/* VyOS 1.2.4 configuration for host BR1.wue3 (release version recorded in the trailer at the end of the file). */
/* NOTE(review): several secrets in this file are the literal "vyos" (PPPoE password, OSPF md5-key, login plaintext-password) - placeholder/lab values that have to be replaced before the configuration is used outside a test environment. */
/* Layout: firewall rule sets -> interfaces -> nat -> policy -> protocols (ospf/static) -> service -> system -> zone-policy. */
/* Stateful zone firewall. Each "name X-Y" rule set is bound to a zone-policy "from" entry at the end of the file. */
/* Rule sets that carry only rule 1 (accept established/related) and rule 2 (drop+log invalid) permit return traffic and nothing else. */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    /* Reusable address objects referenced by the rule sets below. */
    group {
        address-group AIRPLAY {
            address 172.16.35.241
            address 172.16.35.242
            address 172.16.35.243
            description "Apple Airplay"
        }
        address-group DMZ-WEBSERVER {
            address 172.16.36.10
            address 172.16.36.40
            address 172.16.36.20
        }
        address-group DMZ-RDP-SERVER {
            address 172.16.33.40
            address 172.16.33.41
        }
        address-group DOMAIN-CONTROLLER {
            address 172.16.100.10
            address 172.16.100.20
        }
        address-group SONOS {
            address 172.16.35.20
            address 172.16.35.21
            address 172.16.35.22
            address 172.16.35.23
        }
        /* Used by WAN-LAN rule 1000 and WAN-LOCAL rule 22 to restrict RDP/SSH from the WAN side to this range. */
        network-group SSH-IN-ALLOW {
            description "Permit SSH login"
            network 172.16.0.0/16
        }
    }
    /* The only IPv6 rule sets; both accept everything. Zone pairs without an ipv6-name presumably fall back to the zone's default-action drop for IPv6 - confirm. */
    ipv6-name LAN-LOCAL-6 {
        default-action accept
    }
    ipv6-name LOCAL-LAN-6 {
        default-action accept
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name DMZ-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name DMZ-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        /* AD DC access from the DMZ: NTP (123), LDAP (389), LDAPS (636). */
        rule 100 {
            action accept
            description "NTP and LDAP to AD DC"
            destination {
                group {
                    address-group DOMAIN-CONTROLLER
                }
                port 123,389,636
            }
            protocol tcp_udp
        }
        /* Only 172.16.36.20 (a DMZ-WEBSERVER member) may open RDP to the DMZ-RDP-SERVER hosts. */
        rule 300 {
            action accept
            destination {
                group {
                    address-group DMZ-RDP-SERVER
                }
                port 3389
            }
            protocol tcp_udp
            source {
                address 172.16.36.20
            }
        }
    }
    name DMZ-LOCAL {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        /* DNS to the router's loopback address (dns forwarding listen-address 172.16.254.30). */
        rule 50 {
            action accept
            destination {
                address 172.16.254.30
                port 53
            }
            protocol tcp_udp
        }
        /* NTP to the router on any of its addresses. */
        rule 123 {
            action accept
            destination {
                port 123
            }
            protocol udp
        }
    }
    /* Unrestricted DMZ egress to the internet; no state/invalid rules here. */
    name DMZ-WAN {
        default-action accept
    }
    name GUEST-DMZ {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        /* Guests may reach any DMZ host on HTTP/HTTPS (not limited to the DMZ-WEBSERVER group). */
        rule 100 {
            action accept
            destination {
                port 80,443
            }
            protocol tcp
        }
    }
    name GUEST-IOT {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        /* Rules 100/110 are matched on SOURCE group only: Airplay/Sonos devices may open any TCP/UDP port toward guests. */
        rule 100 {
            action accept
            description "Airplay Devices to GUEST"
            protocol tcp_udp
            source {
                group {
                    address-group AIRPLAY
                }
            }
        }
        rule 110 {
            action accept
            description "Sonos Devices to GUEST"
            protocol tcp_udp
            source {
                group {
                    address-group SONOS
                }
            }
        }
        /* mDNS (224.0.0.251:5353) and SSDP (1900) relayed by "service mdns repeater" / "service broadcast-relay id 1". */
        rule 200 {
            action accept
            description "MCAST relay"
            destination {
                address 224.0.0.251
                port 5353
            }
            protocol udp
        }
        rule 300 {
            action accept
            description "BCAST relay"
            destination {
                port 1900
            }
            protocol udp
        }
    }
    name GUEST-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name GUEST-LOCAL {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        /* Guests resolve via the router's guest-VLAN address (dns forwarding listen-address 172.31.0.254; DHCP scope VYOS-GUEST hands out the same server). */
        rule 10 {
            action accept
            description DNS
            destination {
                address 172.31.0.254
                port 53
            }
            protocol tcp_udp
        }
        rule 11 {
            action accept
            description DHCP
            destination {
                port 67
            }
            protocol udp
        }
        /* ICMP to the router is accepted only toward its guest-VLAN address. */
        rule 15 {
            action accept
            destination {
                address 172.31.0.254
            }
            protocol icmp
        }
        rule 200 {
            action accept
            description "MCAST relay"
            destination {
                address 224.0.0.251
                port 5353
            }
            protocol udp
        }
        rule 210 {
            action accept
            description "Sonos Broadcast"
            destination {
                port 1900
            }
            protocol udp
        }
    }
    /* Guest egress is an allow-list: mail submission/retrieval, DNS to 9.9.9.9 only, ICMP, NTP, web, L2TP/IPsec and the "Apple Services" port ranges. */
    name GUEST-WAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 25 {
            action accept
            description SMTP
            destination {
                port 25,587
            }
            protocol tcp
        }
        rule 53 {
            action accept
            destination {
                address 9.9.9.9
                port 53
            }
            protocol tcp_udp
        }
        rule 100 {
            action accept
            protocol icmp
        }
        rule 110 {
            action accept
            description POP3
            destination {
                port 110,995
            }
            protocol tcp
        }
        rule 123 {
            action accept
            description "NTP Client"
            destination {
                port 123
            }
            protocol udp
        }
        rule 143 {
            action accept
            description IMAP
            destination {
                port 143,993
            }
            protocol tcp
        }
        rule 200 {
            action accept
            destination {
                port 80,443
            }
            protocol tcp
        }
        rule 500 {
            action accept
            description "L2TP IPSec"
            destination {
                port 500,4500
            }
            protocol udp
        }
        rule 600 {
            action accept
            description "Apple Services TCP"
            destination {
                port 5222-5224
            }
            protocol tcp
        }
        rule 601 {
            action accept
            description "Apple Services UDP"
            destination {
                port 3478-3497,4500,16384-16387,16393-16402
            }
            protocol udp
        }
    }
    name IOT-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        /* Source-group-only rules, same pattern as GUEST-IOT 100/110. */
        rule 100 {
            action accept
            description "Airplay Devices to IOT"
            protocol tcp_udp
            source {
                group {
                    address-group AIRPLAY
                }
            }
        }
        rule 110 {
            action accept
            description "Sonos Devices to IOT"
            protocol tcp_udp
            source {
                group {
                    address-group SONOS
                }
            }
        }
        rule 200 {
            action accept
            description "MCAST relay"
            destination {
                address 224.0.0.251
                port 5353
            }
            protocol udp
        }
        rule 300 {
            action accept
            description "BCAST relay"
            destination {
                port 1900
            }
            protocol udp
        }
    }
    name IOT-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            description "Airplay Devices to LAN"
            protocol tcp_udp
            source {
                group {
                    address-group AIRPLAY
                }
            }
        }
        rule 110 {
            action accept
            description "Sonos Devices to LAN"
            protocol tcp_udp
            source {
                group {
                    address-group SONOS
                }
            }
        }
        /* Any IOT host may reach the WebDAV ports on 172.16.33.200. */
        rule 200 {
            action accept
            description WebDav
            destination {
                address 172.16.33.200
                port 5005,5006
            }
            protocol tcp
        }
    }
    name IOT-LOCAL {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        /* IOT DHCP scope hands out dns-server 172.16.254.30 (the router loopback), hence the explicit destination. */
        rule 10 {
            action accept
            description DNS
            destination {
                address 172.16.254.30
                port 53
            }
            protocol tcp_udp
        }
        rule 11 {
            action accept
            description DHCP
            destination {
                port 67
            }
            protocol udp
        }
        rule 15 {
            action accept
            destination {
                address 172.16.35.254
            }
            protocol icmp
        }
        rule 200 {
            action accept
            description "MCAST relay"
            destination {
                address 224.0.0.251
                port 5353
            }
            protocol udp
        }
        /* Unicast mDNS to the router's IOT-VLAN address (mdns repeater listens on eth0.35). */
        rule 201 {
            action accept
            description "MCAST relay"
            destination {
                address 172.16.35.254
                port 5353
            }
            protocol udp
        }
        /* 1900 and 6969 match broadcast-relay id 1 and id 2. */
        rule 210 {
            action accept
            description "Sonos Broadcast"
            destination {
                port 1900,6969
            }
            protocol udp
        }
    }
    /* Unrestricted IOT egress to the internet. */
    name IOT-WAN {
        default-action accept
    }
    name LAN-DMZ {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 22 {
            action accept
            description "SSH into DMZ"
            destination {
                port 22
            }
            protocol tcp
        }
        /* NOTE(review): port 22 is already permitted to every DMZ host by rule 22 above, so listing it here again is redundant; 80,443 are the effective additions. */
        rule 100 {
            action accept
            destination {
                group {
                    address-group DMZ-WEBSERVER
                }
                port 22,80,443
            }
            protocol tcp
        }
    }
    name LAN-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    /* LAN is fully trusted toward IOT, the router itself and the internet. */
    name LAN-IOT {
        default-action accept
    }
    name LAN-LOCAL {
        default-action accept
    }
    name LAN-WAN {
        default-action accept
    }
    name LOCAL-DMZ {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name LOCAL-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 5 {
            action accept
            protocol icmp
        }
        /* Router-originated relay traffic (mdns repeater / broadcast-relay) into the guest VLAN. */
        rule 200 {
            action accept
            description "MCAST relay"
            destination {
                address 224.0.0.251
                port 5353
            }
            protocol udp
        }
        rule 300 {
            action accept
            description "BCAST relay"
            destination {
                port 1900
            }
            protocol udp
        }
    }
    name LOCAL-IOT {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 5 {
            action accept
            protocol icmp
        }
        rule 200 {
            action accept
            description "MCAST relay"
            destination {
                address 224.0.0.251
                port 5353
            }
            protocol udp
        }
        rule 300 {
            action accept
            description "BCAST relay"
            destination {
                port 1900,6969
            }
            protocol udp
        }
    }
    name LOCAL-LAN {
        default-action accept
    }
    /* Router-originated traffic to the internet: ICMP, DNS, web, NTP and the two WireGuard peers. */
    name LOCAL-WAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            protocol icmp
        }
        rule 50 {
            action accept
            description DNS
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 80 {
            action accept
            destination {
                port 80,443
            }
            protocol tcp
        }
        rule 123 {
            action accept
            description NTP
            destination {
                port 123
            }
            protocol udp
        }
        /* WireGuard to peer AC1 (wg02, endpoint 192.0.2.1:7701) and peer BR1 (wg05, endpoint 192.0.2.3:7705); WAN-LOCAL 1000/1010 are the mirror rules. */
        rule 1000 {
            action accept
            destination {
                address 192.0.2.1
                port 7701
            }
            protocol udp
            source {
                port 7701
            }
        }
        rule 1010 {
            action accept
            destination {
                address 192.0.2.3
                port 7705
            }
            protocol udp
            source {
                port 7705
            }
        }
    }
    name WAN-DMZ {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        /* Post-DNAT match for nat destination rule 100 (pppoe0 80,443 -> 172.16.36.10); open to any WAN source. */
        rule 100 {
            action accept
            destination {
                address 172.16.36.10
                port 80,443
            }
            protocol tcp
        }
    }
    name WAN-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name WAN-IOT {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name WAN-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        /* Post-DNAT match for nat destination rule 1000 (pppoe0 3389 -> 172.16.33.40). The description is German: "RDP from GeFoekoM to endor". */
        /* Unlike WAN-DMZ rule 100, the source is restricted to the SSH-IN-ALLOW network group. */
        rule 1000 {
            action accept
            description "RDP von GeFoekoM zu endor"
            destination {
                address 172.16.33.40
                port 3389
            }
            protocol tcp
            source {
                group {
                    network-group SSH-IN-ALLOW
                }
            }
        }
    }
    /* NOTE(review): the only rule set without enable-default-log, so default-dropped WAN traffic aimed at the router itself is not logged. */
    name WAN-LOCAL {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        /* SSH to the router from the WAN side only from SSH-IN-ALLOW (172.16.0.0/16). */
        rule 22 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            source {
                group {
                    network-group SSH-IN-ALLOW
                }
            }
        }
        /* Inbound WireGuard from the two configured peer endpoints only. */
        rule 1000 {
            action accept
            destination {
                port 7701
            }
            protocol udp
            source {
                address 192.0.2.1
                port 7701
            }
        }
        rule 1010 {
            action accept
            destination {
                port 7705
            }
            protocol udp
            source {
                address 192.0.2.3
                port 7705
            }
        }
    }
    /* MSS clamping for the PPPoE uplink (mtu 1492) and the WireGuard tunnels (mtu 1360). */
    options {
        interface pppoe0 {
            adjust-mss 1452
        }
        interface wg02 {
            adjust-mss 1320
        }
        interface wg05 {
            adjust-mss 1320
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path filtering is off; anti-spoofing relies on the zone rule sets and log-martians alone. */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    /* eth2 + eth3 form an LACP bond; bond0 carries no address and is not referenced elsewhere in this file. */
    bonding bond0 {
        hash-policy layer2
        mode 802.3ad
    }
    /* All VLANs hang off eth0; "vif N" is the interface called eth0.N in zone-policy, ospf and the relay services. */
    ethernet eth0 {
        duplex auto
        smp-affinity auto
        speed auto
        /* Backbone VLAN (DHCP scope VYOS-BACKBONE). OSPF MD5 authentication - NOTE(review): the key "vyos" here and on vif 201-204 is a placeholder. */
        vif 5 {
            address 172.16.37.254/24
            ip {
                ospf {
                    authentication {
                        md5 {
                            key-id 10 {
                                md5-key vyos
                            }
                        }
                    }
                    dead-interval 40
                    hello-interval 10
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
        }
        /* WAN uplink (zone WAN = pppoe0). NOTE(review): PPPoE credentials are placeholder values stored in clear text. */
        vif 7 {
            pppoe 0 {
                default-route auto
                mtu 1492
                name-server none
                password vyos
                user-id vyos
            }
        }
        vif 10 {
            address 172.16.33.254/24
            description VYOS-LAN
        }
        vif 20 {
            address 172.31.0.254/24
            description VYOS-GUEST
        }
        vif 35 {
            address 172.16.35.254/24
            description VYOS-IOT
        }
        vif 50 {
            address 172.16.36.254/24
            description VYOS-DMZ
        }
        /* Management VLAN (domain controllers, syslog host, SNMP clients live here). */
        vif 100 {
            address 172.16.100.254/24
        }
        /* Test VLANs 201-204; 201 and 204 also carry documentation-prefix IPv6 addresses. */
        vif 201 {
            address 172.18.201.254/24
            address 2001:db8:201::ffff/64
            description VYOS-TEST-VLAN0201
            ip {
                ospf {
                    authentication {
                        md5 {
                            key-id 10 {
                                md5-key vyos
                            }
                        }
                    }
                    dead-interval 40
                    hello-interval 10
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
        }
        vif 202 {
            address 172.18.202.254/24
            description VYOS-TEST-VLAN0202
            ip {
                ospf {
                    authentication {
                        md5 {
                            key-id 10 {
                                md5-key vyos
                            }
                        }
                    }
                    dead-interval 40
                    hello-interval 10
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
        }
        vif 203 {
            address 172.18.203.254/24
            description VYOS-TEST-VLAN0203
            ip {
                ospf {
                    authentication {
                        md5 {
                            key-id 10 {
                                md5-key vyos
                            }
                        }
                    }
                    dead-interval 40
                    hello-interval 10
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
        }
        vif 204 {
            address 172.18.204.254/24
            address 2001:db8:204::ffff/64
            description VYOS-TEST-VLAN0204
            ip {
                ospf {
                    authentication {
                        md5 {
                            key-id 10 {
                                md5-key vyos
                            }
                        }
                    }
                    dead-interval 40
                    hello-interval 10
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
        }
    }
    ethernet eth1 {
        duplex auto
        smp-affinity auto
        speed auto
    }
    ethernet eth2 {
        bond-group bond0
        duplex auto
        smp-affinity auto
        speed auto
    }
    ethernet eth3 {
        bond-group bond0
        duplex auto
        smp-affinity auto
        speed auto
    }
    /* Router identity address: OSPF router-id, DNS/NTP/SNMP listener and the dns-server handed out by DHCP. */
    loopback lo {
        address 172.16.254.30/32
    }
    /* Site-to-site WireGuard tunnels running OSPF point-to-point. allowed-ips 0.0.0.0/0 accepts any source address from the peer; */
    /* reachability through the tunnels is presumably decided by OSPF rather than by allowed-ips - confirm. cost 200 vs. 10 makes wg05 the preferred path. */
    wireguard wg02 {
        address 172.16.252.69/30
        ip {
            ospf {
                cost 200
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 5
            }
        }
        mtu 1360
        peer AC1 {
            allowed-ips 0.0.0.0/0
            endpoint 192.0.2.1:7701
            pubkey r5X09QBmLHYEM/FcTG24DnMntaKfN/3A853KbhZ7SAQ=
        }
        port 7701
    }
    wireguard wg05 {
        address 172.16.252.73/30
        ip {
            ospf {
                cost 10
                dead-interval 40
                hello-interval 10
                network point-to-point
                priority 1
                retransmit-interval 5
                transmit-delay 5
            }
        }
        mtu 1360
        peer BR1 {
            allowed-ips 0.0.0.0/0
            endpoint 192.0.2.3:7705
            pubkey qs/VtOtQ8g0VclnPJq5IiQM7bsVSTbjhO+3txBEnnVc=
        }
        port 7705
    }
}
nat {
    /* Port forwards on the PPPoE uplink; the forwarded flows are still subject to WAN-DMZ rule 100 and WAN-LAN rule 1000. */
    destination {
        rule 100 {
            description HTTP(S)
            destination {
                port 80,443
            }
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 172.16.36.10
            }
        }
        /* RDP exposed on the uplink; WAN-LAN rule 1000 limits it to sources in SSH-IN-ALLOW. */
        rule 1000 {
            destination {
                port 3389
            }
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 172.16.33.40
            }
        }
    }
    /* Masquerade: 172.16.32.0/19 covers the LAN/IOT/DMZ/backbone VLANs, then management, guest, and 172.18.201.0/21 (= .200-.207) for the test VLANs. */
    source {
        rule 100 {
            outbound-interface pppoe0
            source {
                address 172.16.32.0/19
            }
            translation {
                address masquerade
            }
        }
        rule 200 {
            outbound-interface pppoe0
            source {
                address 172.16.100.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 300 {
            outbound-interface pppoe0
            source {
                address 172.31.0.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 400 {
            outbound-interface pppoe0
            source {
                address 172.18.201.0/21
            }
            translation {
                address masquerade
            }
        }
    }
}
policy {
    /* Filters "redistribute connected" in OSPF: the guest VLAN is explicitly denied; LAN, IOT, DMZ and MGMT are permitted. */
    /* Interfaces not listed (e.g. eth0.5, eth0.201-204) presumably fall through to an implicit deny - confirm. */
    route-map MAP-OSPF-CONNECTED {
        rule 1 {
            action deny
            description VYOS-GUEST
            match {
                interface eth0.20
            }
        }
        rule 20 {
            action permit
            description VYOS-LAN
            match {
                interface eth0.10
            }
        }
        rule 30 {
            action permit
            description VYOS-IOT
            match {
                interface eth0.35
            }
        }
        rule 40 {
            action permit
            description VYOS-DMZ
            match {
                interface eth0.50
            }
        }
        rule 50 {
            action permit
            description VYOS-MGMT
            match {
                interface eth0.100
            }
        }
    }
}
protocols {
    /* Single-area OSPF. Adjacencies only on the backbone VLAN, the two WireGuard tunnels and the test VLANs (passive-interface default + excludes). */
    ospf {
        area 0 {
            network 172.16.254.30/32
            network 172.16.252.68/30
            network 172.16.252.72/30
            network 172.16.37.0/24
            network 172.18.201.0/24
            network 172.18.202.0/24
            network 172.18.203.0/24
            network 172.18.204.0/24
        }
        log-adjacency-changes {
        }
        parameters {
            abr-type cisco
            router-id 172.16.254.30
        }
        passive-interface default
        passive-interface-exclude eth0.5
        passive-interface-exclude wg05
        passive-interface-exclude wg02
        passive-interface-exclude eth0.201
        passive-interface-exclude eth0.202
        passive-interface-exclude eth0.203
        passive-interface-exclude eth0.204
        redistribute {
            connected {
                metric-type 2
                route-map MAP-OSPF-CONNECTED
            }
        }
    }
    /* Catch-all blackholes for private and link-local ranges at distance 254: more specific connected/OSPF routes win, */
    /* and traffic to otherwise-unknown private prefixes is dropped rather than following the PPPoE default route. */
    static {
        route 10.0.0.0/8 {
            blackhole {
                distance 254
            }
        }
        route 169.254.0.0/16 {
            blackhole {
                distance 254
            }
        }
        route 172.16.0.0/12 {
            blackhole {
                distance 254
            }
        }
        route 192.168.0.0/16 {
            blackhole {
                distance 254
            }
        }
    }
}
service {
    /* UDP broadcast relay: 1900 between GUEST, IOT and LAN; 6969 between IOT and LAN. Matching firewall entries are the "BCAST relay" / "Sonos Broadcast" rules. */
    broadcast-relay {
        id 1 {
            interface eth0.20
            interface eth0.35
            interface eth0.10
            port 1900
        }
        id 2 {
            interface eth0.35
            interface eth0.10
            port 6969
        }
    }
    dhcp-server {
        /* NOTE(review): domain-name "vybos.net" differs from the "vyos.net" used by every other scope and by domain-search - looks like a typo; confirm. */
        shared-network-name VYOS-BACKBONE {
            authoritative
            subnet 172.16.37.0/24 {
                default-router 172.16.37.254
                dns-server 172.16.254.30
                domain-name vybos.net
                domain-search vyos.net
                lease 86400
                ntp-server 172.16.254.30
                range 0 {
                    start 172.16.37.120
                    stop 172.16.37.149
                }
            }
        }
        /* Guests get the router's guest-VLAN address as resolver (see GUEST-LOCAL rule 10) and no ntp-server. */
        shared-network-name VYOS-GUEST {
            authoritative
            subnet 172.31.0.0/24 {
                default-router 172.31.0.254
                dns-server 172.31.0.254
                domain-name vyos.net
                domain-search vyos.net
                lease 86400
                range 0 {
                    start 172.31.0.100
                    stop 172.31.0.239
                }
            }
        }
        shared-network-name VYOS-IOT {
            authoritative
            subnet 172.16.35.0/24 {
                default-router 172.16.35.254
                dns-server 172.16.254.30
                domain-name vyos.net
                domain-search vyos.net
                lease 86400
                ntp-server 172.16.254.30
                range 0 {
                    start 172.16.35.101
                    stop 172.16.35.149
                }
            }
        }
        shared-network-name VYOS-LAN {
            authoritative
            subnet 172.16.33.0/24 {
                default-router 172.16.33.254
                dns-server 172.16.254.30
                domain-name vyos.net
                domain-search vyos.net
                lease 86400
                ntp-server 172.16.254.30
                range 0 {
                    start 172.16.33.100
                    stop 172.16.33.189
                }
            }
        }
        /* Static mapping only, no dynamic range and not authoritative. NOTE(review): 172.16.254.20 is not an address of this router nor a listed forwarder - confirm it is intended. */
        shared-network-name VYOS-VLAN0201 {
            subnet 172.18.201.0/24 {
                default-router 172.18.201.254
                dns-server 172.16.254.30
                dns-server 172.16.254.20
                static-mapping LR1 {
                    ip-address 172.18.201.10
                    mac-address 00:50:56:22:12:01
                }
            }
        }
    }
    /* Caching forwarder for the whole 172.16.0.0/12 block; internal forward/reverse zones go to the domain controllers (DOMAIN-CONTROLLER group) plus 172.16.110.30. */
    dns {
        forwarding {
            allow-from 172.16.0.0/12
            cache-size 10000
            domain 16.172.in-addr.arpa {
                server 172.16.100.10
                server 172.16.100.20
                server 172.16.110.30
            }
            domain 18.172.in-addr.arpa {
                server 172.16.100.10
                server 172.16.100.20
                server 172.16.110.30
            }
            domain vyos.net {
                server 172.16.100.20
                server 172.16.100.10
                server 172.16.110.30
            }
            ignore-hosts-file
            listen-address 172.16.254.30
            listen-address 172.31.0.254
            negative-ttl 60
        }
    }
    /* LLDP on every interface except the PPPoE uplink; legacy discovery protocols are also spoken and "snmp enable" exposes neighbour data via SNMP. */
    lldp {
        interface all {
        }
        interface pppoe0 {
            disable
        }
        legacy-protocols {
            cdp
            edp
            fdp
            sonmp
        }
        snmp {
            enable
        }
    }
    /* mDNS repeating between IOT and LAN (Airplay/Sonos discovery); pairs with the "MCAST relay" firewall rules to 224.0.0.251:5353. */
    mdns {
        repeater {
            interface eth0.35
            interface eth0.10
        }
    }
    /* Read-only community, restricted to the management subnet, on the loopback listener. NOTE(review): a community string is a shared secret - treat it like a password. */
    snmp {
        community kleinerPenis {
            authorization ro
            network 172.16.100.0/24
        }
        listen-address 172.16.254.30 {
            port 161
        }
    }
    /* SSH on 22; from the WAN side it is reachable only via WAN-LOCAL rule 22. disable-host-validation presumably skips reverse-DNS lookups of clients - confirm. */
    ssh {
        disable-host-validation
        port 22
    }
}
system {
    /* NOTE(review): commit archives are pushed over TFTP (unauthenticated, unencrypted) and contain the plaintext login password below. */
    config-management {
        commit-archive {
            location tftp://172.16.20.200/CONFIGS/BR1.wueIII
        }
        commit-revisions 200
    }
    /* Connection tracking sizing; the SIP helper is disabled. */
    conntrack {
        expect-table-size 2048
        hash-size 32768
        modules {
            sip {
                disable
            }
        }
        table-size 262144
        timeout {
            icmp 30
            other 600
            udp {
                other 300
                stream 300
            }
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    disable-dhcp-nameservers
    domain-name vyos.net
    host-name BR1.wue3
    /* NOTE(review): plaintext-password stores the secret in clear and the value is the well-known default; encrypted-password is the hashed alternative. */
    login {
        user vyos {
            authentication {
                plaintext-password "vyos"
            }
            level admin
        }
    }
    name-server 172.16.254.30
    /* The router serves NTP to the whole /12 (DHCP scopes point ntp-server at 172.16.254.30) and syncs from the German pool. */
    ntp {
        allow-clients {
            address 172.16.0.0/12
        }
        server 0.de.pool.ntp.org {
        }
        server 1.de.pool.ntp.org {
        }
        server 2.de.pool.ntp.org {
        }
        server 3.de.pool.ntp.org {
        }
    }
    options {
        beep-if-fully-booted
        ctrl-alt-del-action ignore
        reboot-on-panic true
    }
    /* Local logging at debug level for everything; warning and above is forwarded to 172.16.100.1 on the management VLAN. */
    syslog {
        global {
            facility all {
                level debug
            }
            facility protocols {
                level debug
            }
        }
        host 172.16.100.1 {
            facility all {
                level warning
            }
        }
    }
    time-zone Europe/Berlin
}
traffic-policy {
}
/* Zones: DMZ (eth0.50), GUEST (eth0.20), IOT (eth0.35), LAN (backbone, VLAN 10/100, both tunnels, test VLANs), LOCAL (the router), WAN (pppoe0). */
/* Every zone defaults to drop. There is no DMZ<->IOT "from" pair, so traffic between those two zones is dropped by the zone default-action. */
zone-policy {
    zone DMZ {
        default-action drop
        from GUEST {
            firewall {
                name GUEST-DMZ
            }
        }
        from LAN {
            firewall {
                name LAN-DMZ
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-DMZ
            }
        }
        from WAN {
            firewall {
                name WAN-DMZ
            }
        }
        interface eth0.50
    }
    zone GUEST {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-GUEST
            }
        }
        from IOT {
            firewall {
                name IOT-GUEST
            }
        }
        from LAN {
            firewall {
                name LAN-GUEST
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-GUEST
            }
        }
        from WAN {
            firewall {
                name WAN-GUEST
            }
        }
        interface eth0.20
    }
    zone IOT {
        default-action drop
        from GUEST {
            firewall {
                name GUEST-IOT
            }
        }
        from LAN {
            firewall {
                name LAN-IOT
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-IOT
            }
        }
        from WAN {
            firewall {
                name WAN-IOT
            }
        }
        interface eth0.35
    }
    /* The LAN zone is broad: management, backbone, the WireGuard tunnels and the test VLANs all share the LAN rule sets. */
    zone LAN {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-LAN
            }
        }
        from GUEST {
            firewall {
                name GUEST-LAN
            }
        }
        from IOT {
            firewall {
                name IOT-LAN
            }
        }
        /* Only LOCAL<->LAN has IPv6 rule sets attached. */
        from LOCAL {
            firewall {
                ipv6-name LOCAL-LAN-6
                name LOCAL-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-LAN
            }
        }
        interface eth0.5
        interface eth0.10
        interface eth0.100
        interface wg02
        interface wg05
        interface eth0.201
        interface eth0.202
        interface eth0.203
        interface eth0.204
    }
    zone LOCAL {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-LOCAL
            }
        }
        from GUEST {
            firewall {
                name GUEST-LOCAL
            }
        }
        from IOT {
            firewall {
                name IOT-LOCAL
            }
        }
        from LAN {
            firewall {
                ipv6-name LAN-LOCAL-6
                name LAN-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-WAN
            }
        }
        from GUEST {
            firewall {
                name GUEST-WAN
            }
        }
        from IOT {
            firewall {
                name IOT-WAN
            }
        }
        from LAN {
            firewall {
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        interface pppoe0
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@1:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@3:snmp@1:ssh@1:system@9:vrrp@2:wanloadbalance@3:webgui@1:webproxy@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.2.4 */