firewall { group { address-group MobileDevices-IPv4 { address xxx.xxx.10.30 address xxx.xxx.10.32 } address-group Unsafe_IRC_Servers { address xxx.xxx.77.134 address xxx.xxx.239.136 } ipv6-address-group Unsafe_IRC_Servers { address xxxx:xxxx:8:1::1aa } ipv6-network-group LAN-GuestNetwork-Blocked { network fc00::/56 } ipv6-network-group LAN-IoTNetwork-Blocked { network fc00::/56 } ipv6-network-group LAN-SecureNetwork-Blocked { network fc00::/56 } ipv6-network-group LocalNetworksBlockedOut { network xxxx:xxxx:0:3::/64 network xxxx:xxxx:0:4::/64 network xxxx:xxxx:0:5::/64 } network-group InternalNetVPNOnly { network xxx.xxx.69.0/24 } network-group LAN-GuestNetwork-Blocked { network xxx.xxx.0.0/8 } network-group LAN-IoTNetwork-Blocked { network xxx.xxx.0.0/8 } network-group LAN-SecureNetwork-Blocked { network xxx.xxx.0.0/8 } network-group LocalNetworksBlockedOut { network xxx.xxx.51.0/24 network xxx.xxx.69.0/24 network xxx.xxx.52.0/24 network xxx.xxx.53.0/24 } network-group YouTube-Google-IPv4 { network xxx.xxx.4.0/24 network xxx.xxx.8.0/24 network xxx.xxx.202.0/24 network xxx.xxx.208.0/20 network xxx.xxx.192.0/20 network xxx.xxx.48.0/20 network xxx.xxx.128.0/19 network xxx.xxx.0.0/10 network xxx.xxx.0.0/10 network xxx.xxx.0.0/13 network xxx.xxx.0.0/11 network xxx.xxx.0.0/12 network xxx.xxx.0.0/13 network xxx.xxx.228.0/22 network xxx.xxx.112.0/20 network xxx.xxx.160.0/19 network xxx.xxx.0.0/20 network xxx.xxx.64.0/19 network xxx.xxx.128.0/19 network xxx.xxx.192.0/18 network xxx.xxx.24.0/21 network xxx.xxx.0.0/16 network xxx.xxx.231.0/24 network xxx.xxx.64.0/22 network xxx.xxx.0.0/16 network xxx.xxx.0.0/17 network xxx.xxx.92.0/24 network xxx.xxx.128.0/17 network xxx.xxx.0.0/15 network xxx.xxx.0.0/14 network xxx.xxx.160.0/19 network xxx.xxx.192.0/18 network xxx.xxx.80.0/20 network xxx.xxx.192.0/18 network xxx.xxx.0.0/17 network xxx.xxx.106.0/24 network xxx.xxx.0.0/16 network xxx.xxx.64.0/23 network xxx.xxx.86.0/23 network xxx.xxx.0.0/12 network xxx.xxx.0.0/15 network 
xxx.xxx.0.0/17 network xxx.xxx.148.0/22 network xxx.xxx.176.0/21 network xxx.xxx.32.0/21 network xxx.xxx.0.0/16 network xxx.xxx.0.0/16 network xxx.xxx.0.0/16 network xxx.xxx.112.0/20 network xxx.xxx.28.0/23 network xxx.xxx.28.0/22 network xxx.xxx.0.0/15 network xxx.xxx.4.0/24 network xxx.xxx.154.0/23 network xxx.xxx.156.0/23 network xxx.xxx.112.0/22 network xxx.xxx.232.0/21 network xxx.xxx.144.0/20 network xxx.xxx.160.0/20 network xxx.xxx.152.0/22 network xxx.xxx.108.0/22 network xxx.xxx.68.0/22 network xxx.xxx.188.0/22 network xxx.xxx.172.0/22 network xxx.xxx.224.0/19 network xxx.xxx.128.0/17 network xxx.xxx.192.0/19 network xxx.xxx.80.0/20 network xxx.xxx.32.0/19 } port-group FaceTime_TCP_Ports { port 5223 } port-group FaceTime_UDP_Ports { port 3478-3497 port 16384-16387 port 16393-16402 } port-group Unsafe_IRC_Ports { port 6660-6669 port 9999 port 7000 } port-group WhatsApp_TCP_Ports { port 5222 } port-group WhatsApp_UDP_Ports { port 5222 } port-group Wifi_Calling_UDP_Ports { port 500 port 4500 } port-group Zoom_TCP_Ports { port 8801-8802 } port-group Zoom_UDP_Ports { port 3478 port 3479 port 8801-8810 } } ipv6-name LAN-GuestNetwork-Out { default-action accept rule 10 { action accept state { established enable related enable } } rule 20 { action drop destination { group { network-group LAN-GuestNetwork-Blocked } } } } ipv6-name LAN-IoTNetwork-Out { default-action accept rule 10 { action accept state { established enable related enable } } rule 20 { action drop destination { group { network-group LAN-IoTNetwork-Blocked } } } } ipv6-name LAN-SecureNetwork-Out { default-action accept rule 10 { action accept state { established enable related enable } } rule 20 { action drop destination { group { network-group LAN-SecureNetwork-Blocked } } } } ipv6-name OUTSIDE-6-IN { default-action drop rule 10 { action accept state { established enable related enable } } rule 20 { action accept protocol ipv6-icmp } } ipv6-name OUTSIDE-6-LOCAL { default-action drop rule 10 { action 
accept state { established enable related enable } } rule 20 { action accept description "Allow DHCPv6" destination { address fc00::/6 port 546 } protocol udp source { address fc00::/6 } } rule 21 { action accept description "Allow MLD" protocol icmpv6 source { address fe80::/10 } } rule 22 { action accept description "Allow ICMPv6" limit { burst 1 rate 5/minute } protocol icmpv6 } } ipv6-name OUTSIDE-6-OUT { default-action accept rule 10 { action drop description "Block Unsafe IRC Ports Unless Through Encrypted Tunnel" destination { group { port-group Unsafe_IRC_Ports } } protocol tcp } rule 20 { action drop description "Block Unsafe IRC IPv6 Addresses Unless Through Encrypted Tunnel" destination { group { address-group Unsafe_IRC_Servers } } } rule 30 { action drop description "Block Some Local Networks From Out Unless Through VPN" source { group { network-group LocalNetworksBlockedOut } } } } ipv6-name PUB-WIREGUARD-6-IN { default-action drop rule 10 { action accept state { established enable related enable } } } ipv6-name PUB-WIREGUARD-6-LOCAL { default-action drop rule 10 { action accept state { established enable related enable } } rule 20 { action accept protocol ipv6-icmp state { new enable } } } name LAN-IN { default-action accept rule 10 { action drop destination { } source { address xxx.xxx.3.4/32 } } } name LAN-GuestNetwork-Out { default-action accept rule 10 { action accept state { established enable related enable } } rule 20 { action drop destination { group { network-group LAN-GuestNetwork-Blocked } } } } name LAN-IoTNetwork-Out { default-action accept rule 10 { action accept state { established enable related enable } } rule 20 { action drop destination { group { network-group LAN-IoTNetwork-Blocked } } } } name LAN-SecureNetwork-Out { default-action accept rule 10 { action accept state { established enable related enable } } rule 20 { action drop destination { group { network-group LAN-SecureNetwork-Blocked } } } } name OUTSIDE-IN { default-action 
drop rule 10 { action accept state { established enable related enable } } rule 20 { action accept description "Allow Plex Forwarder" destination { port 32400 } protocol tcp state { new enable } } rule 30 { action accept description "Allow WireGuard" destination { port 51820-51830 } protocol udp state { new enable } } rule 40 { action accept description "Allow HTTP" destination { port 80 } protocol tcp state { new enable } } rule 50 { action accept description "Allow HTTPS" destination { port 443 } protocol tcp state { new enable } } } name OUTSIDE-LOCAL { default-action drop rule 10 { action accept state { established enable related enable } } rule 20 { action accept icmp { type-name echo-request } protocol icmp state { new enable } } rule 30 { action accept destination { port 22 } protocol tcp state { new enable } } rule 40 { action accept destination { port 51820-51830 } protocol udp } rule 50 { action accept protocol esp } rule 51 { action accept destination { port 500 } protocol udp } rule 52 { action accept destination { port 4500 } protocol udp } rule 53 { action accept destination { port 1701 } ipsec { match-ipsec } protocol udp } } name OUTSIDE-OUT { default-action accept rule 10 { action drop destination { } source { address xxx.xxx.69.0/24 } } rule 20 { action drop description "Block Unsafe IRC IPs Unless Through Encrypted Tunnel" destination { group { address-group Unsafe_IRC_Servers } } protocol all } rule 30 { action drop description "Block Unsafe IRC Ports Unless Through Encrypted Tunnel" destination { group { port-group Unsafe_IRC_Ports } } protocol tcp } rule 40 { action drop description "Block Some Local Networks From Out Unless Through VPN" destination { } source { group { network-group LocalNetworksBlockedOut } } } } name PUB-WIREGUARD-IN { default-action drop rule 10 { action accept state { established enable related enable } } } name PUB-WIREGUARD-LOCAL { default-action drop rule 10 { action accept state { established enable related enable } } 
rule 20 { action accept icmp { type-name echo-request } protocol icmp state { new enable } } } state-policy { established { } related { } } } interfaces { ethernet eth0 { address dhcp description VZ firewall { in { name OUTSIDE-IN } local { name OUTSIDE-LOCAL } out { ipv6-name OUTSIDE-6-OUT name OUTSIDE-OUT } } hw-id xx:xx:xx:xx:xx:4c policy { } ring-buffer { rx 4096 tx 4096 } traffic-policy { out VZFiOSOut } } ethernet eth1 { address dhcp address dhcpv6 description SpectrumTWC dhcpv6-options { pd 0 { interface eth3 { address 1 sla-id 0 } interface eth4.100 { address 1 sla-id 6 } length 56 } rapid-commit } firewall { in { ipv6-name OUTSIDE-6-IN name OUTSIDE-IN } local { ipv6-name OUTSIDE-6-LOCAL name OUTSIDE-LOCAL } out { ipv6-name OUTSIDE-6-OUT name OUTSIDE-OUT } } hw-id xx:xx:xx:xx:xx:4d policy { } ring-buffer { rx 4096 tx 4096 } traffic-policy { out SpectrumOut } } ethernet eth2 { address dhcp description NaturalWireless firewall { in { name OUTSIDE-IN } local { name OUTSIDE-LOCAL } out { ipv6-name OUTSIDE-6-OUT name OUTSIDE-OUT } } hw-id xx:xx:xx:xx:xx:4e policy { } ring-buffer { rx 4096 tx 4096 } traffic-policy { out NWOut } } ethernet eth3 { address xxx.xxx.50.1/24 description NetworkTest hw-id xx:xx:xx:xx:xx:4f ipv6 { address { autoconf } } ring-buffer { rx 4096 tx 4096 } } ethernet eth4 { address xxx.xxx.0.1/16 address fc00::1/64 description LAN firewall { in { name LAN-IN } out { } } hw-id xx:xx:xx:xx:xx:f8 ipv6 { address { autoconf } } policy { route LAN-Policy route6 LAN-Policy } ring-buffer { rx 4096 tx 4096 } vif 100 { address xxx.xxx.54.1/24 description "G-IPv6 Network" } vif 110 { address xxx.xxx.53.1/24 address xxxx:xxxx:0:5::1/64 description "G-Secure Network" firewall { out { ipv6-name LAN-SecureNetwork-Out name LAN-SecureNetwork-Out } } policy { route LAN-SecureNetwork-Policy route6 LAN-SecureNetwork-Policy } } vif 120 { address xxx.xxx.52.1/24 address xxxx:xxxx:0:4::1/64 description "G-IoT Network" firewall { out { ipv6-name LAN-IoTNetwork-Out 
name LAN-IoTNetwork-Out } } policy { route LAN-IoTNetwork-Policy route6 LAN-IoTNetwork-Policy } } vif 130 { address xxx.xxx.51.1/24 address xxxx:xxxx:0:3::1/64 description G-Guest firewall { out { ipv6-name LAN-GuestNetwork-Out name LAN-GuestNetwork-Out } } policy { route LAN-GuestNetwork-Policy route6 LAN-GuestNetwork-Policy } } } ethernet eth5 { disable hw-id xx:xx:xx:xx:xx:f9 ring-buffer { rx 4096 tx 4096 } } loopback lo { } wireguard wg100 { address xxx.xxx.10.1/24 address xxxx:xxxx:0:1::1/64 description "WireGuard VPN RoadWarrior" peer usersiPad { allowed-ips xxx.xxx.10.2/32 allowed-ips xxxx:xxxx:0:1::2/128 persistent-keepalive 15 public-key **************** } peer usersiPhone { allowed-ips xxx.xxx.10.3/32 allowed-ips xxxx:xxxx:0:1::3/128 persistent-keepalive 15 public-key **************** } port 51820 private-key xxxxxx } wireguard wg101 { address xxx.xxx.98.57/32 address xxxx:xxxx:bbbb:bb01::3:6238/128 description "WireGuard Mullvad FLA" firewall { in { ipv6-name PUB-WIREGUARD-6-IN name PUB-WIREGUARD-IN } local { ipv6-name PUB-WIREGUARD-6-LOCAL name PUB-WIREGUARD-LOCAL } } peer mullvad { address xxx.xxx.143.106 allowed-ips xxx.xxx.0.0/0 allowed-ips ::0/0 persistent-keepalive 10 port 51820 public-key **************** } private-key xxxxxx } wireguard wg102 { address xxx.xxx.32.65/32 address xxxx:xxxx:bbbb:bb01::3:2040/128 description "WireGuard Mullvad FLA us123" firewall { in { ipv6-name PUB-WIREGUARD-6-IN name PUB-WIREGUARD-IN } local { ipv6-name PUB-WIREGUARD-6-LOCAL name PUB-WIREGUARD-LOCAL } } peer mullvad { address xxx.xxx.224.184 allowed-ips xxx.xxx.0.0/0 allowed-ips ::0/0 persistent-keepalive 10 port 51820 public-key **************** } private-key xxxxxx } wireguard wg103 { address xxx.xxx.215.200/32 address xxxx:xxxx:bbbb:bb01::1:d7c7/128 description "WireGuard Mullvad FLA us119" firewall { in { ipv6-name PUB-WIREGUARD-6-IN name PUB-WIREGUARD-IN } local { ipv6-name PUB-WIREGUARD-6-LOCAL name PUB-WIREGUARD-LOCAL } } peer mullvad { address 
xxx.xxx.224.132 allowed-ips xxx.xxx.0.0/0 allowed-ips ::0/0 persistent-keepalive 10 port 51820 public-key **************** } private-key xxxxxx } wireguard wg104 { address xxx.xxx.126.218/32 address xxxx:xxxx:bbbb:bb01::1:7ed9/128 description "WireGuard Mullvad Multihop Brazil-Sweden" firewall { in { ipv6-name PUB-WIREGUARD-6-IN name PUB-WIREGUARD-IN } local { ipv6-name PUB-WIREGUARD-6-LOCAL name PUB-WIREGUARD-LOCAL } } peer mullvad { address xxx.xxx.152.43 allowed-ips xxx.xxx.0.0/0 allowed-ips ::0/0 port 3049 public-key **************** } private-key xxxxxx } wireguard wg110 { address xxx.xxx.60.2/32 description aws.xyz.net mtu 1420 peer xxxxx.tld { address xxx.xxx.218.53 allowed-ips xxx.xxx.0.0/0 allowed-ips ::/0 persistent-keepalive 10 port 51820 preshared-key **************** public-key **************** } port 51822 private-key xxxxxx } wireguard wg111 { address xxx.xxx.60.8/32 description colorado.xyz.net mtu 1420 peer location1 { address xxx.xxx.10.171 allowed-ips xxx.xxx.0.0/0 allowed-ips ::/0 persistent-keepalive 10 port 51821 preshared-key **************** public-key **************** } port 51824 private-key xxxxxx } wireguard wg112 { address xxx.xxx.60.4/32 description ia.xyz.net mtu 1420 peer location1 { address xxx.xxx.101.188 allowed-ips xxx.xxx.0.0/0 allowed-ips ::/0 persistent-keepalive 10 port 51822 preshared-key **************** public-key **************** } port 51823 private-key xxxxxx } wireguard wg113 { address xxx.xxx.60.12/32 description zaius.xyz.net mtu 1420 peer location1 { address xxx.xxx.247.162 allowed-ips xxx.xxx.0.0/0 allowed-ips ::/0 persistent-keepalive 10 port 51822 preshared-key **************** public-key **************** } port 51825 private-key xxxxxx } wireguard wg120 { address xxx.xxx.60.21/31 address xxxx:xxxx:0000:20::2/64 description dn42-peer.remote.network peer dn42-peer { address xxx.xxx.132.194 allowed-ips xxx.xxx.0.0/0 allowed-ips ::0/0 persistent-keepalive 10 port 51820 preshared-key **************** public-key 
**************** } private-key xxxxxx } } load-balancing { wan { interface-health eth0 { failure-count 5 nexthop dhcp success-count 1 test 10 { resp-time 5 target xxx.xxx.1.1 ttl-limit 1 type ttl } test 20 { resp-time 5 target xxx.xxx.0.1 ttl-limit 1 type ping } } interface-health eth1 { failure-count 5 nexthop dhcp success-count 1 test 10 { resp-time 5 target xxx.xxx.8.8 ttl-limit 1 type ttl } test 20 { resp-time 5 target xxx.xxx.4.4 ttl-limit 1 type ping } } interface-health eth2 { failure-count 5 nexthop dhcp success-count 1 test 10 { resp-time 5 target xxx.xxx.9.9 ttl-limit 1 type ttl } test 20 { resp-time 5 target xxx.xxx.112.112 ttl-limit 1 type ping } } interface-health wg101 { failure-count 5 nexthop dhcp success-count 1 test 10 { resp-time 5 target xxx.xxx.9.10 ttl-limit 1 type ttl } test 20 { resp-time 5 target xxx.xxx.112.10 ttl-limit 1 type ping } } rule 100 { description "SpeedTest - Spectrum" destination { address xxx.xxx.97.0/24 } inbound-interface eth4 interface eth1 { weight 1 } protocol all source { address xxx.xxx.0.0/0 } } sticky-connections { inbound } } } nat { destination { rule 10 { description "Port Forward: PLEX to xxx.xxx.10.1" destination { port 32408 } inbound-interface eth0 protocol tcp translation { address xxx.xxx.10.1 port 32400 } } rule 20 { description "Port Forward: PLEX to xxx.xxx.10.1" destination { port 32408 } inbound-interface eth1 protocol tcp translation { address xxx.xxx.10.1 port 32400 } } rule 30 { description "Port Forward: PLEX to xxx.xxx.10.1" destination { port 32408 } inbound-interface eth2 protocol tcp translation { address xxx.xxx.10.1 port 32400 } } rule 40 { description "Port Forward: HTTP to xxx.xxx.10.10 for NGINX" destination { port 80 } inbound-interface eth0 protocol tcp translation { address xxx.xxx.10.1 port 80 } } rule 41 { description "Port Forward: HTTP to xxx.xxx.10.10 for NGINX" destination { port 80 } inbound-interface eth1 protocol tcp translation { address xxx.xxx.10.1 port 80 } } rule 42 { 
description "Port Forward: HTTP to xxx.xxx.10.10 for NGINX" destination { port 80 } inbound-interface eth2 protocol tcp translation { address xxx.xxx.10.1 port 80 } } rule 50 { description "Port Forward: HTTPS to xxx.xxx.10.10 for NGINX" destination { port 443 } inbound-interface eth0 protocol tcp translation { address xxx.xxx.10.1 port 443 } } rule 51 { description "Port Forward: HTTPS to xxx.xxx.10.10 for NGINX" destination { port 443 } inbound-interface eth1 protocol tcp translation { address xxx.xxx.10.1 port 443 } } rule 52 { description "Port Forward: HTTPS to xxx.xxx.10.10 for NGINX" destination { port 443 } inbound-interface eth2 protocol tcp translation { address xxx.xxx.10.1 port 443 } } } source { rule 100 { outbound-interface eth0 source { address xxx.xxx.0.0/16 } translation { address masquerade } } rule 101 { outbound-interface eth0 source { address xxx.xxx.50.0/24 } translation { address masquerade } } rule 102 { outbound-interface eth0 source { address xxx.xxx.10.0/24 } translation { address masquerade } } rule 103 { outbound-interface eth0 source { address xxx.xxx.54.0/24 } translation { address masquerade } } rule 110 { outbound-interface eth1 source { address xxx.xxx.0.0/16 } translation { address masquerade } } rule 111 { outbound-interface eth1 source { address xxx.xxx.50.0/24 } translation { address masquerade } } rule 112 { outbound-interface eth1 source { address xxx.xxx.10.0/24 } translation { address masquerade } } rule 113 { outbound-interface eth1 source { address xxx.xxx.54.0/24 } translation { address masquerade } } rule 120 { outbound-interface eth2 source { address xxx.xxx.0.0/16 } translation { address masquerade } } rule 121 { outbound-interface eth2 source { address xxx.xxx.50.0/24 } translation { address masquerade } } rule 122 { outbound-interface eth2 source { address xxx.xxx.10.0/24 } translation { address masquerade } } rule 123 { outbound-interface eth2 source { address xxx.xxx.54.0/24 } translation { address masquerade } } 
rule 130 { outbound-interface wg101 source { address xxx.xxx.0.0/16 } translation { address masquerade } } rule 131 { outbound-interface wg101 source { address xxx.xxx.60.0/24 } translation { address masquerade } } rule 132 { outbound-interface wg101 source { address xxx.xxx.51.0/24 } translation { address masquerade } } rule 133 { outbound-interface wg101 source { address xxx.xxx.52.0/24 } translation { address masquerade } } rule 134 { outbound-interface wg101 source { address xxx.xxx.54.0/24 } translation { address masquerade } } rule 135 { outbound-interface wg101 source { address xxx.xxx.10.0/24 } translation { address masquerade } } rule 140 { outbound-interface wg102 source { address xxx.xxx.0.0/16 } translation { address masquerade } } rule 141 { outbound-interface wg102 source { address xxx.xxx.60.0/24 } translation { address masquerade } } rule 142 { outbound-interface wg102 source { address xxx.xxx.50.0/24 } translation { address masquerade } } rule 143 { outbound-interface wg102 source { address xxx.xxx.10.0/24 } translation { address masquerade } } rule 150 { outbound-interface wg103 source { address xxx.xxx.0.0/16 } translation { address masquerade } } rule 151 { outbound-interface wg103 source { address xxx.xxx.60.0/24 } translation { address masquerade } } rule 152 { outbound-interface wg103 source { address xxx.xxx.50.0/24 } translation { address masquerade } } rule 153 { outbound-interface wg103 source { address xxx.xxx.10.0/24 } translation { address masquerade } } rule 160 { outbound-interface wg104 source { address xxx.xxx.0.0/16 } translation { address masquerade } } rule 161 { outbound-interface wg104 source { address xxx.xxx.60.0/24 } translation { address masquerade } } rule 162 { outbound-interface wg104 source { address xxx.xxx.50.0/24 } translation { address masquerade } } rule 163 { outbound-interface wg104 source { address xxx.xxx.10.0/24 } translation { address masquerade } } rule 164 { outbound-interface wg104 source { address 
xxx.xxx.53.0/24 } translation { address masquerade } } rule 170 { outbound-interface wg120 source { address xxx.xxx.0.0/8 } translation { address masquerade } } rule 171 { outbound-interface wg120 source { address xxx.xxx.60.0/24 } translation { address masquerade } } rule 172 { outbound-interface wg120 source { address xxx.xxx.50.0/24 } translation { address masquerade } } rule 173 { outbound-interface wg120 source { address xxx.xxx.10.0/24 } translation { address masquerade } } } } nat66 { destination { rule 10 { inbound-interface eth1 translation { address fc00::/56 } } } source { rule 10 { outbound-interface eth1 source { prefix fc00::/56 } translation { address xxxx:xxxx:3b00:6f00::/56 } } rule 20 { outbound-interface wg101 source { prefix fc00::/56 } translation { address masquerade } } rule 30 { outbound-interface wg120 source { prefix fc00::/56 } translation { address masquerade } } rule 104 { outbound-interface wg104 source { prefix fc00::/56 } translation { address masquerade } } } } policy { local-route { rule 100 { set { table 100 } source xxx.xxx.42.182 } rule 101 { set { table 101 } source xxx.xxx.176.177 } rule 102 { set { table 102 } source xxx.xxx.1.182 } rule 200 { destination xxx.xxx.42.182 set { table 100 } } rule 201 { destination xxx.xxx.176.177 set { table 101 } } rule 202 { destination xxx.xxx.1.182 set { table 102 } } } prefix-list xyz-Network-v4 { rule 10 { action permit le 32 prefix xxx.xxx.0.0/8 } rule 20 { action permit le 32 prefix xxx.xxx.10.0/24 } rule 30 { action permit le 32 prefix xxx.xxx.54.0/24 } } prefix-list BlockIPConflicts { description "Prevent Conflicting Routes" rule 10 { action permit description "Internal IP Space" le 32 prefix xxx.xxx.60.0/24 } rule 20 { action permit description "Internal IP Space" le 32 prefix xxx.xxx.0.0/16 } } prefix-list DN42-Network-v4 { rule 10 { action permit le 32 prefix xxx.xxx.0.0/14 } } prefix-list6 xyz-Network-v6 { rule 10 { action permit le 128 prefix fc00::/56 } } prefix-list6 
BlockIPConflicts-v6 { description "Prevent Conflicting Routes" rule 10 { action permit description "Internal IP Space" le 128 prefix fc00::/64 } } prefix-list6 DN42-Network-v6 { rule 10 { action permit le 128 prefix fd00::/8 } } route LAN-Policy { rule 10 { description "IRC Through Secure VPN Tunnel" destination { group { address-group Unsafe_IRC_Servers } } set { table 114 } } rule 20 { description "IRC Ports Through Secure VPN Tunnel" destination { group { port-group Unsafe_IRC_Ports } } protocol tcp set { table 114 } } rule 30 { description "Local Net Hosts Through VPN Tunnel" set { table 114 } source { group { network-group InternalNetVPNOnly } } } rule 40 { description "Youtube & Google Through NW" destination { group { network-group YouTube-Google-IPv4 } } set { table 102 } } rule 50 { description "Mobile Devices Through NW" destination { group { } } set { table 102 } source { group { address-group MobileDevices-IPv4 } } } rule 60 { description "WhatsApp UDP Through NW" destination { group { port-group WhatsApp_UDP_Ports } } protocol udp set { table 102 } } rule 70 { description "WhatsApp TCP Through NW" destination { group { port-group WhatsApp_TCP_Ports } } protocol tcp set { table 102 } } rule 80 { description "Facetime TCP Through NW" destination { group { port-group FaceTime_TCP_Ports } } protocol tcp set { table 102 } } rule 90 { description "Facetime UDP Through NW" destination { group { port-group FaceTime_UDP_Ports } } protocol udp set { table 102 } } rule 100 { description "Wifi Calling UDP Through NW" destination { group { port-group Wifi_Calling_UDP_Ports } } protocol udp set { table 102 } } rule 110 { description "Zoom TCP Through NW" destination { group { port-group Zoom_TCP_Ports } } protocol tcp set { table 102 } } rule 120 { description "Zoom UDP Through NW" destination { group { port-group Zoom_UDP_Ports } } protocol udp set { table 102 } } } route LAN-GuestNetwork-Policy { rule 10 { description "All Traffic Through Secure VPN" set { table 
111 } } } route LAN-IoTNetwork-Policy { rule 10 { description "All Traffic Through Secure VPN" set { table 111 } } } route LAN-SecureNetwork-Policy { rule 10 { description "All Traffic Through 2H Secure VPN" set { table 114 } } } route-map xyz-Peering-Export { rule 10 { action permit description "Allow xyz-Network" match { ip { address { prefix-list xyz-Network-v4 } } } } rule 20 { action permit description "Allow xyz-Network" match { ipv6 { address { prefix-list xyz-Network-v6 } } } } rule 30 { action permit description "Allow DN42-Network" match { ip { address { prefix-list DN42-Network-v4 } } } } rule 40 { action permit description "Allow DN42-Network" match { ipv6 { address { prefix-list DN42-Network-v6 } } } } rule 50 { action deny match { rpki invalid } } rule 100 { action deny } } route-map xyz-Peering-Import { rule 10 { action deny description "Prevent IP Conflicts" match { ip { address { prefix-list BlockIPConflicts } } } } rule 20 { action deny description "Prevent IP Conflicts" match { ipv6 { address { prefix-list BlockIPConflicts-v6 } } } } rule 30 { action permit description "Allow xyz-Network" match { ip { address { prefix-list xyz-Network-v4 } } } } rule 40 { action permit description "Allow xyz-Network" match { ipv6 { address { prefix-list xyz-Network-v6 } } } } rule 50 { action deny match { rpki invalid } } rule 100 { action deny } } route6 LAN-Policy { rule 10 { description "IRC Through Secure VPN Tunnel" destination { group { address-group Unsafe_IRC_Servers } } set { table 114 } } rule 20 { description "IRC Ports Through Secure VPN Tunnel" destination { group { port-group Unsafe_IRC_Ports } } protocol tcp set { table 114 } } } route6 LAN-GuestNetwork-Policy { rule 10 { description "All Traffic Through Secure VPN" set { table 111 } } } route6 LAN-IoTNetwork-Policy { rule 10 { description "All Traffic Through Secure VPN" set { table 111 } } } route6 LAN-SecureNetwork-Policy { rule 10 { description "All Traffic Through 2H Secure VPN" set { table 
114 } } } } protocols { bgp { address-family { ipv4-unicast { network xxx.xxx.0.0/16 { } network xxx.xxx.54.0/24 { } network xxx.xxx.0.0/14 { } network xxx.xxx.10.0/24 { } } ipv6-unicast { network fc00::/56 { } } } local-as 4242423340 neighbor xxx.xxx.60.3 { address-family { ipv4-unicast { route-map { export xyz-Peering-Export import xyz-Peering-Import } } } bfd { check-control-plane-failure } description xyz-AWS ebgp-multihop 255 interface { remote-as XXXXXX source-interface wg110 } remote-as XXXXXX update-source wg110 } neighbor xxx.xxx.60.5 { address-family { ipv4-unicast { route-map { export xyz-Peering-Export import xyz-Peering-Import } } } bfd { check-control-plane-failure } description xyz-LAR ebgp-multihop 255 interface { remote-as XXXXXX source-interface wg112 } remote-as XXXXXX update-source wg112 } neighbor xxx.xxx.60.9 { address-family { ipv4-unicast { route-map { export xyz-Peering-Export import xyz-Peering-Import } } } bfd { check-control-plane-failure } description xyz-COL ebgp-multihop 255 interface { remote-as XXXXXX source-interface wg111 } remote-as XXXXXX update-source wg111 } neighbor xxx.xxx.60.13 { address-family { ipv4-unicast { route-map { export xyz-Peering-Export import xyz-Peering-Import } } } bfd { check-control-plane-failure } description xyz-ZAI ebgp-multihop 255 interface { remote-as XXXXXX source-interface wg113 } remote-as XXXXXX update-source wg113 } } static { route xxx.xxx.0.0/0 { interface eth0 { distance 200 } } route xxx.xxx.0.1/32 { dhcp-interface eth0 } route xxx.xxx.1.1/32 { dhcp-interface eth0 } route xxx.xxx.4.4/32 { dhcp-interface eth1 } route xxx.xxx.8.8/32 { dhcp-interface eth1 } route xxx.xxx.9.9/32 { dhcp-interface eth2 } route xxx.xxx.9.10/32 { interface wg101 { } } route xxx.xxx.0.0/16 { blackhole { distance 254 } } route xxx.xxx.0.0/24 { next-hop xxx.xxx.60.3 { } } route xxx.xxx.218.53/32 { interface eth2 { } } route xxx.xxx.112.10/32 { interface wg101 { } } route xxx.xxx.112.112/32 { interface eth2 { } } route 
xxx.xxx.54.0/24 { blackhole { distance 254 } } route xxx.xxx.60.3/32 { interface wg110 { } } route xxx.xxx.60.5/32 { interface wg112 { } } route xxx.xxx.60.9/32 { interface wg111 { } } route xxx.xxx.60.13/32 { interface wg113 { } } route xxx.xxx.60.20/32 { interface wg120 { } } route xxx.xxx.0.0/14 { interface wg120 { } } route xxx.xxx.10.0/24 { blackhole { distance 254 } interface wg100 { } } route xxx.xxx.100.1/32 { interface eth1 { } } route6 xxxx:xxxx::10/128 { interface wg101 { } } route6 xxxx:xxxx::fe:10/128 { interface wg101 { } } route6 xxxx:xxxx:bbbb:bb01::1:7ed9/128 { } route6 fc00::/56 { blackhole { distance 254 } } route6 fd00::/8 { interface wg120 { } } table 100 { route xxx.xxx.0.0/0 { dhcp-interface eth0 } route6 ::/0 { interface eth0 { } } } table 101 { route xxx.xxx.0.0/0 { dhcp-interface eth1 } route6 ::/0 { interface eth1 { } } } table 102 { route xxx.xxx.0.0/0 { dhcp-interface eth2 } route6 ::/0 { interface eth2 { } } } table 111 { route xxx.xxx.0.0/0 { interface wg101 { } } route6 ::/0 { interface wg101 { } } } table 112 { route xxx.xxx.0.0/0 { interface wg102 { } } route6 ::/0 { interface wg102 { } } } table 113 { route xxx.xxx.0.0/0 { interface wg103 { } } route6 ::/0 { interface wg103 { } } } table 114 { route xxx.xxx.0.0/0 { interface wg104 { } } route6 ::/0 { interface wg104 { } } } } } service { dhcp-server { hostfile-update host-decl-name shared-network-name xxxxxx { authoritative domain-name xxxxxx ping-check subnet xxx.xxx.51.0/24 { default-router xxx.xxx.51.1 lease 86400 name-server xxx.xxx.51.1 range 0 { start xxx.xxx.51.100 stop xxx.xxx.51.200 } } } shared-network-name xxxxxx { authoritative domain-name xxxxxx ping-check subnet xxx.xxx.54.0/24 { default-router xxx.xxx.54.1 lease 86400 name-server xxx.xxx.54.1 range 0 { start xxx.xxx.54.100 stop xxx.xxx.54.200 } } } shared-network-name xxxxxx { authoritative domain-name xxxxxx ping-check subnet xxx.xxx.52.0/24 { default-router xxx.xxx.52.1 lease 86400 name-server xxx.xxx.52.1 range 0 
{ start xxx.xxx.52.100 stop xxx.xxx.52.200 } } } shared-network-name xxxxxx { authoritative ping-check subnet xxx.xxx.0.0/16 { default-router xxx.xxx.0.1 domain-name xxxxxx domain-search xxxxxx domain-search xxxxxx domain-search xxxxxx domain-search xxxxxx domain-search xxxxxx lease 86400 name-server xxx.xxx.0.4 name-server xxx.xxx.0.5 range 0 { start xxx.xxx.100.1 stop xxx.xxx.199.254 } static-mapping xxxxxx { ip-address xxx.xxx.10.26 mac-address xx:xx:xx:xx:xx:dc } static-mapping xxxxxx { ip-address xxx.xxx.10.17 mac-address xx:xx:xx:xx:xx:51 } static-mapping xxxxxx { ip-address xxx.xxx.10.16 mac-address xx:xx:xx:xx:xx:1e } static-mapping xxxxxx { ip-address xxx.xxx.10.3 mac-address xx:xx:xx:xx:xx:d1 } static-mapping xxxxxx { ip-address xxx.xxx.10.32 mac-address xx:xx:xx:xx:xx:9b } static-mapping xxxxxx { ip-address xxx.xxx.10.30 mac-address xx:xx:xx:xx:xx:7b } static-mapping xxxxxx { ip-address xxx.xxx.10.8 mac-address xx:xx:xx:xx:xx:cc } static-mapping xxxxxx { ip-address xxx.xxx.10.24 mac-address xx:xx:xx:xx:xx:1e } static-mapping xxxxxx { ip-address xxx.xxx.10.31 mac-address xx:xx:xx:xx:xx:84 } static-mapping xxxxxx { ip-address xxx.xxx.10.12 mac-address xx:xx:xx:xx:xx:fb } static-mapping xxxxxx { ip-address xxx.xxx.10.13 mac-address xx:xx:xx:xx:xx:5a } static-mapping xxxxxx { ip-address xxx.xxx.10.14 mac-address xx:xx:xx:xx:xx:40 } static-mapping xxxxxx { ip-address xxx.xxx.10.33 mac-address xx:xx:xx:xx:xx:3b } static-mapping xxxxxx { ip-address xxx.xxx.10.34 mac-address xx:xx:xx:xx:xx:37 } static-mapping xxxxxx { ip-address xxx.xxx.10.36 mac-address xx:xx:xx:xx:xx:d5 } static-mapping xxxxxx { ip-address xxx.xxx.10.23 mac-address xx:xx:xx:xx:xx:aa } static-mapping xxxxxx { ip-address xxx.xxx.10.19 mac-address xx:xx:xx:xx:xx:39 } static-mapping xxxxxx { ip-address xxx.xxx.10.7 mac-address xx:xx:xx:xx:xx:18 } static-mapping xxxxxx { ip-address xxx.xxx.10.9 mac-address xx:xx:xx:xx:xx:bf } static-mapping xxxxxx { ip-address xxx.xxx.10.2 mac-address 
xx:xx:xx:xx:xx:31 }
                /* NOTE(review): static-mapping binds by MAC only; a MAC is not an identity.
                   Any host on the segment can clone the MAC and inherit the reserved address,
                   so firewall groups keyed on these addresses inherit that weakness. */
                static-mapping xxxxxx { ip-address xxx.xxx.0.4 mac-address xx:xx:xx:xx:xx:6b }
                static-mapping xxxxxx { ip-address xxx.xxx.0.5 mac-address xx:xx:xx:xx:xx:69 }
                static-mapping xxxxxx { ip-address xxx.xxx.10.5 mac-address xx:xx:xx:xx:xx:50 }
                static-mapping xxxxxx { ip-address xxx.xxx.10.40 mac-address xx:xx:xx:xx:xx:ef }
                static-mapping xxxxxx { ip-address xxx.xxx.10.1 mac-address xx:xx:xx:xx:xx:10 }
                static-mapping xxxxxx { ip-address xxx.xxx.0.7 mac-address xx:xx:xx:xx:xx:f5 }
                static-mapping xxxxxx { ip-address xxx.xxx.10.38 mac-address xx:xx:xx:xx:xx:e5 }
                static-mapping xxxxxx { ip-address xxx.xxx.10.6 mac-address xx:xx:xx:xx:xx:9f }
                static-mapping xxxxxx { ip-address xxx.xxx.10.29 mac-address xx:xx:xx:xx:xx:d0 }
            }
        }
        /* Second DHCP scope: clients are pointed at the router itself (xxx.xxx.50.1) for DNS,
           which matches the forwarder's listen-address / allow-from entries for this subnet. */
        shared-network-name xxxxxx {
            authoritative
            domain-name xxxxxx
            ping-check
            subnet xxx.xxx.50.0/24 {
                default-router xxx.xxx.50.1
                domain-name xxxxxx
                domain-search xxxxxx
                domain-search xxxxxx
                domain-search xxxxxx
                domain-search xxxxxx
                domain-search xxxxxx
                lease 86400
                name-server xxx.xxx.50.1
                range 0 { start xxx.xxx.50.10 stop xxx.xxx.50.100 }
            }
        }
        /* Third DHCP scope: clients get an off-box resolver (xxx.xxx.218.74), and this subnet is
           absent from the forwarder's allow-from / listen-address lists below, so it is consistent
           (presumably an isolated network). Unlike the other scopes it advertises no domain-search. */
        shared-network-name xxxxxx {
            authoritative
            domain-name xxxxxx
            ping-check
            subnet xxx.xxx.53.0/24 {
                default-router xxx.xxx.53.1
                lease 86400
                name-server xxx.xxx.218.74
                range 0 { start xxx.xxx.53.100 stop xxx.xxx.53.200 }
            }
        }
    }
    dns {
        /* NOTE(review): dyndns login/password are stored in cleartext in config.boot and in every
           saved commit revision (commit-revisions 100 under system). Treat config backups and
           /config/archive as secrets; rotate the dyndns credential if a backup has been shared. */
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name xxxxxx
                    host-name xxxxxx
                    login xyznet
                    password xxxxxx
                }
            }
            interface eth1 {
                service dyndns {
                    host-name xxxxxx
                    login xyznet
                    password xxxxxx
                }
            }
            /* use-web is enabled with no url/skip parameters, i.e. the provider default; presumably
               because eth2 sits behind NAT and its own address is not the public one - confirm. */
            interface eth2 {
                service dyndns {
                    host-name xxxxxx
                    login xyznet
                    password xxxxxx
                }
                use-web { }
            }
        }
        forwarding {
            /* Source ranges permitted to query the forwarder. Keep this list in step with
               listen-address below: an address the forwarder listens on but whose subnet is not
               allowed here will see queries refused, and vice versa is a silent no-op. */
            allow-from xxx.xxx.0.0/16
            allow-from xxx.xxx.50.0/24
            allow-from xxx.xxx.10.0/24
            allow-from ::1/128
            allow-from xxx.xxx.0.1/32
            allow-from xxx.xxx.51.0/24
            allow-from fc00::/56
            allow-from xxx.xxx.54.0/24
            /* Locally-served reverse zones for the site gateways and transit links. */
            authoritative-domain 0.0.10.in-addr.arpa { records { ptr 1 { target gw01.fern.xyz.net } } }
            authoritative-domain 0.1.10.in-addr.arpa { records { ptr 1 { target unraid.colorado.xyz.net } } }
            authoritative-domain 0.5.10.in-addr.arpa { records { ptr 1 { target gw01.zaius.xyz.net } } }
            authoritative-domain 0.10.10.in-addr.arpa { records { ptr 5 { target 3cx.aws.xyz.net } ptr 254 { target gw01.aws.xyz.net } } }
            authoritative-domain 10.0.10.in-addr.arpa { records { ptr 1 { target teracube.fern.xyz.net } } }
            authoritative-domain 10.3.10.in-addr.arpa { records { ptr 1 { target gw01.ia.xyz.net } ptr 10 { target xyzbox.ia.xyz.net } ptr 80 { target unraid.ia.xyz.net } } }
            authoritative-domain 41.20.172.in-addr.arpa { records { ptr 100 { target exabyte.dn42 } } }
            /* Point-to-point transit /31s between sites; ptr 8 is absent from the sequence. */
            authoritative-domain 60.18.172.in-addr.arpa {
                records {
                    ptr 0 { target transit-aws-lar.aws.xyz.net }
                    ptr 1 { target transit-lar-aws.ia.xyz.net }
                    ptr 2 { target transit-FLA-aws.fern.xyz.net }
                    ptr 3 { target transit-aws-FLA.aws.xyz.net }
                    ptr 4 { target transit-FLA-lar.fern.xyz.net }
                    ptr 5 { target transit-lar-FLA.ia.xyz.net }
                    ptr 6 { target transit-aws-col.aws.xyz.net }
                    ptr 7 { target transit-col-aws.colorado.xyz.net }
                    ptr 9 { target transit-FLA-col.fern.xyz.net }
                    ptr 10 { target transit-lar-col.ia.xyz.net }
                    ptr 11 { target transit-col-lar.colorado.xyz.net }
                    ptr 12 { target transit-FLA-zai.fern.xyz.net }
                    ptr 13 { target transit-zai-FLA.zaius.xyz.net }
                    ptr 14 { target transit-aws-zai.aws.xyz.net }
                    ptr 15 { target transit-zai-aws.zaius.xyz.net }
                    ptr 16 { target transit-lar-zai.ia.xyz.net }
                    ptr 17 { target transit-zai-lar.zaius.xyz.net }
                    ptr 18 { target transit-col-zai.colorado.xyz.net }
                    ptr 19 { target transit-zai-col.zaius.xyz.net }
                    ptr 20 { target ex-xyz.remote.network }
                    ptr 21 { target xyz-ex.fern.xyz.net }
                }
            }
            authoritative-domain 100.5.10.in-addr.arpa { records { ptr 201 { target unraid.zaius.xyz.net } } }
            /* Forward zones for each site. These are answered from this box; there is no
               upstream authority, so a client that bypasses the forwarder will not resolve them. */
            authoritative-domain aws.xyz.net {
                records {
                    a 3cx { address xxx.xxx.0.5 }
                    a gw01 { address xxx.xxx.0.254 }
                    a transit-aws-col { address xxx.xxx.60.6 }
                    a transit-aws-lar { address xxx.xxx.60.0 }
                    a transit-aws-FLA { address xxx.xxx.60.3 }
                    a transit-aws-zai { address xxx.xxx.60.14 }
                }
            }
            authoritative-domain colorado.xyz.net {
                records {
                    a gw01 { address xxx.xxx.0.1 }
                    a transit-col-aws { address xxx.xxx.60.7 }
                    a transit-col-lar { address xxx.xxx.60.11 }
                    a transit-col-FLA { address xxx.xxx.60.9 }
                    a transit-col-zai { address xxx.xxx.60.18 }
                    a unraid { address xxx.xxx.10.1 }
                }
            }
            authoritative-domain dn42 { records { a exabyte { address xxx.xxx.41.100 } } }
            authoritative-domain remote.network {
                records {
                    a dn42-us-nj01 { address xxx.xxx.132.194 }
                    a ex-xyz { address xxx.xxx.60.20 }
                    aaaa dn42-us-nj01 { address xxxx:xxxx:5:850::1 }
                    aaaa ex-xyz { address xxxx:xxxx:0:20::1 }
                }
            }
            authoritative-domain ia.xyz.net {
                records {
                    a xyzbox { address xxx.xxx.10.10 }
                    a gw01 { address xxx.xxx.0.1 }
                    a transit-lar-aws { address xxx.xxx.60.1 }
                    a transit-lar-col { address xxx.xxx.60.10 }
                    a transit-lar-FLA { address xxx.xxx.60.5 }
                    a transit-lar-zai { address xxx.xxx.60.16 }
                    a unraid { address xxx.xxx.100.80 }
                }
            }
            /* NOTE(review): a PTR placed directly under in-addr.arpa with a dotted label; its
               target is already served by 60.18.172.in-addr.arpa ptr 13 above. Looks like a stray
               or mis-entered record - verify it is intended, otherwise remove it. */
            authoritative-domain in-addr.arpa { records { ptr xxx.xxx.18.172 { target transit-zai-FLA.zaius.xyz.net } } }
            authoritative-domain zaius.xyz.net {
                records {
                    a gw01 { address xxx.xxx.0.1 }
                    a transit-zai-aws { address xxx.xxx.60.15 }
                    a transit-zai-col { address xxx.xxx.60.19 }
                    a transit-zai-lar { address xxx.xxx.60.17 }
                    a transit-zai-FLA { address xxx.xxx.60.13 }
                    a unraid { address xxx.xxx.100.201 }
                }
            }
            /* NOTE(review): INT_MAX as the cache size. The underlying dnsmasq clamps or rejects
               values far smaller than this on most builds, so this is effectively "as large as
               allowed" rather than a tuned value - confirm what the firmware actually applies. */
            cache-size 2147483647
            /* Conditional forwarding: private reverse zones, dn42 and d.f.ip6.arpa go to a dn42
               resolver. Those queries leave the box in cleartext and that resolver is trusted for
               every answer in these zones. */
            domain 10.in-addr.arpa { recursion-desired server xxxxx.tld server xxxx:xxxx:d42:54::1 }
            domain 20.172.in-addr.arpa { recursion-desired server xxxxx.tld server xxxx:xxxx:d42:54::1 }
            domain 21.172.in-addr.arpa { recursion-desired server xxxxx.tld server xxxx:xxxx:d42:54::1 }
            domain 22.172.in-addr.arpa { recursion-desired server xxxxx.tld server xxxx:xxxx:d42:54::1 }
            domain 23.172.in-addr.arpa { recursion-desired server xxxxx.tld server xxxx:xxxx:d42:54::1 }
            domain dn42 { recursion-desired server xxxxx.tld server xxxx:xxxx:d42:54::1 }
            domain d.f.ip6.arpa { recursion-desired server xxxxx.tld server xxxx:xxxx:d42:54::1 }
            /* Addresses the forwarder binds to; one internal address per LAN segment so the
               resolver is never exposed on a WAN interface. xxx.xxx.0.1 appears twice here -
               possibly two different addresses redacted to the same string, harmless if a true duplicate. */
            listen-address xxx.xxx.0.1
            listen-address fc00::1
            listen-address xxx.xxx.50.1
            listen-address xxx.xxx.10.1
            listen-address xxxx:xxxx:0:1::1
            listen-address xxx.xxx.0.1
            listen-address xxx.xxx.51.1
            listen-address xxxx:xxxx:0:2::1
            listen-address xxxx:xxxx:0:3::1
            listen-address xxxx:xxxx:0:4::1
            listen-address xxxx:xxxx:0:5::1
            listen-address xxx.xxx.54.1
            /* NOTE(review): answers RFC1918 reverse lookups locally (NXDOMAIN) instead of leaking
               them upstream. Verify this does not shadow the explicit 10.in-addr.arpa and
               2x.172.in-addr.arpa forwarders above - check with a reverse lookup for a dn42 address. */
            no-serve-rfc1918
        }
    }
    router-advert {
        interface eth3 {
            dnssl fern.xyz.net
            name-server fc00::4
            name-server fc00::5
            prefix xxxx:xxxx:0:2::/64 { }
        }
        interface eth4 {
            dnssl fern.xyz.net
            managed-flag
            name-server fc00::4
            name-server fc00::5
            prefix xxxx:xxxx:0:0::/64 { }
        }
        /* This VLAN hands out public resolvers via RDNSS instead of the local forwarder, and
           advertises ::/64 (the prefix learned dynamically on this firmware) with short lifetimes.
           Presumably a guest or untrusted segment - confirm that is the intent. */
        interface eth4.100 {
            default-lifetime 300
            default-preference high
            hop-limit 64
            interval { max 30 }
            link-mtu 1500
            managed-flag
            name-server xxxx:xxxx:4700::1111
            name-server xxxx:xxxx:4700::1001
            other-config-flag
            prefix ::/64 { preferred-lifetime 300 valid-lifetime 900 }
            reachable-time 900000
            retrans-timer 0
        }
        /* eth4.110 advertises no RDNSS at all; with managed-flag set, clients are expected to
           obtain DNS from DHCPv6 (not shown here) - confirm a DHCPv6 scope exists for it. */
        interface eth4.110 {
            managed-flag
            prefix xxxx:xxxx:0:5::/64 { }
        }
        interface eth4.120 {
            managed-flag
            name-server xxxx:xxxx:0:4::1
            prefix xxxx:xxxx:0:4::/64 { }
        }
        interface eth4.130 {
            managed-flag
            name-server xxxx:xxxx:0:3::1
            prefix xxxx:xxxx:0:3::/64 { }
        }
    }
    /* Key-only SSH. The service itself binds every interface; reachability from WAN has to be
       cut by a LOCAL firewall ruleset on the external interfaces (not part of this section). */
    ssh {
        disable-password-authentication
        port 22
    }
}
system {
    acceleration { qat }
    /* 100 prior configurations are retained on the box; each one contains the same cleartext
       secrets as the live config (dyndns password, password hash). */
    config-management { commit-revisions 100 }
    /* NOTE(review): every conntrack ALG helper is loaded. These parse untrusted application
       payloads in the kernel, and the SIP/FTP/H.323 helpers in particular have been abused to
       open inbound pinholes through NAT. Keep only the helpers a host on this network actually
       needs; the rest are pure attack surface. */
    conntrack { modules { ftp h323 nfs pptp sip sqlnet tftp } }
    console { device ttyS0 { speed 115200 } }
    domain-name xxxxxx
    host-name xxxxxx
    /* Single admin account, ed25519 key plus a password hash. With SSH password auth disabled
       the hash only matters for console/web access. */
    login {
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ssh-ed25519
                }
            }
        }
    }
    /* The router resolves through its own forwarder (v4 and loopback v6). */
    name-server xxx.xxx.0.1
    name-server ::1
    /* NTP is unauthenticated; time here feeds log timestamps and cert validation, so the
       three servers should be ones you trust. */
    ntp {
        server xxxxx.tld { }
        server xxxxx.tld { }
        server xxxxx.tld { }
    }
    /* Local /etc/hosts overrides; most names collapse onto xxx.xxx.10.1 (likely a reverse-proxy
       or virtual-host front end - cannot be confirmed from here). */
    static-host-mapping {
        host-name xxxxxx { inet xxx.xxx.60.21 inet xxxx:xxxx:0:20::2 }
        host-name xxxxxx { inet xxx.xxx.0.1 inet fc00::1 }
        host-name xxxxxx { inet xxx.xxx.10.1 }
        host-name xxxxxx { inet xxx.xxx.10.1 }
        host-name xxxxxx { inet xxx.xxx.10.1 }
        host-name xxxxxx { inet xxx.xxx.10.1 }
        host-name xxxxxx { inet xxx.xxx.10.1 }
        host-name xxxxxx { inet xxx.xxx.10.1 }
        host-name xxxxxx { inet xxx.xxx.10.1 }
        host-name xxxxxx { inet xxx.xxx.10.1 }
        host-name xxxxxx { inet xxx.xxx.10.1 }
        host-name xxxxxx { inet xxx.xxx.10.1 }
        host-name xxxxxx { inet xxx.xxx.10.1 }
        host-name xxxxxx { inet xxx.xxx.60.2 }
        host-name xxxxxx { inet xxx.xxx.60.9 }
        host-name xxxxxx { inet xxx.xxx.60.4 }
        host-name xxxxxx { inet xxx.xxx.60.12 }
        host-name xxxxxx { inet xxx.xxx.10.1 }
        host-name xxxxxx { inet xxx.xxx.10.1 }
    }
    /* NOTE(review): only the on-box (global) log target is configured in this section; logs
       live in the router's flash and are lost on reboot or rotation. For incident response add a
       remote syslog host so firewall and auth events survive the device. protocols at debug is
       chatty and will rotate other facilities out faster. */
    syslog {
        global {
            facility all { level info }
            facility protocols { level debug }
        }
    }
    time-zone America/Denver
}
/* Egress shapers per uplink; fq-codel on a single default class, no security role. */
traffic-policy {
    shaper NWOut {
        bandwidth 800mbit
        default { bandwidth 100% burst 10mbit queue-type fq-codel }
    }
    shaper SpectrumOut {
        bandwidth 35mbit
        default { bandwidth 100% burst 10mbit queue-type fq-codel }
    }
    shaper VZFiOSOut {
        bandwidth 800mbit
        default { bandwidth 100% burst 10mbit queue-type fq-codel }
    }
}