VLANs, WAN LB and inter-VLAN/subnet routing

This is my config:

# Global firewall knobs: never answer broadcast pings, no SNMP trap on config changes.
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
# Address groups named cf-*: presumably the published source ranges of the
# Cloudflare proxy the poster mentions later in the thread (prefixes masked).
# Every inbound web rule below keys on these groups, so they need to be kept
# current — a stale entry silently blocks the proxy, an over-broad one opens
# the forwarded ports to anyone in that range.
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/29'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group network-group cf-ipv4 network 'xxx.xxx.48.0/20'
set firewall group network-group cf-ipv4 network 'xxx.xxx.244.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.200.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.4.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.64.0/18'
set firewall group network-group cf-ipv4 network 'xxx.xxx.192.0/18'
set firewall group network-group cf-ipv4 network 'xxx.xxx.240.0/20'
set firewall group network-group cf-ipv4 network 'xxx.xxx.96.0/20'
set firewall group network-group cf-ipv4 network 'xxx.xxx.240.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.128.0/17'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/15'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/13'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/14'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/13'
set firewall group network-group cf-ipv4 network 'xxx.xxx.72.0/22'
# IPv6 forward ruleset for the WAN side: default drop, and dropped packets are logged.
set firewall ipv6-name EXTERNAL-IN-v6 default-action 'drop'
set firewall ipv6-name EXTERNAL-IN-v6 enable-default-log
# Rule 10: return traffic of sessions opened from the inside.
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 action 'accept'
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 log 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 state established 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 state related 'enable'
# Rule 20: new HTTP/HTTPS from the cf-ipv6 group to ANY inside v6 address —
# unlike the IPv4 twin (EXTERNAL-IN rule 20) there is no destination address
# match, so every v6 host behind the router is reachable on 80/443 from that
# group. The group is declared above as ipv6-network-group and referenced
# here as network-group, which is the form this running config was committed with.
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 action 'accept'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 destination port '80,443'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 log 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 protocol 'tcp_udp'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 source group network-group 'cf-ipv6'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 state new 'enable'
# IPv6 ruleset for traffic addressed to the router itself on the WAN side.
set firewall ipv6-name EXTERNAL-LOCAL-v6 default-action 'drop'
set firewall ipv6-name EXTERNAL-LOCAL-v6 enable-default-log
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 action 'accept'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 state established 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 state related 'enable'
# Rule 20: the router answers ICMPv6 echo requests from any source (logged).
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 action 'accept'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 icmpv6 type 'echo-request'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 protocol 'icmpv6'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 state new 'enable'
# Rules 30/31: SSH on the router is reachable from any IPv6 source. Rule 30
# drops a source that has opened more than 15 new connections within 60 s
# (recent match); anything under that rate falls through to rule 31 and is
# accepted. This is brute-force throttling, not access control — the real
# gate is key-only login ('service ssh disable-password-authentication' below).
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 action 'drop'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 description 'ssh'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 destination port '22'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 protocol 'tcp'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 recent count '15'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 recent time '60'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 state new 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 action 'accept'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 destination port '22'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 protocol 'tcp'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 state new 'enable'
# Host hardening: ignore ICMP redirects and source-routed packets; log martians
# (packets with impossible source addresses) — useful because reverse-path
# filtering is switched off further down.
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
# IPv4 forward ruleset for the WAN side (bound to eth0 and eth1 'in').
# Forward filtering sees the destination AFTER the DNAT rules below have
# rewritten it, so these rules match on the inside addresses/ports.
set firewall name EXTERNAL-IN default-action 'drop'
set firewall name EXTERNAL-IN enable-default-log
# Rule 10: return traffic of sessions opened from the inside.
set firewall name EXTERNAL-IN rule 10 action 'accept'
set firewall name EXTERNAL-IN rule 10 log 'enable'
set firewall name EXTERNAL-IN rule 10 state established 'enable'
set firewall name EXTERNAL-IN rule 10 state related 'enable'
# Rule 20: web traffic to the servarr host (.71.2, VLAN 200), only from the
# cf-ipv4 group — this is where the "Cloudflare only" restriction for DNAT
# rules 10/20 actually lives; the DNAT rules themselves have no source match.
set firewall name EXTERNAL-IN rule 20 action 'accept'
set firewall name EXTERNAL-IN rule 20 description 'servarr-vlan200'
set firewall name EXTERNAL-IN rule 20 destination address 'xxx.xxx.71.2'
set firewall name EXTERNAL-IN rule 20 destination port '80,443'
set firewall name EXTERNAL-IN rule 20 log 'enable'
set firewall name EXTERNAL-IN rule 20 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 20 source group network-group 'cf-ipv4'
set firewall name EXTERNAL-IN rule 20 state new 'enable'
# Rules 21/22: DNS ("bind") on .71.2 port 5053 from ANY source. Rule 21 drops
# a source that opened more than 100 new connections in 60 s; rule 22 accepts
# the rest. NOTE(review): there is no source restriction at all on this pair,
# so the resolver is exposed to the whole internet on both WANs — the rate
# limit caps abuse per source but does not prevent it. Confirm bind is not
# recursing for outside clients (open-resolver / amplification risk), or pin
# the source to a group here the way rule 20 does.
set firewall name EXTERNAL-IN rule 21 action 'drop'
set firewall name EXTERNAL-IN rule 21 description 'bind-vlan200'
set firewall name EXTERNAL-IN rule 21 destination address 'xxx.xxx.71.2'
set firewall name EXTERNAL-IN rule 21 destination port '5053'
set firewall name EXTERNAL-IN rule 21 log 'enable'
set firewall name EXTERNAL-IN rule 21 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 21 recent count '100'
set firewall name EXTERNAL-IN rule 21 recent time '60'
set firewall name EXTERNAL-IN rule 21 state new 'enable'
set firewall name EXTERNAL-IN rule 22 action 'accept'
set firewall name EXTERNAL-IN rule 22 description 'bind-vlan200'
set firewall name EXTERNAL-IN rule 22 destination address 'xxx.xxx.71.2'
set firewall name EXTERNAL-IN rule 22 destination port '5053'
set firewall name EXTERNAL-IN rule 22 log 'enable'
set firewall name EXTERNAL-IN rule 22 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 22 state new 'enable'
# Rule 30: the kvm host (.69.6) from the cf-ipv4 group. Only port 443 is
# actually reachable: DNAT rules 30/40 map external 2053 to 443 on .69.6 and
# no DNAT rule in this dump delivers port 80 to that host, so the '80' part
# of the match is inert unless another translation exists.
set firewall name EXTERNAL-IN rule 30 action 'accept'
set firewall name EXTERNAL-IN rule 30 description 'kvm'
set firewall name EXTERNAL-IN rule 30 destination address 'xxx.xxx.69.6'
set firewall name EXTERNAL-IN rule 30 destination port '80,443'
set firewall name EXTERNAL-IN rule 30 log 'enable'
set firewall name EXTERNAL-IN rule 30 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 30 source group network-group 'cf-ipv4'
set firewall name EXTERNAL-IN rule 30 state new 'enable'
# IPv4 ruleset for traffic addressed to the router itself on the WAN side
# (bound to eth0 and eth1 'local'). Default drop, logged.
set firewall name EXTERNAL-LOCAL default-action 'drop'
set firewall name EXTERNAL-LOCAL enable-default-log
set firewall name EXTERNAL-LOCAL rule 10 action 'accept'
set firewall name EXTERNAL-LOCAL rule 10 log 'enable'
set firewall name EXTERNAL-LOCAL rule 10 state established 'enable'
set firewall name EXTERNAL-LOCAL rule 10 state related 'enable'
# Rule 20: the router answers pings from any source (logged).
set firewall name EXTERNAL-LOCAL rule 20 action 'accept'
set firewall name EXTERNAL-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name EXTERNAL-LOCAL rule 20 log 'enable'
set firewall name EXTERNAL-LOCAL rule 20 protocol 'icmp'
set firewall name EXTERNAL-LOCAL rule 20 state new 'enable'
# Rules 30/31: SSH reachable from any IPv4 source on both WANs; a source that
# opens more than 15 new connections in 60 s is dropped by rule 30, the rest
# is accepted by rule 31. Same throttle-not-allowlist caveat as the v6 twin.
set firewall name EXTERNAL-LOCAL rule 30 action 'drop'
set firewall name EXTERNAL-LOCAL rule 30 description 'ssh'
set firewall name EXTERNAL-LOCAL rule 30 destination port '22'
set firewall name EXTERNAL-LOCAL rule 30 log 'enable'
set firewall name EXTERNAL-LOCAL rule 30 protocol 'tcp'
set firewall name EXTERNAL-LOCAL rule 30 recent count '15'
set firewall name EXTERNAL-LOCAL rule 30 recent time '60'
set firewall name EXTERNAL-LOCAL rule 30 state new 'enable'
set firewall name EXTERNAL-LOCAL rule 31 action 'accept'
set firewall name EXTERNAL-LOCAL rule 31 destination port '22'
set firewall name EXTERNAL-LOCAL rule 31 log 'enable'
set firewall name EXTERNAL-LOCAL rule 31 protocol 'tcp'
set firewall name EXTERNAL-LOCAL rule 31 state new 'enable'
# Rule 40: GRE from the cf-ipv4 group, terminating the tun0 "magic-wan"
# tunnel. GRE carries no authentication or encryption, so this source-group
# match is the only gate on who can inject packets into the tunnel; and note
# that tun0 itself has no firewall attached (see the interfaces section), so
# whatever arrives inside the tunnel is not filtered by the EXTERNAL-* rules.
set firewall name EXTERNAL-LOCAL rule 40 action 'accept'
set firewall name EXTERNAL-LOCAL rule 40 description 'magic-wan'
set firewall name EXTERNAL-LOCAL rule 40 log 'enable'
set firewall name EXTERNAL-LOCAL rule 40 protocol 'gre'
set firewall name EXTERNAL-LOCAL rule 40 source group network-group 'cf-ipv4'
# Rule 50: ICMP echo replies accepted without a state match — presumably so
# the WAN load-balancer's health-check pings get their answers back even when
# conntrack would not treat them as established; verify that is the intent.
set firewall name EXTERNAL-LOCAL rule 50 action 'accept'
set firewall name EXTERNAL-LOCAL rule 50 icmp type-name 'echo-reply'
set firewall name EXTERNAL-LOCAL rule 50 log 'enable'
set firewall name EXTERNAL-LOCAL rule 50 protocol 'icmp'
# TCP MSS clamp on the tunnel: 1436 = tun0 mtu 1476 minus 40 bytes (IPv4 + TCP headers).
set firewall options interface tun0 adjust-mss '1436'
# Global behaviour. receive-redirects off is the safe choice; send-redirects
# on means the router will emit ICMP redirects to LAN hosts. source-validation
# 'disable' turns reverse-path filtering off for every interface — likely
# needed for the dual-WAN / policy-routing asymmetry, but it means packets with
# spoofed source addresses are not dropped on ingress (log-martians above at
# least logs them). syn-cookies on; RFC 1337 TIME-WAIT assassination
# protection left off.
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
# WAN 1 and WAN 2: both DHCP, both carry the EXTERNAL-* rulesets for v4 and v6
# in the 'in' (forwarded) and 'local' (to-router) directions. No 'out' ruleset.
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'EXTERNAL1'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 firewall in ipv6-name 'EXTERNAL-IN-v6'
set interfaces ethernet eth0 firewall in name 'EXTERNAL-IN'
set interfaces ethernet eth0 firewall local ipv6-name 'EXTERNAL-LOCAL-v6'
set interfaces ethernet eth0 firewall local name 'EXTERNAL-LOCAL'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:de'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address 'dhcp'
set interfaces ethernet eth1 description 'EXTERNAL2'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 firewall in ipv6-name 'EXTERNAL-IN-v6'
set interfaces ethernet eth1 firewall in name 'EXTERNAL-IN'
set interfaces ethernet eth1 firewall local ipv6-name 'EXTERNAL-LOCAL-v6'
set interfaces ethernet eth1 firewall local name 'EXTERNAL-LOCAL'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:df'
set interfaces ethernet eth1 speed 'auto'
# LAN side: untagged eth2 (.69.0/24) plus 802.1Q sub-interfaces for VLAN 100
# (.70.0/24, "asus") and VLAN 200 (.71.0/24, "servarr"), and a second untagged
# LAN on eth3 (.73.0/24). NONE of these carry a firewall ruleset in this dump:
# routing between the four networks is unfiltered (the subject of this
# thread), and every LAN/VLAN host can reach the router's own services
# (SSH, DNS forwarder, DHCP) because there is no 'local' ruleset either.
set interfaces ethernet eth2 address 'xxx.xxx.69.1/24'
set interfaces ethernet eth2 description 'INTERNAL1'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:e0'
# 30 s ARP cache timeout on eth2 — short; hosts are re-resolved often.
set interfaces ethernet eth2 ip arp-cache-timeout '30'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth2 vif 100 address 'xxx.xxx.70.1/24'
set interfaces ethernet eth2 vif 100 description 'asus'
set interfaces ethernet eth2 vif 200 address 'xxx.xxx.71.1/24'
set interfaces ethernet eth2 vif 200 description 'servarr'
# Empty 'ip' node under vif 200 — presumably a leftover from a removed
# setting; harmless but worth cleaning up.
set interfaces ethernet eth2 vif 200 ip
set interfaces ethernet eth3 address 'xxx.xxx.73.1/24'
set interfaces ethernet eth3 description 'INTERNAL2'
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:e1'
set interfaces ethernet eth3 speed 'auto'
set interfaces loopback lo
# GRE tunnel to the "magic-wan" peer, /31 point-to-point addressing.
# mtu 1476 = 1500 minus 20 (outer IPv4) minus 4 (GRE header).
# source-validation 'loose' on the tunnel only; the tunnel source is pinned
# to one fixed address even though both WANs are DHCP — presumably eth0's
# current lease; if that address changes or the WAN fails over to eth1 the
# tunnel will not follow (confirm). No firewall ruleset is attached to tun0,
# so traffic arriving through the tunnel reaches the router and the LANs
# without passing any of the EXTERNAL-* rules, which are bound to eth0/eth1 only.
set interfaces tunnel tun0 address 'xxx.xxx.72.20/31'
set interfaces tunnel tun0 description 'magic-wan'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 ip source-validation 'loose'
set interfaces tunnel tun0 mtu '1476'
set interfaces tunnel tun0 remote 'xxx.xxx.66.5'
set interfaces tunnel tun0 source-address 'xxx.xxx.189.102'
# WAN load balancing. Source NAT is left to the 'nat source' rules below;
# router-originated traffic is balanced too; conntrack entries are flushed
# when a WAN changes state (presumably — this drops in-flight sessions on failover).
set load-balancing wan disable-source-nat
set load-balancing wan enable-local-traffic
set load-balancing wan flush-connections
# Health checks, identical for both WANs: two ping tests against two public
# targets (masked), 5 s response limit, a WAN is marked down after 2 failures
# and up again after 1 success. ttl-limit is presumably inert for the 'ping'
# test type (it belongs to the udp/ttl probe) — verify on this release.
set load-balancing wan interface-health eth0 failure-count '2'
set load-balancing wan interface-health eth0 nexthop 'dhcp'
set load-balancing wan interface-health eth0 success-count '1'
set load-balancing wan interface-health eth0 test 10 resp-time '5'
set load-balancing wan interface-health eth0 test 10 target 'xxx.xxx.8.8'
set load-balancing wan interface-health eth0 test 10 ttl-limit '1'
set load-balancing wan interface-health eth0 test 10 type 'ping'
set load-balancing wan interface-health eth0 test 20 resp-time '5'
set load-balancing wan interface-health eth0 test 20 target 'xxx.xxx.1.1'
set load-balancing wan interface-health eth0 test 20 ttl-limit '1'
set load-balancing wan interface-health eth0 test 20 type 'ping'
set load-balancing wan interface-health eth1 failure-count '2'
set load-balancing wan interface-health eth1 nexthop 'dhcp'
set load-balancing wan interface-health eth1 success-count '1'
set load-balancing wan interface-health eth1 test 10 resp-time '5'
set load-balancing wan interface-health eth1 test 10 target 'xxx.xxx.8.8'
set load-balancing wan interface-health eth1 test 10 ttl-limit '1'
set load-balancing wan interface-health eth1 test 10 type 'ping'
set load-balancing wan interface-health eth1 test 20 resp-time '5'
set load-balancing wan interface-health eth1 test 20 target 'xxx.xxx.1.1'
set load-balancing wan interface-health eth1 test 20 ttl-limit '1'
set load-balancing wan interface-health eth1 test 20 type 'ping'
# Rule 10: failover mode (eth0 preferred at weight 10, eth1 at weight 1 takes
# over when eth0 is down) for all protocols arriving on eth2. Only the
# untagged eth2 network is listed; the VLAN sub-interfaces and eth3 are not,
# so whether their traffic is balanced depends on how this release matches
# sub-interfaces — verify. There is also no exclude rule for the local
# subnets, so eth2 traffic destined for the VLAN networks matches this rule
# and is handed to the balancer instead of being routed locally (the issue
# discussed in the thread).
set load-balancing wan rule 10 failover
set load-balancing wan rule 10 inbound-interface 'eth2'
set load-balancing wan rule 10 interface eth0 weight '10'
set load-balancing wan rule 10 interface eth1 weight '1'
set load-balancing wan rule 10 protocol 'all'
# Inbound sticky connections: replies to flows that arrived on one WAN are
# meant to leave via the same WAN (relevant to the DNAT rules below).
set load-balancing wan sticky-connections inbound
# Destination NAT, one rule per WAN interface for each published service.
# None of these carry a source match; the "only from cf-ipv4" restriction is
# enforced afterwards by EXTERNAL-IN, which sees the translated destination.
# Rules 10/20: WAN 80,443 -> servarr host .71.2 (VLAN 200), logged.
set nat destination rule 10 description 'servarr-vlan200-eth0'
set nat destination rule 10 destination port '80,443'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 log 'enable'
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address 'xxx.xxx.71.2'
# Rules 11/21: WAN 5053 -> bind on .71.2:5053, not logged here (EXTERNAL-IN
# rules 21/22 log it). Reachable from any source, see the firewall note.
set nat destination rule 11 description 'bind-vlan200-eth0'
set nat destination rule 11 destination port '5053'
set nat destination rule 11 inbound-interface 'eth0'
set nat destination rule 11 protocol 'tcp_udp'
set nat destination rule 11 translation address 'xxx.xxx.71.2'
set nat destination rule 11 translation port '5053'
set nat destination rule 20 description 'servarr-vlan200-eth1'
set nat destination rule 20 destination port '80,443'
set nat destination rule 20 inbound-interface 'eth1'
set nat destination rule 20 log 'enable'
set nat destination rule 20 protocol 'tcp_udp'
set nat destination rule 20 translation address 'xxx.xxx.71.2'
set nat destination rule 21 description 'bind-vlan200-eth1'
set nat destination rule 21 destination port '5053'
set nat destination rule 21 inbound-interface 'eth1'
set nat destination rule 21 protocol 'tcp_udp'
set nat destination rule 21 translation address 'xxx.xxx.71.2'
set nat destination rule 21 translation port '5053'
# Rules 30/40: WAN 2053 -> kvm host .69.6:443, gated by EXTERNAL-IN rule 30.
set nat destination rule 30 description 'kvm-eth0'
set nat destination rule 30 destination port '2053'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 log 'enable'
set nat destination rule 30 protocol 'tcp_udp'
set nat destination rule 30 translation address 'xxx.xxx.69.6'
set nat destination rule 30 translation port '443'
set nat destination rule 40 description 'kvm-eth1'
set nat destination rule 40 destination port '2053'
set nat destination rule 40 inbound-interface 'eth1'
set nat destination rule 40 log 'enable'
set nat destination rule 40 protocol 'tcp_udp'
set nat destination rule 40 translation address 'xxx.xxx.69.6'
set nat destination rule 40 translation port '443'
# NOTE(review): the same services are published on both WANs while the
# balancer runs in failover mode; a reply must leave on the WAN the request
# came in on, which is what 'sticky-connections inbound' is for. The timeouts
# described later in the thread are worth checking against that assumption.
# Source NAT: masquerade the whole xxx.xxx.0.0/16 out of each WAN. Logging
# every new outbound flow here is very chatty.
set nat source rule 100 description 'eth0'
set nat source rule 100 log 'enable'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address 'xxx.xxx.0.0/16'
set nat source rule 100 translation address 'masquerade'
set nat source rule 200 description 'eth1'
set nat source rule 200 log 'enable'
set nat source rule 200 outbound-interface 'eth1'
set nat source rule 200 source address 'xxx.xxx.0.0/16'
set nat source rule 200 translation address 'masquerade'
# Policy routing for the magic-wan tunnel: TCP/UDP from the single host .71.5
# (VLAN 200) is sent to table 100, whose only route is a default via the
# tunnel peer .72.21. Only tcp_udp is matched, so ICMP and any other protocol
# from .71.5 still follows the main table. NOTE(review): no line in this dump
# attaches the policy to an interface (expected on the interface .71.5 sits
# behind, i.e. eth2 vif 200); without that attachment the rule has no effect.
set policy route magic-wan enable-default-log
set policy route magic-wan rule 100 description 'magic-wan'
set policy route magic-wan rule 100 log 'enable'
set policy route magic-wan rule 100 protocol 'tcp_udp'
set policy route magic-wan rule 100 set table '100'
set policy route magic-wan rule 100 source address 'xxx.xxx.71.5'
# Table 100: default route (masked) via the tun0 peer.
set protocols static table 100 route xxx.xxx.0.0/0 next-hop xxx.xxx.72.21
# DHCP: one scope per LAN network. In every scope the router is both default
# gateway and name-server (it listens there with 'service dns forwarding').
# 300 s leases are short — expect frequent renewals. The static mappings
# (MACs masked) pin the hosts other sections depend on: .69.6 is the kvm DNAT
# target, .69.7 the upstream resolver, .71.2 the servarr/bind DNAT target and
# .71.5 the policy-routed magic-wan host. Those addresses fall inside
# 'range 0' (.2–.254) of their scopes; confirm the server reserves them
# rather than also handing them out dynamically.
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 default-router 'xxx.xxx.69.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 name-server 'xxx.xxx.69.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 range 0 start 'xxx.xxx.69.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 range 0 stop 'xxx.xxx.69.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.3'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:b6'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.6'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:33'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.7'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:64'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.4'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:28'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 default-router 'xxx.xxx.73.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 name-server 'xxx.xxx.73.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 range 0 start 'xxx.xxx.73.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 range 0 stop 'xxx.xxx.73.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 default-router 'xxx.xxx.70.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 name-server 'xxx.xxx.70.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 range 0 start 'xxx.xxx.70.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 range 0 stop 'xxx.xxx.70.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.70.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:d8'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 default-router 'xxx.xxx.71.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 name-server 'xxx.xxx.71.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 range 0 start 'xxx.xxx.71.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 range 0 stop 'xxx.xxx.71.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.4'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:53'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:07'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.3'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:c9'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.5'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:3e'
# DNS forwarder: answers only for the /16 that covers all four LANs, listens
# on the four LAN-side router addresses only (not on either WAN — good), and
# with cache-size 0 relays every query uncached to the inside resolver .69.7
# (the static-mapped host in the eth2 scope). The router itself is just a relay.
set service dns forwarding allow-from 'xxx.xxx.0.0/16'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address 'xxx.xxx.69.1'
set service dns forwarding listen-address 'xxx.xxx.70.1'
set service dns forwarding listen-address 'xxx.xxx.71.1'
set service dns forwarding listen-address 'xxx.xxx.73.1'
set service dns forwarding name-server 'xxx.xxx.69.7'
# SSH: key-only, verbose logging, default port. It is reachable from the
# internet on both WANs (EXTERNAL-LOCAL rules 30/31) and from every LAN/VLAN
# host, since no 'local' ruleset is attached to the inside interfaces.
set service ssh disable-password-authentication
set service ssh loglevel 'verbose'
set service ssh port '22'
# Keep the last 100 committed configs for rollback.
set system config-management commit-revisions '100'
# Conntrack ALG helper modules. Each helper parses application payloads and
# opens "related" pinholes on the fly; helpers that are not actually needed
# are extra attack surface (a long-standing netfilter hardening point), so
# consider removing any of these that no inside service uses.
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
# One local user: a password hash (still usable on the console / non-SSH
# logins) plus an ECDSA P-256 public key, which is what SSH logins use since
# password authentication is disabled under 'service ssh'.
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx key xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx type 'ecdsa-sha2-nistp256'
# Resolvers for the router's own lookups: its own forwarder first, then two public ones (masked).
set system name-server 'xxx.xxx.69.1'
set system name-server 'xxx.xxx.1.1'
set system name-server 'xxx.xxx.8.8'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
# Local hostname -> address table for the static-mapped LAN hosts (names masked).
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.70.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.3'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.6'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.7'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.1'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.4'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.4'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.3'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.5'
# accept_local=1 lets the kernel accept packets whose source is one of the
# router's own addresses arriving from the network. Together with
# 'firewall source-validation disable' above this removes another
# anti-spoofing check; presumably added for the tunnel / policy-route
# hairpin — confirm it is still required and, if so, document why here.
set system sysctl custom net.ipv4.conf.all.accept_local value '1'
# Everything at every level to the global syslog target, on top of per-rule
# firewall and NAT logging: expect a large log volume and size rotation for it.
set system syslog global facility all level 'all'
set system syslog global facility protocols level 'all'
set system time-zone 'Asia/Singapore'

Netgear GS308T:

ARP:
image

Interfaces:
WindowsTerminal_2022-05-21_15-44-27

IP route:
WindowsTerminal_2022-05-21_15-44-27

Problem:

  1. Hosts on a VLAN can ping hosts on the main network (non-VLAN), but hosts on the main network cannot ping hosts on the VLANs; hosts on the VLANs can ping each other as well. I want the opposite: I can ping the hosts on the VLANs, but they can't initiate a connection to hosts on the main network unless specifically allowed. I take this to be a zone-based policy? If so, how do I go about setting it up?

  2. With WAN LB, the DNAT settings on the VLANs don't work: remote connections time out, and if I set WAN LB rules on the VLAN interfaces, it goes kaput. Not quite sure why this is.

For point 1, the problem might be that all traffic received on eth2 is matching the WLB rule, so when pinging from a host on the main network to a host connected to VLAN X, the traffic goes through WLB. You can validate this using tcpdump.
If that's the scenario, adding an exclude rule to your WLB should fix the issue. For example:

# The exclude rule needs a lower number than the balancing rule (rule 10 in
# the posted config) so it is evaluated first; add one such rule per local
# subnet that should be routed directly instead of through the balancer.
set load-balancing wan rule 5 inbound-interface eth2
set load-balancing wan rule 5 destination address A.B.C.D/E   #--> your vlan network
set load-balancing wan rule 5 exclude

For point 1, the problem might be that all traffic received on eth2 is matching the WLB rule, so when pinging from a host on the main network to a host connected to VLAN X, the traffic goes through WLB

Yeah you're right, excluding it works now. So how do I actually segregate the VLANs so they can't talk to other hosts except for going to the internet?

From your post, your VLAN networks are:

# Router-side addresses: the untagged eth2 network plus the two 802.1Q
# sub-interfaces (VLAN IDs 100 and 200); all three are routed by this box.
set interfaces ethernet eth2 address 'xxx.xxx.69.1/24'
set interfaces ethernet eth2 vif 100 address 'xxx.xxx.70.1/24'
set interfaces ethernet eth2 vif 200 address 'xxx.xxx.71.1/24'

Firewall rules for blocking communication from vifs 100 and 200 to xxx.xxx.69.0/24:

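# Per-VLAN rulesets, applied in the 'in' direction of each sub-interface, i.e.
# to packets entering the router FROM the VLAN. default-action accept keeps the
# VLANs' internet access working; the drop rules only block traffic toward the
# other LAN networks. Rule 5 is what makes the stated goal work: without a
# stateful accept ahead of the drops, replies from a VLAN host to a session
# opened from the main network (e.g. an echo-reply to a ping from .69.x) are
# also matched by "destination .69.0/24 -> drop", so main-network hosts could
# not reach the VLANs either. With rule 5, only NEW connections initiated from
# the VLAN side are blocked.
# Define firewall rules for blocking communication from vif 100
set firewall name VLAN-100 default-action accept
set firewall name VLAN-100 rule 5 description "Allow replies to sessions opened from elsewhere"
set firewall name VLAN-100 rule 5 action accept
set firewall name VLAN-100 rule 5 state established enable
set firewall name VLAN-100 rule 5 state related enable
set firewall name VLAN-100 rule 10 description "Block to eth2 network"
set firewall name VLAN-100 rule 10 destination address xxx.xxx.69.0/24
set firewall name VLAN-100 rule 10 action drop
set firewall name VLAN-100 rule 20 description "Block to vif 200 network"
set firewall name VLAN-100 rule 20 destination address xxx.xxx.71.0/24
set firewall name VLAN-100 rule 20 action drop
# Define firewall rules for blocking communication from vif 200
set firewall name VLAN-200 default-action accept
set firewall name VLAN-200 rule 5 description "Allow replies to sessions opened from elsewhere"
set firewall name VLAN-200 rule 5 action accept
set firewall name VLAN-200 rule 5 state established enable
set firewall name VLAN-200 rule 5 state related enable
set firewall name VLAN-200 rule 10 description "Block to eth2 network"
set firewall name VLAN-200 rule 10 destination address xxx.xxx.69.0/24
set firewall name VLAN-200 rule 10 action drop
set firewall name VLAN-200 rule 20 description "Block to vif 100 network"
set firewall name VLAN-200 rule 20 destination address xxx.xxx.70.0/24
set firewall name VLAN-200 rule 20 action drop

# Attach firewall to desired interfaces ('in' = packets arriving from the VLAN)
set interfaces ethernet eth2 vif 100 firewall in name VLAN-100
set interfaces ethernet eth2 vif 200 firewall in name VLAN-200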

Awesome, that should work fine. Is there anything I'm missing? Should I be looking to segment on the smart switch itself, or is using firewall rules to segment the way to go?

And why default-action accept? It does seem necessary, because I lost internet access in the VLANs; is there a way to do a positive (allow-list) model, or is it unnecessary since a default-drop is already set on the WAN interfaces?

Additionally, with the WAN LB exclusion in place my NAT-ed environment doesn't work well when proxied by Cloudflare: tons of timeouts, because connections come in through both eth0 and eth1 instead of failing over from eth0. So I added source addresses to the WAN LB exclusions, but it still occurs; where should I be looking?

set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/29'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group network-group cf-ipv4 network 'xxx.xxx.48.0/20'
set firewall group network-group cf-ipv4 network 'xxx.xxx.244.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.200.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.4.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.64.0/18'
set firewall group network-group cf-ipv4 network 'xxx.xxx.192.0/18'
set firewall group network-group cf-ipv4 network 'xxx.xxx.240.0/20'
set firewall group network-group cf-ipv4 network 'xxx.xxx.96.0/20'
set firewall group network-group cf-ipv4 network 'xxx.xxx.240.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.128.0/17'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/15'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/13'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/14'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/13'
set firewall group network-group cf-ipv4 network 'xxx.xxx.72.0/22'
set firewall ipv6-name EXTERNAL-IN-v6 default-action 'drop'
set firewall ipv6-name EXTERNAL-IN-v6 enable-default-log
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 action 'accept'
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 log 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 state established 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 state related 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 action 'accept'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 destination port '80,443'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 log 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 protocol 'tcp_udp'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 source group network-group 'cf-ipv6'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 state new 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 default-action 'drop'
set firewall ipv6-name EXTERNAL-LOCAL-v6 enable-default-log
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 action 'accept'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 state established 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 state related 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 action 'accept'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 icmpv6 type 'echo-request'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 protocol 'icmpv6'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 state new 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 action 'drop'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 description 'ssh'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 destination port '22'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 protocol 'tcp'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 recent count '15'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 recent time '60'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 state new 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 action 'accept'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 destination port '22'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 protocol 'tcp'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 state new 'enable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name EXTERNAL-IN default-action 'drop'
set firewall name EXTERNAL-IN enable-default-log
set firewall name EXTERNAL-IN rule 10 action 'accept'
set firewall name EXTERNAL-IN rule 10 log 'enable'
set firewall name EXTERNAL-IN rule 10 state established 'enable'
set firewall name EXTERNAL-IN rule 10 state related 'enable'
set firewall name EXTERNAL-IN rule 20 action 'accept'
set firewall name EXTERNAL-IN rule 20 description 'servarr-vlan200'
set firewall name EXTERNAL-IN rule 20 destination address 'xxx.xxx.71.2'
set firewall name EXTERNAL-IN rule 20 destination port '80,443'
set firewall name EXTERNAL-IN rule 20 log 'enable'
set firewall name EXTERNAL-IN rule 20 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 20 source group network-group 'cf-ipv4'
set firewall name EXTERNAL-IN rule 20 state new 'enable'
set firewall name EXTERNAL-IN rule 21 action 'drop'
set firewall name EXTERNAL-IN rule 21 description 'bind-vlan200'
set firewall name EXTERNAL-IN rule 21 destination address 'xxx.xxx.71.2'
set firewall name EXTERNAL-IN rule 21 destination port '5053'
set firewall name EXTERNAL-IN rule 21 log 'enable'
set firewall name EXTERNAL-IN rule 21 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 21 recent count '100'
set firewall name EXTERNAL-IN rule 21 recent time '60'
set firewall name EXTERNAL-IN rule 21 state new 'enable'
set firewall name EXTERNAL-IN rule 22 action 'accept'
set firewall name EXTERNAL-IN rule 22 description 'bind-vlan200'
set firewall name EXTERNAL-IN rule 22 destination address 'xxx.xxx.71.2'
set firewall name EXTERNAL-IN rule 22 destination port '5053'
set firewall name EXTERNAL-IN rule 22 log 'enable'
set firewall name EXTERNAL-IN rule 22 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 22 state new 'enable'
set firewall name EXTERNAL-IN rule 30 action 'accept'
set firewall name EXTERNAL-IN rule 30 description 'kvm'
set firewall name EXTERNAL-IN rule 30 destination address 'xxx.xxx.69.6'
set firewall name EXTERNAL-IN rule 30 destination port '80,443'
set firewall name EXTERNAL-IN rule 30 log 'enable'
set firewall name EXTERNAL-IN rule 30 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 30 source group network-group 'cf-ipv4'
set firewall name EXTERNAL-IN rule 30 state new 'enable'
set firewall name EXTERNAL-LOCAL default-action 'drop'
set firewall name EXTERNAL-LOCAL enable-default-log
set firewall name EXTERNAL-LOCAL rule 10 action 'accept'
set firewall name EXTERNAL-LOCAL rule 10 log 'enable'
set firewall name EXTERNAL-LOCAL rule 10 state established 'enable'
set firewall name EXTERNAL-LOCAL rule 10 state related 'enable'
set firewall name EXTERNAL-LOCAL rule 20 action 'accept'
set firewall name EXTERNAL-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name EXTERNAL-LOCAL rule 20 log 'enable'
set firewall name EXTERNAL-LOCAL rule 20 protocol 'icmp'
set firewall name EXTERNAL-LOCAL rule 20 state new 'enable'
set firewall name EXTERNAL-LOCAL rule 30 action 'drop'
set firewall name EXTERNAL-LOCAL rule 30 description 'ssh'
set firewall name EXTERNAL-LOCAL rule 30 destination port '22'
set firewall name EXTERNAL-LOCAL rule 30 log 'enable'
set firewall name EXTERNAL-LOCAL rule 30 protocol 'tcp'
set firewall name EXTERNAL-LOCAL rule 30 recent count '15'
set firewall name EXTERNAL-LOCAL rule 30 recent time '60'
set firewall name EXTERNAL-LOCAL rule 30 state new 'enable'
set firewall name EXTERNAL-LOCAL rule 31 action 'accept'
set firewall name EXTERNAL-LOCAL rule 31 destination port '22'
set firewall name EXTERNAL-LOCAL rule 31 log 'enable'
set firewall name EXTERNAL-LOCAL rule 31 protocol 'tcp'
set firewall name EXTERNAL-LOCAL rule 31 state new 'enable'
set firewall name EXTERNAL-LOCAL rule 40 action 'accept'
set firewall name EXTERNAL-LOCAL rule 40 description 'magic-wan'
set firewall name EXTERNAL-LOCAL rule 40 log 'enable'
set firewall name EXTERNAL-LOCAL rule 40 protocol 'gre'
set firewall name EXTERNAL-LOCAL rule 40 source group network-group 'cf-ipv4'
set firewall name EXTERNAL-LOCAL rule 50 action 'accept'
set firewall name EXTERNAL-LOCAL rule 50 icmp type-name 'echo-reply'
set firewall name EXTERNAL-LOCAL rule 50 log 'enable'
set firewall name EXTERNAL-LOCAL rule 50 protocol 'icmp'
set firewall name VLAN-100 default-action 'accept'
set firewall name VLAN-100 enable-default-log
set firewall name VLAN-100 rule 10 action 'accept'
set firewall name VLAN-100 rule 10 log 'enable'
set firewall name VLAN-100 rule 10 state established 'enable'
set firewall name VLAN-100 rule 10 state related 'enable'
set firewall name VLAN-100 rule 30 action 'accept'
set firewall name VLAN-100 rule 30 description 'Printer access'
set firewall name VLAN-100 rule 30 destination address 'xxx.xxx.69.12'
set firewall name VLAN-100 rule 31 action 'accept'
set firewall name VLAN-100 rule 31 description 'Pihole DNS'
set firewall name VLAN-100 rule 31 destination address 'xxx.xxx.69.7'
set firewall name VLAN-100 rule 31 destination port '53'
set firewall name VLAN-100 rule 31 protocol 'tcp_udp'
set firewall name VLAN-100 rule 40 action 'drop'
set firewall name VLAN-100 rule 40 description 'Restrict Access to INTERNAL1 network'
set firewall name VLAN-100 rule 40 destination address 'xxx.xxx.69.0/24'
set firewall name VLAN-100 rule 41 action 'drop'
set firewall name VLAN-100 rule 41 description 'Restrict Access to VLAN200 network'
set firewall name VLAN-100 rule 41 destination address 'xxx.xxx.71.0/24'
set firewall name VLAN-200 default-action 'accept'
set firewall name VLAN-200 enable-default-log
set firewall name VLAN-200 rule 10 action 'accept'
set firewall name VLAN-200 rule 10 log 'enable'
set firewall name VLAN-200 rule 10 state established 'enable'
set firewall name VLAN-200 rule 10 state related 'enable'
set firewall name VLAN-200 rule 30 action 'accept'
set firewall name VLAN-200 rule 30 description 'Printer access'
set firewall name VLAN-200 rule 30 destination address 'xxx.xxx.69.12'
set firewall name VLAN-200 rule 31 action 'accept'
set firewall name VLAN-200 rule 31 description 'Pihole DNS'
set firewall name VLAN-200 rule 31 destination address 'xxx.xxx.69.7'
set firewall name VLAN-200 rule 31 destination port '53'
set firewall name VLAN-200 rule 31 protocol 'tcp_udp'
set firewall name VLAN-200 rule 32 action 'accept'
set firewall name VLAN-200 rule 32 description 'ERFI1 Access'
set firewall name VLAN-200 rule 32 destination address 'xxx.xxx.69.3'
set firewall name VLAN-200 rule 32 protocol 'tcp_udp'
set firewall name VLAN-200 rule 33 action 'accept'
set firewall name VLAN-200 rule 33 description 'Magic Access'
set firewall name VLAN-200 rule 33 destination address 'xxx.xxx.72.21'
set firewall name VLAN-200 rule 40 action 'drop'
set firewall name VLAN-200 rule 40 description 'Restrict Access to INTERNAL1 network'
set firewall name VLAN-200 rule 40 destination address 'xxx.xxx.69.0/24'
set firewall name VLAN-200 rule 41 action 'drop'
set firewall name VLAN-200 rule 41 description 'Restrict Access to VLAN100 network'
set firewall name VLAN-200 rule 41 destination address 'xxx.xxx.70.0/24'
set firewall options interface tun0 adjust-mss '1436'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'EXTERNAL1'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 firewall in ipv6-name 'EXTERNAL-IN-v6'
set interfaces ethernet eth0 firewall in name 'EXTERNAL-IN'
set interfaces ethernet eth0 firewall local ipv6-name 'EXTERNAL-LOCAL-v6'
set interfaces ethernet eth0 firewall local name 'EXTERNAL-LOCAL'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:de'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address 'dhcp'
set interfaces ethernet eth1 description 'EXTERNAL2'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 firewall in ipv6-name 'EXTERNAL-IN-v6'
set interfaces ethernet eth1 firewall in name 'EXTERNAL-IN'
set interfaces ethernet eth1 firewall local ipv6-name 'EXTERNAL-LOCAL-v6'
set interfaces ethernet eth1 firewall local name 'EXTERNAL-LOCAL'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:df'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 address 'xxx.xxx.69.1/24'
set interfaces ethernet eth2 description 'INTERNAL1'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:e0'
set interfaces ethernet eth2 ip arp-cache-timeout '30'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth2 vif 100 address 'xxx.xxx.70.1/24'
set interfaces ethernet eth2 vif 100 description 'asus'
set interfaces ethernet eth2 vif 100 firewall in name 'VLAN-100'
set interfaces ethernet eth2 vif 200 address 'xxx.xxx.71.1/24'
set interfaces ethernet eth2 vif 200 description 'servarr'
set interfaces ethernet eth2 vif 200 firewall in name 'VLAN-200'
set interfaces ethernet eth2 vif 200 policy route 'magic-wan'
set interfaces ethernet eth3 address 'xxx.xxx.73.1/24'
set interfaces ethernet eth3 description 'INTERNAL2'
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:e1'
set interfaces ethernet eth3 speed 'auto'
set interfaces loopback lo
set interfaces tunnel tun0 address 'xxx.xxx.72.20/31'
set interfaces tunnel tun0 description 'magic-wan'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 ip source-validation 'loose'
set interfaces tunnel tun0 mtu '1476'
set interfaces tunnel tun0 remote 'xxx.xxx.66.5'
set interfaces tunnel tun0 source-address 'xxx.xxx.189.102'
set load-balancing wan disable-source-nat
set load-balancing wan enable-local-traffic
set load-balancing wan flush-connections
set load-balancing wan interface-health eth0 failure-count '2'
set load-balancing wan interface-health eth0 nexthop 'dhcp'
set load-balancing wan interface-health eth0 success-count '1'
set load-balancing wan interface-health eth0 test 10 resp-time '5'
set load-balancing wan interface-health eth0 test 10 target 'xxx.xxx.8.8'
set load-balancing wan interface-health eth0 test 10 ttl-limit '1'
set load-balancing wan interface-health eth0 test 10 type 'ping'
set load-balancing wan interface-health eth0 test 20 resp-time '5'
set load-balancing wan interface-health eth0 test 20 target 'xxx.xxx.1.1'
set load-balancing wan interface-health eth0 test 20 ttl-limit '1'
set load-balancing wan interface-health eth0 test 20 type 'ping'
set load-balancing wan interface-health eth1 failure-count '2'
set load-balancing wan interface-health eth1 nexthop 'dhcp'
set load-balancing wan interface-health eth1 success-count '1'
set load-balancing wan interface-health eth1 test 10 resp-time '5'
set load-balancing wan interface-health eth1 test 10 target 'xxx.xxx.8.8'
set load-balancing wan interface-health eth1 test 10 ttl-limit '1'
set load-balancing wan interface-health eth1 test 10 type 'ping'
set load-balancing wan interface-health eth1 test 20 resp-time '5'
set load-balancing wan interface-health eth1 test 20 target 'xxx.xxx.1.1'
set load-balancing wan interface-health eth1 test 20 ttl-limit '1'
set load-balancing wan interface-health eth1 test 20 type 'ping'
set load-balancing wan rule 5 description 'magic-wan'
set load-balancing wan rule 5 destination address 'xxx.xxx.72.21/31'
set load-balancing wan rule 5 exclude
set load-balancing wan rule 5 inbound-interface 'eth0'
set load-balancing wan rule 5 protocol 'all'
set load-balancing wan rule 10 description 'vlan-exclusion-100'
set load-balancing wan rule 10 destination address 'xxx.xxx.70.1/24'
set load-balancing wan rule 10 exclude
set load-balancing wan rule 10 inbound-interface 'eth2'
set load-balancing wan rule 10 protocol 'all'
set load-balancing wan rule 10 source address 'xxx.xxx.69.1/24'
set load-balancing wan rule 20 description 'vlan-exclusion-200'
set load-balancing wan rule 20 destination address 'xxx.xxx.71.1/24'
set load-balancing wan rule 20 exclude
set load-balancing wan rule 20 inbound-interface 'eth2'
set load-balancing wan rule 20 protocol 'all'
set load-balancing wan rule 20 source address 'xxx.xxx.69.1/24'
set load-balancing wan rule 30 failover
set load-balancing wan rule 30 inbound-interface 'eth2'
set load-balancing wan rule 30 interface eth0 weight '10'
set load-balancing wan rule 30 interface eth1 weight '1'
set load-balancing wan rule 30 protocol 'all'
set load-balancing wan sticky-connections inbound
set nat destination rule 10 description 'servarr-vlan200-eth0'
set nat destination rule 10 destination port '80,443'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 log 'enable'
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address 'xxx.xxx.71.2'
set nat destination rule 11 description 'bind-vlan200-eth0'
set nat destination rule 11 destination port '5053'
set nat destination rule 11 inbound-interface 'eth0'
set nat destination rule 11 protocol 'tcp_udp'
set nat destination rule 11 translation address 'xxx.xxx.71.2'
set nat destination rule 11 translation port '5053'
set nat destination rule 20 description 'servarr-vlan200-eth1'
set nat destination rule 20 destination port '80,443'
set nat destination rule 20 inbound-interface 'eth1'
set nat destination rule 20 log 'enable'
set nat destination rule 20 protocol 'tcp_udp'
set nat destination rule 20 translation address 'xxx.xxx.71.2'
set nat destination rule 21 description 'bind-vlan200-eth1'
set nat destination rule 21 destination port '5053'
set nat destination rule 21 inbound-interface 'eth1'
set nat destination rule 21 protocol 'tcp_udp'
set nat destination rule 21 translation address 'xxx.xxx.71.2'
set nat destination rule 21 translation port '5053'
set nat destination rule 30 description 'kvm-eth0'
set nat destination rule 30 destination port '2053'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 log 'enable'
set nat destination rule 30 protocol 'tcp_udp'
set nat destination rule 30 translation address 'xxx.xxx.69.6'
set nat destination rule 30 translation port '443'
set nat destination rule 40 description 'kvm-eth1'
set nat destination rule 40 destination port '2053'
set nat destination rule 40 inbound-interface 'eth1'
set nat destination rule 40 log 'enable'
set nat destination rule 40 protocol 'tcp_udp'
set nat destination rule 40 translation address 'xxx.xxx.69.6'
set nat destination rule 40 translation port '443'
set nat source rule 100 description 'eth0'
set nat source rule 100 log 'enable'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address 'xxx.xxx.0.0/16'
set nat source rule 100 translation address 'masquerade'
set nat source rule 200 description 'eth1'
set nat source rule 200 log 'enable'
set nat source rule 200 outbound-interface 'eth1'
set nat source rule 200 source address 'xxx.xxx.0.0/16'
set nat source rule 200 translation address 'masquerade'
set policy route magic-wan enable-default-log
set policy route magic-wan rule 100 description 'magic-wan'
set policy route magic-wan rule 100 log 'enable'
set policy route magic-wan rule 100 protocol 'tcp_udp'
set policy route magic-wan rule 100 set table '100'
set policy route magic-wan rule 100 source address 'xxx.xxx.71.5'
set protocols static table 100 route xxx.xxx.0.0/0 next-hop xxx.xxx.72.21
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 default-router 'xxx.xxx.69.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 name-server 'xxx.xxx.69.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 range 0 start 'xxx.xxx.69.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 range 0 stop 'xxx.xxx.69.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.3'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:b6'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.6'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:33'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.7'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:64'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.4'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:28'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 default-router 'xxx.xxx.73.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 name-server 'xxx.xxx.73.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 range 0 start 'xxx.xxx.73.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 range 0 stop 'xxx.xxx.73.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 default-router 'xxx.xxx.70.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 name-server 'xxx.xxx.70.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 range 0 start 'xxx.xxx.70.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 range 0 stop 'xxx.xxx.70.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.70.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:d8'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 default-router 'xxx.xxx.71.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 name-server 'xxx.xxx.71.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 range 0 start 'xxx.xxx.71.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 range 0 stop 'xxx.xxx.71.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.4'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:53'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:07'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.3'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:c9'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.5'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:1c'
set service dns forwarding allow-from 'xxx.xxx.0.0/16'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address 'xxx.xxx.69.1'
set service dns forwarding listen-address 'xxx.xxx.70.1'
set service dns forwarding listen-address 'xxx.xxx.71.1'
set service dns forwarding listen-address 'xxx.xxx.73.1'
set service dns forwarding name-server 'xxx.xxx.69.7'
set service ssh disable-password-authentication
set service ssh loglevel 'verbose'
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx key xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx type 'ecdsa-sha2-nistp256'
set system name-server 'xxx.xxx.69.1'
set system name-server 'xxx.xxx.1.1'
set system name-server 'xxx.xxx.8.8'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.70.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.3'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.6'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.7'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.1'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.4'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.4'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.3'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.5'
set system sysctl custom net.ipv4.conf.all.accept_local value '1'
set system syslog global facility all level 'all'
set system syslog global facility protocols level 'all'
set system time-zone 'Asia/Singapore'

What’s the purpose of rule 5 of the WLB? You are using inbound-interface eth0, but that is defined as one of your WAN interfaces.
Also, you may try removing the command `set load-balancing wan disable-source-nat` and letting the automatic NAT do the job.
Also, the exclusion rules (10 and 20) look OK. Rule 30 applies WLB to eth2, but not to VLANs 100 and 200. If you need to balance that traffic, you may need more rules.

What’s the purpose of rule 5 of the WLB? You are using inbound-interface eth0, but that is defined as one of your WAN interfaces.

So I’m running a GRE tunnel to Cloudflare, and it doesn’t work with WLB on, but this rule isn’t doing anything anyway.

Rule 30 applies WLB to eth2, but not to VLANs 100 and 200. If you need to balance that traffic, you may need more rules.

I did try to balance eth2.100 and eth2.200, but I lost internet access: I could still ping other networks from eth2, but other protocols failed, and SSH connections were lost as well.

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/29'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group network-group cf-ipv4 network 'xxx.xxx.48.0/20'
set firewall group network-group cf-ipv4 network 'xxx.xxx.244.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.200.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.4.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.64.0/18'
set firewall group network-group cf-ipv4 network 'xxx.xxx.192.0/18'
set firewall group network-group cf-ipv4 network 'xxx.xxx.240.0/20'
set firewall group network-group cf-ipv4 network 'xxx.xxx.96.0/20'
set firewall group network-group cf-ipv4 network 'xxx.xxx.240.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.128.0/17'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/15'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/13'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/14'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/13'
set firewall group network-group cf-ipv4 network 'xxx.xxx.72.0/22'
set firewall ipv6-name EXTERNAL-IN-v6 default-action 'drop'
set firewall ipv6-name EXTERNAL-IN-v6 enable-default-log
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 action 'accept'
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 log 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 state established 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 state related 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 action 'accept'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 destination port '80,443'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 log 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 protocol 'tcp_udp'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 source group network-group 'cf-ipv6'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 state new 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 default-action 'drop'
set firewall ipv6-name EXTERNAL-LOCAL-v6 enable-default-log
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 action 'accept'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 state established 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 state related 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 action 'accept'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 icmpv6 type 'echo-request'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 protocol 'icmpv6'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 state new 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 action 'drop'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 description 'ssh'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 destination port '22'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 protocol 'tcp'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 recent count '15'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 recent time '60'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 state new 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 action 'accept'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 destination port '22'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 protocol 'tcp'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 state new 'enable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name EXTERNAL-IN default-action 'drop'
set firewall name EXTERNAL-IN enable-default-log
set firewall name EXTERNAL-IN rule 10 action 'accept'
set firewall name EXTERNAL-IN rule 10 log 'enable'
set firewall name EXTERNAL-IN rule 10 state established 'enable'
set firewall name EXTERNAL-IN rule 10 state related 'enable'
set firewall name EXTERNAL-IN rule 20 action 'accept'
set firewall name EXTERNAL-IN rule 20 description 'servarr-vlan200'
set firewall name EXTERNAL-IN rule 20 destination address 'xxx.xxx.71.2'
set firewall name EXTERNAL-IN rule 20 destination port '80,443'
set firewall name EXTERNAL-IN rule 20 log 'enable'
set firewall name EXTERNAL-IN rule 20 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 20 source group network-group 'cf-ipv4'
set firewall name EXTERNAL-IN rule 20 state new 'enable'
set firewall name EXTERNAL-IN rule 21 action 'drop'
set firewall name EXTERNAL-IN rule 21 description 'bind-vlan200'
set firewall name EXTERNAL-IN rule 21 destination address 'xxx.xxx.71.2'
set firewall name EXTERNAL-IN rule 21 destination port '5053'
set firewall name EXTERNAL-IN rule 21 log 'enable'
set firewall name EXTERNAL-IN rule 21 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 21 recent count '100'
set firewall name EXTERNAL-IN rule 21 recent time '60'
set firewall name EXTERNAL-IN rule 21 state new 'enable'
set firewall name EXTERNAL-IN rule 22 action 'accept'
set firewall name EXTERNAL-IN rule 22 description 'bind-vlan200'
set firewall name EXTERNAL-IN rule 22 destination address 'xxx.xxx.71.2'
set firewall name EXTERNAL-IN rule 22 destination port '5053'
set firewall name EXTERNAL-IN rule 22 log 'enable'
set firewall name EXTERNAL-IN rule 22 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 22 state new 'enable'
set firewall name EXTERNAL-IN rule 30 action 'accept'
set firewall name EXTERNAL-IN rule 30 description 'kvm'
set firewall name EXTERNAL-IN rule 30 destination address 'xxx.xxx.69.6'
set firewall name EXTERNAL-IN rule 30 destination port '80,443'
set firewall name EXTERNAL-IN rule 30 log 'enable'
set firewall name EXTERNAL-IN rule 30 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 30 source group network-group 'cf-ipv4'
set firewall name EXTERNAL-IN rule 30 state new 'enable'
set firewall name EXTERNAL-LOCAL default-action 'drop'
set firewall name EXTERNAL-LOCAL enable-default-log
set firewall name EXTERNAL-LOCAL rule 10 action 'accept'
set firewall name EXTERNAL-LOCAL rule 10 log 'enable'
set firewall name EXTERNAL-LOCAL rule 10 state established 'enable'
set firewall name EXTERNAL-LOCAL rule 10 state related 'enable'
set firewall name EXTERNAL-LOCAL rule 20 action 'accept'
set firewall name EXTERNAL-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name EXTERNAL-LOCAL rule 20 log 'enable'
set firewall name EXTERNAL-LOCAL rule 20 protocol 'icmp'
set firewall name EXTERNAL-LOCAL rule 20 state new 'enable'
set firewall name EXTERNAL-LOCAL rule 30 action 'drop'
set firewall name EXTERNAL-LOCAL rule 30 description 'ssh'
set firewall name EXTERNAL-LOCAL rule 30 destination port '22'
set firewall name EXTERNAL-LOCAL rule 30 log 'enable'
set firewall name EXTERNAL-LOCAL rule 30 protocol 'tcp'
set firewall name EXTERNAL-LOCAL rule 30 recent count '15'
set firewall name EXTERNAL-LOCAL rule 30 recent time '60'
set firewall name EXTERNAL-LOCAL rule 30 state new 'enable'
set firewall name EXTERNAL-LOCAL rule 31 action 'accept'
set firewall name EXTERNAL-LOCAL rule 31 destination port '22'
set firewall name EXTERNAL-LOCAL rule 31 log 'enable'
set firewall name EXTERNAL-LOCAL rule 31 protocol 'tcp'
set firewall name EXTERNAL-LOCAL rule 31 state new 'enable'
set firewall name EXTERNAL-LOCAL rule 40 action 'accept'
set firewall name EXTERNAL-LOCAL rule 40 description 'magic-wan'
set firewall name EXTERNAL-LOCAL rule 40 log 'enable'
set firewall name EXTERNAL-LOCAL rule 40 protocol 'gre'
set firewall name EXTERNAL-LOCAL rule 40 source group network-group 'cf-ipv4'
set firewall name EXTERNAL-LOCAL rule 50 action 'accept'
set firewall name EXTERNAL-LOCAL rule 50 icmp type-name 'echo-reply'
set firewall name EXTERNAL-LOCAL rule 50 log 'enable'
set firewall name EXTERNAL-LOCAL rule 50 protocol 'icmp'
set firewall name VLAN-100 default-action 'accept'
set firewall name VLAN-100 enable-default-log
set firewall name VLAN-100 rule 10 action 'accept'
set firewall name VLAN-100 rule 10 log 'enable'
set firewall name VLAN-100 rule 10 state established 'enable'
set firewall name VLAN-100 rule 10 state related 'enable'
set firewall name VLAN-100 rule 30 action 'accept'
set firewall name VLAN-100 rule 30 description 'Printer access'
set firewall name VLAN-100 rule 30 destination address 'xxx.xxx.69.12'
set firewall name VLAN-100 rule 31 action 'accept'
set firewall name VLAN-100 rule 31 description 'Pihole DNS'
set firewall name VLAN-100 rule 31 destination address 'xxx.xxx.69.7'
set firewall name VLAN-100 rule 31 destination port '53'
set firewall name VLAN-100 rule 31 protocol 'tcp_udp'
set firewall name VLAN-100 rule 40 action 'drop'
set firewall name VLAN-100 rule 40 description 'Restrict Access to INTERNAL1 network'
set firewall name VLAN-100 rule 40 destination address 'xxx.xxx.69.0/24'
set firewall name VLAN-100 rule 41 action 'drop'
set firewall name VLAN-100 rule 41 description 'Restrict Access to VLAN200 network'
set firewall name VLAN-100 rule 41 destination address 'xxx.xxx.71.0/24'
set firewall name VLAN-200 default-action 'accept'
set firewall name VLAN-200 enable-default-log
set firewall name VLAN-200 rule 10 action 'accept'
set firewall name VLAN-200 rule 10 log 'enable'
set firewall name VLAN-200 rule 10 state established 'enable'
set firewall name VLAN-200 rule 10 state related 'enable'
set firewall name VLAN-200 rule 30 action 'accept'
set firewall name VLAN-200 rule 30 description 'Printer access'
set firewall name VLAN-200 rule 30 destination address 'xxx.xxx.69.12'
set firewall name VLAN-200 rule 31 action 'accept'
set firewall name VLAN-200 rule 31 description 'Pihole DNS'
set firewall name VLAN-200 rule 31 destination address 'xxx.xxx.69.7'
set firewall name VLAN-200 rule 31 destination port '53'
set firewall name VLAN-200 rule 31 protocol 'tcp_udp'
set firewall name VLAN-200 rule 32 action 'accept'
set firewall name VLAN-200 rule 32 description 'ERFI1 Access'
set firewall name VLAN-200 rule 32 destination address 'xxx.xxx.69.3'
set firewall name VLAN-200 rule 32 protocol 'tcp_udp'
set firewall name VLAN-200 rule 33 action 'accept'
set firewall name VLAN-200 rule 33 description 'Magic Access'
set firewall name VLAN-200 rule 33 destination address 'xxx.xxx.72.21'
set firewall name VLAN-200 rule 40 action 'drop'
set firewall name VLAN-200 rule 40 description 'Restrict Access to INTERNAL1 network'
set firewall name VLAN-200 rule 40 destination address 'xxx.xxx.69.0/24'
set firewall name VLAN-200 rule 41 action 'drop'
set firewall name VLAN-200 rule 41 description 'Restrict Access to VLAN100 network'
set firewall name VLAN-200 rule 41 destination address 'xxx.xxx.70.0/24'
set firewall options interface tun0 adjust-mss '1436'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'EXTERNAL1'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 firewall in ipv6-name 'EXTERNAL-IN-v6'
set interfaces ethernet eth0 firewall in name 'EXTERNAL-IN'
set interfaces ethernet eth0 firewall local ipv6-name 'EXTERNAL-LOCAL-v6'
set interfaces ethernet eth0 firewall local name 'EXTERNAL-LOCAL'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:de'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address 'dhcp'
set interfaces ethernet eth1 description 'EXTERNAL2'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 firewall in ipv6-name 'EXTERNAL-IN-v6'
set interfaces ethernet eth1 firewall in name 'EXTERNAL-IN'
set interfaces ethernet eth1 firewall local ipv6-name 'EXTERNAL-LOCAL-v6'
set interfaces ethernet eth1 firewall local name 'EXTERNAL-LOCAL'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:df'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 address 'xxx.xxx.69.1/24'
set interfaces ethernet eth2 description 'INTERNAL1'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:e0'
set interfaces ethernet eth2 ip arp-cache-timeout '30'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth2 vif 100 address 'xxx.xxx.70.1/24'
set interfaces ethernet eth2 vif 100 description 'asus'
set interfaces ethernet eth2 vif 100 firewall in name 'VLAN-100'
set interfaces ethernet eth2 vif 200 address 'xxx.xxx.71.1/24'
set interfaces ethernet eth2 vif 200 description 'servarr'
set interfaces ethernet eth2 vif 200 firewall in name 'VLAN-200'
set interfaces ethernet eth2 vif 200 policy route 'magic-wan'
set interfaces ethernet eth3 address 'xxx.xxx.73.1/24'
set interfaces ethernet eth3 description 'INTERNAL2'
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:e1'
set interfaces ethernet eth3 speed 'auto'
set interfaces loopback lo
set interfaces tunnel tun0 address 'xxx.xxx.72.20/31'
set interfaces tunnel tun0 description 'magic-wan'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 ip source-validation 'loose'
set interfaces tunnel tun0 mtu '1476'
set interfaces tunnel tun0 remote 'xxx.xxx.66.5'
set interfaces tunnel tun0 source-address 'xxx.xxx.189.102'
set load-balancing wan enable-local-traffic
set load-balancing wan flush-connections
set load-balancing wan interface-health eth0 failure-count '2'
set load-balancing wan interface-health eth0 nexthop 'dhcp'
set load-balancing wan interface-health eth0 success-count '1'
set load-balancing wan interface-health eth0 test 10 resp-time '5'
set load-balancing wan interface-health eth0 test 10 target 'xxx.xxx.8.8'
set load-balancing wan interface-health eth0 test 10 ttl-limit '1'
set load-balancing wan interface-health eth0 test 10 type 'ping'
set load-balancing wan interface-health eth0 test 20 resp-time '5'
set load-balancing wan interface-health eth0 test 20 target 'xxx.xxx.1.1'
set load-balancing wan interface-health eth0 test 20 ttl-limit '1'
set load-balancing wan interface-health eth0 test 20 type 'ping'
set load-balancing wan interface-health eth1 failure-count '2'
set load-balancing wan interface-health eth1 nexthop 'dhcp'
set load-balancing wan interface-health eth1 success-count '1'
set load-balancing wan interface-health eth1 test 10 resp-time '5'
set load-balancing wan interface-health eth1 test 10 target 'xxx.xxx.8.8'
set load-balancing wan interface-health eth1 test 10 ttl-limit '1'
set load-balancing wan interface-health eth1 test 10 type 'ping'
set load-balancing wan interface-health eth1 test 20 resp-time '5'
set load-balancing wan interface-health eth1 test 20 target 'xxx.xxx.1.1'
set load-balancing wan interface-health eth1 test 20 ttl-limit '1'
set load-balancing wan interface-health eth1 test 20 type 'ping'
set load-balancing wan rule 10 description 'magic-wan'
set load-balancing wan rule 10 destination address 'xxx.xxx.72.21/31'
set load-balancing wan rule 10 exclude
set load-balancing wan rule 10 inbound-interface 'eth0'
set load-balancing wan rule 10 protocol 'all'
set load-balancing wan rule 20 description 'vlan-exclusion-100'
set load-balancing wan rule 20 destination address 'xxx.xxx.70.1/24'
set load-balancing wan rule 20 exclude
set load-balancing wan rule 20 inbound-interface 'eth2'
set load-balancing wan rule 20 protocol 'all'
set load-balancing wan rule 20 source address 'xxx.xxx.69.1/24'
set load-balancing wan rule 30 description 'vlan-exclusion-200'
set load-balancing wan rule 30 destination address 'xxx.xxx.71.1/24'
set load-balancing wan rule 30 exclude
set load-balancing wan rule 30 inbound-interface 'eth2'
set load-balancing wan rule 30 protocol 'all'
set load-balancing wan rule 30 source address 'xxx.xxx.69.1/24'
set load-balancing wan rule 42 failover
set load-balancing wan rule 42 inbound-interface 'eth2'
set load-balancing wan rule 42 interface eth0 weight '10'
set load-balancing wan rule 42 interface eth1 weight '1'
set load-balancing wan rule 42 protocol 'all'
set nat destination rule 10 description 'servarr-vlan200-eth0'
set nat destination rule 10 destination port '80,443'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 log 'enable'
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address 'xxx.xxx.71.2'
set nat destination rule 11 description 'bind-vlan200-eth0'
set nat destination rule 11 destination port '5053'
set nat destination rule 11 inbound-interface 'eth0'
set nat destination rule 11 protocol 'tcp_udp'
set nat destination rule 11 translation address 'xxx.xxx.71.2'
set nat destination rule 11 translation port '5053'
set nat destination rule 20 description 'servarr-vlan200-eth1'
set nat destination rule 20 destination port '80,443'
set nat destination rule 20 inbound-interface 'eth1'
set nat destination rule 20 log 'enable'
set nat destination rule 20 protocol 'tcp_udp'
set nat destination rule 20 translation address 'xxx.xxx.71.2'
set nat destination rule 21 description 'bind-vlan200-eth1'
set nat destination rule 21 destination port '5053'
set nat destination rule 21 inbound-interface 'eth1'
set nat destination rule 21 protocol 'tcp_udp'
set nat destination rule 21 translation address 'xxx.xxx.71.2'
set nat destination rule 21 translation port '5053'
set nat destination rule 30 description 'kvm-eth0'
set nat destination rule 30 destination port '2053'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 log 'enable'
set nat destination rule 30 protocol 'tcp_udp'
set nat destination rule 30 translation address 'xxx.xxx.69.6'
set nat destination rule 30 translation port '443'
set nat destination rule 40 description 'kvm-eth1'
set nat destination rule 40 destination port '2053'
set nat destination rule 40 inbound-interface 'eth1'
set nat destination rule 40 log 'enable'
set nat destination rule 40 protocol 'tcp_udp'
set nat destination rule 40 translation address 'xxx.xxx.69.6'
set nat destination rule 40 translation port '443'
set nat source rule 100 description 'eth0'
set nat source rule 100 log 'enable'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address 'xxx.xxx.0.0/16'
set nat source rule 100 translation address 'masquerade'
set nat source rule 200 description 'eth1'
set nat source rule 200 log 'enable'
set nat source rule 200 outbound-interface 'eth1'
set nat source rule 200 source address 'xxx.xxx.0.0/16'
set nat source rule 200 translation address 'masquerade'
set policy route magic-wan enable-default-log
set policy route magic-wan rule 100 description 'magic-wan'
set policy route magic-wan rule 100 log 'enable'
set policy route magic-wan rule 100 protocol 'tcp_udp'
set policy route magic-wan rule 100 set table '100'
set policy route magic-wan rule 100 source address 'xxx.xxx.71.5'
set protocols static table 100 route xxx.xxx.0.0/0 next-hop xxx.xxx.72.21
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 default-router 'xxx.xxx.69.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 name-server 'xxx.xxx.69.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 range 0 start 'xxx.xxx.69.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 range 0 stop 'xxx.xxx.69.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.3'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:b6'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.6'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:33'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.7'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:64'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.4'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:28'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 default-router 'xxx.xxx.73.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 name-server 'xxx.xxx.73.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 range 0 start 'xxx.xxx.73.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 range 0 stop 'xxx.xxx.73.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 default-router 'xxx.xxx.70.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 name-server 'xxx.xxx.70.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 range 0 start 'xxx.xxx.70.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 range 0 stop 'xxx.xxx.70.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.70.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:d8'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 default-router 'xxx.xxx.71.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 name-server 'xxx.xxx.71.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 range 0 start 'xxx.xxx.71.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 range 0 stop 'xxx.xxx.71.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.4'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:53'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:07'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.3'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:c9'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.5'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:1c'
set service dns forwarding allow-from 'xxx.xxx.0.0/16'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address 'xxx.xxx.69.1'
set service dns forwarding listen-address 'xxx.xxx.70.1'
set service dns forwarding listen-address 'xxx.xxx.71.1'
set service dns forwarding listen-address 'xxx.xxx.73.1'
set service dns forwarding name-server 'xxx.xxx.69.7'
set service ssh disable-password-authentication
set service ssh loglevel 'verbose'
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx key xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx type 'ecdsa-sha2-nistp256'
set system name-server 'xxx.xxx.69.1'
set system name-server 'xxx.xxx.1.1'
set system name-server 'xxx.xxx.8.8'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.70.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.3'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.6'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.7'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.1'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.4'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.4'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.3'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.5'
set system sysctl custom net.ipv4.conf.all.accept_local value '1'
set system syslog global facility all level 'all'
set system syslog global facility protocols level 'all'
set system time-zone 'Asia/Singapore'

So it turns out `enable-local-traffic` is the culprit; I'm not quite sure what this option actually does.

Config:

set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/29'
set firewall group ipv6-network-group cf-ipv6 network 'xxxx:xxxx::/32'
set firewall group network-group cf-ipv4 network 'xxx.xxx.48.0/20'
set firewall group network-group cf-ipv4 network 'xxx.xxx.244.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.200.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.4.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.64.0/18'
set firewall group network-group cf-ipv4 network 'xxx.xxx.192.0/18'
set firewall group network-group cf-ipv4 network 'xxx.xxx.240.0/20'
set firewall group network-group cf-ipv4 network 'xxx.xxx.96.0/20'
set firewall group network-group cf-ipv4 network 'xxx.xxx.240.0/22'
set firewall group network-group cf-ipv4 network 'xxx.xxx.128.0/17'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/15'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/13'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/14'
set firewall group network-group cf-ipv4 network 'xxx.xxx.0.0/13'
set firewall group network-group cf-ipv4 network 'xxx.xxx.72.0/22'
set firewall ipv6-name EXTERNAL-IN-v6 default-action 'drop'
set firewall ipv6-name EXTERNAL-IN-v6 enable-default-log
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 action 'accept'
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 log 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 state established 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 10 state related 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 action 'accept'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 destination port '80,443'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 log 'enable'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 protocol 'tcp_udp'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 source group network-group 'cf-ipv6'
set firewall ipv6-name EXTERNAL-IN-v6 rule 20 state new 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 default-action 'drop'
set firewall ipv6-name EXTERNAL-LOCAL-v6 enable-default-log
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 action 'accept'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 state established 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 10 state related 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 action 'accept'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 icmpv6 type 'echo-request'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 protocol 'icmpv6'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 20 state new 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 action 'drop'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 description 'ssh'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 destination port '22'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 protocol 'tcp'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 recent count '15'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 recent time '60'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 30 state new 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 action 'accept'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 destination port '22'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 log 'enable'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 protocol 'tcp'
set firewall ipv6-name EXTERNAL-LOCAL-v6 rule 31 state new 'enable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name EXTERNAL-IN default-action 'drop'
set firewall name EXTERNAL-IN enable-default-log
set firewall name EXTERNAL-IN rule 10 action 'accept'
set firewall name EXTERNAL-IN rule 10 log 'enable'
set firewall name EXTERNAL-IN rule 10 state established 'enable'
set firewall name EXTERNAL-IN rule 10 state related 'enable'
set firewall name EXTERNAL-IN rule 20 action 'accept'
set firewall name EXTERNAL-IN rule 20 description 'servarr-vlan200'
set firewall name EXTERNAL-IN rule 20 destination address 'xxx.xxx.71.2'
set firewall name EXTERNAL-IN rule 20 destination port '80,443'
set firewall name EXTERNAL-IN rule 20 log 'enable'
set firewall name EXTERNAL-IN rule 20 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 20 source group network-group 'cf-ipv4'
set firewall name EXTERNAL-IN rule 20 state new 'enable'
set firewall name EXTERNAL-IN rule 21 action 'drop'
set firewall name EXTERNAL-IN rule 21 description 'bind-vlan200'
set firewall name EXTERNAL-IN rule 21 destination address 'xxx.xxx.71.2'
set firewall name EXTERNAL-IN rule 21 destination port '5053'
set firewall name EXTERNAL-IN rule 21 log 'enable'
set firewall name EXTERNAL-IN rule 21 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 21 recent count '100'
set firewall name EXTERNAL-IN rule 21 recent time '60'
set firewall name EXTERNAL-IN rule 21 state new 'enable'
set firewall name EXTERNAL-IN rule 22 action 'accept'
set firewall name EXTERNAL-IN rule 22 description 'bind-vlan200'
set firewall name EXTERNAL-IN rule 22 destination address 'xxx.xxx.71.2'
set firewall name EXTERNAL-IN rule 22 destination port '5053'
set firewall name EXTERNAL-IN rule 22 log 'enable'
set firewall name EXTERNAL-IN rule 22 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 22 state new 'enable'
set firewall name EXTERNAL-IN rule 30 action 'accept'
set firewall name EXTERNAL-IN rule 30 description 'kvm'
set firewall name EXTERNAL-IN rule 30 destination address 'xxx.xxx.69.6'
set firewall name EXTERNAL-IN rule 30 destination port '80,443'
set firewall name EXTERNAL-IN rule 30 log 'enable'
set firewall name EXTERNAL-IN rule 30 protocol 'tcp_udp'
set firewall name EXTERNAL-IN rule 30 source group network-group 'cf-ipv4'
set firewall name EXTERNAL-IN rule 30 state new 'enable'
set firewall name EXTERNAL-LOCAL default-action 'drop'
set firewall name EXTERNAL-LOCAL enable-default-log
set firewall name EXTERNAL-LOCAL rule 10 action 'accept'
set firewall name EXTERNAL-LOCAL rule 10 log 'enable'
set firewall name EXTERNAL-LOCAL rule 10 state established 'enable'
set firewall name EXTERNAL-LOCAL rule 10 state related 'enable'
set firewall name EXTERNAL-LOCAL rule 20 action 'accept'
set firewall name EXTERNAL-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name EXTERNAL-LOCAL rule 20 log 'enable'
set firewall name EXTERNAL-LOCAL rule 20 protocol 'icmp'
set firewall name EXTERNAL-LOCAL rule 20 state new 'enable'
set firewall name EXTERNAL-LOCAL rule 30 action 'drop'
set firewall name EXTERNAL-LOCAL rule 30 description 'ssh'
set firewall name EXTERNAL-LOCAL rule 30 destination port '22'
set firewall name EXTERNAL-LOCAL rule 30 log 'enable'
set firewall name EXTERNAL-LOCAL rule 30 protocol 'tcp'
set firewall name EXTERNAL-LOCAL rule 30 recent count '15'
set firewall name EXTERNAL-LOCAL rule 30 recent time '60'
set firewall name EXTERNAL-LOCAL rule 30 state new 'enable'
set firewall name EXTERNAL-LOCAL rule 31 action 'accept'
set firewall name EXTERNAL-LOCAL rule 31 destination port '22'
set firewall name EXTERNAL-LOCAL rule 31 log 'enable'
set firewall name EXTERNAL-LOCAL rule 31 protocol 'tcp'
set firewall name EXTERNAL-LOCAL rule 31 state new 'enable'
set firewall name EXTERNAL-LOCAL rule 40 action 'accept'
set firewall name EXTERNAL-LOCAL rule 40 description 'magic-wan'
set firewall name EXTERNAL-LOCAL rule 40 log 'enable'
set firewall name EXTERNAL-LOCAL rule 40 protocol 'gre'
set firewall name EXTERNAL-LOCAL rule 40 source group network-group 'cf-ipv4'
set firewall name EXTERNAL-LOCAL rule 50 action 'accept'
set firewall name EXTERNAL-LOCAL rule 50 icmp type-name 'echo-reply'
set firewall name EXTERNAL-LOCAL rule 50 log 'enable'
set firewall name EXTERNAL-LOCAL rule 50 protocol 'icmp'
set firewall name VLAN-100 default-action 'accept'
set firewall name VLAN-100 enable-default-log
set firewall name VLAN-100 rule 10 action 'accept'
set firewall name VLAN-100 rule 10 log 'enable'
set firewall name VLAN-100 rule 10 state established 'enable'
set firewall name VLAN-100 rule 10 state related 'enable'
set firewall name VLAN-100 rule 30 action 'accept'
set firewall name VLAN-100 rule 30 description 'Printer access'
set firewall name VLAN-100 rule 30 destination address 'xxx.xxx.69.12'
set firewall name VLAN-100 rule 31 action 'accept'
set firewall name VLAN-100 rule 31 description 'Pihole DNS'
set firewall name VLAN-100 rule 31 destination address 'xxx.xxx.69.7'
set firewall name VLAN-100 rule 31 destination port '53'
set firewall name VLAN-100 rule 31 protocol 'tcp_udp'
set firewall name VLAN-100 rule 40 action 'drop'
set firewall name VLAN-100 rule 40 description 'Restrict Access to INTERNAL1 network'
set firewall name VLAN-100 rule 40 destination address 'xxx.xxx.69.0/24'
set firewall name VLAN-100 rule 41 action 'drop'
set firewall name VLAN-100 rule 41 description 'Restrict Access to VLAN200 network'
set firewall name VLAN-100 rule 41 destination address 'xxx.xxx.71.0/24'
set firewall name VLAN-200 default-action 'accept'
set firewall name VLAN-200 enable-default-log
set firewall name VLAN-200 rule 10 action 'accept'
set firewall name VLAN-200 rule 10 log 'enable'
set firewall name VLAN-200 rule 10 state established 'enable'
set firewall name VLAN-200 rule 10 state related 'enable'
set firewall name VLAN-200 rule 30 action 'accept'
set firewall name VLAN-200 rule 30 description 'Printer access'
set firewall name VLAN-200 rule 30 destination address 'xxx.xxx.69.12'
set firewall name VLAN-200 rule 31 action 'accept'
set firewall name VLAN-200 rule 31 description 'Pihole DNS'
set firewall name VLAN-200 rule 31 destination address 'xxx.xxx.69.7'
set firewall name VLAN-200 rule 31 destination port '53'
set firewall name VLAN-200 rule 31 protocol 'tcp_udp'
set firewall name VLAN-200 rule 32 action 'accept'
set firewall name VLAN-200 rule 32 description 'ERFI1 Access'
set firewall name VLAN-200 rule 32 destination address 'xxx.xxx.69.3'
set firewall name VLAN-200 rule 32 protocol 'tcp_udp'
set firewall name VLAN-200 rule 33 action 'accept'
set firewall name VLAN-200 rule 33 description 'Magic Access'
set firewall name VLAN-200 rule 33 destination address 'xxx.xxx.72.20/31'
set firewall name VLAN-200 rule 40 action 'drop'
set firewall name VLAN-200 rule 40 description 'Restrict Access to INTERNAL1 network'
set firewall name VLAN-200 rule 40 destination address 'xxx.xxx.69.0/24'
set firewall name VLAN-200 rule 41 action 'drop'
set firewall name VLAN-200 rule 41 description 'Restrict Access to VLAN100 network'
set firewall name VLAN-200 rule 41 destination address 'xxx.xxx.70.0/24'
set firewall options interface tun0 adjust-mss '1436'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'EXTERNAL1'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 firewall in ipv6-name 'EXTERNAL-IN-v6'
set interfaces ethernet eth0 firewall in name 'EXTERNAL-IN'
set interfaces ethernet eth0 firewall local ipv6-name 'EXTERNAL-LOCAL-v6'
set interfaces ethernet eth0 firewall local name 'EXTERNAL-LOCAL'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:de'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address 'dhcp'
set interfaces ethernet eth1 description 'EXTERNAL2'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 firewall in ipv6-name 'EXTERNAL-IN-v6'
set interfaces ethernet eth1 firewall in name 'EXTERNAL-IN'
set interfaces ethernet eth1 firewall local ipv6-name 'EXTERNAL-LOCAL-v6'
set interfaces ethernet eth1 firewall local name 'EXTERNAL-LOCAL'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:df'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 address 'xxx.xxx.69.1/24'
set interfaces ethernet eth2 description 'INTERNAL1'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:e0'
set interfaces ethernet eth2 ip arp-cache-timeout '30'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth2 vif 100 address 'xxx.xxx.70.1/24'
set interfaces ethernet eth2 vif 100 description 'asus'
set interfaces ethernet eth2 vif 100 firewall in name 'VLAN-100'
set interfaces ethernet eth2 vif 200 address 'xxx.xxx.71.1/24'
set interfaces ethernet eth2 vif 200 description 'servarr'
set interfaces ethernet eth2 vif 200 firewall in name 'VLAN-200'
set interfaces ethernet eth2 vif 200 policy route 'magic-wan'
set interfaces ethernet eth3 address 'xxx.xxx.73.1/24'
set interfaces ethernet eth3 description 'INTERNAL2'
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:e1'
set interfaces ethernet eth3 speed 'auto'
set interfaces loopback lo
set interfaces tunnel tun0 address 'xxx.xxx.72.20/31'
set interfaces tunnel tun0 description 'magic-wan'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 mtu '1476'
set interfaces tunnel tun0 remote 'xxx.xxx.66.5'
set interfaces tunnel tun0 source-address 'xxx.xxx.189.102'
set load-balancing wan flush-connections
set load-balancing wan interface-health eth0 failure-count '2'
set load-balancing wan interface-health eth0 nexthop 'dhcp'
set load-balancing wan interface-health eth0 success-count '1'
set load-balancing wan interface-health eth0 test 10 resp-time '5'
set load-balancing wan interface-health eth0 test 10 target 'xxx.xxx.8.8'
set load-balancing wan interface-health eth0 test 10 ttl-limit '1'
# WAN load-balancing: two uplinks (eth0, eth1), each health-checked by ICMP to
# two public addresses. The LAN-side interfaces are put in 'failover' mode,
# eth0 (weight 10) carrying everything while healthy and eth1 (weight 1) used
# only when eth0 fails its checks.
# NOTE(review): '#' lines are bash comments and are ignored when this listing is
# pasted into configure mode; strip them if a tool that parses raw 'set' lines
# rejects them.
set load-balancing wan interface-health eth0 test 10 type 'ping'
# eth0's failure-count / success-count / nexthop and test 10 target are above
# this view.
set load-balancing wan interface-health eth0 test 20 resp-time '5'
set load-balancing wan interface-health eth0 test 20 target 'xxx.xxx.1.1'
# ttl-limit is the parameter of the 'ttl' test type; with type 'ping' it is
# presumably unused -- harmless, but do not rely on it.
set load-balancing wan interface-health eth0 test 20 ttl-limit '1'
set load-balancing wan interface-health eth0 test 20 type 'ping'
# eth1: declared down after 2 failed probes, back up after 1 success; its
# next-hop is learnt from DHCP.
set load-balancing wan interface-health eth1 failure-count '2'
set load-balancing wan interface-health eth1 nexthop 'dhcp'
set load-balancing wan interface-health eth1 success-count '1'
set load-balancing wan interface-health eth1 test 10 resp-time '5'
set load-balancing wan interface-health eth1 test 10 target 'xxx.xxx.8.8'
set load-balancing wan interface-health eth1 test 10 ttl-limit '1'
set load-balancing wan interface-health eth1 test 10 type 'ping'
set load-balancing wan interface-health eth1 test 20 resp-time '5'
set load-balancing wan interface-health eth1 test 20 target 'xxx.xxx.1.1'
set load-balancing wan interface-health eth1 test 20 ttl-limit '1'
set load-balancing wan interface-health eth1 test 20 type 'ping'
# Exclusion rules: local-to-local traffic must not be marked for a WAN table.
# Rules 10/20 exclude eth2 (xxx.xxx.69.0/24, presumably the untagged LAN) ->
# vlan100 (.70.0/24) and -> vlan200 (.71.0/24). There is no matching exclusion
# for traffic *entering* eth2.100 / eth2.200 that is bound for another local
# segment, and rules 40/41 below match any destination on those interfaces.
# NOTE(review): depending on how the balancer installs its marks and tables,
# a new vlan->LAN or vlan->vlan flow may be steered toward a WAN table. Test a
# fresh connection from a vlan100 host to a .69.0/24 host; if it fails, add
# exclusions per inbound interface (eth2.100, eth2.200) for the local prefixes
# (one rule with destination xxx.xxx.0.0/16 per interface is the simplest form).
# The addresses here are written with host bits set ('.1/24'); they are
# presumably normalised to the /24 -- confirm with the operational 'show' output.
set load-balancing wan rule 10 description 'vlan-exclusion-100'
set load-balancing wan rule 10 destination address 'xxx.xxx.70.1/24'
set load-balancing wan rule 10 exclude
set load-balancing wan rule 10 inbound-interface 'eth2'
set load-balancing wan rule 10 protocol 'all'
set load-balancing wan rule 10 source address 'xxx.xxx.69.1/24'
set load-balancing wan rule 20 description 'vlan-exclusion-200'
set load-balancing wan rule 20 destination address 'xxx.xxx.71.1/24'
set load-balancing wan rule 20 exclude
set load-balancing wan rule 20 inbound-interface 'eth2'
set load-balancing wan rule 20 protocol 'all'
set load-balancing wan rule 20 source address 'xxx.xxx.69.1/24'
# Rules 30-32: traffic to the tun0 point-to-point /31 (xxx.xxx.72.20/31) is
# excluded from balancing on all three LAN-side interfaces, so it follows the
# main routing table. Only the /31 itself is excluded: a client whose default
# route is meant to go *through* tun0 (the 'magic-wan' policy route further
# down, source xxx.xxx.71.4) is still matched by rule 41 below.
# NOTE(review): that overlap is a common reason a policy-routed tunnel path does
# not work alongside WAN balancing; the usual fix is an exclusion for that
# client, e.g. 'set load-balancing wan rule 35 exclude',
# '... rule 35 inbound-interface eth2.200', '... rule 35 source address
# xxx.xxx.71.4/32', '... rule 35 protocol all'. Confirm by testing a new TCP
# flow from .71.4 after adding it.
set load-balancing wan rule 30 description 'tun0-exclusion-vlan100'
set load-balancing wan rule 30 destination address 'xxx.xxx.72.20/31'
set load-balancing wan rule 30 exclude
set load-balancing wan rule 30 inbound-interface 'eth2.100'
set load-balancing wan rule 30 protocol 'all'
set load-balancing wan rule 31 description 'tun0-exclusion-vlan200'
set load-balancing wan rule 31 destination address 'xxx.xxx.72.20/31'
set load-balancing wan rule 31 exclude
set load-balancing wan rule 31 inbound-interface 'eth2.200'
set load-balancing wan rule 31 protocol 'all'
set load-balancing wan rule 32 description 'tun0-exclusion-eth2'
set load-balancing wan rule 32 destination address 'xxx.xxx.72.20/31'
set load-balancing wan rule 32 exclude
set load-balancing wan rule 32 inbound-interface 'eth2'
set load-balancing wan rule 32 protocol 'all'
# Balancing rules 40-42: all protocols entering vlan100, vlan200 and the
# untagged LAN, eth0 primary / eth1 standby. No destination filter -- see the
# note on exclusions above.
set load-balancing wan rule 40 failover
set load-balancing wan rule 40 inbound-interface 'eth2.100'
set load-balancing wan rule 40 interface eth0 weight '10'
set load-balancing wan rule 40 interface eth1 weight '1'
set load-balancing wan rule 40 protocol 'all'
set load-balancing wan rule 41 failover
set load-balancing wan rule 41 inbound-interface 'eth2.200'
set load-balancing wan rule 41 interface eth0 weight '10'
set load-balancing wan rule 41 interface eth1 weight '1'
set load-balancing wan rule 41 protocol 'all'
set load-balancing wan rule 42 failover
set load-balancing wan rule 42 inbound-interface 'eth2'
set load-balancing wan rule 42 interface eth0 weight '10'
set load-balancing wan rule 42 interface eth1 weight '1'
set load-balancing wan rule 42 protocol 'all'
# Rule 50: new flows arriving *from* tun0 are balanced onto the WANs. Return
# packets of a flow that a LAN client initiated follow that flow's existing
# mark (presumably via conntrack), so this rule is not what sends .71.4's
# traffic into the tunnel -- only the policy route below can do that.
set load-balancing wan rule 50 failover
set load-balancing wan rule 50 inbound-interface 'tun0'
set load-balancing wan rule 50 interface eth0 weight '10'
set load-balancing wan rule 50 interface eth1 weight '1'
set load-balancing wan rule 50 protocol 'all'
# Replies to inbound connections leave via the WAN they arrived on; required
# for the DNAT rules below, which are duplicated for eth0 and eth1.
set load-balancing wan sticky-connections inbound
# Destination NAT (port-forwards). Each forward is defined twice because a
# connection may arrive on either WAN. None of these rules carries a
# 'source address' match, so every forwarded service is reachable from any
# Internet host that can reach either WAN IP. The WAN-inbound firewall rule set
# that must additionally admit these flows is outside this view -- review it
# together with this block.
# Rules 10/20: 80,443 -> xxx.xxx.71.2 (description 'servarr'), port unchanged.
# 'tcp_udp' also forwards UDP/80 and UDP/443; unless the service speaks HTTP/3
# (QUIC), 'protocol tcp' is the narrower choice.
set nat destination rule 10 description 'servarr-vlan200-eth0'
set nat destination rule 10 destination port '80,443'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 log 'enable'
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address 'xxx.xxx.71.2'
# Rules 11/21: TCP+UDP 5053 -> the bind host (xxx.xxx.71.2). If that instance
# answers recursive queries, this is an Internet-reachable recursive resolver
# (cache-poisoning and reflection/amplification exposure); restrict
# 'source address' to the clients that need it, or make the instance
# authoritative-only. These are also the only DNAT rules without 'log enable',
# so abuse of this port would not show up in the NAT log.
set nat destination rule 11 description 'bind-vlan200-eth0'
set nat destination rule 11 destination port '5053'
set nat destination rule 11 inbound-interface 'eth0'
set nat destination rule 11 protocol 'tcp_udp'
set nat destination rule 11 translation address 'xxx.xxx.71.2'
set nat destination rule 11 translation port '5053'
set nat destination rule 20 description 'servarr-vlan200-eth1'
set nat destination rule 20 destination port '80,443'
set nat destination rule 20 inbound-interface 'eth1'
set nat destination rule 20 log 'enable'
set nat destination rule 20 protocol 'tcp_udp'
set nat destination rule 20 translation address 'xxx.xxx.71.2'
set nat destination rule 21 description 'bind-vlan200-eth1'
set nat destination rule 21 destination port '5053'
set nat destination rule 21 inbound-interface 'eth1'
set nat destination rule 21 protocol 'tcp_udp'
set nat destination rule 21 translation address 'xxx.xxx.71.2'
set nat destination rule 21 translation port '5053'
# Rules 30/40: TCP+UDP 2053 -> 443 on xxx.xxx.69.6 (description 'kvm').
# NOTE(review): if this is a management console, as the description suggests,
# exposing it to both WANs with no source restriction is the highest-risk entry
# in this file; a non-default external port is not access control. Restrict
# 'source address' to a known address or network-group, or reach it only over
# the tunnel/VPN. UDP/2053 can be dropped outright ('protocol tcp') unless the
# console is known to use it.
set nat destination rule 30 description 'kvm-eth0'
set nat destination rule 30 destination port '2053'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 log 'enable'
set nat destination rule 30 protocol 'tcp_udp'
set nat destination rule 30 translation address 'xxx.xxx.69.6'
set nat destination rule 30 translation port '443'
set nat destination rule 40 description 'kvm-eth1'
set nat destination rule 40 destination port '2053'
set nat destination rule 40 inbound-interface 'eth1'
set nat destination rule 40 log 'enable'
set nat destination rule 40 protocol 'tcp_udp'
set nat destination rule 40 translation address 'xxx.xxx.69.6'
set nat destination rule 40 translation port '443'
# Source NAT: masquerade the whole xxx.xxx.0.0/16 behind each WAN address.
# No source-NAT rule exists for outbound-interface tun0 (only rules 100 and
# 200 are defined), so traffic steered into the tunnel by table 100 below keeps
# its private source -- whether the tunnel peer expects that, or a NATed
# source, depends on the peer; confirm.
# 'log enable' on a masquerade rule records every new outbound flow from the
# /16; combined with 'syslog ... level all' below this is high-volume. Keep it
# only if the logs are retained off-box for attribution, otherwise disable it.
set nat source rule 100 description 'eth0'
set nat source rule 100 log 'enable'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address 'xxx.xxx.0.0/16'
set nat source rule 100 translation address 'masquerade'
set nat source rule 200 description 'eth1'
set nat source rule 200 log 'enable'
set nat source rule 200 outbound-interface 'eth1'
set nat source rule 200 source address 'xxx.xxx.0.0/16'
set nat source rule 200 translation address 'masquerade'
# Policy-based routing 'magic-wan': TCP/UDP from xxx.xxx.71.4 is sent to
# routing table 100, whose only route is a default via xxx.xxx.72.21 -- the far
# side of the tun0 /31 excluded from WAN balancing above. 'xxx.xxx.0.0/0' is a
# redaction of the default route (any address with a /0 prefix is the default).
# NOTE(review): three things to check for the "client -> tun0 -> Internet" path:
#  1. 'protocol tcp_udp' leaves ICMP on the normal WAN path, so a ping from
#     .71.4 will never show the tunnel path; test with TCP, or use 'protocol all'.
#  2. The policy only acts once it is attached to the ingress interface (for
#     this client that is eth2.200, e.g.
#     'set interfaces ethernet eth2 vif 200 policy route magic-wan'); the
#     interfaces section is outside this view, so confirm it is attached.
#  3. Load-balancing rule 41 still matches .71.4's packets on eth2.200 and may
#     override this table selection -- see the exclusion suggested there.
# 'enable-default-log' presumably logs every packet on the attached interface
# that matches no rule, i.e. all of vlan200's other traffic -- noisy; the
# per-rule 'log enable' is usually enough.
set policy route magic-wan enable-default-log
set policy route magic-wan rule 100 description 'magic-wan'
set policy route magic-wan rule 100 log 'enable'
set policy route magic-wan rule 100 protocol 'tcp_udp'
set policy route magic-wan rule 100 set table '100'
set policy route magic-wan rule 100 source address 'xxx.xxx.71.4'
set protocols static table 100 route xxx.xxx.0.0/0 next-hop xxx.xxx.72.21
# DHCP: four /24s with 5-minute leases. Every subnet advertises xxx.xxx.69.7
# (a reserved host below, presumably the site resolver) first and the router's
# own forwarder (the subnet's .1) second; clients may use either, so both must
# behave identically for any DNS-based filtering to hold.
# NOTE(review): every static mapping (.69.3/.69.4/.69.6/.69.7, .70.2,
# .71.2-.71.5) lies inside its subnet's dynamic range .2-.254. The config
# evidently commits, so the backend tolerates it; conventional practice still
# keeps reservations outside the pool so a reservation and a dynamic lease can
# never collide. A reservation is a convenience, not a control -- any client can
# still configure one of these addresses by hand.
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 default-router 'xxx.xxx.69.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 name-server 'xxx.xxx.69.7'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 name-server 'xxx.xxx.69.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 range 0 start 'xxx.xxx.69.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 range 0 stop 'xxx.xxx.69.254'
# .69.6 is the 'kvm' DNAT target and .69.7 the advertised resolver.
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.3'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:b6'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.6'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:33'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.7'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:64'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.69.4'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.69.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:28'
# xxx.xxx.73.0/24: no load-balancing rule above references the interface that
# carries this subnet (only eth2, eth2.100, eth2.200 and tun0 appear). If it is
# a further VLAN, its Internet traffic is neither balanced nor excluded by those
# rules -- confirm which interface serves it and whether that is intended.
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 default-router 'xxx.xxx.73.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 name-server 'xxx.xxx.69.7'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 name-server 'xxx.xxx.73.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 range 0 start 'xxx.xxx.73.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.73.0/24 range 0 stop 'xxx.xxx.73.254'
# vlan100 (.70.0/24).
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 default-router 'xxx.xxx.70.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 name-server 'xxx.xxx.69.7'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 name-server 'xxx.xxx.70.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 range 0 start 'xxx.xxx.70.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 range 0 stop 'xxx.xxx.70.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.70.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.70.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:d8'
# vlan200 (.71.0/24): .71.2 is the servarr/bind DNAT target, .71.4 the
# policy-routed 'magic-wan' client.
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 default-router 'xxx.xxx.71.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 lease '300'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 name-server 'xxx.xxx.69.7'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 name-server 'xxx.xxx.71.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 range 0 start 'xxx.xxx.71.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 range 0 stop 'xxx.xxx.71.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.4'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:53'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:07'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.3'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:c9'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.71.5'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.71.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:1c'
# DNS forwarder: listens only on the four LAN-side router addresses and answers
# only xxx.xxx.0.0/16 -- not an open resolver. 'cache-size 0' disables the
# local cache, so every client query is forwarded upstream.
# NOTE(review): no 'name-server', 'system' or 'dhcp' line appears for the
# forwarder in this (alphabetically ordered) listing, so its upstream is
# whatever the firmware does by default -- and 'system name-server' below lists
# this very forwarder (.69.1) first. Verify with a query from the router that
# resolution does not loop back on itself, and pin explicit upstreams.
set service dns forwarding allow-from 'xxx.xxx.0.0/16'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address 'xxx.xxx.69.1'
set service dns forwarding listen-address 'xxx.xxx.70.1'
set service dns forwarding listen-address 'xxx.xxx.71.1'
set service dns forwarding listen-address 'xxx.xxx.73.1'
# SSH: key-only authentication with verbose logging (good). No 'listen-address'
# is set (it would appear between these lines), so sshd presumably binds every
# address including both WAN IPs; reachability from the Internet then rests
# entirely on the WAN-inbound firewall rule set, which is outside this view.
# Pinning 'set service ssh listen-address <LAN address>' removes that
# dependency.
set service ssh disable-password-authentication
set service ssh loglevel 'verbose'
set service ssh port '22'
# System settings.
# Keep 100 prior configurations for rollback and for diffing during an
# incident review.
set system config-management commit-revisions '100'
# Conntrack helpers (ALGs): every helper listed here parses untrusted payloads
# in the kernel and can open "related" pinholes through the firewall; the
# Netfilter project recommends enabling only the helpers a site actually uses.
# sip and h323 in particular are frequent causes of broken VoIP behaviour.
# NOTE(review): drop the ones not needed (nothing in this view depends on them).
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
# One local user with a password (console/sudo -- SSH is key-only above) and a
# P-256 SSH key.
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx key xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx type 'ecdsa-sha2-nistp256'
# The router's own resolvers: its forwarder (.69.1) first, then two public
# resolvers reached directly -- so the router's own lookups can bypass any
# filtering done at the forwarder.
set system name-server 'xxx.xxx.69.1'
set system name-server 'xxx.xxx.1.1'
set system name-server 'xxx.xxx.8.8'
# Four NTP sources; accurate time is what makes the NAT/firewall logs
# correlatable with other systems.
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
# Local host names for the reserved addresses above (names redacted).
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.70.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.3'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.6'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.7'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.1'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.4'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.69.4'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.3'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.71.5'
# accept_local=1 makes the kernel accept packets whose *source* is one of this
# router's own addresses when they arrive on a non-loopback interface. It is
# usually set to make hairpin / policy-routing setups work, but it weakens the
# kernel's own anti-spoofing; keep reverse-path filtering active and revisit
# whether this is still needed once the tun0 path is sorted out.
set system sysctl custom net.ipv4.conf.all.accept_local value '1'
# Everything is logged locally at 'all'. No 'syslog host' line appears (it
# would come right after 'global'), so the NAT/firewall/ssh logs exist only on
# the router; ship them off-box if they are meant to serve as evidence.
set system syslog global facility all level 'all'
set system syslog global facility protocols level 'all'
set system time-zone 'Asia/Singapore'

The last thing I haven't been able to get working is routing a client out through tun0 to the internet.
