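/* VyOS 1.5 router config: three zones (lan, local, wan), IPTV multicast passthrough, WireGuard, HAProxy reverse-proxy, DHCP/DNS for LAN and MGMT */
firewall {
    global-options {
        all-ping "enable"
        broadcast-ping "disable"
        ip-src-route "disable"
        log-martians "enable"
        receive-redirects "disable"
        /* NOTE(review): the router still emits ICMP redirects; with zone policy in place consider "disable" unless LAN hosts rely on them */
        send-redirects "enable"
        /* NOTE(review): reverse-path filtering is off, so spoofed-source packets on eth1/eth2 are not dropped; check for asymmetric routing before enabling */
        source-validation "disable"
        syn-cookies "enable"
        twa-hazards-protection "disable"
    }
    group {
        /* trusted client networks: LAN (eth1) and MGMT (eth2); the WireGuard net 192.168.10.0/24 is deliberately not a member */
        network-group inside-nets {
            network "192.168.0.0/24"
            network "10.31.74.0/27"
        }
    }
    ipv4 {
        name lan-local-v4 {
            default-action "drop"
            default-log
            description "LAN to This Router IPv4"
            rule 1 {
                action "accept"
                description "explicit allow inbound ssh always (anti-lockout)"
                destination {
                    port "22"
                }
                protocol "tcp"
                source {
                    group {
                        network-group "inside-nets"
                    }
                }
            }
            rule 2 {
                action "accept"
                description "explicit allow dhcp"
                destination {
                    port "67-68"
                }
                protocol "udp"
                source {
                    port "67-68"
                }
            }
            rule 3 {
                action "accept"
                description "default allow from known nets to router"
                /* NOTE(review): address-mask without an address — presumably matches any destination; confirm, since this rule opens every router service to inside-nets */
                destination {
                    address-mask "0.0.0.0"
                }
                source {
                    group {
                        network-group "inside-nets"
                    }
                }
            }
        }
        /* NOTE(review): unrestricted egress for every lan-zone interface, including wg01 peers */
        name lan-wan-v4 {
            default-action "drop"
            default-log
            description "LAN to WAN IPv4"
            rule 1 {
                action "accept"
            }
        }
        name local-lan-v4 {
            default-action "drop"
            default-log
            description "This Router to LAN IPv4"
            rule 2 {
                action "accept"
                description "allow dhcp"
                destination {
                    port "67-68"
                }
                protocol "udp"
                source {
                    port "67-68"
                }
            }
            rule 3 {
                action "accept"
                description "default allow from known nets to router"
                destination {
                    address-mask "0.0.0.0"
                }
                source {
                    group {
                        network-group "inside-nets"
                    }
                }
            }
        }
        name local-wan-v4 {
            default-action "drop"
            default-log
            description "This Router to WAN IPv4"
            rule 1 {
                action "accept"
            }
        }
        name wan-lan-v4 {
            default-action "drop"
            default-log
            description "WAN to LAN IPv4"
            rule 1 {
                action "accept"
                state "established"
                state "related"
            }
            rule 2 {
                action "drop"
                state "invalid"
            }
            /* IPTV multicast (tv7) forwarded by igmp-proxy from eth0 to eth1 */
            rule 771 {
                action "accept"
                description "tv7"
                destination {
                    address "233.50.230.0/24"
                    port "5000"
                }
                protocol "udp"
            }
            rule 772 {
                action "accept"
                description "tv7"
                protocol "igmp"
            }
        }
        name wan-local-v4 {
            default-action "drop"
            default-log
            description "WAN to This Router IPv4"
            rule 1 {
                action "accept"
                state "established"
                state "related"
            }
            rule 2 {
                action "drop"
                state "invalid"
            }
            rule 3 {
                action "accept"
                description "DHCPv4 replies"
                destination {
                    port "67,68"
                }
                protocol "udp"
                source {
                    port "67,68"
                }
            }
            /* only inbound service exposed to the internet; logged */
            rule 4 {
                action "accept"
                description "Wireguard"
                destination {
                    port "51820"
                }
                log
                protocol "udp"
            }
            rule 771 {
                action "accept"
                description "tv7"
                destination {
                    address "233.50.230.0/24"
                    port "5000"
                }
                protocol "udp"
            }
            rule 772 {
                action "accept"
                description "tv7"
                protocol "igmp"
            }
        }
    }
    /* NOTE(review): eth1, eth2 and wg01 share one zone, so LAN, MGMT and VPN peers reach each other unfiltered (intra-zone traffic is not policed) */
    zone lan {
        default-action "drop"
        from local {
            firewall {
                name "local-lan-v4"
            }
        }
        from wan {
            firewall {
                name "wan-lan-v4"
            }
        }
        interface "eth1"
        interface "eth2"
        interface "wg01"
    }
    zone local {
        default-action "drop"
        from lan {
            firewall {
                name "lan-local-v4"
            }
        }
        from wan {
            firewall {
                name "wan-local-v4"
            }
        }
        local-zone
    }
    zone wan {
        default-action "drop"
        from lan {
            firewall {
                name "lan-wan-v4"
            }
        }
        from local {
            firewall {
                name "local-wan-v4"
            }
        }
        interface "eth0"
    }
}
interfaces {
    ethernet eth0 {
        address "dhcp"
        description "Init7"
        hw-id "50:7c:6f:7a:fc:08"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth1 {
        address "192.168.0.1/24"
        description "LAN"
        hw-id "50:7c:6f:7a:fc:09"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth2 {
        address "10.31.74.1/27"
        description "MGMT"
        hw-id "9c:6b:00:82:af:93"
        offload {
            gro
        }
    }
    loopback lo {
    }
    wireguard wg01 {
        address "192.168.10.1/24"
        description "wireguard"
        /* keys are redacted in this copy */
        peer 1td {
            allowed-ips "192.168.10.4/32"
            public-key ""
        }
        port "51820"
        private-key ""
    }
}
load-balancing {
    reverse-proxy {
        backend bk-api-01 {
            description "My API-1"
            mode "tcp"
            server api01 {
                address "192.168.0.2"
                port "8777"
            }
        }
        backend bk-api-02 {
            description "My API-2"
            mode "tcp"
            server api02 {
                address "192.168.0.2"
                port "8080"
            }
        }
        backend bk-api-03 {
            description "My API-3"
            mode "tcp"
            server api03 {
                address "192.168.0.2"
                port "9000"
            }
        }
        backend bk-api-04 {
            description "My API-4"
            mode "tcp"
            server api04 {
                address "192.168.0.2"
                port "8123"
            }
        }
        /* NOTE(review): no listen-address, so the port-80 listener binds every router address; only wan-local-v4's default drop keeps it off eth0 */
        /* NOTE(review): domain-name rules under mode "tcp" — confirm host-based routing works for plain HTTP here; mode "http" may be required */
        service http {
            description "bind app listen on 80 port"
            mode "tcp"
            port "80"
            rule 1 {
                domain-name "paperless.xx.local"
                set {
                    backend "bk-api-01"
                }
            }
            rule 2 {
                domain-name "weather.xx.local"
                set {
                    backend "bk-api-02"
                }
            }
            rule 3 {
                domain-name "portainer.xx.local"
                set {
                    backend "bk-api-03"
                }
            }
            rule 4 {
                domain-name "homeassistant.xx.local"
                set {
                    backend "bk-api-04"
                }
            }
        }
    }
}
nat {
    source {
        rule 771 {
            outbound-interface {
                name "eth0"
            }
            source {
                address "192.168.0.0/24"
            }
            translation {
                address "masquerade"
            }
        }
        rule 772 {
            outbound-interface {
                name "eth0"
            }
            /* fixed: was 10.31.74.0/24, wider than the /27 MGMT subnet used by eth2, dhcp-server and inside-nets */
            source {
                address "10.31.74.0/27"
            }
            translation {
                address "masquerade"
            }
        }
        rule 773 {
            outbound-interface {
                name "eth0"
            }
            source {
                address "192.168.10.0/24"
            }
            translation {
                address "masquerade"
            }
        }
    }
}
protocols {
    igmp-proxy {
        /* NOTE(review): alt-subnet 0.0.0.0/0 accepts multicast from any upstream source, presumably required for the tv7 streams */
        interface eth0 {
            alt-subnet "0.0.0.0/0"
            role "upstream"
        }
        interface eth1 {
            role "downstream"
        }
    }
    static {
        route 0.0.0.0/0 {
            dhcp-interface "eth0"
        }
    }
}
service {
    dhcp-server {
        listen-interface "eth1"
        listen-interface "eth2"
        shared-network-name lan {
            authoritative
            description "LAN"
            subnet 192.168.0.0/24 {
                option {
                    default-router "192.168.0.1"
                    domain-name "xx.xx"
                    name-server "192.168.0.1"
                }
                range 0 {
                    start "192.168.0.20"
                    stop "192.168.0.220"
                }
                static-mapping nas {
                    ip-address "192.168.0.2"
                    mac "00:11:32:9b:11:01"
                }
                subnet-id "1"
            }
        }
        shared-network-name mgmt {
            authoritative
            description "Mgmt"
            option {
                name-server "192.168.0.1"
            }
            subnet 10.31.74.0/27 {
                option {
                    default-router "10.31.74.1"
                }
                range scope1 {
                    start "10.31.74.2"
                    stop "10.31.74.30"
                }
                subnet-id "2"
            }
        }
    }
    dns {
        forwarding {
            allow-from "192.168.0.0/24"
            /* added: the mgmt scope hands out 192.168.0.1 as resolver, so its clients must be permitted or their queries are refused */
            allow-from "10.31.74.0/27"
            authoritative-domain xx.local {
                records {
                    a homeassistant {
                        address "192.168.0.1"
                    }
                    a paperless {
                        address "192.168.0.1"
                    }
                    a portainer {
                        address "192.168.0.1"
                    }
                    a weather {
                        address "192.168.0.1"
                    }
                }
            }
            listen-address "192.168.0.1"
        }
    }
    /* NOTE(review): the MGMT address is advertised on eth1 (LAN) as well as eth2 */
    lldp {
        interface eth1 {
        }
        interface eth2 {
        }
        management-address "10.31.74.1"
    }
    ntp {
        allow-client {
            address "127.0.0.0/8"
            address "169.254.0.0/16"
            address "10.0.0.0/8"
            address "172.16.0.0/12"
            address "192.168.0.0/16"
            address "::1/128"
            address "fe80::/10"
            address "fc00::/7"
        }
        server 0.ch.pool.ntp.org {
            pool
        }
        server 1.ch.pool.ntp.org {
            pool
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    /* bound to the LAN and MGMT addresses only; reachable from inside-nets via lan-local-v4 rule 1 */
    ssh {
        listen-address "10.31.74.1"
        listen-address "192.168.0.1"
        port "22"
    }
}
system {
    config-management {
        /* NOTE(review): user:password in the URL is stored in plaintext config and in every archived revision; a key-based transport would avoid that */
        commit-archive {
            location "sftp://xx:xx@192.168.0.2/NetBackup/vyos"
        }
        commit-revisions "100"
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed "115200"
        }
    }
    domain-name ""
    host-name "vyos"
    login {
        user vyos {
            authentication {
                encrypted-password ""
                plaintext-password ""
            }
        }
    }
    name-server "eth0"
    name-server "77.109.128.2"
    name-server "213.144.129.20"
    option {
        keyboard-layout "de"
        performance "throughput"
    }
    static-host-mapping
    syslog {
        global {
            facility all {
                level "info"
            }
            facility local7 {
                level "debug"
            }
        }
    }
}


// Warning: Do not remove the following line.
// vyos-config-version: "bgp@5:broadcast-relay@1:cluster@2:config-management@1:conntrack@5:conntrack-sync@2:container@2:dhcp-relay@2:dhcp-server@11:dhcpv6-server@5:dns-dynamic@4:dns-forwarding@4:firewall@16:flow-accounting@1:https@6:ids@1:interfaces@33:ipoe-server@4:ipsec@13:isis@3:l2tp@9:lldp@2:mdns@1:monitoring@1:nat@8:nat66@3:ntp@3:openconnect@3:openvpn@4:ospf@2:pim@1:policy@8:pppoe-server@11:pptp@5:qos@2:quagga@11:reverse-proxy@1:rip@1:rpki@2:salt@1:snmp@3:ssh@2:sstp@6:system@27:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.5-stream-2025-Q1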