/* Zone-based firewall for a small router: WAN on eth0, LAN on eth2, a Mullvad WireGuard uplink (wg0), two road-warrior WireGuard nets (wg1, wg2) and a VLAN (eth2.64) that is policy-routed through the tunnel; the source was one collapsed line and has only been reformatted and annotated here */
firewall {
    all-ping enable
    /* NOTE(review): replying to ICMP echo sent to broadcast addresses is normally disabled as a hardening step; confirm this is intentional */
    broadcast-ping enable
    config-trap disable
    group {
        /* NOTE(review): this group is not referenced by any rule in this file; confirm it is used elsewhere or drop it */
        address-group dns-servers {
            address 192.168.68.22
        }
        /* RFC 1918 space; policy route vpn-routing rule 10 keeps traffic to these nets on the main table instead of the tunnel */
        network-group private-nets {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
        /* sources sent through the Mullvad tunnel by vpn-routing rule 100: wg1 clients and the eth2.64 "mullvad (lan)" VLAN */
        network-group wireguard-allowed {
            network 192.168.32.0/24
            network 192.168.128.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    /* LAN hosts may reach every router service, including ssh on 22022 */
    name lan-local {
        default-action accept
    }
    /* unrestricted egress from the LAN to the ISP link */
    name lan-wan {
        default-action accept
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg0 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg2 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wglan {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name local-lan {
        default-action accept
    }
    name local-wan {
        default-action accept
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name local-wg0 {
        default-action accept
    }
    name local-wg1 {
        default-action accept
    }
    name local-wg2 {
        default-action accept
    }
    name local-wglan {
        default-action accept
    }
    /* inbound from the ISP: only the ports that nat destination rules 11..111 forward to LAN hosts */
    name wan-lan {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
        /* NOTE(review): rules 200..300 match on destination port only and rely on the DNAT rules to pin the target host; adding the forwarded host under destination { address ... } would keep them tight if a NAT rule is ever removed */
        rule 200 {
            action accept
            destination {
                port 80
            }
            protocol tcp
        }
        rule 210 {
            action accept
            destination {
                port 443
            }
            protocol tcp
        }
        rule 220 {
            action accept
            destination {
                port 32400
            }
            protocol tcp
        }
        /* NOTE(review): 25, 143 and 110 are cleartext-capable mail ports; confirm that 192.168.68.15 requires STARTTLS before accepting credentials */
        rule 230 {
            action accept
            destination {
                port 25
            }
            protocol tcp
        }
        rule 240 {
            action accept
            destination {
                port 465
            }
            protocol tcp
        }
        rule 250 {
            action accept
            destination {
                port 587
            }
            protocol tcp
        }
        rule 260 {
            action accept
            destination {
                port 143
            }
            protocol tcp
        }
        rule 270 {
            action accept
            destination {
                port 993
            }
            protocol tcp
        }
        rule 280 {
            action accept
            destination {
                port 110
            }
            protocol tcp
        }
        rule 290 {
            action accept
            destination {
                port 995
            }
            protocol tcp
        }
        rule 300 {
            action accept
            destination {
                port 4190
            }
            protocol tcp
        }
    }
    /* inbound to the router itself from the ISP: only the two WireGuard listen ports (wg1, wg2); ssh 22022 is not reachable from here */
    name wan-local {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
        rule 400 {
            action accept
            destination {
                port 51820
            }
            protocol udp
        }
        rule 410 {
            action accept
            destination {
                port 51822
            }
            protocol udp
        }
    }
    name wan-wg0 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wg2 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wglan {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* the Mullvad peer (allowed-ips 0.0.0.0/0) may never initiate towards lan, local or wan; only return traffic to wg1 and wglan is let through */
    name wg0-lan {
        default-action drop
    }
    name wg0-local {
        default-action drop
    }
    name wg0-wan {
        default-action drop
    }
    name wg0-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg0-wg2 {
        default-action drop
    }
    name wg0-wglan {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* wg1 clients: LAN and router access, internet only via wg0 (wg1-wan drops, so nothing leaks to the ISP link if policy routing fails) */
    name wg1-lan {
        default-action accept
    }
    name wg1-local {
        default-action accept
    }
    name wg1-wan {
        default-action drop
    }
    name wg1-wg0 {
        default-action accept
    }
    name wg1-wg2 {
        default-action drop
    }
    name wg1-wglan {
        default-action drop
    }
    /* wg2 clients: LAN and router access, internet via the ISP link (10.0.10.0/24 is not in wireguard-allowed) */
    name wg2-lan {
        default-action accept
    }
    name wg2-local {
        default-action accept
    }
    name wg2-wan {
        default-action accept
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg2-wg0 {
        default-action drop
    }
    name wg2-wg1 {
        default-action drop
    }
    name wg2-wglan {
        default-action drop
    }
    /* eth2.64 VLAN: same pattern as wg1, internet only through the tunnel */
    name wglan-lan {
        default-action accept
    }
    name wglan-local {
        default-action accept
    }
    name wglan-wan {
        default-action drop
    }
    name wglan-wg0 {
        default-action accept
    }
    name wglan-wg1 {
        default-action drop
    }
    name wglan-wg2 {
        default-action drop
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path filtering is off, presumably because strict mode would conflict with the table 100 policy routing; confirm whether loose mode is workable */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    /* ISP link on a /30; both shapers below hang off this interface (egress directly, ingress via ifb0) */
    ethernet eth0 {
        address 172.31.255.6/30
        description wan
        duplex full
        hw-id 00:0d:b9:51:90:74
        redirect ifb0
        speed 1000
        traffic-policy {
            out egress
        }
    }
    ethernet eth1 {
        disable
        duplex auto
        hw-id 00:0d:b9:51:90:75
        speed auto
    }
    ethernet eth2 {
        address 192.168.68.1/24
        description lan
        duplex auto
        hw-id 00:0d:b9:51:90:76
        policy {
            route vpn-routing
        }
        speed auto
        /* tagged VLAN whose clients are forced through the Mullvad tunnel by vpn-routing rule 100 */
        vif 64 {
            address 192.168.128.1/24
            description "mullvad (lan)"
            policy {
                route vpn-routing
            }
        }
    }
    input ifb0 {
        traffic-policy {
            out ingress
        }
    }
    loopback lo {
    }
    /* Mullvad uplink; no listen port is set here, so only wg1 and wg2 need inbound UDP from the ISP */
    wireguard wg0 {
        address 10.65.140.116/32
        description mullvad
        mtu 1420
        peer mullvad-us60 {
            address 89.45.90.93
            allowed-ips 0.0.0.0/0
            port 51820
            pubkey ****************
        }
        private-key ****************
    }
    /* road-warrior net whose clients are routed via wg0; each peer is pinned to a single /32 */
    wireguard wg1 {
        address 192.168.32.1/24
        description "vpn +lan +mullvad"
        mtu 1420
        peer inuc {
            allowed-ips 192.168.32.102/32
            pubkey ****************
        }
        peer iphone {
            allowed-ips 192.168.32.103/32
            pubkey ****************
        }
        peer laptop {
            allowed-ips 192.168.32.101/32
            pubkey ****************
        }
        peer pixel3a {
            allowed-ips 192.168.32.100/32
            pubkey ****************
        }
        policy {
            route vpn-routing
        }
        port 51820
        private-key ****************
    }
    /* road-warrior net whose clients egress via the ISP link; same peers, different keys and addresses */
    wireguard wg2 {
        address 10.0.10.1/24
        description "vpn +lan +swisscom"
        mtu 1420
        peer inuc {
            allowed-ips 10.0.10.102/32
            pubkey ****************
        }
        peer iphone {
            allowed-ips 10.0.10.103/32
            pubkey ****************
        }
        peer laptop {
            allowed-ips 10.0.10.101/32
            pubkey ****************
        }
        peer pixel3a {
            allowed-ips 10.0.10.100/32
            pubkey ****************
        }
        policy {
            route vpn-routing
        }
        port 51822
        private-key ****************
    }
}
nat {
    /* each published port has a pair: odd rule for traffic arriving on eth0, even rule (hairpin) for LAN clients hitting the public address */
    destination {
        rule 11 {
            description "http reverse proxy"
            destination {
                address 172.31.255.6
                port 80
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.49
                port 80
            }
        }
        rule 12 {
            description hairpin80
            destination {
                address 172.31.255.6
                port 80
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.49
                port 80
            }
        }
        rule 21 {
            description "https reverse proxy"
            destination {
                address 172.31.255.6
                port 443
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.49
                port 443
            }
        }
        rule 22 {
            description hairpin443
            destination {
                address 172.31.255.6
                port 443
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.49
                port 443
            }
        }
        rule 31 {
            description plex
            destination {
                address 172.31.255.6
                port 32400
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.28
                port 32400
            }
        }
        rule 32 {
            description hairpin32400
            destination {
                address 172.31.255.6
                port 32400
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.28
                port 32400
            }
        }
        rule 41 {
            description "postfix smtp"
            destination {
                address 172.31.255.6
                port 25
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 25
            }
        }
        rule 42 {
            description hairpin25
            destination {
                address 172.31.255.6
                port 25
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 25
            }
        }
        rule 51 {
            description "postfix smtps"
            destination {
                address 172.31.255.6
                port 465
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 465
            }
        }
        rule 52 {
            description hairpin465
            destination {
                address 172.31.255.6
                port 465
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 465
            }
        }
        rule 61 {
            description "postfix submission"
            destination {
                address 172.31.255.6
                port 587
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 587
            }
        }
        rule 62 {
            description hairpin587
            destination {
                address 172.31.255.6
                port 587
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 587
            }
        }
        rule 71 {
            description "dovecot imap"
            destination {
                address 172.31.255.6
                port 143
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 143
            }
        }
        rule 72 {
            description hairpin143
            destination {
                address 172.31.255.6
                port 143
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 143
            }
        }
        rule 81 {
            description "dovecot imaps"
            destination {
                address 172.31.255.6
                port 993
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 993
            }
        }
        rule 82 {
            description hairpin993
            destination {
                address 172.31.255.6
                port 993
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 993
            }
        }
        rule 91 {
            description "dovecot pop3"
            destination {
                address 172.31.255.6
                port 110
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 110
            }
        }
        rule 92 {
            description hairpin110
            destination {
                address 172.31.255.6
                port 110
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 110
            }
        }
        rule 101 {
            description "dovecot pop3s"
            destination {
                address 172.31.255.6
                port 995
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 995
            }
        }
        rule 102 {
            description hairpin995
            destination {
                address 172.31.255.6
                port 995
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 995
            }
        }
        rule 111 {
            description "dovecot managesieve"
            destination {
                address 172.31.255.6
                port 4190
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 4190
            }
        }
        rule 112 {
            description hairpin4190
            destination {
                address 172.31.255.6
                port 4190
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 4190
            }
        }
    }
    /* hairpin SNAT so LAN-to-LAN replies return through the router; the published hosts then see the router address, not the LAN client, as the source of hairpinned connections */
    source {
        rule 11 {
            description hairpin
            destination {
                address 192.168.68.49
                port 80
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 21 {
            description hairpin
            destination {
                address 192.168.68.49
                port 443
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 31 {
            description hairpin
            destination {
                address 192.168.68.28
                port 32400
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 41 {
            description hairpin
            destination {
                address 192.168.68.15
                port 25
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 51 {
            description hairpin
            destination {
                address 192.168.68.15
                port 465
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 61 {
            description hairpin
            destination {
                address 192.168.68.15
                port 587
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 71 {
            description hairpin
            destination {
                address 192.168.68.15
                port 143
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 81 {
            description hairpin
            destination {
                address 192.168.68.15
                port 993
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 91 {
            description hairpin
            destination {
                address 192.168.68.15
                port 110
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 101 {
            description hairpin
            destination {
                address 192.168.68.15
                port 995
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 111 {
            description hairpin
            destination {
                address 192.168.68.15
                port 4190
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        /* catch-all masquerade towards the ISP */
        rule 5000 {
            outbound-interface eth0
            protocol all
            translation {
                address masquerade
            }
        }
        /* catch-all masquerade into the Mullvad tunnel for the policy-routed sources */
        rule 5100 {
            outbound-interface wg0
            protocol all
            translation {
                address masquerade
            }
        }
    }
}
policy {
    /* applied on eth2, eth2.64, wg1 and wg2: rule 10 first exempts private destinations, rule 100 then sends the tunnel-only sources to table 100 */
    route vpn-routing {
        rule 10 {
            destination {
                group {
                    network-group private-nets
                }
            }
            set {
                table main
            }
        }
        rule 100 {
            set {
                table 100
            }
            source {
                group {
                    network-group wireguard-allowed
                }
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 172.31.255.5 {
            }
        }
        /* blackhole the rest of RFC 1918 so traffic for unknown private nets is dropped instead of forwarded to the ISP */
        route 10.0.0.0/8 {
            blackhole {
            }
        }
        route 172.16.0.0/12 {
            blackhole {
            }
        }
        route 192.168.0.0/16 {
            blackhole {
            }
        }
        /* fail-closed table for the tunnel-only sources: default over wg0, and a distance-255 blackhole if wg0 has no route rather than falling back to eth0 */
        table 100 {
            interface-route 0.0.0.0/0 {
                next-hop-interface wg0 {
                }
            }
            route 0.0.0.0/0 {
                blackhole {
                    distance 255
                }
            }
        }
    }
}
service {
    /* DHCP is only served for the eth2.64 VLAN here; 192.168.68.0/24 is presumably served by another host */
    dhcp-server {
        shared-network-name mullvad-lan {
            subnet 192.168.128.0/24 {
                default-router 192.168.128.1
                /* NOTE(review): the resolver handed out lives on the LAN and is reached via the main table, so its upstream lookups leave over eth0 unless 192.168.68.22 itself resolves through the tunnel; confirm that is acceptable for this VLAN */
                dns-server 192.168.68.22
                domain-name phillipmcmahon.com
                lease 3600
                range mullvad-lan {
                    start 192.168.128.100
                    stop 192.168.128.163
                }
            }
        }
    }
    /* NOTE(review): a public key is configured for the only user; with password login still enabled, consider disable-password-authentication (the port is only reachable from lan, wglan, wg1, wg2 and local, not from wan or wg0) */
    ssh {
        port 22022
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name phillipmcmahon.com
    host-name router
    login {
        user phillipmcmahon {
            authentication {
                encrypted-password ****************
                /* NOTE(review): a plaintext-password node is present next to the hash; the value was masked on export, so confirm no cleartext credential is persisted in the saved config */
                plaintext-password ****************
                public-keys phillipmcmahon-ecdsa {
                    key ****************
                    type ecdsa-sha2-nistp521
                }
            }
        }
    }
    name-server 192.168.68.22
    ntp {
        server time.google.com {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Zurich
}
traffic-policy {
    /* fq_codel shaping on the ISP link: egress capped at 48mbit, ingress at 90% of 180mbit via ifb0 */
    shaper egress {
        bandwidth auto
        default {
            bandwidth 48mbit
            burst 15k
            codel-quantum 1514
            flows 1024
            queue-limit 10240
            queue-type fq-codel
        }
    }
    shaper ingress {
        bandwidth 180mbit
        default {
            bandwidth 90%
            burst 15k
            codel-quantum 1514
            flows 1024
            queue-limit 10240
            queue-type fq-codel
        }
    }
}
/* every zone pair has an explicit ruleset above, so no zone falls through to its default-action drop by omission */
zone-policy {
    zone lan {
        default-action drop
        from local {
            firewall {
                name local-lan
            }
        }
        from wan {
            firewall {
                name wan-lan
            }
        }
        from wg0 {
            firewall {
                name wg0-lan
            }
        }
        from wg1 {
            firewall {
                name wg1-lan
            }
        }
        from wg2 {
            firewall {
                name wg2-lan
            }
        }
        from wglan {
            firewall {
                name wglan-lan
            }
        }
        interface eth2
    }
    zone local {
        default-action drop
        from lan {
            firewall {
                name lan-local
            }
        }
        from wan {
            firewall {
                name wan-local
            }
        }
        from wg0 {
            firewall {
                name wg0-local
            }
        }
        from wg1 {
            firewall {
                name wg1-local
            }
        }
        from wg2 {
            firewall {
                name wg2-local
            }
        }
        from wglan {
            firewall {
                name wglan-local
            }
        }
        local-zone
    }
    zone wan {
        default-action drop
        from lan {
            firewall {
                name lan-wan
            }
        }
        from local {
            firewall {
                name local-wan
            }
        }
        from wg0 {
            firewall {
                name wg0-wan
            }
        }
        from wg1 {
            firewall {
                name wg1-wan
            }
        }
        from wg2 {
            firewall {
                name wg2-wan
            }
        }
        from wglan {
            firewall {
                name wglan-wan
            }
        }
        interface eth0
    }
    zone wg0 {
        default-action drop
        from lan {
            firewall {
                name lan-wg0
            }
        }
        from local {
            firewall {
                name local-wg0
            }
        }
        from wan {
            firewall {
                name wan-wg0
            }
        }
        from wg1 {
            firewall {
                name wg1-wg0
            }
        }
        from wg2 {
            firewall {
                name wg2-wg0
            }
        }
        from wglan {
            firewall {
                name wglan-wg0
            }
        }
        interface wg0
    }
    zone wg1 {
        default-action drop
        from lan {
            firewall {
                name lan-wg1
            }
        }
        from local {
            firewall {
                name local-wg1
            }
        }
        from wan {
            firewall {
                name wan-wg1
            }
        }
        from wg0 {
            firewall {
                name wg0-wg1
            }
        }
        from wg2 {
            firewall {
                name wg2-wg1
            }
        }
        from wglan {
            firewall {
                name wglan-wg1
            }
        }
        interface wg1
    }
    zone wg2 {
        default-action drop
        from lan {
            firewall {
                name lan-wg2
            }
        }
        from local {
            firewall {
                name local-wg2
            }
        }
        from wan {
            firewall {
                name wan-wg2
            }
        }
        from wg0 {
            firewall {
                name wg0-wg2
            }
        }
        from wg1 {
            firewall {
                name wg1-wg2
            }
        }
        from wglan {
            firewall {
                name wglan-wg2
            }
        }
        interface wg2
    }
    zone wglan {
        default-action drop
        from lan {
            firewall {
                name lan-wglan
            }
        }
        from local {
            firewall {
                name local-wglan
            }
        }
        from wan {
            firewall {
                name wan-wglan
            }
        }
        from wg0 {
            firewall {
                name wg0-wglan
            }
        }
        from wg1 {
            firewall {
                name wg1-wglan
            }
        }
        from wg2 {
            firewall {
                name wg2-wglan
            }
        }
        interface eth2.64
    }
}