/* VyOS config.boot (1.3/1.4-era syntax: rule sets live under "firewall name",
   zones under "firewall zone"). Three zones are defined: LAN (bond0 VLANs),
   VYOS (the router itself, "local-zone") and WAN (eth0, bond0.102). None of
   the seven rule sets below contains a "rule" node, so each one is its
   default-action only: LAN-* and VYOS-* accept everything, WAN-* drop
   everything, and the global state-policy admits established/related flows
   before any zone policy is consulted. */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        /* RFC1918 and test-include-group are defined but referenced by no
           rule in this file (there are no rules); harmless, but confirm they
           are still needed before keeping them. */
        network-group RFC1918 {
            network 192.168.0.0/16
            network 10.0.0.0/8
            network 172.16.0.0/12
        }
        /* 10.1.20.0/24 has no matching bond0 vif below (vifs are 11, 18, 21,
           22, 102); 10.1.11.0/24 and 10.1.18.0/24 are routed here but are
           not in this group — verify the group matches the intended client
           VLANs. */
        network-group client-networks {
            network 10.1.20.0/24
            network 10.1.21.0/24
            network 10.1.22.0/24
        }
        network-group test-include-group {
            include client-networks
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* Packets with impossible source addresses are logged, but see
       source-validation below: they are not rejected by a reverse-path check. */
    log-martians enable
    /* Intra-LAN traffic between the four LAN VLANs is unrestricted
       (used by intra-zone-filtering in zone LAN). */
    name LAN-LAN {
        default-action accept
        enable-default-log
    }
    name LAN-VYOS {
        default-action accept
        enable-default-log
    }
    /* Egress LAN -> WAN is wide open; any egress restriction would go here. */
    name LAN-WAN {
        default-action accept
        enable-default-log
    }
    name VYOS-LAN {
        default-action accept
        enable-default-log
    }
    name VYOS-WAN {
        default-action accept
        enable-default-log
    }
    /* Unsolicited inbound from WAN to the LAN is dropped and logged. */
    name WAN-LAN {
        default-action drop
        enable-default-log
    }
    /* Unsolicited inbound from WAN to the router itself is dropped and
       logged; this is what keeps service ssh / service ntp below off the
       WAN side. */
    name WAN-VYOS {
        default-action drop
        enable-default-log
    }
    receive-redirects disable
    /* The router will emit ICMP redirects to hosts on its LAN segments. */
    send-redirects enable
    /* Reverse-path (rp_filter) checking is off on every interface; with
       two WAN-zone interfaces (eth0, bond0.102) consider "loose" or
       "strict" so spoofed-source packets are dropped rather than only
       logged by log-martians. */
    source-validation disable
    /* Global state policy: applied before zone rule sets. "related" accept
       interacts with the conntrack helper modules under system conntrack —
       each enabled helper can mark additional flows as related. */
    state-policy {
        established {
            action accept
        }
        invalid {
            action drop
        }
        related {
            action accept
        }
    }
    syn-cookies enable
    twa-hazards-protection disable
    /* eth1 (MGMT) is assigned to no zone; confirm how the zone policy
       treats traffic on an unzoned interface on this VyOS release before
       relying on it being isolated. */
    zone LAN {
        default-action reject
        enable-default-log
        from VYOS {
            firewall {
                name VYOS-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-LAN
            }
        }
        interface bond0.11
        interface bond0.18
        interface bond0.21
        interface bond0.22
        intra-zone-filtering {
            firewall {
                name LAN-LAN
            }
        }
    }
    /* local-zone: traffic destined to the router's own addresses. */
    zone VYOS {
        default-action reject
        enable-default-log
        from LAN {
            firewall {
                name LAN-VYOS
            }
        }
        from WAN {
            firewall {
                name WAN-VYOS
            }
        }
        local-zone
    }
    /* Two WAN-facing interfaces share this zone, but the only default route
       (protocols static below) follows eth0's DHCP lease. */
    zone WAN {
        default-action drop
        enable-default-log
        from LAN {
            firewall {
                name LAN-WAN
            }
        }
        from VYOS {
            firewall {
                name VYOS-WAN
            }
        }
        interface eth0
        interface bond0.102
    }
}
interfaces {
    /* LACP bond over eth2/eth3 carrying the LAN VLANs plus VLAN 102,
       which is in the WAN zone and takes its address by DHCP. */
    bonding bond0 {
        member {
            interface eth2
            interface eth3
        }
        mode 802.3ad
        vif 11 {
            address 10.1.11.1/24
        }
        vif 18 {
            address 10.1.18.1/24
        }
        vif 21 {
            address 10.1.21.1/24
        }
        vif 22 {
            address 10.1.22.1/24
        }
        vif 102 {
            address dhcp
        }
    }
    /* Primary uplink: DHCP address, NAT egress and default route. */
    ethernet eth0 {
        address dhcp
        description WAN
        hw-id 00:50:56:a5:34:e5
    }
    /* Management port; not a member of any firewall zone (see note above). */
    ethernet eth1 {
        address dhcp
        description MGMT
        hw-id 00:50:56:a5:51:79
    }
    ethernet eth2 {
        hw-id 00:50:56:a5:9d:71
    }
    ethernet eth3 {
        hw-id 00:50:56:a5:43:9c
    }
    ethernet eth4 {
        hw-id 00:50:56:a5:6f:6d
    }
    ethernet eth5 {
        hw-id 00:50:56:a5:f7:ab
    }
    loopback lo {
    }
}
/* Masquerade everything leaving eth0; bond0.102 (also WAN zone) has no
   NAT rule, so traffic leaving it would keep its LAN source address. */
nat {
    source {
        rule 10 {
            outbound-interface eth0
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            dhcp-interface eth0
        }
    }
}
service {
    /* allow-client admits any v4/v6 source at the NTP service level;
       exposure is bounded only by the zone policy (WAN-VYOS drops).
       Narrowing this to the LAN prefixes would add a second line of
       defence. */
    ntp {
        allow-client {
            address 0.0.0.0/0
            address ::/0
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    /* SSH with all defaults (no listen-address, no disable-password-
       authentication); reachable from LAN and MGMT, blocked from WAN by
       WAN-VYOS only. */
    ssh {
    }
}
system {
    config-management {
        commit-revisions 100
    }
    /* Application-layer conntrack helpers. Each one lets conntrack
       classify dynamically negotiated flows as "related" (accepted by the
       state-policy above); keep only the protocols actually in use. */
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        /* A real SHA-512 crypt hash is embedded here; treat any copy of this
           file as sensitive and rotate the credential if it has been
           shared. plaintext-password "" is the normal committed form after
           the plaintext has been hashed. */
        user vyos {
            authentication {
                encrypted-password $6$fI0P/MgeXKBQF9AT$5itWks96uhN78/QvqKKD7RAiUf4E0SSBgjXeQBkekhgt3EOEsdTYWc3ifoo45gZl8itgC2wX.91UTAIsH3KC..
                plaintext-password ""
            }
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
}
/* The version string below is truncated (it ends at "vrrp@" with no
   number and no closing quote) and has a shell prompt fused onto it from
   the terminal capture. Restore the full line from the original
   config.boot before loading this file; VyOS uses it to run migration
   scripts on upgrade. */
// Warning: Do not remove the following line.
// vyos-config-version: "bgp@4:broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-dynamic@1:dns-forwarding@4:firewall@10:flow-accounting@1:https@4:ids@1:interfaces@30:ipoe-server@1:ipsec@12:isis@3:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@3:openconnect@2:ospf@2:policy@5:pppoe-server@6:pptp@2:qos@2:quagga@11:rip@1:rpki@1:salt@1:snmp@3:ssh@2:sstp@4:system@26:vrf@3:vrrp@vyos@vyos:/config$