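/* Zone-based VyOS/EdgeOS router config: LAN (eth0), Kids VLAN (eth0.20), Cameras (eth1), DMZ (eth3),
   LTE uplink (eth4), Mullvad exit tunnels (wg15/wg16), site-to-site Utah tunnels (wg20/wg25),
   road-warrior tunnel (wg100). Addresses, MACs and keys are masked as in the original dump.
   Changes from the original: zone UTAH "from DMZ" now references DMZ-UTAH (was CAMERAS-DMZ),
   WAN-LOCAL rule 5100 (ssh) is TCP only, and the dynamic-DNS login is masked like the other secrets. */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group CameraTabs {
            address xxx.xxx.20.17-xxx.xxx.20.18
        }
        address-group KidsLaptops {
            address xxx.xxx.20.22-xxx.xxx.20.23
        }
        address-group Sonos {
            address xxx.xxx.2.50-xxx.xxx.2.60
            description Sonos
        }
        address-group Streaming {
            address xxx.xxx.20.30
            address xxx.xxx.20.31
            address xxx.xxx.2.3
            address xxx.xxx.2.4
            address xxx.xxx.2.7
            address xxx.xxx.2.8
        }
        network-group Cameras {
            network xxx.xxx.40.0/24
        }
        network-group DMZ {
            network xxx.xxx.80.0/24
        }
        /* Isolated and Trusted are defined but not referenced by any ruleset or policy below. */
        network-group Isolated {
            network xxx.xxx.20.0/24
        }
        network-group LocalSubnets {
            network xxx.xxx.2.0/24
            network xxx.xxx.20.0/24
            network xxx.xxx.40.0/24
            network xxx.xxx.80.0/24
            network xxx.xxx.88.0/24
        }
        network-group Trusted {
            network xxx.xxx.2.0/24
        }
        network-group UtahNetworks {
            network xxx.xxx.1.0/24
            network xxx.xxx.10.0/24
            network xxx.xxx.30.0/24
            network xxx.xxx.50.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name CAMERAS-DMZ {
        default-action drop
    }
    name CAMERAS-KIDS {
        default-action drop
    }
    /* Cameras may only reach the internal DNS server and one host (xxx.xxx.2.10, any port;
       presumably the NVR/recording host -- confirm and narrow to its service ports if possible). */
    name CAMERAS-LAN {
        default-action drop
        rule 10 {
            action accept
            destination {
                address xxx.xxx.2.6
                port 53
            }
            protocol tcp_udp
        }
        rule 20 {
            action accept
            destination {
                address xxx.xxx.2.10
            }
        }
    }
    /* Router-local services offered to every internal zone: DNS, DHCP, NTP. */
    name CAMERAS-LOCAL {
        default-action drop
        rule 100 {
            action accept
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 110 {
            action accept
            destination {
                port 67-68
            }
            protocol tcp_udp
        }
        rule 120 {
            action accept
            destination {
                port 123
            }
            protocol tcp_udp
        }
    }
    /* No MULLVAD zone exists (wg15/wg16 sit in zone WAN), so the *-MULLVAD and MULLVAD-* rulesets
       are unreferenced; they are kept here unchanged. */
    name CAMERAS-MULLVAD {
        default-action drop
    }
    name CAMERAS-REMOTE {
        default-action accept
    }
    name CAMERAS-UTAH {
        default-action accept
    }
    /* Cameras are allowed to initiate connections to the Internet (policy VLAN40 sends them via table main). */
    name CAMERAS-WAN {
        default-action accept
    }
    name DMZ-CAMERAS {
        default-action drop
    }
    name DMZ-KIDS {
        default-action drop
    }
    name DMZ-LAN {
        default-action drop
        rule 10 {
            action accept
            destination {
                address xxx.xxx.2.6
                port 53
            }
            protocol tcp_udp
        }
    }
    name DMZ-LOCAL {
        default-action drop
        rule 100 {
            action accept
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 110 {
            action accept
            destination {
                port 67-68
            }
            protocol tcp_udp
        }
        rule 120 {
            action accept
            destination {
                port 123
            }
            protocol tcp_udp
        }
    }
    name DMZ-MULLVAD {
        default-action accept
    }
    name DMZ-REMOTE {
        default-action drop
    }
    name DMZ-UTAH {
        default-action drop
    }
    name DMZ-WAN {
        default-action accept
    }
    name KIDS-CAMERAS {
        default-action drop
    }
    name KIDS-DMZ {
        default-action drop
    }
    name KIDS-LAN {
        default-action drop
        rule 10 {
            action accept
            destination {
                address xxx.xxx.2.6
                port 53
            }
            protocol tcp_udp
        }
        rule 15 {
            action accept
            destination {
                address xxx.xxx.2.5
                port 6690
            }
            protocol tcp_udp
            source {
                group {
                    address-group KidsLaptops
                }
            }
        }
        /* Any port on xxx.xxx.2.10 from the camera tablets; same host CAMERAS-LAN rule 20 opens. */
        rule 20 {
            action accept
            destination {
                address xxx.xxx.2.10
            }
            source {
                group {
                    address-group CameraTabs
                }
            }
        }
    }
    name KIDS-LOCAL {
        default-action drop
        rule 100 {
            action accept
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 110 {
            action accept
            destination {
                port 67-68
            }
            protocol tcp_udp
        }
        rule 120 {
            action accept
            destination {
                port 123
            }
            protocol tcp_udp
        }
    }
    name KIDS-MULLVAD {
        default-action accept
    }
    name KIDS-REMOTE {
        default-action accept
    }
    name KIDS-UTAH {
        default-action accept
    }
    name KIDS-WAN {
        default-action accept
    }
    /* Rule 5 accepts the whole Cameras network-group, which is the only network in zone CAMERAS,
       so the logged default-drop effectively never fires for LAN->CAMERAS traffic. */
    name LAN-CAMERAS {
        default-action drop
        enable-default-log
        rule 5 {
            action accept
            destination {
                group {
                    network-group Cameras
                }
            }
        }
    }
    name LAN-DMZ {
        default-action accept
    }
    name LAN-KIDS {
        default-action accept
    }
    name LAN-LOCAL {
        default-action drop
        rule 5 {
            action accept
            icmp {
            }
        }
        rule 100 {
            action accept
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 110 {
            action accept
            destination {
                port 67-68
            }
            protocol tcp_udp
        }
        rule 120 {
            action accept
            destination {
                port 123
            }
            protocol tcp_udp
        }
        /* Management SSH (service ssh port 55512) from the LAN only; TCP only, matching the service. */
        rule 200 {
            action accept
            destination {
                port 55512
            }
            protocol tcp
        }
    }
    name LAN-MULLVAD {
        default-action accept
    }
    name LAN-REMOTE {
        default-action accept
    }
    name LAN-UTAH {
        default-action accept
    }
    /* Rule 10 is a disabled catch-all drop -- a kill-switch placeholder; it has no effect while disabled. */
    name LAN-WAN {
        default-action accept
        rule 10 {
            action drop
            disable
        }
    }
    name LOCAL-CAMERAS {
        default-action accept
    }
    name LOCAL-DMZ {
        default-action accept
    }
    name LOCAL-KIDS {
        default-action accept
    }
    name LOCAL-LAN {
        default-action accept
    }
    name LOCAL-MULLVAD {
        default-action accept
    }
    name LOCAL-REMOTE {
        default-action accept
    }
    name LOCAL-UTAH {
        default-action accept
    }
    name LOCAL-WAN {
        default-action accept
    }
    name MULLVAD-CAMERAS {
        default-action drop
    }
    name MULLVAD-DMZ {
        default-action drop
    }
    name MULLVAD-KIDS {
        default-action drop
    }
    name MULLVAD-LAN {
        default-action drop
    }
    name MULLVAD-LOCAL {
        default-action drop
    }
    /* Road-warrior clients (wg100) get unrestricted access to every internal zone. */
    name REMOTE-CAMERAS {
        default-action accept
    }
    name REMOTE-DMZ {
        default-action accept
    }
    name REMOTE-KIDS {
        default-action accept
    }
    name REMOTE-LAN {
        default-action accept
    }
    name REMOTE-LOCAL {
        default-action accept
    }
    name UTAH-CAMERAS {
        default-action accept
    }
    name UTAH-DMZ {
        default-action drop
    }
    name UTAH-KIDS {
        default-action accept
    }
    /* Rule 10 matches everything and logs it: every UTAH->LAN packet that opens a flow is logged. */
    name UTAH-LAN {
        default-action accept
        rule 10 {
            action accept
            log enable
        }
    }
    name UTAH-LOCAL {
        default-action accept
    }
    name WAN-CAMERAS {
        default-action drop
        enable-default-log
    }
    /* No accept rule here: the XBOX destination-NAT rules below translate to xxx.xxx.80.5 (DMZ), but
       the zone filter then sees WAN->DMZ and drops it. Either the forwards are intentionally parked,
       or a narrowly scoped accept for that host/ports is missing -- confirm before opening anything. */
    name WAN-DMZ {
        default-action drop
        enable-default-log
    }
    name WAN-KIDS {
        default-action drop
        enable-default-log
    }
    name WAN-LAN {
        default-action drop
        enable-default-log
    }
    /* Services exposed to the Internet on the router itself. Note that zone WAN also contains the
       Mullvad tunnels (wg15/wg16), so these ports are reachable through them too. */
    name WAN-LOCAL {
        default-action drop
        enable-default-log
        rule 5 {
            action accept
            icmp {
            }
        }
        rule 5000 {
            action accept
            description RoadWarriorWG
            destination {
                port 50000
            }
            protocol udp
        }
        /* SSH is TCP only; the original opened tcp_udp, leaving an unused UDP hole.
           Internet-facing SSH should be key-based only (not visible here -- verify under service ssh). */
        rule 5100 {
            action accept
            description ssh
            destination {
                port 55512
            }
            protocol tcp
        }
        rule 5200 {
            action accept
            description UtahWG
            destination {
                port 51825
            }
            protocol udp
        }
    }
    receive-redirects disable
    /* send-redirects is enabled and reverse-path validation is off; loose source-validation
       would add anti-spoofing without breaking the multi-table policy routing below -- test first. */
    send-redirects enable
    source-validation disable
    state-policy {
        established {
            action accept
        }
        invalid {
            action drop
        }
        related {
            action accept
        }
    }
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address xxx.xxx.2.1/24
        description LAN
        duplex auto
        hw-id XX:XX:XX:XX:XX:10
        policy {
            route LAN-New
        }
        speed auto
        vif 20 {
            address xxx.xxx.20.1/24
            description Kids
            policy {
                route VLAN20-New
            }
        }
    }
    ethernet eth1 {
        address xxx.xxx.40.1/24
        description Cameras
        duplex auto
        hw-id XX:XX:XX:XX:XX:11
        policy {
            route VLAN40
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        hw-id XX:XX:XX:XX:XX:12
        speed auto
    }
    ethernet eth3 {
        address xxx.xxx.80.1/24
        description DMZ
        duplex auto
        hw-id XX:XX:XX:XX:XX:13
        policy {
            route DMZ
        }
        speed auto
    }
    /* Internet uplink; no vif 100 is defined here although protocols/static references eth4.100. */
    ethernet eth4 {
        address dhcp
        description ToLTE
        duplex auto
        hw-id XX:XX:XX:XX:XX:0e
        speed auto
    }
    ethernet eth5 {
        duplex auto
        hw-id XX:XX:XX:XX:XX:0f
        speed auto
    }
    loopback lo {
    }
    /* Mullvad exits: full-tunnel allowed-ips, used as default routes in tables 10 and 15. */
    wireguard wg15 {
        address xxx.xxx.194.225/32
        description MullvadNY96
        mtu 1420
        peer MullvadNY {
            address xxx.xxx.143.210
            allowed-ips xxx.xxx.0.0/0
            persistent-keepalive 15
            port 51820
            pubkey ****************
        }
        private-key ****************
    }
    wireguard wg16 {
        address xxx.xxx.45.237/32
        description MullvadLA
        mtu 1420
        peer MullvadLA {
            address xxx.xxx.114.236
            allowed-ips xxx.xxx.0.0/0
            persistent-keepalive 15
            port 51820
            pubkey ****************
        }
        private-key ****************
    }
    /* Site-to-site to Utah; listens on 51825 (opened in WAN-LOCAL rule 5200). */
    wireguard wg20 {
        address xxx.xxx.80.3/24
        description UtahWireguard
        mtu 1420
        peer Utah {
            address xxx.xxx.203.9
            allowed-ips xxx.xxx.0.0/0
            persistent-keepalive 5
            port 51820
            pubkey ****************
        }
        port 51825
        private-key ****************
    }
    /* Alternate Utah tunnel with split allowed-ips; local port 51826 is not opened in WAN-LOCAL,
       which is fine as long as this side always initiates (keepalive 5 suggests it does). */
    wireguard wg25 {
        address xxx.xxx.85.2/24
        description UtahAlternate
        mtu 1420
        peer UtahAlternate {
            address xxx.xxx.203.9
            allowed-ips xxx.xxx.1.0/24
            allowed-ips xxx.xxx.10.0/24
            allowed-ips xxx.xxx.30.0/24
            allowed-ips xxx.xxx.50.0/24
            allowed-ips xxx.xxx.85.1/32
            persistent-keepalive 5
            port 51825
            pubkey ****************
        }
        port 51826
        private-key ****************
    }
    /* Road-warrior server; single peer pinned to one /32. */
    wireguard wg100 {
        address xxx.xxx.100.1/24
        description RoadWarrior
        mtu 1420
        peer Pixel {
            allowed-ips xxx.xxx.100.2/32
            pubkey ****************
        }
        policy {
            route Wireguard
        }
        port 50000
        private-key ****************
    }
}
nat {
    destination {
        /* Rules 10-30 redirect DNS from specific LAN hosts to the router's own resolver
           (hosts that hard-code an external DNS server). */
        rule 10 {
            destination {
                port 53
            }
            inbound-interface eth0
            protocol tcp_udp
            source {
                address xxx.xxx.2.3
            }
            translation {
                address xxx.xxx.2.1
            }
        }
        rule 20 {
            destination {
                port 53
            }
            inbound-interface eth0
            protocol tcp_udp
            source {
                address xxx.xxx.2.4
            }
            translation {
                address xxx.xxx.2.1
            }
        }
        rule 30 {
            description FirTVWifi
            destination {
                port 53
            }
            inbound-interface eth0
            protocol tcp_udp
            source {
                address xxx.xxx.2.7
            }
            translation {
                address xxx.xxx.2.1
            }
        }
        /* Rules 100-160: inbound port forwards to the Xbox in the DMZ (xxx.xxx.80.5). Forwarding 53 and 80
           from the Internet to a console is unusual; as noted on WAN-DMZ these are currently dropped
           by the zone filter. If re-enabled, keep the set to what the console actually needs. */
        rule 100 {
            description XBOX
            destination {
                port 3074
            }
            inbound-interface eth4
            protocol tcp_udp
            translation {
                address xxx.xxx.80.5
                port 3074
            }
        }
        rule 110 {
            description XBOX
            destination {
                port 3544
            }
            inbound-interface eth4
            protocol udp
            translation {
                address xxx.xxx.80.5
                port 3544
            }
        }
        rule 120 {
            description XBOX
            destination {
                port 4500
            }
            inbound-interface eth4
            protocol udp
            translation {
                address xxx.xxx.80.5
                port 4500
            }
        }
        rule 130 {
            description XBOX
            destination {
                port 88
            }
            inbound-interface eth4
            protocol udp
            translation {
                address xxx.xxx.80.5
            }
        }
        rule 140 {
            description XBOX
            destination {
                port 53
            }
            inbound-interface eth4
            protocol tcp_udp
            translation {
                address xxx.xxx.80.5
            }
        }
        rule 150 {
            description XBOX
            destination {
                port 80
            }
            inbound-interface eth4
            protocol tcp
            translation {
                address xxx.xxx.80.5
            }
        }
        rule 160 {
            description XBOX
            destination {
                port 500
            }
            inbound-interface eth4
            protocol udp
            translation {
                address xxx.xxx.80.5
            }
        }
    }
    source {
        rule 10 {
            description WAN
            outbound-interface eth4
            translation {
                address masquerade
            }
        }
        rule 20 {
            description MullvadNY
            outbound-interface wg15
            translation {
                address masquerade
            }
        }
        rule 25 {
            description MullvadLA
            outbound-interface wg16
            translation {
                address masquerade
            }
        }
        rule 30 {
            description Utah
            outbound-interface wg20
            translation {
                address masquerade
            }
        }
        /* Disabled: traffic sent into wg25 (policy table 25) leaves with its original source address. */
        rule 35 {
            description UtahAlternate
            disable
            outbound-interface wg25
            translation {
                address masquerade
            }
        }
    }
}
/* Policy-based routing. Tables: main = LTE uplink, 10 = Mullvad NY (wg15), 15 = Mullvad LA (wg16, unused
   by any policy), 20 = Utah (wg20), 25 = Utah alternate (wg25). */
policy {
    route DMZ {
        rule 100 {
            set {
                table main
            }
        }
    }
    /* LAN default: everything not matched earlier goes out through Mullvad NY (rule 100). */
    route LAN-New {
        rule 4 {
            set {
                table main
            }
            source {
                address xxx.xxx.2.6
            }
        }
        rule 5 {
            set {
                table main
            }
            source {
                group {
                    address-group Sonos
                }
            }
        }
        rule 10 {
            destination {
                group {
                    network-group LocalSubnets
                }
            }
            set {
                table main
            }
        }
        /* If this xxx.xxx.80.0/24 is the same prefix as the DMZ (already in LocalSubnets), rule 10 shadows
           this rule; the masking hides whether it is a different /24 (e.g. the wg20 side). Verify. */
        rule 20 {
            destination {
                address xxx.xxx.80.0/24
            }
            set {
                table 25
            }
        }
        rule 25 {
            destination {
                address xxx.xxx.100.0/24
            }
            set {
                table main
            }
        }
        rule 30 {
            destination {
                group {
                    network-group !UtahNetworks
                }
            }
            set {
                table 20
            }
            source {
                group {
                    address-group Streaming
                }
            }
        }
        rule 40 {
            destination {
                group {
                    network-group UtahNetworks
                }
            }
            disable
            set {
                table 20
            }
        }
        rule 41 {
            destination {
                group {
                    network-group UtahNetworks
                }
            }
            set {
                table 25
            }
        }
        rule 90 {
            disable
            set {
                table main
            }
            source {
                address xxx.xxx.2.100
            }
        }
        rule 100 {
            set {
                table 10
            }
        }
    }
    route VLAN20-New {
        rule 10 {
            destination {
                group {
                    network-group LocalSubnets
                }
            }
            log enable
            set {
                table main
            }
        }
        rule 15 {
            destination {
                address xxx.xxx.100.0/24
            }
            set {
                table main
            }
        }
        rule 20 {
            set {
                table 20
            }
            source {
                group {
                    address-group Streaming
                }
            }
        }
        rule 100 {
            set {
                table 10
            }
        }
    }
    route VLAN40 {
        rule 20 {
            destination {
                address xxx.xxx.30.21
            }
            set {
                table 20
            }
        }
        rule 100 {
            log enable
            set {
                table main
            }
        }
    }
    route Wireguard {
        enable-default-log
        rule 100 {
            destination {
                group {
                    network-group LocalSubnets
                }
            }
            set {
                table main
            }
        }
    }
}
protocols {
    static {
        /* eth4.100 is not configured under interfaces (eth4 has no vif 100) and wg100 already owns
           xxx.xxx.100.1/24; this route looks stale and is probably not installed -- confirm and remove. */
        interface-route xxx.xxx.100.0/24 {
            next-hop-interface eth4.100 {
            }
        }
        interface-route xxx.xxx.80.0/24 {
            next-hop-interface wg20 {
            }
        }
        /* xxx.xxx.85.0/24 is wg25's own subnet but is routed via wg20 here -- check this is intended. */
        interface-route xxx.xxx.85.0/24 {
            next-hop-interface wg20 {
            }
        }
        table 10 {
            interface-route xxx.xxx.0.0/0 {
                next-hop-interface wg15 {
                }
            }
        }
        table 15 {
            interface-route xxx.xxx.0.0/0 {
                next-hop-interface wg16 {
                }
            }
        }
        table 20 {
            interface-route xxx.xxx.0.0/0 {
                next-hop-interface wg20 {
                }
            }
        }
        table 25 {
            interface-route xxx.xxx.0.0/0 {
                next-hop-interface wg25 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name xxxxxx {
            subnet xxx.xxx.40.0/24 {
                default-router xxx.xxx.40.1
                dns-server xxx.xxx.2.6
                domain-name xxxxxx
                lease 86400
                range 0 {
                    start xxx.xxx.40.100
                    stop xxx.xxx.40.200
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.40.21
                    mac-address XX:XX:XX:XX:XX:00
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.40.32
                    mac-address XX:XX:XX:XX:XX:c8
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.40.31
                    mac-address XX:XX:XX:XX:XX:4e
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.40.30
                    mac-address XX:XX:XX:XX:XX:AF
                }
            }
        }
        shared-network-name xxxxxx {
            subnet xxx.xxx.80.0/24 {
                default-router xxx.xxx.80.1
                dns-server xxx.xxx.2.6
                domain-name xxxxxx
                lease 86400
                range 0 {
                    start xxx.xxx.80.100
                    stop xxx.xxx.80.200
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.80.5
                    mac-address XX:XX:XX:XX:XX:85
                }
            }
        }
        shared-network-name xxxxxx {
            subnet xxx.xxx.20.0/24 {
                default-router xxx.xxx.20.1
                dns-server xxx.xxx.2.6
                domain-name xxxxxx
                lease 86400
                range 0 {
                    start xxx.xxx.20.100
                    stop xxx.xxx.20.200
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.20.30
                    mac-address XX:XX:XX:XX:XX:c5
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.20.31
                    mac-address XX:XX:XX:XX:XX:b1
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.20.5
                    mac-address XX:XX:XX:XX:XX:57
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.20.22
                    mac-address XX:XX:XX:XX:XX:9e
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.20.20
                    mac-address XX:XX:XX:XX:XX:d7
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.20.21
                    mac-address XX:XX:XX:XX:XX:FE
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.20.18
                    mac-address XX:XX:XX:XX:XX:4c
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.20.23
                    mac-address XX:XX:XX:XX:XX:84
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.20.15
                    mac-address XX:XX:XX:XX:XX:0f
                }
            }
        }
        /* Mapping names are masked, so duplicates cannot be resolved here: xxx.xxx.2.6 (the DNS server)
           is assigned to two different MACs (...:88 and ...:b7) and the xxx.xxx.2.21/...:cb entry appears
           twice. Two hosts claiming the resolver's address would break DNS for every zone -- reconcile. */
        shared-network-name xxxxxx {
            description LAN_DHCP
            subnet xxx.xxx.2.0/24 {
                default-router xxx.xxx.2.1
                dns-server xxx.xxx.2.6
                domain-name xxxxxx
                lease 86400
                range 0 {
                    start xxx.xxx.2.100
                    stop xxx.xxx.2.200
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.13
                    mac-address XX:XX:XX:XX:XX:de
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.12
                    mac-address XX:XX:XX:XX:XX:4a
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.21
                    mac-address XX:XX:XX:XX:XX:cb
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.24
                    mac-address XX:XX:XX:XX:XX:ee
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.23
                    mac-address XX:XX:XX:XX:XX:4a
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.4
                    mac-address XX:XX:XX:XX:XX:e0
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.10
                    mac-address XX:XX:XX:XX:XX:3d
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.5
                    mac-address XX:XX:XX:XX:XX:fd
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.3
                    mac-address XX:XX:XX:XX:XX:fd
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.8
                    mac-address XX:XX:XX:XX:XX:f3
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.20
                    mac-address XX:XX:XX:XX:XX:89
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.22
                    mac-address XX:XX:XX:XX:XX:7e
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.74
                    mac-address XX:XX:XX:XX:XX:48
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.72
                    mac-address XX:XX:XX:XX:XX:2c
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.73
                    mac-address XX:XX:XX:XX:XX:f6
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.6
                    mac-address XX:XX:XX:XX:XX:88
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.21
                    mac-address XX:XX:XX:XX:XX:cb
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.57
                    mac-address XX:XX:XX:XX:XX:d8
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.51
                    mac-address XX:XX:XX:XX:XX:b0
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.50
                    mac-address XX:XX:XX:XX:XX:ec
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.56
                    mac-address XX:XX:XX:XX:XX:b2
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.52
                    mac-address XX:XX:XX:XX:XX:b2
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.55
                    mac-address XX:XX:XX:XX:XX:a8
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.53
                    mac-address XX:XX:XX:XX:XX:91
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.54
                    mac-address XX:XX:XX:XX:XX:d0
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.70
                    mac-address XX:XX:XX:XX:XX:d2
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.71
                    mac-address XX:XX:XX:XX:XX:49
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.15
                    mac-address XX:XX:XX:XX:XX:EE
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.6
                    mac-address XX:XX:XX:XX:XX:b7
                }
                static-mapping xxxxxx {
                    ip-address xxx.xxx.2.11
                    mac-address XX:XX:XX:XX:XX:3f
                }
            }
        }
    }
    dns {
        dynamic {
            interface eth4 {
                /* The original dump left the dynamic-DNS login unmasked while masking the password;
                   it is masked here. Treat the pair as exposed and rotate it at the provider.
                   The public-IP lookup uses plain HTTP; an https URL would stop an on-path party
                   from feeding a bogus address into the DNS update. */
                service GoogleDNS {
                    host-name xxxxxx
                    login xxxxxx
                    password xxxxxx
                    protocol dyndns2
                    server xxxxx.tld
                }
                use-web {
                    url http://icanhazip.com/
                }
            }
        }
        /* Resolver listens only on internal interface addresses; allow-from covers all local /24s. */
        forwarding {
            allow-from xxx.xxx.0.0/16
            cache-size 3000
            listen-address xxx.xxx.40.1
            listen-address xxx.xxx.80.1
            listen-address xxx.xxx.2.1
            listen-address xxx.xxx.20.1
            name-server xxx.xxx.222.222
            name-server xxx.xxx.220.220
        }
    }
    /* mDNS repeating between LAN, Cameras and Kids lets devices discover each other across the
       zone boundary even though the zone filters block most direct traffic. */
    mdns {
        repeater {
            interface eth0
            interface eth1
            interface eth0.20
        }
    }
    ssh {
        port 55512
    }
}
system {
    acceleration {
        qat
    }
    /* Commit archives contain the full config including WireGuard private keys; if the (masked)
       location is a remote URL, make sure the transport and the destination are protected. */
    config-management {
        commit-archive {
            location xxxxxx
        }
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name xxxxxx
    host-name xxxxxx
    /* A plaintext-password node is still present alongside encrypted-password (values masked);
       normally the plaintext form is consumed at commit -- check the saved config does not retain it. */
    login {
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
            }
        }
    }
    name-server xxx.xxx.8.8
    name-server xxx.xxx.4.4
    name-servers-dhcp eth4
    ntp {
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Asia/Kuwait
}
/* Zone pairs: every zone defaults to drop and each direction is bound to a NAME-NAME ruleset. */
zone-policy {
    zone CAMERAS {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-CAMERAS
            }
        }
        from KIDS {
            firewall {
                name KIDS-CAMERAS
            }
        }
        from LAN {
            firewall {
                name LAN-CAMERAS
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-CAMERAS
            }
        }
        from REMOTE {
            firewall {
                name REMOTE-CAMERAS
            }
        }
        from UTAH {
            firewall {
                name UTAH-CAMERAS
            }
        }
        from WAN {
            firewall {
                name WAN-CAMERAS
            }
        }
        interface eth1
    }
    zone DMZ {
        default-action drop
        from CAMERAS {
            firewall {
                name CAMERAS-DMZ
            }
        }
        from KIDS {
            firewall {
                name KIDS-DMZ
            }
        }
        from LAN {
            firewall {
                name LAN-DMZ
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-DMZ
            }
        }
        from REMOTE {
            firewall {
                name REMOTE-DMZ
            }
        }
        from UTAH {
            firewall {
                name UTAH-DMZ
            }
        }
        from WAN {
            firewall {
                name WAN-DMZ
            }
        }
        interface eth3
    }
    zone KIDS {
        default-action drop
        from CAMERAS {
            firewall {
                name CAMERAS-KIDS
            }
        }
        from DMZ {
            firewall {
                name DMZ-KIDS
            }
        }
        from LAN {
            firewall {
                name LAN-KIDS
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-KIDS
            }
        }
        from REMOTE {
            firewall {
                name REMOTE-KIDS
            }
        }
        from UTAH {
            firewall {
                name UTAH-KIDS
            }
        }
        from WAN {
            firewall {
                name WAN-KIDS
            }
        }
        interface eth0.20
    }
    zone LAN {
        default-action drop
        from CAMERAS {
            firewall {
                name CAMERAS-LAN
            }
        }
        from DMZ {
            firewall {
                name DMZ-LAN
            }
        }
        from KIDS {
            firewall {
                name KIDS-LAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-LAN
            }
        }
        from REMOTE {
            firewall {
                name REMOTE-LAN
            }
        }
        from UTAH {
            firewall {
                name UTAH-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-LAN
            }
        }
        interface eth0
    }
    zone LOCAL {
        default-action drop
        from CAMERAS {
            firewall {
                name CAMERAS-LOCAL
            }
        }
        from DMZ {
            firewall {
                name DMZ-LOCAL
            }
        }
        from KIDS {
            firewall {
                name KIDS-LOCAL
            }
        }
        from LAN {
            firewall {
                name LAN-LOCAL
            }
        }
        from REMOTE {
            firewall {
                name REMOTE-LOCAL
            }
        }
        from UTAH {
            firewall {
                name UTAH-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    /* No "from WAN"/"from UTAH" here, so those directions fall to the zone default drop. */
    zone REMOTE {
        default-action drop
        from CAMERAS {
            firewall {
                name CAMERAS-REMOTE
            }
        }
        from DMZ {
            firewall {
                name DMZ-REMOTE
            }
        }
        from KIDS {
            firewall {
                name KIDS-REMOTE
            }
        }
        from LAN {
            firewall {
                name LAN-REMOTE
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-REMOTE
            }
        }
        interface wg100
    }
    zone UTAH {
        default-action drop
        from CAMERAS {
            firewall {
                name CAMERAS-UTAH
            }
        }
        /* Was CAMERAS-DMZ in the original -- the wrong direction's ruleset. Both drop today, but a
           later edit to CAMERAS-DMZ would silently change DMZ->UTAH policy; DMZ-UTAH is the
           ruleset defined for this pair and was otherwise unreferenced. */
        from DMZ {
            firewall {
                name DMZ-UTAH
            }
        }
        from KIDS {
            firewall {
                name KIDS-UTAH
            }
        }
        from LAN {
            firewall {
                name LAN-UTAH
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-UTAH
            }
        }
        interface wg20
        interface wg25
    }
    /* The Mullvad tunnels share the WAN zone, so WAN-* rulesets (and WAN-LOCAL's open ports)
       apply to traffic arriving through them as well as from the LTE uplink. */
    zone WAN {
        default-action drop
        from CAMERAS {
            firewall {
                name CAMERAS-WAN
            }
        }
        from DMZ {
            firewall {
                name DMZ-WAN
            }
        }
        from KIDS {
            firewall {
                name KIDS-WAN
            }
        }
        from LAN {
            firewall {
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        interface eth4
        interface wg15
        interface wg16
    }
}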