F524401
config.txt
Authored By
phillipmcmahon
May 4 2020, 8:45 AM
2020-05-04 08:45:55 (UTC+0)
Size
29 KB
Referenced Files
None
Subscribers
None
config.txt
/* Stateful zone-based firewall. Each "name X-Y" rule set below is bound in the zone-policy section and is evaluated for traffic entering from zone X into zone Y. */
firewall {
all-ping enable
/* NOTE(review): answering broadcast pings is normally disabled on routers because it lets the host amplify echo traffic; confirm it is needed here. */
broadcast-ping enable
config-trap disable
group {
/* Empty and not referenced by any rule in this file. */
address-group countries-allowed {
}
/* Defined but not referenced by any rule in this file. */
address-group dns-servers {
address 192.168.68.24
}
/* Empty and not referenced by any rule in this file. */
address-group nets4-blacklist {
}
/* RFC1918 ranges; policy route vpn-routing rule 10 uses this group to keep private destinations in the main table. */
network-group private-nets {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
/* Source networks that vpn-routing rule 100 sends into table 100 (the wg0 tunnel): wg1 clients and the Wi-Fi segment on eth1. */
network-group wireguard-allowed {
network 192.168.32.0/24
network 192.168.112.0/24
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name lan-local {
default-action accept
}
/* LAN egress to the Internet is open apart from dropping invalid-state packets. */
name lan-wan {
default-action accept
rule 110 {
action drop
state {
invalid enable
}
}
}
/* Reply traffic only. lan (192.168.68.0/24) is not in wireguard-allowed, so it appears never to be policy-routed into wg0 and rule 100 is effectively unused. */
name lan-wg0 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name lan-wg1 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name lan-wg2 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name lan-wgwifi {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name local-lan {
default-action accept
}
name local-wan {
default-action accept
rule 110 {
action drop
state {
invalid enable
}
}
}
name local-wg0 {
default-action accept
}
name local-wg1 {
default-action accept
}
name local-wg2 {
default-action accept
}
name local-wgwifi {
default-action accept
}
/* Internet-facing inbound policy; the accepted ports mirror the destination NAT forwards. */
/* NOTE(review): rules 200-300 match on destination port only, so any lan host listening on these ports is accepted, not just the NAT targets (192.168.68.49, .28, .15); adding a destination address per rule would bound the exposure if a forward is later changed. */
/* NOTE(review): ports 25, 110 and 143 carry unencrypted sessions unless the mail server enforces TLS before authentication — confirm. */
name wan-lan {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
rule 200 {
action accept
destination {
port 80
}
protocol tcp
}
rule 210 {
action accept
destination {
port 443
}
protocol tcp
}
rule 220 {
action accept
destination {
port 32400
}
protocol tcp
}
rule 230 {
action accept
destination {
port 25
}
protocol tcp
}
rule 240 {
action accept
destination {
port 465
}
protocol tcp
}
rule 250 {
action accept
destination {
port 587
}
protocol tcp
}
rule 260 {
action accept
destination {
port 143
}
protocol tcp
}
rule 270 {
action accept
destination {
port 993
}
protocol tcp
}
rule 280 {
action accept
destination {
port 110
}
protocol tcp
}
rule 290 {
action accept
destination {
port 995
}
protocol tcp
}
rule 300 {
action accept
destination {
port 4190
}
protocol tcp
}
}
/* Router-local policy from the Internet: only reply traffic and the WireGuard listeners (wg1 on UDP 51820, wg2 on UDP 51822) are accepted; SSH on 22022 is therefore not reachable from wan. */
name wan-local {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
rule 400 {
action accept
destination {
port 51820
}
protocol udp
}
rule 410 {
action accept
destination {
port 51822
}
protocol udp
}
}
/* wan may only send reply traffic into the tunnels and the Wi-Fi segment. */
name wan-wg0 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name wan-wg1 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name wan-wg2 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name wan-wgwifi {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
/* The Mullvad tunnel (wg0) may not initiate traffic toward lan, local or wan. */
name wg0-lan {
default-action drop
}
name wg0-local {
default-action drop
}
name wg0-wan {
default-action drop
}
/* Reply traffic only toward wg1 clients. */
name wg0-wg1 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name wg0-wg2 {
default-action drop
}
/* Reply traffic only toward the Wi-Fi segment. */
name wg0-wgwifi {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
/* wg1 clients get full access to lan, local and wg0 (the Mullvad tunnel); direct wan egress is dropped. */
name wg1-lan {
default-action accept
}
name wg1-local {
default-action accept
}
name wg1-wan {
default-action drop
}
name wg1-wg0 {
default-action accept
}
name wg1-wg2 {
default-action drop
}
name wg1-wgwifi {
default-action drop
}
/* wg2 clients get full access to lan and local and egress directly via wan; they may not enter wg0. */
name wg2-lan {
default-action accept
}
name wg2-local {
default-action accept
}
name wg2-wan {
default-action accept
rule 110 {
action drop
state {
invalid enable
}
}
}
name wg2-wg0 {
default-action drop
}
name wg2-wg1 {
default-action drop
}
name wg2-wgwifi {
default-action drop
}
/* Wi-Fi clients get full access to lan, local and wg0; direct wan egress is dropped, which together with the table-100 blackhole appears to act as a VPN kill switch. */
name wgwifi-lan {
default-action accept
}
name wgwifi-local {
default-action accept
}
name wgwifi-wan {
default-action drop
}
name wgwifi-wg0 {
default-action accept
}
name wgwifi-wg1 {
default-action drop
}
name wgwifi-wg2 {
default-action drop
}
receive-redirects disable
send-redirects enable
/* NOTE(review): this turns off reverse-path filtering; strict mode may break the policy-routed return paths, but loose mode is worth testing. */
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
/* Physical and tunnel interfaces. Key material (pubkey / private-key) is redacted in this attachment. */
interfaces {
/* Internet uplink (zone wan). Inbound traffic is redirected to ifb0 for shaping; see traffic-policy. */
ethernet eth0 {
address 172.31.255.6/30
description wan
duplex full
hw-id 00:0d:b9:51:90:74
redirect ifb0
speed 1000
traffic-policy {
out egress
}
}
/* Wi-Fi segment (zone wgwifi). Its subnet is in wireguard-allowed, so vpn-routing sends client traffic into wg0. */
ethernet eth1 {
address 192.168.112.1/24
description "mullvad (wifi)"
duplex auto
hw-id 00:0d:b9:51:90:75
policy {
route vpn-routing
}
speed auto
}
/* Main LAN (zone lan). 192.168.68.0/24 is not in wireguard-allowed, so vpn-routing leaves its traffic in the main table. */
ethernet eth2 {
address 192.168.68.1/24
description lan
duplex auto
hw-id 00:0d:b9:51:90:76
policy {
route vpn-routing
}
speed auto
}
/* Receives the eth0 redirect so the ingress shaper can be applied. */
input ifb0 {
traffic-policy {
out ingress
}
}
loopback lo {
}
/* Outbound Mullvad tunnel (zone wg0): no listen port, a single peer with allowed-ips 0.0.0.0/0. */
wireguard wg0 {
address 10.65.140.116/32
description mullvad
mtu 1420
peer mullvad-us11 {
address 185.242.5.50
allowed-ips 0.0.0.0/0
port 51820
pubkey ****************
}
private-key ****************
}
/* Road-warrior tunnel (zone wg1) listening on UDP 51820; each peer is pinned to one /32 in 192.168.32.0/24 and client traffic is policy-routed into wg0. */
wireguard wg1 {
address 192.168.32.1/24
description "vpn +lan +mullvad"
mtu 1420
peer inuc {
allowed-ips 192.168.32.102/32
pubkey ****************
}
peer iphone {
allowed-ips 192.168.32.103/32
pubkey ****************
}
peer laptop {
allowed-ips 192.168.32.101/32
pubkey ****************
}
peer pixel3a {
allowed-ips 192.168.32.100/32
pubkey ****************
}
policy {
route vpn-routing
}
port 51820
private-key ****************
}
/* Second road-warrior tunnel (zone wg2) on UDP 51822 with the same peers in 10.0.10.0/24; no vpn-routing policy here, so presumably client traffic exits via wan. */
wireguard wg2 {
address 10.0.10.1/24
description "vpn +lan +swisscom"
mtu 1420
peer inuc {
allowed-ips 10.0.10.102/32
pubkey ****************
}
peer iphone {
allowed-ips 10.0.10.103/32
pubkey ****************
}
peer laptop {
allowed-ips 10.0.10.101/32
pubkey ****************
}
peer pixel3a {
allowed-ips 10.0.10.100/32
pubkey ****************
}
port 51822
private-key ****************
}
}
/* Port forwards for the services behind 172.31.255.6, each with a "hairpin" twin so lan clients (eth2) can use the public address. Wi-Fi and WireGuard clients have no hairpin rules. */
nat {
destination {
/* Web front end on 192.168.68.49 (Internet rule 11, hairpin rule 12). */
/* NOTE(review): the forwarded hosts (.49, .28, .15) share the lan /24 with everything else; firewall name wan-lan is what bounds what the Internet can reach. */
rule 11 {
description "HTTP Reverse Proxy"
destination {
address 172.31.255.6
port 80
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.49
port 80
}
}
rule 12 {
description hairpin80
destination {
address 172.31.255.6
port 80
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.49
port 80
}
}
rule 21 {
description "HTTPS Reverse Proxy"
destination {
address 172.31.255.6
port 443
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.49
port 443
}
}
rule 22 {
description hairpin443
destination {
address 172.31.255.6
port 443
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.49
port 443
}
}
/* Plex on 192.168.68.28. */
rule 31 {
description Plex
destination {
address 172.31.255.6
port 32400
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.28
port 32400
}
}
rule 32 {
description hairpin32400
destination {
address 172.31.255.6
port 32400
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.28
port 32400
}
}
/* Mail stack on 192.168.68.15: Postfix (25/465/587) and Dovecot (143/993/110/995/4190). */
/* NOTE(review): 25, 110 and 143 are plaintext-capable; confirm the mail server requires TLS before accepting credentials. */
rule 41 {
description "Postfix SMTP"
destination {
address 172.31.255.6
port 25
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 25
}
}
rule 42 {
description hairpin25
destination {
address 172.31.255.6
port 25
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 25
}
}
rule 51 {
description "Postfix SMTPS"
destination {
address 172.31.255.6
port 465
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 465
}
}
rule 52 {
description hairpin465
destination {
address 172.31.255.6
port 465
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 465
}
}
rule 61 {
description "Postfix Submission"
destination {
address 172.31.255.6
port 587
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 587
}
}
rule 62 {
description hairpin587
destination {
address 172.31.255.6
port 587
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 587
}
}
rule 71 {
description "Dovecot IMAP"
destination {
address 172.31.255.6
port 143
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 143
}
}
rule 72 {
description hairpin143
destination {
address 172.31.255.6
port 143
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 143
}
}
rule 81 {
description "Dovecot IMAPS"
destination {
address 172.31.255.6
port 993
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 993
}
}
rule 82 {
description hairpin993
destination {
address 172.31.255.6
port 993
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 993
}
}
rule 91 {
description "Dovecot POP3"
destination {
address 172.31.255.6
port 110
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 110
}
}
rule 92 {
description hairpin110
destination {
address 172.31.255.6
port 110
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 110
}
}
rule 101 {
description "Dovecot POP3S"
destination {
address 172.31.255.6
port 995
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 995
}
}
rule 102 {
description hairpin995
destination {
address 172.31.255.6
port 995
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 995
}
}
rule 111 {
description "Dovecot ManageSieve"
destination {
address 172.31.255.6
port 4190
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 4190
}
}
rule 112 {
description hairpin4190
destination {
address 172.31.255.6
port 4190
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 4190
}
}
}
/* Source NAT. Rules 11-111 masquerade hairpinned lan flows so the server's reply returns through the router; 5000 masquerades all egress on wan and 5100 all egress into the Mullvad tunnel. */
source {
rule 11 {
description hairpin
destination {
address 192.168.68.49
port 80
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 21 {
description hairpin
destination {
address 192.168.68.49
port 443
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 31 {
description hairpin
destination {
address 192.168.68.28
port 32400
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 41 {
description hairpin
destination {
address 192.168.68.15
port 25
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 51 {
description hairpin
destination {
address 192.168.68.15
port 465
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 61 {
description hairpin
destination {
address 192.168.68.15
port 587
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 71 {
description hairpin
destination {
address 192.168.68.15
port 143
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 81 {
description hairpin
destination {
address 192.168.68.15
port 993
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 91 {
description hairpin
destination {
address 192.168.68.15
port 110
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 101 {
description hairpin
destination {
address 192.168.68.15
port 995
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 111 {
description hairpin
destination {
address 192.168.68.15
port 4190
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
/* Default egress masquerade on the Internet uplink. */
rule 5000 {
outbound-interface eth0
protocol all
translation {
address masquerade
}
}
/* Masquerade behind the wg0 tunnel address for policy-routed clients. */
rule 5100 {
outbound-interface wg0
protocol all
translation {
address masquerade
}
}
}
}
/* Policy-based routing applied on eth1, eth2 and wg1 (see interfaces). Rule 10 is evaluated first, so private destinations are exempted before rule 100 sends wireguard-allowed sources into table 100 (wg0). */
policy {
route vpn-routing {
/* Keep traffic to RFC1918 destinations in the main table. */
rule 10 {
destination {
group {
network-group private-nets
}
}
set {
table main
}
}
/* wg1 clients and the Wi-Fi segment are routed via table 100. */
rule 100 {
set {
table 100
}
source {
group {
network-group wireguard-allowed
}
}
}
}
}
protocols {
static {
/* Default route to the upstream on the /30. */
route 0.0.0.0/0 {
next-hop 172.31.255.5 {
}
}
/* Blackhole routes for RFC1918 space so traffic to unknown private ranges is dropped rather than sent out the default route. */
route 10.0.0.0/8 {
blackhole {
}
}
route 172.16.0.0/12 {
blackhole {
}
}
route 192.168.0.0/16 {
blackhole {
}
}
/* Table for VPN-routed clients: default via wg0, with a distance-255 blackhole as fallback so that if wg0 goes away traffic is dropped rather than leaking via wan (kill switch). */
table 100 {
interface-route 0.0.0.0/0 {
next-hop-interface wg0 {
}
}
route 0.0.0.0/0 {
blackhole {
distance 255
}
}
}
}
}
service {
/* DHCP only for the Wi-Fi segment; lan has no pool here — presumably served by another host (192.168.68.24?), confirm. */
dhcp-server {
shared-network-name mullvad {
subnet 192.168.112.0/24 {
default-router 192.168.112.1
dns-server 192.168.68.24
domain-name phillipmcmahon.com
lease 3600
range mullvad {
start 192.168.112.100
stop 192.168.112.163
}
}
}
}
/* Forwarder bound to the lan address and answering lan only; cache-size 0 disables caching. */
dns {
forwarding {
allow-from 192.168.68.0/24
cache-size 0
/* NOTE(review): 192.168.1.24 appears nowhere else in this config; every other DNS reference uses 192.168.68.24 — confirm this is not a typo. */
domain phillipmcmahon.com {
server 192.168.1.24
}
listen-address 192.168.68.1
system
}
}
/* Key-only SSH on a non-default port; not reachable from wan (see firewall name wan-local). */
ssh {
disable-password-authentication
port 22022
}
}
system {
host-name vyos
/* Single administrative user with an ecdsa-sha2-nistp521 key (redacted); SSH password logins are disabled under service ssh. */
login {
user phillipmcmahon {
authentication {
public-keys phillipmcmahon-ecdsa {
key ****************
type ecdsa-sha2-nistp521
}
}
}
}
name-server 192.168.68.24
/* Unauthenticated NTP against a public server. */
ntp {
server time.google.com {
}
}
/* Local logging only; no remote syslog destination is configured, so logs exist only on the router. */
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
time-zone Europe/Zurich
}
/* fq-codel shapers: "egress" is applied on eth0 out, "ingress" on ifb0 (the eth0 redirect). */
traffic-policy {
shaper egress {
bandwidth auto
default {
bandwidth 48mbit
burst 15k
codel-quantum 1514
flows 1024
queue-limit 10240
queue-type fq-codel
}
}
shaper ingress {
bandwidth 180mbit
default {
bandwidth 90%
burst 15k
codel-quantum 1514
flows 1024
queue-limit 10240
queue-type fq-codel
}
}
}
/* Zone bindings. Every zone defaults to drop and each ordered zone pair has an explicit "from" entry pointing at firewall name <from>-<to>. */
/* NOTE(review): a new zone presumably needs a "from" entry in every other zone, otherwise its traffic is dropped by the zone default-action. */
zone-policy {
zone lan {
default-action drop
from local {
firewall {
name local-lan
}
}
from wan {
firewall {
name wan-lan
}
}
from wg0 {
firewall {
name wg0-lan
}
}
from wg1 {
firewall {
name wg1-lan
}
}
from wg2 {
firewall {
name wg2-lan
}
}
from wgwifi {
firewall {
name wgwifi-lan
}
}
interface eth2
}
/* The router itself (local-zone). */
zone local {
default-action drop
from lan {
firewall {
name lan-local
}
}
from wan {
firewall {
name wan-local
}
}
from wg0 {
firewall {
name wg0-local
}
}
from wg1 {
firewall {
name wg1-local
}
}
from wg2 {
firewall {
name wg2-local
}
}
from wgwifi {
firewall {
name wgwifi-local
}
}
local-zone
}
zone wan {
default-action drop
from lan {
firewall {
name lan-wan
}
}
from local {
firewall {
name local-wan
}
}
from wg0 {
firewall {
name wg0-wan
}
}
from wg1 {
firewall {
name wg1-wan
}
}
from wg2 {
firewall {
name wg2-wan
}
}
from wgwifi {
firewall {
name wgwifi-wan
}
}
interface eth0
}
zone wg0 {
default-action drop
from lan {
firewall {
name lan-wg0
}
}
from local {
firewall {
name local-wg0
}
}
from wan {
firewall {
name wan-wg0
}
}
from wg1 {
firewall {
name wg1-wg0
}
}
from wg2 {
firewall {
name wg2-wg0
}
}
from wgwifi {
firewall {
name wgwifi-wg0
}
}
interface wg0
}
zone wg1 {
default-action drop
from lan {
firewall {
name lan-wg1
}
}
from local {
firewall {
name local-wg1
}
}
from wan {
firewall {
name wan-wg1
}
}
from wg0 {
firewall {
name wg0-wg1
}
}
from wg2 {
firewall {
name wg2-wg1
}
}
from wgwifi {
firewall {
name wgwifi-wg1
}
}
interface wg1
}
zone wg2 {
default-action drop
from lan {
firewall {
name lan-wg2
}
}
from local {
firewall {
name local-wg2
}
}
from wan {
firewall {
name wan-wg2
}
}
from wg0 {
firewall {
name wg0-wg2
}
}
from wg1 {
firewall {
name wg1-wg2
}
}
from wgwifi {
firewall {
name wgwifi-wg2
}
}
interface wg2
}
/* The Wi-Fi segment on eth1. */
zone wgwifi {
default-action drop
from lan {
firewall {
name lan-wgwifi
}
}
from local {
firewall {
name local-wgwifi
}
}
from wan {
firewall {
name wan-wgwifi
}
}
from wg0 {
firewall {
name wg0-wgwifi
}
}
from wg1 {
firewall {
name wg1-wgwifi
}
}
from wg2 {
firewall {
name wg2-wgwifi
}
}
interface eth1
}
}
Attached To
Mode
T1230: Improving Boot Time for Large Firewall Configurations
Attached