLIC firewall ipv6-name 'PRIVATE-from-PUBLIC-v6'
set zone-policy zone PRIVATE from PUBLIC firewall name 'PRIVATE-from-PUBLIC-v4'
set zone-policy zone PRIVATE interface 'eth1.100'
set zone-policy zone PRIVATE interface 'eth1.99'
set zone-policy zone PRIVATE interface 'vti0'
set zone-policy zone PRIVATE interface 'tun0'
set zone-policy zone PRIVATE interface 'tun2'
set zone-policy zone PUBLIC default-action 'drop'
set zone-policy zone PUBLIC description 'Public Zone'
set zone-policy zone PUBLIC from DMZ firewall ipv6-name 'PUBLIC-from-DMZ-v6'
set zone-policy zone PUBLIC from DMZ firewall name 'PUBLIC-from-DMZ-v4'
set zone-policy zone PUBLIC from LOCAL firewall ipv6-name 'PUBLIC-from-LOCAL-v6'
set zone-policy zone PUBLIC from LOCAL firewall name 'PUBLIC-from-LOCAL-v4'
set zone-policy zone PUBLIC from PRIVATE firewall ipv6-name 'PUBLIC-from-PRIVATE-v6'
set zone-policy zone PUBLIC from PRIVATE firewall name 'PUBLIC-from-PRIVATE-v4'
set zone-policy zone PUBLIC interface 'eth0'
set zone-policy zone PUBLIC interface 'eth1'
set zone-policy zone PUBLIC interface 'tun1'

The default static route does not get added to the Linux routing table.

Link to bug on forums

Details

Difficulty level: Unknown (require assessment)
Version: 1.4-rolling-202111290926
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

The problem seems to occur when 2 IP addresses on the same network are defined on an interface, like this:

set interfaces ethernet eth0 address 'xxx.xxx.29.144/32'
set interfaces ethernet eth0 address 'xxx.xxx.91.81/32'
set interfaces ethernet eth0 address 'xxx.xxx.91.85/32'

And the problem is in the 1.4 version, since the tests were done without upgrading the image, just in a fresh VyOS 1.4-rolling-202111280953.

Simpler configuration to reproduce error:

set interfaces ethernet eth0 address '192.168.122.15/24'
set interfaces ethernet eth0 address '192.168.122.16/24'
set protocols static route 0.0.0.0/0 next-hop 192.168.122.1

With first commit:

vyos@vyos# commit;save
Saving configuration to '/config/config.boot'...
Done
[edit]
vyos@vyos# exit
exit
vyos@vyos:~$ show interfaces 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.122.15/24                 u/u  
                 192.168.122.16/24                      
eth1             -                                 u/D  
eth2             -                                 u/D  
eth3             -                                 u/D  
lo               127.0.0.1/8                       u/u  
                 ::1/128                                
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

S>* 0.0.0.0/0 [1/0] via 192.168.122.1, eth0, weight 1, 00:00:18
C>* 192.168.122.0/24 is directly connected, eth0, 00:00:20
vyos@vyos:~$ sudo ip route
default nhid 8 via 192.168.122.1 dev eth0 proto static metric 20 
192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.15

But after reboot:

Welcome to VyOS - vyos ttyS0

vyos login: vyos
Password: 

Check out project news at https://blog.vyos.io
and feel free to report bugs at https://phabricator.vyos.net

You can change this banner using "set system login banner post-login" command.

VyOS is a free software distribution that includes multiple components,
you can check individual component licenses under /usr/share/doc/*/copyright

vyos@vyos:~$ show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.122.15/24                 u/u  
                 192.168.122.16/24                      
eth1             -                                 u/D  
eth2             -                                 u/D  
eth3             -                                 u/D  
lo               127.0.0.1/8                       u/u  
                 ::1/128                                
vyos@vyos:~$ show ip route
vyos@vyos:~$ sudo ip route
192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.15 
vyos@vyos:~$ 

vyos@vyos:~$ vtysh

Hello, this is FRRouting (version 8.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

vyos# show ip route
vyos#

After disabling/enabling interface ethX, the routes reappear:

vyos@r11-roll:~$ sudo ip link set dev eth0 down
vyos@r11-roll:~$ sudo ip link set dev eth0 up

vyos@r11-roll:~$ sudo ip route
default nhid 21 via 192.168.122.1 dev eth0 proto static metric 20 
192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.11 
vyos@r11-roll:~$
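
A post-boot check for the symptom reported above, as an added example that is not part of the original report or of VyOS: it lists configured static routes that have no matching `proto static` entry in the kernel table. The function name and the sample variables are hypothetical; the sample inputs are constructed from the outputs quoted in this task, and only IPv4 `next-hop` routes are handled.

```shell
#!/bin/sh
# Constructed sample inputs, taken from the outputs quoted in this task.
CONFIG="set interfaces ethernet eth0 address '192.168.122.15/24'
set interfaces ethernet eth0 address '192.168.122.16/24'
set protocols static route 0.0.0.0/0 next-hop 192.168.122.1"

FIB_AFTER_COMMIT="default nhid 8 via 192.168.122.1 dev eth0 proto static metric 20
192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.15"

FIB_AFTER_REBOOT="192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.15"

# missing_static_routes CONFIG_TEXT IP_ROUTE_TEXT  (hypothetical helper)
# Prints "prefix via next-hop" for every configured static route that has no
# 'proto static' entry with the same next hop in the `ip route` text.
# Prints nothing when every configured route is installed.
missing_static_routes() {
    printf '%s\n' "$1" | tr -d "'" |
    awk '$1 == "set" && $2 == "protocols" && $3 == "static" &&
         $4 == "route" && $6 == "next-hop" { print $5, $7 }' |
    while read -r prefix nexthop; do
        # The kernel prints 0.0.0.0/0 as "default".
        [ "$prefix" = "0.0.0.0/0" ] && key=default || key=$prefix
        printf '%s\n' "$2" |
        awk -v k="$key" -v nh="$nexthop" '
            $1 == k && /proto static/ {
                for (i = 2; i < NF; i++)
                    if ($i == "via" && $(i + 1) == nh) found = 1
            }
            END { exit !found }' || echo "$prefix via $nexthop"
    done
}

echo "missing after commit: $(missing_static_routes "$CONFIG" "$FIB_AFTER_COMMIT")"
echo "missing after reboot: $(missing_static_routes "$CONFIG" "$FIB_AFTER_REBOOT")"
```

On a live router, pass the captured output of `show configuration commands` and `ip route` instead of the sample variables; any line printed is a configured route that did not reach the kernel.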

Viacheslav renamed this task from [1.4-rolling-202111290926] 0.0.0.0/0 not being applied to routing table to FRR 8.1 routes not being applied to routing table after reboot if an interface has 2 ip addresses. Dec 6 2021, 9:47 PM
Viacheslav changed the task status from Open to Needs testing. Jun 9 2022, 3:41 AM

Just tested this on VyOS 1.4-rolling-202207111030, with the following commands:

set interfaces ethernet eth3 address '10.0.0.2/24'
set interfaces ethernet eth3 address '10.0.0.3/24'
set protocols static route 0.0.0.0/0 next-hop 10.0.0.1

After a reboot:

show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

S>* 0.0.0.0/0 [1/0] via 10.0.0.1, eth3, weight 1, 00:01:53
C>* 10.0.0.0/24 is directly connected, eth3, 00:01:56
sudo ip route
default nhid 11 via 10.0.0.1 dev eth3 proto static metric 20
10.0.0.0/24 dev eth3 proto kernel scope link src 10.0.0.2
172.17.10.0/24 dev eth1 proto kernel scope link src 172.17.10.1 dead linkdown
172.17.20.0/24 dev eth2 proto kernel scope link src 172.17.20.1 dead linkdown

FRR version:

vtysh

Hello, this is FRRouting (version 8.2.2).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

@Viacheslav
Yes, the outputs of show ip route and sudo ip route are after a reboot.

Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.