/* Zone-based VyOS firewall. Every permit is "action return" rather than "accept"; whether a return from a named ruleset is accepted or falls to the zone default-action depends on the running release's zone-chain layout - TODO confirm on the box. */
firewall {
    /* source-validation (rp_filter) is off, presumably because the two-WAN load balancer below produces asymmetric paths - confirm; log-martians stays on so spoofed sources are still logged. */
    global-options {
        all-ping enable
        broadcast-ping disable
        ipv6-receive-redirects disable
        ipv6-src-route disable
        ip-src-route disable
        log-martians enable
        receive-redirects disable
        send-redirects enable
        source-validation disable
        syn-cookies enable
        twa-hazards-protection disable
    }
    ipv4 {
        /* ALL, DENY and NONE (and DENY_6 below) are not referenced by any zone in this file - dead rulesets unless used elsewhere. */
        name ALL {
            default-action return
        }
        /* Egress policy for the unprivileged zones; the rejected /24 is presumably the same modem network written literally as 192.168.100.0/24 in load-balancing rule 10 and nat rule 100 (redaction differs). */
        name ALL_WAN {
            default-action return
            description "Restricted egress"
            rule 10 {
                action reject
                description "Reject cable modem network"
                destination {
                    address xxx.xxx.100.0/24
                }
            }
        }
        name DENY {
            default-action drop
        }
        /* Reply-only ruleset: stateful return traffic plus ICMP. */
        name ESTAB {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
        }
        /* ESTAB plus DHCP for zones that must lease from this router but get nothing else. */
        name ESTAB_DHCP {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
            rule 3 {
                action return
                description "Accept DHCP"
                destination {
                    port bootps
                }
                protocol udp
                source {
                    port bootpc
                }
            }
        }
        /* ESTAB_DHCP plus UDP DNS to the router's resolver. */
        name ESTAB_DHCP_DNS {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
            rule 3 {
                action return
                description "Accept DHCP"
                destination {
                    port bootps
                }
                protocol udp
                source {
                    port bootpc
                }
            }
            rule 10 {
                action return
                description "Accept DNS"
                destination {
                    port domain
                }
                protocol udp
            }
        }
        /* Remote-site (HOME, tun0/br0) to this router: OSPF neighbouring and SSH management. */
        name HOME_LOCAL {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
            rule 10 {
                action return
                description "Accept OSPF"
                protocol ospf
            }
            rule 20 {
                action return
                description "Accept SSH"
                destination {
                    port ssh
                }
                protocol tcp
            }
            rule 30 {
                action return
                description "Accept iPerf3"
                destination {
                    port 5201
                }
                protocol tcp
            }
        }
        name HOME_MGMT {
            default-action drop
            rule 1 {
                action return
                description "Allow established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
            rule 10 {
                action return
                description "Allow Vorik SSH"
                destination {
                    address xxx.xxx.17.100
                    port ssh
                }
                protocol tcp
            }
        }
        /* No ICMP rule here, nor in IOT_HOME, IOT_SERVICES or LAN_SERVICES (unlike the *_LOCAL sets): PMTUD and traceroute toward these hosts are dropped - confirm intended. */
        name HOME_SERVICES {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 10 {
                action return
                description "Accept Web"
                destination {
                    port http,https
                }
                protocol tcp
            }
            rule 20 {
                action return
                description "Allow Bareos"
                destination {
                    port 9101,9103
                }
                protocol tcp
            }
            rule 30 {
                action return
                description "Allow SMB"
                destination {
                    address xxx.xxx.19.34
                    port 445
                }
                protocol tcp
            }
            /* Any protocol/port to the domain controller. */
            rule 40 {
                action return
                description "Accept to Domain Controller"
                destination {
                    address xxx.xxx.19.33
                }
            }
            rule 50 {
                action return
                description "Accept SMTP relay from Home IoT"
                destination {
                    address xxx.xxx.19.36
                    port smtp,submission,submissions
                }
                protocol tcp
                source {
                    address xxx.xxx.4.0/24
                }
            }
        }
        name IOT_HOME {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 10 {
                action return
                description "Accept HTTP to Tuvok (Wired)"
                destination {
                    address xxx.xxx.1.11
                    port http-alt
                }
                protocol tcp
            }
            rule 11 {
                action return
                description "Accept HTTP to Tuvok (Wireless)"
                destination {
                    address xxx.xxx.1.12
                    port http-alt
                }
                protocol tcp
            }
        }
        /* IoT -> LAN is matched on Chromecast source/destination port ranges only, with no address restriction; rules 20/30 open the whole ephemeral UDP range from any IoT host toward LAN. */
        name IOT_LAN {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
            rule 10 {
                action return
                description "Accept Chromecast TCP"
                protocol tcp
                source {
                    port 8008-8009,8443
                }
            }
            rule 20 {
                action return
                description "Accept Chromecast UDP (src)"
                protocol udp
                source {
                    port 32768-61000
                }
            }
            rule 30 {
                action return
                description "Accept Chromecast UDP (dst)"
                destination {
                    port 32768-61000
                }
                protocol udp
            }
        }
        name IOT_LOCAL {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
            rule 3 {
                action return
                description "Accept DHCP"
                destination {
                    port bootps
                }
                protocol udp
                source {
                    port bootpc
                }
            }
            rule 10 {
                action return
                description "Accept DNS"
                destination {
                    port domain
                }
                protocol udp
            }
            rule 20 {
                action return
                description "Accept mDNS"
                destination {
                    address xxx.xxx.0.251
                    port mdns
                }
                protocol udp
            }
        }
        name IOT_SERVICES {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            /* SMTP to any SERVICES host; HOME_SERVICES rule 50 pins the same ports to one relay address. */
            rule 10 {
                action return
                description "Accept SMTP"
                destination {
                    port submission,smtp,submissions
                }
                protocol tcp
            }
            rule 20 {
                action return
                description "Accept Jellyfin"
                destination {
                    address xxx.xxx.16.45
                    port 8096
                }
                protocol tcp
            }
            rule 30 {
                action return
                description "Accept Google Home Local Fulfillment"
                destination {
                    address xxx.xxx.16.50
                    port 3002
                }
                protocol tcp
            }
            rule 40 {
                action return
                description "Accept HLS to Tuvok"
                destination {
                    address xxx.xxx.16.46
                    port http-alt
                }
                protocol tcp
            }
        }
        name LAN_LOCAL {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
            rule 3 {
                action return
                description "Accept DHCP"
                destination {
                    port bootps
                }
                protocol udp
                source {
                    port bootpc
                }
            }
            rule 10 {
                action return
                description "Accept DNS"
                destination {
                    port domain
                }
                protocol udp
            }
            rule 20 {
                action return
                description "Accept mDNS"
                destination {
                    address xxx.xxx.0.251
                    port mdns
                }
                protocol udp
            }
            rule 30 {
                action return
                description "Accept iPerf3"
                destination {
                    port 5201
                }
                protocol tcp
            }
        }
        /* Applies to wg0 clients as well, since wg0 is in zone LAN below. */
        name LAN_MGMT {
            default-action drop
            rule 1 {
                action return
                description "Allow established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
            rule 10 {
                action return
                description "Allow Vorik SSH"
                destination {
                    address xxx.xxx.17.100
                    port ssh
                }
                protocol tcp
            }
        }
        name LAN_SERVICES {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 10 {
                action return
                description "Accept Web"
                destination {
                    port http,https
                }
                protocol tcp
            }
            rule 20 {
                action return
                description "Allow Bareos"
                destination {
                    port 9101,9103
                }
                protocol tcp
            }
            rule 30 {
                action return
                description "Allow SMB"
                destination {
                    address xxx.xxx.19.34
                    port 445
                }
                protocol tcp
            }
            rule 40 {
                action return
                description "Accept to Domain Controller"
                destination {
                    address xxx.xxx.19.33
                }
            }
            rule 50 {
                action return
                description "Accept HLS to Tuvok"
                destination {
                    address xxx.xxx.16.46
                    port http-alt
                }
                protocol tcp
            }
            rule 60 {
                action return
                description "Accept Minecraft to Chell"
                destination {
                    address xxx.xxx.16.48
                    port 25555-25565
                }
                protocol tcp
            }
        }
        name MGMT_LOCAL {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
            rule 10 {
                action return
                description "Accept DNS"
                destination {
                    port domain
                }
                protocol udp
            }
            rule 20 {
                action return
                description "Accept mDNS"
                destination {
                    address xxx.xxx.0.251
                    port mdns
                }
                protocol udp
            }
            rule 30 {
                action return
                description "Accept SSH"
                destination {
                    port ssh
                }
                protocol tcp
            }
            rule 40 {
                action return
                description "Accept iPerf3"
                destination {
                    port 5201
                }
                protocol tcp
            }
        }
        name NONE {
            default-action drop
        }
        name PERMIT {
            default-action return
        }
        /* Monitoring (SNMP/Zabbix) and HTTP from named SERVICES hosts into the remote site. */
        name SERVICES_HOME {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
            rule 10 {
                action return
                description "Accept SNMP"
                destination {
                    port snmp
                }
                protocol udp
                source {
                    address xxx.xxx.16.40
                }
            }
            rule 20 {
                action return
                description "Accept Zabbix Agent"
                destination {
                    port zabbix-agent
                }
                protocol tcp
                source {
                    address xxx.xxx.16.40
                }
            }
            rule 30 {
                action return
                description "Accept HTTP"
                destination {
                    port http
                }
                protocol tcp
                source {
                    address xxx.xxx.19.38
                }
            }
            rule 40 {
                action return
                description "Accept RTSP to Kes"
                destination {
                    address xxx.xxx.4.10-xxx.xxx.4.11
                    port rtsp
                }
                protocol tcp_udp
                source {
                    address xxx.xxx.16.46
                }
            }
        }
        name SERVICES_LOCAL {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
            rule 10 {
                action return
                description "Accept DNS"
                destination {
                    port domain
                }
                protocol udp
            }
            rule 20 {
                action return
                description "Accept mDNS"
                destination {
                    address xxx.xxx.0.251
                    port mdns
                }
                protocol udp
            }
            /* SNMP to the router from one SERVICES host only; the IPv6 twin (SERVICES_LOCAL_6 rule 30) has no source restriction. */
            rule 30 {
                action return
                description "Accept SNMP"
                destination {
                    port snmp
                }
                protocol udp
                source {
                    address xxx.xxx.5.35
                }
            }
        }
        /* SNMP and Zabbix here are open from any SERVICES host to any MGMT host (no source address), unlike SERVICES_HOME. */
        name SERVICES_MGMT {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
            rule 10 {
                action return
                description "Accept Zabbix Agent"
                destination {
                    port 10050
                }
                protocol tcp
            }
            rule 20 {
                action return
                description "Accept SNMP"
                destination {
                    port snmp
                }
                protocol udp
            }
            rule 30 {
                action return
                description "Accept Node-RED to Voyager"
                destination {
                    address xxx.xxx.17.1
                    port https
                }
                protocol tcp
                source {
                    address xxx.xxx.16.50
                }
            }
            rule 40 {
                action return
                description "Accept Sisko to TrueNAS"
                destination {
                    address xxx.xxx.17.2
                    port https
                }
                protocol tcp
                source {
                    address xxx.xxx.19.49
                }
            }
        }
        /* Internet-facing input chain: VPN protocols only - no SSH, DNS, NTP or SNMP from WAN, so the open allow-from/allow-client/listen settings under service{} rely on this ruleset. Rule 40 exposes iPerf3 to the internet; WAN_LOCAL_6 does the same. */
        name WAN_LOCAL {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMP"
                protocol icmp
            }
            rule 10 {
                action return
                description "Accept Wireguard"
                destination {
                    port 51820
                }
                protocol udp
            }
            rule 20 {
                action return
                description "Accept OpenVPN"
                destination {
                    port 1194
                }
                protocol udp
            }
            rule 30 {
                action return
                description "Accept ISAKMP"
                destination {
                    port isakmp
                }
                protocol udp
                source {
                    port isakmp
                }
            }
            rule 31 {
                action return
                description "Accept NAT-T"
                destination {
                    port ipsec-nat-t
                }
                protocol udp
            }
            rule 32 {
                action return
                description "Accept ESP"
                protocol esp
            }
            /* No DHCPv4 client rule (bootps -> bootpc) although eth0.50/eth0.60 use "address dhcp"; WAN_LOCAL_6 rule 3 has the v6 equivalent. Presumably lease replies match the conntrack entry - TODO confirm renewals survive. */
            rule 40 {
                action return
                description "Accept iPerf3"
                destination {
                    port 5201
                }
                protocol tcp
            }
        }
    }
    ipv6 {
        name DENY_6 {
            default-action drop
        }
        name ESTAB_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
        }
        name ESTAB_DHCP_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
            rule 3 {
                action return
                description "Accept DHCPv6"
                destination {
                    port dhcpv6-server
                }
                protocol udp
                source {
                    port dhcpv6-client
                }
            }
        }
        name ESTAB_DHCP_DNS_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
            rule 3 {
                action return
                description "Accept DHCPv6"
                destination {
                    port dhcpv6-server
                }
                protocol udp
                source {
                    port dhcpv6-client
                }
            }
            rule 10 {
                action return
                description "Accept DNS"
                destination {
                    port domain
                }
                protocol udp
            }
        }
        /* Only ruleset in the file without an explicit "default-action drop" - relies on the platform default; add it explicitly to match HOME_LOCAL. */
        name HOME_LOCAL_6 {
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
            rule 10 {
                action return
                description "Accept OSPFv3"
                protocol ospf
            }
            rule 20 {
                action return
                description "Accept SSH"
                destination {
                    port ssh
                }
                protocol tcp
            }
            rule 30 {
                action return
                description "Accept iPerf3"
                destination {
                    port 5201
                }
                protocol tcp
            }
        }
        name HOME_MGMT_6 {
            default-action drop
            rule 1 {
                action return
                description "Allow established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
            rule 10 {
                action return
                description "Allow Vorik SSH"
                destination {
                    address xxxx:xxxx:c62e:10ec:4c74:3ff:fe94:ea75
                    port ssh
                }
                protocol tcp
            }
        }
        name HOME_SERVICES_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 10 {
                action return
                description "Accept Web"
                destination {
                    port http,https
                }
                protocol tcp
            }
            rule 20 {
                action return
                description "Accept Bareos"
                destination {
                    port 9101,9103
                }
                protocol tcp
            }
            rule 30 {
                action return
                description "Accept SMB"
                destination {
                    address xxxx:xxxx:c62e:10ec:ec4:7aff:fe02:41dd
                    port 445
                }
                protocol tcp
            }
            rule 40 {
                action return
                description "Accept to Domain Controller"
                destination {
                    address xxxx:xxxx:c62e:28e0:4c74:3ff:fe56:ff94
                }
            }
            rule 50 {
                action return
                description "Accept SMTP relay from Home IoT"
                destination {
                    address xxxx:xxxx:c62e:28e0:4c74:3ff:fe0c:470f
                    port smtp,submission,submissions
                }
                protocol tcp
                source {
                    address xxxx:xxxx:e814:4::/64
                }
            }
        }
        name IOT_HOME_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 10 {
                action return
                description "Accept HTTP to Tuvok (Wired)"
                destination {
                    address xxxx:xxxx:e814:1:b2a7:b9ff:fe2c:b825
                    port http-alt
                }
                protocol tcp
            }
            rule 11 {
                action return
                description "Accept HTTP to Tuvok (Wireless)"
                destination {
                    address xxxx:xxxx:e814:1:3252:cbff:fee7:8889
                    port http-alt
                }
                protocol tcp
            }
        }
        name IOT_LAN_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
            rule 10 {
                action return
                description "Accept Chromecast TCP"
                protocol tcp
                source {
                    port 8008-8009,8443
                }
            }
            rule 20 {
                action return
                description "Accept Chromecast UDP (src)"
                protocol udp
                source {
                    port 32768-61000
                }
            }
            rule 30 {
                action return
                description "Accept Chromecast UDP (dst)"
                destination {
                    port 32768-61000
                }
                protocol udp
            }
        }
        name IOT_LOCAL_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
            rule 3 {
                action return
                description "Accept DHCPv6"
                destination {
                    port dhcpv6-server
                }
                protocol udp
                source {
                    port dhcpv6-client
                }
            }
            rule 10 {
                action return
                description "Accept DNS"
                destination {
                    port domain
                }
                protocol udp
            }
            rule 20 {
                action return
                description "Accept mDNS"
                destination {
                    address ff02::fb
                    port mdns
                }
                protocol udp
            }
        }
        name IOT_SERVICES_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 10 {
                action return
                description "Accept SMTP"
                destination {
                    port submission,smtp,submissions
                }
                protocol tcp
            }
            rule 20 {
                action return
                description "Accept Jellyfin"
                destination {
                    address xxxx:xxxx:c62e:7e29:4c74:3ff:fe2b:8235
                    port 8096
                }
                protocol tcp
            }
            rule 30 {
                action return
                description "Accept Google Home Local Fulfillment"
                destination {
                    address xxxx:xxxx:c62e:7e29:4c74:3ff:fe44:9e40
                    port 3002
                }
                protocol tcp
            }
            rule 40 {
                action return
                description "Accept HLS to Tuvok"
                destination {
                    address xxxx:xxxx:c62e:7e29:529a:4cff:fecc:62e3
                    port http-alt
                }
                protocol tcp
            }
        }
        name LAN_LOCAL_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
            rule 3 {
                action return
                description "Accept DHCPv6"
                destination {
                    port dhcpv6-server
                }
                protocol udp
                source {
                    port dhcpv6-client
                }
            }
            rule 10 {
                action return
                description "Accept DNS"
                destination {
                    port domain
                }
                protocol udp
            }
            rule 20 {
                action return
                description "Accept mDNS"
                destination {
                    address ff02::fb
                    port mdns
                }
                protocol udp
            }
            rule 30 {
                action return
                description "Accept iPerf3"
                destination {
                    port 5201
                }
                protocol tcp
            }
        }
        name LAN_MGMT_6 {
            default-action drop
            rule 1 {
                action return
                description "Allow established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
            rule 10 {
                action return
                description "Allow Vorik SSH"
                destination {
                    address xxxx:xxxx:c62e:10ec:4c74:3ff:fe94:ea75
                    port ssh
                }
                protocol tcp
            }
        }
        name LAN_SERVICES_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 10 {
                action return
                description "Accept Web"
                destination {
                    port http,https
                }
                protocol tcp
            }
            rule 20 {
                action return
                description "Accept Bareos"
                destination {
                    port 9101,9103
                }
                protocol tcp
            }
            rule 30 {
                action return
                description "Accept SMB"
                destination {
                    address xxxx:xxxx:c62e:10ec:ec4:7aff:fe02:41dd
                    port 445
                }
                protocol tcp
            }
            rule 40 {
                action return
                description "Accept to Domain Controller"
                destination {
                    address xxxx:xxxx:c62e:28e0:4c74:3ff:fe56:ff94
                }
            }
            rule 50 {
                action return
                description "Accept HLS to Tuvok"
                destination {
                    address xxxx:xxxx:c62e:7e29:529a:4cff:fecc:62e3
                    port http-alt
                }
                protocol tcp
            }
            rule 60 {
                action return
                description "Accept Minecraft to Chell"
                destination {
                    address xxxx:xxxx:c62e:7e29:4c74:3ff:fece:84a4
                    port 25555-25565
                }
                protocol tcp
            }
        }
        name MGMT_LOCAL_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
            rule 3 {
                action return
                description "Accept DHCPv6"
                destination {
                    port dhcpv6-server
                }
                protocol udp
                source {
                    port dhcpv6-client
                }
            }
            rule 10 {
                action return
                description "Accept DNS"
                destination {
                    port domain
                }
                protocol udp
            }
            rule 20 {
                action return
                description "Accept mDNS"
                destination {
                    address ff02::fb
                    port mdns
                }
                protocol udp
            }
            rule 30 {
                action return
                description "Accept SSH"
                destination {
                    port ssh
                }
                protocol tcp
            }
            rule 40 {
                action return
                description "Accept iPerf3"
                destination {
                    port 5201
                }
                protocol tcp
            }
        }
        name PERMIT_6 {
            default-action return
        }
        /* IPv6 twin of SERVICES_HOME; it has no equivalent of the v4 RTSP rule 40. */
        name SERVICES_HOME_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
            rule 10 {
                action return
                description "Accept SNMP"
                destination {
                    port snmp
                }
                protocol udp
                source {
                    address xxxx:xxxx:c62e:7e29:4c74:3ff:fe87:296a
                }
            }
            rule 20 {
                action return
                description "Accept Zabbix Agent"
                destination {
                    port zabbix-agent
                }
                protocol tcp
                source {
                    address xxxx:xxxx:c62e:7e29:4c74:3ff:fe87:296a
                }
            }
            rule 30 {
                action return
                description "Accept HTTP"
                destination {
                    port http
                }
                protocol tcp
                source {
                    address xxxx:xxxx:c62e:28e0:4c74:3ff:fe8e:acd0
                }
            }
        }
        name SERVICES_LOCAL_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
            rule 3 {
                action return
                description "Accept DHCPv6"
                destination {
                    port dhcpv6-server
                }
                protocol udp
                source {
                    port dhcpv6-client
                }
            }
            rule 10 {
                action return
                description "Accept DNS"
                destination {
                    port domain
                }
                protocol udp
            }
            rule 20 {
                action return
                description "Accept mDNS"
                destination {
                    address ff02::fb
                    port mdns
                }
                protocol udp
            }
            /* SNMP to the router from any SERVICES host over IPv6; the v4 rule restricts the source. */
            rule 30 {
                action return
                description "Accept SNMP"
                destination {
                    port snmp
                }
                protocol udp
            }
        }
        /* IPv6 twin of SERVICES_MGMT; it has no equivalent of the v4 "Sisko to TrueNAS" rule 40. */
        name SERVICES_MGMT_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
            rule 10 {
                action return
                description "Accept Zabbix Agent"
                destination {
                    port 10050
                }
                protocol tcp
            }
            rule 20 {
                action return
                description "Accept SNMP"
                destination {
                    port snmp
                }
                protocol udp
            }
            rule 30 {
                action return
                description "Accept Node-RED to Voyager"
                destination {
                    address xxxx:xxxx:c62e:10ec:7285:c2ff:fef9:8cff
                    port https
                }
                protocol tcp
                source {
                    address xxxx:xxxx:c62e:7e29:4c74:3ff:fe44:9e40
                }
            }
        }
        name WAN_LOCAL_6 {
            default-action drop
            rule 1 {
                action return
                description "Accept established/related"
                state established
                state related
            }
            rule 2 {
                action return
                description "Accept ICMPv6"
                protocol ipv6-icmp
            }
            /* Inbound DHCPv6 server->client replies for the peth0 prefix-delegation client. */
            rule 3 {
                action return
                description "Accept DHCPv6"
                destination {
                    port dhcpv6-client
                }
                protocol udp
                source {
                    port dhcpv6-server
                }
            }
            rule 10 {
                action return
                description "Accept Wireguard"
                destination {
                    port 51820
                }
                protocol udp
            }
            rule 20 {
                action return
                description "Accept OpenVPN"
                destination {
                    port 1194
                }
                protocol udp
            }
            rule 30 {
                action return
                description "Accept ISAKMP"
                destination {
                    port isakmp
                }
                protocol udp
                source {
                    port isakmp
                }
            }
            rule 31 {
                action return
                description "Accept NAT-T"
                destination {
                    port ipsec-nat-t
                }
                protocol udp
            }
            rule 32 {
                action return
                description "Accept ESP"
                protocol esp
            }
            rule 40 {
                action return
                description "Accept iPerf3"
                destination {
                    port 5201
                }
                protocol tcp
            }
        }
    }
    zone GUEST {
        default-action drop
        from LOCAL {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from WAN {
            firewall {
                ipv6-name ESTAB_6
                name ESTAB
            }
        }
        interface eth1.310
    }
    /* Remote site over the OpenVPN bridge and GRE tunnel. Only zone without an explicit "default-action drop" - relies on the platform default; make it explicit. No "from WAN" here, so internet traffic never enters HOME. */
    zone HOME {
        from IOT {
            firewall {
                ipv6-name IOT_HOME_6
                name IOT_HOME
            }
        }
        from LAN {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from LOCAL {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from MGMT {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from SERVICES {
            firewall {
                ipv6-name SERVICES_HOME_6
                name SERVICES_HOME
            }
        }
        interface tun0
        interface br0
    }
    zone IOT {
        default-action drop
        from HOME {
            firewall {
                ipv6-name ESTAB_6
                name ESTAB
            }
        }
        from LAN {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from LOCAL {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from MGMT {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from SERVICES {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from WAN {
            firewall {
                ipv6-name ESTAB_6
                name ESTAB
            }
        }
        interface eth1.100
    }
    /* Quarantine segment: gets DHCP from the router (ESTAB_DHCP in zone LOCAL) but no DNS; dhcp-server hands it public resolvers instead. */
    zone ISOLATED {
        default-action drop
        from LOCAL {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from WAN {
            firewall {
                ipv6-name ESTAB_6
                name ESTAB
            }
        }
        interface eth1.230
    }
    /* wg0 road-warrior clients are members of LAN and inherit every LAN privilege (LAN_MGMT, LAN_SERVICES, PERMIT to IOT/HOME). */
    zone LAN {
        default-action drop
        from HOME {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from IOT {
            firewall {
                ipv6-name IOT_LAN_6
                name IOT_LAN
            }
        }
        from LOCAL {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from MGMT {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from SERVICES {
            firewall {
                ipv6-name ESTAB_6
                name ESTAB
            }
        }
        from WAN {
            firewall {
                ipv6-name ESTAB_6
                name ESTAB
            }
        }
        interface eth1.300
        interface wg0
    }
    zone LOCAL {
        default-action drop
        from GUEST {
            firewall {
                ipv6-name ESTAB_DHCP_DNS_6
                name ESTAB_DHCP_DNS
            }
        }
        from HOME {
            firewall {
                ipv6-name HOME_LOCAL_6
                name HOME_LOCAL
            }
        }
        from IOT {
            firewall {
                ipv6-name IOT_LOCAL_6
                name IOT_LOCAL
            }
        }
        from ISOLATED {
            firewall {
                ipv6-name ESTAB_DHCP_6
                name ESTAB_DHCP
            }
        }
        from LAN {
            firewall {
                ipv6-name LAN_LOCAL_6
                name LAN_LOCAL
            }
        }
        from MGMT {
            firewall {
                ipv6-name MGMT_LOCAL_6
                name MGMT_LOCAL
            }
        }
        from SERVICES {
            firewall {
                ipv6-name SERVICES_LOCAL_6
                name SERVICES_LOCAL
            }
        }
        from WAN {
            firewall {
                ipv6-name WAN_LOCAL_6
                name WAN_LOCAL
            }
        }
        local-zone
    }
    zone MGMT {
        default-action drop
        from HOME {
            firewall {
                ipv6-name HOME_MGMT_6
                name HOME_MGMT
            }
        }
        from IOT {
            firewall {
                ipv6-name ESTAB_6
                name ESTAB
            }
        }
        from LAN {
            firewall {
                ipv6-name LAN_MGMT_6
                name LAN_MGMT
            }
        }
        from LOCAL {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from SERVICES {
            firewall {
                ipv6-name SERVICES_MGMT_6
                name SERVICES_MGMT
            }
        }
        from WAN {
            firewall {
                ipv6-name ESTAB_6
                name ESTAB
            }
        }
        interface eth1.10
    }
    /* Testing (eth1.220) and Jails (eth1.240) share the SERVICES trust level with Infrastructure and Services. */
    zone SERVICES {
        default-action drop
        from HOME {
            firewall {
                ipv6-name HOME_SERVICES_6
                name HOME_SERVICES
            }
        }
        from IOT {
            firewall {
                ipv6-name IOT_SERVICES_6
                name IOT_SERVICES
            }
        }
        from LAN {
            firewall {
                ipv6-name LAN_SERVICES_6
                name LAN_SERVICES
            }
        }
        from LOCAL {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from MGMT {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from WAN {
            firewall {
                ipv6-name ESTAB_6
                name ESTAB
            }
        }
        interface eth1.200
        interface eth1.210
        interface eth1.220
        interface eth1.240
    }
    /* No "from HOME" entry: remote-site traffic toward WAN hits default-action drop - presumably intended (HOME has its own uplink), confirm. The modem-network reject in ALL_WAN has no IPv6 counterpart (PERMIT_6). */
    zone WAN {
        default-action drop
        from GUEST {
            firewall {
                ipv6-name PERMIT_6
                name ALL_WAN
            }
        }
        from IOT {
            firewall {
                ipv6-name PERMIT_6
                name ALL_WAN
            }
        }
        from ISOLATED {
            firewall {
                ipv6-name PERMIT_6
                name ALL_WAN
            }
        }
        from LAN {
            firewall {
                ipv6-name PERMIT_6
                name ALL_WAN
            }
        }
        from LOCAL {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from MGMT {
            firewall {
                ipv6-name PERMIT_6
                name PERMIT
            }
        }
        from SERVICES {
            firewall {
                ipv6-name PERMIT_6
                name ALL_WAN
            }
        }
        interface eth0
        interface peth0
        interface eth0.50
        interface eth0.60
        interface peth0.50
        interface peth0.60
    }
}
high-availability {
}
interfaces {
    /* Layer-2 bridge carrying the OpenVPN tap to the remote site; in zone HOME. */
    bridge br0 {
        address xxx.xxx.3.205/30
        address fe80::1/64
        description "Site-Home OpenVPN endpoint"
        member {
            interface vtun0 {
            }
        }
    }
    /* Stable GRE source address; the /32 is also the local IPsec traffic selector under vpn{}. */
    dummy dum0 {
        address xxx.xxx.168.26/32
        description "Site-Home GRE endpoint"
        ipv6 {
            address {
                no-default-link-local
            }
        }
    }
    /* Dual WAN on VLANs 50/60 of eth0; IPv4 by DHCP, IPv6 handled on peth0 below. */
    ethernet eth0 {
        hw-id xx:xx:xx:xx:xx:58
        ipv6 {
            address {
                no-default-link-local
            }
        }
        vif 50 {
            address dhcp
            description WAN1
            ipv6 {
                address {
                    no-default-link-local
                }
            }
        }
        vif 60 {
            address dhcp
            description WAN2
            ipv6 {
                address {
                    no-default-link-local
                }
            }
        }
    }
    /* Inside trunk; each VLAN maps to one zone above. Guest (310) has no IPv6 address here, only a router-advert prefix. */
    ethernet eth1 {
        hw-id xx:xx:xx:xx:xx:59
        vif 10 {
            address xxx.xxx.17.126/25
            description Management
            ipv6 {
                address {
                    eui64 xxxx:xxxx:c62e:10ec::/64
                }
            }
        }
        vif 100 {
            address xxx.xxx.18.126/25
            description IoT
            ipv6 {
                address {
                    eui64 xxxx:xxxx:c62e:ec56::/64
                }
            }
        }
        vif 200 {
            address xxx.xxx.19.46/28
            description Infrastructure
            ipv6 {
                address {
                    eui64 xxxx:xxxx:c62e:28e0::/64
                }
            }
        }
        vif 210 {
            address xxx.xxx.16.254/24
            description Services
            ipv6 {
                address {
                    eui64 xxxx:xxxx:c62e:7e29::/64
                }
            }
        }
        vif 220 {
            address xxx.xxx.17.254/25
            description Testing
            ipv6 {
                address {
                    eui64 xxxx:xxxx:c62e:dc8a::/64
                }
            }
        }
        vif 230 {
            address xxx.xxx.18.254/26
            description Isolated
            ipv6 {
                address {
                    eui64 xxxx:xxxx:c62e:16d9::/64
                }
            }
        }
        vif 240 {
            address xxx.xxx.19.62/28
            description Jails
            ipv6 {
                address {
                    eui64 xxxx:xxxx:c62e:f0ba::/64
                }
            }
        }
        vif 300 {
            address xxx.xxx.18.190/26
            description LAN
            ipv6 {
                address {
                    eui64 xxxx:xxxx:c62e:b4c5::/64
                }
            }
        }
        vif 310 {
            address xxx.xxx.19.30/27
            description Guest
        }
    }
    loopback lo {
    }
    /* Static-key (pre-shared) site-to-site OpenVPN: no key exchange, so no forward secrecy and key rotation is manual - consider TLS mode with the pki key-pairs already defined. */
    openvpn vtun0 {
        description "Site-Home OpenVPN"
        device-type tap
        encryption {
            cipher aes256
        }
        hash sha256
        local-port 1194
        mode site-to-site
        openvpn-option "--proto udp4"
        persistent-tunnel
        remote-host xxxxx.tld
        remote-port 1194
        shared-secret-key ****************
    }
    /* IPv6 WAN side: SLAAC plus a /60 prefix delegation from WAN1 split across the inside VLANs. Interface is currently disabled. */
    pseudo-ethernet peth0 {
        disable
        source-interface eth0
        vif 50 {
            description WAN1v6
            dhcpv6-options {
                pd 0 {
                    interface eth1.10 {
                        sla-id 0
                    }
                    interface eth1.100 {
                        sla-id 1
                    }
                    interface eth1.200 {
                        sla-id 2
                    }
                    interface eth1.210 {
                        sla-id 3
                    }
                    interface eth1.220 {
                        sla-id 4
                    }
                    interface eth1.230 {
                        sla-id 5
                    }
                    interface eth1.240 {
                        sla-id 6
                    }
                    interface eth1.300 {
                        sla-id 7
                    }
                    interface eth1.310 {
                        sla-id 8
                    }
                    length 60
                }
            }
            ipv6 {
                address {
                    autoconf
                }
            }
        }
        vif 60 {
            description WAN2v6
            ipv6 {
                address {
                    autoconf
                }
            }
        }
    }
    /* GRE between the dummy endpoints; protected by the IPsec tunnel 1 selectors under vpn{}. MTU matches ospfv3 ifmtu. */
    tunnel tun0 {
        address xxx.xxx.219.173/30
        address fe80::1/64
        description "Site-Home GRE"
        enable-multicast
        encapsulation gre
        mtu 1420
        parameters {
            ipv6 {
                hoplimit 255
            }
        }
        remote xxx.xxx.168.27
        source-address xxx.xxx.168.26
    }
    /* Road-warrior WireGuard, one /32 + /128 per peer; placed in zone LAN. The peer subnet lies outside the xxx.xxx.16.0/20 masquerade source under nat{}, so if these clients are meant to reach the internet through this router (load-balancing rule 92 suggests so) they leave un-NATed - confirm. */
    wireguard wg0 {
        address xxx.xxx.134.238/28
        description VPN
        ipv6 {
            address {
                eui64 xxxx:xxxx:926e:e5af::/64
            }
        }
        peer Geordi {
            allowed-ips xxx.xxx.134.227/32
            allowed-ips xxxx:xxxx:926e:e5af:94b4:54f5:b990:ac03/128
            public-key ****************
        }
        peer Sulu {
            allowed-ips xxxx:xxxx:926e:e5af:8245:DDFF:FE75:E50E/128
            allowed-ips xxx.xxx.134.225/32
            public-key ****************
        }
        peer Tilly {
            allowed-ips xxx.xxx.134.226/32
            allowed-ips xxxx:xxxx:926e:e5af:1098:c3ff:fe0f:46d0/128
            public-key ****************
        }
        port 51820
        private-key xxxxxx
    }
}
/* Dual-WAN policy routing: health checks pinned to their uplink (rules 1-4), RFC1918 and WAN-originated traffic excluded (20-31), everything else balanced 1:2 (90-92). */
load-balancing {
    wan {
        enable-local-traffic
        flush-connections
        interface-health eth0.50 {
            failure-count 2
            nexthop dhcp
            success-count 3
            test 10 {
                resp-time 5
                target 1.1.1.1
                ttl-limit 1
                type ping
            }
            test 20 {
                resp-time 5
                target 8.8.8.8
                ttl-limit 1
                type ping
            }
        }
        interface-health eth0.60 {
            failure-count 2
            nexthop dhcp
            success-count 3
            test 10 {
                resp-time 5
                target 1.0.0.1
                ttl-limit 1
                type ping
            }
            test 20 {
                resp-time 5
                target 8.8.4.4
                ttl-limit 1
                type ping
            }
        }
        rule 1 {
            description "Primary DNS/health endpoint for eth0.50"
            destination {
                address 1.1.1.1
            }
            inbound-interface lo
            interface eth0.50 {
                weight 1
            }
            protocol icmp
        }
        rule 2 {
            description "Primary DNS/health endpoint for eth0.60"
            destination {
                address 1.0.0.1
            }
            inbound-interface lo
            interface eth0.60 {
                weight 1
            }
            protocol icmp
        }
        rule 3 {
            description "Backup DNS/health endpoint for eth0.50"
            destination {
                address 8.8.8.8
            }
            inbound-interface lo
            interface eth0.50 {
                weight 1
            }
            protocol icmp
        }
        rule 4 {
            description "Backup DNS/health endpoint for eth0.60"
            destination {
                address 8.8.4.4
            }
            inbound-interface lo
            interface eth0.60 {
                weight 1
            }
            protocol icmp
        }
        /* Must precede the 192.168.0.0/16 exclusion in rule 20 so the modem network is steered out eth0.60 (and translated by nat rule 100). */
        rule 10 {
            description "Modem network SNAT"
            destination {
                address 192.168.100.0/24
            }
            inbound-interface eth1+
            interface eth0.60 {
                weight 1
            }
            protocol all
        }
        /* Pins one inside host to WAN2 with no protocol or destination qualifier. Labelled temporary with no date or reason - TODO record why, or remove. */
        rule 11 {
            description "Temporary Fix"
            inbound-interface eth1+
            interface eth0.60 {
            }
            source {
                address xxx.xxx.18.132
            }
        }
        rule 20 {
            description "Exclude RFC1918"
            destination {
                address 192.168.0.0/16
            }
            exclude
            inbound-interface eth1+
            protocol all
        }
        rule 21 {
            description "Exclude RFC1918"
            destination {
                address 10.0.0.0/8
            }
            exclude
            inbound-interface eth1+
            protocol all
        }
        rule 22 {
            description "Exclude RFC1918"
            destination {
                address 172.16.0.0/12
            }
            exclude
            inbound-interface eth1+
            protocol all
        }
        rule 23 {
            description "Exclude RFC1918"
            destination {
                address 192.168.0.0/16
            }
            exclude
            inbound-interface lo
            protocol all
        }
        rule 24 {
            description "Exclude RFC1918"
            destination {
                address 10.0.0.0/8
            }
            exclude
            inbound-interface lo
            protocol all
        }
        rule 25 {
            description "Exclude RFC1918"
            destination {
                address 172.16.0.0/12
            }
            exclude
            inbound-interface lo
            protocol all
        }
        rule 26 {
            description "Exclude RFC1918"
            destination {
                address 192.168.0.0/16
            }
            exclude
            inbound-interface wg+
            protocol all
        }
        rule 27 {
            description "Exclude RFC1918"
            destination {
                address 10.0.0.0/8
            }
            exclude
            inbound-interface wg+
            protocol all
        }
        rule 28 {
            description "Exclude RFC1918"
            destination {
                address 172.16.0.0/12
            }
            exclude
            inbound-interface wg+
            protocol all
        }
        rule 30 {
            description "Exclude WAN"
            exclude
            inbound-interface eth0.50
            protocol all
        }
        rule 31 {
            description "Exclude WAN"
            exclude
            inbound-interface eth0.60
            protocol all
        }
        rule 90 {
            description "WAN load-balance"
            inbound-interface eth1+
            interface eth0.50 {
                weight 1
            }
            interface eth0.60 {
                weight 2
            }
            protocol all
        }
        rule 91 {
            description "WAN load-balance"
            inbound-interface lo
            interface eth0.50 {
                weight 1
            }
            interface eth0.60 {
                weight 2
            }
            protocol all
        }
        rule 92 {
            description "WAN load-balance"
            inbound-interface wg+
            interface eth0.50 {
                weight 1
            }
            interface eth0.60 {
                weight 2
            }
            protocol all
        }
        sticky-connections {
            inbound
        }
    }
}
/* Masquerade covers xxx.xxx.16.0/20 only (the eth1 VLANs); wg0 and the HOME-side prefixes are not translated here. */
nat {
    source {
        rule 10 {
            description "Masquerade to WAN1"
            outbound-interface {
                name eth0.50
            }
            source {
                address xxx.xxx.16.0/20
            }
            translation {
                address masquerade
            }
        }
        rule 20 {
            description "Masquerade to WAN2"
            outbound-interface {
                name eth0.60
            }
            source {
                address xxx.xxx.16.0/20
            }
            translation {
                address masquerade
            }
        }
        /* Fixed source address for reaching the cable modem's management network on WAN2. */
        rule 100 {
            description "Translate to modem network"
            destination {
                address 192.168.100.0/24
            }
            outbound-interface {
                name eth0.60
            }
            translation {
                address 192.168.100.10
            }
        }
    }
}
/* Site RSA key-pairs used by vpn ipsec authentication; Site-Home is public-only (the peer). */
pki {
    key-pair Site-DHSF {
        private {
            key xxxxxx
        }
        public {
            key xxxxxx
        }
    }
    key-pair Site-Home {
        public {
            key xxxxxx
        }
    }
    openvpn {
        shared-secret xxxxxx {
            key xxxxxx
            version 1
        }
    }
}
protocols {
    /* OSPF peers only over the two tunnels (passive-interface default). Neither interface block sets authentication - the encrypted transports are the only protection against rogue neighbours; OSPF MD5 authentication would add defence in depth. */
    ospf {
        area 0 {
            network xxx.xxx.219.172/30
            network xxx.xxx.16.0/24
            network xxx.xxx.17.0/25
            network xxx.xxx.17.128/25
            network xxx.xxx.18.0/25
            network xxx.xxx.18.128/26
            network xxx.xxx.18.192/26
            network xxx.xxx.19.0/27
            network xxx.xxx.19.32/28
            network xxx.xxx.19.48/28
            network xxx.xxx.3.204/30
        }
        interface br0 {
            cost 2
            passive {
                disable
            }
        }
        interface tun0 {
            cost 1
            passive {
                disable
            }
        }
        parameters {
            router-id xxx.xxx.0.0
        }
        passive-interface default
    }
    /* OSPFv3 runs over tun0 only (no br0). The 1ac8::/64 range does not match any eth1 vif prefix in this file - possibly stale, confirm. */
    ospfv3 {
        area xxx.xxx.0.0 {
            range xxxx:xxxx:c62e:1ac8::/64 {
            }
            range xxxx:xxxx:c62e:7e29::/64 {
            }
            range xxxx:xxxx:c62e:10ec::/64 {
            }
            range xxxx:xxxx:c62e:16d9::/64 {
            }
            range xxxx:xxxx:c62e:28e0::/64 {
            }
            range xxxx:xxxx:c62e:b4c5::/64 {
            }
            range xxxx:xxxx:c62e:dc8a::/64 {
            }
            range xxxx:xxxx:c62e:ec56::/64 {
            }
            range xxxx:xxxx:c62e:f0ba::/64 {
            }
        }
        interface tun0 {
            area xxx.xxx.0.0
            ifmtu 1420
            mtu-ignore
            network broadcast
        }
        parameters {
            router-id xxx.xxx.0.0
        }
    }
}
service {
    /* One scope per inside VLAN. Untrusted segments (Guest/Isolated) get the router or public resolvers; trusted ones get the router plus a domain-name. */
    dhcp-server {
        shared-network-name xxxxxx {
            subnet xxx.xxx.19.0/27 {
                default-router xxx.xxx.19.30
                name-server xxx.xxx.19.30
                range GUEST {
                    start xxx.xxx.19.1
                    stop xxx.xxx.19.29
                }
            }
        }
        shared-network-name xxxxxx {
            subnet xxx.xxx.18.0/25 {
                default-router xxx.xxx.18.126
                name-server xxx.xxx.18.126
                range IOT {
                    start xxx.xxx.18.1
                    stop xxx.xxx.18.63
                }
            }
        }
        /* Isolated clients are pointed at external resolvers, consistent with ESTAB_DHCP (no DNS) in zone LOCAL. */
        shared-network-name xxxxxx {
            subnet xxx.xxx.18.192/26 {
                default-router xxx.xxx.18.254
                name-server xxx.xxx.1.1
                name-server xxx.xxx.0.1
                range ISOLATED {
                    start xxx.xxx.18.193
                    stop xxx.xxx.18.253
                }
            }
        }
        shared-network-name xxxxxx {
            subnet xxx.xxx.18.128/26 {
                default-router xxx.xxx.18.190
                domain-name xxxxxx
                name-server xxx.xxx.18.190
                range LAN {
                    start xxx.xxx.18.129
                    stop xxx.xxx.18.189
                }
            }
        }
        shared-network-name xxxxxx {
            subnet xxx.xxx.17.0/25 {
                default-router xxx.xxx.17.126
                domain-name xxxxxx
                name-server xxx.xxx.17.126
                range MGMT {
                    start xxx.xxx.17.110
                    stop xxx.xxx.17.119
                }
            }
        }
        shared-network-name xxxxxx {
            subnet xxx.xxx.17.128/25 {
                default-router xxx.xxx.17.254
                domain-name xxxxxx
                name-server xxx.xxx.17.254
                range TESTING {
                    start xxx.xxx.17.129
                    stop xxx.xxx.17.191
                }
            }
        }
    }
    dns {
        /* Dynamic DNS credentials are stored in the running config; access to config-management revisions equals access to these passwords. */
        dynamic {
            name service-nsupdate-eth0-50 {
                address {
                    interface eth0.50
                }
                host-name xxxxxx
                password xxxxxx
                protocol dyndns2
                server xxxxx.tld
                username xxxxxx
            }
            name service-nsupdate-eth0-60-web {
                address {
                    interface eth0.60
                }
                host-name xxxxxx
                password xxxxxx
                protocol dyndns2
                server xxxxx.tld
                username xxxxxx
            }
        }
        /* Recursor accepts queries from any source and listens on every address; only the zone policy (no DNS in WAN_LOCAL) keeps it from being an open resolver. Narrowing allow-from to the inside prefixes would give defence in depth. */
        forwarding {
            allow-from xxx.xxx.0.0/0
            allow-from ::/0
            cache-size 1000000
            dnssec process
            domain ad.example.com {
                name-server xxx.xxx.19.33 {
                }
            }
            listen-address xxx.xxx.0.0
            listen-address ::
            name-server xxx.xxx.0.1 {
            }
            name-server xxx.xxx.1.1 {
            }
            name-server xxx.xxx.4.4 {
            }
            name-server xxx.xxx.8.8 {
            }
        }
    }
    /* LLDP on eth0 advertises this device toward the upstream (WAN) side as well as eth1. */
    lldp {
        interface eth0 {
        }
        interface eth1 {
        }
    }
    /* mDNS repeater spans IoT, LAN, Management and Services: service discovery crosses zone boundaries that the firewall otherwise enforces - confirm eth1.10 (Management) needs to be included. */
    mdns {
        repeater {
            interface eth1.100
            interface eth1.300
            interface eth1.10
            interface eth1.210
        }
    }
    /* NTP served to any client address; WAN_LOCAL has no NTP rule, so again the zone policy is the only limit. The "xxxxxx" after allow-client appears to be a redaction artifact standing in for "{". */
    ntp {
        allow-client xxxxxx
            address xxx.xxx.0.0/0
            address ::/0
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    /* Router advertisements per VLAN; Isolated and Guest receive public resolvers, the rest receive an in-prefix resolver. */
    router-advert {
        interface eth1.10 {
            name-server xxxx:xxxx:c62e:10ec:210:f3ff:fe3c:8959
            prefix ::/64 {
            }
            prefix xxxx:xxxx:c62e:10ec::/64 {
            }
        }
        interface eth1.100 {
            name-server xxxx:xxxx:c62e:ec56:210:f3ff:fe3c:8959
            prefix ::/64 {
            }
            prefix xxxx:xxxx:c62e:ec56::/64 {
            }
        }
        interface eth1.200 {
            name-server xxxx:xxxx:c62e:28e0:210:f3ff:fe3c:8959
            prefix ::/64 {
            }
            prefix xxxx:xxxx:c62e:28e0::/64 {
            }
        }
        interface eth1.210 {
            name-server xxxx:xxxx:c62e:7e29:210:f3ff:fe3c:8959
            prefix ::/64 {
            }
            prefix xxxx:xxxx:c62e:7e29::/64 {
            }
        }
        interface eth1.220 {
            name-server xxxx:xxxx:c62e:dc8a:210:f3ff:fe3c:8959
            prefix ::/64 {
            }
            prefix xxxx:xxxx:c62e:dc8a::/64 {
            }
        }
        interface eth1.230 {
            name-server xxxx:xxxx:4700::1111
            name-server xxxx:xxxx:4700::1001
            prefix ::/64 {
            }
            prefix xxxx:xxxx:c62e:16d9::/64 {
            }
        }
        interface eth1.240 {
            name-server xxxx:xxxx:c62e:f0ba:210:f3ff:fe3c:8959
            prefix ::/64 {
            }
            prefix xxxx:xxxx:c62e:f0ba::/64 {
            }
        }
        interface eth1.300 {
            name-server xxxx:xxxx:c62e:b4c5:210:f3ff:fe3c:8959
            prefix ::/64 {
            }
            prefix xxxx:xxxx:c62e:b4c5::/64 {
            }
        }
        interface eth1.310 {
            name-server xxxx:xxxx:4700::1111
            name-server xxxx:xxxx:4700::1001
            prefix ::/64 {
            }
        }
    }
    /* SNMP v1/v2c with the well-known "public" community and no client/network restriction at the service level; reachable from SERVICES per SERVICES_LOCAL(_6). Use a non-default community with a client or network restriction, or SNMPv3 with authentication. */
    snmp {
        community public {
        }
    }
    /* SSH listens on all addresses; exposure is governed by the *_LOCAL rulesets (HOME, MGMT). One login user below has an encrypted-password, so password authentication is possible unless disabled here. */
    ssh {
        listen-address xxx.xxx.0.0
        listen-address ::
    }
}
system {
    config-management {
        commit-revisions 100
    }
    /* Conntrack ALG helpers enabled for seven protocols; each helper parses untrusted payloads in the kernel - keep only the ones actually needed (h323/pptp/sqlnet are rarely required). */
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
        device ttyS2 {
            speed 115200
        }
    }
    host-name xxxxxx
    /* First user is key-only (ssh-ed25519); second user has both an encrypted-password and a key. */
    login {
        user xxxxxx {
            authentication {
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ssh-ed25519
                }
            }
        }
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ssh-ed25519
                }
            }
        }
    }
    /* Remote syslog for authpriv and kern; no transport/port given, so it uses the platform default - confirm the collector path is inside a protected zone. */
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
        host ayala.example.com {
            facility authpriv {
                level info
            }
            facility kern {
                level notice
            }
        }
    }
    time-zone America/Los_Angeles
}
/* IKEv2 with RSA peer authentication, AES-256/SHA-256, DH group 20; the tunnel protects only the GRE endpoints (/32 <-> /32), so site traffic rides GRE inside IPsec. */
vpn {
    ipsec {
        esp-group Site-Home {
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group Site-Home {
            dead-peer-detection {
                action restart
            }
            key-exchange ikev2
            proposal 1 {
                dh-group 20
                encryption aes256
                hash sha256
            }
        }
        interface eth0.50
        interface eth0.60
        site-to-site {
            peer Site-Home {
                authentication {
                    local-id @Site-DHSF
                    mode rsa
                    remote-id @Site-Home
                    rsa {
                        local-key ****************
                        remote-key ****************
                    }
                }
                connection-type initiate
                default-esp-group Site-Home
                description Site-Home
                ike-group Site-Home
                local-address any
                remote-address home.example.com
                tunnel 1 {
                    local {
                        prefix xxx.xxx.168.26/32
                    }
                    remote {
                        prefix xxx.xxx.168.27/32
                    }
                }
            }
        }
    }
}
