# firewall group definitions HIDDEN
# Kernel-level hardening knobs. Note the asymmetry: IPv4 source-routed packets
# are accepted (ip-src-route 'enable') while the IPv6 equivalent is disabled two
# lines below. Source routing lets the sender dictate the forwarding path and can
# sidestep routing policy. NOTE(review): unless something here depends on it,
# 'disable' is the safer value and would match the ipv6-src-route setting.
set firewall ip-src-route 'enable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
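# ---------------------------------------------------------------------------
# Named rulesets. They are attached to zone pairs in the zone section below.
# ---------------------------------------------------------------------------
# FROM-INTERNET: applied WAN -> OFFICE and WAN -> MGMT-SW. Default drop, logged.
set firewall name FROM-INTERNET default-action 'drop'
set firewall name FROM-INTERNET description 'FROM-INTERNET-FW-to-PAT-OR-NAT-Get-IA'
set firewall name FROM-INTERNET enable-default-log
# Rules 1-2: reply traffic only (conntrack established/related).
set firewall name FROM-INTERNET rule 1 action 'accept'
set firewall name FROM-INTERNET rule 1 protocol 'tcp_udp'
set firewall name FROM-INTERNET rule 1 state established 'enable'
set firewall name FROM-INTERNET rule 1 state related 'enable'
set firewall name FROM-INTERNET rule 2 action 'accept'
set firewall name FROM-INTERNET rule 2 protocol 'icmp'
set firewall name FROM-INTERNET rule 2 state established 'enable'
set firewall name FROM-INTERNET rule 2 state related 'enable'
# Rule 3 accepts ANY protocol and port from the VPN-PEER network-group (the
# group contents are not in this listing). Because this ruleset governs transit
# into OFFICE and MGMT-SW, every member of VPN-PEER gets unrestricted access to
# both zones. NOTE(review): if the group only holds remote tunnel endpoints,
# narrow this to the tunnel traffic that actually transits (IPsec is
# udp 500/4500 plus esp, WireGuard is udp 51820 here), or remove it if that
# traffic terminates on the router and never transits these zone pairs.
set firewall name FROM-INTERNET rule 3 action 'accept'
set firewall name FROM-INTERNET rule 3 source group network-group 'VPN-PEER'
# FROM-ROUTING: applied ROUTING -> OFFICE and between ROUTING / ROUTING-INT.
# No enable-default-log here, so drops on these pairs are invisible to
# monitoring; consider adding it as the other Internet-facing rulesets do.
set firewall name FROM-ROUTING default-action 'drop'
set firewall name FROM-ROUTING rule 1 action 'accept'
set firewall name FROM-ROUTING rule 1 protocol 'tcp_udp'
set firewall name FROM-ROUTING rule 1 state established 'enable'
set firewall name FROM-ROUTING rule 1 state related 'enable'
# Rules 999998 and 999999 are identical in every visible attribute (the
# redacted prefixes may differ). NOTE(review): verify and remove the duplicate
# so that a future edit to one of them does not leave a stale copy in force.
set firewall name FROM-ROUTING rule 999998 action 'accept'
set firewall name FROM-ROUTING rule 999998 description 'Tunnel-Wireguard_Site-to-Site'
set firewall name FROM-ROUTING rule 999998 destination address '...56.0/24'
set firewall name FROM-ROUTING rule 999998 destination port '51820'
set firewall name FROM-ROUTING rule 999998 protocol 'tcp_udp'
set firewall name FROM-ROUTING rule 999998 source address '...56.0/24'
set firewall name FROM-ROUTING rule 999999 action 'accept'
set firewall name FROM-ROUTING rule 999999 description 'Tunnel-Wireguard_Site-to-Site'
set firewall name FROM-ROUTING rule 999999 destination address '...56.0/24'
set firewall name FROM-ROUTING rule 999999 destination port '51820'
set firewall name FROM-ROUTING rule 999999 protocol 'tcp_udp'
set firewall name FROM-ROUTING rule 999999 source address '...56.0/24'
# INTERNAL-ROUTING: applied in BOTH directions between OFFICE and each
# management zone (Cisco-CAPWAP, Cisco-WIFI, DSLAM, MGMT-*, WIFI6).
# Rule 1: OFFICE may open device management sessions on 22, 23 and 443.
# Port 23 (telnet) carries credentials in cleartext; keep it only for devices
# that offer nothing else, ideally as a per-device rule.
set firewall name INTERNAL-ROUTING default-action 'drop'
set firewall name INTERNAL-ROUTING rule 1 action 'accept'
set firewall name INTERNAL-ROUTING rule 1 destination port '22,23,443'
set firewall name INTERNAL-ROUTING rule 1 protocol 'tcp_udp'
set firewall name INTERNAL-ROUTING rule 1 source address '...50.0/24'
# Rule 2 is the return path for rule 1. It previously matched on *source port*
# 22,23,443, which any host in a management zone chooses freely, so it was in
# effect an unrestricted accept toward OFFICE. Matching conntrack state instead
# (as FROM-INTERNET and FROM-ROUTING already do) admits only replies to flows
# that rule 1 accepted; legitimate management sessions are unaffected.
set firewall name INTERNAL-ROUTING rule 2 action 'accept'
set firewall name INTERNAL-ROUTING rule 2 destination address '...50.0/24'
set firewall name INTERNAL-ROUTING rule 2 protocol 'tcp_udp'
set firewall name INTERNAL-ROUTING rule 2 state established 'enable'
set firewall name INTERNAL-ROUTING rule 2 state related 'enable'
# Rule 3: all ICMP, both directions.
set firewall name INTERNAL-ROUTING rule 3 action 'accept'
set firewall name INTERNAL-ROUTING rule 3 protocol 'icmp'
# LAN: the egress ruleset (OFFICE -> WAN/TUN/ROUTING/ROUTING-INT, MGMT-SW -> WAN)
# and, per the zone section, also TUN -> OFFICE. Rules 1-2 accept anything
# sourced from the OFFICE prefix; rules 3-4 accept ...24.0.0/19 toward the
# SWITCH-ACCESS-WAN group. NOTE(review): on the TUN -> OFFICE pair this admits
# only packets that already claim an OFFICE source, which is not what an inbound
# site-to-site policy normally wants; the VPN-IN-OUT ruleset at the end of the
# listing looks like the intended replacement for that pair.
set firewall name LAN default-action 'drop'
set firewall name LAN description 'For-ALL-LAN-OUT-to-FROM-INTERNET'
set firewall name LAN enable-default-log
set firewall name LAN rule 1 action 'accept'
set firewall name LAN rule 1 protocol 'tcp_udp'
set firewall name LAN rule 1 source address '...50.0/24'
set firewall name LAN rule 2 action 'accept'
set firewall name LAN rule 2 protocol 'icmp'
set firewall name LAN rule 2 source address '...50.0/24'
set firewall name LAN rule 3 action 'accept'
set firewall name LAN rule 3 destination group network-group 'SWITCH-ACCESS-WAN'
set firewall name LAN rule 3 protocol 'tcp_udp'
set firewall name LAN rule 3 source address '...24.0.0/19'
set firewall name LAN rule 4 action 'accept'
set firewall name LAN rule 4 destination group network-group 'SWITCH-ACCESS-WAN'
set firewall name LAN rule 4 protocol 'icmp'
set firewall name LAN rule 4 source address '...24.0.0/19'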
# Remaining global hardening: ignore ICMP redirects, strict reverse-path
# validation (drops packets whose source is not reachable via the ingress
# interface, which blunts spoofed sources), SYN cookies and TIME-WAIT assassination
# protection. These are the sensible values.
set firewall receive-redirects 'disable'
set firewall source-validation 'strict'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'enable'
# ---------------------------------------------------------------------------
# Zone policy. Every zone defaults to drop and drops intra-zone traffic; only
# the listed "from" pairs are open. NOTE(review): no local zone is defined, so
# traffic to and from the router itself is not covered by these pairs (zone
# policy filters transit traffic unless a local-zone exists). The services
# further down bind to the OFFICE address only, which limits the exposure, but
# a local-zone would make the router's own attack surface explicit.
# ---------------------------------------------------------------------------
# Management zones: each is reachable from OFFICE only, via INTERNAL-ROUTING.
set firewall zone Cisco-CAPWAP default-action 'drop'
set firewall zone Cisco-CAPWAP from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone Cisco-CAPWAP interface 'eth1.9'
set firewall zone Cisco-CAPWAP intra-zone-filtering action 'drop'
set firewall zone Cisco-WIFI default-action 'drop'
set firewall zone Cisco-WIFI from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone Cisco-WIFI interface 'eth1.6'
set firewall zone Cisco-WIFI intra-zone-filtering action 'drop'
set firewall zone DSLAM default-action 'drop'
set firewall zone DSLAM from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone DSLAM interface 'eth1.17'
set firewall zone DSLAM intra-zone-filtering action 'drop'
set firewall zone MGMT-100 default-action 'drop'
set firewall zone MGMT-100 from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone MGMT-100 interface 'eth1.100'
set firewall zone MGMT-100 intra-zone-filtering action 'drop'
set firewall zone MGMT-AMFAR default-action 'drop'
set firewall zone MGMT-AMFAR from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone MGMT-AMFAR interface 'eth1.887'
set firewall zone MGMT-AMFAR intra-zone-filtering action 'drop'
set firewall zone MGMT-ESX default-action 'drop'
set firewall zone MGMT-ESX from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone MGMT-ESX interface 'eth1.16'
set firewall zone MGMT-ESX intra-zone-filtering action 'drop'
set firewall zone MGMT-Mikrotik default-action 'drop'
set firewall zone MGMT-Mikrotik from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone MGMT-Mikrotik interface 'eth1.807'
set firewall zone MGMT-Mikrotik intra-zone-filtering action 'drop'
# MGMT-SW (untagged eth1) is the one management zone that is also open from
# WAN, using the same FROM-INTERNET ruleset as OFFICE. NOTE(review): that gives
# the switch-management network the same Internet exposure as the office LAN,
# including FROM-INTERNET rule 3 (any traffic from the VPN-PEER group). Confirm
# this is intended; a management network rarely needs an inbound WAN pair.
set firewall zone MGMT-SW default-action 'drop'
set firewall zone MGMT-SW from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone MGMT-SW from WAN firewall name 'FROM-INTERNET'
set firewall zone MGMT-SW interface 'eth1'
set firewall zone MGMT-SW intra-zone-filtering action 'drop'
# OFFICE (eth2): the hub. Inbound from every management zone via
# INTERNAL-ROUTING, from WAN via FROM-INTERNET, from the WireGuard zone via
# FROM-ROUTING, and from the IPsec vti via LAN.
set firewall zone OFFICE default-action 'drop'
set firewall zone OFFICE from Cisco-CAPWAP firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from Cisco-WIFI firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from DSLAM firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from MGMT-100 firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from MGMT-AMFAR firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from MGMT-ESX firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from MGMT-Mikrotik firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from MGMT-SW firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE from ROUTING firewall name 'FROM-ROUTING'
# NOTE(review): TUN -> OFFICE uses the egress-style LAN ruleset, whose accept
# rules key on an OFFICE source prefix; traffic arriving from the remote sites
# over vti0 would not normally carry such a source. VPN-IN-OUT, defined at the
# end of this listing but attached to no zone pair here, looks like the
# intended ruleset for this pair.
set firewall zone OFFICE from TUN firewall name 'LAN'
set firewall zone OFFICE from WAN firewall name 'FROM-INTERNET'
set firewall zone OFFICE from WIFI6 firewall name 'INTERNAL-ROUTING'
set firewall zone OFFICE interface 'eth2'
set firewall zone OFFICE intra-zone-filtering action 'drop'
# ROUTING (wg0) and ROUTING-INT (eth3): the WireGuard overlay and its
# underlay, open to each other via FROM-ROUTING and from OFFICE via LAN.
set firewall zone ROUTING default-action 'drop'
set firewall zone ROUTING from OFFICE firewall name 'LAN'
set firewall zone ROUTING from ROUTING-INT firewall name 'FROM-ROUTING'
set firewall zone ROUTING interface 'wg0'
set firewall zone ROUTING intra-zone-filtering action 'drop'
set firewall zone ROUTING-INT default-action 'drop'
set firewall zone ROUTING-INT from OFFICE firewall name 'LAN'
set firewall zone ROUTING-INT from ROUTING firewall name 'FROM-ROUTING'
set firewall zone ROUTING-INT interface 'eth3'
set firewall zone ROUTING-INT intra-zone-filtering action 'drop'
# TUN (vti0): decrypted IPsec traffic. Only OFFICE -> TUN is opened here.
set firewall zone TUN default-action 'drop'
set firewall zone TUN from OFFICE firewall name 'LAN'
set firewall zone TUN interface 'vti0'
set firewall zone TUN intra-zone-filtering action 'drop'
# WAN (eth0): egress from OFFICE and from the switch-management network.
set firewall zone WAN default-action 'drop'
set firewall zone WAN from MGMT-SW firewall name 'LAN'
set firewall zone WAN from OFFICE firewall name 'LAN'
set firewall zone WAN interface 'eth0'
set firewall zone WAN intra-zone-filtering action 'drop'
set firewall zone WIFI6 default-action 'drop'
set firewall zone WIFI6 from OFFICE firewall name 'INTERNAL-ROUTING'
set firewall zone WIFI6 interface 'eth1.18'
set firewall zone WIFI6 intra-zone-filtering action 'drop'
# ---------------------------------------------------------------------------
# Interfaces. NOTE(review): this section contains live key material (the wg0
# private-key and the peer preshared-keys). Anything that has been pasted into
# a shared or public place must be treated as compromised: regenerate the wg0
# key pair and the preshared-keys and update every peer.
# ---------------------------------------------------------------------------
# eth0 carries three WAN addresses; the third is also the NAT translation
# address used below.
set interfaces ethernet eth0 address '...11/24'
set interfaces ethernet eth0 address '...0.28/24'
set interfaces ethernet eth0 address '...0.7/24'
set interfaces ethernet eth0 description 'WAN'
# INTERFACE MANAGEMENT HIDDEN
set interfaces ethernet eth2 address '....50.1/24'
set interfaces ethernet eth2 description 'OFFICE'
set interfaces ethernet eth2 hw-id '40:62:31:06:e7:ac'
set interfaces ethernet eth3 address '....56.4/24'
set interfaces ethernet eth3 description 'Routing-VyOS-InterSite'
set interfaces ethernet eth3 hw-id '40:62:31:06:e7:ad'
set interfaces loopback lo
# vti0 is addressed inside the OFFICE prefix (...50.254/24), i.e. the tunnel
# interface and the LAN share a subnet; this is what the author's note at the
# end of the listing refers to.
set interfaces vti vti0 address '...50.254/24'
set interfaces vti vti0 description 'Tunnel-Int_Site-to-Site'
# wg0: WireGuard hub with four site peers. NOTE(review): the same
# preshared-key value is configured for all four peers. WireGuard's PSK is
# meant to be unique per peer pair; a shared value means one leaked peer
# config removes that extra layer for every tunnel. Generate one per peer.
set interfaces wireguard wg0 address '...56.4/24'
set interfaces wireguard wg0 description 'Wireguard-VyOS-Intersite'
set interfaces wireguard wg0 peer CANNES address '....56.1'
set interfaces wireguard wg0 peer CANNES allowed-ips '....53.0/24'
set interfaces wireguard wg0 peer CANNES allowed-ips '...65.0/24'
set interfaces wireguard wg0 peer CANNES allowed-ips '...56.0/24'
set interfaces wireguard wg0 peer CANNES allowed-ips '...50.0/24'
set interfaces wireguard wg0 peer CANNES persistent-keepalive '10'
set interfaces wireguard wg0 peer CANNES port '51820'
set interfaces wireguard wg0 peer CANNES preshared-key 'Q/Cq0+wxYBnqT4MTzdFwgFecl7l0gwD6KDMaYbbkNTE='
set interfaces wireguard wg0 peer CANNES public-key '2IpOP06h6+uein4AGcFvT9GVXeWtM157yT2NGtH96TQ='
set interfaces wireguard wg0 peer EUCLYDE address '....56.2'
set interfaces wireguard wg0 peer EUCLYDE allowed-ips '....54.0/24'
set interfaces wireguard wg0 peer EUCLYDE allowed-ips '....66.0/24'
set interfaces wireguard wg0 peer EUCLYDE allowed-ips '....50.0/24'
set interfaces wireguard wg0 peer EUCLYDE allowed-ips '....56.0/24'
set interfaces wireguard wg0 peer EUCLYDE port '51820'
set interfaces wireguard wg0 peer EUCLYDE preshared-key 'Q/Cq0+wxYBnqT4MTzdFwgFecl7l0gwD6KDMaYbbkNTE='
set interfaces wireguard wg0 peer EUCLYDE public-key 'hta8QB/BL+tIk0f2HtSQC8y2luu1GQ+IokTKaPPJ8xY='
set interfaces wireguard wg0 peer PARIS address '....56.3'
set interfaces wireguard wg0 peer PARIS allowed-ips '....50.0/24'
set interfaces wireguard wg0 peer PARIS allowed-ips '....55.0/24'
set interfaces wireguard wg0 peer PARIS allowed-ips '....67.0/24'
set interfaces wireguard wg0 peer PARIS allowed-ips '....56.0/24'
set interfaces wireguard wg0 peer PARIS port '51820'
set interfaces wireguard wg0 peer PARIS preshared-key 'Q/Cq0+wxYBnqT4MTzdFwgFecl7l0gwD6KDMaYbbkNTE='
set interfaces wireguard wg0 peer PARIS public-key 'nNplzcI1QEI0j/2EBY6UFlRVQRIV4WiEz5NGt4vv0iM='
set interfaces wireguard wg0 peer XPRESS address '....56.5'
set interfaces wireguard wg0 peer XPRESS allowed-ips '....32/28'
set interfaces wireguard wg0 peer XPRESS allowed-ips '....50.0/24'
set interfaces wireguard wg0 peer XPRESS allowed-ips '....56.0/24'
set interfaces wireguard wg0 peer XPRESS port '51820'
set interfaces wireguard wg0 peer XPRESS preshared-key 'Q/Cq0+wxYBnqT4MTzdFwgFecl7l0gwD6KDMaYbbkNTE='
set interfaces wireguard wg0 peer XPRESS public-key 'uFvm/rS3wl24W6qkTp53OcAor4ApfEneGTPt5eRc0Sc='
set interfaces wireguard wg0 port '51820'
# NOTE(review): private key in cleartext in the listing -- rotate (see above).
set interfaces wireguard wg0 private-key 'sMana+QzKo35IPrFS/tkYaLzlWqx8CyKjpGul1s18VY='
# Source NAT. Rules 10/11 exempt site-to-site destinations from translation;
# rule 100 masquerades the OFFICE prefix behind one eth0 address.
# NOTE(review): only ...50.0/24 is translated. Any other internal prefix that
# is forwarded to eth0 (the LAN ruleset also admits ...24.0.0/19) would leave
# with its private source address unless it is covered elsewhere.
set nat source rule 10 destination address '172.24.219.0/24'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'vti0'
set nat source rule 10 source address '....50.0/24'
# NOTE(review): rule 11 excludes 10.1.0.0/24 on outbound eth0, but the static
# route for that prefix below points at vti0, so this rule should never match
# while that route is present. Confirm it is not a leftover from an earlier
# policy-based setup; if the tunnel route disappears, it would silently send
# that traffic untranslated over the WAN.
set nat source rule 11 destination address '10.1.0.0/24'
set nat source rule 11 exclude
set nat source rule 11 outbound-interface 'eth0'
set nat source rule 11 source address '....50.0/24'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '....50.0/24'
set nat source rule 100 translation address '...11'
# Static routing: default via the WAN gateway, the two IPsec remote prefixes
# via vti0, and the per-site prefixes via the matching WireGuard peer on wg0.
# The wg0 next-hops mirror the peer addresses and allowed-ips above; keep the
# two sections in sync when a site is added or removed.
set protocols static route 0.0.0.0/0 next-hop ...1 distance '1'
set protocols static route 10.1.0.0/24 interface vti0
set protocols static route ....53.0/24 next-hop ....56.1 interface 'wg0'
set protocols static route ....54.0/24 next-hop ....56.2 interface 'wg0'
set protocols static route ....55.0/24 next-hop ....56.3 interface 'wg0'
set protocols static route ....65.0/24 next-hop ....56.1 interface 'wg0'
set protocols static route ....66.0/24 next-hop ....56.2 interface 'wg0'
set protocols static route ....67.0/24 next-hop ....56.3 interface 'wg0'
set protocols static route 172.24.219.0/24 interface vti0
set protocols static route 192.168.211.32/28 next-hop ....56.5 interface 'wg0'
# Services. DHCP, DNS forwarding and SSH are all bound to the OFFICE address
# (....50.1), so they are not reachable from WAN or the management VLANs even
# though no local zone is defined.
set service dhcp-server listen-address '....50.1'
set service dhcp-server shared-network-name OFFICE authoritative
set service dhcp-server shared-network-name OFFICE description 'DHCP-Office-LAN'
set service dhcp-server shared-network-name OFFICE domain-name 'viapass.com'
set service dhcp-server shared-network-name OFFICE domain-search 'viapass.com'
set service dhcp-server shared-network-name OFFICE name-server '....50.1'
set service dhcp-server shared-network-name OFFICE subnet ....50.0/24 default-router '....50.1'
set service dhcp-server shared-network-name OFFICE subnet ....50.0/24 lease '14400'
set service dhcp-server shared-network-name OFFICE subnet ....50.0/24 range 0 start '....50.130'
set service dhcp-server shared-network-name OFFICE subnet ....50.0/24 range 0 stop '....50.200'
# Recursive DNS is restricted to the OFFICE prefix -- no open resolver.
set service dns forwarding allow-from '....50.0/24'
set service dns forwarding ignore-hosts-file
set service dns forwarding listen-address '....50.1'
set service dns forwarding name-server ...162
set service dns forwarding name-server ...80
# SSH on a non-standard port, LAN-only. NOTE(review): the port change is not a
# security control on its own; the setting to look for (not shown here) is
# disable-password-authentication with authorized keys for each user.
set service ssh listen-address '....50.1'
set service ssh port '666'
set system time-zone 'Europe/Paris'
# ---------------------------------------------------------------------------
# IPsec site-to-site (two peers, both on vti0). NOTE(review), two findings:
# 1) Secrets. The pre-shared keys appear in cleartext in this listing and are
#    short, word-based strings. After exposure they must be rotated on both
#    ends; prefer long random PSKs or certificate authentication.
# 2) Crypto. Both the IKE and ESP proposals use 3DES with MD5, key exchange is
#    IKEv1, and no dh-group is specified, so the platform default applies
#    (check what it is on this release; older defaults are 1024-bit MODP).
#    All of these are deprecated. A current baseline is key-exchange 'ikev2',
#    encryption 'aes256gcm128' (or 'aes256' with hash 'sha256') and dh-group
#    '14' or higher. Changing one side alone breaks the tunnel, so coordinate
#    the upgrade with the remote sites.
# ---------------------------------------------------------------------------
set vpn ipsec authentication psk AC-AMBASSADEUR id '...7'
set vpn ipsec authentication psk AC-AMBASSADEUR id '...219'
set vpn ipsec authentication psk AC-AMBASSADEUR secret 'Amba55adeurAC'
# NOTE(review): both MADRID ids (and, below, its local and remote addresses and
# ids) read as the same redacted value; confirm this is a redaction artefact
# and not an actual misconfiguration of the peer identity.
set vpn ipsec authentication psk MADRID id '...7'
set vpn ipsec authentication psk MADRID id '...7'
set vpn ipsec authentication psk MADRID secret 'Mad1C@nnes'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption '3des'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'md5'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption '3des'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'md5'
set vpn ipsec interface 'eth0'
# Each peer carries both a policy-based 'tunnel 0' (local/remote prefix) and a
# route-based 'vti' binding, and both peers bind the same vti0. NOTE(review):
# mixing the two modes on one peer, and sharing one vti between two peers, is
# unusual; verify with the SA status that both tunnels actually establish and
# that traffic follows the vti0 static routes rather than the tunnel 0 policy.
set vpn ipsec site-to-site peer AC-AMBASSADEUR authentication local-id '...7'
set vpn ipsec site-to-site peer AC-AMBASSADEUR authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer AC-AMBASSADEUR authentication remote-id '...219'
set vpn ipsec site-to-site peer AC-AMBASSADEUR ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer AC-AMBASSADEUR local-address '...7'
set vpn ipsec site-to-site peer AC-AMBASSADEUR remote-address '...219'
set vpn ipsec site-to-site peer AC-AMBASSADEUR tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer AC-AMBASSADEUR tunnel 0 local prefix '....50.0/24'
set vpn ipsec site-to-site peer AC-AMBASSADEUR tunnel 0 remote prefix '...0/24'
set vpn ipsec site-to-site peer AC-AMBASSADEUR vti bind 'vti0'
set vpn ipsec site-to-site peer AC-AMBASSADEUR vti esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer MADRID authentication local-id '...7'
set vpn ipsec site-to-site peer MADRID authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer MADRID authentication remote-id '...7'
set vpn ipsec site-to-site peer MADRID ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer MADRID local-address '...7'
set vpn ipsec site-to-site peer MADRID remote-address '...7'
set vpn ipsec site-to-site peer MADRID tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer MADRID tunnel 0 local prefix '....50.0/24'
set vpn ipsec site-to-site peer MADRID tunnel 0 remote prefix '10.1.0.0/24'
set vpn ipsec site-to-site peer MADRID vti bind 'vti0'
set vpn ipsec site-to-site peer MADRID vti esp-group 'office-srv-esp'
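# VPN-IN-OUT: OFFICE <-> the VPN-LAN network-group (group contents not shown).
# NOTE(review): in this listing the ruleset is attached to no zone pair -- the
# TUN/OFFICE pairs above use LAN -- so it is currently inert. It has no
# enable-default-log either; add one if it becomes the active vti policy.
set firewall name VPN-IN-OUT default-action 'drop'
# Rule 1: ICMP where both ends are in the OFFICE prefix. This presumably exists
# because vti0 itself is addressed inside ...50.0/24; confirm it is wanted.
set firewall name VPN-IN-OUT rule 1 action 'accept'
set firewall name VPN-IN-OUT rule 1 destination address '...50.0/24'
set firewall name VPN-IN-OUT rule 1 protocol 'icmp'
set firewall name VPN-IN-OUT rule 1 source address '...50.0/24'
# Rule 2: OFFICE may open management sessions to VPN-LAN on 22, 23 and 443.
# Port 23 (telnet) is cleartext; restrict it to the devices that need it.
set firewall name VPN-IN-OUT rule 2 action 'accept'
set firewall name VPN-IN-OUT rule 2 destination group network-group 'VPN-LAN'
set firewall name VPN-IN-OUT rule 2 destination port '22,23,443'
set firewall name VPN-IN-OUT rule 2 protocol 'tcp_udp'
set firewall name VPN-IN-OUT rule 2 source address '...50.0/24'
# Rule 3: ICMP from VPN-LAN into OFFICE.
set firewall name VPN-IN-OUT rule 3 action 'accept'
set firewall name VPN-IN-OUT rule 3 destination address '...50.0/24'
set firewall name VPN-IN-OUT rule 3 protocol 'icmp'
set firewall name VPN-IN-OUT rule 3 source group network-group 'VPN-LAN'
# Rule 4 is the return path for rule 2. It previously matched on *source port*
# 22,23,443, which a remote host chooses freely, so it amounted to an
# unrestricted accept from VPN-LAN into OFFICE. Matching conntrack state
# instead (the idiom FROM-INTERNET and FROM-ROUTING already use) admits only
# replies to sessions rule 2 accepted; legitimate sessions are unaffected.
set firewall name VPN-IN-OUT rule 4 action 'accept'
set firewall name VPN-IN-OUT rule 4 destination address '...50.0/24'
set firewall name VPN-IN-OUT rule 4 protocol 'tcp_udp'
set firewall name VPN-IN-OUT rule 4 source group network-group 'VPN-LAN'
set firewall name VPN-IN-OUT rule 4 state established 'enable'
set firewall name VPN-IN-OUT rule 4 state related 'enable'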
# Note: the vti interface is in the same subnet as OFFICE, and a static route to VPN-LAN goes via vti0.