I think I have what is a reasonably vanilla EdgeRouter config. Is there a quickish way to test whether what's defined is supported on a VyOS install, before I crack out a VM and manually try to craft the same thing?
firewall {
    /* NOTE(review): both echo knobs are enabled; confirm answering ICMP echo sent to broadcast addresses is intended. */
    all-ping enable
    broadcast-ping enable
    group {
        /* Empty here and not referenced by any rule in this config; presumably filled by the loadCountryList task under system task-scheduler -- verify that script also installs a rule that uses the group, otherwise the list is never enforced. */
        address-group countries-allowed {
        }
        /* Not referenced by any rule in this config (same host as system name-server and the DHCP dns-server). */
        address-group dns-servers {
            address 192.168.68.24
        }
        /* Empty here and not referenced by any rule in this config; presumably filled by the loadBlackList task -- same caveat as countries-allowed. */
        address-group nets4-blacklist {
        }
        /* RFC1918 space; used by modify vpn-routing rule 10 to keep private destinations on the main table. */
        address-group private-nets {
            address 192.168.0.0/16
            address 172.16.0.0/12
            address 10.0.0.0/8
        }
        /* Sources that are policy-routed into the Mullvad tunnel: the wg1 subnet and the eth1 (wgwifi) subnet. Used by modify vpn-routing rule 100. */
        address-group wireguard-allowed {
            address 192.168.32.0/24
            address 192.168.112.0/24
        }
    }
    /* Kernel hardening knobs. NOTE(review): log-martians disable is the permissive choice; confirm it is deliberate rather than inherited. */
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    /* Policy routing, applied inbound on eth1, eth2 and wg1 (see interfaces). Rule 10 matches first and keeps RFC1918 destinations on the main table; rule 100 sends traffic sourced from wireguard-allowed to table 100, whose default route is wg0 (see protocols static). */
    modify vpn-routing {
        rule 10 {
            action modify
            destination {
                group {
                    address-group private-nets
                }
            }
            modify {
                table main
            }
        }
        rule 100 {
            action modify
            modify {
                table 100
            }
            source {
                group {
                    address-group wireguard-allowed
                }
            }
        }
    }
    /* Zone-pair rulesets, named <from>-<to> and bound under zone-policy. Recurring pattern: established/related accepted, invalid dropped, everything else per default-action. */
    name lan-local {
        default-action accept
    }
    name lan-wan {
        default-action accept
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg0 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg2 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wgwifi {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name local-lan {
        default-action accept
    }
    name local-wan {
        default-action accept
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name local-wg0 {
        default-action accept
    }
    name local-wg1 {
        default-action accept
    }
    name local-wg2 {
        default-action accept
    }
    name local-wgwifi {
        default-action accept
    }
    /* WAN -> LAN: only return traffic here; inbound service exposure is handled by port-forward with auto-firewall. */
    name wan-lan {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* WAN -> router: only the two WireGuard listeners are reachable. 51820 = wg1 listen-port, 51822 = wg2 listen-port. */
    name wan-local {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
        rule 400 {
            action accept
            destination {
                port 51820
            }
            protocol udp
        }
        rule 410 {
            action accept
            destination {
                port 51822
            }
            protocol udp
        }
    }
    name wan-wg0 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wg2 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wgwifi {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* wg0 is the outbound Mullvad tunnel: nothing originating from it is accepted anywhere. Only wg0-wg1 and wg0-wgwifi pass return traffic, matching the two sources that vpn-routing sends into wg0. */
    name wg0-lan {
        default-action drop
    }
    name wg0-local {
        default-action drop
    }
    name wg0-wan {
        default-action drop
    }
    name wg0-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg0-wg2 {
        default-action drop
    }
    name wg0-wgwifi {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* wg1 clients are policy-routed into wg0, so direct wg1 -> wan is closed while wg1 -> wg0 is open. */
    name wg1-lan {
        default-action accept
    }
    name wg1-local {
        default-action accept
    }
    name wg1-wan {
        default-action drop
    }
    name wg1-wg0 {
        default-action accept
    }
    name wg1-wg2 {
        default-action drop
    }
    name wg1-wgwifi {
        default-action drop
    }
    /* wg2 clients egress via the Swisscom WAN (no vpn-routing on wg2), hence wg2 -> wan accept and wg2 -> wg0 drop. */
    name wg2-lan {
        default-action accept
    }
    name wg2-local {
        default-action accept
    }
    name wg2-wan {
        default-action accept
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg2-wg0 {
        default-action drop
    }
    name wg2-wg1 {
        default-action drop
    }
    name wg2-wgwifi {
        default-action drop
    }
    /* wgwifi (eth1) mirrors wg1: routed into wg0, no direct WAN access. */
    name wgwifi-lan {
        default-action accept
    }
    name wgwifi-local {
        default-action accept
    }
    name wgwifi-wan {
        default-action drop
    }
    name wgwifi-wg0 {
        default-action accept
    }
    name wgwifi-wg1 {
        default-action drop
    }
    name wgwifi-wg2 {
        default-action drop
    }
    /* NOTE(review): send-redirects enable and source-validation disable are the permissive settings; confirm each is deliberate. */
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    /* eth0, eth3 and eth5 are administratively disabled. */
    ethernet eth0 {
        disable
        duplex auto
        speed auto
    }
    /* Wifi segment that is policy-routed into the Mullvad tunnel (its subnet is in wireguard-allowed); bound to zone wgwifi. */
    ethernet eth1 {
        address 192.168.112.1/24
        description "Mullvad (Wifi)"
        duplex auto
        firewall {
            in {
                modify vpn-routing
            }
        }
        speed auto
    }
    /* Main LAN; bound to zone lan. Its subnet is not in wireguard-allowed, so vpn-routing rule 100 never matches LAN-sourced traffic and it egresses via the WAN. */
    ethernet eth2 {
        address 192.168.68.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify vpn-routing
            }
        }
        speed auto
    }
    ethernet eth3 {
        disable
        duplex auto
        speed auto
    }
    /* Swisscom WAN via DHCP; bound to zone wan. The mac leaf overrides the port's hardware address. NOTE(review): dhcp-options client-option is EdgeOS-specific; verify the equivalent on the target VyOS version. */
    ethernet eth4 {
        address dhcp
        description Swisscom
        dhcp-options {
            client-option "send vendor-class-identifier "100008,0001";"
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        mac A0:B5:49:0A:6D:C0
        speed auto
    }
    ethernet eth5 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* Outbound Mullvad tunnel. Single peer with allowed-ips 0.0.0.0/0; route-allowed-ips false keeps that route out of the main table -- the default route lives in protocols static table 100 instead. Private key is read from /config/wireguard, not embedded here. NOTE(review): VyOS wireguard key handling differs by version; verify. */
    wireguard wg0 {
        address 10.65.140.116/32
        description "Mullvad (default route)"
        mtu 1420
        peer TMOEAxpcv5xz+PvcvqP0Iy4+px+hrCJUJHGcy45DVQI= {
            allowed-ips 0.0.0.0/0
            endpoint 185.200.118.100:51820
        }
        private-key /config/wireguard/wg0.key
        route-allowed-ips false
    }
    /* Road-warrior tunnel whose clients egress via Mullvad (subnet is in wireguard-allowed, vpn-routing applied inbound). Listens on 51820, opened by wan-local rule 400. */
    wireguard wg1 {
        address 192.168.32.1/24
        description "VPN +LAN +Mullvad"
        firewall {
            in {
                modify vpn-routing
            }
        }
        listen-port 51820
        mtu 1420
        peer 8TTb3W6emQg5nZGO08IapamDyyr5bKeFID9AyFJb4wA= {
            allowed-ips 192.168.32.100/32
        }
        peer Y3FdYykl3oSUPRuTwrqOVIf1imFL/wC3y1xsC7Z6Ql8= {
            allowed-ips 192.168.32.102/32
        }
        peer s3KPJRRQHs/gjVSBGQMZMulDVMzraAsUpfQk8nU3lGo= {
            allowed-ips 192.168.32.101/32
        }
        private-key /config/wireguard/wg1.key
        route-allowed-ips false
    }
    /* Road-warrior tunnel for the same three peer keys as wg1, but egressing via the Swisscom WAN (no vpn-routing). Listens on 51822, opened by wan-local rule 410. */
    wireguard wg2 {
        address 10.0.10.1/24
        description "VPN +LAN +Swisscom"
        listen-port 51822
        mtu 1420
        peer 8TTb3W6emQg5nZGO08IapamDyyr5bKeFID9AyFJb4wA= {
            allowed-ips 10.0.10.100/32
        }
        peer Y3FdYykl3oSUPRuTwrqOVIf1imFL/wC3y1xsC7Z6Ql8= {
            allowed-ips 10.0.10.102/32
        }
        peer s3KPJRRQHs/gjVSBGQMZMulDVMzraAsUpfQk8nU3lGo= {
            allowed-ips 10.0.10.101/32
        }
        private-key /config/wireguard/wg2.key
        route-allowed-ips false
    }
}
/* EdgeOS-specific node; VyOS expresses this as nat destination rules plus explicit firewall accepts (verify against the target version). */
port-forward {
    /* NOTE(review): the wan-lan ruleset has no accept rules for these ports, so reachability relies entirely on auto-firewall; confirm the auto-generated rules take effect alongside zone-policy. */
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    rule 1 {
        description "HTTP Reverse Proxy"
        forward-to {
            address 192.168.68.49
            port 80
        }
        original-port 80
        protocol tcp
    }
    rule 2 {
        description "HTTPS Reverse Proxy"
        forward-to {
            address 192.168.68.49
            port 443
        }
        original-port 443
        protocol tcp
    }
    rule 3 {
        description Plex
        forward-to {
            address 192.168.68.28
            port 32400
        }
        original-port 32400
        protocol tcp
    }
    /* NOTE(review): rules 4-11 expose the whole mail stack on 192.168.68.15, including the cleartext-capable ports 25, 110 and 143; confirm STARTTLS is required where the protocol allows it. */
    rule 4 {
        description "Postfix SMTP"
        forward-to {
            address 192.168.68.15
            port 25
        }
        original-port 25
        protocol tcp
    }
    rule 5 {
        description "Postfix SMTPS"
        forward-to {
            address 192.168.68.15
            port 465
        }
        original-port 465
        protocol tcp
    }
    rule 6 {
        description "Postfix Submission"
        forward-to {
            address 192.168.68.15
            port 587
        }
        original-port 587
        protocol tcp
    }
    rule 7 {
        description "Dovecot IMAP"
        forward-to {
            address 192.168.68.15
            port 143
        }
        original-port 143
        protocol tcp
    }
    rule 8 {
        description "Dovecot IMAPS"
        forward-to {
            address 192.168.68.15
            port 993
        }
        original-port 993
        protocol tcp
    }
    rule 9 {
        description "Dovecot POP3"
        forward-to {
            address 192.168.68.15
            port 110
        }
        original-port 110
        protocol tcp
    }
    rule 10 {
        description "Dovecot POP3S"
        forward-to {
            address 192.168.68.15
            port 995
        }
        original-port 995
        protocol tcp
    }
    rule 11 {
        description "Dovecot ManageSieve"
        forward-to {
            address 192.168.68.15
            port 4190
        }
        original-port 4190
        protocol tcp
    }
    wan-interface eth4
}
protocols {
    static {
        /* Blackhole the RFC1918 aggregates so traffic to unrouted private space is dropped instead of following the WAN default route; the connected /24s and the wg0 /32 are more specific and still win. */
        route 10.0.0.0/8 {
            blackhole {
            }
        }
        route 172.16.0.0/12 {
            blackhole {
            }
        }
        route 192.168.0.0/16 {
            blackhole {
            }
        }
        /* Table used by modify vpn-routing rule 100: default via wg0, with a distance-255 blackhole behind it so that if wg0 is down the traffic is dropped rather than leaking to the WAN. NOTE(review): interface-route syntax differs across VyOS versions; verify. */
        table 100 {
            interface-route 0.0.0.0/0 {
                next-hop-interface wg0 {
                }
            }
            route 0.0.0.0/0 {
                blackhole {
                    distance 255
                }
            }
        }
    }
}
service {
    /* DHCP only for the eth1 (wgwifi) segment; no scope for the eth2 LAN is defined here. NOTE(review): the shared network is named WireGuard but serves the wifi ethernet segment, not a wireguard interface. */
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name WireGuard {
            authoritative disable
            subnet 192.168.112.0/24 {
                default-router 192.168.112.1
                dns-server 192.168.68.24
                lease 3600
                start 192.168.112.100 {
                    stop 192.168.112.163
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    /* EdgeOS web UI, bound to the LAN address only; there is no VyOS equivalent. */
    gui {
        cert-file /config/ssl/server.pem
        http-port 80
        https-port 443
        listen-address 192.168.68.1
        older-ciphers disable
    }
    /* Source NAT: 5000 masquerades WAN egress; 5100 masquerades the policy-routed client traffic behind the wg0 tunnel address. */
    nat {
        rule 5000 {
            description "Policy sNAT: masquerade for WAN"
            outbound-interface eth4
            protocol all
            type masquerade
        }
        rule 5100 {
            description "Policy sNAT: masquerade for WireGuard"
            outbound-interface wg0
            protocol all
            type masquerade
        }
    }
    /* Management SSH bound to the LAN address only. */
    ssh {
        listen-address 192.168.68.1
        port 22
        protocol-version v2
    }
    /* EdgeOS-specific services, both disabled; not present in VyOS. */
    ubnt-discover {
        disable
    }
    unms {
        disable
    }
    /* EdgeOS-specific UPnP/NAT-PMP; acl rule 10 refuses mappings for external port 3074 requested from the LAN subnet. */
    upnp2 {
        acl {
            rule 10 {
                action deny
                external-port 3074
                local-port 0-65535
                subnet 192.168.68.0/24
            }
        }
        listen-on eth2
        nat-pmp enable
        secure-mode enable
        wan eth4
    }
}
system {
    domain-name phillipmcmahon.com
    host-name router
    /* NOTE(review): empty here -- presumably the user accounts were stripped before posting. */
    login {
    }
    name-server 192.168.68.24
    ntp {
        server 216.239.35.0 {
        }
        server 216.239.35.4 {
        }
        server 216.239.35.8 {
        }
        server 216.239.35.12 {
        }
    }
    /* EdgeOS hardware offload settings; no VyOS counterpart. */
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    /* Daily scripts (not shown) that presumably populate the empty countries-allowed and nets4-blacklist address-groups. */
    task-scheduler {
        task loadBlackList {
            executable {
                path /config/scripts/post-config.d/loadBlackList.sh
            }
            interval 1d
        }
        task loadCountryList {
            executable {
                path /config/scripts/post-config.d/loadCountryList.sh
            }
            interval 1d
        }
    }
    time-zone Europe/Zurich
}
/* EdgeOS smart-queue shaping on the WAN (160 Mbit down / 50 Mbit up); VyOS models shaping under traffic-policy instead (verify). */
traffic-control {
    smart-queue Stability {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 160mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 50mbit
        }
        wan-interface eth4
    }
}
/* Seven zones; every ordered zone pair is bound to a ruleset named <from>-<to> in the firewall section, so each zone's default-action drop is only reached by traffic with no matching from entry. NOTE(review): VyOS 1.4 moved this tree under firewall zone; verify against the target version. */
zone-policy {
    zone lan {
        default-action drop
        from local {
            firewall {
                name local-lan
            }
        }
        from wan {
            firewall {
                name wan-lan
            }
        }
        from wg0 {
            firewall {
                name wg0-lan
            }
        }
        from wg1 {
            firewall {
                name wg1-lan
            }
        }
        from wg2 {
            firewall {
                name wg2-lan
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-lan
            }
        }
        interface eth2
    }
    /* The router itself (local-zone). */
    zone local {
        default-action drop
        from lan {
            firewall {
                name lan-local
            }
        }
        from wan {
            firewall {
                name wan-local
            }
        }
        from wg0 {
            firewall {
                name wg0-local
            }
        }
        from wg1 {
            firewall {
                name wg1-local
            }
        }
        from wg2 {
            firewall {
                name wg2-local
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-local
            }
        }
        local-zone
    }
    zone wan {
        default-action drop
        from lan {
            firewall {
                name lan-wan
            }
        }
        from local {
            firewall {
                name local-wan
            }
        }
        from wg0 {
            firewall {
                name wg0-wan
            }
        }
        from wg1 {
            firewall {
                name wg1-wan
            }
        }
        from wg2 {
            firewall {
                name wg2-wan
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-wan
            }
        }
        interface eth4
    }
    zone wg0 {
        default-action drop
        from lan {
            firewall {
                name lan-wg0
            }
        }
        from local {
            firewall {
                name local-wg0
            }
        }
        from wan {
            firewall {
                name wan-wg0
            }
        }
        from wg1 {
            firewall {
                name wg1-wg0
            }
        }
        from wg2 {
            firewall {
                name wg2-wg0
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-wg0
            }
        }
        interface wg0
    }
    zone wg1 {
        default-action drop
        from lan {
            firewall {
                name lan-wg1
            }
        }
        from local {
            firewall {
                name local-wg1
            }
        }
        from wan {
            firewall {
                name wan-wg1
            }
        }
        from wg0 {
            firewall {
                name wg0-wg1
            }
        }
        from wg2 {
            firewall {
                name wg2-wg1
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-wg1
            }
        }
        interface wg1
    }
    zone wg2 {
        default-action drop
        from lan {
            firewall {
                name lan-wg2
            }
        }
        from local {
            firewall {
                name local-wg2
            }
        }
        from wan {
            firewall {
                name wan-wg2
            }
        }
        from wg0 {
            firewall {
                name wg0-wg2
            }
        }
        from wg1 {
            firewall {
                name wg1-wg2
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-wg2
            }
        }
        interface wg2
    }
    /* Despite the name this zone is the eth1 wifi segment ("Mullvad (Wifi)"), not a wireguard interface. */
    zone wgwifi {
        default-action drop
        from lan {
            firewall {
                name lan-wgwifi
            }
        }
        from local {
            firewall {
                name local-wgwifi
            }
        }
        from wan {
            firewall {
                name wan-wgwifi
            }
        }
        from wg0 {
            firewall {
                name wg0-wgwifi
            }
        }
        from wg1 {
            firewall {
                name wg1-wgwifi
            }
        }
        from wg2 {
            firewall {
                name wg2-wgwifi
            }
        }
        interface eth1
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.8-hotfix.1.5278088.200305.1641 */