firewall { global-options { all-ping "enable" broadcast-ping "disable" ip-src-route "disable" ipv6-receive-redirects "disable" ipv6-src-route "disable" log-martians "enable" } group { address-group ALL_WEBSERVERS { address "198.18.15.12" address "198.18.31.5" address "198.18.63.5" address "198.18.15.14" address "198.18.31.6" address "198.18.63.6" description "REDACTED" } address-group ATT_WEBSITES { address "192.0.2.227" address "192.0.2.230" address "192.0.2.233" description "REDACTED" } address-group BACKBONE_GLUSTER_CLIENTS { address "198.18.16.2" address "198.18.16.3" address "198.18.16.5" address "198.18.16.6" address "198.18.48.2" address "198.18.48.3" address "198.18.48.5" address "198.18.48.6" } address-group BACKBONE_JUMP_HOSTS { address "198.18.16.4" address "198.18.48.4" description "REDACTED" } address-group BACKBONE_MYSQL_SERVERS { address "198.18.31.5" address "198.18.63.5" address "198.18.31.6" address "198.18.63.6" address "198.18.16.7" address "198.18.48.7" description "REDACTED" } address-group BACKBONE_NAME_SERVERS { address "198.18.31.3" address "198.18.63.3" description "REDACTED" } address-group BACKBONE_SECURITY_SERVERS { address "198.18.31.4" address "198.18.63.4" description "REDACTED" } address-group INT_GLUSTER_SERVERS { address "198.18.255.5" address "198.18.9.3-198.18.9.5" description "REDACTED" } address-group INT_JUMP_HOSTS { address "198.18.15.13" address "192.0.2.229" description "REDACTED" } address-group INT_NAMESERVERS { address "198.18.255.1" address "198.18.15.10" description "REDACTED" } address-group INT_TIMESERVERS { address "198.18.255.2" address "198.18.15.11" description "REDACTED" } address-group INT_WEBSERVERS { address "198.18.15.12" address "198.18.15.14" description "REDACTED" } interface-group BACKBONE { interface "wg0" interface "wg1" interface "wg2" interface "wg3" interface "wg4" interface "wg5" interface "wg6" interface "wg7" interface "wg8" interface "wg9" interface "wg100" } ipv6-address-group ALL_WEBSERVERS-V6 { address "2001:db8:1:64::12" address "2001:db8:1:64::14" address "2001:db8:1:150b::5" address "2001:db8:1:150b::6" address "2001:db8:1:23e3::5" address "2001:db8:1:23e3::6" address "2001:db8:1:ffff::3" description "REDACTED" } ipv6-address-group BACKBONE_GLUSTER_CLIENTS-V6 { address "2001:db8:1:1538::2" address "2001:db8:1:1538::3" address "2001:db8:1:1538::5" address "2001:db8:1:1538::6" address "2001:db8:1:239d::2" address "2001:db8:1:239d::3" address "2001:db8:1:239d::5" address "2001:db8:1:239d::6" } ipv6-address-group BACKBONE_JUMP_HOSTS-V6 { address "2001:db8:1:239d::4" address "2001:db8:1:1538::4" description "REDACTED" } ipv6-address-group BACKBONE_MYSQL_SERVERS-V6 { address "2001:db8:1:150b::5" address "2001:db8:1:150b::6" address "2001:db8:1:23e3::5" address "2001:db8:1:23e3::6" address "2001:db8:1:1538::7" address "2001:db8:1:239d::7" description "REDACTED" } ipv6-address-group BACKBONE_NAME_SERVERS-V6 { address "2001:db8:1:150b::3" address "2001:db8:1:23e3::3" description "REDACTED" } ipv6-address-group BACKBONE_SECURITY_SERVERS-V6 { address "2001:db8:1:150b::4" address "2001:db8:1:23e3::4" description "REDACTED" } ipv6-address-group IBM_WEBSITES-V6 { address "2001:db8:1e01:80::227" address "2001:db8:1e01:80::230" address "2001:db8:1e01:80::233" description "REDACTED" } ipv6-address-group INT_GLUSTER_SERVERS-V6 { address "2001:db8:1:ffff::5" address "2001:db8:1:46::3-2001:db8:1:46::5" description "REDACTED" } ipv6-address-group INT_JUMP_HOSTS-V6 { address "2001:db8:1:64::13" address "2001:db8:1e01:80::229" description "REDACTED" } ipv6-address-group INT_NAMESERVERS-V6 { address "2001:db8:1:ffff::1" address "2001:db8:1:64::10" description "REDACTED" } ipv6-address-group INT_TIMESERVERS-V6 { address "2001:db8:1:ffff::2" address "2001:db8:1:64::11" description "REDACTED" } ipv6-address-group INT_WEBSERVERS-V6 { address "2001:db8:1:64::12" address "2001:db8:1:64::14" description "REDACTED" } ipv6-network-group IBM_SERVERS-V6 { description "REDACTED" network "2001:db8:1:239d::/64" network "2001:db8:1:23e3::/64" network "2001:db8:1:1538::/64" network "2001:db8:1:150b::/64" } ipv6-network-group INT_SERVERS-V6 { description "REDACTED" network "2001:db8:1:a::/64" network "2001:db8:1:46::/64" network "2001:db8:1:64::/64" } network-group IBM_MGMT { network "169.254.85.240/28" network "169.254.49.0/26" } network-group IBM_SERVERS { description "REDACTED" network "198.18.16.0/24" network "198.18.31.0/28" network "198.18.48.0/24" network "198.18.63.0/28" } network-group INT_SERVERS { description "REDACTED" network "198.18.0.0/24" network "198.18.15.8/29" network "198.18.9.0/24" } network-group RFC1918 { description "REDACTED" network "198.18.0.0/16" network "10.0.0.0/8" } port-group GLUSTER_CLIENT { description "REDACTED" port "24007" port "24009" port "49152-65535" } port-group WEB { description "REDACTED" port "80" port "443" } port-group WIREGUARD { port "51820-51830" port "51920" } } ipv4 { forward { filter { default-action "drop" rule 2 { action "accept" state "established" state "related" } rule 4 { action "drop" state "invalid" } rule 10 { action "accept" description "REDACTED" inbound-interface { group "BACKBONE" } outbound-interface { group "BACKBONE" } } rule 20 { action "accept" description "REDACTED" inbound-interface { name "bond0.110" } outbound-interface { group "BACKBONE" } } rule 100 { action "accept" description "REDACTED" inbound-interface { name "bond0.110" } outbound-interface { name "bond0.20" } } rule 200 { action "jump" description "REDACTED" inbound-interface { group "BACKBONE" } jump-target "BACKBONE_TO_INT" outbound-interface { name "bond0.110" } } rule 210 { action "jump" description "REDACTED" inbound-interface { name "bond0.20" } jump-target "PUBLIC_TO_INT" outbound-interface { name "bond0.110" } } } } input { filter { default-action "drop" rule 1 { action "accept" state "established" state "related" } rule 2 { action "drop" state "invalid" } rule 10 { action "jump" inbound-interface { group "BACKBONE" } jump-target "BACKBONE_TO_LOCAL" } rule 20 { action "jump" inbound-interface { name "bond0.110" } jump-target "INT_TO_LOCAL" } rule 30 { action "jump" inbound-interface { name "bond0.20" } jump-target "PUBLIC_TO_LOCAL" } } } name BACKBONE_TO_INT { default-action "drop" description "REDACTED" enable-default-log rule 1 { action "accept" description "REDACTED" protocol "icmp" source { group { network-group "RFC1918" } } } rule 10 { action "accept" description "REDACTED" source { group { address-group "BACKBONE_JUMP_HOSTS" } } } rule 20 { action "accept" description "REDACTED" destination { address "198.18.15.11" } protocol "tcp_udp" source { group { address-group "BACKBONE_SECURITY_SERVERS" } } } rule 30 { action "accept" description "REDACTED" destination { address "198.18.255.4" port "162,2055" } protocol "udp" source { address "198.18.253.0/24" } } rule 40 { action "accept" description "REDACTED" destination { address "198.18.9.3" port "ssh" } protocol "tcp" source { address "198.18.253.0/24" } } rule 50 { action "accept" description "REDACTED" destination { address "198.18.15.11" port "www,ldap,https,ldaps" } protocol "tcp" source { group { network-group "IBM_SERVERS" } } } rule 60 { action "accept" description "REDACTED" destination { address "198.18.15.11" port "kerberos,kpasswd" } protocol "tcp_udp" source { group { network-group "IBM_SERVERS" } } } rule 70 { action "accept" description "REDACTED" destination { address "198.18.15.10" port "5300" } protocol "tcp_udp" source { group { address-group "BACKBONE_NAME_SERVERS" } } } rule 80 { action "accept" description "REDACTED" destination { group { address-group "INT_WEBSERVERS" } port "3306,4444,4567,4568" } protocol "tcp" source { group { address-group "BACKBONE_MYSQL_SERVERS" } } } rule 90 { action "accept" description "REDACTED" destination { group { address-group "INT_JUMP_HOSTS" } port "ssh" } protocol "tcp" } rule 100 { action "accept" description "REDACTED" destination { group { address-group "INT_JUMP_HOSTS" } port "5201-5213" } protocol "tcp" } rule 110 { action "accept" description "REDACTED" destination { group { address-group "INT_NAMESERVERS" } port "domain,514" } protocol "tcp_udp" } rule 120 { action "accept" description "REDACTED" destination { group { address-group "INT_NAMESERVERS" } port "19532" } protocol "tcp" } rule 130 { action "accept" description "REDACTED" destination { group { address-group "INT_TIMESERVERS" } port "ntp,radius,radius-acct" } protocol "udp" } rule 140 { action "accept" description "REDACTED" destination { address "198.19.27.65" port "51413" } protocol "tcp_udp" } rule 142 { action "drop" description "REDACTED" destination { address "54.39.27.65" } protocol "icmp" } rule 144 { action "drop" description "REDACTED" destination { address "54.39.27.65" port "!51413" } protocol "tcp_udp" } rule 150 { action "accept" description "REDACTED" destination { group { address-group "ATT_WEBSITES" port-group "WEB" } } protocol "tcp" } rule 160 { action "accept" description "REDACTED" destination { group { address-group "INT_GLUSTER_SERVERS" port-group "GLUSTER_CLIENT" } } protocol "tcp" source { group { address-group "BACKBONE_GLUSTER_CLIENTS" } } } } name BACKBONE_TO_LOCAL { default-action "drop" description "REDACTED" enable-default-log rule 1 { action "accept" description "REDACTED" protocol "icmp" } rule 10 { action "accept" description "REDACTED" destination { port "ssh" } protocol "tcp" source { group { address-group "BACKBONE_JUMP_HOSTS" } } } rule 20 { action "accept" description "REDACTED" destination { port "snmp" } protocol "udp" source { group { address-group "ALL_WEBSERVERS" } } } } name INT_TO_LOCAL { default-action "drop" description "REDACTED" enable-default-log rule 1 { action "accept" description "REDACTED" protocol "icmp" } rule 10 { action "accept" description "REDACTED" destination { port "ssh" } protocol "tcp" source { group { address-group "INT_JUMP_HOSTS" } } } rule 20 { action "accept" description "REDACTED" destination { port "bgp" } protocol "tcp" source { address "198.18.15.0/29" } } rule 30 { action "accept" description "REDACTED" destination { port "3780" } protocol "udp" source { address "198.18.15.3-198.18.15.4" } } rule 40 { action "accept" description "REDACTED" destination { port "3784-3785,4784" } protocol "udp" source { address "198.18.15.0/29" } } rule 50 { action "accept" description "REDACTED" protocol "vrrp" } rule 60 { action "accept" description "REDACTED" destination { port "snmp" } protocol "udp" source { group { address-group "ALL_WEBSERVERS" } } } rule 70 { action "accept" description "REDACTED" destination { address "198.18.253.2-198.18.253.3" port "https" } protocol "tcp" source { address "198.18.253.2-198.18.253.3" } } } name PUBLIC_TO_INT { default-action "drop" description "REDACTED" rule 10 { action "drop" description "REDACTED" destination { group { address-group "INT_JUMP_HOSTS" } port "55875" } protocol "tcp" recent { count "3" time "hour" } state "new" } rule 15 { action "accept" description "REDACTED" destination { group { address-group "INT_JUMP_HOSTS" } port "55875" } protocol "tcp" } rule 20 { action "accept" description "REDACTED" destination { group { address-group "INT_JUMP_HOSTS" } port "5201-5232" } disable protocol "tcp_udp" } rule 30 { action "accept" description "REDACTED" destination { group { address-group "ATT_WEBSITES" port-group "WEB" } } protocol "tcp" } } name PUBLIC_TO_LOCAL { default-action "drop" description "REDACTED" rule 10 { action "accept" description "REDACTED" destination { group { port-group "WIREGUARD" } } protocol "tcp_udp" source { group { port-group "WIREGUARD" } } } rule 20 { action "accept" description "REDACTED" protocol "vrrp" } } output { filter { default-action "accept" } } } ipv6 { forward { filter { default-action "drop" rule 2 { action "accept" state "established" state "related" } rule 4 { action "drop" state "invalid" } rule 10 { action "accept" description "REDACTED" inbound-interface { group "BACKBONE" } outbound-interface { group "BACKBONE" } } rule 20 { action "accept" description "REDACTED" inbound-interface { name "bond0.110" } outbound-interface { group "BACKBONE" } } rule 100 { action "accept" inbound-interface { name "bond0.110" } outbound-interface { name "bond0.20" } } rule 200 { action "jump" description "REDACTED" inbound-interface { group "BACKBONE" } jump-target "BACKBONE_TO_INT-V6" outbound-interface { name "bond0.110" } } rule 210 { action "jump" description "REDACTED" inbound-interface { name "bond0.20" } jump-target "PUBLIC_TO_INT-V6" outbound-interface { name "bond0.110" } } } } input { filter { default-action "drop" rule 1 { action "accept" state "established" state "related" } rule 2 { action "drop" state "invalid" } rule 10 { action "jump" inbound-interface { group "BACKBONE" } jump-target "BACKBONE_TO_LOCAL-V6" } rule 20 { action "jump" inbound-interface { name "bond0.110" } jump-target "INT_TO_LOCAL-V6" } rule 30 { action "jump" inbound-interface { name "bond0.20" } jump-target "PUBLIC_TO_LOCAL-V6" } } } name BACKBONE_TO_INT-V6 { default-action "drop" description "REDACTED" enable-default-log rule 1 { action "accept" description "REDACTED" protocol "ipv6-icmp" source { address "2001:db8:1::/48" } } rule 10 { action "accept" description "REDACTED" source { group { address-group "BACKBONE_JUMP_HOSTS-V6" } } } rule 20 { action "accept" description "REDACTED" destination { address "2001:db8:1:64::11" } protocol "tcp_udp" source { group { address-group "BACKBONE_SECURITY_SERVERS-V6" } } } rule 30 { action "accept" description "REDACTED" destination { address "2001:db8:1:ffff::4" port "162,2055" } protocol "udp" source { address "2001:db8:1:fffe::/64" } } rule 40 { action "accept" description "REDACTED" destination { address "2001:db8:1:46::3" port "ssh" } protocol "tcp" source { address "2001:db8:1:fffe::/64" } } rule 50 { action "accept" description "REDACTED" destination { address "2001:db8:1:64::11" port "www,ldap,https,ldaps" } protocol "tcp" source { group { network-group "IBM_SERVERS-V6" } } } rule 60 { action "accept" description "REDACTED" destination { address "2001:db8:1:64::11" port "kerberos,kpasswd" } protocol "tcp_udp" source { group { network-group "IBM_SERVERS-V6" } } } rule 70 { action "accept" description "REDACTED" destination { address "2001:db8:1:64::10" port "5300" } protocol "tcp_udp" source { group { address-group "BACKBONE_NAME_SERVERS-V6" } } } rule 80 { action "accept" description "REDACTED" destination { group { address-group "INT_WEBSERVERS-V6" } port "3306,4444,4567,4568" } protocol "tcp" source { group { address-group "BACKBONE_MYSQL_SERVERS-V6" } } } rule 90 { action "accept" description "REDACTED" destination { group { address-group "INT_JUMP_HOSTS-V6" } port "ssh" } protocol "tcp" } rule 100 { action "accept" description "REDACTED" destination { group { address-group "INT_JUMP_HOSTS-V6" } port "5201-5213" } protocol "tcp" } rule 110 { action "accept" description "REDACTED" destination { group { address-group "INT_NAMESERVERS-V6" } port "domain,514" } protocol "tcp_udp" } rule 120 { action "accept" description "REDACTED" destination { group { address-group "INT_NAMESERVERS-V6" } port "19532" } protocol "tcp" } rule 130 { action "accept" description "REDACTED" destination { group { address-group "INT_TIMESERVERS-V6" } port "ntp,radius,radius-acct" } protocol "udp" } rule 140 { action "accept" description "REDACTED" destination { address "2001:db8:1e01:80::/64" } protocol "all" } rule 150 { action "accept" description "REDACTED" destination { group { address-group "INT_GLUSTER_SERVERS-V6" port-group "GLUSTER_CLIENT" } } protocol "tcp" source { group { address-group "BACKBONE_GLUSTER_CLIENTS-V6" } } } } name BACKBONE_TO_LOCAL-V6 { default-action "drop" description "REDACTED" enable-default-log rule 1 { action "accept" protocol "ipv6-icmp" } rule 10 { action "accept" description "REDACTED" destination { port "ssh" } protocol "tcp" source { group { address-group "BACKBONE_JUMP_HOSTS-V6" } } } rule 20 { action "accept" description "REDACTED" destination { port "bgp" } protocol "tcp" source { address "fe80::/10" } } rule 30 { action "accept" description "REDACTED" destination { port "3784-3785,4784" } protocol "udp" source { address "fe80::/10" } } rule 40 { action "accept" description "REDACTED" destination { port "snmp" } protocol "udp" source { group { address-group "ALL_WEBSERVERS-V6" } } } } name INT_TO_LOCAL-V6 { default-action "drop" description "REDACTED" enable-default-log rule 1 { action "accept" description "REDACTED" protocol "ipv6-icmp" } rule 10 { action "accept" description "REDACTED" destination { port "ssh" } protocol "tcp" source { group { address-group "INT_JUMP_HOSTS-V6" } } } rule 20 { action "accept" description "REDACTED" destination { port "bgp" } protocol "tcp" source { address "2001:db8:1:6e::/64" } } rule 30 { action "accept" description "REDACTED" destination { port "3784-3785,4784" } protocol "udp" source { address "2001:db8:1:6e::/64" } } rule 40 { action "accept" description "REDACTED" protocol "vrrp" } rule 50 { action "accept" description "REDACTED" destination { port "snmp" } protocol "udp" source { group { address-group "ALL_WEBSERVERS-V6" } } } rule 60 { action "accept" description "REDACTED" destination { port "443" } protocol "tcp" source { address "2001:db8:1:fffe::2-2001:db8:1:fffe::3" } } } name PUBLIC_TO_INT-V6 { default-action "drop" description "REDACTED" rule 1 { action "accept" description "REDACTED" protocol "ipv6-icmp" } } name PUBLIC_TO_LOCAL-V6 { default-action "drop" description "REDACTED" rule 1 { action "accept" description "REDACTED" protocol "ipv6-icmp" } rule 10 { action "accept" description "REDACTED" destination { port "546" } protocol "udp" source { port "547" } } rule 20 { action "accept" description "REDACTED" destination { group { port-group "WIREGUARD" } } protocol "udp" } rule 30 { action "accept" description "REDACTED" protocol "vrrp" } } output { filter { default-action "accept" } } } } high-availability { vrrp { group ATT-V4 { address 198.19.52.249/22 { } authentication { password "somePassword" type "plaintext-password" } interface "bond0.20" priority "254" vrid "1" } group ATT-V6 { address 2001:db8:6ec:b000::249/64 { } authentication { password "somePassword2" type "plaintext-password" } interface "bond0.20" priority "254" vrid "2" } snmp sync-group CR01.INT { member "ATT-V4" member "ATT-V6" } } } interfaces { bonding bond0 { description "REDACTED" hash-policy "layer3+4" ipv6 { address { no-default-link-local } } lacp-rate "fast" member { interface "eth0" interface "eth1" } mode "802.3ad" mtu "9214" vif 20 { address "198.18.100.4/29" address "192.0.2.226/32" address "2001:db8:6ec:b000::226/64" description "REDACTED" dhcpv6-options { duid "00:01:00:01:c7:92:bc:12:34:56:78:9a:bc:de" pd 0 { interface dum1 { address "0" } } pd 1 { interface dum1 { address "0" } } pd 2 { interface dum1 { address "0" } } pd 3 { interface dum1 { address "0" } } rapid-commit } mtu "1500" } vif 110 { address "198.18.15.4/29" address "fe80::198:18:15:4/64" address "2001:db8:1:6e::4/64" description "REDACTED" ipv6 { address { no-default-link-local } } mtu "9214" } } dummy dum0 { address "2001:db8:1:fffe::3/128" address "198.18.253.3/32" description "REDACTED" } dummy dum1 { description "REDACTED" } ethernet eth0 { description "REDACTED" disable-flow-control hw-id "12:34:56:78:9a:bc" offload { gro gso sg tso } ring-buffer { rx "4096" tx "4096" } } ethernet eth1 { description "REDACTED" disable-flow-control hw-id "de:f0:12:34:56:78" offload { gro gso sg tso } ring-buffer { rx "4096" tx "4096" } } loopback lo { } wireguard wg0 { description "REDACTED" fwmark "51820" ip { adjust-mss "clamp-mss-to-pmtu" } ipv6 { adjust-mss "clamp-mss-to-pmtu" } peer CR01-VYOS.BHSv4 { address "198.19.115.181" allowed-ips "0.0.0.0/0" allowed-ips "::/0" port "51822" public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" } port "51820" private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" } wireguard wg1 { description "REDACTED" fwmark "51820" ip { adjust-mss "clamp-mss-to-pmtu" } ipv6 { adjust-mss "clamp-mss-to-pmtu" } peer CR01-VYOS.BHSv6 { address "2001:db8:203:b0b5::1" allowed-ips "0.0.0.0/0" allowed-ips "::/0" port "51823" public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" } port "51821" private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" } wireguard wg2 { description "REDACTED" fwmark "51820" ip { adjust-mss "clamp-mss-to-pmtu" } ipv6 { adjust-mss "clamp-mss-to-pmtu" } peer CR01A-VYOS.DAL10v4 { address "198.19.77.126" allowed-ips "0.0.0.0/0" allowed-ips "::/0" port "51822" public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" } port "51822" private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" } wireguard wg3 { description "REDACTED" fwmark "51820" ip { adjust-mss "clamp-mss-to-pmtu" } ipv6 { adjust-mss "clamp-mss-to-pmtu" } peer CR01A-VYOS.DAL10v6 { address "2001:db8:1e01:7d::4" allowed-ips "0.0.0.0/0" allowed-ips "::/0" port "51823" public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" } port "51823" private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" } wireguard wg4 { description "REDACTED" fwmark "51820" ip { adjust-mss "clamp-mss-to-pmtu" } ipv6 { adjust-mss "clamp-mss-to-pmtu" } peer CR01B-VYOS.DAL10v4 { address "198.19.77.123" allowed-ips "0.0.0.0/0" allowed-ips "::/0" port "51822" public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" } port "51824" private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" } wireguard wg5 { description "REDACTED" fwmark "51820" ip { adjust-mss "clamp-mss-to-pmtu" } ipv6 { adjust-mss "clamp-mss-to-pmtu" } peer CR01B-VYOS.DAL10v6 { address "2001:db8:1e01:7d::5" allowed-ips "0.0.0.0/0" allowed-ips "::/0" port "51823" public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" } port "51825" private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" } wireguard wg6 { description "REDACTED" fwmark "51820" ip { adjust-mss "clamp-mss-to-pmtu" } ipv6 { adjust-mss "clamp-mss-to-pmtu" } peer CR01A-VYOS.WDC07v4 { address "198.19.15.10" allowed-ips "0.0.0.0/0" allowed-ips "::/0" port "51822" public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" } port "51826" private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" } wireguard wg7 { description "REDACTED" fwmark "51820" ip { adjust-mss "clamp-mss-to-pmtu" } ipv6 { adjust-mss "clamp-mss-to-pmtu" } peer CR01A-VYOS.WDC07v6 { address "2001:db8:3a01:a5::3" allowed-ips "0.0.0.0/0" allowed-ips "::/0" port "51823" public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" } port "51827" private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" } wireguard wg8 { description "REDACTED" fwmark "51820" ip { adjust-mss "clamp-mss-to-pmtu" } ipv6 { adjust-mss "clamp-mss-to-pmtu" } peer CR01B-VYOS.WDC07v4 { address "198.19.15.11" allowed-ips "::/0" allowed-ips "0.0.0.0/0" port "51822" public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" } port "51828" private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" } wireguard wg9 { description "REDACTED" fwmark "51820" ip { adjust-mss "clamp-mss-to-pmtu" } ipv6 { adjust-mss "clamp-mss-to-pmtu" } peer CR01B-VYOS.WDC07v6 { address "2001:db8:3a01:a5::2" allowed-ips "::/0" allowed-ips "0.0.0.0/0" port "51823" public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" } port "51829" private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" } wireguard wg100 { address "198.18.7.1/24" address "2001:db8:1:fff::1/64" description "REDACTED" ip { adjust-mss "clamp-mss-to-pmtu" } ipv6 { adjust-mss "clamp-mss-to-pmtu" } peer PEER1 { allowed-ips "198.18.7.0/24" allowed-ips "2001:db8:1:fff::/64" public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" } peer PEER2 { allowed-ips "198.18.7.0/24" allowed-ips "2001:db8:1:fff::/64" public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" } port "51920" private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" } } nat { source { rule 999 { description "REDACTED" outbound-interface { name "bond0.20" } source { address "198.18.0.0/20" } translation { address "198.19.52.249" } } } } nat66 { source { rule 10 { description "REDACTED" outbound-interface { name "bond0.20" } source { prefix "2001:db8:1:a::/64" } translation { address "2001:db8:6ec:b00c::/64" } } rule 20 { description "REDACTED" outbound-interface { name "bond0.20" } source { prefix "2001:db8:1:46::/64" } translation { address "2001:db8:6ec:b00d::/64" } } rule 30 { description "REDACTED" outbound-interface { name "bond0.20" } source { prefix "2001:db8:1:c8::/64" } translation { address "2001:db8:6ec:b00e::/64" } } rule 40 { description "REDACTED" outbound-interface { name "bond0.20" } source { prefix "2001:db8:1:f0::/64" } translation { address "2001:db8:6ec:b00f::/64" } } } } policy { as-path-list DAL10 { rule 10 { action "permit" description "REDACTED" regex "4242420668_$" } } as-path-list IBM { rule 10 { action "permit" description "REDACTED" regex "^_42424206(68|70)_$" } } as-path-list INT { rule 10 { action "permit" description "REDACTED" regex "_" } } as-path-list WDC07 { rule 10 { action "permit" description "REDACTED" regex "4242420670_$" } } large-community-list ANYCAST_ALL { rule 10 { action "permit" description "REDACTED" regex "4242420696:100:.*" } } large-community-list ANYCAST_INT { description "REDACTED" rule 10 { action "permit" description "REDACTED" regex "4242420696:100:1" } } large-community-list BLACKHOLE_ALL { description "REDACTED" rule 10 { action "permit" regex "4242420696:86:.*" } } large-community-list LOOPBACK_ALL { rule 10 { action "permit" description "REDACTED" regex "4242420696:10:.*" } } prefix-list BGP-DAL10 { rule 10 { action "permit" description "REDACTED" ge "23" prefix "198.18.16.0/20" } } prefix-list BGP-INT { rule 10 { action "permit" description "REDACTED" ge "23" prefix "198.18.0.0/20" } } prefix-list BGP-REDISTRIBUTE { description "REDACTED" rule 10 { action "permit" description "REDACTED" prefix "198.18.100.0/29" } rule 20 { action "permit" description "REDACTED" prefix "198.18.15.0/29" } rule 30 { action "permit" description "REDACTED" prefix "198.18.7.0/24" } } prefix-list BGP-SERVICES { description "REDACTED" rule 10 { action "permit" description "REDACTED" prefix "10.0.0.0/8" } rule 20 { action "permit" description "REDACTED" ge "9" prefix "10.0.0.0/8" } } prefix-list BGP-WDC07 { rule 10 { action "permit" description "REDACTED" ge "23" prefix "198.18.48.0/20" } } prefix-list DEFAULT { description "REDACTED" rule 10 { action "permit" description "REDACTED" prefix "0.0.0.0/0" } } prefix-list LOOPBACK { description "REDACTED" rule 10 { action "permit" ge "32" prefix "198.18.253.0/24" } } prefix-list6 BGP-DAL10-V6 { rule 10 { action "permit" description "REDACTED" ge "64" prefix "2001:db8:1:1000::/52" } } prefix-list6 BGP-INT-V6 { rule 10 { action "permit" description "REDACTED" ge "64" prefix "2001:db8:1::/52" } } prefix-list6 BGP-WDC07-V6 { rule 10 { action "permit" description "REDACTED" ge "64" prefix "2001:db8:1:2000::/52" } } prefix-list6 DEFAULT-V6 { description "REDACTED" rule 10 { action "permit" description "REDACTED" prefix "::/0" } } prefix-list6 LOOPBACK-V6 { rule 10 { action "permit" description "REDACTED" ge "128" prefix "2001:db8:1:fffe::/64" } } route LAN_OUT { description "REDACTED" interface "bond0.110" rule 10 { description "REDACTED" set { table "110" } source { address "198.19.27.64/28" } } rule 9999 { set { table "main" } } } route-map BGP-BACKBONE-COSTED { rule 10 { action "permit" description "REDACTED" match { ip { address { prefix-list "LOOPBACK" } } } } rule 20 { action "permit" description "REDACTED" match { ipv6 { address { prefix-list "LOOPBACK-V6" } } } } rule 30 { action "permit" call "BGP-BACKBONE-OUT" description "REDACTED" set { local-preference "0" } } } route-map BGP-BACKBONE-IN { rule 10 { action "permit" description "REDACTED" match { as-path "WDC07" large-community { large-community-list "ANYCAST_ALL" } } set { metric "+150" } } rule 20 { action "permit" description "REDACTED" match { large-community { large-community-list "ANYCAST_ALL" } } set { metric "+100" } } rule 30 { action "permit" description "REDACTED" match { large-community { large-community-list "BLACKHOLE_ALL" } } set { ip-next-hop "198.18.253.0" ipv6-next-hop { global "2001:db8:1:fffe:198:18:253:0" } } } rule 40 { action "permit" description "REDACTED" match { as-path "WDC07" ip { address { prefix-list "BGP-SERVICES" } } } set { metric "+150" } } rule 50 { action "permit" description "REDACTED" match { large-community { large-community-list "LOOPBACK_ALL" } } } rule 60 { action "permit" description "REDACTED" match { as-path "IBM" ip { address { prefix-list "BGP-SERVICES" } } } } rule 70 { action "permit" description "REDACTED" match { as-path "DAL10" ip { address { prefix-list "BGP-DAL10" } } } } rule 80 { action "permit" description "REDACTED" match { as-path "DAL10" ipv6 { address { prefix-list "BGP-DAL10-V6" } } } } rule 90 { action "permit" description "REDACTED" match { as-path "WDC07" ip { address { prefix-list "BGP-WDC07" } } } } rule 100 { action "permit" description "REDACTED" match { as-path "WDC07" ipv6 { address { prefix-list "BGP-WDC07-V6" } } } } rule 999 { action "permit" call "BGP-REDISTRIBUTE" description "REDACTED" } } route-map BGP-BACKBONE-OUT { rule 10 { action "permit" description "REDACTED" match { large-community { large-community-list "ANYCAST_INT" } } } rule 20 { action "permit" description "REDACTED" match { large-community { large-community-list "BLACKHOLE_ALL" } } } rule 30 { action "permit" description "REDACTED" match { large-community { large-community-list "LOOPBACK_ALL" } } } rule 40 { action "permit" match { as-path "INT" ip { address { prefix-list "BGP-INT" } } } } rule 50 { action "permit" match { as-path "INT" ipv6 { address { prefix-list "BGP-INT-V6" } } } } rule 999 { action "permit" call "BGP-REDISTRIBUTE" description "REDACTED" } } route-map BGP-CORE-COSTED { rule 10 { action "permit" description "REDACTED" match { ip { address { prefix-list "LOOPBACK" } } } } rule 20 { action "permit" description "REDACTED" match { ipv6 { address { prefix-list "LOOPBACK-V6" } } } } rule 30 { action "permit" call "BGP-CORE-OUT" description "REDACTED" set { local-preference "0" } } } route-map BGP-CORE-IN { rule 10 { action "permit" description "REDACTED" match { large-community { large-community-list "ANYCAST_INT" } } set { ipv6-next-hop { prefer-global } } } rule 20 { action "permit" description "REDACTED" match { ip { address { prefix-list "BGP-INT" } } } } rule 30 { action "permit" description "REDACTED" match { ipv6 { address { prefix-list "BGP-INT-V6" } } } set { ipv6-next-hop { prefer-global } } } rule 40 { action "permit" description "REDACTED" match { ip { address { prefix-list "DEFAULT" } } } } rule 50 { action "permit" description "REDACTED" match { ipv6 { address { prefix-list "DEFAULT-V6" } } } set { ipv6-next-hop { prefer-global } } } rule 60 { action "permit" description "REDACTED" match { large-community { large-community-list "LOOPBACK_ALL" } } set { ipv6-next-hop { prefer-global } } } } route-map BGP-CORE-OUT { rule 10 { action "permit" description "REDACTED" match { large-community { large-community-list "ANYCAST_ALL" } } } rule 20 { action "permit" description "REDACTED" match { ip { address { prefix-list "BGP-SERVICES" } } } } rule 30 { action "permit" description "REDACTED" match { ip { address { prefix-list "BGP-DAL10" } } } } rule 40 { action "permit" description "REDACTED" match { ipv6 { address { prefix-list "BGP-DAL10-V6" } } } } rule 50 { action "permit" description "REDACTED" match { ip { address { prefix-list "BGP-WDC07" } } } } rule 60 { action "permit" description "REDACTED" match { ipv6 { address { prefix-list "BGP-WDC07-V6" } } } } rule 70 { action "permit" description "REDACTED" match { large-community { large-community-list "LOOPBACK_ALL" } } } rule 999 { action "permit" call "BGP-REDISTRIBUTE" description "REDACTED" } } route-map BGP-REDISTRIBUTE { rule 10 { action "permit" description "REDACTED" match { tag "86" } set { large-community { add "4242420696:86:1" } origin "igp" } } rule 20 { action "permit" description "REDACTED" match { ip { address { prefix-list "LOOPBACK" } } } set { large-community { add "4242420696:10:1" } origin "igp" } } rule 30 { action "permit" description "REDACTED" match { ipv6 { address { prefix-list "LOOPBACK-V6" } } } set { large-community { add "4242420696:10:1" } origin "igp" } } rule 40 { action "permit" description "REDACTED" match { ip { address { prefix-list "BGP-REDISTRIBUTE" } } } set { origin "igp" } } rule 50 { action "permit" description "REDACTED" match { ipv6 { address { prefix-list "BGP-INT-V6" } } } set { origin "igp" } } } route-map DEFAULT-ZEBRA-IN { rule 10 { action "permit" description "REDACTED" match { ip { address { prefix-list "DEFAULT" } } } set { src "192.0.2.226" } } rule 20 { action "permit" description "REDACTED" set { src "198.18.253.3" } } } route-map DEFAULT-ZEBRA-IN-V6 { rule 10 { action "permit" description "REDACTED" match { ipv6 { address { prefix-list "DEFAULT-V6" } } } set { src "2600:1700:6ec:b000::226" } } rule 20 { action "permit" description "REDACTED" set { src "2001:db8:1:fffe::3" } } } route6 LAN_OUT-V6 { description "REDACTED" interface "bond0.110" rule 10 { description "REDACTED" set { table "110" } source { address "2001:db8:203:64ef::/64" } } rule 20 { description "REDACTED" set { table "100" } source { address "2001:db8:1e01:80::/64" } } rule 999 { set { table "main" } } } } protocols { bfd { profile FAR { interval { receive "100" transmit "100" } } profile NEAR { interval { receive "50" transmit "50" } } } bgp { address-family { ipv4-unicast { redistribute { connected { route-map "BGP-REDISTRIBUTE" } } } ipv6-unicast { redistribute { connected { route-map "BGP-REDISTRIBUTE" } } } } neighbor 198.18.15.1 { peer-group "CORE" } neighbor 198.18.15.3 { peer-group "CORE" } neighbor 198.18.15.5 { peer-group "CORE" } neighbor 2001:db8:1:6e::1 { peer-group "COREv6" } neighbor 2001:db8:1:6e::3 { peer-group "COREv6" } neighbor 2001:db8:1:6e::5 { peer-group "COREv6" } neighbor wg0 { interface { v6only { peer-group "BACKBONE" remote-as "4242420669" } } } neighbor wg1 { interface { v6only { peer-group "BACKBONE" remote-as "4242420669" } } } neighbor wg2 { interface { v6only { peer-group "BACKBONE" remote-as "4242420668" } } } neighbor wg3 { interface { v6only { peer-group "BACKBONE" remote-as "4242420668" } } } neighbor wg4 { interface { v6only { peer-group "BACKBONE" remote-as "4242420668" } } } neighbor wg5 { interface { v6only { peer-group "BACKBONE" remote-as "4242420668" } } } neighbor wg6 { interface { v6only { peer-group "BACKBONE" remote-as "4242420670" } } } neighbor wg7 { interface { v6only { peer-group "BACKBONE" remote-as "4242420670" } } } neighbor wg8 { interface { v6only { peer-group "BACKBONE" remote-as "4242420670" } } } neighbor wg9 { interface { v6only { peer-group "BACKBONE" remote-as "4242420670" } } } parameters { bestpath { as-path { confed multipath-relax } } confederation { identifier "4242420696" peers "4242420668" peers "4242420669" peers "4242420670" } fast-convergence graceful-restart network-import-check router-id "198.18.253.3" } peer-group BACKBONE { address-family { ipv4-unicast { nexthop-self route-map { export "BGP-BACKBONE-OUT" import "BGP-BACKBONE-IN" } soft-reconfiguration { inbound } } ipv6-unicast { nexthop-self route-map { export "BGP-BACKBONE-OUT" import "BGP-BACKBONE-IN" } soft-reconfiguration { inbound } } } bfd { profile "FAR" } capability { extended-nexthop } } peer-group CORE { address-family { ipv4-unicast { default-originate nexthop-self route-map { export "BGP-CORE-OUT" import "BGP-CORE-IN" } soft-reconfiguration { inbound } } } bfd { profile "NEAR" } remote-as "4242420666" } peer-group COREv6 { address-family { ipv6-unicast { default-originate nexthop-self route-map { export "BGP-CORE-OUT" import "BGP-CORE-IN" } soft-reconfiguration { inbound } } } bfd { profile "NEAR" } remote-as "4242420666" } system-as "4242420666" } static { route 0.0.0.0/0 { next-hop 198.19.52.1 { } } route 10.0.0.0/8 { blackhole { distance "253" } } route 192.0.2.224/28 { blackhole } route 192.0.2.225/32 { next-hop 198.18.253.2 { } } route 100.64.0.0/10 { blackhole } route 198.19.52.0/22 { interface bond0.20 { } } route 169.254.0.0/16 { blackhole } route 172.16.0.0/12 { blackhole } route 198.18.0.0/15 { blackhole } route6 2001:db8:3a01:2::/64 { blackhole { distance "253" } } route6 2001:db8:2701:1ad::/64 { blackhole { distance "253" } } route6 2001:db8:2701:1c9::/64 { blackhole { distance "253" } } route6 ::/0 { next-hop 2001:db8:6ec:b000::1 { } } route6 fc00::/7 { blackhole } table 100 { route6 ::/0 { next-hop 2001:db8:1:fffe::6 { } next-hop 2001:db8:1:fffe::7 { } } } table 110 { route 0.0.0.0/0 { next-hop 198.18.253.12 { } } route6 ::/0 { next-hop 2001:db8:1:fffe::12 { } } } } } service { conntrack-sync { disable-external-cache failover-mechanism { vrrp { sync-group "CR01.INT" } } ignore-address "fe80::/10" ignore-address "ff00::/8" ignore-address "169.254.0.0/16" ignore-address "224.0.0.0/4" ignore-address "127.0.0.0/8" interface bond0.110 { } sync-queue-size "10" } https { api { graphql { authentication { type "token" } introspection } keys { id CR01A-VYOS.INT { key "Key123" } } } virtual-host CONFIG-SYNC { allow-client { address "198.18.253.2" } listen-address "198.18.253.3" server-name "cr01b-vyos.int.rtr.trae32566.org" } virtual-host CONFIG-SYNC-V6 { allow-client { address "2001:db8:1:fffe::2" } listen-address "2001:db8:1:fffe::3" server-name "cr01b-vyos.int.rtr.trae32566.org" } } lldp ntp { allow-client { address "0.0.0.0/0" address "::/0" } server ntp01.ac.trae32566.org { prefer } server sec01-cs9.dal10.trae32566.org { } server sec01-cs9.int.trae32566.org { } } snmp { community REDACTED { client "198.18.15.12" client "198.18.31.5" client "198.18.63.5" client "2001:db8:1:64::12" client "2001:db8:1:150b::5" client "2001:db8:1:23e3::5" } contact "Trae Santiago " listen-address 198.18.253.3 { } listen-address 2001:db8:1:fffe::3 { } location "A LAND FAR FAR AWAY" trap-target 198.18.255.4 { community "REDACTED" } trap-target 2001:db8:1:ffff::4 { community "REDACTED" } } ssh { disable-host-validation listen-address "198.18.253.3" listen-address "2001:db8:1:fffe::3" } } system { config-management { commit-archive { location "sftp://SOMEUSER:SOMEPASS@stor01a-rh9.int.trae32566.org/int/cr01b-vyos" source-address "198.18.253.3" } commit-revisions "10000" } conntrack { flow-accounting table-size "1000000" timeout { icmp "10" other "60" tcp { close-wait "20" established "3600" fin-wait "30" syn-recv "30" syn-sent "60" } udp { stream "60" } } } console { device ttyS0 { speed "115200" } } domain-name "int.trae32566.org" domain-search { domain "int.trae32566.org" domain "rtr.trae32566.org" domain "trae32566.org" } frr { snmp { bgpd zebra } } host-name "cr01b-vyos" ip { multipath { layer4-hashing } protocol bgp { route-map "DEFAULT-ZEBRA-IN" } protocol static { route-map "DEFAULT-ZEBRA-IN" } } ipv6 { multipath { layer4-hashing } protocol bgp { route-map "DEFAULT-ZEBRA-IN-V6" } protocol static { route-map "DEFAULT-ZEBRA-IN-V6" } } login { radius { server 198.18.15.11 { key "someKey123!" } server 198.18.31.4 { key "someKey123!" } server 198.18.255.2 { key "someKey123!" priority "10" } source-address "198.18.253.3" } user vyos { authentication { plaintext-password "vyos" } } } name-server "2001:db8:1:ffff::1" name-server "198.18.255.1" name-server "2001:db8:1:64::10" name-server "198.18.15.10" name-server "2001:db8:1:150b::3" name-server "198.18.31.3" option { ctrl-alt-delete "reboot" performance "latency" reboot-on-panic time-format "24-hour" } sysctl { parameter net.core.rmem_default { value "1703936" } parameter net.core.rmem_max { value "8388608" } parameter net.ipv4.fib_multipath_use_neigh { value "1" } } syslog { global { facility all { level "info" } facility local7 { level "debug" } preserve-fqdn } host log01.ac.trae32566.org { facility all { level "all" } } } time-zone "US/Central" } // Warning: Do not remove the following line. // vyos-config-version: "bgp@4:broadcast-relay@1:cluster@2:config-management@1:conntrack@4:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@7:dhcpv6-server@2:dns-dynamic@3:dns-forwarding@4:firewall@13:flow-accounting@1:https@5:ids@1:interfaces@32:ipoe-server@2:ipsec@12:isis@3:l2tp@5:lldp@1:mdns@1:monitoring@1:nat@7:nat66@2:ntp@3:openconnect@2:openvpn@1:ospf@2:pim@1:policy@7:pppoe-server@7:pptp@3:qos@2:quagga@11:rip@1:rpki@1:salt@1:snmp@3:ssh@2:sstp@5:system@26:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2" // Release version: 1.5-rolling-202312130023