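/* Single-line dump re-indented one node per line. Redacted values
   (xxx.xxx.*, xxxxxx, ****) are kept exactly as pasted. The only token
   repair is in service ntp: the dump read "allow-client xxxxxx address ...",
   which leaves the braces unbalanced; brace counting shows the redaction
   replaced the opening "{" of the allow-client node, restored here. */
firewall {
    ipv4 {
        /* Transit traffic. Only flows entering on br0 (INSIDE) may start;
           anything else must be a reply to an existing flow, so nothing
           arriving on eth0, wg222 or tailscale0 can open a forwarded flow. */
        forward {
            filter {
                default-action drop
                rule 10 {
                    action accept
                    state {
                        established enable
                        related enable
                    }
                }
                rule 20 {
                    action drop
                    state {
                        invalid enable
                    }
                }
                rule 30 {
                    action accept
                    inbound-interface {
                        interface-name br0
                    }
                }
            }
        }
        /* Traffic addressed to the router itself. */
        input {
            filter {
                default-action drop
                rule 10 {
                    action accept
                    state {
                        established enable
                        related enable
                    }
                }
                rule 20 {
                    action drop
                    state {
                        invalid enable
                    }
                }
                /* Ping from any interface. */
                rule 30 {
                    action accept
                    icmp {
                        type-name echo-request
                    }
                    protocol icmp
                    state {
                        new enable
                    }
                }
                /* Rules 40 and 41 read together: new SSH connections arriving
                   on eth0 (OUTSIDE) are dropped once 4 have been seen within
                   a minute; below that limit, and on every other interface,
                   rule 41 accepts them. SSH is therefore reachable from the
                   WAN, rate-limited rather than interface-bound. */
                rule 40 {
                    action drop
                    destination {
                        port 22
                    }
                    inbound-interface {
                        interface-name eth0
                    }
                    protocol tcp
                    recent {
                        count 4
                        time minute
                    }
                    state {
                        new enable
                    }
                }
                rule 41 {
                    action accept
                    destination {
                        port 22
                    }
                    protocol tcp
                    state {
                        new enable
                    }
                }
                /* DNS to the router, no inbound-interface match, so accepted
                   on eth0 as well. The forwarder under service dns only
                   listens on internal addresses, which limits the exposure to
                   the accept itself. NOTE(review): if no VPN peer needs this
                   resolver, an inbound-interface br0 match on rules 42 and 43
                   would close that gap — confirm with the wg222/tailscale
                   users first. */
                rule 42 {
                    action accept
                    destination {
                        port 53
                    }
                    protocol udp
                    state {
                        new enable
                    }
                }
                rule 43 {
                    action accept
                    destination {
                        port 53
                    }
                    protocol tcp
                    state {
                        new enable
                    }
                }
                /* WireGuard listener (wg222 port 51820), any interface. */
                rule 44 {
                    action accept
                    destination {
                        port 51820
                    }
                    protocol udp
                }
            }
        }
    }
}
interfaces {
    bridge br0 {
        address xxx.xxx.5.1/24
        description INSIDE
        member {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
        }
    }
    ethernet eth0 {
        address dhcp
        description OUTSIDE
        hw-id xx:xx:xx:xx:xx:34
    }
    ethernet eth1 {
        description LAN1
        hw-id xx:xx:xx:xx:xx:35
    }
    ethernet eth2 {
        description LAN2
        hw-id xx:xx:xx:xx:xx:36
    }
    ethernet eth3 {
        description LAN3
        hw-id xx:xx:xx:xx:xx:37
    }
    loopback lo {
    }
    /* The private-key leaf is part of this configuration, so any copy of
       the config (dumps, commit archives, pastes) carries the tunnel key. */
    wireguard wg222 {
        address xxx.xxx.100.222/32
        description vpn1.gateway.tld
        peer vpn1 {
            address xxx.xxx.100.196
            allowed-ips xxx.xxx.0.0/0
            persistent-keepalive 25
            port 52394
            public-key ****************
        }
        port 51820
        private-key xxxxxx
    }
}
nat {
    source {
        rule 100 {
            outbound-interface eth0
            translation {
                address masquerade
            }
        }
        rule 222 {
            outbound-interface wg222
            translation {
                address masquerade
            }
        }
        /* NOTE(review): tailscale0 is not defined under interfaces in this
           config; presumably it is created by a daemon outside it — verify
           the rule is still effective after a reboot. */
        rule 333 {
            outbound-interface tailscale0
            translation {
                address masquerade
            }
        }
    }
}
policy {
    /* Locally generated traffic sourced from the wg222 address is routed via
       table 41, whose only route points into the tunnel. */
    local-route {
        rule 300 {
            set {
                table 41
            }
            source xxx.xxx.100.222
        }
    }
}
protocols {
    static {
        table 41 {
            route xxx.xxx.0.0/0 {
                interface wg222 {
                }
            }
        }
    }
}
service {
    /* NOTE(review): the input filter has no rule admitting UDP 67; whether
       the DHCP server still sees client broadcasts depends on the server
       implementation (raw-socket servers bypass the filter) — verify on the
       running system. */
    dhcp-server {
        shared-network-name xxxxxx {
            subnet xxx.xxx.5.0/24 {
                default-router xxx.xxx.5.1
                domain-name xxxxxx
                lease 86400
                name-server xxx.xxx.5.1
                range 0 {
                    start xxx.xxx.5.9
                    stop xxx.xxx.5.254
                }
            }
        }
    }
    /* Recursor answers only clients in the INSIDE subnet and binds only to
       internal addresses; upstreams come from the eth0 DHCP lease.
       NOTE(review): the second listen-address does not belong to any
       interface defined here — confirm which interface owns it. */
    dns {
        forwarding {
            allow-from xxx.xxx.5.0/24
            cache-size 0
            dhcp eth0
            listen-address xxx.xxx.5.1
            listen-address xxx.xxx.0.1
        }
    }
    /* NOTE(review): allow-client admits every address, but the input filter
       (default-action drop) has no rule for UDP 123, so no client — not even
       on br0 — can reach this NTP server. Either add an input rule bound to
       br0 or narrow allow-client to the intended subnets; confirm which is
       wanted. */
    ntp {
        allow-client {
            address xxx.xxx.0.0/0
            address ::/0
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    /* NOTE(review): SSH is reachable from eth0 (input rules 40/41) and
       password authentication is still enabled; once every user has a key,
       "disable-password-authentication" under this node removes the
       password path from the WAN-facing service. */
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    /* Conntrack helper modules. NOTE(review): this looks like the stock
       default set; each helper that is not actually needed can be removed
       to shrink the helper attack surface — confirm which protocols are
       in use. */
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name xxxxxx
    login {
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ssh-rsa
                }
            }
        }
        /* NOTE(review): plaintext-password sits next to encrypted-password.
           VyOS normally replaces plaintext-password with the hashed form at
           commit, so seeing both suggests an uncommitted change — confirm,
           and make sure the plaintext leaf does not persist in the saved
           config. */
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
            }
        }
    }
    name-server xxx.xxx.1.1
    name-server xxx.xxx.0.1
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
}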