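/* VyOS-style router configuration, restored to one node per line from a collapsed export.
   Addresses, MACs, AS numbers, hostnames and secrets are masked (xxx / XXX) in the source;
   review observations are added as comments and reference only what this file shows. */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* Martian (impossible-source) packets are logged; useful evidence that spoofed traffic reached the box. */
    log-martians enable
    /* Rule set with no rules and an accept default: every zone pair that references it permits all traffic.
       It is a placeholder, not a filter; see zone-policy below, where it is the only rule set used. */
    name FW_ALLOW_ALL {
        default-action accept
    }
    receive-redirects disable
    /* ICMP redirects are emitted by this host; on a routing/firewall device this is rarely needed and
       discloses next-hop information. Consider disable unless a downstream design depends on it. */
    send-redirects enable
    /* Reverse-path filtering is off, so packets with spoofed source addresses are not dropped on ingress.
       NOTE(review): asymmetric paths (VRRP + BGP here) may be the reason; confirm before enabling loose/strict. */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
high-availability {
    vrrp {
        /* Single VRRP group on eth1 with a higher-than-default priority (200) and a 1 s advertisement.
           No authentication or preempt option is present in this group; the xxx.xxx.100.0/24 segment is
           therefore trusted to carry unauthenticated VRRP — TODO confirm that assumption. */
        group sentrium-internal-01 {
            advertise-interval 1
            health-check {
                failure-count 1
                interval 4
            }
            hello-source-address xxx.xxx.100.1
            interface eth1
            peer-address xxx.xxx.100.2
            priority 200
            virtual-address xxx.xxx.100.254/24
            vrid 26
        }
    }
}
interfaces {
    /* eth0 is addressed by DHCP; zone-eth0 (below) suggests it is the externally facing side — inferred, confirm. */
    ethernet eth0 {
        address dhcp
        duplex auto
        hw-id XX:XX:XX:4b:33:e5
        smp-affinity auto
        speed auto
    }
    /* eth1 carries the VRRP group, the BGP neighbor and the IPsec local-address. */
    ethernet eth1 {
        address xxx.xxx.100.1/24
        duplex auto
        hw-id XX:XX:XX:01:da:89
        smp-affinity auto
        speed auto
    }
    /* eth2 has no IPv4 address configured here; it is used as an IPv6 interface-route next hop and as a DNAT inbound interface. */
    ethernet eth2 {
        duplex auto
        hw-id XX:XX:XX:2d:07:cb
        smp-affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    destination {
        /* Matches only on inbound interface and source prefix: every destination and port from
           xxx.xxx.55.0/24 arriving on eth2 is rewritten to xxx.xxx.1.1. Add a destination/port match
           if the intent is narrower than "redirect everything from that subnet". */
        rule 10 {
            inbound-interface eth2
            source {
                address xxx.xxx.55.0/24
            }
            translation {
                address xxx.xxx.1.1
            }
        }
    }
    source {
        rule 10 {
            outbound-interface eth1
            source {
                address xxx.xxx.60.0/24
            }
            translation {
                address masquerade
            }
        }
        /* Translation to a /24 prefix maps xxx.xxx.56.0/24 one-to-one onto xxx.xxx.21.0/24 (network mapping, not masquerade). */
        rule 100 {
            outbound-interface eth1
            source {
                address xxx.xxx.56.0/24
            }
            translation {
                address xxx.xxx.21.0/24
            }
        }
        /* `eth+` is a wildcard for every eth* interface, eth0 included, so unlike rules 10/100 these
           prefixes are masqueraded out of any interface — including the DHCP-addressed eth0. */
        rule 200 {
            outbound-interface eth+
            source {
                address xxx.xxx.100.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 201 {
            outbound-interface eth+
            source {
                address xxx.xxx.201.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
policy {
    /* Exact /0 with no le/ge: matches only the default route. */
    prefix-list DEFAULT-ROUTE {
        rule 10 {
            action permit
            prefix xxx.xxx.0.0/0
        }
    }
    route-map ALLOW-DEFAULT {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        prefix-list DEFAULT-ROUTE
                    }
                }
            }
        }
    }
}
protocols {
    bgp XXXXXX {
        address-family {
            ipv4-unicast {
                /* Redistributing kernel routes advertises everything in the kernel table, including the DHCP
                   default on eth0 and interface routes. No route-map filters this — confirm the peer should see all of it. */
                redistribute {
                    kernel {
                    }
                    static {
                    }
                }
            }
        }
        /* Neighbor is the VRRP peer on eth1. Local AS and remote-as are both masked as XXXXXX, so whether
           this is iBGP cannot be read from the file. `passive` means this side never initiates the session. */
        neighbor xxx.xxx.100.2 {
            address-family {
                ipv4-unicast {
                    default-originate {
                        route-map ALLOW-DEFAULT
                    }
                    nexthop-self
                    /* Keeps unmodified inbound updates in memory so policy changes can be re-applied without a session reset. */
                    soft-reconfiguration {
                        inbound
                    }
                }
            }
            passive
            remote-as XXXXXX
        }
    }
    static {
        interface-route6 xxxx:xxxx:0:70::/60 {
            next-hop-interface eth2 {
            }
        }
        route xxx.xxx.4.4/32 {
            next-hop xxx.xxx.2.2 {
            }
        }
        route xxx.xxx.8.8/32 {
            next-hop xxx.xxx.20.1 {
            }
        }
        table 10 {
            route xxx.xxx.15.0/24 {
                next-hop xxx.xxx.20.1 {
                }
            }
        }
    }
}
service {
    /* Web UI bound to a single address with HTTP->HTTPS redirect; certificate settings are not present in this export. */
    https {
        http-redirect enable
        listen-address xxx.xxx.56.101
    }
    /* SSH with every default: no listen-address, port or password-authentication setting. Because zone-local
       accepts FW_ALLOW_ALL from eth0, eth1 and eth2 (see zone-policy), the service is reachable from all
       three segments, including the DHCP-addressed eth0. Consider listen-address and
       disable-password-authentication with key-based login for the admin user below. */
    ssh {
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name xxxxxx
    login {
        /* Single admin-level account. Both encrypted-password and plaintext-password nodes are present; VyOS
           normally replaces plaintext-password with the hash on commit, so a surviving plaintext-password
           suggests a pre-commit or hand-edited export. Verify no cleartext credential remains in the saved config. */
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
            }
            level admin
        }
    }
    name-server xxx.xxx.8.8
    ntp {
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    syslog {
        /* Only local logging is configured (no remote host); logs do not survive a compromised or replaced box.
           Routing-protocol facility is at debug, which is very verbose for steady state. */
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Kiev
}
traffic-policy {
    drop-tail dt01 {
        queue-limit 10000
    }
    fair-queue fair-queue1 {
        hash-interval 30
        queue-limit 20
    }
    network-emulator nem1 {
        bandwidth 10mbit
        burst 15k
        network-delay 10ms
        packet-reordering 20
        queue-limit 1033
    }
    priority-queue prio1 {
        default {
            queue-type random-detect
        }
    }
    random-detect rad1 {
        bandwidth 10mbit
        precedence 0 {
            average-packet 750
            mark-probability 50
            maximum-threshold 3000
            minimum-threshold 1000
            queue-limit 50000
        }
    }
    rate-control ratecon1 {
        bandwidth 10mbit
        burst 0.1mb
        latency 50ms
    }
    round-robin rr1 {
        default {
            quantum 1514
            queue-type fq-codel
        }
    }
    /* None of these traffic policies is attached to an interface in this export; they are defined but inactive here. */
    shaper shaper1 {
        bandwidth 100mbps
        class 2 {
            bandwidth 20000
            burst 15k
            match class2match {
                ip {
                    source {
                        address xxx.xxx.0.0/24
                    }
                }
            }
            queue-type fair-queue
        }
        class 3 {
            bandwidth 30000
            burst 15k
            match class3match {
                ip {
                    source {
                        address xxx.xxx.0.0/24
                    }
                }
            }
            priority 6
            queue-type fair-queue
        }
        default {
            bandwidth 15000
            burst 15k
            queue-type fair-queue
        }
    }
}
vpn {
    ipsec {
        /* ESP: AES-256-CBC with SHA-1 integrity, PFS on, 30-minute lifetime. SHA-1 is a legacy choice for IPsec
           integrity; moving to sha256 (or aes256gcm128, which needs no separate hash) has to be coordinated with the peer. */
        esp-group office-srv-esp {
            compression disable
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        /* IKE: IKEv1 with DH group 2 (1024-bit MODP) and SHA-1. Both are below current guidance (IKEv2, DH group 14
           or stronger, SHA-256+). `ikev2-reauth` has no effect while key-exchange is ikev1. */
        ike-group office-srv-ike {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            /* Pre-shared-secret authentication to a DNS-named peer; this side initiates. Two tunnels share the
               same local prefix and differ only in remote prefix. */
            peer xxxxx.tld {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret xxxxxx
                }
                connection-type initiate
                ike-group office-srv-ike
                ikev2-reauth inherit
                local-address xxx.xxx.100.1
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group office-srv-esp
                    local {
                        prefix xxx.xxx.20.0/24
                    }
                    remote {
                        prefix xxx.xxx.201.0/24
                    }
                }
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group office-srv-esp
                    local {
                        prefix xxx.xxx.20.0/24
                    }
                    remote {
                        prefix xxx.xxx.202.0/24
                    }
                }
            }
        }
    }
    /* NOTE(review): the collapsed source appeared to be one '}' short at this point; the vpn block is closed
       explicitly here — confirm against the live configuration. */
}
zone-policy {
    /* Every inter-zone reference below uses FW_ALLOW_ALL, so the effective policy is:
       eth0 <-> eth1 open in both directions; the router (local) is reachable from eth0, eth1 and eth2;
       eth2 has no `from` entries, so nothing is forwarded into eth2 and eth2 can only reach the router itself.
       The zone structure currently restricts only traffic toward eth2. */
    zone zone-eth0 {
        default-action drop
        from zone-eth1 {
            firewall {
                name FW_ALLOW_ALL
            }
        }
        from zone-local {
            firewall {
                name FW_ALLOW_ALL
            }
        }
        interface eth0
    }
    zone zone-eth1 {
        default-action drop
        from zone-eth0 {
            firewall {
                name FW_ALLOW_ALL
            }
        }
        from zone-local {
            firewall {
                name FW_ALLOW_ALL
            }
        }
        interface eth1
    }
    zone zone-eth2 {
        default-action drop
        interface eth2
    }
    zone zone-local {
        default-action drop
        from zone-eth0 {
            firewall {
                name FW_ALLOW_ALL
            }
        }
        from zone-eth1 {
            firewall {
                name FW_ALLOW_ALL
            }
        }
        from zone-eth2 {
            firewall {
                name FW_ALLOW_ALL
            }
        }
        local-zone
    }
}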