/* Host-stack hardening knobs plus the named rulesets that zone-policy (below) binds between zones; ruleset names read <FROM-ZONE>-<TO-ZONE>. */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name 00LAN-LOCAL {
        default-action accept
    }
    /* 00LAN -> WAN. Rule 50's destination 10.31.20.51 is the 'hass' host on eth2 (zone 20LAN, see the dhcp static-mapping); 00LAN->20LAN traffic is evaluated by zone 20LAN, which has no 'from 00LAN' entry and so drops it, so this rule appears never to match in the WAN direction — TODO confirm intent. */
    name 00LAN-WAN {
        default-action reject
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
        rule 50 {
            action accept
            destination {
                address 10.31.20.51
            }
            state {
                new enable
            }
        }
    }
    name 20LAN-LOCAL {
        default-action accept
    }
    /* 20LAN -> WAN: only the 'hass' host may open tcp/udp 80,443 outbound; everything else from eth2 is rejected. */
    name 20LAN-WAN {
        default-action reject
        rule 100 {
            action accept
            destination {
                port 80,443
            }
            protocol tcp_udp
            source {
                address 10.31.20.51
            }
            state {
                new enable
            }
        }
    }
    name LOCAL-LAN {
        default-action accept
    }
    name LOCAL-WAN {
        default-action accept
    }
    /* WAN -> 00LAN: only the DNAT'd proxy traffic is admitted. NOTE(review): nat destination rule 20 translates tcp_udp while this rule is tcp-only, so translated UDP 80/443 falls through to default-action drop — harmless, but the two protocol specs disagree. */
    name WAN-00LAN {
        default-action drop
        rule 20 {
            action accept
            description "Allow HTTP/s traffic to proxy"
            destination {
                address 10.31.0.51
                port 80,443
            }
            protocol tcp
            state {
                new enable
            }
        }
    }
    name WAN-20LAN {
        default-action drop
    }
    /* WAN -> the router itself: only new ICMP is accepted; everything else, including ssh on the port configured below, is dropped by default. */
    name WAN-LOCAL {
        default-action drop
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
    }
    receive-redirects disable
    /* NOTE(review): send-redirects is the only redirect option left enabled (receive and IPv6-receive are disabled); confirm the asymmetry is intended. */
    send-redirects enable
    /* NOTE(review): reverse-path (source) validation is off, so anti-spoofing rests entirely on the zone rulesets; 'strict' is worth considering with two directly attached stub /24s. */
    source-validation disable
    /* Logging is on for established and related as well as invalid; this logs every packet matching those states, not just new connections, so expect high volume. */
    state-policy {
        established {
            action accept
            log {
                enable
            }
        }
        invalid {
            action drop
            log {
                enable
            }
        }
        related {
            action accept
            log {
                enable
            }
        }
    }
    syn-cookies enable
    twa-hazards-protection disable
}
/* eth0 = WAN (DHCP), eth1 = INFRA 10.31.0.0/24, eth2 = UTILS 10.31.20.0/24; zone membership is assigned in zone-policy. */
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        hw-id a2:fe:e0:75:33:6c
    }
    ethernet eth1 {
        address 10.31.0.1/24
        description INFRA
        hw-id 66:bc:2c:3b:41:2e
    }
    ethernet eth2 {
        address 10.31.20.1/24
        description UTILS
        hw-id de:41:65:05:d9:70
    }
    loopback lo {
    }
}
nat {
    /* Port-forward of 80,443 arriving on eth0 to the proxy host; the filter decision for it is made by WAN-00LAN rule 20. */
    destination {
        rule 20 {
            description "Web proxy"
            destination {
                port 80,443
            }
            inbound-interface eth0
            protocol tcp_udp
            translation {
                address 10.31.0.51
            }
        }
    }
    /* Masquerade out eth0 for 10.31.0.0/16, which supersets both LAN /24s. */
    source {
        rule 100 {
            outbound-interface eth0
            source {
                address 10.31.0.0/16
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name 00LAN {
            subnet 10.31.0.0/24 {
                default-router 10.31.0.1
                dns-server 10.31.0.1
                domain-name INFRA
                range 0 {
                    start 10.31.0.71
                    stop 10.31.0.254
                }
                /* Fixed address for the proxy target referenced by nat destination rule 20 and WAN-00LAN rule 20. */
                static-mapping web01 {
                    ip-address 10.31.0.51
                    mac-address be:18:a7:44:54:73
                }
            }
        }
        shared-network-name 20LAN {
            subnet 10.31.20.0/24 {
                default-router 10.31.20.1
                dns-server 10.31.20.1
                domain-name UTILS
                range 0 {
                    start 10.31.20.71
                    stop 10.31.20.254
                }
                /* Fixed address referenced by 20LAN-WAN rule 100 and 00LAN-WAN rule 50. */
                static-mapping hass {
                    ip-address 10.31.20.51
                    mac-address e6:20:ed:69:8f:b5
                }
            }
        }
    }
    /* Recursive resolver listens only on the two LAN gateway addresses and answers only 10.31.0.0/16; upstream is 1.1.1.1 / 1.0.0.1. */
    dns {
        forwarding {
            allow-from 10.31.0.0/16
            cache-size 0
            listen-address 10.31.0.1
            listen-address 10.31.20.1
            name-server 1.1.1.1
            name-server 1.0.0.1
        }
    }
    /* Port is redacted in this export. No listen-address restriction is configured here; WAN-side reachability is left to the WAN-LOCAL ruleset (ICMP only). */
    ssh {
        port xxxxx
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    /* Password hash is redacted in this export; presumably the empty plaintext-password is just how an account held only as a hash is rendered — verify on the live system. */
    login {
        user vyos {
            authentication {
                encrypted-password xxxxxx
                plaintext-password ""
            }
        }
    }
    name-server 10.31.0.1
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    /* Local name for the proxy host; 'subnet.example.com' looks like a placeholder alias — TODO confirm. */
    static-host-mapping {
        host-name web01 {
            alias subnet.example.com
            inet 10.31.0.51
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
/* Zones: 00LAN=eth1, 20LAN=eth2, LOCAL=the router, WAN=eth0. Each zone lists only the peers it accepts traffic from; 00LAN and 20LAN have no 'from' entry for each other, so inter-LAN traffic is dropped both ways by default-action drop. */
zone-policy {
    zone 00LAN {
        default-action drop
        from LOCAL {
            firewall {
                name LOCAL-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-00LAN
            }
        }
        interface eth1
    }
    zone 20LAN {
        default-action drop
        from LOCAL {
            firewall {
                name LOCAL-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-20LAN
            }
        }
        interface eth2
    }
    zone LOCAL {
        default-action drop
        from 00LAN {
            firewall {
                name 00LAN-LOCAL
            }
        }
        from 20LAN {
            firewall {
                name 20LAN-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from 00LAN {
            firewall {
                name 00LAN-WAN
            }
        }
        from 20LAN {
            firewall {
                name 20LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        interface eth0
    }
}


// Warning: Do not remove the following line.
// vyos-config-version: "bgp@1:broadcast-relay@1:cluster@1:config-management@1:conntrack@2:conntrack-sync@2:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@6:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:nat66@1:ntp@1:policy@1:pppoe-server@5:pptp@2:qos@1:quagga@9:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrf@2:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
// Release version: 1.4-rolling-202106260417