/* VyOS-style router configuration (zone-based firewall, WireGuard, NAT,
   policy routing). Keys and passwords are masked with asterisks.
   NOTE(review): hardware/MAC addresses, the domain name, tunnel addresses
   and VPN endpoint addresses are not masked; redact them as well before
   sharing a config like this. */
firewall {
    all-ping enable
    /* NOTE(review): answering broadcast pings is commonly disabled on
       routers; confirm this is intentional. */
    broadcast-ping enable
    config-trap disable
    group {
        /* Not referenced by any rule in this config. */
        address-group dns-servers {
            address 192.168.68.22
        }
        /* Empty and not referenced by any rule in this config. */
        network-group country-whitelist {
        }
        /* Source networks that policy route vpn-routing sends to table 110. */
        network-group mullvad-gb {
            network 192.168.110.0/24
        }
        /* Source networks that policy route vpn-routing sends to table 100:
           the wg7 subnet and the eth2.100 VLAN. */
        network-group mullvad-us {
            network 192.168.32.0/24
            network 192.168.100.0/24
        }
        /* Empty and not referenced by any rule in this config. */
        network-group nets4-blacklist {
        }
        network-group private-nets {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
        port-group gaming-ports {
            port 54330
        }
        /* NOTE(review): 143 (IMAP) and 110 (POP3) are the cleartext-capable
           ports and are opened from the WAN by wan-lan rule 300. Unless the
           mail server refuses authentication before STARTTLS, consider
           exposing only 993/995. 4190 (ManageSieve) is also Internet-facing;
           confirm that is needed. */
        port-group mail-ports {
            port 25
            port 465
            port 587
            port 143
            port 993
            port 110
            port 995
            port 4190
        }
        port-group plex-ports {
            port 32400
        }
        port-group rp-ports {
            port 80
            port 443
        }
        port-group wg-ports {
            port 51820
            port 51822
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* NOTE(review): martian logging is off and source-validation (further
       down) is disabled, so spoofed-source packets are neither filtered by
       reverse-path checks nor logged. With several policy-routed tunnels
       strict mode may break return paths; loose mode is worth evaluating. */
    log-martians disable
    /* Rule-sets are named <source zone>-<destination zone>; the zone-policy
       section binds each one to that zone pair. */
    /* LAN may reach every service on the router itself. */
    name lan-local {
        default-action accept
    }
    /* Rule-sets with only rules 100/110 pass return traffic of existing
       connections, drop invalid-state packets, and drop everything else. */
    name lan-mullvadgb {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-mullvadus {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wan {
        default-action accept
    }
    name lan-wg0 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg7 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name lan-wg8 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* Traffic originated by the router itself is accepted towards every zone. */
    name local-lan {
        default-action accept
    }
    name local-mullvadgb {
        default-action accept
    }
    name local-mullvadus {
        default-action accept
    }
    name local-wan {
        default-action accept
    }
    name local-wg0 {
        default-action accept
    }
    name local-wg1 {
        default-action accept
    }
    name local-wg7 {
        default-action accept
    }
    name local-wg8 {
        default-action accept
    }
    /* NOTE(review): clients on the mullvad-gb VLAN get unrestricted access
       to the LAN and (next rule-set) to the router. DHCP hands them a DNS
       server inside the LAN, so some access is required, but it could be
       narrowed to DNS towards the otherwise unused dns-servers group. The
       same applies to mullvadus-lan / mullvadus-local. */
    name mullvadgb-lan {
        default-action accept
    }
    name mullvadgb-local {
        default-action accept
    }
    name mullvadgb-mullvadus {
        default-action drop
    }
    /* The VLAN may leave only through wg1 (accepted below), never directly
       through the WAN zone. */
    name mullvadgb-wan {
        default-action drop
    }
    name mullvadgb-wg0 {
        default-action drop
    }
    name mullvadgb-wg1 {
        default-action accept
    }
    name mullvadgb-wg7 {
        default-action drop
    }
    name mullvadgb-wg8 {
        default-action drop
    }
    name mullvadus-lan {
        default-action accept
    }
    name mullvadus-local {
        default-action accept
    }
    name mullvadus-mullvadgb {
        default-action drop
    }
    /* The VLAN may leave only through wg0 (accepted below), never directly
       through the WAN zone. */
    name mullvadus-wan {
        default-action drop
    }
    name mullvadus-wg0 {
        default-action accept
    }
    name mullvadus-wg1 {
        default-action drop
    }
    name mullvadus-wg7 {
        default-action drop
    }
    name mullvadus-wg8 {
        default-action drop
    }
    /* Internet-facing exposure of LAN hosts. Rules 200-600 match on
       destination port and protocol only.
       NOTE(review): the destination NAT rules pin each port to one host,
       but these filter rules would accept the same ports to any LAN address
       that reaches this rule-set. The WAN address is itself in private
       space, so there is presumably an upstream device; consider adding the
       forwarded host as destination address in each rule. */
    name wan-lan {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
        rule 200 {
            action accept
            destination {
                group {
                    port-group rp-ports
                }
            }
            protocol tcp
        }
        rule 300 {
            action accept
            destination {
                group {
                    port-group mail-ports
                }
            }
            protocol tcp
        }
        rule 500 {
            action accept
            destination {
                group {
                    port-group plex-ports
                }
            }
            protocol tcp
        }
        rule 600 {
            action accept
            destination {
                group {
                    port-group gaming-ports
                }
            }
            protocol tcp_udp
        }
    }
    /* From the WAN the router itself accepts only the two WireGuard UDP
       ports (plus return traffic). SSH is not opened here. */
    name wan-local {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
        rule 400 {
            action accept
            destination {
                group {
                    port-group wg-ports
                }
            }
            protocol udp
        }
    }
    name wan-mullvadgb {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-mullvadus {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wg0 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wg1 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wg7 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wan-wg8 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* Nothing arriving over the wg0 / wg1 provider tunnels may open a
       connection inwards; only return traffic towards the matching VLAN and
       towards wg7 is let through. */
    name wg0-lan {
        default-action drop
    }
    name wg0-local {
        default-action drop
    }
    name wg0-mullvadgb {
        default-action drop
    }
    name wg0-mullvadus {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg0-wan {
        default-action drop
    }
    name wg0-wg1 {
        default-action drop
    }
    name wg0-wg7 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg0-wg8 {
        default-action drop
    }
    name wg1-lan {
        default-action drop
    }
    name wg1-local {
        default-action drop
    }
    name wg1-mullvadgb {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg1-mullvadus {
        default-action drop
    }
    name wg1-wan {
        default-action drop
    }
    name wg1-wg0 {
        default-action drop
    }
    name wg1-wg7 {
        default-action drop
        rule 100 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 110 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name wg1-wg8 {
        default-action drop
    }
    /* Remote peers on wg7 get unrestricted access to the LAN and to the
       router, and may leave only through wg0 (wg7-wan is drop).
       NOTE(review): a lost or compromised peer device therefore has full
       internal reach; restrict to the needed hosts/ports if possible. */
    name wg7-lan {
        default-action accept
    }
    name wg7-local {
        default-action accept
    }
    name wg7-mullvadgb {
        default-action drop
    }
    name wg7-mullvadus {
        default-action drop
    }
    name wg7-wan {
        default-action drop
    }
    name wg7-wg0 {
        default-action accept
    }
    name wg7-wg1 {
        default-action drop
    }
    name wg7-wg8 {
        default-action drop
    }
    /* Remote peers on wg8 get unrestricted access to the LAN and the router
       and leave directly through the WAN zone. The same review note as for
       wg7 applies. */
    name wg8-lan {
        default-action accept
    }
    name wg8-local {
        default-action accept
    }
    name wg8-mullvadgb {
        default-action drop
    }
    name wg8-mullvadus {
        default-action drop
    }
    name wg8-wan {
        default-action accept
    }
    name wg8-wg0 {
        default-action drop
    }
    name wg8-wg1 {
        default-action drop
    }
    name wg8-wg7 {
        default-action drop
    }
    receive-redirects disable
    /* NOTE(review): ICMP redirects are sent; usually unnecessary when this
       router is the only gateway on each segment. Confirm it is wanted. */
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    /* WAN uplink. The address is in private space (/30), so an upstream
       device presumably holds the public address. */
    ethernet eth0 {
        address 172.31.255.6/30
        description wan
        duplex full
        hw-id 00:0d:b9:51:90:74
        ring-buffer {
            rx 4096
            tx 4096
        }
        smp-affinity auto
        speed 1000
    }
    ethernet eth1 {
        disable
        duplex auto
        hw-id 00:0d:b9:51:90:75
        ring-buffer {
            rx 4096
            tx 4096
        }
        smp-affinity auto
        speed auto
    }
    /* LAN plus two VLANs; vpn-routing is applied to traffic entering on
       each of them. */
    ethernet eth2 {
        address 192.168.68.1/24
        description lan
        duplex auto
        hw-id 00:0d:b9:51:90:76
        policy {
            route vpn-routing
        }
        ring-buffer {
            rx 4096
            tx 4096
        }
        smp-affinity auto
        speed auto
        vif 100 {
            address 192.168.100.1/24
            description mullvad-us
            policy {
                route vpn-routing
            }
        }
        vif 110 {
            address 192.168.110.1/24
            description mullvad-gb
            policy {
                route vpn-routing
            }
        }
    }
    loopback lo {
    }
    /* Outbound tunnel to a single provider peer; allowed-ips 0.0.0.0/0 lets
       any IPv4 destination be carried through it. */
    wireguard wg0 {
        address 10.67.134.85/32
        description mullvad-us
        mtu 1420
        peer mullvad-us60 {
            address 89.45.90.93
            allowed-ips 0.0.0.0/0
            persistent-keepalive 15
            port 51820
            pubkey ****************
        }
        private-key ****************
    }
    wireguard wg1 {
        address 10.67.136.97/32
        description mullvad-gb
        mtu 1420
        peer mullvad-gb32 {
            address 194.37.96.146
            allowed-ips 0.0.0.0/0
            persistent-keepalive 15
            port 51820
            pubkey ****************
        }
        private-key ****************
    }
    /* Listening tunnel for remote devices; each peer is limited to one /32.
       Its subnet is in the mullvad-us group, so vpn-routing sends peer
       traffic to table 100. */
    wireguard wg7 {
        address 192.168.32.1/24
        description "vpn +lan +mullvad-us"
        mtu 1420
        peer inuc {
            allowed-ips 192.168.32.102/32
            pubkey ****************
        }
        peer iphone {
            allowed-ips 192.168.32.103/32
            pubkey ****************
        }
        peer laptop {
            allowed-ips 192.168.32.101/32
            pubkey ****************
        }
        peer pixel3a {
            allowed-ips 192.168.32.100/32
            pubkey ****************
        }
        policy {
            route vpn-routing
        }
        port 51820
        private-key ****************
    }
    /* Second listening tunnel. Its subnet is in neither mullvad group, so
       no vpn-routing source rule matches it; presumably it follows the main
       table - confirm. */
    wireguard wg8 {
        address 10.0.10.1/24
        description "vpn +lan +swisscom"
        mtu 1420
        peer inuc {
            allowed-ips 10.0.10.102/32
            pubkey ****************
        }
        peer iphone {
            allowed-ips 10.0.10.103/32
            pubkey ****************
        }
        peer laptop {
            allowed-ips 10.0.10.101/32
            pubkey ****************
        }
        peer pixel3a {
            allowed-ips 10.0.10.100/32
            pubkey ****************
        }
        policy {
            route vpn-routing
        }
        port 51822
        private-key ****************
    }
}
nat {
    /* Port forwards come in pairs: rule xx1 matches traffic to the WAN
       address arriving on eth0, rule xx2 is the hairpin twin for LAN
       clients that address the WAN IP from eth2. */
    destination {
        rule 201 {
            description "http reverse proxy"
            destination {
                address 172.31.255.6
                port 80
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.49
                port 80
            }
        }
        rule 202 {
            description hairpin80
            destination {
                address 172.31.255.6
                port 80
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.49
                port 80
            }
        }
        rule 211 {
            description "https reverse proxy"
            destination {
                address 172.31.255.6
                port 443
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.49
                port 443
            }
        }
        rule 212 {
            description hairpin443
            destination {
                address 172.31.255.6
                port 443
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.49
                port 443
            }
        }
        rule 301 {
            description "postfix smtp"
            destination {
                address 172.31.255.6
                port 25
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 25
            }
        }
        rule 302 {
            description hairpin25
            destination {
                address 172.31.255.6
                port 25
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 25
            }
        }
        rule 311 {
            description "postfix smtps"
            destination {
                address 172.31.255.6
                port 465
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 465
            }
        }
        rule 312 {
            description hairpin465
            destination {
                address 172.31.255.6
                port 465
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 465
            }
        }
        rule 321 {
            description "postfix submission"
            destination {
                address 172.31.255.6
                port 587
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 587
            }
        }
        rule 322 {
            description hairpin587
            destination {
                address 172.31.255.6
                port 587
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 587
            }
        }
        /* NOTE(review): cleartext-capable IMAP exposed to the Internet; see
           the note on port-group mail-ports. */
        rule 331 {
            description "dovecot imap"
            destination {
                address 172.31.255.6
                port 143
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 143
            }
        }
        rule 332 {
            description hairpin143
            destination {
                address 172.31.255.6
                port 143
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 143
            }
        }
        rule 341 {
            description "dovecot imaps"
            destination {
                address 172.31.255.6
                port 993
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 993
            }
        }
        rule 342 {
            description hairpin993
            destination {
                address 172.31.255.6
                port 993
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 993
            }
        }
        /* NOTE(review): cleartext-capable POP3 exposed to the Internet; see
           the note on port-group mail-ports. */
        rule 351 {
            description "dovecot pop3"
            destination {
                address 172.31.255.6
                port 110
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 110
            }
        }
        rule 352 {
            description hairpin110
            destination {
                address 172.31.255.6
                port 110
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 110
            }
        }
        rule 361 {
            description "dovecot pop3s"
            destination {
                address 172.31.255.6
                port 995
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 995
            }
        }
        rule 362 {
            description hairpin995
            destination {
                address 172.31.255.6
                port 995
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 995
            }
        }
        rule 371 {
            description "dovecot managesieve"
            destination {
                address 172.31.255.6
                port 4190
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.15
                port 4190
            }
        }
        rule 372 {
            description hairpin4190
            destination {
                address 172.31.255.6
                port 4190
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.15
                port 4190
            }
        }
        rule 501 {
            description plex
            destination {
                address 172.31.255.6
                port 32400
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.68.28
                port 32400
            }
        }
        rule 502 {
            description hairpin32400
            destination {
                address 172.31.255.6
                port 32400
            }
            inbound-interface eth2
            protocol tcp
            translation {
                address 192.168.68.28
                port 32400
            }
        }
        rule 601 {
            description "xbox one"
            destination {
                address 172.31.255.6
                port 54330
            }
            inbound-interface eth0
            protocol tcp_udp
            translation {
                address 192.168.68.40
                port 54330
            }
        }
        rule 602 {
            description hairpin54330
            destination {
                address 172.31.255.6
                port 54330
            }
            inbound-interface eth2
            protocol tcp_udp
            translation {
                address 192.168.68.40
                port 54330
            }
        }
    }
    /* Rules 201-601 masquerade hairpinned LAN-to-server flows leaving eth2
       so replies return through the router. Side effect for log review:
       the servers see the router's address, not the real LAN client, for
       those connections. */
    source {
        rule 201 {
            description hairpin
            destination {
                address 192.168.68.49
                port 80
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 211 {
            description hairpin
            destination {
                address 192.168.68.49
                port 443
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 301 {
            description hairpin
            destination {
                address 192.168.68.15
                port 25
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 311 {
            description hairpin
            destination {
                address 192.168.68.15
                port 465
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 321 {
            description hairpin
            destination {
                address 192.168.68.15
                port 587
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 331 {
            description hairpin
            destination {
                address 192.168.68.15
                port 143
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 341 {
            description hairpin
            destination {
                address 192.168.68.15
                port 993
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 351 {
            description hairpin
            destination {
                address 192.168.68.15
                port 110
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 361 {
            description hairpin
            destination {
                address 192.168.68.15
                port 995
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 371 {
            description hairpin
            destination {
                address 192.168.68.15
                port 4190
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 501 {
            description hairpin
            destination {
                address 192.168.68.28
                port 32400
            }
            outbound-interface eth2
            protocol tcp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 601 {
            description hairpin
            destination {
                address 192.168.68.40
                port 54330
            }
            outbound-interface eth2
            protocol tcp_udp
            source {
                address 192.168.68.0/24
            }
            translation {
                address masquerade
            }
        }
        /* Masquerade everything leaving through the WAN and through each
           provider tunnel. */
        rule 9001 {
            outbound-interface eth0
            protocol all
            translation {
                address masquerade
            }
        }
        rule 9011 {
            outbound-interface wg0
            protocol all
            translation {
                address masquerade
            }
        }
        rule 9021 {
            outbound-interface wg1
            protocol all
            translation {
                address masquerade
            }
        }
    }
}
policy {
    /* Applied on eth2, both VLANs, wg7 and wg8. Rule 10 keeps traffic to
       private destinations on the main table; rules 100/110 then select a
       tunnel table by source network. */
    route vpn-routing {
        rule 10 {
            destination {
                group {
                    network-group private-nets
                }
            }
            set {
                table main
            }
        }
        rule 100 {
            set {
                table 100
            }
            source {
                group {
                    network-group mullvad-us
                }
            }
        }
        rule 110 {
            set {
                table 110
            }
            source {
                group {
                    network-group mullvad-gb
                }
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 172.31.255.5 {
            }
        }
        /* Blackholes for the private ranges: destinations in these ranges
           without a more specific route are discarded instead of following
           the default route upstream. */
        route 10.0.0.0/8 {
            blackhole {
            }
        }
        route 172.16.0.0/12 {
            blackhole {
            }
        }
        route 192.168.0.0/16 {
            blackhole {
            }
        }
        /* Default via wg0, with a distance-255 blackhole default behind it.
           This looks intended as a fail-closed fallback so table-100 traffic
           is discarded rather than falling through to the main table when
           the tunnel route is unavailable - verify by taking wg0 down. */
        table 100 {
            interface-route 0.0.0.0/0 {
                next-hop-interface wg0 {
                }
            }
            route 0.0.0.0/0 {
                blackhole {
                    distance 255
                }
            }
        }
        /* Same pattern for wg1. */
        table 110 {
            interface-route 0.0.0.0/0 {
                next-hop-interface wg1 {
                }
            }
            route 0.0.0.0/0 {
                blackhole {
                    distance 255
                }
            }
        }
    }
}
service {
    /* DHCP is defined only for the two tunnel VLANs. Both hand out the DNS
       server 192.168.68.22, which sits in the LAN subnet.
       NOTE(review): rule 10 of vpn-routing keeps private destinations on
       the main table, so these clients' DNS queries go to that LAN resolver
       and not into the tunnel; confirm how the resolver forwards upstream
       if DNS privacy matters for these VLANs. */
    dhcp-server {
        shared-network-name mullvad-gb {
            subnet 192.168.110.0/24 {
                default-router 192.168.110.1
                dns-server 192.168.68.22
                domain-name phillipmcmahon.com
                lease 3600
                range mullvad-gb {
                    start 192.168.110.100
                    stop 192.168.110.163
                }
                static-mapping xboxone {
                    ip-address 192.168.110.200
                    mac-address f0:6e:0b:46:c8:74
                }
            }
        }
        shared-network-name mullvad-us {
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                dns-server 192.168.68.22
                domain-name phillipmcmahon.com
                lease 3600
                range mullvad-us {
                    start 192.168.100.100
                    stop 192.168.100.163
                }
                static-mapping xboxone {
                    ip-address 192.168.100.200
                    mac-address f0:6e:0b:46:c8:74
                }
            }
        }
    }
    /* SSH listens on the LAN address only. The lan, mullvadgb, mullvadus,
       wg7 and wg8 zones all have default-accept rule-sets towards the
       router, so each of them can reach it.
       NOTE(review): public keys are configured for the user but
       disable-password-authentication is not set here; consider key-only
       logins. */
    ssh {
        listen-address 192.168.68.1
        port 22
    }
}
system {
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name phillipmcmahon.com
    host-name router
    login {
        user phillipmcmahon {
            /* NOTE(review): a plaintext-password node appears next to
               encrypted-password (both masked). Presumably the system
               blanks it once the hash is stored; verify the saved config
               does not retain the cleartext value. */
            authentication {
                encrypted-password ****************
                plaintext-password ****************
                public-keys phillipmcmahon-ecdsa {
                    key ****************
                    type ecdsa-sha2-nistp521
                }
                public-keys phillipmcmahon-rsa {
                    key ****************
                    type ssh-rsa
                }
            }
        }
    }
    name-server 192.168.68.22
    ntp {
        server time.google.com {
        }
    }
    /* Logging is local only in this config; no remote syslog host is
       defined. NOTE(review): forwarding to a separate log host would keep
       firewall and login records available if the router is compromised. */
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Zurich
}
/* Every zone drops by default; each "from" entry attaches the rule-set
   named <from zone>-<this zone> defined in the firewall section. */
zone-policy {
    zone lan {
        default-action drop
        from local {
            firewall {
                name local-lan
            }
        }
        from mullvadgb {
            firewall {
                name mullvadgb-lan
            }
        }
        from mullvadus {
            firewall {
                name mullvadus-lan
            }
        }
        from wan {
            firewall {
                name wan-lan
            }
        }
        from wg0 {
            firewall {
                name wg0-lan
            }
        }
        from wg1 {
            firewall {
                name wg1-lan
            }
        }
        from wg7 {
            firewall {
                name wg7-lan
            }
        }
        from wg8 {
            firewall {
                name wg8-lan
            }
        }
        interface eth2
    }
    /* The router itself. */
    zone local {
        default-action drop
        from lan {
            firewall {
                name lan-local
            }
        }
        from mullvadgb {
            firewall {
                name mullvadgb-local
            }
        }
        from mullvadus {
            firewall {
                name mullvadus-local
            }
        }
        from wan {
            firewall {
                name wan-local
            }
        }
        from wg0 {
            firewall {
                name wg0-local
            }
        }
        from wg1 {
            firewall {
                name wg1-local
            }
        }
        from wg7 {
            firewall {
                name wg7-local
            }
        }
        from wg8 {
            firewall {
                name wg8-local
            }
        }
        local-zone
    }
    zone mullvadgb {
        default-action drop
        from lan {
            firewall {
                name lan-mullvadgb
            }
        }
        from local {
            firewall {
                name local-mullvadgb
            }
        }
        from mullvadus {
            firewall {
                name mullvadus-mullvadgb
            }
        }
        from wan {
            firewall {
                name wan-mullvadgb
            }
        }
        from wg0 {
            firewall {
                name wg0-mullvadgb
            }
        }
        from wg1 {
            firewall {
                name wg1-mullvadgb
            }
        }
        from wg7 {
            firewall {
                name wg7-mullvadgb
            }
        }
        from wg8 {
            firewall {
                name wg8-mullvadgb
            }
        }
        interface eth2.110
    }
    zone mullvadus {
        default-action drop
        from lan {
            firewall {
                name lan-mullvadus
            }
        }
        from local {
            firewall {
                name local-mullvadus
            }
        }
        from mullvadgb {
            firewall {
                name mullvadgb-mullvadus
            }
        }
        from wan {
            firewall {
                name wan-mullvadus
            }
        }
        from wg0 {
            firewall {
                name wg0-mullvadus
            }
        }
        from wg1 {
            firewall {
                name wg1-mullvadus
            }
        }
        from wg7 {
            firewall {
                name wg7-mullvadus
            }
        }
        from wg8 {
            firewall {
                name wg8-mullvadus
            }
        }
        interface eth2.100
    }
    zone wan {
        default-action drop
        from lan {
            firewall {
                name lan-wan
            }
        }
        from local {
            firewall {
                name local-wan
            }
        }
        from mullvadgb {
            firewall {
                name mullvadgb-wan
            }
        }
        from mullvadus {
            firewall {
                name mullvadus-wan
            }
        }
        from wg0 {
            firewall {
                name wg0-wan
            }
        }
        from wg1 {
            firewall {
                name wg1-wan
            }
        }
        from wg7 {
            firewall {
                name wg7-wan
            }
        }
        from wg8 {
            firewall {
                name wg8-wan
            }
        }
        interface eth0
    }
    zone wg0 {
        default-action drop
        from lan {
            firewall {
                name lan-wg0
            }
        }
        from local {
            firewall {
                name local-wg0
            }
        }
        from mullvadgb {
            firewall {
                name mullvadgb-wg0
            }
        }
        from mullvadus {
            firewall {
                name mullvadus-wg0
            }
        }
        from wan {
            firewall {
                name wan-wg0
            }
        }
        from wg1 {
            firewall {
                name wg1-wg0
            }
        }
        from wg7 {
            firewall {
                name wg7-wg0
            }
        }
        from wg8 {
            firewall {
                name wg8-wg0
            }
        }
        interface wg0
    }
    zone wg1 {
        default-action drop
        from lan {
            firewall {
                name lan-wg1
            }
        }
        from local {
            firewall {
                name local-wg1
            }
        }
        from mullvadgb {
            firewall {
                name mullvadgb-wg1
            }
        }
        from mullvadus {
            firewall {
                name mullvadus-wg1
            }
        }
        from wan {
            firewall {
                name wan-wg1
            }
        }
        from wg0 {
            firewall {
                name wg0-wg1
            }
        }
        from wg7 {
            firewall {
                name wg7-wg1
            }
        }
        from wg8 {
            firewall {
                name wg8-wg1
            }
        }
        interface wg1
    }
    zone wg7 {
        default-action drop
        from lan {
            firewall {
                name lan-wg7
            }
        }
        from local {
            firewall {
                name local-wg7
            }
        }
        from mullvadgb {
            firewall {
                name mullvadgb-wg7
            }
        }
        from mullvadus {
            firewall {
                name mullvadus-wg7
            }
        }
        from wan {
            firewall {
                name wan-wg7
            }
        }
        from wg0 {
            firewall {
                name wg0-wg7
            }
        }
        from wg1 {
            firewall {
                name wg1-wg7
            }
        }
        from wg8 {
            firewall {
                name wg8-wg7
            }
        }
        interface wg7
    }
    zone wg8 {
        default-action drop
        from lan {
            firewall {
                name lan-wg8
            }
        }
        from local {
            firewall {
                name local-wg8
            }
        }
        from mullvadgb {
            firewall {
                name mullvadgb-wg8
            }
        }
        from mullvadus {
            firewall {
                name mullvadus-wg8
            }
        }
        from wan {
            firewall {
                name wan-wg8
            }
        }
        from wg0 {
            firewall {
                name wg0-wg8
            }
        }
        from wg1 {
            firewall {
                name wg1-wg8
            }
        }
        from wg7 {
            firewall {
                name wg7-wg8
            }
        }
        interface wg8
    }
}