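/* VyOS configuration (firewall, interfaces, NAT, PKI, routing, services, system, VPN). Review notes and the few explicit additions are marked with comments in place; addresses, keys and host names are redacted on the page (xxx/xxxx tokens) and are kept as given. */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-name DENY_6 {
        default-action drop
    }
    ipv6-name ESTAB_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMPv6" protocol ipv6-icmp }
    }
    ipv6-name ESTAB_DHCP_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMPv6" protocol ipv6-icmp }
        rule 3 { action accept description "Accept DHCPv6" destination { port dhcpv6-server } protocol udp source { port dhcpv6-client } }
    }
    ipv6-name ESTAB_DHCP_DNS_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMPv6" protocol ipv6-icmp }
        rule 3 { action accept description "Accept DHCPv6" destination { port dhcpv6-server } protocol udp source { port dhcpv6-client } }
        rule 10 { action accept description "Accept DNS" destination { port domain } protocol udp }
    }
    ipv6-name HOME_LOCAL_6 {
        /* Added (review): this was the only rule-set without a default-action. VyOS treats an unset default-action as drop, so this makes the existing behaviour explicit rather than changing it. */
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMPv6" protocol ipv6-icmp }
        rule 10 { action accept description "Accept OSPFv3" protocol ospf }
        rule 20 { action accept description "Accept SSH" destination { port ssh } protocol tcp }
        rule 30 { action accept description "Accept iPerf3" destination { port 5201 } protocol tcp }
    }
    ipv6-name HOME_SERVICES_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 10 { action accept description "Accept Web" destination { port http,https } protocol tcp }
        rule 20 { action accept description "Accept Bareos" destination { port 9101,9103 } protocol tcp }
        rule 30 { action accept description "Accept SMB" destination { address xxxx:xxxx:c62e:10ec:ec4:7aff:fe02:41dd port 445 } protocol tcp }
        /* Review: no protocol or port, so any protocol to this host is accepted; the same shape is used in LAN_SERVICES_6, HOME_SERVICES and LAN_SERVICES. Narrow it to the ports the domain controller actually serves once they are listed. */
        rule 40 { action accept description "Accept to Domain Controller" destination { address xxxx:xxxx:c62e:28e0:4c74:3ff:fe56:ff94 } }
        rule 50 { action accept description "Accept SMTP relay from Home IoT" destination { address xxxx:xxxx:c62e:28e0:4c74:3ff:fe0c:470f port smtp,submission,submissions } protocol tcp source { address xxxx:xxxx:e814:4::/64 } }
    }
    ipv6-name IOT_LAN_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMPv6" protocol ipv6-icmp }
        rule 10 { action accept description "Accept Chromecast TCP" protocol tcp source { port 8008-8009,8443 } }
        rule 20 { action accept description "Accept Chromecast UDP (src)" protocol udp source { port 32768-61000 } }
        rule 30 { action accept description "Accept Chromecast UDP (dst)" destination { port 32768-61000 } protocol udp }
    }
    ipv6-name IOT_LOCAL_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMPv6" protocol ipv6-icmp }
        rule 3 { action accept description "Accept DHCPv6" destination { port dhcpv6-server } protocol udp source { port dhcpv6-client } }
        rule 10 { action accept description "Accept DNS" destination { port domain } protocol udp }
        rule 20 { action accept description "Accept mDNS" destination { address ff02::fb port mdns } protocol udp }
    }
    ipv6-name IOT_SERVICES_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 10 { action accept description "Accept SMTP" destination { port submission,smtp,submissions } protocol tcp }
        rule 20 { action accept description "Accept Jellyfin" destination { address xxxx:xxxx:c62e:7e29:4c74:3ff:fe2b:8235 port 8096 } protocol tcp }
        rule 30 { action accept description "Accept Google Home Local Fulfillment" destination { address xxxx:xxxx:c62e:7e29:4c74:3ff:fe44:9e40 port 3002 } protocol tcp }
    }
    ipv6-name LAN_LOCAL_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMPv6" protocol ipv6-icmp }
        rule 3 { action accept description "Accept DHCPv6" destination { port dhcpv6-server } protocol udp source { port dhcpv6-client } }
        rule 10 { action accept description "Accept DNS" destination { port domain } protocol udp }
        rule 20 { action accept description "Accept mDNS" destination { address ff02::fb port mdns } protocol udp }
        rule 30 { action accept description "Accept iPerf3" destination { port 5201 } protocol tcp }
    }
    ipv6-name LAN_MGMT_6 {
        default-action drop
        rule 1 { action accept description "Allow established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMPv6" protocol ipv6-icmp }
        rule 10 { action accept description "Allow Vorik SSH" destination { address xxxx:xxxx:c62e:10ec:4c74:3ff:fe94:ea75 port ssh } protocol tcp }
    }
    ipv6-name LAN_SERVICES_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 10 { action accept description "Accept Web" destination { port http,https } protocol tcp }
        rule 20 { action accept description "Accept Bareos" destination { port 9101,9103 } protocol tcp }
        rule 30 { action accept description "Accept SMB" destination { address xxxx:xxxx:c62e:10ec:ec4:7aff:fe02:41dd port 445 } protocol tcp }
        rule 40 { action accept description "Accept to Domain Controller" destination { address xxxx:xxxx:c62e:28e0:4c74:3ff:fe56:ff94 } }
    }
    ipv6-name MGMT_LOCAL_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMPv6" protocol ipv6-icmp }
        rule 3 { action accept description "Accept DHCPv6" destination { port dhcpv6-server } protocol udp source { port dhcpv6-client } }
        rule 10 { action accept description "Accept DNS" destination { port domain } protocol udp }
        rule 20 { action accept description "Accept mDNS" destination { address ff02::fb port mdns } protocol udp }
        rule 30 { action accept description "Accept SSH" destination { port ssh } protocol tcp }
        rule 40 { action accept description "Accept iPerf3" destination { port 5201 } protocol tcp }
    }
    ipv6-name PERMIT_6 {
        default-action accept
    }
    ipv6-name SERVICES_HOME_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMPv6" protocol ipv6-icmp }
        rule 10 { action accept description "Accept SNMP" destination { port snmp } protocol udp source { address xxxx:xxxx:c62e:7e29:4c74:3ff:fe87:296a } }
        rule 20 { action accept description "Accept Zabbix Agent" destination { port zabbix-agent } protocol tcp source { address xxxx:xxxx:c62e:7e29:4c74:3ff:fe87:296a } }
        rule 30 { action accept description "Accept HTTP" destination { port http } protocol tcp source { address xxxx:xxxx:c62e:28e0:4c74:3ff:fe8e:acd0 } }
    }
    ipv6-name SERVICES_LOCAL_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMPv6" protocol ipv6-icmp }
        rule 3 { action accept description "Accept DHCPv6" destination { port dhcpv6-server } protocol udp source { port dhcpv6-client } }
        rule 10 { action accept description "Accept DNS" destination { port domain } protocol udp }
        rule 20 { action accept description "Accept mDNS" destination { address ff02::fb port mdns } protocol udp }
        /* Review: unlike its IPv4 twin (SERVICES_LOCAL rule 30, which is limited to source xxx.xxx.5.35) this accepts SNMP from any SERVICES host; add "source { address <POLLER-IPV6-PLACEHOLDER> }" once the poller's IPv6 address is known. */
        rule 30 { action accept description "Accept SNMP" destination { port snmp } protocol udp }
    }
    ipv6-name SERVICES_MGMT_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMPv6" protocol ipv6-icmp }
        rule 10 { action accept description "Accept Zabbix Agent" destination { port 10050 } protocol tcp }
        rule 20 { action accept description "Accept SNMP" destination { port snmp } protocol udp }
    }
    ipv6-name WAN_LOCAL_6 {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMPv6" protocol ipv6-icmp }
        rule 3 { action accept description "Accept DHCPv6" destination { port dhcpv6-client } protocol udp source { port dhcpv6-server } }
        rule 10 { action accept description "Accept Wireguard" destination { port 51820 } protocol udp }
        rule 20 { action accept description "Accept OpenVPN" destination { port 1194 } protocol udp }
        rule 30 { action accept description "Accept ISAKMP" destination { port isakmp } protocol udp source { port isakmp } }
        rule 31 { action accept description "Accept NAT-T" destination { port ipsec-nat-t } protocol udp }
        rule 32 { action accept description "Accept ESP" protocol esp }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name ALL {
        default-action accept
    }
    name DENY {
        default-action drop
    }
    name ESTAB {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMP" protocol icmp }
    }
    name ESTAB_DHCP {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMP" protocol icmp }
        rule 3 { action accept description "Accept DHCP" destination { port bootps } protocol udp source { port bootpc } }
    }
    name ESTAB_DHCP_DNS {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMP" protocol icmp }
        rule 3 { action accept description "Accept DHCP" destination { port bootps } protocol udp source { port bootpc } }
        rule 10 { action accept description "Accept DNS" destination { port domain } protocol udp }
    }
    name HOME_LOCAL {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMP" protocol icmp }
        rule 10 { action accept description "Accept OSPF" protocol ospf }
        rule 20 { action accept description "Accept SSH" destination { port ssh } protocol tcp }
        rule 30 { action accept description "Accept iPerf3" destination { port 5201 } protocol tcp }
    }
    name HOME_SERVICES {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 10 { action accept description "Accept Web" destination { port http,https } protocol tcp }
        rule 20 { action accept description "Allow Bareos" destination { port 9101,9103 } protocol tcp }
        rule 30 { action accept description "Allow SMB" destination { address xxx.xxx.19.34 port 445 } protocol tcp }
        rule 40 { action accept description "Accept to Domain Controller" destination { address xxx.xxx.19.33 } }
        rule 50 { action accept description "Accept SMTP relay from Home IoT" destination { address xxx.xxx.19.36 port smtp,submission,submissions } protocol tcp source { address xxx.xxx.4.0/24 } }
    }
    name IOT_LAN {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMP" protocol icmp }
        rule 10 { action accept description "Accept Chromecast TCP" protocol tcp source { port 8008-8009,8443 } }
        rule 20 { action accept description "Accept Chromecast UDP (src)" protocol udp source { port 32768-61000 } }
        rule 30 { action accept description "Accept Chromecast UDP (dst)" destination { port 32768-61000 } protocol udp }
    }
    name IOT_LOCAL {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMP" protocol icmp }
        rule 3 { action accept description "Accept DHCP" destination { port bootps } protocol udp source { port bootpc } }
        rule 10 { action accept description "Accept DNS" destination { port domain } protocol udp }
        rule 20 { action accept description "Accept mDNS" destination { address xxx.xxx.0.251 port mdns } protocol udp }
    }
    name IOT_SERVICES {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 10 { action accept description "Accept SMTP" destination { port submission,smtp,submissions } protocol tcp }
        rule 20 { action accept description "Accept Jellyfin" destination { address xxx.xxx.16.45 port 8096 } protocol tcp }
        rule 30 { action accept description "Accept Google Home Local Fulfillment" destination { address xxx.xxx.16.50 port 3002 } protocol tcp }
    }
    name LAN_LOCAL {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMP" protocol icmp }
        rule 3 { action accept description "Accept DHCP" destination { port bootps } protocol udp source { port bootpc } }
        rule 10 { action accept description "Accept DNS" destination { port domain } protocol udp }
        rule 20 { action accept description "Accept mDNS" destination { address xxx.xxx.0.251 port mdns } protocol udp }
        rule 30 { action accept description "Accept iPerf3" destination { port 5201 } protocol tcp }
    }
    name LAN_MGMT {
        default-action drop
        rule 1 { action accept description "Allow established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMP" protocol icmp }
        rule 10 { action accept description "Allow Vorik SSH" destination { address xxx.xxx.17.100 port ssh } protocol tcp }
    }
    name LAN_SERVICES {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 10 { action accept description "Accept Web" destination { port http,https } protocol tcp }
        rule 20 { action accept description "Allow Bareos" destination { port 9101,9103 } protocol tcp }
        rule 30 { action accept description "Allow SMB" destination { address xxx.xxx.19.34 port 445 } protocol tcp }
        rule 40 { action accept description "Accept to Domain Controller" destination { address xxx.xxx.19.33 } }
    }
    name MGMT_LOCAL {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMP" protocol icmp }
        /* Added (review): IPv4 DHCP for the MGMT scope (service dhcp-server, subnet xxx.xxx.17.0/25 on eth1.10, which hands out this router as name-server). Mirrors MGMT_LOCAL_6 rule 3 and the IOT_LOCAL/LAN_LOCAL sets; without it unicast renewals from MGMT clients fall to the default drop. */
        rule 3 { action accept description "Accept DHCP" destination { port bootps } protocol udp source { port bootpc } }
        rule 10 { action accept description "Accept DNS" destination { port domain } protocol udp }
        rule 20 { action accept description "Accept mDNS" destination { address xxx.xxx.0.251 port mdns } protocol udp }
        rule 30 { action accept description "Accept SSH" destination { port ssh } protocol tcp }
        rule 40 { action accept description "Accept iPerf3" destination { port 5201 } protocol tcp }
    }
    name NONE {
        default-action drop
    }
    name PERMIT {
        default-action accept
    }
    name SERVICES_HOME {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMP" protocol icmp }
        rule 10 { action accept description "Accept SNMP" destination { port snmp } protocol udp source { address xxx.xxx.16.40 } }
        rule 20 { action accept description "Accept Zabbix Agent" destination { port zabbix-agent } protocol tcp source { address xxx.xxx.16.40 } }
        rule 30 { action accept description "Accept HTTP" destination { port http } protocol tcp source { address xxx.xxx.19.38 } }
    }
    name SERVICES_LOCAL {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMP" protocol icmp }
        /* Added (review): IPv4 DHCP for the TESTING scope (service dhcp-server, subnet xxx.xxx.17.128/25 on eth1.220, zone SERVICES). Mirrors SERVICES_LOCAL_6 rule 3. */
        rule 3 { action accept description "Accept DHCP" destination { port bootps } protocol udp source { port bootpc } }
        rule 10 { action accept description "Accept DNS" destination { port domain } protocol udp }
        rule 20 { action accept description "Accept mDNS" destination { address xxx.xxx.0.251 port mdns } protocol udp }
        rule 30 { action accept description "Accept SNMP" destination { port snmp } protocol udp source { address xxx.xxx.5.35 } }
    }
    name SERVICES_MGMT {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMP" protocol icmp }
        rule 10 { action accept description "Accept Zabbix Agent" destination { port 10050 } protocol tcp }
        rule 20 { action accept description "Accept SNMP" destination { port snmp } protocol udp }
        rule 30 { action accept description "Accept Node-RED to Voyager" destination { address xxx.xxx.17.1 port https } protocol tcp source { address xxx.xxx.16.50 } }
        rule 40 { action accept description "Accept Sisko to TrueNAS" destination { address xxx.xxx.17.2 port https } protocol tcp source { address xxx.xxx.19.49 } }
    }
    name WAN_LOCAL {
        default-action drop
        rule 1 { action accept description "Accept established/related" state { established enable related enable } }
        rule 2 { action accept description "Accept ICMP" protocol icmp }
        rule 10 { action accept description "Accept Wireguard" destination { port 51820 } protocol udp }
        rule 20 { action accept description "Accept OpenVPN" destination { port 1194 } protocol udp }
        rule 30 { action accept description "Accept ISAKMP" destination { port isakmp } protocol udp source { port isakmp } }
        rule 31 { action accept description "Accept NAT-T" destination { port ipsec-nat-t } protocol udp }
        rule 32 { action accept description "Accept ESP" protocol esp }
    }
    receive-redirects disable
    /* Review: ICMP redirects are sent on every interface; a multi-VLAN firewall rarely needs this and it exposes next-hop details to hosts - consider "send-redirects disable" (receive-redirects is already disabled). */
    send-redirects enable
    /* Review: reverse-path filtering is off. "loose" is normally compatible with the asymmetric OSPF paths over br0/tun0 configured below; "strict" would need verification against those paths before use. */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
    zone GUEST {
        default-action drop
        from LOCAL { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from WAN { firewall { ipv6-name ESTAB_6 name ESTAB } }
        interface eth1.310
    }
    zone HOME {
        /* Added (review): every other zone states default-action drop; an unset zone default-action is also drop in VyOS, so this only makes it explicit. */
        default-action drop
        from LAN { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from LOCAL { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from MGMT { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from SERVICES { firewall { ipv6-name SERVICES_HOME_6 name SERVICES_HOME } }
        interface tun0
        interface br0
    }
    zone IOT {
        default-action drop
        from LAN { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from LOCAL { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from MGMT { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from SERVICES { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from WAN { firewall { ipv6-name ESTAB_6 name ESTAB } }
        interface eth1.100
    }
    zone ISOLATED {
        default-action drop
        from LOCAL { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from WAN { firewall { ipv6-name ESTAB_6 name ESTAB } }
        interface eth1.230
    }
    zone LAN {
        default-action drop
        from HOME { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from IOT { firewall { ipv6-name IOT_LAN_6 name IOT_LAN } }
        from LOCAL { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from MGMT { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from SERVICES { firewall { ipv6-name ESTAB_6 name ESTAB } }
        from WAN { firewall { ipv6-name ESTAB_6 name ESTAB } }
        interface eth1.300
        interface wg0
    }
    zone LOCAL {
        default-action drop
        from GUEST { firewall { ipv6-name ESTAB_DHCP_DNS_6 name ESTAB_DHCP_DNS } }
        from HOME { firewall { ipv6-name HOME_LOCAL_6 name HOME_LOCAL } }
        from IOT { firewall { ipv6-name IOT_LOCAL_6 name IOT_LOCAL } }
        from ISOLATED { firewall { ipv6-name ESTAB_DHCP_6 name ESTAB_DHCP } }
        from LAN { firewall { ipv6-name LAN_LOCAL_6 name LAN_LOCAL } }
        from MGMT { firewall { ipv6-name MGMT_LOCAL_6 name MGMT_LOCAL } }
        from SERVICES { firewall { ipv6-name SERVICES_LOCAL_6 name SERVICES_LOCAL } }
        from WAN { firewall { ipv6-name WAN_LOCAL_6 name WAN_LOCAL } }
        local-zone
    }
    zone MGMT {
        default-action drop
        from HOME { firewall { ipv6-name ESTAB_6 name ESTAB } }
        from IOT { firewall { ipv6-name ESTAB_6 name ESTAB } }
        from LAN { firewall { ipv6-name LAN_MGMT_6 name LAN_MGMT } }
        from LOCAL { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from SERVICES { firewall { ipv6-name SERVICES_MGMT_6 name SERVICES_MGMT } }
        from WAN { firewall { ipv6-name ESTAB_6 name ESTAB } }
        interface eth1.10
    }
    zone SERVICES {
        default-action drop
        from HOME { firewall { ipv6-name HOME_SERVICES_6 name HOME_SERVICES } }
        from IOT { firewall { ipv6-name IOT_SERVICES_6 name IOT_SERVICES } }
        from LAN { firewall { ipv6-name LAN_SERVICES_6 name LAN_SERVICES } }
        from LOCAL { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from MGMT { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from WAN { firewall { ipv6-name ESTAB_6 name ESTAB } }
        interface eth1.200
        interface eth1.210
        interface eth1.220
        interface eth1.240
    }
    zone WAN {
        default-action drop
        from GUEST { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from IOT { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from ISOLATED { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from LAN { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from LOCAL { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from MGMT { firewall { ipv6-name PERMIT_6 name PERMIT } }
        from SERVICES { firewall { ipv6-name PERMIT_6 name PERMIT } }
        interface eth0
        interface peth0
    }
}
high-availability {
}
interfaces {
    bridge br0 {
        address xxx.xxx.3.205/30
        address fe80::1/64
        description "Site-Home OpenVPN endpoint"
        member { interface vtun0 { } }
    }
    dummy dum0 {
        address xxx.xxx.168.26/32
        description "Site-Home GRE endpoint"
    }
    ethernet eth0 {
        address dhcp
        description WAN
        hw-id xx:xx:xx:xx:xx:58
        ipv6 { address { no-default-link-local } }
    }
    ethernet eth1 {
        hw-id xx:xx:xx:xx:xx:59
        vif 10 { address xxx.xxx.17.126/25 description Management ipv6 { address { eui64 xxxx:xxxx:c62e:10ec::/64 } } }
        vif 100 { address xxx.xxx.18.126/25 description IoT ipv6 { address { eui64 xxxx:xxxx:c62e:ec56::/64 } } }
        vif 200 { address xxx.xxx.19.46/28 description Infrastructure ipv6 { address { eui64 xxxx:xxxx:c62e:28e0::/64 } } }
        vif 210 { address xxx.xxx.16.254/24 description Services ipv6 { address { eui64 xxxx:xxxx:c62e:7e29::/64 } } }
        vif 220 { address xxx.xxx.17.254/25 description Testing ipv6 { address { eui64 xxxx:xxxx:c62e:dc8a::/64 } } }
        vif 230 { address xxx.xxx.18.254/26 description Isolated ipv6 { address { eui64 xxxx:xxxx:c62e:16d9::/64 } } }
        vif 240 { address xxx.xxx.19.62/28 description Jails ipv6 { address { eui64 xxxx:xxxx:c62e:f0ba::/64 } } }
        vif 300 { address xxx.xxx.18.190/26 description LAN ipv6 { address { eui64 xxxx:xxxx:c62e:b4c5::/64 } } }
        vif 310 { address xxx.xxx.19.30/27 description Guest }
    }
    loopback lo {
    }
    /* Review: static shared-secret mode gives no forward secrecy; the IKEv2 IPsec site-to-site under "vpn ipsec" is the stronger of the two site links. */
    openvpn vtun0 {
        description "Site-Home OpenVPN"
        device-type tap
        encryption { cipher aes256 }
        hash sha256
        local-port 1194
        mode site-to-site
        openvpn-option "--proto udp4"
        persistent-tunnel
        remote-host xxxxx.tld
        remote-port 1194
        shared-secret-key ****************
    }
    pseudo-ethernet peth0 {
        description WANv6
        dhcpv6-options {
            pd 0 {
                interface eth1.10 { sla-id 0 }
                interface eth1.100 { sla-id 1 }
                interface eth1.200 { sla-id 2 }
                interface eth1.210 { sla-id 3 }
                interface eth1.220 { sla-id 4 }
                interface eth1.230 { sla-id 5 }
                interface eth1.240 { sla-id 6 }
                interface eth1.300 { sla-id 7 }
                interface eth1.310 { sla-id 8 }
                length 60
            }
            rapid-commit
        }
        ipv6 { address { autoconf } }
        source-interface eth0
    }
    tunnel tun0 {
        address xxx.xxx.219.173/30
        address fe80::1/64
        description "Site-Home GRE"
        enable-multicast
        encapsulation gre
        mtu 1420
        parameters { ipv6 { hoplimit 255 } }
        remote xxx.xxx.168.27
        source-address xxx.xxx.168.26
    }
    wireguard wg0 {
        address xxx.xxx.134.238/28
        description VPN
        ipv6 { address { eui64 xxxx:xxxx:926e:e5af::/64 } }
        peer Sulu { allowed-ips xxxx:xxxx:926e:e5af:8245:DDFF:FE75:E50E/128 allowed-ips xxx.xxx.134.225/32 public-key **************** }
        peer Tilly { allowed-ips xxx.xxx.134.226/32 allowed-ips xxxx:xxxx:926e:e5af:1098:c3ff:fe0f:46d0/128 public-key **************** }
        port 51820
        private-key xxxxxx
    }
}
nat {
    source {
        rule 10 { description "Masquerade to WAN" outbound-interface eth0 source { address xxx.xxx.16.0/20 } translation { address masquerade } }
    }
}
pki {
    key-pair Site-DHSF { private { key xxxxxx } public { key xxxxxx } }
    key-pair Site-Home { public { key xxxxxx } }
    openvpn { shared-secret s2s { key xxxxxx version 1 } }
}
protocols {
    ospf {
        area 0 {
            network xxx.xxx.219.172/30
            network xxx.xxx.16.0/24
            network xxx.xxx.17.0/25
            network xxx.xxx.17.128/25
            network xxx.xxx.18.0/25
            network xxx.xxx.18.128/26
            network xxx.xxx.18.192/26
            network xxx.xxx.19.0/27
            network xxx.xxx.19.32/28
            network xxx.xxx.19.48/28
            network xxx.xxx.3.204/30
        }
        interface br0 { cost 2 passive { disable } }
        interface tun0 { cost 1 passive { disable } }
        parameters { router-id xxx.xxx.0.0 }
        passive-interface default
    }
    ospfv3 {
        area xxx.xxx.0.0 {
            range xxxx:xxxx:c62e:1ac8::/64 { }
            range xxxx:xxxx:c62e:7e29::/64 { }
            range xxxx:xxxx:c62e:10ec::/64 { }
            range xxxx:xxxx:c62e:16d9::/64 { }
            range xxxx:xxxx:c62e:28e0::/64 { }
            range xxxx:xxxx:c62e:b4c5::/64 { }
            range xxxx:xxxx:c62e:dc8a::/64 { }
            range xxxx:xxxx:c62e:ec56::/64 { }
            range xxxx:xxxx:c62e:f0ba::/64 { }
        }
        interface tun0 { area xxx.xxx.0.0 ifmtu 1420 mtu-ignore network broadcast }
        parameters { router-id xxx.xxx.0.0 }
    }
    static {
        route xxx.xxx.0.0/0 { dhcp-interface eth0 }
    }
}
service {
    dhcp-server {
        shared-network-name xxxxxx { subnet xxx.xxx.19.0/27 { default-router xxx.xxx.19.30 name-server xxx.xxx.19.30 range GUEST { start xxx.xxx.19.1 stop xxx.xxx.19.29 } } }
        shared-network-name xxxxxx { subnet xxx.xxx.18.0/25 { default-router xxx.xxx.18.126 name-server xxx.xxx.18.126 range IOT { start xxx.xxx.18.1 stop xxx.xxx.18.63 } } }
        shared-network-name xxxxxx { subnet xxx.xxx.18.192/26 { default-router xxx.xxx.18.254 name-server xxx.xxx.1.1 name-server xxx.xxx.0.1 range ISOLATED { start xxx.xxx.18.193 stop xxx.xxx.18.253 } } }
        shared-network-name xxxxxx { subnet xxx.xxx.18.128/26 { default-router xxx.xxx.18.190 domain-name xxxxxx name-server xxx.xxx.18.190 range LAN { start xxx.xxx.18.129 stop xxx.xxx.18.189 } } }
        shared-network-name xxxxxx { subnet xxx.xxx.17.0/25 { default-router xxx.xxx.17.126 domain-name xxxxxx name-server xxx.xxx.17.126 range MGMT { start xxx.xxx.17.110 stop xxx.xxx.17.119 } } }
        shared-network-name xxxxxx { subnet xxx.xxx.17.128/25 { default-router xxx.xxx.17.254 domain-name xxxxxx name-server xxx.xxx.17.254 range TESTING { start xxx.xxx.17.129 stop xxx.xxx.17.191 } } }
    }
    dns {
        dynamic {
            interface eth0 { service nsupdate { host-name xxxxxx login xxxxxx password xxxxxx protocol dyndns2 server xxxxx.tld } }
        }
        /* Review: allow-from and listen-address are unrestricted, so exposure towards WAN is bounded only by WAN_LOCAL/WAN_LOCAL_6 having no port 53 rule; the same dependency holds for "ntp allow-client" and "ssh listen-address" below. Any later widening of WAN_LOCAL widens these services with it. */
        forwarding {
            allow-from xxx.xxx.0.0/0
            allow-from ::/0
            cache-size 1000000
            dnssec process
            domain ad.xxxxx.tld { name-server xxx.xxx.19.33 { } }
            listen-address xxx.xxx.0.0
            listen-address ::
            name-server xxx.xxx.0.1 { }
            name-server xxx.xxx.1.1 { }
        }
    }
    /* Review: LLDP is also enabled on eth0 (WAN), so the device advertises itself to the upstream; consider limiting it to eth1. */
    lldp {
        interface eth0 { }
        interface eth1 { }
    }
    /* Review: mDNS is repeated between IoT (eth1.100), LAN (eth1.300), MGMT (eth1.10) and Services (eth1.210); this deliberately spans the IoT/MGMT boundary the zone firewall otherwise enforces. */
    mdns {
        repeater {
            interface eth1.100
            interface eth1.300
            interface eth1.10
            interface eth1.210
        }
    }
    ntp {
        /* The "{" after allow-client is reconstructed from brace balance; the page shows a redaction token in its place. */
        allow-client {
            address xxx.xxx.0.0/0
            address ::/0
        }
        server xxxxx.tld { }
        server xxxxx.tld { }
        server xxxxx.tld { }
    }
    router-advert {
        interface eth1.10 { name-server xxxx:xxxx:c62e:10ec:210:f3ff:fe3c:8959 prefix ::/64 { } prefix xxxx:xxxx:c62e:10ec::/64 { } }
        interface eth1.100 { name-server xxxx:xxxx:c62e:ec56:210:f3ff:fe3c:8959 prefix ::/64 { } prefix xxxx:xxxx:c62e:ec56::/64 { } }
        interface eth1.200 { name-server xxxx:xxxx:c62e:28e0:210:f3ff:fe3c:8959 prefix ::/64 { } prefix xxxx:xxxx:c62e:28e0::/64 { } }
        interface eth1.210 { name-server xxxx:xxxx:c62e:7e29:210:f3ff:fe3c:8959 prefix ::/64 { } prefix xxxx:xxxx:c62e:7e29::/64 { } }
        interface eth1.220 { name-server xxxx:xxxx:c62e:dc8a:210:f3ff:fe3c:8959 prefix ::/64 { } prefix xxxx:xxxx:c62e:dc8a::/64 { } }
        interface eth1.230 { name-server xxxx:xxxx:4700::1111 name-server xxxx:xxxx:4700::1001 prefix ::/64 { } prefix xxxx:xxxx:c62e:16d9::/64 { } }
        interface eth1.240 { name-server xxxx:xxxx:c62e:f0ba:210:f3ff:fe3c:8959 prefix ::/64 { } prefix xxxx:xxxx:c62e:f0ba::/64 { } }
        interface eth1.300 { name-server xxxx:xxxx:c62e:b4c5:210:f3ff:fe3c:8959 prefix ::/64 { } prefix xxxx:xxxx:c62e:b4c5::/64 { } }
        interface eth1.310 { name-server xxxx:xxxx:4700::1111 name-server xxxx:xxxx:4700::1001 prefix ::/64 { } }
    }
    /* Review: SNMPv2c with the default "public" community and no client/network restriction; only the zone firewall limits who can query it. Use a non-default community restricted with "client"/"network" to the pollers already named in SERVICES_HOME/SERVICES_LOCAL, or move to SNMPv3. */
    snmp {
        community public { }
    }
    /* Review: both login users carry an ssh-ed25519 key, so "disable-password-authentication" can be set here to take password guessing off the table. */
    ssh {
        listen-address xxx.xxx.0.0
        listen-address ::
    }
}
system {
    config-management { commit-revisions 100 }
    /* Review: every conntrack ALG helper (ftp, h323, nfs, pptp, sip, sqlnet, tftp) is enabled; each one parses untrusted payloads and opens dynamic expectations in conntrack, so keep only the helpers a real flow needs. */
    conntrack {
        modules { ftp h323 nfs pptp sip sqlnet tftp }
    }
    console {
        device ttyS0 { speed 115200 }
        device ttyS2 { speed 115200 }
    }
    host-name xxxxxx
    /* Both users appear under the same redacted name on the page; presumably they are distinct accounts in the live configuration. */
    login {
        user xxxxxx { authentication { public-keys xxxx@xxx.xxx { key xxxxxx type ssh-ed25519 } } }
        user xxxxxx { authentication { encrypted-password xxxxxx public-keys xxxx@xxx.xxx { key xxxxxx type ssh-ed25519 } } }
    }
    syslog {
        global { facility all { level info } facility protocols { level debug } }
        host ayala.xxxxx.tld { facility authpriv { level info } facility kern { level notice } }
    }
    time-zone America/Los_Angeles
}
vpn {
    ipsec {
        esp-group Site-Home {
            proposal 1 { encryption aes256 hash sha256 }
        }
        ike-group Site-Home {
            dead-peer-detection { action restart }
            key-exchange ikev2
            proposal 1 { dh-group 20 encryption aes256 hash sha256 }
        }
        interface eth0
        site-to-site {
            peer Site-Home {
                authentication { local-id @Site-DHSF mode rsa remote-id @Site-Home rsa { local-key **************** remote-key **************** } }
                connection-type initiate
                default-esp-group Site-Home
                description Site-Home
                ike-group Site-Home
                local-address any
                remote-address home.xxxxx.tld
                tunnel 1 { local { prefix xxx.xxx.168.26/32 } remote { prefix xxx.xxx.168.27/32 } }
            }
        }
    }
}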