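/* Edge router r1: zone-based firewall (lan / local / wan), DNAT for a web host,
   WireGuard site-to-site + road-warrior, DHCP/DNS for the internal VLANs and
   iBGP towards the Kubernetes nodes.  Review notes are inline as node comments.
   Global kernel toggles: source-validation (reverse-path filtering) is off and
   ICMP redirect sending is on; both are loosenings that only pay off with
   asymmetric routing -- revisit once the routing below is tidied. */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* NOTE(review): default-action is accept, so rule 50 only changes logging;
       it becomes meaningful only if this ruleset is tightened to drop.
       192.168.254.150 is also not inside any subnet configured on this router. */
    name lan-local {
        default-action accept
        enable-default-log
        rule 50 {
            action accept
            destination {
                port 53
            }
            protocol tcp_udp
            source {
                address 192.168.254.150
            }
            state {
                new enable
            }
        }
    }
    name lan-wan {
        default-action accept
        enable-default-log
    }
    name local-lan {
        default-action accept
        enable-default-log
    }
    name local-wan {
        default-action accept
        enable-default-log
    }
    name wan-lan {
        default-action drop
        enable-default-log
        rule 5 {
            action accept
            description "Allow EST/Related Traffic"
            state {
                established enable
                related enable
            }
        }
        /* NOTE(review): permits new ICMP from the Internet into the whole lan zone
           (including wg01). Only DNAT'd targets are reachable in practice; drop this
           rule unless inbound ping to LAN hosts is actually needed. */
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
        /* Pinned to the DNAT target (nat destination rules 30/40) so the WAN-side
           allow for 443/80 cannot be reused against other LAN hosts. */
        rule 30 {
            action accept
            description "Allow DNAT'd HTTPS to web host"
            destination {
                address 10.4.168.3
                port 443
            }
            protocol tcp
            state {
                new enable
            }
        }
        rule 40 {
            action accept
            description "Allow DNAT'd HTTP to web host"
            destination {
                address 10.4.168.3
                port 80
            }
            protocol tcp
            state {
                new enable
            }
        }
    }
    name wan-local {
        default-action drop
        enable-default-log
        rule 5 {
            action accept
            description "Allow EST/Related Traffic"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
        /* WireGuard on any source is expected: peers authenticate by key. */
        rule 30 {
            action accept
            description "Allow Wireguard Traffic"
            destination {
                port 51820
            }
            protocol udp
            source {
            }
            state {
                new enable
            }
        }
        /* NOTE(review): SSH on eth0 is open to every source and the ssh service
           below does not set disable-password-authentication, so the router is
           brute-forceable from the Internet. Restrict `source { address ... }` to
           the admin networks (or reach SSH over wg01 only) and, once a public key
           exists for user vyos, set `service ssh disable-password-authentication`. */
        rule 40 {
            action accept
            description "Allow SSH Traffic"
            destination {
                port 22
            }
            protocol tcp
            source {
            }
            state {
                new enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    bonding bond0 {
        member {
            interface eth2
            interface eth1
        }
        mode 802.3ad
        vif 10 {
            address 10.4.10.1/24
        }
        vif 20 {
            address 10.4.20.1/24
        }
        vif 30 {
            address 10.4.30.1/24
        }
        vif 68 {
            address 10.4.68.1/24
        }
    }
    bridge br0 {
        enable-vlan
        member {
            interface eth6 {
                native-vlan 920
            }
            interface eth7 {
                native-vlan 920
            }
        }
        vif 920 {
            address 192.168.20.1/24
        }
    }
    ethernet eth0 {
        address 64.201.235.85/26
        hw-id 7c:5a:1c:80:5f:1a
    }
    ethernet eth1 {
        hw-id 7c:5a:1c:80:5f:1b
    }
    ethernet eth2 {
        hw-id 7c:5a:1c:80:5f:1c
    }
    ethernet eth3 {
        hw-id 7c:5a:1c:80:5f:1d
    }
    ethernet eth4 {
        hw-id 7c:5a:1c:80:5f:1e
    }
    ethernet eth5 {
        hw-id 7c:5a:1c:80:5f:1f
    }
    ethernet eth6 {
        hw-id 7c:5a:1c:80:5f:20
    }
    ethernet eth7 {
        hw-id 7c:5a:1c:80:5f:21
    }
    ethernet eth8 {
        hw-id 7c:5a:1c:80:5f:22
    }
    /* Road-warrior (to-iphone) and site-to-site (to-r2, carries 10.5.0.0/16).
       Keys are redacted in this listing. */
    wireguard wg01 {
        address 172.16.10.1/32
        peer to-iphone {
            allowed-ips 172.16.10.101/32
            pubkey #####################
        }
        peer to-r2 {
            allowed-ips 172.16.10.2/32
            allowed-ips 10.5.0.0/16
            pubkey #####################
        }
        port 51820
    }
}
nat {
    /* 10.4.168.3 is not on any directly configured subnet; presumably a
       BGP-learned (K8s) service address -- confirm the route exists before
       relying on these forwards. */
    destination {
        rule 30 {
            destination {
                port 443
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 10.4.168.3
            }
        }
        rule 40 {
            destination {
                port 80
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 10.4.168.3
            }
        }
    }
    source {
        /* NOTE(review): 10.4.0.0/15 spans 10.4.0.0-10.5.255.255, so the remote
           site behind to-r2 (10.5.0.0/16) is also masqueraded out eth0. Fine if
           intended; otherwise narrow to 10.4.0.0/16. */
        rule 100 {
            outbound-interface eth0
            source {
                address 10.4.0.0/15
            }
            translation {
                address masquerade
            }
        }
        rule 200 {
            outbound-interface eth0
            source {
                address 192.168.0.0/16
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    /* NOTE(review): the K8s peer-group has no inbound prefix-list / route-map and
       no password, so any node on VLAN 68 that can open the session can inject
       arbitrary prefixes. Filter inbound to the expected service ranges and set
       `password` on the peer-group. */
    bgp 64512 {
        neighbor 10.4.68.21 {
            peer-group K8s
        }
        parameters {
            router-id 10.4.68.1
        }
        peer-group K8s {
            address-family {
                ipv4-unicast {
                }
            }
            remote-as internal
        }
    }
    static {
        interface-route 172.16.10.2/32 {
            next-hop-interface wg01 {
            }
        }
        interface-route 172.16.10.101/32 {
            next-hop-interface wg01 {
            }
        }
        /* Default route next-hop is blank in this listing (likely redacted). */
        route 0.0.0.0/0 {
            next-hop {
            }
        }
        /* NOTE(review): 172.16.10.1 is this router's own wg01 address; only the
           172.16.10.2 next-hop (peer to-r2) can actually forward 10.5.0.0/16.
           The self next-hop looks like a leftover and should be removed. */
        route 10.5.0.0/16 {
            next-hop 172.16.10.1 {
            }
            next-hop 172.16.10.2 {
            }
        }
    }
}
service {
    /* NOTE(review): eth1 is a bond0 member and has no vifs 30/31/32 configured
       here; these relay interfaces do not match anything defined above. Either
       they are stale or the intended interfaces are bond0.3x -- verify. */
    dhcp-relay {
        interface eth1.30
        interface eth1.31
        interface eth1.32
        server 10.4.30.15
    }
    dhcp-server {
        /* NOTE(review): 10.4.42.0/24, 10.4.21.0/24 and 10.4.22.0/24 are served
           below but no interface on this router carries an address in them;
           confirm these subnets are reachable/served as intended. */
        shared-network-name GUEST-WIFI {
            subnet 10.4.42.0/24 {
                default-router 10.4.42.1
                name-server 10.4.20.11
                name-server 10.4.20.12
                range 0 {
                    start 10.4.42.10
                    stop 10.4.42.250
                }
            }
        }
        shared-network-name INT {
            subnet 10.4.20.0/24 {
                default-router 10.4.20.1
                domain-name int.example.com
                domain-search int.example.com
                name-server 10.4.20.11
                name-server 10.4.20.12
                ping-check
                range 0 {
                    start 10.4.20.210
                    stop 10.4.20.250
                }
            }
        }
        shared-network-name INT-CLIENT {
            subnet 10.4.21.0/24 {
                default-router 10.4.21.1
                domain-name int.example.com
                domain-search int.example.com
                name-server 10.4.20.11
                name-server 10.4.20.12
                ping-check
                range 0 {
                    start 10.4.21.10
                    stop 10.4.21.250
                }
            }
        }
        shared-network-name INT-CLIENT-WIFI {
            subnet 10.4.22.0/24 {
                default-router 10.4.22.1
                domain-name int.example.com
                domain-search int.example.com
                name-server 10.4.20.11
                name-server 10.4.20.12
                range 0 {
                    start 10.4.22.10
                    stop 10.4.22.250
                }
            }
        }
        shared-network-name K8s {
            subnet 10.4.68.0/24 {
                default-router 10.4.68.1
                name-server 10.5.10.1
                range 0 {
                    start 10.4.68.100
                    stop 10.4.68.250
                }
                static-mapping master01.k8s.example.com {
                    ip-address 10.4.68.11
                    mac-address d8:3a:dd:19:16:9f
                }
                static-mapping master02.k8s.example.com {
                    ip-address 10.4.68.12
                    mac-address d8:3a:dd:19:16:00
                }
                static-mapping master03.k8s.example.com {
                    ip-address 10.4.68.13
                    mac-address dc:a6:32:66:16:92
                }
                /* NOTE(review): w1 and worker01 are two different MACs mapped to
                   the same address 10.4.68.21 -- which is also the BGP neighbor.
                   Whichever boots second will conflict; drop the stale entry. */
                static-mapping w1.k8s.example.com {
                    ip-address 10.4.68.21
                    mac-address BC:24:11:BC:FB:42
                }
                static-mapping worker01.k8s.example.com {
                    ip-address 10.4.68.21
                    mac-address 54:b2:03:9b:89:c4
                }
                static-mapping worker02.k8s.example.com {
                    ip-address 10.4.68.22
                    mac-address 54:b2:03:19:cf:5a
                }
                static-mapping worker03.k8s.example.com {
                    ip-address 10.4.68.23
                    mac-address 54:b2:03:04:87:43
                }
                static-mapping worker04.k8s.example.com {
                    ip-address 10.4.68.24
                    mac-address 54:b2:03:89:60:e2
                }
            }
        }
        shared-network-name PARENTS {
            name-server 10.4.10.1
            subnet 192.168.20.0/24 {
                default-router 192.168.20.1
                name-server 10.4.10.1
                range 0 {
                    start 192.168.20.10
                    stop 192.168.20.20
                }
            }
        }
    }
    dns {
        /* Credentials are redacted in this listing. */
        dynamic {
            interface eth0 {
                service cloudflare {
                    host-name r1.example.com
                    login exapmle@example.com
                    password
                    protocol cloudflare
                    zone example.com
                }
                use-web {
                    skip ip=
                    url https://cloudflare.com/cdn-cgi/trace
                }
            }
        }
        /* Recursor listens only on 10.4.10.1; remote ranges in allow-from reach
           it via routing. No dnssec setting is present, so the 1.3 default
           applies -- set `dnssec validate` if upstream answers should be checked. */
        forwarding {
            allow-from 10.4.0.0/16
            allow-from 10.5.0.0/16
            allow-from 192.168.20.0/24
            allow-from 172.16.10.0/24
            domain 10.4.10.in-addr.arpa. {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            domain 20.4.10.in-addr.arpa. {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            domain 21.4.10.in-addr.arpa. {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            domain 22.4.10.in-addr.arpa. {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            domain 30.4.10.in-addr.arpa. {
                addnta
                server 10.4.30.11
                server 10.4.30.12
            }
            domain 31.4.10.in-addr.arpa. {
                addnta
                server 10.4.30.12
                server 10.4.30.11
            }
            domain 32.4.10.in-addr.arpa. {
                addnta
                server 10.4.30.11
                server 10.4.30.12
            }
            domain ad.example.com {
                addnta
                server 10.4.30.11
                server 10.4.30.12
            }
            domain example.com {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            domain int.example.com {
                addnta
                server 10.4.20.12
                server 10.4.20.11
            }
            domain k8s.example.com {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            domain mgmt.example.com {
                addnta
                server 10.4.20.11
                server 10.4.20.12
            }
            domain roc.example.com {
                server 10.4.20.11
                server 10.4.20.12
            }
            listen-address 10.4.10.1
            source-address 10.4.10.1
            system
        }
    }
    mdns {
    }
    /* NOTE(review): reachable from WAN via wan-local rule 40 with password auth
       still enabled; see that rule. */
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    /* NOTE(review): ALG helpers (h323, sip, pptp, ftp, ...) are loaded for every
       connection and widen the NAT attack surface; keep only the ones actually
       needed. */
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name r1.example.com
    /* Password hash is redacted in this listing; no public-keys are configured. */
    login {
        user vyos {
            authentication {
                encrypted-password
            }
        }
    }
    name-server 1.1.1.1
    name-server 1.0.0.1
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    /* NOTE(review): logs stay on-box only; the firewall default-logs every zone
       pair, so add a `syslog host` target if those logs are meant to survive
       a compromise or a reboot. */
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
zone-policy {
    /* All internal VLANs, the bridge and wg01 share one zone, so traffic between
       them is not filtered by zone-policy. */
    zone lan {
        default-action drop
        from local {
            firewall {
                name local-lan
            }
        }
        from wan {
            firewall {
                name wan-lan
            }
        }
        interface wg01
        interface bond0.10
        interface bond0.20
        interface bond0.30
        interface bond0.68
        interface br0.920
    }
    zone local {
        default-action drop
        from lan {
            firewall {
                name lan-local
            }
        }
        from wan {
            firewall {
                name wan-local
            }
        }
        local-zone
    }
    /* NOTE(review): eth0.0 is not defined under interfaces (eth0 has no vif 0);
       it is either stale or a typo. */
    zone wan {
        default-action drop
        from lan {
            firewall {
                name lan-wan
            }
        }
        from local {
            firewall {
                name local-wan
            }
        }
        interface eth0
        interface eth0.0
    }
}


// Warning: Do not remove the following line.
// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
// Release version: 1.3.4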