/* Global firewall settings, address and port groups, and the IPv4/IPv6 rulesets that are attached to eth0 vif 15 in the out direction. */
firewall {
    /* The router answers ICMP echo addressed to itself; broadcast echo is ignored. */
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group NET-VYOS-HTTPS-4 {
            address 10.0.150.73
        }
        ipv6-network-group NET-VYOS-6 {
            network 2001:db8:200::/40
        }
        network-group NET-VYOS-4 {
            network 10.0.150.0/23
            network 192.168.189.0/24
        }
        /* TCP ports opened towards the NAS address by rule 1010 of both rulesets. NOTE(review): port 80 is usually clear-text HTTP - confirm it has to be reachable. */
        port-group MY-NAS-PORTS {
            port 80
            port 5000
            port 5001
            port 6022
            port 9443
        }
    }
    /* IPv6 ruleset: default drop, and packets hitting the default action are logged. */
    ipv6-name WAN-TO-VLAN15-6 {
        default-action drop
        enable-default-log
        /* Return traffic of established and related connections. */
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* Drop and log packets in the invalid connection state. */
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        /* Accepts any protocol and port when the source is inside NET-VYOS-6. NOTE(review): trust is by source address only and source-validation is disabled in this firewall block - confirm spoofed internal sources are filtered before they reach this ruleset. */
        rule 100 {
            action accept
            source {
                group {
                    network-group NET-VYOS-6
                }
            }
        }
        /* TCP to the NAS address on MY-NAS-PORTS; no source match is set, so any source is accepted. */
        rule 1010 {
            action accept
            destination {
                address 2001:db8:200:15::a
                group {
                    port-group MY-NAS-PORTS
                }
            }
            protocol tcp
        }
    }
    /* Redirects are not accepted and source-routed packets are refused for IPv6 and IPv4; martian packets are logged. */
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* IPv4 ruleset: same structure as WAN-TO-VLAN15-6 plus rule 1000 for the HTTP/HTTPS host. */
    name WAN-TO-VLAN15-4 {
        default-action drop
        enable-default-log
        /* Return traffic of established and related connections. */
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* Drop and log packets in the invalid connection state. */
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        /* Accepts any protocol and port when the source is inside NET-VYOS-4. NOTE(review): same source-address-only trust as rule 100 of the IPv6 ruleset - confirm anti-spoofing is enforced elsewhere. */
        rule 100 {
            action accept
            source {
                group {
                    network-group NET-VYOS-4
                }
            }
        }
        /* TCP 80 and 443 to the hosts in NET-VYOS-HTTPS-4 from any source. */
        rule 1000 {
            action accept
            destination {
                group {
                    address-group NET-VYOS-HTTPS-4
                }
                port 80,443
            }
            protocol tcp
        }
        /* TCP to 10.0.150.74 on MY-NAS-PORTS from any source. */
        rule 1010 {
            action accept
            destination {
                address 10.0.150.74
                group {
                    port-group MY-NAS-PORTS
                }
            }
            protocol tcp
        }
    }
    receive-redirects disable
    /* NOTE(review): the router still sends ICMP redirects - confirm this is needed on these segments. */
    send-redirects enable
    /* Reverse-path source validation is off. NOTE(review): possibly deliberate because of asymmetric routing (assumption), but the source-group accept rules above then rest on address alone - evaluate strict or loose mode. */
    source-validation disable
    syn-cookies enable
    /* RFC 1337 TIME-WAIT assassination protection is off. */
    twa-hazards-protection disable
}
/* VRRP virtual gateways: one IPv4 and one IPv6 group per VLAN on eth0, joined in a single sync-group. NOTE(review): no group sets VRRP authentication, so protection against rogue advertisements rests on layer-2 controls in these VLANs - confirm. */
high-availability {
    vrrp {
        /* Every group below uses priority 250 and a preempt-delay of 180. */
        group VLAN5-IPv4 {
            interface eth0.5
            preempt-delay 180
            priority 250
            virtual-address 10.0.150.120/28
            vrid 5
        }
        group VLAN5-IPv6 {
            interface eth0.5
            preempt-delay 180
            priority 250
            virtual-address 2001:db8:200:f0::ffff/64
            vrid 6
        }
        group VLAN10-IPv4 {
            interface eth0.10
            preempt-delay 180
            priority 250
            virtual-address 10.0.150.62/26
            vrid 10
        }
        /* Two virtual addresses, matching the two IPv6 prefixes configured on eth0 vif 10. */
        group VLAN10-IPv6 {
            interface eth0.10
            preempt-delay 180
            priority 250
            virtual-address 2001:db8:200:10::ffff/64
            virtual-address 2001:db8:200::ffff/64
            vrid 11
        }
        group VLAN15-IPv4 {
            interface eth0.15
            preempt-delay 180
            priority 250
            virtual-address 10.0.150.78/28
            vrid 15
        }
        group VLAN15-IPv6 {
            interface eth0.15
            preempt-delay 180
            priority 250
            virtual-address 2001:db8:200:15::ffff/64
            vrid 16
        }
        group VLAN500-IPv4 {
            interface eth0.500
            preempt-delay 180
            priority 250
            virtual-address 10.0.151.238/28
            vrid 238
        }
        group VLAN500-IPv6 {
            interface eth0.500
            preempt-delay 180
            priority 250
            virtual-address 2001:db8:200:50::ffff/64
            vrid 239
        }
        /* NOTE(review): the virtual address is written with /28, while eth0 vif 520 and the DHCP subnet covering 10.0.150.190 use /26 - confirm the intended prefix length. */
        group VLAN520-IPv4 {
            interface eth0.520
            preempt-delay 180
            priority 250
            virtual-address 10.0.150.190/28
            vrid 52
        }
        group VLAN520-IPv6 {
            interface eth0.520
            preempt-delay 180
            priority 250
            virtual-address 2001:db8:200:520::ffff/64
            vrid 53
        }
        group VLAN810-IPv4 {
            interface eth0.810
            preempt-delay 180
            priority 250
            virtual-address 10.0.151.30/27
            vrid 80
        }
        group VLAN810-IPv6 {
            interface eth0.810
            preempt-delay 180
            priority 250
            virtual-address 2001:db8:200:102::ffff/64
            vrid 81
        }
        /* All twelve groups are members, so they change state together. */
        sync-group VYOS {
            member VLAN5-IPv4
            member VLAN5-IPv6
            member VLAN10-IPv4
            member VLAN10-IPv6
            member VLAN500-IPv4
            member VLAN500-IPv6
            member VLAN15-IPv4
            member VLAN15-IPv6
            member VLAN810-IPv6
            member VLAN810-IPv4
            member VLAN520-IPv4
            member VLAN520-IPv6
        }
    }
}
/* Addressing: dum0 holds the addresses used as router-id and as SSH/SNMP/NTP listen addresses; eth0 carries one vif per VLAN; eth1 and lo have no settings. */
interfaces {
    dummy dum0 {
        address 2001:db8:200:ffff::2/128
        address 10.0.151.251/32
    }
    ethernet eth0 {
        /* The only vif with OSPF interface settings; eth0.5 is also excluded from passive-interface in protocols ospf. */
        vif 5 {
            address 10.0.150.121/28
            address 2001:db8:200:f0::4/64
            ip {
                ospf {
                    /* OSPF MD5 authentication with key id 10. NOTE(review): the key is stored in clear text, so this file and its backups must be handled as secrets; the value looks like a sample and MD5 is a weak MAC - use a unique key per deployment. */
                    authentication {
                        md5 {
                            key-id 10 {
                                md5-key vyosospfkey
                            }
                        }
                    }
                    cost 10
                    dead-interval 40
                    hello-interval 10
                    network broadcast
                    priority 200
                    retransmit-interval 5
                    transmit-delay 5
                }
            }
        }
        vif 10 {
            address 2001:db8:200:10::1:ffff/64
            address 2001:db8:200::1:ffff/64
            address 10.0.150.60/26
        }
        vif 15 {
            address 10.0.150.76/28
            address 2001:db8:200:15::1:ffff/64
            /* Both rulesets filter traffic the router sends out onto VLAN 15. NOTE(review): this is the only firewall attachment in the file; no in or local ruleset exists on any interface, so traffic addressed to the router itself (SSH, SNMP, NTP, BGP) is not filtered here - confirm that is intended. */
            firewall {
                out {
                    ipv6-name WAN-TO-VLAN15-6
                    name WAN-TO-VLAN15-4
                }
            }
        }
        /* 192.168.189.0/24 segment; service ssh also listens on this address. */
        vif 50 {
            address 192.168.189.2/24
        }
        vif 110 {
            address 2001:db8:200:101::ffff/64
            address 10.0.151.190/27
            address 10.0.151.158/28
        }
        vif 410 {
            address 10.0.151.206/28
            address 2001:db8:200:104::ffff/64
        }
        /* Administratively disabled. */
        vif 450 {
            address 2001:db8:200:103::ffff/64
            address 10.0.151.142/29
            disable
        }
        vif 500 {
            address 10.0.151.236/28
            address 2001:db8:200:50::1:ffff/64
        }
        /* IPv4 prefix length is /26 here; the VRRP group VLAN520-IPv4 writes its virtual address with /28 - confirm which is intended. */
        vif 520 {
            address 10.0.150.188/26
            address 2001:db8:200:520::1:ffff/64
        }
        vif 800 {
            address 2001:db8:200:ff::104:1/112
            address 10.0.151.212/31
        }
        vif 810 {
            address 10.0.151.28/27
            address 2001:db8:200:102::1:ffff/64
        }
    }
    ethernet eth1 {
    }
    loopback lo {
    }
}
/* Routing policy objects referenced by the AS65010 BGP neighbors: export prefix-lists and import/export route-maps. */
policy {
    /* IPv4 export filter: the local /23 aggregate and the default route. */
    prefix-list as65000-origin-v4 {
        rule 10 {
            action permit
            prefix 10.0.150.0/23
        }
        /* Exact match on 0.0.0.0/0 only (no ge or le), which pairs with default-originate on the IPv4 neighbor. */
        rule 100 {
            action permit
            prefix 0.0.0.0/0
        }
    }
    /* IPv6 export filter: the local /40 aggregate only. */
    prefix-list6 as65000-origin-v6 {
        rule 10 {
            action permit
            prefix 2001:db8:200::/40
        }
    }
    /* Permits every received route and sets local-preference 30. NOTE(review): there is no match clause, so nothing here limits which prefixes the peer may announce - consider an import prefix-list and a maximum-prefix limit on the neighbors. */
    route-map as65010-in {
        rule 10 {
            action permit
            set {
                local-preference 30
            }
        }
    }
    /* Prepends 65000 twice on every exported route. */
    route-map as65010-out {
        rule 10 {
            action permit
            set {
                as-path-prepend "65000 65000"
            }
        }
    }
}
/* Routing protocols: BGP AS65000 (two eBGP sessions to AS65010 and iBGP peer-groups sourced from dum0), OSPFv2, OSPFv3 and static routes. */
protocols {
    bgp 65000 {
        address-family {
            ipv4-unicast {
                network 10.0.150.0/23 {
                }
            }
            ipv6-unicast {
                network 2001:db8:200::/40 {
                }
            }
        }
        /* IPv4 eBGP session to AS65010: default route originated, export limited by as65000-origin-v4 and prepended by as65010-out, communities stripped. NOTE(review): no password or ttl-security is set for this neighbor - confirm how the session is protected against spoofed TCP segments. */
        neighbor 10.0.151.222 {
            disable-send-community {
                extended
                standard
            }
            address-family {
                ipv4-unicast {
                    default-originate {
                    }
                    prefix-list {
                        export as65000-origin-v4
                    }
                    route-map {
                        export as65010-out
                        import as65010-in
                    }
                    soft-reconfiguration {
                        inbound
                    }
                }
            }
            capability {
                dynamic
            }
            remote-as 65010
        }
        neighbor 10.0.151.252 {
            peer-group VYOSv4
        }
        neighbor 10.0.151.254 {
            peer-group VYOSv4
        }
        neighbor 2001:db8:200:ffff::3 {
            peer-group VYOSv6
        }
        neighbor 2001:db8:200:ffff::a {
            peer-group VYOSv6
        }
        /* IPv6 eBGP session to AS65010. NOTE(review): unlike the IPv4 session it has no export route-map (no prepend) and capability dynamic sits under the address-family; it also has no password or ttl-security - confirm the asymmetry is intended. */
        neighbor 2001:db8:200:ff::101:2 {
            address-family {
                ipv6-unicast {
                    capability {
                        dynamic
                    }
                    prefix-list {
                        export as65000-origin-v6
                    }
                    route-map {
                        import as65010-in
                    }
                    soft-reconfiguration {
                        inbound
                    }
                }
            }
            remote-as 65010
        }
        /* IPv4 unicast is not activated by default, so each neighbor or peer-group enables its address family explicitly. */
        parameters {
            default {
                no-ipv4-unicast
            }
            log-neighbor-changes
            router-id 10.0.151.251
        }
        /* iBGP peer-group (remote-as equals the local AS) sourced from dum0 with next-hop-self. */
        peer-group VYOSv4 {
            address-family {
                ipv4-unicast {
                    nexthop-self {
                    }
                }
            }
            capability {
                dynamic
            }
            remote-as 65000
            update-source dum0
        }
        /* IPv6 counterpart of VYOSv4. */
        peer-group VYOSv6 {
            address-family {
                ipv6-unicast {
                    nexthop-self {
                    }
                }
            }
            capability {
                dynamic
            }
            remote-as 65000
            update-source dum0
        }
        timers {
            holdtime 30
            keepalive 10
        }
    }
    /* OSPFv2: area 0 with MD5 authentication; all interfaces are passive except dum0 and eth0.5. */
    ospf {
        area 0 {
            area-type {
                normal
            }
            authentication md5
            network 10.0.151.251/32
            network 10.0.151.208/31
            network 10.0.150.112/28
        }
        parameters {
            abr-type cisco
            router-id 10.0.151.251
        }
        passive-interface default
        passive-interface-exclude dum0
        passive-interface-exclude eth0.5
        /* NOTE(review): every connected and static route is redistributed without a route-map, which includes the 192.168.189.0/24 segment on eth0 vif 50 - confirm nothing should be held back. */
        redistribute {
            connected {
                metric-type 2
            }
            static {
                metric-type 2
            }
        }
    }
    /* OSPFv3 on dum0 and eth0.5. NOTE(review): no authentication is configured in this block, unlike OSPFv2 above - confirm adjacency protection for IPv6. */
    ospfv3 {
        area 0.0.0.0 {
            interface dum0
            interface eth0.5
        }
        parameters {
            router-id 10.0.151.251
        }
        redistribute {
            connected {
            }
            static {
            }
        }
    }
    /* Static routes. NOTE(review): MY-NAS is not a recognised static-route keyword; with distance 254 on RFC 1918 and aggregate prefixes it looks like a blackhole route whose keyword was altered when the file was sanitised - verify before loading. */
    static {
        route 10.0.0.0/8 {
            MY-NAS {
                distance 254
            }
        }
        route 172.16.0.0/12 {
            MY-NAS {
                distance 254
            }
        }
        route 192.168.0.0/16 {
            MY-NAS {
                distance 254
            }
        }
        /* NOTE(review): this is the only address in the file outside private and documentation ranges - confirm it is meant to be disclosed when the config is shared. */
        route 193.148.249.144/32 {
            next-hop 192.168.189.1 {
            }
        }
        route 10.0.150.0/23 {
            MY-NAS {
                distance 254
            }
        }
        route 10.0.151.32/27 {
            next-hop 10.0.151.5 {
            }
        }
        route6 2001:db8:2fe:ffff::/64 {
            next-hop 2001:db8:200:102::4 {
            }
        }
        route6 2001:db8:2ff::/48 {
            next-hop 2001:db8:200:101::1 {
            }
        }
        route6 2001:db8:200::/40 {
            MY-NAS {
                distance 254
            }
        }
    }
}
/* Services run by the router: DHCP server with failover, LLDP, IPv6 router advertisements, SNMP and SSH. */
service {
    /* Two DHCP pools, each in a failover pair with this node as primary. */
    dhcp-server {
        shared-network-name NET-VYOS-DHCP-1 {
            subnet 10.0.151.224/28 {
                default-router 10.0.151.238
                dns-server 10.0.150.2
                dns-server 10.0.150.1
                domain-name vyos.net
                failover {
                    local-address 10.0.151.236
                    name NET-VYOS-DHCP-1
                    peer-address 10.0.151.237
                    status primary
                }
                lease 1800
                range 0 {
                    start 10.0.151.225
                    stop 10.0.151.237
                }
            }
        }
        shared-network-name NET-VYOS-HOSTING-1 {
            subnet 10.0.150.128/26 {
                default-router 10.0.150.190
                dns-server 10.0.150.2
                dns-server 10.0.150.1
                domain-name vyos.net
                failover {
                    local-address 10.0.150.188
                    name NET-VYOS-HOSTING-1
                    peer-address 10.0.150.189
                    status primary
                }
                lease 604800
                range 0 {
                    start 10.0.150.129
                    stop 10.0.150.187
                }
            }
        }
    }
    /* LLDP on every interface, advertising the management address. NOTE(review): this also discloses device details on any external-facing link - consider listing internal interfaces only. */
    lldp {
        interface all {
        }
        management-address 10.0.151.251
        snmp {
            enable
        }
    }
    /* Router advertisements for VLAN 500 and 520. NOTE(review): the interface names are eth4.500 and eth4.520, while the interfaces section defines only eth0 vifs - confirm these names. */
    router-advert {
        interface eth4.500 {
            default-preference high
            name-server 2001:db8:200::1
            name-server 2001:db8:200::2
            prefix 2001:db8:200:50::/64 {
                valid-lifetime infinity
            }
        }
        interface eth4.520 {
            default-preference high
            name-server 2001:db8:200::1
            name-server 2001:db8:200::2
            prefix 2001:db8:200:520::/64 {
                valid-lifetime infinity
            }
        }
    }
    /* SNMP with the well-known community string public, limited to two client networks. NOTE(review): v1/v2c communities travel in clear text - use a non-default string or SNMPv3 and keep the client networks tight. */
    snmp {
        community public {
            network 10.0.150.0/26
            network 2001:db8:200:10::/64
        }
        contact noc@vyos.net
        listen-address 10.0.151.251 {
        }
        listen-address 2001:db8:200:ffff::2 {
        }
        location "Jenkins"
    }
    /* SSH on port 22, bound to three addresses. disable-host-validation is understood to turn off the reverse-DNS lookup of clients, not host-key checking (TODO confirm against the release docs). NOTE(review): loglevel fatal suppresses ordinary authentication-failure messages, which removes the main signal for brute-force detection; password logins are not disabled in this block. */
    ssh {
        disable-host-validation
        listen-address 10.0.151.251
        listen-address 2001:db8:200:ffff::2
        listen-address 192.168.189.2
        loglevel fatal
        port 22
    }
}
/* System settings: config archive depth, serial console, login (RADIUS plus one local user), resolvers, NTP, syslog and time zone. */
system {
    config-management {
        commit-revisions 200
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name vyos.net
    host-name vyos
    login {
        banner {
            pre-login "VyOS - Network\n"
        }
        /* RADIUS authentication against two servers. NOTE(review): both servers share one key, stored in clear text, and the value looks like a placeholder - use a unique secret per deployment and treat this file as sensitive. */
        radius {
            server 192.0.2.1 {
                key SuperS3cretRADIUSkey
                timeout 1
            }
            server 192.0.2.2 {
                key SuperS3cretRADIUSkey
                timeout 1
            }
            source-address 192.0.2.254
        }
        /* Local account with the default user name vyos. NOTE(review): the hash uses the $6$ (SHA-512 crypt) format; a hash that appears in a shared config is exposed to offline guessing - set a fresh password on any system built from this file. */
        user vyos {
            authentication {
                encrypted-password $6$O5gJRlDYQpj$MtrCV9lxMnZPMbcxlU7.FI793MImNHznxGoMFgm3Q6QP3vfKJyOSRCt3Ka/GzFQyW1yZS4NS616NLHaIPPFHc0
                plaintext-password ""
            }
        }
    }
    name-server 192.0.2.1
    name-server 192.0.2.2
    name-server 2001:db8:200::1
    name-server 2001:db8:200::2
    /* NTP served to the internal IPv4 and IPv6 aggregates only, listening on the dum0 addresses. */
    ntp {
        allow-clients {
            address 10.0.150.0/23
            address 2001:db8:200::/40
        }
        listen-address 10.0.151.251
        listen-address 2001:db8:200:ffff::2
        server 0.de.pool.ntp.org {
        }
        server 1.de.pool.ntp.org {
        }
        server 2.de.pool.ntp.org {
        }
    }
    syslog {
        /* Local logging: notice and above for everything, debug for the protocols facility. */
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
        /* All facilities and levels are forwarded to the remote collector. NOTE(review): no protocol or port is set, so the transport is the platform default (presumably UDP, unauthenticated and unencrypted) - confirm the path to the collector is trusted. */
        host 10.0.150.26 {
            facility all {
                level all
            }
        }
    }
    time-zone Europe/Berlin
}


// Warning: Do not remove the following line.
// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@18:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@20:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
// Release version: 1.3-beta-202101151942