firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group MEDIA-STREAMING-CLIENTS {
            address 172.16.35.241
            address 172.16.35.242
            address 172.16.35.243
        }
        address-group DMZ-WEBSERVER {
            address 172.16.36.10
            address 172.16.36.40
            address 172.16.36.20
        }
        address-group DMZ-RDP-SERVER {
            address 172.16.33.40
        }
        address-group DOMAIN-CONTROLLER {
            address 172.16.100.10
            address 172.16.100.20
        }
        address-group AUDIO-STREAM {
            address 172.16.35.20
            address 172.16.35.21
            address 172.16.35.22
            address 172.16.35.23
        }
        ipv6-network-group LOCAL-ADDRESSES {
            network ff02::/64
            network fe80::/10
        }
        network-group SSH-IN-ALLOW {
            network 192.0.2.0/24
            network 10.0.0.0/8
            network 172.16.0.0/12
            network 192.168.0.0/16
        }
        port-group SMART-TV-PORTS {
            port 5005-5006
            port 80
            port 443
            port 3722
        }
    }
    ipv6-name ALLOW-ALL-6 {
        default-action accept
    }
    ipv6-name ALLOW-BASIC-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            protocol icmpv6
        }
    }
    ipv6-name ALLOW-ESTABLISHED-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            destination {
                group {
                    network-group LOCAL-ADDRESSES
                }
            }
            protocol icmpv6
            source {
                address fe80::/10
            }
        }
        rule 20 {
            action accept
            icmpv6 {
                type echo-request
            }
            protocol icmpv6
        }
        rule 21 {
            action accept
            icmpv6 {
                type destination-unreachable
            }
            protocol icmpv6
        }
        rule 22 {
            action accept
            icmpv6 {
                type packet-too-big
            }
            protocol icmpv6
        }
        rule 23 {
            action accept
            icmpv6 {
                type time-exceeded
            }
            protocol icmpv6
        }
        rule 24 {
            action accept
            icmpv6 {
                type parameter-problem
            }
            protocol icmpv6
        }
    }
    ipv6-name WAN-LOCAL-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            destination {
                address ff02::/64
            }
            protocol icmpv6
            source {
                address fe80::/10
            }
        }
        rule 50 {
            action accept
            description DHCPv6
            destination {
                address fe80::/10
                port 546
            }
            protocol udp
            source {
                address fe80::/10
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name DMZ-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name DMZ-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            description "NTP and LDAP to AD DC"
            destination {
                group {
                    address-group DOMAIN-CONTROLLER
                }
                port 123,389,636
            }
            protocol tcp_udp
        }
        rule 300 {
            action accept
            destination {
                group {
                    address-group DMZ-RDP-SERVER
                }
                port 3389
            }
            protocol tcp_udp
            source {
                address 172.16.36.20
            }
        }
    }
    name DMZ-LOCAL {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 50 {
            action accept
            destination {
                address 172.16.254.30
                port 53
            }
            protocol tcp_udp
        }
        rule 123 {
            action accept
            destination {
                port 123
            }
            protocol udp
        }
        rule 800 {
            action drop
            description "SSH anti brute force"
            destination {
                port ssh
            }
            log enable
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
    }
    name DMZ-WAN {
        default-action accept
    }
    name GUEST-DMZ {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            destination {
                port 80,443
            }
            protocol tcp
        }
    }
    name GUEST-IOT {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            description "MEDIA-STREAMING-CLIENTS Devices to GUEST"
            destination {
                group {
                    address-group MEDIA-STREAMING-CLIENTS
                }
            }
            protocol tcp_udp
        }
        rule 110 {
            action accept
            description "AUDIO-STREAM Devices to GUEST"
            destination {
                group {
                    address-group AUDIO-STREAM
                }
            }
            protocol tcp_udp
        }
        rule 200 {
            action accept
            description "MCAST relay"
            destination {
                address 224.0.0.251
                port 5353
            }
            protocol udp
        }
        rule 300 {
            action accept
            description "BCAST relay"
            destination {
                port 1900
            }
            protocol udp
        }
    }
    name GUEST-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name GUEST-LOCAL {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            description DNS
            destination {
                address 172.31.0.254
                port 53
            }
            protocol tcp_udp
        }
        rule 11 {
            action accept
            description DHCP
            destination {
                port 67
            }
            protocol udp
        }
        rule 15 {
            action accept
            destination {
                address 172.31.0.254
            }
            protocol icmp
        }
        rule 200 {
            action accept
            description "MCAST relay"
            destination {
                address 224.0.0.251
                port 5353
            }
            protocol udp
        }
        rule 210 {
            action accept
            description "AUDIO-STREAM Broadcast"
            destination {
                port 1900
            }
            protocol udp
        }
    }
    name GUEST-WAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 25 {
            action accept
            description SMTP
            destination {
                port 25,587
            }
            protocol tcp
        }
        rule 53 {
            action accept
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 60 {
            action accept
            source {
                address 172.31.0.200
            }
        }
        rule 80 {
            action accept
            source {
                address 172.31.0.200
            }
        }
        rule 100 {
            action accept
            protocol icmp
        }
        rule 110 {
            action accept
            description POP3
            destination {
                port 110,995
            }
            limit {
                rate "10/minute"
            }
            protocol tcp
        }
        rule 123 {
            action accept
            description "NTP Client"
            destination {
                port 123
            }
            protocol udp
        }
        rule 143 {
            action accept
            description IMAP
            destination {
                port 143,993
            }
            protocol tcp
        }
        rule 200 {
            action accept
            destination {
                port 80,443
            }
            protocol tcp
        }
        rule 500 {
            action accept
            description "L2TP IPSec"
            destination {
                port 500,4500
            }
            protocol udp
        }
        rule 600 {
            action accept
            destination {
                port 5222-5224
            }
            protocol tcp
        }
        rule 601 {
            action accept
            destination {
                port 3478-3497,4500,16384-16387,16393-16402
            }
            protocol udp
        }
        rule 1000 {
            action accept
            source {
                address 172.31.0.184
            }
        }
    }
    name IOT-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            description "MEDIA-STREAMING-CLIENTS Devices to IOT"
            protocol tcp_udp
            source {
                group {
                    address-group MEDIA-STREAMING-CLIENTS
                }
            }
        }
        rule 110 {
            action accept
            description "AUDIO-STREAM Devices to IOT"
            protocol tcp_udp
            source {
                group {
                    address-group AUDIO-STREAM
                }
            }
        }
        rule 200 {
            action accept
            description "MCAST relay"
            destination {
                address 224.0.0.251
                port 5353
            }
            protocol udp
        }
        rule 300 {
            action accept
            description "BCAST relay"
            destination {
                port 1900
            }
            protocol udp
        }
    }
    name IOT-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            description "AppleTV to LAN"
            destination {
                group {
                    port-group SMART-TV-PORTS
                }
            }
            protocol tcp_udp
            source {
                group {
                    address-group MEDIA-STREAMING-CLIENTS
                }
            }
        }
        rule 110 {
            action accept
            description "AUDIO-STREAM Devices to LAN"
            protocol tcp_udp
            source {
                group {
                    address-group AUDIO-STREAM
                }
            }
        }
    }
    name IOT-LOCAL {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            description DNS
            destination {
                address 172.16.254.30
                port 53
            }
            protocol tcp_udp
        }
        rule 11 {
            action accept
            description DHCP
            destination {
                port 67
            }
            protocol udp
        }
        rule 15 {
            action accept
            destination {
                address 172.16.35.254
            }
            protocol icmp
        }
        rule 200 {
            action accept
            description "MCAST relay"
            destination {
                address 224.0.0.251
                port 5353
            }
            protocol udp
        }
        rule 201 {
            action accept
            description "MCAST relay"
            destination {
                address 172.16.35.254
                port 5353
            }
            protocol udp
        }
        rule 210 {
            action accept
            description "AUDIO-STREAM Broadcast"
            destination {
                port 1900,1902,6969
            }
            protocol udp
        }
    }
    name IOT-WAN {
        default-action accept
    }
    name LAN-DMZ {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 22 {
            action accept
            description "SSH into DMZ"
            destination {
                port 22
            }
            protocol tcp
        }
        rule 100 {
            action accept
            destination {
                group {
                    address-group DMZ-WEBSERVER
                }
                port 22,80,443
            }
            protocol tcp
        }
    }
    name LAN-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name LAN-IOT {
        default-action accept
    }
    name LAN-LOCAL {
        default-action accept
    }
    name LAN-WAN {
        default-action accept
    }
    name LOCAL-DMZ {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name LOCAL-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 5 {
            action accept
            protocol icmp
        }
        rule 200 {
            action accept
            description "MCAST relay"
            destination {
                address 224.0.0.251
                port 5353
            }
            protocol udp
        }
        rule 300 {
            action accept
            description "BCAST relay"
            destination {
                port 1900
            }
            protocol udp
        }
    }
    name LOCAL-IOT {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 5 {
            action accept
            protocol icmp
        }
        rule 200 {
            action accept
            description "MCAST relay"
            destination {
                address 224.0.0.251
                port 5353
            }
            protocol udp
        }
        rule 300 {
            action accept
            description "BCAST relay"
            destination {
                port 1900,6969
            }
            protocol udp
        }
    }
    name LOCAL-LAN {
        default-action accept
    }
    name LOCAL-WAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            protocol icmp
        }
        rule 50 {
            action accept
            description DNS
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 80 {
            action accept
            destination {
                port 80,443
            }
            protocol tcp
        }
        rule 123 {
            action accept
            description NTP
            destination {
                port 123
            }
            protocol udp
        }
    }
    name WAN-DMZ {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            destination {
                address 172.16.36.10
                port 80,443
            }
            protocol tcp
        }
    }
    name WAN-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 1000 {
            action accept
            destination {
                address 172.31.0.184
            }
        }
        rule 8000 {
            action accept
            destination {
                address 172.31.0.200
                port 10000
            }
            protocol udp
        }
    }
    name WAN-IOT {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name WAN-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 1000 {
            action accept
            destination {
                address 172.16.33.40
                port 3389
            }
            protocol tcp
            source {
                group {
                    network-group SSH-IN-ALLOW
                }
            }
        }
    }
    name WAN-LOCAL {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 22 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            source {
                group {
                    network-group SSH-IN-ALLOW
                }
            }
        }
    }
    options {
        interface pppoe0 {
            adjust-mss 1452
            adjust-mss6 1432
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    dummy dum0 {
        address 172.16.254.30/32
    }
    ethernet eth0 {
        duplex auto
        speed auto
        vif 5 {
            address 172.16.37.254/24
        }
        vif 10 {
            address 172.16.33.254/24
        }
        vif 20 {
            address 172.31.0.254/24
        }
        vif 35 {
            address 172.16.35.254/24
        }
        vif 50 {
            address 172.16.36.254/24
        }
        vif 100 {
            address 172.16.100.254/24
        }
        vif 201 {
            address 172.18.201.254/24
        }
        vif 202 {
            address 172.18.202.254/24
        }
        vif 203 {
            address 172.18.203.254/24
        }
        vif 204 {
            address 172.18.204.254/24
        }
    }
    ethernet eth1 {
        vif 7 {
            description FTTH-PPPoE
        }
    }
    loopback lo {
        address 172.16.254.30/32
    }
    pppoe pppoe0 {
        authentication {
            password vyos
            user vyos
        }
        default-route auto
        description "FTTH 100/50MBit"
        dhcpv6-options {
            pd 0 {
                interface eth0.10 {
                    address 1
                    sla-id 10
                }
                interface eth0.20 {
                    address 1
                    sla-id 20
                }
                length 56
            }
        }
        ipv6 {
            address {
                autoconf
            }
        }
        mtu 1492
        no-peer-dns
        source-interface eth1.7
    }
}
nat {
    destination {
        rule 100 {
            description HTTP(S)
            destination {
                port 80,443
            }
            inbound-interface pppoe0
            log
            protocol tcp
            translation {
                address 172.16.36.10
            }
        }
        rule 1000 {
            destination {
                port 3389
            }
            disable
            inbound-interface pppoe0
            protocol tcp
            translation {
                address 172.16.33.40
            }
        }
        rule 8000 {
            destination {
                port 10000
            }
            inbound-interface pppoe0
            log
            protocol udp
            translation {
                address 172.31.0.200
            }
        }
    }
    source {
        rule 100 {
            log
            outbound-interface pppoe0
            source {
                address 172.16.32.0/19
            }
            translation {
                address masquerade
            }
        }
        rule 200 {
            outbound-interface pppoe0
            source {
                address 172.16.100.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 300 {
            outbound-interface pppoe0
            source {
                address 172.31.0.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 400 {
            outbound-interface pppoe0
            source {
                address 172.18.200.0/21
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        interface-route6 2000::/3 {
            next-hop-interface pppoe0 {
            }
        }
        route 10.0.0.0/8 {
            blackhole {
                distance 254
            }
        }
        route 169.254.0.0/16 {
            blackhole {
                distance 254
            }
        }
        route 172.16.0.0/12 {
            blackhole {
                distance 254
            }
        }
        route 192.168.0.0/16 {
            blackhole {
                distance 254
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name BACKBONE {
            authoritative
            subnet 172.16.37.0/24 {
                default-router 172.16.37.254
                dns-server 172.16.254.30
                domain-name vyos.net
                domain-search vyos.net
                lease 86400
                ntp-server 172.16.254.30
                range 0 {
                    start 172.16.37.120
                    stop 172.16.37.149
                }
                static-mapping AP1.wue3 {
                    ip-address 172.16.37.231
                    mac-address 18:e8:29:6c:c3:a5
                }
            }
        }
        shared-network-name GUEST {
            authoritative
            subnet 172.31.0.0/24 {
                default-router 172.31.0.254
                dns-server 172.31.0.254
                domain-name vyos.net
                domain-search vyos.net
                lease 86400
                range 0 {
                    start 172.31.0.100
                    stop 172.31.0.199
                }
                static-mapping host01 {
                    ip-address 172.31.0.200
                    mac-address 00:50:00:00:00:01
                }
                static-mapping host02 {
                    ip-address 172.31.0.184
                    mac-address 00:50:00:00:00:02
                }
            }
        }
        shared-network-name IOT {
            authoritative
            subnet 172.16.35.0/24 {
                default-router 172.16.35.254
                dns-server 172.16.254.30
                domain-name vyos.net
                domain-search vyos.net
                lease 86400
                ntp-server 172.16.254.30
                range 0 {
                    start 172.16.35.101
                    stop 172.16.35.149
                }
            }
        }
        shared-network-name LAN {
            authoritative
            subnet 172.16.33.0/24 {
                default-router 172.16.33.254
                dns-server 172.16.254.30
                domain-name vyos.net
                domain-search vyos.net
                lease 86400
                ntp-server 172.16.254.30
                range 0 {
                    start 172.16.33.100
                    stop 172.16.33.189
                }
            }
        }
    }
    dns {
        forwarding {
            allow-from 172.16.0.0/12
            cache-size 0
            domain 16.172.in-addr.arpa {
                addnta
                recursion-desired
                server 172.16.100.10
                server 172.16.100.20
                server 172.16.110.30
            }
            domain 18.172.in-addr.arpa {
                addnta
                recursion-desired
                server 172.16.100.10
                server 172.16.100.20
                server 172.16.110.30
            }
            domain vyos.net {
                addnta
                recursion-desired
                server 172.16.100.20
                server 172.16.100.10
                server 172.16.110.30
            }
            ignore-hosts-file
            listen-address 172.16.254.30
            listen-address 172.31.0.254
            negative-ttl 60
        }
    }
    lldp {
        legacy-protocols {
            cdp
        }
        snmp {
            enable
        }
    }
    mdns {
        repeater {
            interface eth0.35
            interface eth0.10
        }
    }
    router-advert {
        interface eth0.10 {
            prefix ::/64 {
                preferred-lifetime 2700
                valid-lifetime 5400
            }
        }
        interface eth0.20 {
            prefix ::/64 {
                preferred-lifetime 2700
                valid-lifetime 5400
            }
        }
    }
    snmp {
        community fooBar {
            authorization ro
            network 172.16.100.0/24
        }
        contact "VyOS maintainers and contributors <maintainers@vyos.io>"
        listen-address 172.16.254.30 {
            port 161
        }
        location "The Internet"
    }
    ssh {
        disable-host-validation
        port 22
    }
}
system {
    config-management {
        commit-revisions 200
    }
    conntrack {
        expect-table-size 2048
        hash-size 32768
        modules {
            sip {
                disable
            }
        }
        table-size 262144
        timeout {
            icmp 30
            other 600
            udp {
                other 300
                stream 300
            }
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name vyos.net
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/
                plaintext-password ""
            }
        }
    }
    name-server 172.16.254.30
    ntp {
        allow-clients {
            address 172.16.0.0/12
        }
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    option {
        ctrl-alt-delete ignore
        reboot-on-panic
        startup-beep
    }
    syslog {
        global {
            facility all {
                level debug
            }
            facility protocols {
                level debug
            }
        }
        host 172.16.100.1 {
            facility all {
                level warning
            }
        }
    }
    time-zone Europe/Berlin
}
traffic-policy {
    shaper QoS {
        bandwidth 50mbit
        default {
            bandwidth 100%
            burst 15k
            queue-limit 1000
            queue-type fq-codel
        }
    }
}
zone-policy {
    zone DMZ {
        default-action drop
        from GUEST {
            firewall {
                name GUEST-DMZ
            }
        }
        from LAN {
            firewall {
                name LAN-DMZ
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-DMZ
            }
        }
        from WAN {
            firewall {
                name WAN-DMZ
            }
        }
        interface eth0.50
    }
    zone GUEST {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-GUEST
            }
        }
        from IOT {
            firewall {
                name IOT-GUEST
            }
        }
        from LAN {
            firewall {
                name LAN-GUEST
            }
        }
        from LOCAL {
            firewall {
                ipv6-name ALLOW-ALL-6
                name LOCAL-GUEST
            }
        }
        from WAN {
            firewall {
                ipv6-name ALLOW-ESTABLISHED-6
                name WAN-GUEST
            }
        }
        interface eth0.20
    }
    zone IOT {
        default-action drop
        from GUEST {
            firewall {
                name GUEST-IOT
            }
        }
        from LAN {
            firewall {
                name LAN-IOT
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-IOT
            }
        }
        from WAN {
            firewall {
                name WAN-IOT
            }
        }
        interface eth0.35
    }
    zone LAN {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-LAN
            }
        }
        from GUEST {
            firewall {
                name GUEST-LAN
            }
        }
        from IOT {
            firewall {
                name IOT-LAN
            }
        }
        from LOCAL {
            firewall {
                ipv6-name ALLOW-ALL-6
                name LOCAL-LAN
            }
        }
        from WAN {
            firewall {
                ipv6-name ALLOW-ESTABLISHED-6
                name WAN-LAN
            }
        }
        interface eth0.5
        interface eth0.10
        interface eth0.100
        interface eth0.201
        interface eth0.202
        interface eth0.203
        interface eth0.204
    }
    zone LOCAL {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-LOCAL
            }
        }
        from GUEST {
            firewall {
                ipv6-name ALLOW-ESTABLISHED-6
                name GUEST-LOCAL
            }
        }
        from IOT {
            firewall {
                name IOT-LOCAL
            }
        }
        from LAN {
            firewall {
                ipv6-name ALLOW-ALL-6
                name LAN-LOCAL
            }
        }
        from WAN {
            firewall {
                ipv6-name WAN-LOCAL-6
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-WAN
            }
        }
        from GUEST {
            firewall {
                ipv6-name ALLOW-ALL-6
                name GUEST-WAN
            }
        }
        from IOT {
            firewall {
                name IOT-WAN
            }
        }
        from LAN {
            firewall {
                ipv6-name ALLOW-ALL-6
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                ipv6-name ALLOW-ALL-6
                name LOCAL-WAN
            }
        }
        interface pppoe0
    }
}


// Warning: Do not remove the following line.
// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@18:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@20:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
// Release version: 1.3-beta-202101091250