/* Firewall layout: eth0 (WAN) is bound to the OUTSIDE-* rule sets and every
   eth1 VLAN to the INSIDE-* rule sets. No rule set is bound to wg0 (see the
   "interface" nodes below), and wg0 is in no interface-group, so RoadWarrior
   peer traffic is not evaluated by INSIDE-IN / INSIDE-LOCAL — confirm this is
   intended; binding wg0 to the INSIDE-* chains (and adding it to a group) would
   give tunnel clients the same segmentation as the VLANs. */
firewall {
    all-ping enable
    group {
        /* Router addresses on the MGMT (.40) and GUEST (.60) VLANs; used by
           INSIDE-LOCAL rules 60/61 */
        address-group ROUTERS {
            address xxx.xxx.40.1-xxx.xxx.40.3
            address xxx.xxx.60.1-xxx.xxx.60.3
            description "Router IPs"
        }
        interface-group GUEST {
            interface eth1.60
        }
        /* Every internal segment, guests included; used for the WAN egress
           rule and for the router-local NTP/DNS/DHCP rules */
        interface-group INTERNAL {
            include GUEST
            include LAN
            include IoT
            include NoT
            include MGMT
            include SRV
        }
        /* Segments that must never reach the WAN (INSIDE-IN rule 20) */
        interface-group INTERNAL-ISOLATED {
            include NoT
            include MGMT
        }
        /* Segments allowed to SSH to the router itself (INSIDE-LOCAL rule 20) */
        interface-group INTERNAL-TRUSTED {
            include LAN
            include SRV
            include MGMT
        }
        interface-group IoT {
            interface eth1.20
        }
        interface-group LAN {
            interface eth1
        }
        interface-group MGMT {
            interface eth1.40
        }
        interface-group NoT {
            interface eth1.30
        }
        /* Not referenced by any rule on this page */
        interface-group OUTSIDE {
            include WAN
        }
        interface-group SRV {
            interface eth1.10
        }
        interface-group WAN {
            interface eth0
        }
        /* Source set for the masquerade NAT rule */
        network-group RFC1918 {
            network xxx.xxx.0.0/8
            network xxx.xxx.0.0/12
            network xxx.xxx.0.0/16
        }
        /* Defined but not referenced by any rule on this page */
        port-group Chromecast {
            port 8008-8009
            port 5556
            port 5558
            port 5353
        }
    }
    interface eth0 {
        in {
            name OUTSIDE-IN
        }
        local {
            name OUTSIDE-LOCAL
        }
        out {
            name OUTSIDE-OUT
        }
    }
    /* Wildcard covers eth1 and all eth1.N VLAN sub-interfaces; wg0 is not
       matched by this pattern and has no binding of its own */
    interface "eth1*" {
        in {
            name INSIDE-IN
        }
        local {
            name INSIDE-LOCAL
        }
        out {
            name INSIDE-OUT
        }
    }
    /* Forwarded traffic entering from an internal segment. Default drop means
       inter-VLAN forwarding is denied unless a rule below accepts it; only
       echo-request (rule 10) and INTERNAL->WAN (rule 21) are accepted. */
    name INSIDE-IN {
        default-action drop
        /* No interface match: new echo-requests are forwarded between all
           internal segments, including the ISOLATED ones */
        rule 10 {
            action accept
            description "Allow ping"
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        /* Evaluated before rule 21, so NoT and MGMT never reach the WAN */
        rule 20 {
            action drop
            description "Deny all ISOLATED to WAN"
            inbound-interface {
                interface-group INTERNAL-ISOLATED
            }
            outbound-interface {
                interface-group WAN
            }
        }
        rule 21 {
            action accept
            description "Allow all INTERNAL to WAN"
            inbound-interface {
                interface-group INTERNAL
            }
            outbound-interface {
                interface-group WAN
            }
        }
    }
    /* Traffic from internal segments to the router itself; default drop */
    name INSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        /* Router SSH only from LAN, SRV and MGMT; guest/IoT/NoT are excluded */
        rule 20 {
            action accept
            description "Allow INTERNAL-TRUSTED to LOCAL SSH"
            destination {
                port ssh
            }
            inbound-interface {
                interface-group INTERNAL-TRUSTED
            }
            protocol tcp
        }
        rule 30 {
            action accept
            description "Allow All INTERNAL to LOCAL NTP"
            destination {
                port ntp
            }
            inbound-interface {
                interface-group INTERNAL
            }
            protocol udp
        }
        rule 40 {
            action accept
            description "Allow INTERNAL to LOCAL dns"
            destination {
                port domain
            }
            inbound-interface {
                interface-group INTERNAL
            }
            protocol tcp_udp
        }
        rule 50 {
            action accept
            description "Allow DHCP"
            destination {
                port bootps
            }
            inbound-interface {
                interface-group INTERNAL
            }
            protocol udp
            source {
                port bootpc
            }
        }
        /* Any protocol/port from the ROUTERS set, but only when it arrives on
           the MGMT VLAN (carries conntrack-sync, DHCP failover, HTTPS sync) */
        rule 60 {
            action accept
            description "Allow all rtr<->rtr"
            inbound-interface {
                interface-group MGMT
            }
            source {
                group {
                    address-group ROUTERS
                }
            }
        }
        /* Disabled. NOTE(review): the VRRP group below runs on eth1.60, where
           rule 60 (MGMT only) does not match — confirm how the peer's VRRP
           advertisements are accepted with this rule off */
        rule 61 {
            action accept
            description "Allow VRRP from ROUTERS"
            disable
            protocol vrrp
            source {
                group {
                    address-group ROUTERS
                }
            }
        }
    }
    name INSIDE-OUT {
        default-action accept
    }
    /* Nothing unsolicited is forwarded in from the WAN; replies pass via the
       state-policy below */
    name OUTSIDE-IN {
        default-action drop
    }
    /* Router-local services reachable from the WAN: ping, SSH, WireGuard */
    name OUTSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        /* SSH accepted from ANY WAN source (new connections logged). Present
           mitigations: service ssh disable-password-authentication and
           dynamic-protection. Consider restricting this rule by source or
           reaching the router over the WireGuard tunnel instead. */
        rule 20 {
            action accept
            destination {
                port 22
            }
            log enable
            protocol tcp
            state {
                new enable
            }
        }
        /* Matches interfaces wireguard wg0 port 2224 */
        rule 30 {
            action accept
            description "Allow Wireguard"
            destination {
                port 2224
            }
            protocol udp
        }
    }
    name OUTSIDE-OUT {
        default-action accept
    }
    /* Global: established/related accepted, invalid dropped before the
       per-interface rule sets are consulted */
    state-policy {
        established {
            action accept
        }
        invalid {
            action drop
        }
        related {
            action accept
        }
    }
}
/* VRRP only for the GUEST VLAN; the VIP (.60.1) is the default-router and
   name-server handed out by the DHCP subnet below. peer-address is set —
   NOTE(review): confirm whether unicast VRRP to the peer is intended. */
high-availability {
    vrrp {
        group GUEST {
            address xxx.xxx.60.1/24 {
            }
            hello-source-address xxx.xxx.60.3
            interface eth1.60
            peer-address xxx.xxx.60.2
            priority 100
            vrid 60
        }
        /* Referenced by service conntrack-sync failover-mechanism */
        sync-group INTERNAL {
            member GUEST
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        hw-id xx:xx:xx:xx:xx:1d
    }
    /* This router is .3 on every VLAN; .1 is the VRRP VIP, .2 the peer */
    ethernet eth1 {
        address xxx.xxx.0.3/24
        description LAN
        hw-id xx:xx:xx:xx:xx:20
        vif 10 {
            address xxx.xxx.1.3/24
            description Servers
        }
        vif 20 {
            address xxx.xxx.20.3/24
            description IoT
        }
        vif 30 {
            address xxx.xxx.30.3/24
            description NoT
        }
        vif 40 {
            address xxx.xxx.40.3/24
            description Management
        }
        vif 60 {
            address xxx.xxx.60.3/24
            description Guests
        }
    }
    loopback lo {
    }
    /* RoadWarrior tunnel: two peers, each pinned to a single /32 and using a
       pre-shared key in addition to the public key. No firewall rule set is
       bound to this interface (see firewall section). */
    wireguard wg0 {
        address xxx.xxx.2.3/24
        description RoadWarrior
        peer phone {
            allowed-ips xxx.xxx.2.12/32
            persistent-keepalive 15
            preshared-key XXX
            public-key XXX
        }
        peer rupert {
            allowed-ips xxx.xxx.2.11/32
            persistent-keepalive 15
            preshared-key XXX
            public-key XXX
        }
        port 2224
        private-key xxxxxx
    }
}
/* Masquerade everything in the RFC1918 group leaving via eth0 */
nat {
    source {
        rule 10 {
            description "MASQ all RFC1918 to eth0"
            outbound-interface eth0
            source {
                group {
                    network-group RFC1918
                }
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route xxx.xxx.0.0/0 {
            dhcp-interface eth0
            next-hop xxx.xxx.0.1 {
            }
        }
    }
}
service {
    /* conntrackd state replication with the peer router over the MGMT VLAN
       (eth1.40). Keep this on a segment with no untrusted hosts; its traffic is
       accepted by INSIDE-LOCAL rule 60. */
    conntrack-sync {
        accept-protocol tcp
        accept-protocol udp
        accept-protocol icmp
        accept-protocol icmp6
        failover-mechanism {
            vrrp {
                sync-group INTERNAL
            }
        }
        ignore-address xxx.xxx.0.0/30
        ignore-address xxx.xxx.2.0/30
        ignore-address xxx.xxx.1.0/30
        ignore-address xxx.xxx.20.0/30
        ignore-address xxx.xxx.30.0/30
        ignore-address xxx.xxx.40.0/30
        ignore-address xxx.xxx.60.0/30
        ignore-address xxx.xxx.0.1
        ignore-address ::1
        interface eth1.40 {
            peer xxxxx.tld
        }
        listen-address xxx.xxx.40.3
    }
    /* Secondary of a DHCP failover pair (peer .40.2 over the MGMT VLAN) with
       DDNS updates to the internal DNS server at .1.153 */
    dhcp-server {
        failover {
            name ROUTER
            remote xxx.xxx.40.2
            source-address xxx.xxx.40.3
            status secondary
        }
        global-parameters "ddns-updates on;"
        global-parameters "update-static-leases on;"
        global-parameters "update-optimization true;"
        /* TSIG key for DDNS uses hmac-md5, which is deprecated; prefer
           hmac-sha256 (the key must be regenerated on the DNS server as well).
           NOTE(review): the nested quoting ("XXXXquot;;) looks mangled in
           this copy — compare with the live config before reusing it. */
        global-parameters "key dhcpdupdate { algorithm hmac-md5; secret "XXXXquot;; };"
        global-parameters "ddns-rev-domainname "in-addr.arpa.";"
        global-parameters "zone in-addr.arpa. { primary xxx.xxx.1.153; key xxxxxx }"
        global-parameters "update-conflict-detection off;"
        global-parameters "ddns-update-style standard;"
        global-parameters "ddns-ttl 86400;"
        host-decl-name
        /* Only the guest VLAN is served by this router's DHCP (with failover) */
        shared-network-name xxxxxx {
            authoritative
            description "Guest - VLAN 60"
            domain-name xxxxxx
            name-server xxx.xxx.60.1
            shared-network-parameters "zone guest.example.com. { primary xxx.xxx.1.153; key xxxxxx }"
            shared-network-parameters "ddns-domainname "guest.example.com";"
            subnet xxx.xxx.60.0/24 {
                default-router xxx.xxx.60.1
                enable-failover
                range 0 {
                    start xxx.xxx.60.20
                    stop xxx.xxx.60.254
                }
            }
        }
    }
    dns {
        /* RFC 2136 dynamic DNS for the eth0 (WAN) address */
        dynamic {
            address eth0 {
                rfc2136 PDNS {
                    host-name xxxxxx
                    key xxxxxx
                    server xxxxx.tld
                    zone example.com
                }
            }
        }
        /* Use dhcp eth0 in future, instead of hardcoded name-servers */
        /* Recursive forwarder: internal zones and reverse zones go to the
           internal DNS at .1.153, everything else to the two upstreams.
           NOTE(review): listen-address is redacted as xxx.xxx.0.0 — if this is
           0.0.0.0 the forwarder also listens on eth0 (protected by
           OUTSIDE-LOCAL) and on wg0 (no rule set bound); allow-from then
           decides who may query. */
        forwarding {
            allow-from xxx.xxx.0.0/16
            allow-from xxx.xxx.0.0/8
            domain 0.x.x.in-addr.arpa. {
                name-server xxx.xxx.1.153 {
                }
            }
            domain 1.x.x.in-addr.arpa. {
                name-server xxx.xxx.1.153 {
                }
            }
            domain 20.x.x.in-addr.arpa. {
                name-server xxx.xxx.1.153 {
                }
            }
            domain 30.x.x.in-addr.arpa. {
                name-server xxx.xxx.1.153 {
                }
            }
            domain 40.x.x.in-addr.arpa. {
                name-server xxx.xxx.1.153 {
                }
            }
            domain home.example.com {
                name-server xxx.xxx.1.153 {
                }
            }
            domain iot.example.com {
                name-server xxx.xxx.1.153 {
                }
            }
            domain lan.example.com {
                name-server xxx.xxx.1.153 {
                }
            }
            domain mgmt.example.com {
                name-server xxx.xxx.1.153 {
                }
            }
            domain not.example.com {
                name-server xxx.xxx.1.153 {
                }
            }
            listen-address xxx.xxx.0.0
            name-server xxx.xxx.98.2 {
            }
            name-server xxx.xxx.101.3 {
            }
        }
    }
    /* HTTP API with a single key (SYNC); the virtual host binds only to the
       MGMT VLAN address, so it is reachable via INSIDE-LOCAL rule 60 only */
    https {
        api {
            keys {
                id SYNC {
                    key xxxxxx
                }
            }
            socket
        }
        virtual-host sync {
            listen-address xxx.xxx.40.3
        }
    }
    /* LLDP on all interfaces except the WAN side — nothing is advertised to
       the upstream */
    lldp {
        interface all {
        }
        interface eth0 {
            disable
        }
    }
    monitoring {
        telegraf {
            /* NOTE(review): "xxxxxx" sits where an opening "{" is expected
               (same for "ntp allow-client" below); likely a redaction
               artefact — confirm against the live config */
            prometheus-client xxxxxx
                allow-from xxx.xxx.0.0/16
            }
        }
    }
    /* NTP served to the internal ranges only (INSIDE-LOCAL rule 30) */
    ntp {
        allow-client xxxxxx
            address xxx.xxx.0.0/16
            address xxx.xxx.0.0/8
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
            prefer
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    /* Key-only SSH. dynamic-protection exempts the internal /16 so that only
       external sources (OUTSIDE-LOCAL rule 20) are subject to blocking. */
    ssh {
        disable-password-authentication
        dynamic-protection {
            allow-from xxx.xxx.0.0/16
        }
        port 22
    }
}
system {
    /* 100 commit revisions retained — useful for diffing after an incident */
    config-management {
        commit-revisions 100
    }
    conntrack {
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name xxxxxx
    host-name xxxxxx
    /* Single admin account; an encrypted password is set but SSH password
       login is disabled above, so remote access is public-key only */
    login {
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ssh-rsa
                }
            }
        }
    }
    name-server xxx.xxx.0.1
    option {
        ctrl-alt-delete ignore
        keyboard-layout se-latin1
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
    time-zone Europe/Stockholm
}


// Warning: Do not remove the following line.
// vyos-config-version: "bgp@4:broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-dynamic@1:dns-forwarding@4:firewall@10:flow-accounting@1:https@4:ids@1:interfaces@30:ipoe-server@1:ipsec@12:isis@3:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@3:openconnect@2:ospf@2:policy@5:pppoe-server@6:pptp@2:qos@2:quagga@11:rip@1:rpki@1:salt@1:snmp@3:ssh@2:sstp@4:system@26:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.4-rolling-202308050917