# VyOS configuration in "set" command form for a zone-based router.
# Zones visible here: wan (eth0), lan (eth1), mullvadus (eth2), mullvadgb (eth3),
# wg0/wg1 (outbound WireGuard tunnels), wg7 (inbound WireGuard) and local (the router itself).
# Rule sets are named <source zone>-<destination zone>.
# Addresses, MACs, credentials and host names are sanitised (xxx) in this listing.

# --- Global firewall options (part 1) ---
# NOTE(review): broadcast-ping is enabled, so the router answers echo requests sent to a
# broadcast address. Confirm this is needed.
set firewall all-ping 'enable'
set firewall broadcast-ping 'enable'
set firewall config-trap 'disable'

# --- Address / network groups ---
# country-whitelist and nets4-blacklist are declared empty here; presumably they are filled by
# the update-whitelist / update-blacklist scheduled scripts (script contents are not shown).
# NOTE(review): no firewall rule in this listing references country-whitelist, nets4-blacklist
# or dns-servers. Confirm the lists are actually enforced somewhere.
set firewall group address-group dns-servers address 'xxx.xxx.68.22'
set firewall group network-group country-whitelist
set firewall group network-group mullvad-gb network 'xxx.xxx.110.0/24'
set firewall group network-group mullvad-us network 'xxx.xxx.32.0/24'
set firewall group network-group mullvad-us network 'xxx.xxx.100.0/24'
set firewall group network-group nets4-blacklist
# presumably the RFC 1918 ranges (leading octets are sanitised); used by policy route rule 10.
set firewall group network-group private-nets network 'xxx.xxx.0.0/16'
set firewall group network-group private-nets network 'xxx.xxx.0.0/12'
set firewall group network-group private-nets network 'xxx.xxx.0.0/8'

# --- Port groups (referenced by the wan-lan and wan-local rule sets) ---
set firewall group port-group gaming-ports port '54330'
# NOTE(review): 143 and 110 are the non-TLS IMAP/POP3 ports and 4190 is managesieve; all are
# accepted from the WAN zone (wan-lan rule 300). Confirm the mail server enforces STARTTLS
# before authentication on those ports, or drop them from the group.
set firewall group port-group mail-ports port '25'
set firewall group port-group mail-ports port '465'
set firewall group port-group mail-ports port '587'
set firewall group port-group mail-ports port '143'
set firewall group port-group mail-ports port '993'
set firewall group port-group mail-ports port '110'
set firewall group port-group mail-ports port '995'
set firewall group port-group mail-ports port '4190'
set firewall group port-group plex-ports port '32400'
set firewall group port-group rp-ports port '80'
set firewall group port-group rp-ports port '443'
# 51820 / 51822 are the listen ports of wg7 / wg8 below.
set firewall group port-group wg-ports port '51820'
set firewall group port-group wg-ports port '51822'

# --- Global firewall options (part 2) ---
# Redirect acceptance and source routing are off.
# NOTE(review): log-martians is disabled and source-validation (further down) is disabled too,
# so packets with impossible source addresses are neither filtered by reverse-path checks nor logged.
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'disable'

# --- Rule sets with source zone "lan" ---
# lan-local accepts everything from the LAN to the router itself (including SSH on port 22).
set firewall name lan-local default-action 'accept'
# Pattern used throughout: default drop, rule 100 accepts established/related (return traffic),
# rule 110 drops invalid-state packets.
# NOTE(review): none of the default-drop rule sets in this listing sets enable-default-log,
# so dropped packets leave no log entry.
set firewall name lan-mullvadgb default-action 'drop'
set firewall name lan-mullvadgb rule 100 action 'accept'
set firewall name lan-mullvadgb rule 100 state established 'enable'
set firewall name lan-mullvadgb rule 100 state related 'enable'
set firewall name lan-mullvadgb rule 110 action 'drop'
set firewall name lan-mullvadgb rule 110 state invalid 'enable'
set firewall name lan-mullvadus default-action 'drop'
set firewall name lan-mullvadus rule 100 action 'accept'
set firewall name lan-mullvadus rule 100 state established 'enable'
set firewall name lan-mullvadus rule 100 state related 'enable'
set firewall name lan-mullvadus rule 110 action 'drop'
set firewall name lan-mullvadus rule 110 state invalid 'enable'
# LAN to WAN is unrestricted.
set firewall name lan-wan default-action 'accept'
set firewall name lan-wg0 default-action 'drop'
set firewall name lan-wg0 rule 100 action 'accept'
set firewall name lan-wg0 rule 100 state established 'enable'
set firewall name lan-wg0 rule 100 state related 'enable'
set firewall name lan-wg0 rule 110 action 'drop'
set firewall name lan-wg0 rule 110 state invalid 'enable'
set firewall name lan-wg1 default-action 'drop'
set firewall name lan-wg1 rule 100 action 'accept'
set firewall name lan-wg1 rule 100 state established 'enable'
set firewall name lan-wg1 rule 100 state related 'enable'
set firewall name lan-wg1 rule 110 action 'drop'
set firewall name lan-wg1 rule 110 state invalid 'enable'
set firewall name lan-wg7 default-action 'drop'
set firewall name lan-wg7 rule 100 action 'accept'
set firewall name lan-wg7 rule 100 state established 'enable'
set firewall name lan-wg7 rule 100 state related 'enable'
set firewall name lan-wg7 rule 110 action 'drop'
set firewall name lan-wg7 rule 110 state invalid 'enable'
set firewall name lan-wg8 default-action 'drop'
set firewall name lan-wg8 rule 100 action 'accept'
set firewall name lan-wg8 rule 100 state established 'enable'
set firewall name lan-wg8 rule 100 state related 'enable'
set firewall name lan-wg8 rule 110 action 'drop'
set firewall name lan-wg8 rule 110 state invalid 'enable'

# --- Rule sets with source zone "local": router-originated traffic is accepted towards every zone ---
set firewall name local-lan default-action 'accept'
set firewall name local-mullvadgb default-action 'accept'
set firewall name local-mullvadus default-action 'accept'
set firewall name local-wan default-action 'accept'
set firewall name local-wg0 default-action 'accept'
set firewall name local-wg1 default-action 'accept'
set firewall name local-wg7 default-action 'accept'
set firewall name local-wg8 default-action 'accept'

# --- Rule sets with source zone "mullvadgb" (eth3) ---
# The segment may reach the LAN, the router and the wg1 tunnel; direct WAN egress is dropped,
# so traffic from this segment does not leave untunnelled.
# NOTE(review): mullvadgb-lan and mullvadgb-local are unrestricted accepts. Confirm hosts on
# this segment are meant to have full access to the LAN and to the router.
set firewall name mullvadgb-lan default-action 'accept'
set firewall name mullvadgb-local default-action 'accept'
set firewall name mullvadgb-mullvadus default-action 'drop'
set firewall name mullvadgb-wan default-action 'drop'
set firewall name mullvadgb-wg0 default-action 'drop'
set firewall name mullvadgb-wg1 default-action 'accept'
set firewall name mullvadgb-wg7 default-action 'drop'
set firewall name mullvadgb-wg8 default-action 'drop'

# --- Rule sets with source zone "mullvadus" (eth2): same shape, egress only via wg0 ---
set firewall name mullvadus-lan default-action 'accept'
set firewall name mullvadus-local default-action 'accept'
set firewall name mullvadus-mullvadgb default-action 'drop'
set firewall name mullvadus-wan default-action 'drop'
set firewall name mullvadus-wg0 default-action 'accept'
set firewall name mullvadus-wg1 default-action 'drop'
set firewall name mullvadus-wg7 default-action 'drop'
set firewall name mullvadus-wg8 default-action 'drop'

# --- Rule sets with source zone "wan" ---
# wan-lan: the Internet-facing forward policy. Rules 200/300/500/600 open the port-forwarded
# services defined under "nat destination".
# NOTE(review): these rules match on protocol and destination port only. Adding the DNAT
# target as destination address would pin each rule to the one host meant to be exposed.
set firewall name wan-lan default-action 'drop'
set firewall name wan-lan rule 100 action 'accept'
set firewall name wan-lan rule 100 state established 'enable'
set firewall name wan-lan rule 100 state related 'enable'
set firewall name wan-lan rule 110 action 'drop'
set firewall name wan-lan rule 110 state invalid 'enable'
set firewall name wan-lan rule 200 action 'accept'
set firewall name wan-lan rule 200 destination group port-group 'rp-ports'
set firewall name wan-lan rule 200 protocol 'tcp'
set firewall name wan-lan rule 300 action 'accept'
set firewall name wan-lan rule 300 destination group port-group 'mail-ports'
set firewall name wan-lan rule 300 protocol 'tcp'
set firewall name wan-lan rule 500 action 'accept'
set firewall name wan-lan rule 500 destination group port-group 'plex-ports'
set firewall name wan-lan rule 500 protocol 'tcp'
set firewall name wan-lan rule 600 action 'accept'
set firewall name wan-lan rule 600 destination group port-group 'gaming-ports'
set firewall name wan-lan rule 600 protocol 'tcp_udp'
# wan-local: besides return traffic, only the two WireGuard listen ports (UDP) reach the router
# from the WAN.
set firewall name wan-local default-action 'drop'
set firewall name wan-local rule 100 action 'accept'
set firewall name wan-local rule 100 state established 'enable'
set firewall name wan-local rule 100 state related 'enable'
set firewall name wan-local rule 110 action 'drop'
set firewall name wan-local rule 110 state invalid 'enable'
set firewall name wan-local rule 400 action 'accept'
set firewall name wan-local rule 400 destination group port-group 'wg-ports'
set firewall name wan-local rule 400 protocol 'udp'
set firewall name wan-mullvadgb default-action 'drop'
set firewall name wan-mullvadgb rule 100 action 'accept'
set firewall name wan-mullvadgb rule 100 state established 'enable'
set firewall name wan-mullvadgb rule 100 state related 'enable'
set firewall name wan-mullvadgb rule 110 action 'drop'
set firewall name wan-mullvadgb rule 110 state invalid 'enable'
set firewall name wan-mullvadus default-action 'drop'
set firewall name wan-mullvadus rule 100 action 'accept'
set firewall name wan-mullvadus rule 100 state established 'enable'
set firewall name wan-mullvadus rule 100 state related 'enable'
set firewall name wan-mullvadus rule 110 action 'drop'
set firewall name wan-mullvadus rule 110 state invalid 'enable'
set firewall name wan-wg0 default-action 'drop'
set firewall name wan-wg0 rule 100 action 'accept'
set firewall name wan-wg0 rule 100 state established 'enable'
set firewall name wan-wg0 rule 100 state related 'enable'
set firewall name wan-wg0 rule 110 action 'drop'
set firewall name wan-wg0 rule 110 state invalid 'enable'
set firewall name wan-wg1 default-action 'drop'
set firewall name wan-wg1 rule 100 action 'accept'
set firewall name wan-wg1 rule 100 state established 'enable'
set firewall name wan-wg1 rule 100 state related 'enable'
set firewall name wan-wg1 rule 110 action 'drop'
set firewall name wan-wg1 rule 110 state invalid 'enable'
set firewall name wan-wg7 default-action 'drop'
set firewall name wan-wg7 rule 100 action 'accept'
set firewall name wan-wg7 rule 100 state established 'enable'
set firewall name wan-wg7 rule 100 state related 'enable'
set firewall name wan-wg7 rule 110 action 'drop'
set firewall name wan-wg7 rule 110 state invalid 'enable'
set firewall name wan-wg8 default-action 'drop'
set firewall name wan-wg8 rule 100 action 'accept'
set firewall name wan-wg8 rule 100 state established 'enable'
set firewall name wan-wg8 rule 100 state related 'enable'
set firewall name wan-wg8 rule 110 action 'drop'
set firewall name wan-wg8 rule 110 state invalid 'enable'

# --- Rule sets with source zone "wg0" (tunnel described as mullvad-us) ---
# Only return traffic towards mullvadus and wg7 is accepted; everything else arriving through
# the tunnel is dropped.
# NOTE(review): wg0-local (and wg1-local below) has no established/related rule while
# local-wg0 / local-wg1 accept, so replies to router-originated traffic sent into the tunnels
# would be dropped. Confirm that is intended.
set firewall name wg0-lan default-action 'drop'
set firewall name wg0-local default-action 'drop'
set firewall name wg0-mullvadgb default-action 'drop'
set firewall name wg0-mullvadus default-action 'drop'
set firewall name wg0-mullvadus rule 100 action 'accept'
set firewall name wg0-mullvadus rule 100 state established 'enable'
set firewall name wg0-mullvadus rule 100 state related 'enable'
set firewall name wg0-mullvadus rule 110 action 'drop'
set firewall name wg0-mullvadus rule 110 state invalid 'enable'
set firewall name wg0-wan default-action 'drop'
set firewall name wg0-wg1 default-action 'drop'
set firewall name wg0-wg7 default-action 'drop'
set firewall name wg0-wg7 rule 100 action 'accept'
set firewall name wg0-wg7 rule 100 state established 'enable'
set firewall name wg0-wg7 rule 100 state related 'enable'
set firewall name wg0-wg7 rule 110 action 'drop'
set firewall name wg0-wg7 rule 110 state invalid 'enable'
set firewall name wg0-wg8 default-action 'drop'

# --- Rule sets with source zone "wg1" (tunnel described as mullvad-gb) ---
# NOTE(review): wg1-wg7 accepts return traffic, but wg7-wg1 (below) is a plain drop, so no
# flow can be initiated in that direction. The rule looks unused; confirm.
set firewall name wg1-lan default-action 'drop'
set firewall name wg1-local default-action 'drop'
set firewall name wg1-mullvadgb default-action 'drop'
set firewall name wg1-mullvadgb rule 100 action 'accept'
set firewall name wg1-mullvadgb rule 100 state established 'enable'
set firewall name wg1-mullvadgb rule 100 state related 'enable'
set firewall name wg1-mullvadgb rule 110 action 'drop'
set firewall name wg1-mullvadgb rule 110 state invalid 'enable'
set firewall name wg1-mullvadus default-action 'drop'
set firewall name wg1-wan default-action 'drop'
set firewall name wg1-wg0 default-action 'drop'
set firewall name wg1-wg7 default-action 'drop'
set firewall name wg1-wg7 rule 100 action 'accept'
set firewall name wg1-wg7 rule 100 state established 'enable'
set firewall name wg1-wg7 rule 100 state related 'enable'
set firewall name wg1-wg7 rule 110 action 'drop'
set firewall name wg1-wg7 rule 110 state invalid 'enable'
set firewall name wg1-wg8 default-action 'drop'

# --- Rule sets with source zones "wg7" / "wg8" (inbound WireGuard clients) ---
# wg7 clients get the LAN, the router and egress through wg0; wg8 clients get the LAN, the
# router and direct WAN egress.
# NOTE(review): wg7-lan, wg7-local, wg8-lan and wg8-local are unrestricted accepts, so any
# device holding one of the peer keys has full access to the LAN and the router. Confirm this
# matches the trust placed in each client device.
set firewall name wg7-lan default-action 'accept'
set firewall name wg7-local default-action 'accept'
set firewall name wg7-mullvadgb default-action 'drop'
set firewall name wg7-mullvadus default-action 'drop'
set firewall name wg7-wan default-action 'drop'
set firewall name wg7-wg0 default-action 'accept'
set firewall name wg7-wg1 default-action 'drop'
set firewall name wg7-wg8 default-action 'drop'
set firewall name wg8-lan default-action 'accept'
set firewall name wg8-local default-action 'accept'
set firewall name wg8-mullvadgb default-action 'drop'
set firewall name wg8-mullvadus default-action 'drop'
set firewall name wg8-wan default-action 'accept'
set firewall name wg8-wg0 default-action 'drop'
set firewall name wg8-wg1 default-action 'drop'
set firewall name wg8-wg7 default-action 'drop'

# --- Global firewall options (part 3) ---
# NOTE(review): source-validation 'disable' turns reverse-path filtering off. With policy
# routing in use 'strict' may not be workable, but 'loose' may be. Confirm.
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'

# --- Ethernet interfaces ---
# eth0 = wan (static /30); eth1 = lan; eth2 / eth3 = segments routed through the Mullvad tunnels.
# eth1-eth3 apply the 'vpn-routing' policy route to traffic they receive.
set interfaces ethernet eth0 address 'xxx.xxx.255.6/30'
set interfaces ethernet eth0 description 'wan'
set interfaces ethernet eth0 duplex 'full'
set interfaces ethernet eth0 hw-id 'XX:XX:XX:XX:XX:2e'
set interfaces ethernet eth0 ring-buffer rx '4096'
set interfaces ethernet eth0 ring-buffer tx '4096'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed '1000'
set interfaces ethernet eth1 address 'xxx.xxx.68.1/24'
set interfaces ethernet eth1 description 'lan'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id 'XX:XX:XX:XX:XX:38'
set interfaces ethernet eth1 policy route 'vpn-routing'
set interfaces ethernet eth1 ring-buffer rx '4096'
set interfaces ethernet eth1 ring-buffer tx '4096'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 address 'xxx.xxx.100.1/24'
set interfaces ethernet eth2 description 'mullvad-us'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id 'XX:XX:XX:XX:XX:42'
set interfaces ethernet eth2 policy route 'vpn-routing'
set interfaces ethernet eth2 ring-buffer rx '4096'
set interfaces ethernet eth2 ring-buffer tx '4096'
set interfaces ethernet eth2 smp-affinity 'auto'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth3 address 'xxx.xxx.110.1/24'
set interfaces ethernet eth3 description 'mullvad-gb'
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 hw-id 'XX:XX:XX:XX:XX:4c'
set interfaces ethernet eth3 policy route 'vpn-routing'
set interfaces ethernet eth3 ring-buffer rx '4096'
set interfaces ethernet eth3 ring-buffer tx '4096'
set interfaces ethernet eth3 smp-affinity 'auto'
set interfaces ethernet eth3 speed 'auto'
set interfaces loopback lo

# --- WireGuard: outbound tunnels wg0 / wg1 ---
# Each has a single peer with a catch-all allowed-ips prefix and a 15 s keepalive.
# private-key 'wg0' etc. looks like the name of a stored keypair rather than key material;
# verify that no private key is embedded anywhere in the saved config.
# The pubkey values are peer public keys, which are not secret.
set interfaces wireguard wg0 address 'xxx.xxx.134.85/32'
set interfaces wireguard wg0 description 'mullvad-us'
set interfaces wireguard wg0 mtu '1420'
set interfaces wireguard wg0 peer mullvad-us60 address 'xxx.xxx.90.93'
set interfaces wireguard wg0 peer mullvad-us60 allowed-ips 'xxx.xxx.0.0/0'
set interfaces wireguard wg0 peer mullvad-us60 persistent-keepalive '15'
set interfaces wireguard wg0 peer mullvad-us60 port '51820'
set interfaces wireguard wg0 peer mullvad-us60 pubkey '/NKEAnIB2uTUG7K0bvb+zd6HPqay1tzz0cNrv8nngRQ='
set interfaces wireguard wg0 private-key 'wg0'
set interfaces wireguard wg1 address 'xxx.xxx.136.97/32'
set interfaces wireguard wg1 description 'mullvad-gb'
set interfaces wireguard wg1 mtu '1420'
set interfaces wireguard wg1 peer mullvad-gb32 address 'xxx.xxx.96.146'
set interfaces wireguard wg1 peer mullvad-gb32 allowed-ips 'xxx.xxx.0.0/0'
set interfaces wireguard wg1 peer mullvad-gb32 persistent-keepalive '15'
set interfaces wireguard wg1 peer mullvad-gb32 port '51820'
set interfaces wireguard wg1 peer mullvad-gb32 pubkey 'u/CMY/BfJDTQk6n7WXbhHvM7LUvHIqJRuzGk0V8y/U8='
set interfaces wireguard wg1 private-key 'wg1'

# --- WireGuard: inbound client interfaces wg7 (UDP 51820) and wg8 (UDP 51822) ---
# Each peer is limited to one /32 inside the interface subnet. The same four client public keys
# are registered on both interfaces, so a client selects its egress by the port it dials.
# wg7's subnet ends in .32.0/24, as does one network in the mullvad-us group, so wg7 clients are
# presumably policy-routed into table 100 (wg0).
# NOTE(review): no peer has a preshared-key configured; adding one per client is optional hardening.
set interfaces wireguard wg7 address 'xxx.xxx.32.1/24'
set interfaces wireguard wg7 description 'vpn +lan +mullvad-us'
set interfaces wireguard wg7 mtu '1420'
set interfaces wireguard wg7 peer inuc allowed-ips 'xxx.xxx.32.102/32'
set interfaces wireguard wg7 peer inuc pubkey 'Y3FdYykl3oSUPRuTwrqOVIf1imFL/wC3y1xsC7Z6Ql8='
set interfaces wireguard wg7 peer iphone allowed-ips 'xxx.xxx.32.103/32'
set interfaces wireguard wg7 peer iphone pubkey 'vun6APmZZAE+ImcCur9OMoFfZU4dtsGHReJF3arBnAU='
set interfaces wireguard wg7 peer laptop allowed-ips 'xxx.xxx.32.101/32'
set interfaces wireguard wg7 peer laptop pubkey 's3KPJRRQHs/gjVSBGQMZMulDVMzraAsUpfQk8nU3lGo='
set interfaces wireguard wg7 peer pixel3a allowed-ips 'xxx.xxx.32.100/32'
set interfaces wireguard wg7 peer pixel3a pubkey '8TTb3W6emQg5nZGO08IapamDyyr5bKeFID9AyFJb4wA='
set interfaces wireguard wg7 policy route 'vpn-routing'
set interfaces wireguard wg7 port '51820'
set interfaces wireguard wg7 private-key 'wg7'
set interfaces wireguard wg8 address 'xxx.xxx.10.1/24'
set interfaces wireguard wg8 description 'vpn +lan +swisscom'
set interfaces wireguard wg8 mtu '1420'
set interfaces wireguard wg8 peer inuc allowed-ips 'xxx.xxx.10.102/32'
set interfaces wireguard wg8 peer inuc pubkey 'Y3FdYykl3oSUPRuTwrqOVIf1imFL/wC3y1xsC7Z6Ql8='
set interfaces wireguard wg8 peer iphone allowed-ips 'xxx.xxx.10.103/32'
set interfaces wireguard wg8 peer iphone pubkey 'vun6APmZZAE+ImcCur9OMoFfZU4dtsGHReJF3arBnAU='
set interfaces wireguard wg8 peer laptop allowed-ips 'xxx.xxx.10.101/32'
set interfaces wireguard wg8 peer laptop pubkey 's3KPJRRQHs/gjVSBGQMZMulDVMzraAsUpfQk8nU3lGo='
set interfaces wireguard wg8 peer pixel3a allowed-ips 'xxx.xxx.10.100/32'
set interfaces wireguard wg8 peer pixel3a pubkey '8TTb3W6emQg5nZGO08IapamDyyr5bKeFID9AyFJb4wA='
set interfaces wireguard wg8 policy route 'vpn-routing'
set interfaces wireguard wg8 port '51822'
set interfaces wireguard wg8 private-key 'wg8'

# --- Destination NAT (port forwards) ---
# Rules come in pairs: x01 matches the WAN address on eth0 (Internet side), x02 matches the same
# address arriving on eth1 (hairpin, so LAN hosts can use the public address).
# Each service forwarded here is reachable from the Internet via the matching wan-lan rule.

# 2xx: HTTP / HTTPS to the reverse proxy (.68.49)
set nat destination rule 201 description 'http reverse proxy'
set nat destination rule 201 destination address 'xxx.xxx.255.6'
set nat destination rule 201 destination port '80'
set nat destination rule 201 inbound-interface 'eth0'
set nat destination rule 201 protocol 'tcp'
set nat destination rule 201 translation address 'xxx.xxx.68.49'
set nat destination rule 201 translation port '80'
set nat destination rule 202 description 'hairpin80'
set nat destination rule 202 destination address 'xxx.xxx.255.6'
set nat destination rule 202 destination port '80'
set nat destination rule 202 inbound-interface 'eth1'
set nat destination rule 202 protocol 'tcp'
set nat destination rule 202 translation address 'xxx.xxx.68.49'
set nat destination rule 202 translation port '80'
set nat destination rule 211 description 'https reverse proxy'
set nat destination rule 211 destination address 'xxx.xxx.255.6'
set nat destination rule 211 destination port '443'
set nat destination rule 211 inbound-interface 'eth0'
set nat destination rule 211 protocol 'tcp'
set nat destination rule 211 translation address 'xxx.xxx.68.49'
set nat destination rule 211 translation port '443'
set nat destination rule 212 description 'hairpin443'
set nat destination rule 212 destination address 'xxx.xxx.255.6'
set nat destination rule 212 destination port '443'
set nat destination rule 212 inbound-interface 'eth1'
set nat destination rule 212 protocol 'tcp'
set nat destination rule 212 translation address 'xxx.xxx.68.49'
set nat destination rule 212 translation port '443'

# 3xx: mail services to the mail host (.68.15)
set nat destination rule 301 description 'postfix smtp'
set nat destination rule 301 destination address 'xxx.xxx.255.6'
set nat destination rule 301 destination port '25'
set nat destination rule 301 inbound-interface 'eth0'
set nat destination rule 301 protocol 'tcp'
set nat destination rule 301 translation address 'xxx.xxx.68.15'
set nat destination rule 301 translation port '25'
set nat destination rule 302 description 'hairpin25'
set nat destination rule 302 destination address 'xxx.xxx.255.6'
set nat destination rule 302 destination port '25'
set nat destination rule 302 inbound-interface 'eth1'
set nat destination rule 302 protocol 'tcp'
set nat destination rule 302 translation address 'xxx.xxx.68.15'
set nat destination rule 302 translation port '25'
set nat destination rule 311 description 'postfix smtps'
set nat destination rule 311 destination address 'xxx.xxx.255.6'
set nat destination rule 311 destination port '465'
set nat destination rule 311 inbound-interface 'eth0'
set nat destination rule 311 protocol 'tcp'
set nat destination rule 311 translation address 'xxx.xxx.68.15'
set nat destination rule 311 translation port '465'
set nat destination rule 312 description 'hairpin465'
set nat destination rule 312 destination address 'xxx.xxx.255.6'
set nat destination rule 312 destination port '465'
set nat destination rule 312 inbound-interface 'eth1'
set nat destination rule 312 protocol 'tcp'
set nat destination rule 312 translation address 'xxx.xxx.68.15'
set nat destination rule 312 translation port '465'
set nat destination rule 321 description 'postfix submission'
set nat destination rule 321 destination address 'xxx.xxx.255.6'
set nat destination rule 321 destination port '587'
set nat destination rule 321 inbound-interface 'eth0'
set nat destination rule 321 protocol 'tcp'
set nat destination rule 321 translation address 'xxx.xxx.68.15'
set nat destination rule 321 translation port '587'
set nat destination rule 322 description 'hairpin587'
set nat destination rule 322 destination address 'xxx.xxx.255.6'
set nat destination rule 322 destination port '587'
set nat destination rule 322 inbound-interface 'eth1'
set nat destination rule 322 protocol 'tcp'
set nat destination rule 322 translation address 'xxx.xxx.68.15'
set nat destination rule 322 translation port '587'
# NOTE(review): 331 (imap/143) and 351 (pop3/110) expose the non-TLS protocol ports to the
# Internet. Confirm the server refuses plaintext authentication on them.
set nat destination rule 331 description 'dovecot imap'
set nat destination rule 331 destination address 'xxx.xxx.255.6'
set nat destination rule 331 destination port '143'
set nat destination rule 331 inbound-interface 'eth0'
set nat destination rule 331 protocol 'tcp'
set nat destination rule 331 translation address 'xxx.xxx.68.15'
set nat destination rule 331 translation port '143'
set nat destination rule 332 description 'hairpin143'
set nat destination rule 332 destination address 'xxx.xxx.255.6'
set nat destination rule 332 destination port '143'
set nat destination rule 332 inbound-interface 'eth1'
set nat destination rule 332 protocol 'tcp'
set nat destination rule 332 translation address 'xxx.xxx.68.15'
set nat destination rule 332 translation port '143'
set nat destination rule 341 description 'dovecot imaps'
set nat destination rule 341 destination address 'xxx.xxx.255.6'
set nat destination rule 341 destination port '993'
set nat destination rule 341 inbound-interface 'eth0'
set nat destination rule 341 protocol 'tcp'
set nat destination rule 341 translation address 'xxx.xxx.68.15'
set nat destination rule 341 translation port '993'
set nat destination rule 342 description 'hairpin993'
set nat destination rule 342 destination address 'xxx.xxx.255.6'
set nat destination rule 342 destination port '993'
set nat destination rule 342 inbound-interface 'eth1'
set nat destination rule 342 protocol 'tcp'
set nat destination rule 342 translation address 'xxx.xxx.68.15'
set nat destination rule 342 translation port '993'
set nat destination rule 351 description 'dovecot pop3'
set nat destination rule 351 destination address 'xxx.xxx.255.6'
set nat destination rule 351 destination port '110'
set nat destination rule 351 inbound-interface 'eth0'
set nat destination rule 351 protocol 'tcp'
set nat destination rule 351 translation address 'xxx.xxx.68.15'
set nat destination rule 351 translation port '110'
set nat destination rule 352 description 'hairpin110'
set nat destination rule 352 destination address 'xxx.xxx.255.6'
set nat destination rule 352 destination port '110'
set nat destination rule 352 inbound-interface 'eth1'
set nat destination rule 352 protocol 'tcp'
set nat destination rule 352 translation address 'xxx.xxx.68.15'
set nat destination rule 352 translation port '110'
set nat destination rule 361 description 'dovecot pop3s'
set nat destination rule 361 destination address 'xxx.xxx.255.6'
set nat destination rule 361 destination port '995'
set nat destination rule 361 inbound-interface 'eth0'
set nat destination rule 361 protocol 'tcp'
set nat destination rule 361 translation address 'xxx.xxx.68.15'
set nat destination rule 361 translation port '995'
set nat destination rule 362 description 'hairpin995'
set nat destination rule 362 destination address 'xxx.xxx.255.6'
set nat destination rule 362 destination port '995'
set nat destination rule 362 inbound-interface 'eth1'
set nat destination rule 362 protocol 'tcp'
set nat destination rule 362 translation address 'xxx.xxx.68.15'
set nat destination rule 362 translation port '995'
set nat destination rule 371 description 'dovecot managesieve'
set nat destination rule 371 destination address 'xxx.xxx.255.6'
set nat destination rule 371 destination port '4190'
set nat destination rule 371 inbound-interface 'eth0'
set nat destination rule 371 protocol 'tcp'
set nat destination rule 371 translation address 'xxx.xxx.68.15'
set nat destination rule 371 translation port '4190'
set nat destination rule 372 description 'hairpin4190'
set nat destination rule 372 destination address 'xxx.xxx.255.6'
set nat destination rule 372 destination port '4190'
set nat destination rule 372 inbound-interface 'eth1'
set nat destination rule 372 protocol 'tcp'
set nat destination rule 372 translation address 'xxx.xxx.68.15'
set nat destination rule 372 translation port '4190'

# 5xx: Plex (.68.28)
set nat destination rule 501 description 'plex'
set nat destination rule 501 destination address 'xxx.xxx.255.6'
set nat destination rule 501 destination port '32400'
set nat destination rule 501 inbound-interface 'eth0'
set nat destination rule 501 protocol 'tcp'
set nat destination rule 501 translation address 'xxx.xxx.68.28'
set nat destination rule 501 translation port '32400'
set nat destination rule 502 description 'hairpin32400'
set nat destination rule 502 destination address 'xxx.xxx.255.6'
set nat destination rule 502 destination port '32400'
set nat destination rule 502 inbound-interface 'eth1'
set nat destination rule 502 protocol 'tcp'
set nat destination rule 502 translation address 'xxx.xxx.68.28'
set nat destination rule 502 translation port '32400'

# 6xx: game console (.68.40), TCP and UDP
set nat destination rule 601 description 'xbox one'
set nat destination rule 601 destination address 'xxx.xxx.255.6'
set nat destination rule 601 destination port '54330'
set nat destination rule 601 inbound-interface 'eth0'
set nat destination rule 601 protocol 'tcp_udp'
set nat destination rule 601 translation address 'xxx.xxx.68.40'
set nat destination rule 601 translation port '54330'
set nat destination rule 602 description 'hairpin54330'
set nat destination rule 602 destination address 'xxx.xxx.255.6'
set nat destination rule 602 destination port '54330'
set nat destination rule 602 inbound-interface 'eth1'
set nat destination rule 602 protocol 'tcp_udp'
set nat destination rule 602 translation address 'xxx.xxx.68.40'
set nat destination rule 602 translation port '54330'

# --- Source NAT ---
# Rules 201-601: the hairpin counterparts. LAN-sourced traffic to a forwarded service is
# masqueraded on eth1 so replies return through the router.
# Side effect: the servers see the router's address, not the LAN client's, in their logs for
# hairpinned connections.
set nat source rule 201 description 'hairpin'
set nat source rule 201 destination address 'xxx.xxx.68.49'
set nat source rule 201 destination port '80'
set nat source rule 201 outbound-interface 'eth1'
set nat source rule 201 protocol 'tcp'
set nat source rule 201 source address 'xxx.xxx.68.0/24'
set nat source rule 201 translation address 'masquerade'
set nat source rule 211 description 'hairpin'
set nat source rule 211 destination address 'xxx.xxx.68.49'
set nat source rule 211 destination port '443'
set nat source rule 211 outbound-interface 'eth1'
set nat source rule 211 protocol 'tcp'
set nat source rule 211 source address 'xxx.xxx.68.0/24'
set nat source rule 211 translation address 'masquerade'
set nat source rule 301 description 'hairpin'
set nat source rule 301 destination address 'xxx.xxx.68.15'
set nat source rule 301 destination port '25'
set nat source rule 301 outbound-interface 'eth1'
set nat source rule 301 protocol 'tcp'
set nat source rule 301 source address 'xxx.xxx.68.0/24'
set nat source rule 301 translation address 'masquerade'
set nat source rule 311 description 'hairpin'
set nat source rule 311 destination address 'xxx.xxx.68.15'
set nat source rule 311 destination port '465'
set nat source rule 311 outbound-interface 'eth1'
set nat source rule 311 protocol 'tcp'
set nat source rule 311 source address 'xxx.xxx.68.0/24'
set nat source rule 311 translation address 'masquerade'
set nat source rule 321 description 'hairpin'
set nat source rule 321 destination address 'xxx.xxx.68.15'
set nat source rule 321 destination port '587'
set nat source rule 321 outbound-interface 'eth1'
set nat source rule 321 protocol 'tcp'
set nat source rule 321 source address 'xxx.xxx.68.0/24'
set nat source rule 321 translation address 'masquerade'
set nat source rule 331 description 'hairpin'
set nat source rule 331 destination address 'xxx.xxx.68.15'
set nat source rule 331 destination port '143'
set nat source rule 331 outbound-interface 'eth1'
set nat source rule 331 protocol 'tcp'
set nat source rule 331 source address 'xxx.xxx.68.0/24'
set nat source rule 331 translation address 'masquerade'
set nat source rule 341 description 'hairpin'
set nat source rule 341 destination address 'xxx.xxx.68.15'
set nat source rule 341 destination port '993'
set nat source rule 341 outbound-interface 'eth1'
set nat source rule 341 protocol 'tcp'
set nat source rule 341 source address 'xxx.xxx.68.0/24'
set nat source rule 341 translation address 'masquerade'
set nat source rule 351 description 'hairpin'
set nat source rule 351 destination address 'xxx.xxx.68.15'
set nat source rule 351 destination port '110'
set nat source rule 351 outbound-interface 'eth1'
set nat source rule 351 protocol 'tcp'
set nat source rule 351 source address 'xxx.xxx.68.0/24'
set nat source rule 351 translation address 'masquerade'
set nat source rule 361 description 'hairpin'
set nat source rule 361 destination address 'xxx.xxx.68.15'
set nat source rule 361 destination port '995'
set nat source rule 361 outbound-interface 'eth1'
set nat source rule 361 protocol 'tcp'
set nat source rule 361 source address 'xxx.xxx.68.0/24'
set nat source rule 361 translation address 'masquerade'
set nat source rule 371 description 'hairpin'
set nat source rule 371 destination address 'xxx.xxx.68.15'
set nat source rule 371 destination port '4190'
set nat source rule 371 outbound-interface 'eth1'
set nat source rule 371 protocol 'tcp'
set nat source rule 371 source address 'xxx.xxx.68.0/24'
set nat source rule 371 translation address 'masquerade'
set nat source rule 501 description 'hairpin'
set nat source rule 501 destination address 'xxx.xxx.68.28'
set nat source rule 501 destination port '32400'
set nat source rule 501 outbound-interface 'eth1'
set nat source rule 501 protocol 'tcp'
set nat source rule 501 source address 'xxx.xxx.68.0/24'
set nat source rule 501 translation address 'masquerade'
set nat source rule 601 description 'hairpin'
set nat source rule 601 destination address 'xxx.xxx.68.40'
set nat source rule 601 destination port '54330'
set nat source rule 601 outbound-interface 'eth1'
set nat source rule 601 protocol 'tcp_udp'
set nat source rule 601 source address 'xxx.xxx.68.0/24'
set nat source rule 601 translation address 'masquerade'
# Rules 9001-9021: masquerade everything leaving via the WAN and the two outbound tunnels.
set nat source rule 9001 outbound-interface 'eth0'
set nat source rule 9001 protocol 'all'
set nat source rule 9001 translation address 'masquerade'
set nat source rule 9011 outbound-interface 'wg0'
set nat source rule 9011 protocol 'all'
set nat source rule 9011 translation address 'masquerade'
set nat source rule 9021 outbound-interface 'wg1'
set nat source rule 9021 protocol 'all'
set nat source rule 9021 translation address 'masquerade'

# --- Policy routing ---
# Rule 10 keeps traffic for the private-nets group in the main table; rules 100 / 110 send
# traffic sourced from the mullvad-us / mullvad-gb groups to tables 100 / 110.
set policy route vpn-routing rule 10 destination group network-group 'private-nets'
set policy route vpn-routing rule 10 set table 'main'
set policy route vpn-routing rule 100 set table '100'
set policy route vpn-routing rule 100 source group network-group 'mullvad-us'
set policy route vpn-routing rule 110 set table '110'
set policy route vpn-routing rule 110 source group network-group 'mullvad-gb'

# --- Static routes ---
# Main table: default route via the WAN next hop, plus three blackholed prefixes (presumably
# the RFC 1918 ranges, so unused private destinations are not sent upstream).
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.255.5
set protocols static route xxx.xxx.0.0/8 blackhole
set protocols static route xxx.xxx.0.0/12 blackhole
set protocols static route xxx.xxx.0.0/16 blackhole
# Tables 100 / 110: default route out the tunnel, with a distance-255 blackhole for the same
# prefix as fallback. If the tunnel route is not installed, the traffic is discarded rather
# than leaving by another path.
set protocols static table 100 interface-route xxx.xxx.0.0/0 next-hop-interface wg0
set protocols static table 100 route xxx.xxx.0.0/0 blackhole distance '255'
set protocols static table 110 interface-route xxx.xxx.0.0/0 next-hop-interface wg1
set protocols static table 110 route xxx.xxx.0.0/0 blackhole distance '255'

# --- Services ---
# DHCP for eth2 / eth3 is relayed to the server at .68.22.
set service dhcp-relay interface 'eth2'
set service dhcp-relay interface 'eth3'
set service dhcp-relay relay-options relay-agents-packets 'discard'
set service dhcp-relay server 'xxx.xxx.68.22'
# sshd listens only on the eth1 (LAN) address. It is reachable from every zone whose *-local
# rule set accepts: lan, mullvadgb, mullvadus, wg7 and wg8.
# NOTE(review): public keys are configured for the login user, but password authentication is
# not disabled in this listing. Consider 'set service ssh disable-password-authentication'.
set service ssh listen-address 'xxx.xxx.68.1'
set service ssh port '22'

# --- System ---
set system console device ttyS0 speed '115200'
set system domain-name xxxxxx
set system host-name xxxxxx
set system ipv6 disable
# NOTE(review): a plaintext-password node appears next to encrypted-password; its value is
# sanitised here, so it cannot be told whether it is empty. Confirm no clear-text password is
# stored in the saved configuration or in copies of it.
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx key xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx type 'ecdsa-sha2-nistp521'
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx key xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx type ssh-xxx
set system name-server 'xxx.xxx.68.22'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
# NOTE(review): only local ('global') syslog targets are visible and no remote syslog host is
# configured in this listing, so firewall and auth logs stay on the router itself.
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
# Scheduled scripts under /config/scripts (contents not shown): blacklist at 04:30 and whitelist
# at 04:15 daily, time sync hourly, update-vyos on Sundays at 04:00.
# NOTE(review): these scripts run unattended on the router and presumably fetch remote data or
# images. Verify they use authenticated sources and validate what they download before applying it.
set system task-scheduler task update-blacklist crontab-spec '30 4 * * *'
set system task-scheduler task update-blacklist executable path '/config/scripts/update-blacklist.sh'
set system task-scheduler task update-time crontab-spec '0 */1 * * *'
set system task-scheduler task update-time executable path '/config/scripts/update-time.sh'
set system task-scheduler task update-vyos crontab-spec '0 4 * * SUN'
set system task-scheduler task update-vyos executable path '/config/scripts/update-vyos.sh'
set system task-scheduler task update-whitelist crontab-spec '15 4 * * *'
set system task-scheduler task update-whitelist executable path '/config/scripts/update-whitelist.sh'
set system time-zone 'Europe/Zurich'

# --- Zone policy ---
# Every zone defaults to drop. Each "from <zone> firewall name" line binds the rule set that
# filters traffic entering this zone from that source zone.
set zone-policy zone lan default-action 'drop'
set zone-policy zone lan from local firewall name 'local-lan'
set zone-policy zone lan from mullvadgb firewall name 'mullvadgb-lan'
set zone-policy zone lan from mullvadus firewall name 'mullvadus-lan'
set zone-policy zone lan from wan firewall name 'wan-lan'
set zone-policy zone lan from wg0 firewall name 'wg0-lan'
set zone-policy zone lan from wg1 firewall name 'wg1-lan'
set zone-policy zone lan from wg7 firewall name 'wg7-lan'
set zone-policy zone lan from wg8 firewall name 'wg8-lan'
set zone-policy zone lan interface 'eth1'
# "local" is the router itself (local-zone).
set zone-policy zone local default-action 'drop'
set zone-policy zone local from lan firewall name 'lan-local'
set zone-policy zone local from mullvadgb firewall name 'mullvadgb-local'
set zone-policy zone local from mullvadus firewall name 'mullvadus-local'
set zone-policy zone local from wan firewall name 'wan-local'
set zone-policy zone local from wg0 firewall name 'wg0-local'
set zone-policy zone local from wg1 firewall name 'wg1-local'
set zone-policy zone local from wg7 firewall name 'wg7-local'
set zone-policy zone local from wg8 firewall name 'wg8-local'
set zone-policy zone local local-zone
set zone-policy zone mullvadgb default-action 'drop'
set zone-policy zone mullvadgb from lan firewall name 'lan-mullvadgb'
set zone-policy zone mullvadgb from local firewall name 'local-mullvadgb'
set zone-policy zone mullvadgb from mullvadus firewall name 'mullvadus-mullvadgb'
set zone-policy zone mullvadgb from wan firewall name 'wan-mullvadgb'
set zone-policy zone mullvadgb from wg0 firewall name 'wg0-mullvadgb'
set zone-policy zone mullvadgb from wg1 firewall name 'wg1-mullvadgb'
set zone-policy zone mullvadgb from wg7 firewall name 'wg7-mullvadgb'
set zone-policy zone mullvadgb from wg8 firewall name 'wg8-mullvadgb'
set zone-policy zone mullvadgb interface 'eth3'
set zone-policy zone mullvadus default-action 'drop'
set zone-policy zone mullvadus from lan firewall name 'lan-mullvadus'
set zone-policy zone mullvadus from local firewall name 'local-mullvadus'
set zone-policy zone mullvadus from mullvadgb firewall name 'mullvadgb-mullvadus'
set zone-policy zone mullvadus from wan firewall name 'wan-mullvadus'
set zone-policy zone mullvadus from wg0 firewall name 'wg0-mullvadus'
set zone-policy zone mullvadus from wg1 firewall name 'wg1-mullvadus'
set zone-policy zone mullvadus from wg7 firewall name 'wg7-mullvadus'
set zone-policy zone mullvadus from wg8 firewall name 'wg8-mullvadus'
set zone-policy zone mullvadus interface 'eth2'
set zone-policy zone wan default-action 'drop'
set zone-policy zone wan from lan firewall name 'lan-wan'
set zone-policy zone wan from local firewall name 'local-wan'
set zone-policy zone wan from mullvadgb firewall name 'mullvadgb-wan'
set zone-policy zone wan from mullvadus firewall name 'mullvadus-wan'
set zone-policy zone wan from wg0 firewall name 'wg0-wan'
set zone-policy zone wan from wg1 firewall name 'wg1-wan'
set zone-policy zone wan from wg7 firewall name 'wg7-wan'
set zone-policy zone wan from wg8 firewall name 'wg8-wan'
set zone-policy zone wan interface 'eth0'
set zone-policy zone wg0 default-action 'drop'
set zone-policy zone wg0 from lan firewall name 'lan-wg0'
set zone-policy zone wg0 from local firewall name 'local-wg0'
set zone-policy zone wg0 from mullvadgb firewall name 'mullvadgb-wg0'
set zone-policy zone wg0 from mullvadus firewall name 'mullvadus-wg0'
set zone-policy zone wg0 from wan firewall name 'wan-wg0'
set zone-policy zone wg0 from wg1 firewall name 'wg1-wg0'
set zone-policy zone wg0 from wg7 firewall name 'wg7-wg0'
set zone-policy zone wg0 from wg8 firewall name 'wg8-wg0'
set zone-policy zone wg0 interface 'wg0'
set zone-policy zone wg1 default-action 'drop'
set zone-policy zone wg1 from lan firewall name 'lan-wg1'
set zone-policy zone wg1 from local firewall name 'local-wg1'
set zone-policy zone wg1 from mullvadgb firewall name 'mullvadgb-wg1'
set zone-policy zone wg1 from mullvadus firewall name 'mullvadus-wg1'
set zone-policy zone wg1 from wan firewall name 'wan-wg1'
set zone-policy zone wg1 from wg0 firewall name 'wg0-wg1'
set zone-policy zone wg1 from wg7 firewall name 'wg7-wg1'
set zone-policy zone wg1 from wg8 firewall name 'wg8-wg1'
set zone-policy zone wg1 interface 'wg1'
set zone-policy zone wg7 default-action 'drop'
set zone-policy zone wg7 from lan firewall name 'lan-wg7'
set zone-policy zone wg7 from local firewall name 'local-wg7'
set zone-policy zone wg7 from mullvadgb firewall name 'mullvadgb-wg7'
set zone-policy zone wg7 from mullvadus 
firewall name 'mullvadus-wg7' set zone-policy zone wg7 from wan firewall name 'wan-wg7' set zone-policy zone wg7 from wg0 firewall name 'wg0-wg7' set zone-policy zone wg7 from wg1 firewall name 'wg1-wg7' set zone-policy zone wg7 from wg8 firewall name 'wg8-wg7' set zone-policy zone wg7 interface 'wg7' set zone-policy zone wg8 default-action 'drop' set zone-policy zone wg8 from lan firewall name 'lan-wg8' set zone-policy zone wg8 from local firewall name 'local-wg8' set zone-policy zone wg8 from mullvadgb firewall name 'mullvadgb-wg8' set zone-policy zone wg8 from mullvadus firewall name 'mullvadus-wg8' set zone-policy zone wg8 from wan firewall name 'wan-wg8' set zone-policy zone wg8 from wg0 firewall name 'wg0-wg8' set zone-policy zone wg8 from wg1 firewall name 'wg1-wg8' set zone-policy zone wg8 from wg7 firewall name 'wg7-wg8' set zone-policy zone wg8 interface 'wg8'