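/* VyOS configuration for router "ferrari": PPPoE WAN (pppoe0 over eth0), one LAN
   (eth1, 192.168.0.0/24), road-warrior WireGuard on wg0 and a site-to-site
   WireGuard + BGP link to "Sam" on wg1.  Passwords, keys and the BGP secret are
   redacted (****) in this copy; the SNMP v2c community string and the PPPoE
   username placeholder were not, so treat this file as sensitive.
   Review changes versus the captured running config:
     - WAN-IN rule 100 split into a tcp-only and a tcp_udp rule so the forward
       allow matches the protocol each destination-NAT rule actually publishes.
     - WAN-LOCAL gains a blacklist drop (rule 12) ahead of the WireGuard accept,
       mirroring WAN-IN rule 20.
     - syn-cookies enabled: several TCP services are published to the internet.
     - NAT rule 80 description typo fixed (STMP -> SMTP). */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        network-group Nets4-BlackList {
            /* Membership is filled in at runtime by /config/scripts/updBlackList.sh
               (task-scheduler "Update-Blacklists", every 3h); it is empty in config.boot. */
            description "Blacklisted IPv4 Sources"
        }
        network-group Sam-Allowed {
            /* The only two LAN hosts Sam's 10.1.1.0/24 may talk to over wg1
               (micro and the Zabbix server). */
            network 192.168.0.5/32
            network 192.168.0.253/32
        }
        network-group Sams-Networks {
            network 10.1.1.0/24
        }
        network-group trusted-hosts {
            /* Source allow-list for SSH / Zabbix / ICMP from the internet
               (WAN-IN rules 90 and 95, WAN-LOCAL rule 15).  Review periodically:
               94.247.40.0/24 is a whole /24, not a single host. */
            description "Trusted hosts for SSH to Micro"
            network 94.247.40.0/24
            network 35.197.168.214/32
            network 108.61.194.116/32
            network 103.8.142.187/32
            network 202.137.240.222/32
            network 103.208.142.58/32
            network 116.202.128.144/32
            network 74.48.81.187/32
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN-IN {
        /* Applied inbound on eth1 (forwarded traffic from the LAN). */
        default-action accept
        rule 500 {
            action drop
            /* Cameras (.11/.12) may only reach RFC1918 192.168/16 — this still
               includes the wg0 subnet 192.168.10.0/24, which is presumably intended. */
            description "Drop Camera sending traffic to Internet"
            destination {
                address !192.168.0.0/16
            }
            log enable
            source {
                address 192.168.0.11-192.168.0.12
            }
        }
    }
    name SAM-IN {
        /* Inbound on wg1: Sam's network -> only the Sam-Allowed hosts. */
        default-action reject
        description "Sams Access to Micro"
        enable-default-log
        rule 10 {
            action accept
            destination {
                group {
                    network-group Sam-Allowed
                }
            }
            source {
                group {
                    network-group Sams-Networks
                }
            }
        }
    }
    name SAM-OUT {
        /* Outbound on wg1: the mirror of SAM-IN, so only Sam-Allowed hosts can
           originate traffic towards 10.1.1.0/24. */
        default-action reject
        description "Sams Access to Micro"
        enable-default-log
        rule 10 {
            action accept
            destination {
                group {
                    network-group Sams-Networks
                }
            }
            source {
                group {
                    network-group Sam-Allowed
                }
            }
        }
    }
    name WAN-IN {
        /* Applied inbound on pppoe0 for forwarded (DNAT'd) traffic. */
        default-action drop
        rule 10 {
            action accept
            description "Permit Return Traffic from the WAN"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            /* Evaluated after rule 10, so an already-established session from a
               newly blacklisted source is not cut; only new connections are dropped. */
            action drop
            description "Drop traffic matching FireHol Level 1,2 and 3 Blacklists"
            protocol all
            source {
                group {
                    network-group Nets4-BlackList
                }
            }
        }
        rule 50 {
            /* World-reachable DNS-over-TLS resolver (NAT rule 110 -> 192.168.0.6). */
            action accept
            description "Accept Traffic towards Adguard - DNS over TLS"
            destination {
                port 853
            }
            protocol tcp_udp
        }
        rule 90 {
            /* Port 22 is deliberately absent from rule 100/101: SSH to micro
               (NAT rule 55) is only reachable from trusted-hosts. */
            action accept
            description "Permit Trusted Hosts to Micro SSH"
            destination {
                port ssh
            }
            protocol tcp
            source {
                group {
                    network-group trusted-hosts
                }
            }
        }
        rule 95 {
            /* 10051 is DNAT'd to zabbix.muppetz.com (192.168.0.253); trusted
               hosts only. */
            action accept
            description "Zabbix Agent Encrypted"
            destination {
                port 10051
            }
            protocol tcp
            source {
                group {
                    network-group trusted-hosts
                }
            }
        }
        rule 100 {
            /* TCP-only services, matching NAT destination rules 51, 52, 56, 60,
               70, 80 and 90 which are all "protocol tcp".  Previously this rule
               was tcp_udp for every port, allowing UDP the NAT never publishes. */
            action accept
            description "Permit traffic to NAT Rules (TCP services)"
            destination {
                port 25,80,443,5001,8123,8920,22067-22070,58050-58051
            }
            protocol tcp
        }
        rule 101 {
            /* Torrent clients (NAT rules 50, 53, 54) are published as tcp_udp. */
            action accept
            description "Permit traffic to NAT Rules (TCP+UDP services)"
            destination {
                port 34342,45459,49371
            }
            protocol tcp_udp
        }
    }
    name WAN-LOCAL {
        /* Applied on pppoe0 for traffic addressed to the router itself. */
        default-action drop
        rule 10 {
            action accept
            description "Accept return traffic from already established sessions"
            state {
                established enable
                related enable
            }
        }
        rule 12 {
            /* Added: WAN-IN already drops blacklisted sources (rule 20) but the
               router's own WireGuard listener did not; keep the two chains consistent. */
            action drop
            description "Drop traffic matching FireHol Blacklists towards the router"
            protocol all
            source {
                group {
                    network-group Nets4-BlackList
                }
            }
        }
        rule 15 {
            action accept
            description "Accept ICMP from Trusted Hosts"
            icmp {
                type-name echo-request
            }
            protocol icmp
            source {
                group {
                    network-group trusted-hosts
                }
            }
            state {
                new enable
            }
        }
        rule 20 {
            /* wg0 listens on 7777, wg1 on 7778 (see interfaces wireguard). */
            action accept
            description "Incoming Wireguard Sessions"
            destination {
                port 7777-7778
            }
            log disable
            protocol udp
        }
    }
    options {
        interface wg0 {
            adjust-mss 1380
        }
        interface wg1 {
            adjust-mss 1380
        }
    }
    receive-redirects disable
    /* Left enabled: with the static routes via 192.168.0.15 below, LAN hosts are
       redirected to that next hop directly — presumably intentional; disable if
       hosts should always traverse the router. */
    send-redirects enable
    /* Global rp_filter is off; eth1 sets "ip source-validation strict" per-interface. */
    source-validation disable
    /* Enabled (was disable): ports 25/80/443/8920/... are exposed to the
       internet via DNAT, so SYN-flood resilience is worth the small cost. */
    syn-cookies enable
    twa-hazards-protection enable
}
interfaces {
    ethernet eth0 {
        /* Physical WAN carrier for pppoe0; no IP of its own. */
        description "WAN Interface - Unison Fibre - NowNZ"
        duplex auto
        mac 4c:55:56:44:41:4e
        mtu 9000
        offload {
            gro
            gso
            sg
            tso
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.0.1/24
        description "MuppetLAN Network"
        duplex auto
        firewall {
            in {
                name LAN-IN
            }
        }
        ip {
            source-validation strict
        }
        mac 54:1e:56:36:29:1e
        mtu 9000
        offload {
            gro
            gso
            sg
            tso
        }
        speed auto
        traffic-policy {
            out pppoe-in
        }
    }
    loopback lo {
        description "Loopback Interface"
    }
    pppoe pppoe0 {
        authentication {
            password ****************
            user CENSORED
        }
        default-route force
        description "Internet"
        firewall {
            in {
                name WAN-IN
            }
            local {
                name WAN-LOCAL
            }
        }
        mru 1500
        mtu 1500
        source-interface eth0
        traffic-policy {
            out pppoe-out
        }
    }
    wireguard wg0 {
        /* NOTE(review): no firewall ruleset is bound to wg0, so every peer below
           has unrestricted access to the LAN and to the router (SSH listens on
           192.168.10.1).  Acceptable only if every peer device is fully trusted;
           otherwise bind an "in" ruleset here like wg1 does. */
        address 192.168.10.1/24
        description "Ferrari Wireguard"
        peer bobo.muppetz.com {
            allowed-ips 192.168.10.5/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        peer jelly2 {
            allowed-ips 192.168.10.16/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        peer mail.muppetz.com {
            allowed-ips 192.168.10.2/32
            persistent-keepalive 20
            preshared-key ****************
            pubkey ****************
        }
        peer nownz-laptop {
            allowed-ips 192.168.10.22/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        peer openwrt-wr902ac {
            allowed-ips 192.168.10.13/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        peer pa {
            allowed-ips 192.168.10.24/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        peer pixel {
            allowed-ips 192.168.10.11/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        peer pixel4xl {
            allowed-ips 192.168.10.10/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        peer pixel7pro {
            allowed-ips 192.168.10.17/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        peer sarahs-iphone {
            allowed-ips 192.168.10.25/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        peer sweetums {
            allowed-ips 192.168.10.15/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        peer thinky {
            allowed-ips 192.168.10.20/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        peer tims-ipad {
            allowed-ips 192.168.10.23/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        peer tims-macbook {
            allowed-ips 192.168.10.26/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        port 7777
    }
    wireguard wg1 {
        /* Site-to-site link to Sam; SAM-IN/SAM-OUT restrict it to two LAN hosts
           and BGP (protocols bgp) exchanges the two LAN prefixes over it. */
        address 10.89.90.2/30
        description "Wireguard Connection to Sam for Media Sharing"
        firewall {
            in {
                name SAM-IN
            }
            out {
                name SAM-OUT
            }
        }
        peer sam {
            address 114.23.93.1
            allowed-ips 10.1.1.0/24
            allowed-ips 10.89.90.1/32
            persistent-keepalive 20
            port 1200
            preshared-key ****************
            pubkey ****************
        }
        port 7778
    }
}
nat {
    destination {
        /* Internet-facing DNAT (inbound-interface pppoe0).  Every port here must
           also be allowed by WAN-IN; 22 and 10051 are restricted there to
           trusted-hosts, everything else is open to the world. */
        rule 50 {
            description "rTorrent on Micro"
            destination {
                port 49371
            }
            inbound-interface pppoe0
            protocol tcp_udp
            translation {
                address 192.168.0.5
            }
        }
        rule 51 {
            description "BubbleUPNP Remote Access"
            destination {
                port 58050-58051
            }
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 192.168.0.5
            }
        }
        rule 52 {
            description "Syncthing Relay"
            destination {
                port 22067-22070
            }
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 192.168.0.5
            }
        }
        rule 53 {
            description "qBittorrent on XPS"
            destination {
                port 34342
            }
            inbound-interface pppoe0
            protocol tcp_udp
            translation {
                address 192.168.0.121
            }
        }
        rule 54 {
            description "qBittorrent on Thinky"
            destination {
                port 45459
            }
            inbound-interface pppoe0
            protocol tcp_udp
            translation {
                address 192.168.0.120
            }
        }
        rule 55 {
            /* Reachable only from trusted-hosts (WAN-IN rule 90). */
            description "SSH to Micro"
            destination {
                port 22
            }
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 192.168.0.5
            }
        }
        rule 56 {
            description "Jellyfin on Micro"
            destination {
                port 8920
            }
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 192.168.0.5
            }
        }
        rule 60 {
            description "Apache on Micro"
            destination {
                port 80,443
            }
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 192.168.0.5
            }
        }
        rule 70 {
            description "Icecast on Micro"
            destination {
                port 5001
            }
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 192.168.0.5
            }
        }
        rule 80 {
            description "SMTP on Micro"
            destination {
                port 25
            }
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 192.168.0.5
            }
        }
        rule 90 {
            description "Home Assistant"
            destination {
                port 8123
            }
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 192.168.0.7
            }
        }
        rule 95 {
            /* Reachable only from trusted-hosts (WAN-IN rule 95). */
            description "Zabbix Agent Encrypted"
            destination {
                port 10051
            }
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 192.168.0.253
            }
        }
        rule 110 {
            description "Adguard - DNS over TLS"
            destination {
                port 853
            }
            inbound-interface pppoe0
            protocol tcp_udp
            translation {
                address 192.168.0.6
            }
        }
        /* Hairpin rules: LAN clients addressing the public IP 202.137.243.17 are
           translated back to the LAN host; the matching source rules 200-230
           masquerade so replies return via the router. */
        rule 200 {
            description "Hairpin NAT for Home Assistant"
            destination {
                address 202.137.243.17
                port 8123
            }
            inbound-interface eth1
            protocol tcp
            translation {
                address 192.168.0.7
            }
        }
        rule 210 {
            description "Hairpin NAT for Micro Services"
            destination {
                address 202.137.243.17
                port 22,80,443,5001,8920
            }
            inbound-interface eth1
            protocol tcp
            translation {
                address 192.168.0.5
            }
        }
        rule 220 {
            /* 8443 has no pppoe0 DNAT or WAN-IN rule, so the Wifi controller is
               only reachable this way from inside the LAN. */
            description "Hairpin NAT for Wifi Management"
            destination {
                address 202.137.243.17
                port 8443
            }
            inbound-interface eth1
            protocol tcp
            translation {
                address 192.168.0.3
            }
        }
        rule 230 {
            description "Hairpin NAT for Mosh Shell on Micro"
            destination {
                address 202.137.243.17
                port 60000-60010
            }
            inbound-interface eth1
            protocol udp
            translation {
                address 192.168.0.5
            }
        }
        rule 500 {
            /* Plain-DNS hijack: LAN clients (other than .1-.6) that point at an
               external resolver are sent to the router's forwarder on 192.168.0.1,
               not to AdGuard at 192.168.0.6 which DHCP hands out — so such clients
               bypass AdGuard filtering.  Change the translation address to
               192.168.0.6 if filtering is meant to be enforced.  DoT (853) and
               DoH (443) to outside resolvers are not caught by this rule. */
            description "Rewrite DNS Requests"
            destination {
                address !192.168.0.0/24
                port 53
            }
            inbound-interface eth1
            protocol tcp_udp
            source {
                address !192.168.0.1-192.168.0.6
            }
            translation {
                address 192.168.0.1
            }
        }
    }
    source {
        rule 200 {
            description "Hairpin NAT for Home Assistant"
            destination {
                address 192.168.0.7
                port 8123
            }
            outbound-interface eth1
            protocol tcp
            source {
                address 192.168.0.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 210 {
            description "Hairpin NAT for Micro Services"
            destination {
                address 192.168.0.5
                port 22,80,443,5001,8920
            }
            outbound-interface eth1
            protocol tcp
            source {
                address 192.168.0.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 220 {
            description "Hairpin NAT for Wifi Management"
            destination {
                address 192.168.0.3
                port 8443
            }
            outbound-interface eth1
            protocol tcp
            source {
                address 192.168.0.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 230 {
            description "Hairpin NAT for Mosh Shell on Micro"
            destination {
                address 192.168.0.5
                port 60000-60010
            }
            outbound-interface eth1
            protocol udp
            source {
                address 192.168.0.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 1000 {
            description "Default NAT Rule for Internet Access"
            outbound-interface pppoe0
            translation {
                address masquerade
            }
        }
    }
}
policy {
    prefix-list sams-routes {
        rule 1 {
            action permit
            prefix 10.1.1.0/24
        }
    }
    prefix-list tims-routes {
        rule 1 {
            action permit
            prefix 192.168.0.0/24
        }
    }
    route-map rm-static-to-bgp {
        /* Only the LAN prefix is redistributed into BGP; everything else
           (including the static routes below) is denied by rule 100. */
        rule 10 {
            action permit
            description "Local MuppetLAN Subnet"
            match {
                ip {
                    address {
                        prefix-list tims-routes
                    }
                }
            }
        }
        rule 100 {
            action deny
            description "Default Deny"
        }
    }
}
protocols {
    bgp 64590 {
        address-family {
            ipv4-unicast {
                redistribute {
                    connected {
                        route-map rm-static-to-bgp
                    }
                }
            }
        }
        neighbor 10.89.90.1 {
            /* Private-ASN peering over wg1.  Both directions are prefix-filtered
               (export only 192.168.0.0/24, import only 10.1.1.0/24) and the
               session is MD5-authenticated. */
            address-family {
                ipv4-unicast {
                    nexthop-self {
                    }
                    prefix-list {
                        export tims-routes
                        import sams-routes
                    }
                    soft-reconfiguration {
                        inbound
                    }
                }
            }
            description "Sams Router"
            password ****************
            remote-as 64589
        }
        parameters {
            log-neighbor-changes
            router-id 10.89.90.2
        }
    }
    static {
        /* All via 192.168.0.15 on the LAN (not named in DHCP/static-host-mapping);
           10.1.1.0/24 learned over wg1/BGP is more specific than 10.0.0.0/8 and wins. */
        route 10.0.0.0/8 {
            next-hop 192.168.0.15 {
            }
        }
        route 100.64.0.0/10 {
            next-hop 192.168.0.15 {
            }
        }
        route 103.8.143.135/32 {
            next-hop 192.168.0.15 {
            }
        }
        route 202.74.33.6/32 {
            next-hop 192.168.0.15 {
            }
        }
        route 202.137.240.52/32 {
            next-hop 192.168.0.15 {
            }
        }
        route 203.92.25.107/32 {
            next-hop 192.168.0.15 {
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name MuppetLAN {
            authoritative
            description "MuppetLAN DHCP Server"
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                domain-name muppetz.com
                domain-search muppetz.com
                lease 86400
                /* Clients resolve via AdGuard; the cameras and one laptop are
                   overridden below to use the router's forwarder directly. */
                name-server 192.168.0.6
                ntp-server 192.168.0.1
                range MuppetLANDynamic {
                    start 192.168.0.150
                    stop 192.168.0.240
                }
                static-mapping Beths-iPad {
                    ip-address 192.168.0.113
                    mac-address f0:76:6f:41:6e:1c
                }
                static-mapping appletv {
                    ip-address 192.168.0.101
                    mac-address 50:32:37:ba:62:79
                }
                static-mapping beths-chromebook {
                    ip-address 192.168.0.125
                    mac-address 90:0f:0c:f1:a5:4b
                }
                static-mapping beths-ipad {
                    ip-address 192.168.0.127
                    mac-address f0:2f:4b:1a:4f:21
                }
                static-mapping camera1 {
                    ip-address 192.168.0.11
                    mac-address 78:11:dc:70:b9:4d
                    static-mapping-parameters "option domain-name-servers 192.168.0.1;"
                }
                static-mapping camera2 {
                    ip-address 192.168.0.12
                    mac-address 78:11:dc:70:b7:4f
                    static-mapping-parameters "option domain-name-servers 192.168.0.1;"
                }
                static-mapping canon-printer {
                    ip-address 192.168.0.60
                    mac-address 34:9f:7b:c9:36:12
                }
                static-mapping carport-ap {
                    ip-address 192.168.0.24
                    mac-address b4:fb:e4:70:ce:58
                }
                static-mapping chatterbox {
                    ip-address 192.168.0.10
                    mac-address b0:fa:eb:31:ef:3e
                }
                static-mapping daisys-chromebook {
                    ip-address 192.168.0.130
                    mac-address 34:7d:f6:0c:e3:e2
                }
                static-mapping daisysipad {
                    ip-address 192.168.0.129
                    mac-address 52:77:34:96:33:96
                }
                static-mapping hb {
                    ip-address 192.168.0.14
                    mac-address 2c:3a:e8:39:0b:33
                }
                static-mapping imac {
                    ip-address 192.168.0.116
                    mac-address 38:f9:d3:de:45:5a
                }
                static-mapping ir-blaster-bedroom {
                    ip-address 192.168.0.27
                    mac-address 78:0f:77:d8:f3:b4
                }
                static-mapping kitchen-ap {
                    ip-address 192.168.0.21
                    mac-address fc:ec:da:f0:44:20
                }
                static-mapping kitchen-cca {
                    ip-address 192.168.0.115
                    mac-address 54:60:09:e0:e3:40
                }
                static-mapping lounge-ap {
                    ip-address 192.168.0.22
                    mac-address 74:83:c2:c6:59:c6
                }
                static-mapping micro {
                    ip-address 192.168.0.5
                    mac-address 12:d7:8e:70:a7:b1
                }
                static-mapping mikrotik {
                    ip-address 192.168.0.4
                    mac-address 00:0c:42:a5:68:60
                }
                static-mapping nownz-laptop {
                    ip-address 192.168.0.123
                    mac-address 90:cc:df:1b:d6:68
                }
                static-mapping office-aircon {
                    ip-address 192.168.0.16
                    mac-address a0:c9:a0:08:93:3e
                }
                static-mapping oldipad {
                    ip-address 192.168.0.112
                    mac-address 9c:04:eb:90:99:5c
                }
                static-mapping peters-old-ipad {
                    ip-address 192.168.0.124
                    mac-address 5c:97:f3:a8:bb:18
                }
                static-mapping pixel {
                    ip-address 192.168.0.105
                    mac-address ac:37:43:a6:4c:95
                }
                static-mapping pixel-7-pro {
                    ip-address 192.168.0.128
                    mac-address d4:3a:2c:96:3a:cb
                }
                static-mapping pool-aircon {
                    ip-address 192.168.0.26
                    mac-address 34:ea:e7:f5:9e:b2
                }
                static-mapping poolshed-ap {
                    ip-address 192.168.0.25
                    mac-address 78:8a:20:70:d9:36
                }
                static-mapping ring-carport {
                    ip-address 192.168.0.28
                    mac-address 9c:76:13:19:57:f1
                }
                static-mapping ring-floodlight {
                    ip-address 192.168.0.13
                    mac-address d4:36:39:a9:ea:46
                }
                static-mapping sarah-hbrc-laptop {
                    ip-address 192.168.0.133
                    mac-address 68:54:5a:ba:dc:4f
                    static-mapping-parameters "option domain-name-servers 192.168.0.1;"
                }
                static-mapping shed-ap {
                    ip-address 192.168.0.23
                    mac-address 78:8a:20:48:bb:69
                }
                static-mapping spitfire {
                    ip-address 192.168.0.2
                    mac-address f0:9f:c2:c4:28:c6
                }
                static-mapping thinky {
                    ip-address 192.168.0.120
                    mac-address 9c:2a:70:88:0f:2d
                }
                static-mapping tiltpi {
                    ip-address 192.168.0.18
                    mac-address b8:27:eb:9b:73:b9
                }
                static-mapping tims-macbook {
                    ip-address 192.168.0.131
                    mac-address 6c:7e:67:cd:31:6f
                }
                static-mapping tims-mac-mini {
                    ip-address 192.168.0.132
                    mac-address 20:a5:cb:d4:22:b0
                }
                static-mapping tv {
                    ip-address 192.168.0.99
                    mac-address 38:2c:4a:0e:e9:bb
                }
                static-mapping upstairs-ap {
                    ip-address 192.168.0.20
                    mac-address 78:8a:20:48:bb:8d
                }
            }
        }
    }
    dns {
        forwarding {
            /* LAN-only recursive forwarder (also the target of NAT rule 500).
               NOTE(review): dnssec is off, so answers from the ISP resolvers
               below are not validated. */
            allow-from 192.168.0.0/16
            cache-size 32768
            dnssec off
            listen-address 192.168.0.1
            name-server 202.137.240.39
            name-server 202.137.240.40
        }
    }
    snmp {
        /* SNMP v2c: the community string is sent in cleartext and acts as the
           only credential, readable from anywhere in 192.168.0.0/16 (including
           IoT devices on this LAN).  Prefer SNMPv3 with auth/priv, and rotate
           this community since it appears unredacted in this file. */
        community VeryLargeDancingSpaceChickens {
            authorization ro
            client 127.0.0.1
            network 192.168.0.0/16
        }
        contact "Tim Harman - tim@muppetz.com"
        location "10 Jervois Road, Jervoistown"
    }
    ssh {
        /* Not reachable from the WAN (no listen on pppoe0 and WAN-LOCAL drops it);
           LAN and wg0 clients only, single permitted user. */
        access-control {
            allow {
                user tim
            }
        }
        client-keepalive-interval 60
        listen-address 192.168.0.1
        listen-address 192.168.10.1
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        hash-size 65536
        /* NOTE(review): the pptp helper (GRE/PPTP ALG) is loaded but nothing in
           this config publishes PPTP; ALGs enlarge the attack surface, so drop
           it if no LAN host still needs PPTP pass-through. */
        modules {
            ftp
            pptp
        }
        table-size 524288
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name muppetz.com
    host-name ferrari
    ip {
        arp {
            table-size 1024
        }
    }
    login {
        banner {
            post-login "Ferrari - Vyos"
        }
        user tim {
            authentication {
                encrypted-password ****************
                public-keys JuiceSSH {
                    key ****************
                    type ecdsa-sha2-nistp384
                }
                public-keys micro {
                    key ****************
                    type ssh-rsa
                }
                public-keys tim {
                    key ****************
                    type ssh-ed25519
                }
            }
            full-name "Tim Harman"
        }
    }
    name-server 192.168.0.1
    ntp {
        allow-clients {
            address 192.168.0.0/16
        }
        listen-address 192.168.0.1
        server p1.ntp.net.nz {
        }
        server p2.ntp.net.nz {
        }
        server p3.ntp.net.nz {
        }
        server p4.ntp.net.nz {
        }
    }
    option {
        ctrl-alt-delete ignore
        http-client {
            source-interface pppoe0
        }
        reboot-on-panic
        startup-beep
    }
    static-host-mapping {
        host-name adguard.muppetz.com {
            inet 192.168.0.6
        }
        host-name appletv.muppetz.com {
            inet 192.168.0.101
        }
        host-name bobo.muppetz.com {
            inet 192.168.10.5
        }
        host-name camera1.muppetz.com {
            inet 192.168.0.11
        }
        host-name camera2.muppetz.com {
            inet 192.168.0.12
        }
        host-name canon-printer.muppetz.com {
            alias canon-printer
            inet 192.168.0.60
        }
        host-name carport-ap.muppetz.com {
            inet 192.168.0.24
        }
        host-name chatterbox.muppetz.com {
            inet 192.168.0.10
        }
        host-name chromecast.muppetz.com {
            inet 192.168.0.102
        }
        host-name contacts.muppetz.com {
            inet 192.168.0.5
        }
        host-name droid.muppetz.com {
            inet 192.168.0.114
        }
        host-name fenix6pro.muppetz.com {
            inet 192.168.0.118
        }
        host-name gallery.tjharman.com {
            inet 192.168.0.5
        }
        host-name ha.muppetz.com {
            inet 192.168.0.7
        }
        host-name hb.muppetz.com {
            inet 192.168.0.14
        }
        host-name kitchen-ap.muppetz.com {
            inet 192.168.0.21
        }
        host-name kitchen-cca {
            inet 192.168.0.115
        }
        host-name kitchentv.muppetz.com {
            inet 192.168.0.103
        }
        host-name lice.muppetz.com {
            inet 192.168.0.5
        }
        host-name lounge-ap.muppetz.com {
            inet 192.168.0.22
        }
        host-name mail.muppetz.com {
            inet 192.168.10.2
        }
        host-name max.muppetz.com {
            inet 192.168.0.247
        }
        host-name micro.muppetz.com {
            alias micro
            inet 192.168.0.5
        }
        host-name mikrotik.muppetz.com {
            inet 192.168.0.4
        }
        host-name mqtt.muppetz.com {
            inet 192.168.0.7
        }
        host-name now-laptop.muppetz.com {
            alias now-laptop
            inet 192.168.10.22
        }
        host-name office-aircon.muppetz.com {
            inet 192.168.0.16
        }
        host-name oldipad.muppetz.com {
            inet 192.168.0.112
        }
        host-name orbit.muppetz.com {
            inet 192.168.0.248
        }
        host-name poolshed-ap.muppetz.com {
            inet 192.168.0.25
        }
        host-name radio.muppetz.com {
            inet 192.168.0.5
        }
        host-name reader.muppetz.com {
            inet 192.168.0.5
        }
        host-name ring-carport.muppetz.com {
            inet 192.168.0.28
        }
        host-name ring-floodlight.muppetz.com {
            inet 192.168.0.13
        }
        host-name ring.muppetz.com {
            inet 192.168.0.9
        }
        host-name router.muppetz.com {
            inet 192.168.0.1
        }
        host-name rspamd.muppetz.com {
            inet 192.168.10.2
        }
        host-name search.muppetz.com {
            inet 192.168.0.5
        }
        host-name shed-ap.muppetz.com {
            inet 192.168.0.23
        }
        host-name spitfire.muppetz.com {
            inet 192.168.0.2
        }
        host-name sync.muppetz.com {
            inet 192.168.0.5
        }
        host-name tasks.muppetz.com {
            inet 192.168.0.5
        }
        host-name thinky.muppetz.com {
            inet 192.168.0.120
        }
        host-name tilt.pi {
            inet 192.168.0.18
        }
        host-name time.muppetz.com {
            inet 192.168.0.1
        }
        host-name tjharman.com {
            inet 192.168.0.5
        }
        host-name tv.muppetz.com {
            inet 192.168.0.99
        }
        host-name upstairs-ap.muppetz.com {
            inet 192.168.0.20
        }
        host-name vpn.muppetz.com {
            inet 192.168.0.1
        }
        host-name wb.muppetz.com {
            inet 192.168.0.5
        }
        host-name wifi.muppetz.com {
            inet 192.168.0.3
        }
        host-name zabbix.muppetz.com {
            inet 192.168.0.253
        }
    }
    sysctl {
        custom net.core.default_qdisc {
            value fq
        }
        custom net.ipv4.tcp_congestion_control {
            value bbr
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
        }
        /* Remote syslog to micro at debug level over plain UDP (unauthenticated,
           unencrypted) — fine on a trusted LAN, but firewall logs from
           WAN-IN/WAN-LOCAL travel in cleartext. */
        host 192.168.0.5 {
            facility all {
                level debug
                protocol udp
            }
        }
    }
    task-scheduler {
        task Update-Blacklists {
            /* Refreshes network-group Nets4-BlackList; the script and its
               download source are outside this file. */
            executable {
                path /config/scripts/updBlackList.sh
            }
            interval 3h
        }
        task configbackup {
            executable {
                path /config/scripts/restic-backup
            }
            interval 1d
        }
        task fstrim {
            executable {
                arguments "/sbin/fstrim -a"
                path /bin/sudo
            }
            interval 7d
        }
    }
    time-zone Pacific/Auckland
}
traffic-policy {
    shaper pppoe-in {
        /* Download shaper, applied outbound on eth1 (LAN-facing). */
        bandwidth 710mbit
        class 5 {
            bandwidth 4%
            burst 2mb
            description "TCP SYN/ACK"
            match tiny4 {
                ip {
                    tcp {
                        ack
                        syn
                    }
                }
            }
            priority 0
            queue-limit 100
            queue-type fq-codel
        }
        class 10 {
            bandwidth 1%
            burst 1mb
            description "DNS Traffic"
            match dns {
                ip {
                    protocol udp
                    source {
                        port 53
                    }
                }
            }
            priority 1
            queue-limit 100
            queue-type fq-codel
        }
        default {
            bandwidth 95%
            burst 15k
            ceiling 100%
            codel-quantum 8000
            priority 7
            queue-type fq-codel
        }
    }
    shaper pppoe-out {
        /* Upload shaper, applied outbound on pppoe0. */
        bandwidth 450mbit
        class 5 {
            bandwidth 4%
            burst 2mb
            description "TCP SYN/ACK"
            match tiny4 {
                ip {
                    tcp {
                        ack
                        syn
                    }
                }
            }
            priority 0
            queue-limit 50
            queue-type fq-codel
        }
        class 10 {
            bandwidth 1%
            burst 1mb
            description "DNS Traffic"
            match dns {
                ip {
                    destination {
                        port 53
                    }
                    protocol udp
                }
            }
            priority 1
            queue-limit 50
            queue-type fq-codel
        }
        default {
            bandwidth 95%
            burst 15k
            ceiling 100%
            codel-quantum 8000
            priority 7
            queue-type fq-codel
        }
        description "450Mbps Out via PPPoE"
    }
}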