$ sh conf c | strip-private
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name TO-ROUTER default-action 'drop'
set firewall name TO-ROUTER rule 10 action 'accept'
set firewall name TO-ROUTER rule 10 protocol 'all'
set firewall name TO-ROUTER rule 10 source address 'xxx.xxx.42.0/24'
set firewall name TO-ROUTER rule 20 action 'accept'
set firewall name TO-ROUTER rule 20 protocol 'all'
set firewall name TO-ROUTER rule 20 source address 'xxx.xxx.95.24/29'
set firewall name TO-ROUTER rule 21 action 'accept'
set firewall name TO-ROUTER rule 21 protocol 'all'
set firewall name TO-ROUTER rule 21 source address 'xxx.xxx.69.65/29'
set firewall name TO-ROUTER rule 30 action 'accept'
set firewall name TO-ROUTER rule 30 protocol 'all'
set firewall name TO-ROUTER rule 30 source address 'xxx.xxx.203.32/29'
set firewall name TO-ROUTER rule 31 action 'accept'
set firewall name TO-ROUTER rule 31 protocol 'all'
set firewall name TO-ROUTER rule 31 source address 'xxx.xxx.203.24/29'
set firewall name TO-ROUTER rule 40 action 'accept'
set firewall name TO-ROUTER rule 40 protocol 'all'
set firewall name TO-ROUTER rule 40 source address 'xxx.xxx.4.208/29'
set firewall name TO-ROUTER rule 41 action 'accept'
set firewall name TO-ROUTER rule 41 protocol 'all'
set firewall name TO-ROUTER rule 41 source address 'xxx.xxx.23.0/29'
set firewall name TO-ROUTER rule 42 action 'accept'
set firewall name TO-ROUTER rule 42 protocol 'all'
set firewall name TO-ROUTER rule 42 source address 'xxx.xxx.12.56/31'
set firewall name TO-ROUTER rule 45 action 'accept'
set firewall name TO-ROUTER rule 45 protocol 'all'
set firewall name TO-ROUTER rule 45 source address 'xxx.xxx.10.53/32'
set firewall name TO-ROUTER rule 46 action 'accept'
set firewall name TO-ROUTER rule 46 protocol 'all'
set firewall name TO-ROUTER rule 46 source address 'xxx.xxx.27.93/32'
set firewall name TO-ROUTER rule 50 action 'accept'
set firewall name TO-ROUTER rule 50 destination port 'ssh'
set firewall name TO-ROUTER rule 50 protocol 'tcp'
set firewall name TO-ROUTER rule 50 source address 'xxx.xxx.144.150/32'
set firewall name TO-ROUTER rule 51 action 'accept'
set firewall name TO-ROUTER rule 51 destination port 'ssh'
set firewall name TO-ROUTER rule 51 protocol 'tcp'
set firewall name TO-ROUTER rule 51 source address 'xxx.xxx.34.123/32'
set firewall name TO-ROUTER rule 301 action 'accept'
set firewall name TO-ROUTER rule 301 description 'BGP from Vultr'
set firewall name TO-ROUTER rule 301 destination port 'bgp'
set firewall name TO-ROUTER rule 301 protocol 'tcp'
set firewall name TO-ROUTER rule 301 source address 'xxx.xxx.169.254'
set firewall name TO-ROUTER rule 302 action 'accept'
set firewall name TO-ROUTER rule 302 destination port '1199'
set firewall name TO-ROUTER rule 302 protocol 'udp'
set firewall name TO-ROUTER rule 302 source address 'xxx.xxx.69.0/24'
set firewall name TO-ROUTER rule 303 action 'accept'
set firewall name TO-ROUTER rule 303 destination port '1199'
set firewall name TO-ROUTER rule 303 protocol 'udp'
set firewall name TO-ROUTER rule 303 source address 'xxx.xxx.70.0/24'
set firewall name TO-ROUTER rule 996 action 'accept'
set firewall name TO-ROUTER rule 996 description 'ICMP Throughout'
set firewall name TO-ROUTER rule 996 protocol 'icmp'
set firewall name TO-ROUTER rule 999 action 'reject'
set firewall name TO-ROUTER rule 999 description 'Block'
set firewall name TO-ROUTER rule 999 log 'disable'
set firewall name TO-ROUTER rule 999 protocol 'all'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address 'xxx.xxx.63.136/23'
set interfaces ethernet eth0 description 'Vultr Outside'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 firewall local name 'TO-ROUTER'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 description 'Vultr Inside'
set interfaces ethernet eth1 disable
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback lo address 'xxx.xxx.42.214/32'
set interfaces openvpn vtun5 encryption 'aes256'
set interfaces openvpn vtun5 firewall local name 'TO-ROUTER'
set interfaces openvpn vtun5 hash 'sha256'
set interfaces openvpn vtun5 ip ospf cost '15'
set interfaces openvpn vtun5 ip ospf dead-interval '4'
set interfaces openvpn vtun5 ip ospf hello-interval '1'
set interfaces openvpn vtun5 ip ospf network 'point-to-point'
set interfaces openvpn vtun5 ip ospf priority '1'
set interfaces openvpn vtun5 ip ospf retransmit-interval '5'
set interfaces openvpn vtun5 ip ospf transmit-delay '1'
set interfaces openvpn vtun5 local-address xxx.xxx.42.242 subnet-mask 'xxx.xxx.255.252'
set interfaces openvpn vtun5 local-port '1198'
set interfaces openvpn vtun5 mode 'site-to-site'
set interfaces openvpn vtun5 remote-address 'xxx.xxx.42.241'
set interfaces openvpn vtun5 remote-host 'xxx.xxx.10.53'
set interfaces openvpn vtun5 remote-port '1198'
set interfaces openvpn vtun5 shared-secret-key-file xxxxxx
set interfaces openvpn vtun6 encryption 'aes256'
set interfaces openvpn vtun6 firewall local name 'TO-ROUTER'
set interfaces openvpn vtun6 hash 'sha256'
set interfaces openvpn vtun6 ip ospf cost '20'
set interfaces openvpn vtun6 ip ospf dead-interval '4'
set interfaces openvpn vtun6 ip ospf hello-interval '1'
set interfaces openvpn vtun6 ip ospf network 'point-to-point'
set interfaces openvpn vtun6 ip ospf priority '1'
set interfaces openvpn vtun6 ip ospf retransmit-interval '5'
set interfaces openvpn vtun6 ip ospf transmit-delay '1'
set interfaces openvpn vtun6 local-address xxx.xxx.42.246 subnet-mask 'xxx.xxx.255.252'
set interfaces openvpn vtun6 local-port '1199'
set interfaces openvpn vtun6 mode 'site-to-site'
set interfaces openvpn vtun6 remote-address 'xxx.xxx.42.245'
set interfaces openvpn vtun6 remote-port '1199'
set interfaces openvpn vtun6 shared-secret-key-file xxxxxx
set interfaces openvpn vtun7 encryption 'aes256'
set interfaces openvpn vtun7 firewall local name 'TO-ROUTER'
set interfaces openvpn vtun7 hash 'sha256'
set interfaces openvpn vtun7 ip ospf cost '16'
set interfaces openvpn vtun7 ip ospf dead-interval '4'
set interfaces openvpn vtun7 ip ospf hello-interval '1'
set interfaces openvpn vtun7 ip ospf network 'point-to-point'
set interfaces openvpn vtun7 ip ospf priority '1'
set interfaces openvpn vtun7 ip ospf retransmit-interval '5'
set interfaces openvpn vtun7 ip ospf transmit-delay '1'
set interfaces openvpn vtun7 local-address xxx.xxx.42.202 subnet-mask 'xxx.xxx.255.252'
set interfaces openvpn vtun7 local-port '1200'
set interfaces openvpn vtun7 mode 'site-to-site'
set interfaces openvpn vtun7 remote-address 'xxx.xxx.42.201'
set interfaces openvpn vtun7 remote-host 'xxx.xxx.27.93'
set interfaces openvpn vtun7 remote-port '1200'
set interfaces openvpn vtun7 shared-secret-key-file xxxxxx
set interfaces openvpn vtun8 encryption 'aes256'
set interfaces openvpn vtun8 firewall local name 'TO-ROUTER'
set interfaces openvpn vtun8 hash 'sha256'
set interfaces openvpn vtun8 ip ospf cost '20'
set interfaces openvpn vtun8 ip ospf dead-interval '4'
set interfaces openvpn vtun8 ip ospf hello-interval '1'
set interfaces openvpn vtun8 ip ospf network 'point-to-point'
set interfaces openvpn vtun8 ip ospf priority '1'
set interfaces openvpn vtun8 ip ospf retransmit-interval '5'
set interfaces openvpn vtun8 ip ospf transmit-delay '1'
set interfaces openvpn vtun8 local-address xxx.xxx.42.206 subnet-mask 'xxx.xxx.255.252'
set interfaces openvpn vtun8 local-port '1201'
set interfaces openvpn vtun8 mode 'site-to-site'
set interfaces openvpn vtun8 remote-address 'xxx.xxx.42.205'
set interfaces openvpn vtun8 remote-host 'xxx.xxx.95.29'
set interfaces openvpn vtun8 remote-port '1201'
set interfaces openvpn vtun8 shared-secret-key-file xxxxxx
set policy as-path-list itconsult rule 10 action 'permit'
set policy as-path-list itconsult rule 10 regex '^$'
set policy prefix-list default-route rule 10 action 'permit'
set policy prefix-list default-route rule 10 prefix '0.0.0.0/0'
set policy prefix-list itconsult-aggregated rule 10 action 'permit'
set policy prefix-list itconsult-aggregated rule 10 prefix 'xxx.xxx.42.0/24'
set policy prefix-list rfc1918 rule 10 action 'permit'
set policy prefix-list rfc1918 rule 10 prefix 'xxx.xxx.0.0/8'
set policy prefix-list rfc1918 rule 11 action 'permit'
set policy prefix-list rfc1918 rule 11 ge '9'
set policy prefix-list rfc1918 rule 11 prefix 'xxx.xxx.0.0/8'
set policy prefix-list rfc1918 rule 20 action 'permit'
set policy prefix-list rfc1918 rule 20 prefix 'xxx.xxx.0.0/12'
set policy prefix-list rfc1918 rule 21 action 'permit'
set policy prefix-list rfc1918 rule 21 ge '13'
set policy prefix-list rfc1918 rule 21 prefix 'xxx.xxx.0.0/12'
set policy prefix-list rfc1918 rule 30 action 'permit'
set policy prefix-list rfc1918 rule 30 prefix 'xxx.xxx.0.0/16'
set policy prefix-list rfc1918 rule 31 action 'permit'
set policy prefix-list rfc1918 rule 31 ge '17'
set policy prefix-list rfc1918 rule 31 prefix 'xxx.xxx.0.0/16'
set policy route-map as20473-in rule 10 action 'deny'
set policy route-map as20473-in rule 10 description 'Block rfc1918'
set policy route-map as20473-in rule 10 match ip address prefix-list 'rfc1918'
set policy route-map as20473-in rule 20 action 'deny'
set policy route-map as20473-in rule 20 description 'Block Default route'
set policy route-map as20473-in rule 20 match ip address prefix-list 'default-route'
set policy route-map as20473-in rule 40 action 'permit'
set policy route-map as20473-in rule 40 description 'Prefixes via Vultr'
set policy route-map as20473-in rule 40 set as-path-exclude '64515 65534'
set policy route-map as20473-in rule 40 set as-path-prepend '20473'
set policy route-map as20473-in rule 40 set local-preference '130'
set policy route-map as20473-in rule 40 set metric '80'
set policy route-map as20473-in rule 50 action 'deny'
set policy route-map as20473-out rule 10 action 'permit'
set policy route-map as20473-out rule 10 match as-path 'itconsult'
set policy route-map as20473-out rule 10 set as-path-prepend '25040 25040 25040'
set policy route-map as20473-out rule 20 action 'deny'
set policy route-map bgp-local-no-export rule 10 action 'permit'
set policy route-map bgp-local-no-export rule 10 set community 'no-export'
set policy route-map bgp-no-advertise rule 10 action 'deny'
set policy route-map ebgp-to-ibgp rule 10 action 'deny'
set policy route-map ebgp-to-ibgp rule 10 description 'Do not propagate default route'
set policy route-map ebgp-to-ibgp rule 10 match ip address prefix-list 'default-route'
set policy route-map ebgp-to-ibgp rule 20 action 'deny'
set policy route-map ebgp-to-ibgp rule 20 description 'Do not propagate local aggregated route'
set policy route-map ebgp-to-ibgp rule 20 match ip address prefix-list 'itconsult-aggregated'
set policy route-map ebgp-to-ibgp rule 30 action 'permit'
set policy route-map ebgp-to-ibgp rule 30 description 'Allow everything else'
set protocols bgp XXXXXX address-family ipv4-unicast aggregate-address xxx.xxx.42.0/24
set protocols bgp XXXXXX neighbor xxx.xxx.169.254 address-family ipv4-unicast route-map export 'as20473-out'
set protocols bgp XXXXXX neighbor xxx.xxx.169.254 address-family ipv4-unicast route-map import 'as20473-in'
set protocols bgp XXXXXX neighbor xxx.xxx.169.254 description 'Vultr'
set protocols bgp XXXXXX neighbor xxx.xxx.169.254 ebgp-multihop '2'
set protocols bgp XXXXXX neighbor xxx.xxx.169.254 password xxxxxx
set protocols bgp XXXXXX neighbor xxx.xxx.169.254 remote-as '64515'
set protocols bgp XXXXXX neighbor xxx.xxx.42.213 peer-group 'ITCONSULT'
set protocols bgp XXXXXX neighbor xxx.xxx.42.215 peer-group 'ITCONSULT'
set protocols bgp XXXXXX neighbor xxx.xxx.42.250 peer-group 'ITCONSULT'
set protocols bgp XXXXXX neighbor xxx.xxx.42.251 peer-group 'ITCONSULT'
set protocols bgp XXXXXX parameters log-neighbor-changes
set protocols bgp XXXXXX parameters no-fast-external-failover
set protocols bgp XXXXXX peer-group ITCONSULT address-family ipv4-unicast nexthop-self
set protocols bgp XXXXXX peer-group ITCONSULT address-family ipv4-unicast route-map export 'ebgp-to-ibgp'
set protocols bgp XXXXXX peer-group ITCONSULT remote-as '25040'
set protocols bgp XXXXXX peer-group ITCONSULT update-source 'xxx.xxx.42.214'
set protocols ospf area 0 area-type normal
set protocols ospf area 0 network 'xxx.xxx.42.214/32'
set protocols ospf area 0 network 'xxx.xxx.42.240/30'
set protocols ospf area 0 network 'xxx.xxx.42.244/30'
set protocols ospf area 0 network 'xxx.xxx.42.200/30'
set protocols ospf area 0 network 'xxx.xxx.42.204/30'
set protocols ospf log-adjacency-changes detail
set protocols ospf passive-interface 'default'
set protocols ospf passive-interface-exclude 'vtun5'
set protocols ospf passive-interface-exclude 'vtun6'
set protocols ospf passive-interface-exclude 'vtun7'
set protocols ospf passive-interface-exclude 'vtun8'
set protocols static route xxx.xxx.169.254/32 next-hop xxx.xxx.62.1
set protocols static route xxx.xxx.69.0/24 next-hop xxx.xxx.62.1
set protocols static route xxx.xxx.70.0/24 next-hop xxx.xxx.62.1
set protocols static route xxx.xxx.42.0/24 blackhole distance '210'
set protocols static route xxx.xxx.10.53/32 next-hop xxx.xxx.62.1
set protocols static route xxx.xxx.27.93/32 next-hop xxx.xxx.62.1
set protocols static route xxx.xxx.95.29/32 next-hop xxx.xxx.62.1
set service snmp community xxx authorization 'ro'
set service snmp community xxx network 'xxx.xxx.42.0/24'
set service ssh
set system config-management commit-revisions '100'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx level 'admin'
set system name-server 'xxx.xxx.42.9'
set system name-server 'xxx.xxx.42.130'
set system ntp listen-address 'xxx.xxx.42.214'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system syslog global facility all level 'debug'
set system syslog global facility protocols level 'debug'
set system syslog host xxx.xxx.42.2 facility all level 'debug'
set system time-zone 'GB'

$ sudo lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 2
On-line CPU(s) list: 0,1
Thread(s) per core: 1
Core(s) per socket: 2
Socket(s): 1
Vendor ID: GenuineIntel
CPU family: 6
Model: 85
Model name: Intel Xeon Processor (Cascadelake)
Stepping: 6
CPU MHz: 2893.202
BogoMIPS: 5786.40
Hypervisor vendor: KVM
Virtualization type: full
L1d cache: 32K
L1i cache: 32K
L2 cache: 4096K
L3 cache: 16384K

$ sh ver
Version: VyOS 1.2.6
Release Train: crux
Built by: Sentrium S.L.
Built on: Fri 11 Sep 2020 09:26 UTC
Build UUID: b7236651-5383-482d-93e5-043470b5e2e0
Build Commit ID: 706d01f247bb83
Architecture: x86_64
Boot via: installed image
System type: KVM guest
Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID: 7b7d5164-f808-4ebc-91cf-9250e5f4741e
Copyright: VyOS maintainers and contributors

$ sudo free -h
             total       used       free     shared    buffers     cached
Mem:          3.9G       2.5G       1.4G       9.5M       147M       173M
-/+ buffers/cache:       2.2G       1.7G
Swap:           0B         0B         0B