Authored By
phillipmcmahon
May 4 2020, 8:45 AM

config.txt

/* Global firewall settings, groups, and the 42 zone-pair rulesets bound by zone-policy below. Rulesets are named from-to. */
firewall {
all-ping enable
/* Answers ICMP echo sent to broadcast addresses; normally left disabled on a firewall so the box cannot be used as an amplifier - confirm this is intended. */
broadcast-ping enable
config-trap disable
group {
/* Empty and not referenced by any rule on this page. */
address-group countries-allowed {
}
/* Not referenced by any rule on this page; the same host is used directly by dhcp-server, dns forwarding (system) and system name-server. */
address-group dns-servers {
address 192.168.68.24
}
/* Empty and not referenced by any rule on this page. */
address-group nets4-blacklist {
}
/* RFC1918 space; policy route vpn-routing rule 10 keeps traffic to these in the main table. */
network-group private-nets {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
/* Sources that policy route vpn-routing rule 100 sends to table 100 (wg0): the wg1 subnet and the eth1 wifi subnet. lan (192.168.68.0/24) and wg2 (10.0.10.0/24) are not listed, so they egress via the main table (eth0). */
network-group wireguard-allowed {
network 192.168.32.0/24
network 192.168.112.0/24
}
}
/* Only IPv4 rulesets (name) exist here; no ipv6-name rulesets. Interfaces below carry only IPv4 addresses, so this matters only if IPv6 is live on eth0. */
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* lan -> router: unrestricted. */
name lan-local {
default-action accept
}
/* lan -> wan: allow all, drop ctstate INVALID. */
name lan-wan {
default-action accept
rule 110 {
action drop
state {
invalid enable
}
}
}
/* lan -> wg0 (mullvad uplink): return traffic only. lan is not in wireguard-allowed, so it is never policy-routed into wg0 anyway. */
name lan-wg0 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
/* lan -> wg1/wg2/wgwifi: return traffic only; sessions are initiated from the VPN/wifi side. */
name lan-wg1 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name lan-wg2 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name lan-wgwifi {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
/* router -> lan/wan/wg*: unrestricted (drop INVALID toward wan). */
name local-lan {
default-action accept
}
name local-wan {
default-action accept
rule 110 {
action drop
state {
invalid enable
}
}
}
name local-wg0 {
default-action accept
}
name local-wg1 {
default-action accept
}
name local-wg2 {
default-action accept
}
name local-wgwifi {
default-action accept
}
/* wan -> lan: return traffic plus the TCP ports that nat destination rules 11-111 forward (web -> .49, Plex -> .28, mail -> .15). Rules 200-300 match on port only; adding the DNAT target as destination address would tighten them to the intended hosts. */
name wan-lan {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
rule 200 {
action accept
destination {
port 80
}
protocol tcp
}
rule 210 {
action accept
destination {
port 443
}
protocol tcp
}
rule 220 {
action accept
destination {
port 32400
}
protocol tcp
}
rule 230 {
action accept
destination {
port 25
}
protocol tcp
}
rule 240 {
action accept
destination {
port 465
}
protocol tcp
}
rule 250 {
action accept
destination {
port 587
}
protocol tcp
}
rule 260 {
action accept
destination {
port 143
}
protocol tcp
}
rule 270 {
action accept
destination {
port 993
}
protocol tcp
}
rule 280 {
action accept
destination {
port 110
}
protocol tcp
}
rule 290 {
action accept
destination {
port 995
}
protocol tcp
}
rule 300 {
action accept
destination {
port 4190
}
protocol tcp
}
}
/* wan -> router: only the wg1 (51820/udp) and wg2 (51822/udp) listeners. ssh (22022) is not admitted from wan. */
name wan-local {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
rule 400 {
action accept
destination {
port 51820
}
protocol udp
}
rule 410 {
action accept
destination {
port 51822
}
protocol udp
}
}
/* wan -> wg*: return traffic only. */
name wan-wg0 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name wan-wg1 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name wan-wg2 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name wan-wgwifi {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
/* wg0 (provider side of the mullvad tunnel) may not initiate anything toward lan, the router or wan. */
name wg0-lan {
default-action drop
}
name wg0-local {
default-action drop
}
name wg0-wan {
default-action drop
}
/* wg0 -> wg1 and wg0 -> wgwifi: return traffic for the flows that table 100 sends into wg0. */
name wg0-wg1 {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
name wg0-wg2 {
default-action drop
}
name wg0-wgwifi {
default-action drop
rule 100 {
action accept
state {
established enable
related enable
}
}
rule 110 {
action drop
state {
invalid enable
}
}
}
/* wg1 peers (road warriors) have full access to lan and the router. wg1 -> wan is dropped, so their internet traffic can only leave via wg0 (table 100). */
name wg1-lan {
default-action accept
}
name wg1-local {
default-action accept
}
name wg1-wan {
default-action drop
}
name wg1-wg0 {
default-action accept
}
name wg1-wg2 {
default-action drop
}
name wg1-wgwifi {
default-action drop
}
/* wg2 peers: full access to lan, the router and wan (direct egress on eth0, not via mullvad). */
name wg2-lan {
default-action accept
}
name wg2-local {
default-action accept
}
name wg2-wan {
default-action accept
rule 110 {
action drop
state {
invalid enable
}
}
}
name wg2-wg0 {
default-action drop
}
name wg2-wg1 {
default-action drop
}
name wg2-wgwifi {
default-action drop
}
/* wgwifi (eth1) has full access to the lan zone and to the router. For a wifi segment a drop default with explicit rules (e.g. DNS to 192.168.68.24) would contain a compromised client - confirm the accept is intended. */
name wgwifi-lan {
default-action accept
}
name wgwifi-local {
default-action accept
}
name wgwifi-wan {
default-action drop
}
name wgwifi-wg0 {
default-action accept
}
name wgwifi-wg1 {
default-action drop
}
name wgwifi-wg2 {
default-action drop
}
receive-redirects disable
/* ICMP redirects are emitted by this router; usually disabled on a firewall. */
send-redirects enable
/* No reverse-path filtering. With the policy routing below, strict rp_filter could drop asymmetric flows, so this may be deliberate - confirm. */
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
/* eth0 = wan, eth1 = wifi (egress via mullvad), eth2 = lan, wg0 = mullvad uplink, wg1/wg2 = road-warrior VPNs. All key material is masked on this page. */
interfaces {
/* RFC1918 /30 toward an upstream device at 172.31.255.5. The 172.16.0.0/12 blackhole route in protocols static is less specific than this connected route, so the next-hop stays reachable. */
ethernet eth0 {
address 172.31.255.6/30
description wan
duplex full
hw-id 00:0d:b9:51:90:74
redirect ifb0
speed 1000
traffic-policy {
out egress
}
}
ethernet eth1 {
address 192.168.112.1/24
description "mullvad (wifi)"
duplex auto
hw-id 00:0d:b9:51:90:75
/* 192.168.112.0/24 is in wireguard-allowed, so non-private destinations are routed via table 100 -> wg0. */
policy {
route vpn-routing
}
speed auto
}
ethernet eth2 {
address 192.168.68.1/24
description lan
duplex auto
hw-id 00:0d:b9:51:90:76
/* 192.168.68.0/24 is not in wireguard-allowed, so rule 100 never matches here; only rule 10 (keep private-nets in the main table) applies. */
policy {
route vpn-routing
}
speed auto
}
input ifb0 {
traffic-policy {
out ingress
}
}
loopback lo {
}
/* Outbound-only tunnel to the provider: no local port is configured and wan-local admits nothing for it. */
wireguard wg0 {
address 10.65.140.116/32
description mullvad
mtu 1420
peer mullvad-us11 {
address 185.242.5.50
/* Full-tunnel peer: every destination is accepted through it; which traffic actually uses it is decided by table 100. */
allowed-ips 0.0.0.0/0
port 51820
pubkey ****************
}
private-key ****************
}
/* Listens on 51820/udp (admitted by wan-local rule 400). Policy-routed: 192.168.32.0/24 egresses via wg0. Each peer is pinned to one /32, so a peer cannot source traffic as another peer. */
wireguard wg1 {
address 192.168.32.1/24
description "vpn +lan +mullvad"
mtu 1420
peer inuc {
allowed-ips 192.168.32.102/32
pubkey ****************
}
peer iphone {
allowed-ips 192.168.32.103/32
pubkey ****************
}
peer laptop {
allowed-ips 192.168.32.101/32
pubkey ****************
}
peer pixel3a {
allowed-ips 192.168.32.100/32
pubkey ****************
}
policy {
route vpn-routing
}
port 51820
private-key ****************
}
/* Listens on 51822/udp (wan-local rule 410). No policy route, so 10.0.10.0/24 egresses directly via eth0 (masqueraded by nat source rule 5000). */
wireguard wg2 {
address 10.0.10.1/24
description "vpn +lan +swisscom"
mtu 1420
peer inuc {
allowed-ips 10.0.10.102/32
pubkey ****************
}
peer iphone {
allowed-ips 10.0.10.103/32
pubkey ****************
}
peer laptop {
allowed-ips 10.0.10.101/32
pubkey ****************
}
peer pixel3a {
allowed-ips 10.0.10.100/32
pubkey ****************
}
port 51822
private-key ****************
}
}
/* Destination rules NN1 forward from eth0; NN2 are the lan (eth2) hairpins for the same service. Source rules NN1 masquerade the hairpinned lan flows; 5000/5100 masquerade egress on eth0/wg0. Hairpins exist for eth2 only: clients on eth1/wg1/wg2 reaching 172.31.255.6 are not translated. */
nat {
/* Web (80/443) -> 192.168.68.49, Plex 32400 -> .28, mail (25,465,587,143,993,110,995,4190) -> .15. Every forwarded port has a matching accept in firewall name wan-lan. */
destination {
rule 11 {
description "HTTP Reverse Proxy"
destination {
address 172.31.255.6
port 80
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.49
port 80
}
}
rule 12 {
description hairpin80
destination {
address 172.31.255.6
port 80
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.49
port 80
}
}
rule 21 {
description "HTTPS Reverse Proxy"
destination {
address 172.31.255.6
port 443
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.49
port 443
}
}
rule 22 {
description hairpin443
destination {
address 172.31.255.6
port 443
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.49
port 443
}
}
rule 31 {
description Plex
destination {
address 172.31.255.6
port 32400
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.28
port 32400
}
}
rule 32 {
description hairpin32400
destination {
address 172.31.255.6
port 32400
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.28
port 32400
}
}
rule 41 {
description "Postfix SMTP"
destination {
address 172.31.255.6
port 25
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 25
}
}
rule 42 {
description hairpin25
destination {
address 172.31.255.6
port 25
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 25
}
}
rule 51 {
description "Postfix SMTPS"
destination {
address 172.31.255.6
port 465
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 465
}
}
rule 52 {
description hairpin465
destination {
address 172.31.255.6
port 465
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 465
}
}
rule 61 {
description "Postfix Submission"
destination {
address 172.31.255.6
port 587
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 587
}
}
rule 62 {
description hairpin587
destination {
address 172.31.255.6
port 587
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 587
}
}
rule 71 {
description "Dovecot IMAP"
destination {
address 172.31.255.6
port 143
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 143
}
}
rule 72 {
description hairpin143
destination {
address 172.31.255.6
port 143
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 143
}
}
rule 81 {
description "Dovecot IMAPS"
destination {
address 172.31.255.6
port 993
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 993
}
}
rule 82 {
description hairpin993
destination {
address 172.31.255.6
port 993
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 993
}
}
rule 91 {
description "Dovecot POP3"
destination {
address 172.31.255.6
port 110
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 110
}
}
rule 92 {
description hairpin110
destination {
address 172.31.255.6
port 110
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 110
}
}
rule 101 {
description "Dovecot POP3S"
destination {
address 172.31.255.6
port 995
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 995
}
}
rule 102 {
description hairpin995
destination {
address 172.31.255.6
port 995
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 995
}
}
rule 111 {
description "Dovecot ManageSieve"
destination {
address 172.31.255.6
port 4190
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.68.15
port 4190
}
}
rule 112 {
description hairpin4190
destination {
address 172.31.255.6
port 4190
}
inbound-interface eth2
protocol tcp
translation {
address 192.168.68.15
port 4190
}
}
}
source {
/* Hairpinned lan -> server flows are masqueraded so replies return through the router. The servers therefore see 192.168.68.1 as the client address for these flows - relevant to any source-address based trust or rate limiting on the mail host, and to log attribution during incident review. */
rule 11 {
description hairpin
destination {
address 192.168.68.49
port 80
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 21 {
description hairpin
destination {
address 192.168.68.49
port 443
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 31 {
description hairpin
destination {
address 192.168.68.28
port 32400
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 41 {
description hairpin
destination {
address 192.168.68.15
port 25
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 51 {
description hairpin
destination {
address 192.168.68.15
port 465
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 61 {
description hairpin
destination {
address 192.168.68.15
port 587
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 71 {
description hairpin
destination {
address 192.168.68.15
port 143
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 81 {
description hairpin
destination {
address 192.168.68.15
port 993
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 91 {
description hairpin
destination {
address 192.168.68.15
port 110
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 101 {
description hairpin
destination {
address 192.168.68.15
port 995
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
rule 111 {
description hairpin
destination {
address 192.168.68.15
port 4190
}
outbound-interface eth2
protocol tcp
source {
address 192.168.68.0/24
}
translation {
address masquerade
}
}
/* Default egress masquerade on wan (covers lan, wg2 and anything else that reaches eth0). */
rule 5000 {
outbound-interface eth0
protocol all
translation {
address masquerade
}
}
/* Egress masquerade on the mullvad tunnel for the policy-routed wg1/wifi flows. */
rule 5100 {
outbound-interface wg0
protocol all
translation {
address masquerade
}
}
}
}
/* Policy-based routing applied on eth1, eth2 and wg1. Rule 10 is evaluated first: anything destined for RFC1918 space stays in the main table; rule 100 then sends sources in wireguard-allowed to table 100 (default via wg0 with a blackhole fallback). */
policy {
route vpn-routing {
rule 10 {
destination {
group {
network-group private-nets
}
}
set {
table main
}
}
rule 100 {
set {
table 100
}
source {
group {
network-group wireguard-allowed
}
}
}
}
}
protocols {
static {
/* Default route via the upstream device on the eth0 /30. */
route 0.0.0.0/0 {
next-hop 172.31.255.5 {
}
}
/* Blackholes for unrouted RFC1918 space; connected subnets are more specific and still win. Note that 192.168.1.0/24 (the dns forwarding server in service below) has no connected or static route on this page and falls into the 192.168.0.0/16 blackhole. */
route 10.0.0.0/8 {
blackhole {
}
}
route 172.16.0.0/12 {
blackhole {
}
}
route 192.168.0.0/16 {
blackhole {
}
}
/* Table 100: default via wg0, with a blackhole at distance 255 behind it, so that if the wg0 route disappears the policy-routed traffic is dropped rather than leaking out eth0. */
table 100 {
interface-route 0.0.0.0/0 {
next-hop-interface wg0 {
}
}
route 0.0.0.0/0 {
blackhole {
distance 255
}
}
}
}
}
service {
/* DHCP for the wifi segment only; lan (eth2) has no scope here. Clients are pointed at the lan DNS host 192.168.68.24, reachable because wgwifi-lan accepts. */
dhcp-server {
shared-network-name mullvad {
subnet 192.168.112.0/24 {
default-router 192.168.112.1
dns-server 192.168.68.24
domain-name phillipmcmahon.com
lease 3600
range mullvad {
start 192.168.112.100
stop 192.168.112.163
}
}
}
}
dns {
forwarding {
/* The forwarder answers only lan clients and listens only on the lan address; wifi and VPN clients use 192.168.68.24 directly. */
allow-from 192.168.68.0/24
/* Caching disabled. */
cache-size 0
/* NOTE(review): 192.168.1.24 is not in any subnet configured on this page and would hit the 192.168.0.0/16 blackhole route; looks like a typo for 192.168.68.24 - confirm. */
domain phillipmcmahon.com {
server 192.168.1.24
}
listen-address 192.168.68.1
/* Use the system name-server (192.168.68.24) as upstream. */
system
}
}
/* Key-only SSH on a non-standard port. No listen-address is set, so it is reachable from every zone whose ruleset toward local accepts (lan, wg1, wg2, wgwifi); wan-local has no rule for it. */
ssh {
disable-password-authentication
port 22022
}
}
system {
host-name vyos
/* Single admin account, public-key only (ecdsa-sha2-nistp521); key material is masked on this page. */
login {
user phillipmcmahon {
authentication {
public-keys phillipmcmahon-ecdsa {
key ****************
type ecdsa-sha2-nistp521
}
}
}
}
name-server 192.168.68.24
/* Single external, unauthenticated time source. */
ntp {
server time.google.com {
}
}
/* Local logging only: no remote syslog host is configured, and no firewall rule above sets log enable, so dropped traffic leaves no trace. For detection and post-incident review consider log enable on the default-drop rulesets and a syslog host on the lan. */
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
time-zone Europe/Zurich
}
/* fq-codel shapers: egress is applied on eth0 out, ingress via the ifb0 redirect on eth0. Not security-relevant. */
traffic-policy {
shaper egress {
bandwidth auto
default {
bandwidth 48mbit
burst 15k
codel-quantum 1514
flows 1024
queue-limit 10240
queue-type fq-codel
}
}
shaper ingress {
bandwidth 180mbit
default {
bandwidth 90%
burst 15k
codel-quantum 1514
flows 1024
queue-limit 10240
queue-type fq-codel
}
}
}
/* Seven zones: lan=eth2, local=the router, wan=eth0, wg0, wg1, wg2, wgwifi=eth1. Every zone defaults to drop and every ordered pair is bound to the matching from-to ruleset above (full 7x6 matrix, no pair missing). */
zone-policy {
zone lan {
default-action drop
from local {
firewall {
name local-lan
}
}
from wan {
firewall {
name wan-lan
}
}
from wg0 {
firewall {
name wg0-lan
}
}
from wg1 {
firewall {
name wg1-lan
}
}
from wg2 {
firewall {
name wg2-lan
}
}
from wgwifi {
firewall {
name wgwifi-lan
}
}
interface eth2
}
/* The router itself: sshd, dns forwarding and dhcp are reached through these rulesets. */
zone local {
default-action drop
from lan {
firewall {
name lan-local
}
}
from wan {
firewall {
name wan-local
}
}
from wg0 {
firewall {
name wg0-local
}
}
from wg1 {
firewall {
name wg1-local
}
}
from wg2 {
firewall {
name wg2-local
}
}
from wgwifi {
firewall {
name wgwifi-local
}
}
local-zone
}
zone wan {
default-action drop
from lan {
firewall {
name lan-wan
}
}
from local {
firewall {
name local-wan
}
}
from wg0 {
firewall {
name wg0-wan
}
}
from wg1 {
firewall {
name wg1-wan
}
}
from wg2 {
firewall {
name wg2-wan
}
}
from wgwifi {
firewall {
name wgwifi-wan
}
}
interface eth0
}
/* Provider side of the mullvad tunnel. */
zone wg0 {
default-action drop
from lan {
firewall {
name lan-wg0
}
}
from local {
firewall {
name local-wg0
}
}
from wan {
firewall {
name wan-wg0
}
}
from wg1 {
firewall {
name wg1-wg0
}
}
from wg2 {
firewall {
name wg2-wg0
}
}
from wgwifi {
firewall {
name wgwifi-wg0
}
}
interface wg0
}
zone wg1 {
default-action drop
from lan {
firewall {
name lan-wg1
}
}
from local {
firewall {
name local-wg1
}
}
from wan {
firewall {
name wan-wg1
}
}
from wg0 {
firewall {
name wg0-wg1
}
}
from wg2 {
firewall {
name wg2-wg1
}
}
from wgwifi {
firewall {
name wgwifi-wg1
}
}
interface wg1
}
zone wg2 {
default-action drop
from lan {
firewall {
name lan-wg2
}
}
from local {
firewall {
name local-wg2
}
}
from wan {
firewall {
name wan-wg2
}
}
from wg0 {
firewall {
name wg0-wg2
}
}
from wg1 {
firewall {
name wg1-wg2
}
}
from wgwifi {
firewall {
name wgwifi-wg2
}
}
interface wg2
}
/* The wifi segment on eth1 (DHCP scope mullvad). */
zone wgwifi {
default-action drop
from lan {
firewall {
name lan-wgwifi
}
}
from local {
firewall {
name local-wgwifi
}
}
from wan {
firewall {
name wan-wgwifi
}
}
from wg0 {
firewall {
name wg0-wgwifi
}
}
from wg1 {
firewall {
name wg1-wgwifi
}
}
from wg2 {
firewall {
name wg2-wgwifi
}
}
interface eth1
}
}
