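# VyOS/EdgeOS-style router configuration in `set`-command form, one command per line.
# `#` lines are comments: they are accepted when this file is sourced from a vbash
# configure script, but are NOT part of the running configuration.
# Addresses, hostnames and secrets are redacted (xxx / xxxxxx) in this dump.
#
# Zones (see the zone-policy section at the bottom):
#   wan   eth0  (DHCP from upstream)      lan    eth1  xxx.xxx.2.0/24
#   wlan  eth2  xxx.xxx.20.0/24           guest  eth3  xxx.xxx.21.0/24
#   local = the router itself; xxx.xxx.200.0/24 is the VPN client net (routed via the vpn VM)
# Anything that cannot be verified from this dump alone is marked NOTE(review) / "presumably".

# ---------------------------------------------------------------------------
# Firewall: global settings and groups
# ---------------------------------------------------------------------------
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
# The AG-* address groups and `internalnets` are not referenced by any rule in this
# dump (kept for future use); `nonroutable` is used by the anti-spoof rules below.
set firewall group address-group AG-Guest address 'xxx.xxx.21.1-xxx.xxx.21.254'
set firewall group address-group AG-Lan address 'xxx.xxx.2.1-xxx.xxx.2.254'
set firewall group address-group AG-Vpn address 'xxx.xxx.200.1-xxx.xxx.200.254'
set firewall group address-group AG-Wifi address 'xxx.xxx.20.1-xxx.xxx.20.254'
set firewall group network-group internalnets network 'xxx.xxx.2.0/24'
set firewall group network-group internalnets network 'xxx.xxx.20.0/24'
set firewall group network-group internalnets network 'xxx.xxx.200.0/24'
# Presumably the three RFC 1918 blocks (10/8, 172.16/12, 192.168/16) -- redacted, verify.
set firewall group network-group nonroutable network 'xxx.xxx.0.0/8'
set firewall group network-group nonroutable network 'xxx.xxx.0.0/12'
set firewall group network-group nonroutable network 'xxx.xxx.0.0/16'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'

# ---------------------------------------------------------------------------
# Firewall rule sets (named <from>-<to>, bound by zone-policy at the bottom)
# ---------------------------------------------------------------------------
# guest: isolated from lan and wlan, unrestricted towards wan.
set firewall name guest-lan default-action 'drop'
set firewall name guest-lan enable-default-log
set firewall name guest-wan default-action 'accept'
set firewall name guest-wlan default-action 'drop'
set firewall name guest-wlan enable-default-log
# lan: trusted; may reach everything except guest.
set firewall name lan-guest default-action 'drop'
set firewall name lan-local default-action 'accept'
set firewall name lan-wan default-action 'accept'
set firewall name lan-wlan default-action 'accept'
# local: the router may initiate anything.
set firewall name local-lan default-action 'accept'
set firewall name local-wan default-action 'accept'
set firewall name local-wlan default-action 'accept'

# wan -> guest: replies only.
set firewall name wan-guest default-action 'drop'
set firewall name wan-guest rule 1 action 'accept'
set firewall name wan-guest rule 1 state established 'enable'
set firewall name wan-guest rule 1 state related 'enable'
set firewall name wan-guest rule 2 action 'drop'
set firewall name wan-guest rule 2 log 'enable'
set firewall name wan-guest rule 2 state invalid 'enable'
# Anti-spoof, mirrors wan-local rule 3 (see caveat there).
set firewall name wan-guest rule 3 action 'drop'
set firewall name wan-guest rule 3 description 'drop rfc 1918 source addresses'
set firewall name wan-guest rule 3 log 'enable'
set firewall name wan-guest rule 3 source group network-group 'nonroutable'

# wan -> lan: replies plus the explicit port-forward targets. Filtering happens after
# DNAT, so these rules match the translated (internal) address and port.
set firewall name wan-lan default-action 'drop'
set firewall name wan-lan rule 1 action 'accept'
set firewall name wan-lan rule 1 state established 'enable'
set firewall name wan-lan rule 1 state related 'enable'
set firewall name wan-lan rule 2 action 'drop'
set firewall name wan-lan rule 2 log 'enable'
set firewall name wan-lan rule 2 state invalid 'enable'
# Anti-spoof, mirrors wan-local rule 3. Kernel reverse-path filtering is off
# (`source-validation 'disable'` below), so without this a packet arriving on eth0
# with a private source address would still be matched by the accept rules 100+.
# Caveat (same as wan-local rule 3): if the upstream side of eth0 is itself an
# RFC 1918 network (double NAT), new connections from that network are dropped here.
set firewall name wan-lan rule 3 action 'drop'
set firewall name wan-lan rule 3 description 'drop rfc 1918 source addresses'
set firewall name wan-lan rule 3 log 'enable'
set firewall name wan-lan rule 3 source group network-group 'nonroutable'
# Rule 100: OpenHAB on server2 (DNAT rule 400). NOTE(review): this publishes a
# home-automation UI directly to the Internet; an OpenVPN endpoint already exists
# (rule 300 / DNAT 300), so consider reaching OpenHAB only over the VPN.
set firewall name wan-lan rule 100 action 'accept'
set firewall name wan-lan rule 100 description 'allow incoming openhab'
set firewall name wan-lan rule 100 destination address 'xxx.xxx.2.8'
set firewall name wan-lan rule 100 destination port '9439'
set firewall name wan-lan rule 100 log 'enable'
set firewall name wan-lan rule 100 protocol 'tcp'
set firewall name wan-lan rule 100 state established 'enable'
set firewall name wan-lan rule 100 state new 'enable'
# Rule 200: Syncthing on 3nuc (DNAT rule 200).
set firewall name wan-lan rule 200 action 'accept'
set firewall name wan-lan rule 200 description 'allow incoming syncthing'
set firewall name wan-lan rule 200 destination address 'xxx.xxx.2.3'
set firewall name wan-lan rule 200 destination port '22000'
set firewall name wan-lan rule 200 protocol 'tcp'
set firewall name wan-lan rule 200 state established 'enable'
set firewall name wan-lan rule 200 state new 'enable'
# Rule 300: OpenVPN on the vpn VM (DNAT rule 300).
set firewall name wan-lan rule 300 action 'accept'
set firewall name wan-lan rule 300 description 'allow incoming openvpn'
set firewall name wan-lan rule 300 destination address 'xxx.xxx.2.6'
set firewall name wan-lan rule 300 destination port '1194'
set firewall name wan-lan rule 300 protocol 'udp'
set firewall name wan-lan rule 300 state established 'enable'
set firewall name wan-lan rule 300 state new 'enable'
# Rules 399/400: SSH to 3nuc, reached from outside as port 5122 (DNAT rule 100).
# The original put `recent count 2 time 300` on the ACCEPT rule. The `recent`
# match selects sources "seen more than N times in the window", so an accept rule
# carrying it admits only sources that have already connected repeatedly and
# leaves first-time connections to the default drop -- the opposite of a rate
# limit. The usual idiom is a DROP rule with the `recent` match placed before a
# plain ACCEPT rule, which is what rules 399/400 now do. NOTE(review): confirm
# the exact threshold (N vs. N+1) on the VyOS/EdgeOS version in use.
set firewall name wan-lan rule 399 action 'drop'
set firewall name wan-lan rule 399 description 'rate-limit incoming ssh 3nuc'
set firewall name wan-lan rule 399 destination address 'xxx.xxx.2.3'
set firewall name wan-lan rule 399 destination port '22'
set firewall name wan-lan rule 399 log 'enable'
set firewall name wan-lan rule 399 protocol 'tcp'
set firewall name wan-lan rule 399 recent count '2'
set firewall name wan-lan rule 399 recent time '300'
set firewall name wan-lan rule 399 state new 'enable'
set firewall name wan-lan rule 400 action 'accept'
set firewall name wan-lan rule 400 description 'allow incoming ssh 3nuc'
set firewall name wan-lan rule 400 destination address 'xxx.xxx.2.3'
set firewall name wan-lan rule 400 destination port '22'
# Log new SSH sessions from the Internet, as rule 100 already does for OpenHAB.
set firewall name wan-lan rule 400 log 'enable'
set firewall name wan-lan rule 400 protocol 'tcp'
set firewall name wan-lan rule 400 state established 'enable'
set firewall name wan-lan rule 400 state new 'enable'
# Rule 500: temporary HTTP forward, kept disabled together with DNAT rule 500.
set firewall name wan-lan rule 500 action 'accept'
set firewall name wan-lan rule 500 description 'incoming port 80 temp'
set firewall name wan-lan rule 500 destination address 'xxx.xxx.2.8'
set firewall name wan-lan rule 500 destination port '80'
set firewall name wan-lan rule 500 disable
set firewall name wan-lan rule 500 protocol 'tcp'
set firewall name wan-lan rule 500 state established 'enable'
set firewall name wan-lan rule 500 state new 'enable'

# wan -> local (the router): replies only; no management service is reachable from wan.
set firewall name wan-local default-action 'drop'
set firewall name wan-local rule 1 action 'accept'
set firewall name wan-local rule 1 description 'accept valid state'
set firewall name wan-local rule 1 state established 'enable'
set firewall name wan-local rule 1 state related 'enable'
set firewall name wan-local rule 2 action 'drop'
set firewall name wan-local rule 2 log 'enable'
set firewall name wan-local rule 2 state invalid 'enable'
# Caveat: eth0 is a DHCP client and the system resolver is xxx.xxx.1.1, so the
# upstream side may itself be a private network; only *new* connections from it
# are affected because rule 1 already accepted replies.
set firewall name wan-local rule 3 action 'drop'
set firewall name wan-local rule 3 description 'drop rfc 1918 source addresses'
set firewall name wan-local rule 3 log 'enable'
set firewall name wan-local rule 3 source group network-group 'nonroutable'

# wan -> wlan: replies only.
set firewall name wan-wlan default-action 'drop'
set firewall name wan-wlan rule 1 action 'accept'
set firewall name wan-wlan rule 1 state established 'enable'
set firewall name wan-wlan rule 1 state related 'enable'
set firewall name wan-wlan rule 2 action 'drop'
set firewall name wan-wlan rule 2 log 'enable'
set firewall name wan-wlan rule 2 state invalid 'enable'
# Anti-spoof, mirrors wan-local rule 3 (see caveat there).
set firewall name wan-wlan rule 3 action 'drop'
set firewall name wan-wlan rule 3 description 'drop rfc 1918 source addresses'
set firewall name wan-wlan rule 3 log 'enable'
set firewall name wan-wlan rule 3 source group network-group 'nonroutable'

# wlan: trusted like lan, except it may not reach guest and may not use outside DNS.
set firewall name wlan-guest default-action 'drop'
set firewall name wlan-lan default-action 'accept'
set firewall name wlan-local default-action 'accept'
set firewall name wlan-wan default-action 'accept'
# Rule 100 blocks direct DNS to the Internet from wlan clients, presumably to pin
# them to the resolver handed out by DHCP (xxx.xxx.2.9, alias 'pihole').
# lan-wan has no such rule -- deliberately, since the pihole host itself lives in
# lan and needs port 53 upstream; a lan rule would have to exempt xxx.xxx.2.9.
set firewall name wlan-wan rule 100 action 'drop'
set firewall name wlan-wan rule 100 description 'drop BS DNS'
set firewall name wlan-wan rule 100 destination port '53'
set firewall name wlan-wan rule 100 protocol 'tcp_udp'
set firewall name wlan-wan rule 100 state established 'enable'
set firewall name wlan-wan rule 100 state new 'enable'

# Kernel knobs. rp_filter stays off (the explicit `nonroutable` drop rules cover
# eth0); ICMP redirects are sent but never accepted.
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'

# ---------------------------------------------------------------------------
# Interfaces. Firewalling is done by zone-policy, so no per-interface `firewall`
# nodes: the empty `eth0 firewall` / `eth2 firewall in` / `eth3 firewall in`
# leftovers from the original dump were removed.
# ---------------------------------------------------------------------------
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 hw-id 'XX:XX:XX:XX:XX:2b'
set interfaces ethernet eth0 traffic-policy out 'WAN_EGRESS'
set interfaces ethernet eth1 address 'xxx.xxx.2.1/24'
set interfaces ethernet eth1 hw-id 'XX:XX:XX:XX:XX:ba'
set interfaces ethernet eth2 address 'xxx.xxx.20.1/24'
set interfaces ethernet eth2 hw-id 'XX:XX:XX:XX:XX:89'
set interfaces ethernet eth3 address 'xxx.xxx.21.1/24'
set interfaces ethernet eth3 hw-id 'XX:XX:XX:XX:XX:b3'
set interfaces loopback lo

# ---------------------------------------------------------------------------
# NAT. Every destination rule needs a matching wan-lan accept rule (see above).
# ---------------------------------------------------------------------------
# External 5122 -> 3nuc:22 (wan-lan rules 399/400).
set nat destination rule 100 description 'inbound ssh to 3nuc'
set nat destination rule 100 destination port '5122'
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address 'xxx.xxx.2.3'
set nat destination rule 100 translation port '22'
set nat destination rule 200 description 'inbound syncthing to 3nuc'
set nat destination rule 200 destination port '22000'
set nat destination rule 200 inbound-interface 'eth0'
set nat destination rule 200 protocol 'tcp'
set nat destination rule 200 translation address 'xxx.xxx.2.3'
set nat destination rule 200 translation port '22000'
set nat destination rule 300 description 'inbound openvpn to vpn vm'
set nat destination rule 300 destination port '1194'
set nat destination rule 300 inbound-interface 'eth0'
set nat destination rule 300 protocol 'udp'
set nat destination rule 300 translation address 'xxx.xxx.2.6'
set nat destination rule 300 translation port '1194'
set nat destination rule 400 description 'inbound openhab to openhab vm'
set nat destination rule 400 destination port '9439'
set nat destination rule 400 inbound-interface 'eth0'
set nat destination rule 400 protocol 'tcp'
set nat destination rule 400 translation address 'xxx.xxx.2.8'
set nat destination rule 400 translation port '9439'
# Temporary HTTP forward. The original left this DNAT enabled while its filter
# rule (wan-lan 500) was disabled, so translated packets just hit the default
# drop; disable both sides together so the toggle is in one obvious place.
set nat destination rule 500 description 'inbound port 80 temp (disabled with wan-lan rule 500)'
set nat destination rule 500 destination port '80'
set nat destination rule 500 disable
set nat destination rule 500 inbound-interface 'eth0'
set nat destination rule 500 protocol 'tcp'
set nat destination rule 500 translation address 'xxx.xxx.2.8'
set nat destination rule 500 translation port '80'
# Masquerade all four internal nets (lan, wlan, guest, vpn clients) out of eth0.
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address 'xxx.xxx.2.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 200 outbound-interface 'eth0'
set nat source rule 200 source address 'xxx.xxx.20.0/24'
set nat source rule 200 translation address 'masquerade'
set nat source rule 300 outbound-interface 'eth0'
set nat source rule 300 source address 'xxx.xxx.21.0/24'
set nat source rule 300 translation address 'masquerade'
set nat source rule 400 outbound-interface 'eth0'
set nat source rule 400 source address 'xxx.xxx.200.0/24'
set nat source rule 400 translation address 'masquerade'

# ---------------------------------------------------------------------------
# Static routes: a /12 via k8swrk1 (presumably a Kubernetes pod/service range --
# it overlaps one of the `nonroutable` blocks, which is fine for internal use)
# and the VPN client net via the vpn VM.
# ---------------------------------------------------------------------------
set protocols static route xxx.xxx.0.0/12 next-hop xxx.xxx.2.17
set protocols static route xxx.xxx.200.0/24 next-hop xxx.xxx.2.6

# ---------------------------------------------------------------------------
# DHCP. guest gets the upstream resolver (xxx.xxx.1.1, also the system
# name-server) since the router's forwarder does not listen on eth3; lan and
# wlan get the pihole (xxx.xxx.2.9) and the router as NTP server.
# ---------------------------------------------------------------------------
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.21.0/24 default-router 'xxx.xxx.21.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.21.0/24 dns-server 'xxx.xxx.1.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.21.0/24 lease '3600'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.21.0/24 range 0 start 'xxx.xxx.21.10'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.21.0/24 range 0 stop 'xxx.xxx.21.50'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.2.0/24 default-router 'xxx.xxx.2.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.2.0/24 dns-server 'xxx.xxx.2.9'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.2.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.2.0/24 lease '3600'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.2.0/24 ntp-server 'xxx.xxx.2.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.2.0/24 range 0 start 'xxx.xxx.2.30'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.2.0/24 range 0 stop 'xxx.xxx.2.50'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 default-router 'xxx.xxx.20.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 dns-server 'xxx.xxx.2.9'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 lease '3600'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 ntp-server 'xxx.xxx.20.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 range 0 start 'xxx.xxx.20.10'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.20.0/24 range 0 stop 'xxx.xxx.20.50'

# Dynamic DNS (credentials redacted; they live in clear text in the saved config,
# so the config file itself must be treated as a secret).
set service dns dynamic interface eth0 service noip host-name xxxxxx
set service dns dynamic interface eth0 service noip login 'xxxxxxxxxxxxxxxxxxxxxx'
set service dns dynamic interface eth0 service noip password xxxxxx
# DNS forwarder: listens on the lan and wlan addresses only, answers lan/wlan/vpn
# clients, and uses the system resolvers (xxx.xxx.1.1 plus whatever eth0's DHCP hands out).
set service dns forwarding allow-from 'xxx.xxx.2.0/24'
set service dns forwarding allow-from 'xxx.xxx.20.0/24'
set service dns forwarding allow-from 'xxx.xxx.200.0/24'
set service dns forwarding cache-size '10000'
set service dns forwarding listen-address 'xxx.xxx.2.1'
set service dns forwarding listen-address 'xxx.xxx.20.1'
set service dns forwarding name-server 'xxx.xxx.1.1'
set service dns forwarding system

# SNMP. NOTE(review): the community string is the one value this dump did not
# redact, and it is published with this page -- rotate it. The authorization is
# the documented default (read-only), spelled out here so nobody has to guess.
# Consider pinning it to the monitoring host with `client`/`network`, or
# switching to SNMPv3 with authentication and encryption.
set service snmp community homecj
set service snmp community homecj authorization 'ro'
set service snmp listen-address xxx.xxx.2.1

# SSH: bound to the lan address only and unreachable from wan (no wan-local
# accept rule). wlan hosts can still reach it through wlan-local. Two public keys
# are configured for the user below; once every operator has a key, consider
# `set service ssh disable-password-authentication`.
set service ssh listen-address 'xxx.xxx.2.1'
set service ssh port '22'

# ---------------------------------------------------------------------------
# System
# ---------------------------------------------------------------------------
set system config-management commit-revisions '20'
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
# NOTE(review): after a commit VyOS/EdgeOS keeps only `encrypted-password` and
# normally leaves `plaintext-password` empty. The value is redacted here, so it
# cannot be checked; if it is non-empty in the real file, delete it.
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx key xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx type ssh-xxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx key xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx type ssh-xxx
set system name-server 'xxx.xxx.1.1'
set system name-servers-dhcp 'eth0'
# NTP served to lan and wlan (not guest, not wan).
set system ntp listen-address 'xxx.xxx.2.1'
set system ntp listen-address 'xxx.xxx.20.1'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system option reboot-on-panic
# Local host table; the aliases are the names used in comments throughout this file.
set system static-host-mapping host-name xxxxxx alias '3nuc'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.3'
set system static-host-mapping host-name xxxxxx alias 'ap-downstairs'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.11'
set system static-host-mapping host-name xxxxxx alias 'ap-upstairs'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.12'
set system static-host-mapping host-name xxxxxx alias 'dev'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.4'
set system static-host-mapping host-name xxxxxx alias 'dns'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.2'
set system static-host-mapping host-name xxxxxx alias 'eqserver'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.16'
set system static-host-mapping host-name xxxxxx alias 'k8scontrol'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.14'
set system static-host-mapping host-name xxxxxx alias 'k8smstr'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.14'
set system static-host-mapping host-name xxxxxx alias 'k8swrk1'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.17'
set system static-host-mapping host-name xxxxxx alias 'k8swrk2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.18'
set system static-host-mapping host-name xxxxxx alias 'k8swrk3'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.19'
set system static-host-mapping host-name xxxxxx alias 'nfs1'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.15'
set system static-host-mapping host-name xxxxxx alias 'pihole'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.9'
set system static-host-mapping host-name xxxxxx alias 'router'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.1'
set system static-host-mapping host-name xxxxxx alias 'server1'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.7'
set system static-host-mapping host-name xxxxxx alias 'server2'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.8'
set system static-host-mapping host-name xxxxxx alias 'sw-downstairs'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.13'
set system static-host-mapping host-name xxxxxx alias 'unifi'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.5'
set system static-host-mapping host-name xxxxxx alias 'vpn'
set system static-host-mapping host-name xxxxxx inet 'xxx.xxx.2.6'
# Local syslog only; the firewall `log` rules above end up here.
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'America/Chicago'

# ---------------------------------------------------------------------------
# Traffic shaping. LAN_INGRESS is defined but not attached to any interface in
# this dump; WAN_EGRESS is applied on eth0 and prioritises TCP ACK/SYN packets.
# ---------------------------------------------------------------------------
set traffic-policy limiter LAN_INGRESS default bandwidth '90mbit'
set traffic-policy limiter LAN_INGRESS default burst '10mb'
set traffic-policy limiter LAN_INGRESS description 'Inbound Rate Limiter'
set traffic-policy shaper WAN_EGRESS bandwidth '10Mbit'
set traffic-policy shaper WAN_EGRESS class 10 bandwidth '30%'
set traffic-policy shaper WAN_EGRESS class 10 burst '15kb'
set traffic-policy shaper WAN_EGRESS class 10 ceiling '100%'
set traffic-policy shaper WAN_EGRESS class 10 match tiny4 ip tcp ack
set traffic-policy shaper WAN_EGRESS class 10 match tiny4 ip tcp syn
set traffic-policy shaper WAN_EGRESS class 10 priority '5'
set traffic-policy shaper WAN_EGRESS class 10 queue-type 'fq-codel'
set traffic-policy shaper WAN_EGRESS default bandwidth '70%'
set traffic-policy shaper WAN_EGRESS default burst '2kb'
set traffic-policy shaper WAN_EGRESS default ceiling '100%'
set traffic-policy shaper WAN_EGRESS default priority '3'
set traffic-policy shaper WAN_EGRESS default queue-type 'fq-codel'

# ---------------------------------------------------------------------------
# Zone policy. Every zone defaults to drop; a missing <from> entry therefore
# means "dropped" (e.g. there is no guest -> local policy, so guest clients
# cannot talk to the router itself, and wan has no guest -> wan restriction
# beyond the guest-wan rule set).
# ---------------------------------------------------------------------------
set zone-policy zone guest default-action 'drop'
set zone-policy zone guest from lan firewall name 'lan-guest'
set zone-policy zone guest from wan firewall name 'wan-guest'
set zone-policy zone guest from wlan firewall name 'wlan-guest'
set zone-policy zone guest interface 'eth3'
set zone-policy zone lan default-action 'drop'
set zone-policy zone lan from guest firewall name 'guest-lan'
set zone-policy zone lan from local firewall name 'local-lan'
set zone-policy zone lan from wan firewall name 'wan-lan'
set zone-policy zone lan from wlan firewall name 'wlan-lan'
set zone-policy zone lan interface 'eth1'
set zone-policy zone local default-action 'drop'
set zone-policy zone local from lan firewall name 'lan-local'
set zone-policy zone local from wan firewall name 'wan-local'
set zone-policy zone local from wlan firewall name 'wlan-local'
set zone-policy zone local local-zone
set zone-policy zone wan default-action 'drop'
set zone-policy zone wan from guest firewall name 'guest-wan'
set zone-policy zone wan from lan firewall name 'lan-wan'
set zone-policy zone wan from local firewall name 'local-wan'
set zone-policy zone wan from wlan firewall name 'wlan-wan'
set zone-policy zone wan interface 'eth0'
set zone-policy zone wlan default-action 'drop'
set zone-policy zone wlan from guest firewall name 'guest-wlan'
set zone-policy zone wlan from lan firewall name 'lan-wlan'
set zone-policy zone wlan from local firewall name 'local-wlan'
set zone-policy zone wlan from wan firewall name 'wan-wlan'
set zone-policy zone wlan interface 'eth2'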