/* VyOS zone-based firewall. Zones, per the zone-policy section: lan (eth2), wan (eth0), wg0, wg1, wg2, wgwifi (eth1) and local (the router itself). */
/* Rulesets are named SOURCE-DESTINATION and bound to zone pairs in zone-policy. */
/* Global options in this block: all-ping and broadcast-ping enabled, source-validation disabled, send-redirects enabled, source routing and received redirects disabled, martians logged, SYN cookies on. */
/* NOTE(review): broadcast-ping enable and source-validation disable are the permissive choices; confirm both are intended. Reverse-path checks may be off because of the policy routing on eth1, eth2 and wg1 - verify. */
firewall {
    all-ping enable
    broadcast-ping enable
    config-trap disable
    /* NOTE(review): countries-allowed and nets4-blacklist are empty, and no rule in this listing references them or dns-servers. private-nets and wireguard-allowed are used by policy route vpn-routing. */
    group {
        address-group countries-allowed {
        }
        address-group dns-servers {
            address 192.168.68.24
        }
        address-group nets4-blacklist {
        }
        network-group private-nets {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
        network-group wireguard-allowed {
            network 192.168.32.0/24
            network 192.168.112.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* lan to router: everything accepted, so every router service (ssh included) is reachable from the lan zone. */
    name lan-local {
        default-action accept
    }
    /* lan to wan: accept by default, dropping only packets conntrack marks invalid. */
    name lan-wan {
        default-action accept
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* lan to the wg and wgwifi zones: return traffic only (established/related); lan cannot open new connections toward these zones. */
    name lan-wg0 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg2 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wgwifi {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* Router-originated traffic (local-*): accepted toward every zone; only local-wan adds an invalid-state drop. */
    name local-lan {
        default-action accept
    }
    name local-wan {
        default-action accept
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name local-wg0 {
        default-action accept
    }
    name local-wg1 {
        default-action accept
    }
    name local-wg2 {
        default-action accept
    }
    name local-wgwifi {
        default-action accept
    }
    /* wan to lan: default drop. Rules 200-300 open the TCP ports that nat destination rules 11-111 forward to 192.168.68.49, 192.168.68.28 and 192.168.68.15. */
    /* NOTE(review): these rules match on destination port only, so each port is accepted toward any lan host, not just the DNAT target. Consider adding the target address to each rule. */
    /* NOTE(review): 143 (IMAP) and 110 (POP3) are opened alongside 993 and 995, and 4190 (ManageSieve) is internet-facing. Whether the mail host enforces STARTTLS on the plaintext ports is not visible here - confirm. */
    name wan-lan {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
        rule 200 {
            action accept
            destination {
                port 80
            }
            protocol tcp
        }
        rule 210 {
            action accept
            destination {
                port 443
            }
            protocol tcp
        }
        rule 220 {
            action accept
            destination {
                port 32400
            }
            protocol tcp
        }
        rule 230 {
            action accept
            destination {
                port 25
            }
            protocol tcp
        }
        rule 240 {
            action accept
            destination {
                port 465
            }
            protocol tcp
        }
        rule 250 {
            action accept
            destination {
                port 587
            }
            protocol tcp
        }
        rule 260 {
            action accept
            destination {
                port 143
            }
            protocol tcp
        }
        rule 270 {
            action accept
            destination {
                port 993
            }
            protocol tcp
        }
        rule 280 {
            action accept
            destination {
                port 110
            }
            protocol tcp
        }
        rule 290 {
            action accept
            destination {
                port 995
            }
            protocol tcp
        }
        rule 300 {
            action accept
            destination {
                port 4190
            }
            protocol tcp
        }
    }
    /* wan to router: default drop. The only new inbound flows accepted are UDP 51820 and 51822, the listen ports of wg1 and wg2. No rule here admits ssh (port 22) or ICMP from wan. */
    name wan-local {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
        rule 400 {
            action accept
            destination {
                port 51820
            }
            protocol udp
        }
        rule 410 {
            action accept
            destination {
                port 51822
            }
            protocol udp
        }
    }
    /* wan to the wg and wgwifi zones: return traffic only. */
    name wan-wg0 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wg2 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wgwifi {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* From wg0 (the tunnel whose peer has allowed-ips 0.0.0.0/0): default drop everywhere. Only wg0-wg1 and wg0-wgwifi admit return traffic, matching the two zones allowed to initiate toward wg0. */
    /* NOTE(review): wg0-local has no established/related rule although local-wg0 accepts, so replies to router-originated traffic sent through the tunnel would be dropped - confirm the router never needs to use wg0 itself. */
    name wg0-lan {
        default-action drop
    }
    name wg0-local {
        default-action drop
    }
    name wg0-wan {
        default-action drop
    }
    name wg0-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg0-wg2 {
        default-action drop
    }
    name wg0-wgwifi {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* From wg1 (road-warrior peers, 192.168.32.0/24): full access to lan, the router and wg0; wan, wg2 and wgwifi are dropped, so this zone has no forwarding path to wan. */
    name wg1-lan {
        default-action accept
    }
    name wg1-local {
        default-action accept
    }
    name wg1-wan {
        default-action drop
    }
    name wg1-wg0 {
        default-action accept
    }
    name wg1-wg2 {
        default-action drop
    }
    name wg1-wgwifi {
        default-action drop
    }
    /* From wg2 (road-warrior peers, 10.0.10.0/24): full access to lan and the router, and to wan except invalid-state packets; wg0, wg1 and wgwifi are dropped. */
    name wg2-lan {
        default-action accept
    }
    name wg2-local {
        default-action accept
    }
    name wg2-wan {
        default-action accept
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg2-wg0 {
        default-action drop
    }
    name wg2-wg1 {
        default-action drop
    }
    name wg2-wgwifi {
        default-action drop
    }
    /* From wgwifi (eth1, 192.168.112.0/24): same shape as wg1 - lan, router and wg0 accepted; wan, wg1 and wg2 dropped. */
    name wgwifi-lan {
        default-action accept
    }
    name wgwifi-local {
        default-action accept
    }
    name wgwifi-wan {
        default-action drop
    }
    name wgwifi-wg0 {
        default-action accept
    }
    name wgwifi-wg1 {
        default-action drop
    }
    name wgwifi-wg2 {
        default-action drop
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
/* Interfaces. eth0 is the wan uplink on a /30; eth1 and eth2 are the two inside networks; wg0 is an outbound tunnel and wg1/wg2 are listening WireGuard servers. */
interfaces {
    /* wan uplink. Inbound traffic is redirected to ifb0 so the ingress shaper can be applied; egress shaping is attached directly. */
    ethernet eth0 {
        address 172.31.255.6/30
        description wan
        duplex auto
        hw-id 00:0d:b9:51:90:74
        redirect ifb0
        speed auto
        traffic-policy {
            out egress
        }
    }
    /* wgwifi zone. Policy route vpn-routing is applied; 192.168.112.0/24 is in wireguard-allowed, so non-private destinations are looked up in table 100. */
    ethernet eth1 {
        address 192.168.112.1/24
        description "mullvad (wifi)"
        duplex auto
        hw-id 00:0d:b9:51:90:75
        policy {
            route vpn-routing
        }
        speed auto
    }
    /* lan zone. vpn-routing is applied here too, but 192.168.68.0/24 is not in wireguard-allowed, so rule 100 of that policy does not match lan sources. */
    ethernet eth2 {
        address 192.168.68.1/24
        description lan
        duplex auto
        hw-id 00:0d:b9:51:90:76
        policy {
            route vpn-routing
        }
        speed auto
    }
    input ifb0 {
        traffic-policy {
            out ingress
        }
    }
    loopback lo {
    }
    /* Outbound tunnel with a single peer and allowed-ips 0.0.0.0/0. private-key names a key; no private key material appears in this listing. */
    wireguard wg0 {
        address 10.65.140.116/32
        description mullvad
        mtu 1420
        peer mullvad-gb3 {
            allowed-ips 0.0.0.0/0
            endpoint 89.238.167.244:51820
            pubkey UMnM3Zphy4LsrPFYqdjJZmXV428tGmaCbpdYm74UrgQ=
        }
        private-key wg0
    }
    /* Listening server on UDP 51820 (opened by wan-local rule 400). Each peer is pinned to one /32. Sources in 192.168.32.0/24 match vpn-routing rule 100 and use table 100. */
    wireguard wg1 {
        address 192.168.32.1/24
        description "vpn +lan +mullvad"
        mtu 1420
        peer inuc {
            allowed-ips 192.168.32.102/32
            pubkey Y3FdYykl3oSUPRuTwrqOVIf1imFL/wC3y1xsC7Z6Ql8=
        }
        peer iphone {
            allowed-ips 192.168.32.103/32
            pubkey vun6APmZZAE+ImcCur9OMoFfZU4dtsGHReJF3arBnAU=
        }
        peer laptop {
            allowed-ips 192.168.32.101/32
            pubkey s3KPJRRQHs/gjVSBGQMZMulDVMzraAsUpfQk8nU3lGo=
        }
        peer pixel3a {
            allowed-ips 192.168.32.100/32
            pubkey 8TTb3W6emQg5nZGO08IapamDyyr5bKeFID9AyFJb4wA=
        }
        policy {
            route vpn-routing
        }
        port 51820
        private-key wg1
    }
    /* Listening server on UDP 51822 (opened by wan-local rule 410). Same four peer public keys as wg1, each pinned to a /32 in 10.0.10.0/24. No policy route is attached, so the main table is used. */
    wireguard wg2 {
        address 10.0.10.1/24
        description "vpn +lan +swisscom"
        mtu 1420
        peer inuc {
            allowed-ips 10.0.10.102/32
            pubkey Y3FdYykl3oSUPRuTwrqOVIf1imFL/wC3y1xsC7Z6Ql8=
        }
        peer iphone {
            allowed-ips 10.0.10.103/32
            pubkey vun6APmZZAE+ImcCur9OMoFfZU4dtsGHReJF3arBnAU=
        }
        peer laptop {
            allowed-ips 10.0.10.101/32
            pubkey s3KPJRRQHs/gjVSBGQMZMulDVMzraAsUpfQk8nU3lGo=
        }
        peer pixel3a {
            allowed-ips 10.0.10.100/32
            pubkey 8TTb3W6emQg5nZGO08IapamDyyr5bKeFID9AyFJb4wA=
        }
        port 51822
        private-key wg2
    }
}
/* NAT. Destination rules come in pairs per published port: the odd-numbered rule (x1) forwards traffic arriving on eth0, the even-numbered rule (x2) is the hairpin copy for lan clients on eth2 addressing the wan IP. */
nat {
    /* Every rule matches destination 172.31.255.6 and translates to the same port on a lan host: 192.168.68.49 (80, 443), 192.168.68.28 (32400), 192.168.68.15 (mail ports and 4190). */
    destination {
        rule 11 {
            description "HTTP Reverse Proxy"
            destination {
                address 172.31.255.6
                port 80
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.49
                port 80
            }
        }
        rule 12 {
            description hairpin80
            destination {
                address 172.31.255.6
                port 80
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.49
                port 80
            }
        }
        rule 21 {
            description "HTTPS Reverse Proxy"
            destination {
                address 172.31.255.6
                port 443
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.49
                port 443
            }
        }
        rule 22 {
            description hairpin443
            destination {
                address 172.31.255.6
                port 443
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.49
                port 443
            }
        }
        rule 31 {
            description Plex
            destination {
                address 172.31.255.6
                port 32400
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.28
                port 32400
            }
        }
        rule 32 {
            description hairpin32400
            destination {
                address 172.31.255.6
                port 32400
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.28
                port 32400
            }
        }
        rule 41 {
            description "Postfix SMTP"
            destination {
                address 172.31.255.6
                port 25
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 25
            }
        }
        rule 42 {
            description hairpin25
            destination {
                address 172.31.255.6
                port 25
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 25
            }
        }
        rule 51 {
            description "Postfix SMTPS"
            destination {
                address 172.31.255.6
                port 465
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 465
            }
        }
        rule 52 {
            description hairpin465
            destination {
                address 172.31.255.6
                port 465
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 465
            }
        }
        rule 61 {
            description "Postfix Submission"
            destination {
                address 172.31.255.6
                port 587
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 587
            }
        }
        rule 62 {
            description hairpin587
            destination {
                address 172.31.255.6
                port 587
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 587
            }
        }
        rule 71 {
            description "Dovecot IMAP"
            destination {
                address 172.31.255.6
                port 143
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 143
            }
        }
        rule 72 {
            description hairpin143
            destination {
                address 172.31.255.6
                port 143
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 143
            }
        }
        rule 81 {
            description "Dovecot IMAPS"
            destination {
                address 172.31.255.6
                port 993
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 993
            }
        }
        rule 82 {
            description hairpin993
            destination {
                address 172.31.255.6
                port 993
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 993
            }
        }
        rule 91 {
            description "Dovecot POP3"
            destination {
                address 172.31.255.6
                port 110
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 110
            }
        }
        rule 92 {
            description hairpin110
            destination {
                address 172.31.255.6
                port 110
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 110
            }
        }
        rule 101 {
            description "Dovecot POP3S"
            destination {
                address 172.31.255.6
                port 995
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 995
            }
        }
        rule 102 {
            description hairpin995
            destination {
                address 172.31.255.6
                port 995
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 995
            }
        }
        rule 111 {
            description "Dovecot ManageSieve"
            destination {
                address 172.31.255.6
                port 4190
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 4190
            }
        }
        rule 112 {
            description hairpin4190
            destination {
                address 172.31.255.6
                port 4190
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 4190
            }
        }
    }
    /* Rules 11-111 masquerade hairpinned lan-to-lan flows leaving eth2, so the published host replies via the router. As a side effect that host sees the router address, not the real lan client, in its logs for these flows. */
    /* Rules 5000 and 5100 masquerade everything leaving eth0 and wg0. */
    source {
        rule 11 {
            description hairpin
            destination {
                address 192.168.68.49
                port 80
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 21 {
            description hairpin
            destination {
                address 192.168.68.49
                port 443
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 31 {
            description hairpin
            destination {
                address 192.168.68.28
                port 32400
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 41 {
            description hairpin
            destination {
                address 192.168.68.15
                port 25
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 51 {
            description hairpin
            destination {
                address 192.168.68.15
                port 465
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 61 {
            description hairpin
            destination {
                address 192.168.68.15
                port 587
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 71 {
            description hairpin
            destination {
                address 192.168.68.15
                port 143
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 81 {
            description hairpin
            destination {
                address 192.168.68.15
                port 993
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 91 {
            description hairpin
            destination {
                address 192.168.68.15
                port 110
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 101 {
            description hairpin
            destination {
                address 192.168.68.15
                port 995
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 111 {
            description hairpin
            destination {
                address 192.168.68.15
                port 4190
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 5000 {
            outbound-interface eth0
            protocol all
            translation {
                address masquerade
            }
        }
        rule 5100 {
            outbound-interface wg0
            protocol all
            translation {
                address masquerade
            }
        }
    }
}
/* Policy routing applied on eth1, eth2 and wg1. Rule 10 keeps traffic to RFC 1918 destinations in the main table; rule 100 sends everything else sourced from wireguard-allowed (192.168.32.0/24, 192.168.112.0/24) to table 100. */
policy {
    route vpn-routing {
        rule 10 {
            destination {
                group {
                    network-group private-nets
                }
            }
            set {
                table main
            }
        }
        rule 100 {
            set {
                table 100
            }
            source {
                group {
                    network-group wireguard-allowed
                }
            }
        }
    }
}
/* Static routing. Main table: default via 172.31.255.5, plus blackholes for the three RFC 1918 ranges so private destinations without a more specific route are discarded rather than sent upstream. */
/* Table 100: default via interface wg0, with a blackhole default at distance 255 as the fallback - presumably so policy-routed traffic is discarded instead of leaving another way when wg0 is unavailable; verify by testing with the tunnel down. */
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 172.31.255.5 {
            }
        }
        route 10.0.0.0/8 {
            blackhole {
            }
        }
        route 172.16.0.0/12 {
            blackhole {
            }
        }
        route 192.168.0.0/16 {
            blackhole {
            }
        }
        table 100 {
            interface-route 0.0.0.0/0 {
                next-hop-interface wg0 {
                }
            }
            route 0.0.0.0/0 {
                blackhole {
                    distance 255
                }
            }
        }
    }
}
/* Router services: DHCP for the eth1 subnet, an empty dns node, and ssh on port 22. */
service {
    /* Leases for 192.168.112.0/24 hand out 192.168.68.24 (a lan host) as resolver. */
    /* NOTE(review): clients on this subnet are policy-routed into wg0, but their DNS goes to a lan resolver whose upstream path is not shown here; if it resolves via wan, lookups bypass the tunnel - confirm. */
    dhcp-server {
        shared-network-name mullvad {
            subnet 192.168.112.0/24 {
                default-router 192.168.112.1
                dns-server 192.168.68.24
                domain-name phillipmcmahon.com
                lease 3600
                range mullvad {
                    start 192.168.112.100
                    stop 192.168.112.163
                }
            }
        }
    }
    dns {
    }
    /* ssh listens on port 22 with no listen-address or authentication options set in this listing. Per the firewall, lan, wg1, wg2 and wgwifi can reach it (their *-local rulesets accept); wan and wg0 cannot. */
    /* NOTE(review): no system login section is visible in this listing, so password versus key-only authentication cannot be assessed from here. */
    ssh {
        port 22
    }
}
/* System settings: 100 retained commit revisions, serial console, resolver 192.168.68.24, NTP from time.google.com, syslog at info with the protocols facility at debug. */
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    name-server 192.168.68.24
    ntp {
        server time.google.com {
        }
    }
    /* Only a global (local) log target is configured; no remote host target appears in this listing. */
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Zurich
}
/* fq-codel shapers: egress is attached to eth0 out, ingress to ifb0 out (eth0 inbound is redirected to ifb0). */
traffic-policy {
    shaper egress {
        bandwidth auto
        default {
            bandwidth 50mbit
            burst 15k
            codel-quantum 1514
            flows 1024
            queue-limit 10240
            queue-type fq-codel
        }
    }
    shaper ingress {
        bandwidth 180mbit
        default {
            bandwidth 90%
            burst 15k
            codel-quantum 1514
            flows 1024
            queue-limit 10240
            queue-type fq-codel
        }
    }
}
/* Zone bindings. Every zone has default-action drop and an explicit ruleset for each of the six other zones, so no zone pair falls through to the zone default. */
zone-policy {
    zone lan {
        default-action drop
        from local {
            firewall {
                name local-lan
            }
        }
        from wan {
            firewall {
                name wan-lan
            }
        }
        from wg0 {
            firewall {
                name wg0-lan
            }
        }
        from wg1 {
            firewall {
                name wg1-lan
            }
        }
        from wg2 {
            firewall {
                name wg2-lan
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-lan
            }
        }
        interface eth2
    }
    /* The router itself; these rulesets govern which zones can reach router services such as ssh and the WireGuard listeners. */
    zone local {
        default-action drop
        from lan {
            firewall {
                name lan-local
            }
        }
        from wan {
            firewall {
                name wan-local
            }
        }
        from wg0 {
            firewall {
                name wg0-local
            }
        }
        from wg1 {
            firewall {
                name wg1-local
            }
        }
        from wg2 {
            firewall {
                name wg2-local
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-local
            }
        }
        local-zone
    }
    zone wan {
        default-action drop
        from lan {
            firewall {
                name lan-wan
            }
        }
        from local {
            firewall {
                name local-wan
            }
        }
        from wg0 {
            firewall {
                name wg0-wan
            }
        }
        from wg1 {
            firewall {
                name wg1-wan
            }
        }
        from wg2 {
            firewall {
                name wg2-wan
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-wan
            }
        }
        interface eth0
    }
    zone wg0 {
        default-action drop
        from lan {
            firewall {
                name lan-wg0
            }
        }
        from local {
            firewall {
                name local-wg0
            }
        }
        from wan {
            firewall {
                name wan-wg0
            }
        }
        from wg1 {
            firewall {
                name wg1-wg0
            }
        }
        from wg2 {
            firewall {
                name wg2-wg0
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-wg0
            }
        }
        interface wg0
    }
    zone wg1 {
        default-action drop
        from lan {
            firewall {
                name lan-wg1
            }
        }
        from local {
            firewall {
                name local-wg1
            }
        }
        from wan {
            firewall {
                name wan-wg1
            }
        }
        from wg0 {
            firewall {
                name wg0-wg1
            }
        }
        from wg2 {
            firewall {
                name wg2-wg1
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-wg1
            }
        }
        interface wg1
    }
    zone wg2 {
        default-action drop
        from lan {
            firewall {
                name lan-wg2
            }
        }
        from local {
            firewall {
                name local-wg2
            }
        }
        from wan {
            firewall {
                name wan-wg2
            }
        }
        from wg0 {
            firewall {
                name wg0-wg2
            }
        }
        from wg1 {
            firewall {
                name wg1-wg2
            }
        }
        from wgwifi {
            firewall {
                name wgwifi-wg2
            }
        }
        interface wg2
    }
    /* The zone is named wgwifi but its member interface is eth1 (the wifi segment), not a WireGuard interface. */
    zone wgwifi {
        default-action drop
        from lan {
            firewall {
                name lan-wgwifi
            }
        }
        from local {
            firewall {
                name local-wgwifi
            }
        }
        from wan {
            firewall {
                name wan-wgwifi
            }
        }
        from wg0 {
            firewall {
                name wg0-wgwifi
            }
        }
        from wg1 {
            firewall {
                name wg1-wgwifi
            }
        }
        from wg2 {
            firewall {
                name wg2-wgwifi
            }
        }
        interface eth1
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@2:firewall@5:https@1:interfaces@6:ipsec@5:l2tp@2:lldp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@5:snmp@1:ssh@1:sstp@2:system@16:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.3-rolling-202004020117 */