itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ conf [edit] itconsult@ha-r01a# del policy route outviajt rule 5 [edit] itconsult@ha-r01a# commit [edit] itconsult@ha-r01a# save Saving configuration to '/config/config.boot'... Done [edit] itconsult@ha-r01a# exit exit itconsult@ha-r01a:~$ sh ver Version: VyOS 1.3.3 Release train: equuleus Built by: Sentrium S.L. Built on: Mon 29 May 2023 12:55 UTC Build UUID: a302f99b-4d44-4a40-82ba-1a4275902d5e Build commit ID: bc64a3a72244b9 Architecture: x86_64 Boot via: installed image System type: KVM guest Hardware vendor: Red Hat Hardware model: KVM Hardware S/N: Hardware UUID: 4eb3487e-35a2-4d93-b140-b1f9480fe4a5 Copyright: VyOS maintainers and contributors itconsult@ha-r01a:~$ sh conf c | strip-private set firewall all-ping 'enable' set firewall broadcast-ping 'disable' set firewall config-trap 'disable' set firewall group network-group internaladdresses network 'xxx.xxx.42.0/24' set firewall group network-group internaladdresses network 'xxx.xxx.23.0/29' set firewall group network-group internaladdresses network 'xxx.xxx.203.24/29' set firewall group network-group internaladdresses network 'xxx.xxx.69.64/29' set firewall group network-group internaladdresses network 'xxx.xxx.72.64/29' set firewall group network-group internaladdresses network 'xxx.xxx.4.208/29' set firewall group network-group outviajt network 'xxx.xxx.23.0/29' set firewall group network-group outviajt network 'xxx.xxx.4.208/29' set firewall ipv6-receive-redirects 'disable' set firewall ipv6-src-route 'disable' set firewall ip-src-route 'disable' set firewall log-martians 'enable' set firewall name TO-ROUTER default-action 'drop' set firewall name TO-ROUTER rule 10 action 'accept' set firewall name TO-ROUTER rule 10 description 'itconsult Local Traffic' set firewall name TO-ROUTER rule 10 protocol 'all' set firewall name TO-ROUTER rule 10 source address 'xxx.xxx.42.0/24' set firewall name TO-ROUTER rule 20 action 'accept' set firewall name TO-ROUTER rule 20 
description 'Foreshore link subnet' set firewall name TO-ROUTER rule 20 protocol 'all' set firewall name TO-ROUTER rule 20 source address 'xxx.xxx.95.24/29' set firewall name TO-ROUTER rule 21 action 'accept' set firewall name TO-ROUTER rule 21 description 'Foreshore routed subnet' set firewall name TO-ROUTER rule 21 protocol 'all' set firewall name TO-ROUTER rule 21 source address 'xxx.xxx.69.64/29' set firewall name TO-ROUTER rule 30 action 'accept' set firewall name TO-ROUTER rule 30 description 'Newtel link subnet' set firewall name TO-ROUTER rule 30 protocol 'all' set firewall name TO-ROUTER rule 30 source address 'xxx.xxx.203.32/29' set firewall name TO-ROUTER rule 31 action 'accept' set firewall name TO-ROUTER rule 31 description 'Newtel link subnet' set firewall name TO-ROUTER rule 31 protocol 'all' set firewall name TO-ROUTER rule 31 source address 'xxx.xxx.203.24/29' set firewall name TO-ROUTER rule 40 action 'accept' set firewall name TO-ROUTER rule 40 description 'JT link subnet' set firewall name TO-ROUTER rule 40 protocol 'all' set firewall name TO-ROUTER rule 40 source address 'xxx.xxx.4.208/29' set firewall name TO-ROUTER rule 41 action 'accept' set firewall name TO-ROUTER rule 41 description 'JT routed subnet' set firewall name TO-ROUTER rule 41 protocol 'all' set firewall name TO-ROUTER rule 41 source address 'xxx.xxx.23.0/29' set firewall name TO-ROUTER rule 42 action 'accept' set firewall name TO-ROUTER rule 42 description 'JT BGP peers' set firewall name TO-ROUTER rule 42 protocol 'all' set firewall name TO-ROUTER rule 42 source address 'xxx.xxx.12.56/31' set firewall name TO-ROUTER rule 43 action 'accept' set firewall name TO-ROUTER rule 43 description 'JT BGP peers' set firewall name TO-ROUTER rule 43 protocol 'all' set firewall name TO-ROUTER rule 43 source address 'xxx.xxx.102.192/29' set firewall name TO-ROUTER rule 46 action 'accept' set firewall name TO-ROUTER rule 46 description 'qr broadband' set firewall name TO-ROUTER rule 46 
protocol 'all' set firewall name TO-ROUTER rule 46 source address 'xxx.xxx.27.93/32' set firewall name TO-ROUTER rule 47 action 'accept' set firewall name TO-ROUTER rule 47 description 'vp-r01a' set firewall name TO-ROUTER rule 47 protocol 'all' set firewall name TO-ROUTER rule 47 source address 'xxx.xxx.63.136/32' set firewall name TO-ROUTER rule 50 action 'accept' set firewall name TO-ROUTER rule 50 description 'ssh from m70' set firewall name TO-ROUTER rule 50 destination port 'ssh' set firewall name TO-ROUTER rule 50 protocol 'tcp' set firewall name TO-ROUTER rule 50 source address 'xxx.xxx.144.150/32' set firewall name TO-ROUTER rule 51 action 'accept' set firewall name TO-ROUTER rule 51 description 'ssh from m72' set firewall name TO-ROUTER rule 51 destination port 'ssh' set firewall name TO-ROUTER rule 51 protocol 'tcp' set firewall name TO-ROUTER rule 51 source address 'xxx.xxx.34.123/32' set firewall name TO-ROUTER rule 60 action 'accept' set firewall name TO-ROUTER rule 60 description 'VRRP' set firewall name TO-ROUTER rule 60 destination address 'xxx.xxx.0.18' set firewall name TO-ROUTER rule 60 protocol '112' set firewall name TO-ROUTER rule 70 action 'accept' set firewall name TO-ROUTER rule 70 description 'IPSEC UDP' set firewall name TO-ROUTER rule 70 destination port '500,4500,1701' set firewall name TO-ROUTER rule 70 protocol 'udp' set firewall name TO-ROUTER rule 80 action 'accept' set firewall name TO-ROUTER rule 80 description 'IPSEC ESP' set firewall name TO-ROUTER rule 80 protocol 'esp' set firewall name TO-ROUTER rule 100 action 'accept' set firewall name TO-ROUTER rule 100 description 'DHCP' set firewall name TO-ROUTER rule 100 destination port 'bootps' set firewall name TO-ROUTER rule 100 protocol 'udp' set firewall name TO-ROUTER rule 401 action 'accept' set firewall name TO-ROUTER rule 401 description 'wireguard re lvg-r01' set firewall name TO-ROUTER rule 401 destination port '51820' set firewall name TO-ROUTER rule 401 protocol 'udp' 
set firewall name TO-ROUTER rule 401 source address 'xxx.xxx.69.0/24' set firewall name TO-ROUTER rule 402 action 'accept' set firewall name TO-ROUTER rule 402 description 'wireguard re lvg-r01' set firewall name TO-ROUTER rule 402 destination port '51820' set firewall name TO-ROUTER rule 402 protocol 'udp' set firewall name TO-ROUTER rule 402 source address 'xxx.xxx.70.0/24' set firewall name TO-ROUTER rule 996 action 'accept' set firewall name TO-ROUTER rule 996 description 'ICMP Throughout' set firewall name TO-ROUTER rule 996 protocol 'icmp' set firewall name TO-ROUTER rule 999 action 'reject' set firewall name TO-ROUTER rule 999 description 'Block' set firewall name TO-ROUTER rule 999 log 'disable' set firewall name TO-ROUTER rule 999 protocol 'all' set firewall receive-redirects 'disable' set firewall send-redirects 'enable' set firewall source-validation 'disable' set firewall syn-cookies 'enable' set firewall twa-hazards-protection 'disable' set high-availability vrrp group eth0.20-20 advertise-interval '1' set high-availability vrrp group eth0.20-20 interface 'eth0.20' set high-availability vrrp group eth0.20-20 priority '150' set high-availability vrrp group eth0.20-20 virtual-address xxx.xxx.42.170/28 set high-availability vrrp group eth0.20-20 vrid '20' set interfaces ethernet eth0 duplex 'auto' set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:24' set interfaces ethernet eth0 offload gro set interfaces ethernet eth0 offload gso set interfaces ethernet eth0 offload sg set interfaces ethernet eth0 offload tso set interfaces ethernet eth0 speed 'auto' set interfaces ethernet eth0 vif 20 address 'xxx.xxx.42.168/28' set interfaces ethernet eth0 vif 20 description 'Hatherley Backbone' set interfaces ethernet eth0 vif 20 firewall local name 'TO-ROUTER' set interfaces ethernet eth0 vif 20 ip ospf cost '10' set interfaces ethernet eth0 vif 20 ip ospf dead-interval '4' set interfaces ethernet eth0 vif 20 ip ospf hello-interval '1' set interfaces ethernet eth0 
vif 20 ip ospf priority '120' set interfaces ethernet eth0 vif 20 ip ospf retransmit-interval '5' set interfaces ethernet eth0 vif 20 ip ospf transmit-delay '1' set interfaces ethernet eth0 vif 20 policy route 'outviajt' set interfaces ethernet eth0 vif 122 description 'ONT 509001' set interfaces loopback lo address 'xxx.xxx.42.250/32' set interfaces openvpn vtun1 description 'qr-r01a bb - ha-r01a bb' set interfaces openvpn vtun1 encryption cipher 'aes256' set interfaces openvpn vtun1 firewall local name 'TO-ROUTER' set interfaces openvpn vtun1 hash 'sha256' set interfaces openvpn vtun1 ip ospf cost '20' set interfaces openvpn vtun1 ip ospf dead-interval '4' set interfaces openvpn vtun1 ip ospf hello-interval '1' set interfaces openvpn vtun1 ip ospf network 'point-to-point' set interfaces openvpn vtun1 ip ospf priority '1' set interfaces openvpn vtun1 ip ospf retransmit-interval '5' set interfaces openvpn vtun1 ip ospf transmit-delay '1' set interfaces openvpn vtun1 local-address xxx.xxx.42.146 subnet-mask 'xxx.xxx.255.252' set interfaces openvpn vtun1 mode 'site-to-site' set interfaces openvpn vtun1 remote-address 'xxx.xxx.42.145' set interfaces openvpn vtun1 remote-host 'xxx.xxx.27.93' set interfaces openvpn vtun1 shared-secret-key-file xxxxxx set interfaces openvpn vtun2 description 'qr-r01b foreshore - ha-r01a bb' set interfaces openvpn vtun2 encryption cipher 'aes256' set interfaces openvpn vtun2 firewall local name 'TO-ROUTER' set interfaces openvpn vtun2 hash 'sha256' set interfaces openvpn vtun2 ip ospf cost '40' set interfaces openvpn vtun2 ip ospf dead-interval '4' set interfaces openvpn vtun2 ip ospf hello-interval '1' set interfaces openvpn vtun2 ip ospf network 'point-to-point' set interfaces openvpn vtun2 ip ospf priority '1' set interfaces openvpn vtun2 ip ospf retransmit-interval '5' set interfaces openvpn vtun2 ip ospf transmit-delay '1' set interfaces openvpn vtun2 local-address xxx.xxx.42.150 subnet-mask 'xxx.xxx.255.252' set interfaces openvpn 
vtun2 local-port '1195' set interfaces openvpn vtun2 mode 'site-to-site' set interfaces openvpn vtun2 remote-address 'xxx.xxx.42.149' set interfaces openvpn vtun2 remote-host 'xxx.xxx.95.29' set interfaces openvpn vtun2 remote-port '1195' set interfaces openvpn vtun2 shared-secret-key-file xxxxxx set interfaces openvpn vtun5 description 'vp-r01 - broadband' set interfaces openvpn vtun5 encryption cipher 'aes256' set interfaces openvpn vtun5 firewall local name 'TO-ROUTER' set interfaces openvpn vtun5 hash 'sha256' set interfaces openvpn vtun5 ip ospf cost '65' set interfaces openvpn vtun5 ip ospf dead-interval '4' set interfaces openvpn vtun5 ip ospf hello-interval '1' set interfaces openvpn vtun5 ip ospf network 'point-to-point' set interfaces openvpn vtun5 ip ospf priority '1' set interfaces openvpn vtun5 ip ospf retransmit-interval '5' set interfaces openvpn vtun5 ip ospf transmit-delay '1' set interfaces openvpn vtun5 local-address xxx.xxx.42.241 subnet-mask 'xxx.xxx.255.252' set interfaces openvpn vtun5 local-port '1198' set interfaces openvpn vtun5 mode 'site-to-site' set interfaces openvpn vtun5 remote-address 'xxx.xxx.42.242' set interfaces openvpn vtun5 remote-host 'xxx.xxx.63.136' set interfaces openvpn vtun5 remote-port '1198' set interfaces openvpn vtun5 shared-secret-key-file xxxxxx set interfaces pppoe pppoe0 authentication password xxxxxx set interfaces pppoe pppoe0 authentication user xxxxxx set interfaces pppoe pppoe0 default-route 'none' set interfaces pppoe pppoe0 firewall local name 'TO-ROUTER' set interfaces pppoe pppoe0 mtu '1492' set interfaces pppoe pppoe0 no-peer-dns set interfaces pppoe pppoe0 source-interface 'eth0.122' set interfaces wireguard wg09 address 'xxx.xxx.136.237/30' set interfaces wireguard wg09 description 'lvg-r01 via JT Broadband/Airtel' set interfaces wireguard wg09 ip ospf dead-interval '4' set interfaces wireguard wg09 ip ospf hello-interval '1' set interfaces wireguard wg09 ip ospf network 'point-to-point' set 
interfaces wireguard wg09 ip ospf priority '1' set interfaces wireguard wg09 ip ospf retransmit-interval '5' set interfaces wireguard wg09 ip ospf transmit-delay '1' set interfaces wireguard wg09 peer to-lvg-r01 allowed-ips 'xxx.xxx.0.0/0' set interfaces wireguard wg09 peer to-lvg-r01 persistent-keepalive '25' set interfaces wireguard wg09 peer to-lvg-r01 pubkey 'CUB1Xs9TIwiKpZLtI09YlkY6+e0qc6WParY1Ku9SrXo=' set interfaces wireguard wg09 port '51820' set interfaces wireguard wg09 private-key xxxxxx set policy as-path-list itconsult rule 10 action 'permit' set policy as-path-list itconsult rule 10 regex '^$' set policy prefix-list default-route rule 10 action 'permit' set policy prefix-list default-route rule 10 prefix 'xxx.xxx.0.0/0' set policy prefix-list itconsult-aggregated rule 10 action 'permit' set policy prefix-list itconsult-aggregated rule 10 prefix 'xxx.xxx.42.0/24' set policy prefix-list rfc1918 rule 10 action 'permit' set policy prefix-list rfc1918 rule 10 prefix 'xxx.xxx.0.0/8' set policy prefix-list rfc1918 rule 11 action 'permit' set policy prefix-list rfc1918 rule 11 ge '9' set policy prefix-list rfc1918 rule 11 prefix 'xxx.xxx.0.0/8' set policy prefix-list rfc1918 rule 20 action 'permit' set policy prefix-list rfc1918 rule 20 prefix 'xxx.xxx.0.0/12' set policy prefix-list rfc1918 rule 21 action 'permit' set policy prefix-list rfc1918 rule 21 ge '13' set policy prefix-list rfc1918 rule 21 prefix 'xxx.xxx.0.0/12' set policy prefix-list rfc1918 rule 30 action 'permit' set policy prefix-list rfc1918 rule 30 prefix 'xxx.xxx.0.0/16' set policy prefix-list rfc1918 rule 31 action 'permit' set policy prefix-list rfc1918 rule 31 ge '17' set policy prefix-list rfc1918 rule 31 prefix 'xxx.xxx.0.0/16' set policy route outviajt rule 10 description 'Internal Traffic' set policy route outviajt rule 10 destination group network-group 'internaladdresses' set policy route outviajt rule 10 set table 'main' set policy route outviajt rule 10 source group network-group 
'outviajt' set policy route outviajt rule 20 description 'Out via JT' set policy route outviajt rule 20 set table '1' set policy route outviajt rule 20 source group network-group 'outviajt' set policy route outviajt rule 30 description 'Normal Traffic' set policy route outviajt rule 30 set table 'main' set policy route-map bgp-local-no-export rule 10 action 'permit' set policy route-map bgp-local-no-export rule 10 set community 'no-export' set policy route-map bgp-no-advertise rule 10 action 'deny' set policy route-map static-to-ospf rule 10 action 'permit' set policy route-map static-to-ospf rule 10 description 'Redistribute default route' set policy route-map static-to-ospf rule 10 match ip address prefix-list 'default-route' set policy route-map static-to-ospf rule 20 action 'deny' set policy route-map static-to-ospf rule 20 description 'Do not redistribute anything else' set protocols bgp XXXXXX address-family ipv4-unicast aggregate-address xxx.xxx.42.0/24 set protocols bgp XXXXXX address-family ipv4-unicast network xxx.xxx.42.250/32 route-map 'bgp-local-no-export' set protocols bgp XXXXXX neighbor xxx.xxx.42.213 description 'qr-r01a' set protocols bgp XXXXXX neighbor xxx.xxx.42.213 peer-group 'ITCONSULT' set protocols bgp XXXXXX neighbor xxx.xxx.42.214 description 'vp-r01' set protocols bgp XXXXXX neighbor xxx.xxx.42.214 peer-group 'ITCONSULT' set protocols bgp XXXXXX neighbor xxx.xxx.42.215 description 'ha-r01b' set protocols bgp XXXXXX neighbor xxx.xxx.42.215 peer-group 'ITCONSULT' set protocols bgp XXXXXX neighbor xxx.xxx.42.251 description 'qr-r01b' set protocols bgp XXXXXX neighbor xxx.xxx.42.251 peer-group 'ITCONSULT' set protocols bgp XXXXXX parameters log-neighbor-changes set protocols bgp XXXXXX parameters no-fast-external-failover set protocols bgp XXXXXX peer-group ITCONSULT remote-as '25040' set protocols bgp XXXXXX peer-group ITCONSULT update-source 'xxx.xxx.42.250' set protocols bgp XXXXXX timers holdtime '45' set protocols bgp XXXXXX timers 
keepalive '5' set protocols ospf area 0 area-type normal set protocols ospf area 0 network 'xxx.xxx.42.160/28' set protocols ospf area 0 network 'xxx.xxx.42.250/32' set protocols ospf area 0 network 'xxx.xxx.42.156/30' set protocols ospf area 0 network 'xxx.xxx.42.200/30' set protocols ospf area 0 network 'xxx.xxx.42.144/30' set protocols ospf area 0 network 'xxx.xxx.42.148/30' set protocols ospf area 0 network 'xxx.xxx.42.240/30' set protocols ospf area 0 network 'xxx.xxx.136.236/30' set protocols ospf default-information originate metric '10' set protocols ospf default-information originate metric-type '1' set protocols ospf log-adjacency-changes detail set protocols ospf redistribute static metric-type '2' set protocols ospf redistribute static route-map 'static-to-ospf' set protocols static interface-route xxx.xxx.63.136/32 next-hop-interface pppoe0 set protocols static interface-route xxx.xxx.69.0/24 next-hop-interface pppoe0 set protocols static interface-route xxx.xxx.70.0/24 next-hop-interface pppoe0 set protocols static interface-route xxx.xxx.12.56/31 next-hop-interface pppoe0 set protocols static interface-route xxx.xxx.27.93/32 next-hop-interface pppoe0 set protocols static interface-route xxx.xxx.95.29/32 next-hop-interface pppoe0 set protocols static route xxx.xxx.0.0/0 blackhole distance '210' set protocols static route xxx.xxx.42.0/24 blackhole distance '210' set protocols static table 1 interface-route xxx.xxx.0.0/0 next-hop-interface pppoe0 set service snmp community [redacted] authorization 'ro' set service snmp community [redacted] network 'xxx.xxx.42.0/24' set service ssh port '22' set system config-management commit-revisions '20' set system conntrack modules ftp set system conntrack modules h323 set system conntrack modules nfs set system conntrack modules pptp set system conntrack modules sip set system conntrack modules sqlnet set system conntrack modules tftp set system domain-name xxxxxx set system host-name xxxxxx set system login banner 
post-login '' set system login banner pre-login '' set system login user xxxxxx authentication encrypted-password xxxxxx set system login user xxxxxx authentication plaintext-password xxxxxx set system name-server 'xxx.xxx.42.9' set system name-server 'xxx.xxx.42.130' set system ntp listen-address 'xxx.xxx.42.168' set system ntp listen-address 'xxx.xxx.42.250' set system ntp server xxxxx.tld set system ntp server xxxxx.tld set system ntp server xxxxx.tld set system ntp server xxxxx.tld set system syslog global facility all level 'debug' set system syslog global facility protocols level 'debug' set system syslog host xxx.xxx.42.2 facility all level 'debug' set system time-zone 'GB' set traffic-policy itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ ls vyos-1.4.0-epa1-amd64.iso itconsult@ha-r01a:~$ add system image vyos-1.4.0-epa1-amd64.iso Checking SHA256 checksums of files on the ISO image... OK. Done! What would you like to name this image? [1.4.0-epa1]: OK. This image will be named: 1.4.0-epa1 Installing "1.4.0-epa1" image. Copying new release files... Would you like to save the current configuration directory and config file? (Yes/No) [Yes]: Copying current configuration... Would you like to save the SSH host keys from your current configuration? (Yes/No) [Yes]: Copying SSH keys... Running post-install script... Setting up grub configuration... Done. itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ reboot Are you sure you want to reboot this system? [y/N] y Using username "itconsult". 
itconsult@eth0-20.ha-r01a.itconsult.net's password: itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ ls /tmp systemd-private-b80c5f901fa2437889ab47f447b0f0b8-chrony.service-vTYhCv systemd-private-b80c5f901fa2437889ab47f447b0f0b8-openvpn@vtun5.service-l3xsaC systemd-private-b80c5f901fa2437889ab47f447b0f0b8-haveged.service-GVSDmK systemd-private-b80c5f901fa2437889ab47f447b0f0b8-systemd-logind.service-JdsYpJ systemd-private-b80c5f901fa2437889ab47f447b0f0b8-openvpn@vtun1.service-9niyhs vyos-configd-script-stdout systemd-private-b80c5f901fa2437889ab47f447b0f0b8-openvpn@vtun2.service-V5bbj6 vyos-config-status itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ cat /tmp/vyos-config vyos-configd-script-stdout vyos-config-status itconsult@ha-r01a:~$ cat /tmp/vyos-config-status 0 itconsult@ha-r01a:~$ cat /tmp/vyos-configd-script-stdout WARNING: changing speed/duplex setting on "eth0" is unsupported! DEPRECATION WARNING: OpenVPN shared-secret support will be removed in future VyOS versions. Please migrate your site-to-site tunnels to TLS. You can use self-signed certificates with peer fingerprint verification, consult the documentation for details. DEPRECATION WARNING: OpenVPN shared-secret support will be removed in future VyOS versions. Please migrate your site-to-site tunnels to TLS. You can use self-signed certificates with peer fingerprint verification, consult the documentation for details. DEPRECATION WARNING: OpenVPN shared-secret support will be removed in future VyOS versions. Please migrate your site-to-site tunnels to TLS. You can use self-signed certificates with peer fingerprint verification, consult the documentation for details. itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ sh ver Version: VyOS 1.4.0-epa1 Release train: sagitta Built by: Sentrium S.L. 
Built on: Thu 22 Feb 2024 19:17 UTC Build UUID: 97f0c92c-b99d-4bde-a67f-079ca030f2a1 Build commit ID: bcac2eb1f9b49c Architecture: x86_64 Boot via: installed image System type: KVM guest Hardware vendor: Red Hat Hardware model: KVM Hardware S/N: Hardware UUID: 4eb3487e-35a2-4d93-b140-b1f9480fe4a5 Copyright: VyOS maintainers and contributors itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ sh conf c | strip-private set firewall global-options all-ping 'enable' set firewall global-options broadcast-ping 'disable' set firewall global-options ip-src-route 'disable' set firewall global-options ipv6-receive-redirects 'disable' set firewall global-options ipv6-src-route 'disable' set firewall global-options log-martians 'enable' set firewall global-options receive-redirects 'disable' set firewall global-options send-redirects 'enable' set firewall global-options source-validation 'disable' set firewall global-options syn-cookies 'enable' set firewall global-options twa-hazards-protection 'disable' set firewall group network-group internaladdresses network 'xxx.xxx.42.0/24' set firewall group network-group internaladdresses network 'xxx.xxx.23.0/29' set firewall group network-group internaladdresses network 'xxx.xxx.203.24/29' set firewall group network-group internaladdresses network 'xxx.xxx.69.64/29' set firewall group network-group internaladdresses network 'xxx.xxx.72.64/29' set firewall group network-group internaladdresses network 'xxx.xxx.4.208/29' set firewall group network-group outviajt network 'xxx.xxx.23.0/29' set firewall group network-group outviajt network 'xxx.xxx.4.208/29' set firewall ipv4 input filter default-action 'accept' set firewall ipv4 input filter rule 5 action 'jump' set firewall ipv4 input filter rule 5 inbound-interface name 'eth0.20' set firewall ipv4 input filter rule 5 jump-target 'TO-ROUTER' set firewall ipv4 input filter rule 10 action 'jump' set firewall ipv4 input filter rule 10 inbound-interface name 'pppoe0' set 
firewall ipv4 input filter rule 10 jump-target 'TO-ROUTER' set firewall ipv4 input filter rule 15 action 'jump' set firewall ipv4 input filter rule 15 inbound-interface name 'vtun1' set firewall ipv4 input filter rule 15 jump-target 'TO-ROUTER' set firewall ipv4 input filter rule 20 action 'jump' set firewall ipv4 input filter rule 20 inbound-interface name 'vtun2' set firewall ipv4 input filter rule 20 jump-target 'TO-ROUTER' set firewall ipv4 input filter rule 25 action 'jump' set firewall ipv4 input filter rule 25 inbound-interface name 'vtun5' set firewall ipv4 input filter rule 25 jump-target 'TO-ROUTER' set firewall ipv4 name TO-ROUTER default-action 'drop' set firewall ipv4 name TO-ROUTER rule 10 action 'return' set firewall ipv4 name TO-ROUTER rule 10 description 'itconsult Local Traffic' set firewall ipv4 name TO-ROUTER rule 10 protocol 'all' set firewall ipv4 name TO-ROUTER rule 10 source address 'xxx.xxx.42.0/24' set firewall ipv4 name TO-ROUTER rule 20 action 'return' set firewall ipv4 name TO-ROUTER rule 20 description 'Foreshore link subnet' set firewall ipv4 name TO-ROUTER rule 20 protocol 'all' set firewall ipv4 name TO-ROUTER rule 20 source address 'xxx.xxx.95.24/29' set firewall ipv4 name TO-ROUTER rule 21 action 'return' set firewall ipv4 name TO-ROUTER rule 21 description 'Foreshore routed subnet' set firewall ipv4 name TO-ROUTER rule 21 protocol 'all' set firewall ipv4 name TO-ROUTER rule 21 source address 'xxx.xxx.69.64/29' set firewall ipv4 name TO-ROUTER rule 30 action 'return' set firewall ipv4 name TO-ROUTER rule 30 description 'Newtel link subnet' set firewall ipv4 name TO-ROUTER rule 30 protocol 'all' set firewall ipv4 name TO-ROUTER rule 30 source address 'xxx.xxx.203.32/29' set firewall ipv4 name TO-ROUTER rule 31 action 'return' set firewall ipv4 name TO-ROUTER rule 31 description 'Newtel link subnet' set firewall ipv4 name TO-ROUTER rule 31 protocol 'all' set firewall ipv4 name TO-ROUTER rule 31 source address 'xxx.xxx.203.24/29' set 
firewall ipv4 name TO-ROUTER rule 40 action 'return' set firewall ipv4 name TO-ROUTER rule 40 description 'JT link subnet' set firewall ipv4 name TO-ROUTER rule 40 protocol 'all' set firewall ipv4 name TO-ROUTER rule 40 source address 'xxx.xxx.4.208/29' set firewall ipv4 name TO-ROUTER rule 41 action 'return' set firewall ipv4 name TO-ROUTER rule 41 description 'JT routed subnet' set firewall ipv4 name TO-ROUTER rule 41 protocol 'all' set firewall ipv4 name TO-ROUTER rule 41 source address 'xxx.xxx.23.0/29' set firewall ipv4 name TO-ROUTER rule 42 action 'return' set firewall ipv4 name TO-ROUTER rule 42 description 'JT BGP peers' set firewall ipv4 name TO-ROUTER rule 42 protocol 'all' set firewall ipv4 name TO-ROUTER rule 42 source address 'xxx.xxx.12.56/31' set firewall ipv4 name TO-ROUTER rule 43 action 'return' set firewall ipv4 name TO-ROUTER rule 43 description 'JT BGP peers' set firewall ipv4 name TO-ROUTER rule 43 protocol 'all' set firewall ipv4 name TO-ROUTER rule 43 source address 'xxx.xxx.102.192/29' set firewall ipv4 name TO-ROUTER rule 46 action 'return' set firewall ipv4 name TO-ROUTER rule 46 description 'qr broadband' set firewall ipv4 name TO-ROUTER rule 46 protocol 'all' set firewall ipv4 name TO-ROUTER rule 46 source address 'xxx.xxx.27.93/32' set firewall ipv4 name TO-ROUTER rule 47 action 'return' set firewall ipv4 name TO-ROUTER rule 47 description 'vp-r01a' set firewall ipv4 name TO-ROUTER rule 47 protocol 'all' set firewall ipv4 name TO-ROUTER rule 47 source address 'xxx.xxx.63.136/32' set firewall ipv4 name TO-ROUTER rule 50 action 'return' set firewall ipv4 name TO-ROUTER rule 50 description 'ssh from m70' set firewall ipv4 name TO-ROUTER rule 50 destination port 'ssh' set firewall ipv4 name TO-ROUTER rule 50 protocol 'tcp' set firewall ipv4 name TO-ROUTER rule 50 source address 'xxx.xxx.144.150/32' set firewall ipv4 name TO-ROUTER rule 51 action 'return' set firewall ipv4 name TO-ROUTER rule 51 description 'ssh from m72' set firewall ipv4 
name TO-ROUTER rule 51 destination port 'ssh' set firewall ipv4 name TO-ROUTER rule 51 protocol 'tcp' set firewall ipv4 name TO-ROUTER rule 51 source address 'xxx.xxx.34.123/32' set firewall ipv4 name TO-ROUTER rule 60 action 'return' set firewall ipv4 name TO-ROUTER rule 60 description 'VRRP' set firewall ipv4 name TO-ROUTER rule 60 destination address 'xxx.xxx.0.18' set firewall ipv4 name TO-ROUTER rule 60 protocol '112' set firewall ipv4 name TO-ROUTER rule 70 action 'return' set firewall ipv4 name TO-ROUTER rule 70 description 'IPSEC UDP' set firewall ipv4 name TO-ROUTER rule 70 destination port '500,4500,1701' set firewall ipv4 name TO-ROUTER rule 70 protocol 'udp' set firewall ipv4 name TO-ROUTER rule 80 action 'return' set firewall ipv4 name TO-ROUTER rule 80 description 'IPSEC ESP' set firewall ipv4 name TO-ROUTER rule 80 protocol 'esp' set firewall ipv4 name TO-ROUTER rule 100 action 'return' set firewall ipv4 name TO-ROUTER rule 100 description 'DHCP' set firewall ipv4 name TO-ROUTER rule 100 destination port 'bootps' set firewall ipv4 name TO-ROUTER rule 100 protocol 'udp' set firewall ipv4 name TO-ROUTER rule 401 action 'return' set firewall ipv4 name TO-ROUTER rule 401 description 'wireguard re lvg-r01' set firewall ipv4 name TO-ROUTER rule 401 destination port '51820' set firewall ipv4 name TO-ROUTER rule 401 protocol 'udp' set firewall ipv4 name TO-ROUTER rule 401 source address 'xxx.xxx.69.0/24' set firewall ipv4 name TO-ROUTER rule 402 action 'return' set firewall ipv4 name TO-ROUTER rule 402 description 'wireguard re lvg-r01' set firewall ipv4 name TO-ROUTER rule 402 destination port '51820' set firewall ipv4 name TO-ROUTER rule 402 protocol 'udp' set firewall ipv4 name TO-ROUTER rule 402 source address 'xxx.xxx.70.0/24' set firewall ipv4 name TO-ROUTER rule 996 action 'return' set firewall ipv4 name TO-ROUTER rule 996 description 'ICMP Throughout' set firewall ipv4 name TO-ROUTER rule 996 protocol 'icmp' set firewall ipv4 name TO-ROUTER rule 999 
action 'reject' set firewall ipv4 name TO-ROUTER rule 999 description 'Block' set firewall ipv4 name TO-ROUTER rule 999 protocol 'all' set high-availability vrrp group eth0.20-20 address xxx.xxx.42.170/28 set high-availability vrrp group eth0.20-20 advertise-interval '1' set high-availability vrrp group eth0.20-20 interface 'eth0.20' set high-availability vrrp group eth0.20-20 priority '150' set high-availability vrrp group eth0.20-20 vrid '20' set interfaces ethernet eth0 duplex 'auto' set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:24' set interfaces ethernet eth0 offload gro set interfaces ethernet eth0 offload gso set interfaces ethernet eth0 offload sg set interfaces ethernet eth0 offload tso set interfaces ethernet eth0 speed 'auto' set interfaces ethernet eth0 vif 20 address 'xxx.xxx.42.168/28' set interfaces ethernet eth0 vif 20 description 'Hatherley Backbone' set interfaces ethernet eth0 vif 122 description 'ONT 509001' set interfaces loopback lo address 'xxx.xxx.42.250/32' set interfaces openvpn vtun1 description 'qr-r01a bb - ha-r01a bb' set interfaces openvpn vtun1 encryption cipher 'aes256' set interfaces openvpn vtun1 hash 'sha256' set interfaces openvpn vtun1 local-address xxx.xxx.42.146 subnet-mask 'xxx.xxx.255.252' set interfaces openvpn vtun1 mode 'site-to-site' set interfaces openvpn vtun1 remote-address 'xxx.xxx.42.145' set interfaces openvpn vtun1 remote-host 'xxx.xxx.27.93' set interfaces openvpn vtun1 shared-secret-key 'openvpn_vtun1_shared' set interfaces openvpn vtun2 description 'qr-r01b foreshore - ha-r01a bb' set interfaces openvpn vtun2 encryption cipher 'aes256' set interfaces openvpn vtun2 hash 'sha256' set interfaces openvpn vtun2 local-address xxx.xxx.42.150 subnet-mask 'xxx.xxx.255.252' set interfaces openvpn vtun2 local-port '1195' set interfaces openvpn vtun2 mode 'site-to-site' set interfaces openvpn vtun2 remote-address 'xxx.xxx.42.149' set interfaces openvpn vtun2 remote-host 'xxx.xxx.95.29' set interfaces openvpn vtun2 
remote-port '1195' set interfaces openvpn vtun2 shared-secret-key 'openvpn_vtun2_shared' set interfaces openvpn vtun5 description 'vp-r01 - broadband' set interfaces openvpn vtun5 encryption cipher 'aes256' set interfaces openvpn vtun5 hash 'sha256' set interfaces openvpn vtun5 local-address xxx.xxx.42.241 subnet-mask 'xxx.xxx.255.252' set interfaces openvpn vtun5 local-port '1198' set interfaces openvpn vtun5 mode 'site-to-site' set interfaces openvpn vtun5 remote-address 'xxx.xxx.42.242' set interfaces openvpn vtun5 remote-host 'xxx.xxx.63.136' set interfaces openvpn vtun5 remote-port '1198' set interfaces openvpn vtun5 shared-secret-key 'openvpn_vtun5_shared' set interfaces pppoe pppoe0 authentication password xxxxxx set interfaces pppoe pppoe0 authentication username xxxxxx set interfaces pppoe pppoe0 mtu '1492' set interfaces pppoe pppoe0 no-default-route set interfaces pppoe pppoe0 no-peer-dns set interfaces pppoe pppoe0 source-interface 'eth0.122' set interfaces wireguard wg09 address 'xxx.xxx.136.237/30' set interfaces wireguard wg09 description 'lvg-r01 via JT Broadband/Airtel' set interfaces wireguard wg09 peer to-lvg-r01 allowed-ips 'xxx.xxx.0.0/0' set interfaces wireguard wg09 peer to-lvg-r01 persistent-keepalive '25' set interfaces wireguard wg09 peer to-lvg-r01 public-key 'CUB1Xs9TIwiKpZLtI09YlkY6+e0qc6WParY1Ku9SrXo=' set interfaces wireguard wg09 port '51820' set interfaces wireguard wg09 private-key xxxxxx set pki openvpn shared-secret xxxxxx key xxxxxx set pki openvpn shared-secret xxxxxx version '1' set pki openvpn shared-secret xxxxxx key xxxxxx set pki openvpn shared-secret xxxxxx version '1' set pki openvpn shared-secret xxxxxx key xxxxxx set pki openvpn shared-secret xxxxxx version '1' set policy as-path-list itconsult rule 10 action 'permit' set policy as-path-list itconsult rule 10 regex '^$' set policy prefix-list default-route rule 10 action 'permit' set policy prefix-list default-route rule 10 prefix 'xxx.xxx.0.0/0' set policy prefix-list 
itconsult-aggregated rule 10 action 'permit' set policy prefix-list itconsult-aggregated rule 10 prefix 'xxx.xxx.42.0/24' set policy prefix-list rfc1918 rule 10 action 'permit' set policy prefix-list rfc1918 rule 10 prefix 'xxx.xxx.0.0/8' set policy prefix-list rfc1918 rule 11 action 'permit' set policy prefix-list rfc1918 rule 11 ge '9' set policy prefix-list rfc1918 rule 11 prefix 'xxx.xxx.0.0/8' set policy prefix-list rfc1918 rule 20 action 'permit' set policy prefix-list rfc1918 rule 20 prefix 'xxx.xxx.0.0/12' set policy prefix-list rfc1918 rule 21 action 'permit' set policy prefix-list rfc1918 rule 21 ge '13' set policy prefix-list rfc1918 rule 21 prefix 'xxx.xxx.0.0/12' set policy prefix-list rfc1918 rule 30 action 'permit' set policy prefix-list rfc1918 rule 30 prefix 'xxx.xxx.0.0/16' set policy prefix-list rfc1918 rule 31 action 'permit' set policy prefix-list rfc1918 rule 31 ge '17' set policy prefix-list rfc1918 rule 31 prefix 'xxx.xxx.0.0/16' set policy route outviajt interface 'eth0.20' set policy route outviajt rule 10 description 'Internal Traffic' set policy route outviajt rule 10 destination group network-group 'internaladdresses' set policy route outviajt rule 10 set table 'main' set policy route outviajt rule 10 source group network-group 'outviajt' set policy route outviajt rule 20 description 'Out via JT' set policy route outviajt rule 20 set table '1' set policy route outviajt rule 20 source group network-group 'outviajt' set policy route outviajt rule 30 description 'Normal Traffic' set policy route outviajt rule 30 set table 'main' set policy route-map bgp-local-no-export rule 10 action 'permit' set policy route-map bgp-local-no-export rule 10 set set policy route-map bgp-no-advertise rule 10 action 'deny' set policy route-map static-to-ospf rule 10 action 'permit' set policy route-map static-to-ospf rule 10 description 'Redistribute default route' set policy route-map static-to-ospf rule 10 match ip address prefix-list 'default-route' set 
policy route-map static-to-ospf rule 20 action 'deny' set policy route-map static-to-ospf rule 20 description 'Do not redistribute anything else' set protocols bgp address-family ipv4-unicast aggregate-address xxx.xxx.42.0/24 set protocols bgp address-family ipv4-unicast network xxx.xxx.42.250/32 route-map 'bgp-local-no-export' set protocols bgp neighbor xxx.xxx.42.213 address-family ipv4-unicast set protocols bgp neighbor xxx.xxx.42.213 description 'qr-r01a' set protocols bgp neighbor xxx.xxx.42.213 peer-group 'ITCONSULT' set protocols bgp neighbor xxx.xxx.42.214 address-family ipv4-unicast set protocols bgp neighbor xxx.xxx.42.214 description 'vp-r01' set protocols bgp neighbor xxx.xxx.42.214 peer-group 'ITCONSULT' set protocols bgp neighbor xxx.xxx.42.215 address-family ipv4-unicast set protocols bgp neighbor xxx.xxx.42.215 description 'ha-r01b' set protocols bgp neighbor xxx.xxx.42.215 peer-group 'ITCONSULT' set protocols bgp neighbor xxx.xxx.42.251 address-family ipv4-unicast set protocols bgp neighbor xxx.xxx.42.251 description 'qr-r01b' set protocols bgp neighbor xxx.xxx.42.251 peer-group 'ITCONSULT' set protocols bgp parameters log-neighbor-changes set protocols bgp parameters no-fast-external-failover set protocols bgp peer-group ITCONSULT remote-as '25040' set protocols bgp peer-group ITCONSULT update-source 'xxx.xxx.42.250' set protocols bgp system-as '25040' set protocols bgp timers holdtime '45' set protocols bgp timers keepalive '5' set protocols ospf area 0 area-type normal set protocols ospf area 0 network 'xxx.xxx.42.160/28' set protocols ospf area 0 network 'xxx.xxx.42.250/32' set protocols ospf area 0 network 'xxx.xxx.42.156/30' set protocols ospf area 0 network 'xxx.xxx.42.200/30' set protocols ospf area 0 network 'xxx.xxx.42.144/30' set protocols ospf area 0 network 'xxx.xxx.42.148/30' set protocols ospf area 0 network 'xxx.xxx.42.240/30' set protocols ospf area 0 network 'xxx.xxx.136.236/30' set protocols ospf default-information originate 
metric '10' set protocols ospf default-information originate metric-type '1' set protocols ospf interface eth0.20 cost '10' set protocols ospf interface eth0.20 dead-interval '4' set protocols ospf interface eth0.20 hello-interval '1' set protocols ospf interface eth0.20 priority '120' set protocols ospf interface eth0.20 retransmit-interval '5' set protocols ospf interface eth0.20 transmit-delay '1' set protocols ospf interface vtun1 cost '20' set protocols ospf interface vtun1 dead-interval '4' set protocols ospf interface vtun1 hello-interval '1' set protocols ospf interface vtun1 network 'point-to-point' set protocols ospf interface vtun1 priority '1' set protocols ospf interface vtun1 retransmit-interval '5' set protocols ospf interface vtun1 transmit-delay '1' set protocols ospf interface vtun2 cost '40' set protocols ospf interface vtun2 dead-interval '4' set protocols ospf interface vtun2 hello-interval '1' set protocols ospf interface vtun2 network 'point-to-point' set protocols ospf interface vtun2 priority '1' set protocols ospf interface vtun2 retransmit-interval '5' set protocols ospf interface vtun2 transmit-delay '1' set protocols ospf interface vtun5 cost '65' set protocols ospf interface vtun5 dead-interval '4' set protocols ospf interface vtun5 hello-interval '1' set protocols ospf interface vtun5 network 'point-to-point' set protocols ospf interface vtun5 priority '1' set protocols ospf interface vtun5 retransmit-interval '5' set protocols ospf interface vtun5 transmit-delay '1' set protocols ospf interface wg09 dead-interval '4' set protocols ospf interface wg09 hello-interval '1' set protocols ospf interface wg09 network 'point-to-point' set protocols ospf interface wg09 priority '1' set protocols ospf interface wg09 retransmit-interval '5' set protocols ospf interface wg09 transmit-delay '1' set protocols ospf log-adjacency-changes detail set protocols ospf redistribute static metric-type '2' set protocols ospf redistribute static route-map 
'static-to-ospf' set protocols static route xxx.xxx.0.0/0 blackhole distance '210' set protocols static route xxx.xxx.63.136/32 interface pppoe0 set protocols static route xxx.xxx.69.0/24 interface pppoe0 set protocols static route xxx.xxx.70.0/24 interface pppoe0 set protocols static route xxx.xxx.42.0/24 blackhole distance '210' set protocols static route xxx.xxx.12.56/31 interface pppoe0 set protocols static route xxx.xxx.27.93/32 interface pppoe0 set protocols static route xxx.xxx.95.29/32 interface pppoe0 set protocols static table 1 route xxx.xxx.0.0/0 interface pppoe0 set qos policy set service ntp allow-client xxxxxx 'xxx.xxx.0.0/0' set service ntp allow-client xxxxxx '::/0' set service ntp server xxxxx.tld set service ntp server xxxxx.tld set service ntp server xxxxx.tld set service ntp server xxxxx.tld set service snmp community [redacted] authorization 'ro' set service snmp community [redacted] network 'xxx.xxx.42.0/24' set service ssh port '22' set system config-management commit-revisions '20' set system conntrack modules ftp set system conntrack modules h323 set system conntrack modules nfs set system conntrack modules pptp set system conntrack modules sip set system conntrack modules sqlnet set system conntrack modules tftp set system domain-name xxxxxx set system host-name xxxxxx set system login banner post-login '' set system login banner pre-login '' set system login user xxxxxx authentication encrypted-password xxxxxx set system login user xxxxxx authentication plaintext-password xxxxxx set system name-server 'xxx.xxx.42.9' set system name-server 'xxx.xxx.42.130' set system syslog global facility all level 'debug' set system syslog global facility local7 level 'debug' set system syslog host xxx.xxx.42.2 facility all level 'debug' set system time-zone 'GB' itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ itconsult@ha-r01a:~$ conf [edit] itconsult@ha-r01a# load Loading configuration from 
'config.boot' No configuration changes to commit. [edit] itconsult@ha-r01a# exit exit itconsult@ha-r01a:~$ itconsult@ha-r01a:~$