firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group DMZ-WEBSERVER {
            address 172.16.36.10
            address 172.16.36.40
            address 172.16.36.20
        }
        address-group DMZ-RDP-SERVER {
            address 172.16.33.40
        }
        address-group DOMAIN-CONTROLLER {
            address 172.16.100.10
            address 172.16.100.20
            address 172.16.110.30
        }
        address-group VIDEO {
            address 172.16.33.211
            address 172.16.33.212
            address 172.16.33.213
            address 172.16.33.214
        }
        ipv6-network-group LOCAL-ADDRESSES {
            network ff02::/64
            network fe80::/10
        }
        network-group SSH-IN-ALLOW {
            network 100.65.150.0/23
            network 100.64.69.205/32
            network 100.64.8.67/32
            network 100.64.55.1/32
        }
    }
    ipv6-name ALLOW-ALL-6 {
        default-action accept
    }
    ipv6-name ALLOW-BASIC-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            protocol icmpv6
        }
    }
    ipv6-name ALLOW-ESTABLISHED-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            destination {
                group {
                    network-group LOCAL-ADDRESSES
                }
            }
            protocol icmpv6
            source {
                address fe80::/10
            }
        }
        rule 20 {
            action accept
            icmpv6 {
                type echo-request
            }
            protocol icmpv6
        }
        rule 21 {
            action accept
            icmpv6 {
                type destination-unreachable
            }
            protocol icmpv6
        }
        rule 22 {
            action accept
            icmpv6 {
                type packet-too-big
            }
            protocol icmpv6
        }
        rule 23 {
            action accept
            icmpv6 {
                type time-exceeded
            }
            protocol icmpv6
        }
        rule 24 {
            action accept
            icmpv6 {
                type parameter-problem
            }
            protocol icmpv6
        }
    }
    ipv6-name WAN-LOCAL-6 {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            destination {
                address ff02::/64
            }
            protocol icmpv6
            source {
                address fe80::/10
            }
        }
        rule 50 {
            action accept
            destination {
                address fe80::/10
                port 546
            }
            protocol udp
            source {
                address fe80::/10
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name DMZ-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name DMZ-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            destination {
                group {
                    address-group DOMAIN-CONTROLLER
                }
                port 123,389,636
            }
            protocol tcp_udp
        }
        rule 300 {
            action accept
            destination {
                group {
                    address-group DMZ-RDP-SERVER
                }
                port 3389
            }
            protocol tcp_udp
            source {
                address 172.16.36.20
            }
        }
    }
    name DMZ-LOCAL {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 50 {
            action accept
            destination {
                address 172.16.254.30
                port 53
            }
            protocol tcp_udp
        }
        rule 123 {
            action accept
            destination {
                port 123
            }
            protocol udp
        }
    }
    name DMZ-WAN {
        default-action accept
    }
    name GUEST-DMZ {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name GUEST-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name GUEST-LOCAL {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            destination {
                address 172.31.0.254
                port 53
            }
            protocol tcp_udp
        }
        rule 11 {
            action accept
            destination {
                port 67
            }
            protocol udp
        }
        rule 15 {
            action accept
            destination {
                address 172.31.0.254
            }
            protocol icmp
        }
        rule 100 {
            action accept
            destination {
                address 172.31.0.254
                port 80,443
            }
            protocol tcp
        }
    }
    name GUEST-WAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 25 {
            action accept
            destination {
                port 25,587
            }
            protocol tcp
        }
        rule 53 {
            action accept
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 60 {
            action accept
            source {
                address 172.31.0.200
            }
        }
        rule 80 {
            action accept
            source {
                address 172.31.0.200
            }
        }
        rule 100 {
            action accept
            protocol icmp
        }
        rule 110 {
            action accept
            destination {
                port 110,995
            }
            protocol tcp
        }
        rule 123 {
            action accept
            destination {
                port 123
            }
            protocol udp
        }
        rule 143 {
            action accept
            destination {
                port 143,993
            }
            protocol tcp
        }
        rule 200 {
            action accept
            destination {
                port 80,443
            }
            protocol tcp
        }
        rule 500 {
            action accept
            destination {
                port 500,4500
            }
            protocol udp
        }
        rule 600 {
            action accept
            destination {
                port 5222-5224
            }
            protocol tcp
        }
        rule 601 {
            action accept
            destination {
                port 3478-3497,4500,16384-16387,16393-16402
            }
            protocol udp
        }
        rule 1000 {
            action accept
            source {
                address 172.31.0.184
            }
        }
    }
    name LAN-DMZ {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 22 {
            action accept
            destination {
                port 22
            }
            protocol tcp
        }
        rule 100 {
            action accept
            destination {
                group {
                    address-group DMZ-WEBSERVER
                }
                port 22
            }
            protocol tcp
        }
    }
    name LAN-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name LAN-LOCAL {
        default-action accept
    }
    name LAN-WAN {
        default-action accept
        rule 90 {
            action accept
            destination {
                address 100.65.150.0/23
                port 25
            }
            protocol tcp_udp
            source {
                group {
                    address-group VIDEO
                }
            }
        }
        rule 100 {
            action drop
            source {
                group {
                    address-group VIDEO
                }
            }
        }
    }
    name LOCAL-DMZ {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            destination {
                address 172.16.36.40
                port 80,443
            }
            protocol tcp
        }
    }
    name LOCAL-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 5 {
            action accept
            protocol icmp
        }
        rule 300 {
            action accept
            destination {
                port 1900
            }
            protocol udp
        }
    }
    name LOCAL-LAN {
        default-action accept
    }
    name LOCAL-WAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            protocol icmp
        }
        rule 50 {
            action accept
            destination {
                port 53
            }
            protocol tcp_udp
        }
        rule 80 {
            action accept
            destination {
                port 80,443
            }
            protocol tcp
        }
        rule 123 {
            action accept
            destination {
                port 123
            }
            protocol udp
        }
        rule 800 {
            action accept
            destination {
                address 100.65.151.213
            }
            protocol udp
        }
        rule 805 {
            action accept
            destination {
                address 100.65.151.2
            }
            protocol all
        }
        rule 1010 {
            action accept
            destination {
                address 100.64.69.205
                port 7705
            }
            protocol udp
            source {
                port 7705
            }
        }
        rule 1990 {
            action accept
            destination {
                address 100.64.55.1
                port 10666
            }
            protocol udp
        }
        rule 2000 {
            action accept
            destination {
                address 100.64.39.249
            }
        }
        rule 10200 {
            action accept
            destination {
                address 100.64.89.98
                port 10200
            }
            protocol udp
            source {
                port 10200
            }
        }
    }
    name WAN-DMZ {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            destination {
                address 172.16.36.10
                port 80,443
            }
            protocol tcp
        }
    }
    name WAN-GUEST {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 1000 {
            action accept
            destination {
                address 172.31.0.184
            }
        }
        rule 8000 {
            action accept
            destination {
                address 172.31.0.200
                port 10000
            }
            protocol udp
        }
    }
    name WAN-LAN {
        default-action drop
        enable-default-log
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 1000 {
            action accept
            destination {
                address 172.16.33.40
                port 3389
            }
            protocol tcp
            source {
                group {
                    network-group SSH-IN-ALLOW
                }
            }
        }
    }
    name WAN-LOCAL {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 22 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            source {
                group {
                    network-group SSH-IN-ALLOW
                }
            }
        }
        rule 1990 {
            action accept
            destination {
                port 10666
            }
            protocol udp
            source {
                address 100.64.55.1
            }
        }
        rule 10000 {
            action accept
            destination {
                port 80,443
            }
            protocol tcp
        }
        rule 10100 {
            action accept
            destination {
                port 10100
            }
            protocol udp
            source {
                port 10100
            }
        }
        rule 10200 {
            action accept
            destination {
                port 10200
            }
            protocol udp
            source {
                address 100.64.89.98
                port 10200
            }
        }
    }
    options {
        interface pppoe0 {
            adjust-mss 1452
            adjust-mss6 1432
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    dummy dum0 {
        address 172.16.254.30/32
    }
    ethernet eth0 {
        duplex auto
        offload {
            gro
            gso
            sg
            tso
        }
        ring-buffer {
            rx 256
            tx 256
        }
        speed auto
        vif 5 {
            address 172.16.37.254/24
            ip {
                ospf {
                    authentication {
                        md5 {
                            key-id 10 {
                                md5-key ospf
                            }
                        }
                    }
                    dead-interval 40
                    hello-interval 10
                    priority 1
                    retransmit-interval 5
                    transmit-delay 1
                }
            }
        }
        vif 10 {
            address 172.16.33.254/24
            address 172.16.40.254/24
        }
        vif 50 {
            address 172.16.36.254/24
        }
    }
    ethernet eth1 {
        duplex auto
        offload {
            gro
            gso
            sg
            tso
        }
        speed auto
        vif 20 {
            address 172.31.0.254/24
        }
    }
    ethernet eth2 {
        disable
        duplex auto
        offload {
            gro
            gso
            sg
            tso
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        offload {
            gro
            gso
            sg
            tso
        }
        ring-buffer {
            rx 256
            tx 256
        }
        speed auto
        vif 7 {
        }
    }
    loopback lo {
        address 172.16.254.30/32
    }
    pppoe pppoe0 {
        authentication {
            password vyos
            user vyos
        }
        default-route force
        dhcpv6-options {
            pd 0 {
                interface eth0.10 {
                    address 1
                    sla-id 10
                }
                interface eth1.20 {
                    address 1
                    sla-id 20
                }
                length 56
            }
        }
        ipv6 {
            address {
                autoconf
            }
        }
        no-peer-dns
        source-interface eth3.7
    }
    wireguard wg100 {
        address 172.16.252.128/31
        mtu 1500
        peer HR6 {
            address 100.65.151.213
            allowed-ips 0.0.0.0/0
            port 10100
            pubkey yLpi+UZuI019bmWH2h5fX3gStbpPPPLgEoYMyrdkOnQ=
        }
        port 10100
    }
    wireguard wg200 {
        address 172.16.252.130/31
        mtu 1500
        peer WH56 {
            address 80.151.69.205
            allowed-ips 0.0.0.0/0
            port 10200
            pubkey XQbkj6vnKKBJfJQyThXysU0iGxCvEOEb31kpaZgkrD8=
        }
        port 10200
    }
    wireguard wg666 {
        address 172.29.0.1/31
        mtu 1500
        peer WH34 {
            address 100.65.55.1
            allowed-ips 0.0.0.0/0
            port 10666
            pubkey yaTN4+xAafKM04D+Baeg5GWfbdaw35TE9HQivwRgAk0=
        }
        port 10666
    }
}
nat {
    destination {
        rule 8000 {
            destination {
                port 10000
            }
            inbound-interface pppoe0
            protocol udp
            translation {
                address 172.31.0.200
            }
        }
    }
    source {
        rule 50 {
            outbound-interface pppoe0
            source {
                address 100.64.0.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 100 {
            outbound-interface pppoe0
            source {
                address 172.16.32.0/21
            }
            translation {
                address masquerade
            }
        }
        rule 200 {
            outbound-interface pppoe0
            source {
                address 172.16.100.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 300 {
            outbound-interface pppoe0
            source {
                address 172.31.0.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 400 {
            outbound-interface pppoe0
            source {
                address 172.18.200.0/21
            }
            translation {
                address masquerade
            }
        }
        rule 1000 {
            destination {
                address 192.168.189.0/24
            }
            outbound-interface wg666
            source {
                address 172.16.32.0/21
            }
            translation {
                address 172.29.0.1
            }
        }
        rule 1001 {
            destination {
                address 192.168.189.0/24
            }
            outbound-interface wg666
            source {
                address 172.16.100.0/24
            }
            translation {
                address 172.29.0.1
            }
        }
    }
}
policy {
    route-map MAP-OSPF-CONNECTED {
        rule 1 {
            action deny
            match {
                interface eth1.20
            }
        }
        rule 20 {
            action permit
            match {
                interface eth0.10
            }
        }
        rule 40 {
            action permit
            match {
                interface eth0.50
            }
        }
    }
}
protocols {
    bfd {
        peer 172.16.252.129 {
        }
        peer 172.16.252.131 {
        }
        peer 172.18.254.201 {
        }
    }
    bgp 64503 {
        address-family {
            ipv4-unicast {
                network 172.16.32.0/21 {
                }
                network 172.16.100.0/24 {
                }
                network 172.16.252.128/31 {
                }
                network 172.16.252.130/31 {
                }
                network 172.16.254.30/32 {
                }
                network 172.18.0.0/16 {
                }
            }
        }
        neighbor 172.16.252.129 {
            peer-group WIREGUARD
        }
        neighbor 172.16.252.131 {
            peer-group WIREGUARD
        }
        neighbor 172.18.254.201 {
            address-family {
                ipv4-unicast {
                    nexthop-self {
                    }
                }
            }
            bfd {
            }
            remote-as 64503
            update-source dum0
        }
        parameters {
            default {
                no-ipv4-unicast
            }
            log-neighbor-changes
        }
        peer-group WIREGUARD {
            address-family {
                ipv4-unicast {
                    soft-reconfiguration {
                        inbound
                    }
                }
            }
            bfd
            remote-as external
        }
        timers {
            holdtime 30
            keepalive 10
        }
    }
    ospf {
        area 0 {
            network 172.16.254.30/32
            network 172.16.37.0/24
            network 172.18.201.0/24
            network 172.18.202.0/24
            network 172.18.203.0/24
            network 172.18.204.0/24
        }
        default-information {
            originate {
                always
                metric-type 2
            }
        }
        log-adjacency-changes {
            detail
        }
        parameters {
            abr-type cisco
            router-id 172.16.254.30
        }
        passive-interface default
        passive-interface-exclude eth0.5
        redistribute {
            connected {
                metric-type 2
                route-map MAP-OSPF-CONNECTED
            }
        }
    }
    static {
        interface-route6 2000::/3 {
            next-hop-interface pppoe0 {
            }
        }
        route 10.0.0.0/8 {
            blackhole {
                distance 254
            }
        }
        route 169.254.0.0/16 {
            blackhole {
                distance 254
            }
        }
        route 172.16.0.0/12 {
            blackhole {
                distance 254
            }
        }
        route 172.16.32.0/21 {
            blackhole {
            }
        }
        route 172.18.0.0/16 {
            blackhole {
            }
        }
        route 172.29.0.2/31 {
            next-hop 172.29.0.0 {
            }
        }
        route 192.168.0.0/16 {
            blackhole {
                distance 254
            }
        }
        route 192.168.189.0/24 {
            next-hop 172.29.0.0 {
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name BACKBONE {
            authoritative
            subnet 172.16.37.0/24 {
                default-router 172.16.37.254
                domain-name vyos.net
                domain-search vyos.net
                lease 86400
                name-server 172.16.254.30
                ntp-server 172.16.254.30
                range 0 {
                    start 172.16.37.120
                    stop 172.16.37.149
                }
                static-mapping AP1 {
                    ip-address 172.16.37.231
                    mac-address 02:00:00:00:ee:18
                }
                static-mapping AP2 {
                    ip-address 172.16.37.232
                    mac-address 02:00:00:00:52:84
                }
                static-mapping AP3 {
                    ip-address 172.16.37.233
                    mac-address 02:00:00:00:51:c0
                }
                static-mapping AP4 {
                    ip-address 172.16.37.234
                    mac-address 02:00:00:00:e6:fc
                }
                static-mapping AP5 {
                    ip-address 172.16.37.235
                    mac-address 02:00:00:00:c3:50
                }
            }
        }
        shared-network-name GUEST {
            authoritative
            subnet 172.31.0.0/24 {
                default-router 172.31.0.254
                domain-name vyos.net
                domain-search vyos.net
                lease 86400
                name-server 172.31.0.254
                range 0 {
                    start 172.31.0.101
                    stop 172.31.0.199
                }
            }
        }
        shared-network-name LAN {
            authoritative
            subnet 172.16.33.0/24 {
                default-router 172.16.33.254
                domain-name vyos.net
                domain-search vyos.net
                lease 86400
                name-server 172.16.254.30
                ntp-server 172.16.254.30
                range 0 {
                    start 172.16.33.100
                    stop 172.16.33.189
                }
                static-mapping one {
                    ip-address 172.16.33.221
                    mac-address 02:00:00:00:eb:a6
                }
                static-mapping two {
                    ip-address 172.16.33.211
                    mac-address 02:00:00:00:58:90
                }
                static-mapping three {
                    ip-address 172.16.33.212
                    mac-address 02:00:00:00:12:c7
                }
                static-mapping four {
                    ip-address 172.16.33.214
                    mac-address 02:00:00:00:c4:33
                }
            }
        }
    }
    dns {
        dynamic {
            interface pppoe0 {
                service vyos {
                    host-name r1.vyos.net
                    login vyos-vyos
                    password vyos
                    protocol dyndns2
                    server dyndns.vyos.io
                }
            }
        }
        forwarding {
            allow-from 172.16.0.0/12
            domain 16.172.in-addr.arpa {
                addnta
                recursion-desired
                server 172.16.100.10
                server 172.16.100.20
            }
            domain 18.172.in-addr.arpa {
                addnta
                recursion-desired
                server 172.16.100.10
                server 172.16.100.20
            }
            domain vyos.net {
                addnta
                recursion-desired
                server 172.16.100.20
                server 172.16.100.10
            }
            ignore-hosts-file
            listen-address 172.16.254.30
            listen-address 172.31.0.254
            negative-ttl 60
        }
    }
    lldp {
        legacy-protocols {
            cdp
            edp
            fdp
            sonmp
        }
        snmp {
            enable
        }
    }
    router-advert {
        interface eth0.10 {
            prefix ::/64 {
                preferred-lifetime 2700
                valid-lifetime 5400
            }
        }
        interface eth1.20 {
            prefix ::/64 {
                preferred-lifetime 2700
                valid-lifetime 5400
            }
        }
    }
    snmp {
        community ro-community {
            authorization ro
            network 172.16.100.0/24
        }
        contact "VyOS"
        listen-address 172.16.254.30 {
            port 161
        }
        location "CLOUD"
    }
    ssh {
        disable-host-validation
        port 22
    }
}
system {
    /* up to 200 saved commit revisions; each is presumably a full copy of the configuration, including the clear-text dynamic-DNS password and the password hash stored further down */
    config-management {
        commit-revisions 200
    }
    conntrack {
        expect-table-size 2048
        hash-size 32768
        /* connection-tracking helpers (ALGs): each one parses application payload to open related flows, so the list should match protocols actually in use */
        modules {
            ftp
            h323
            nfs
            pptp
            sqlnet
            tftp
        }
        table-size 262144
        timeout {
            icmp 30
            other 600
            udp {
                other 300
                stream 300
            }
        }
    }
    /* serial console on ttyS0; whoever can reach the serial port reaches the local login prompt */
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name vyos.net
    host-name r1
    login {
        /* the only local account; its authentication node holds a password hash and no public-keys node, so this account authenticates by password only */
        user vyos {
            authentication {
                /* $6$ prefix: SHA-512 crypt hash */
                encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/
                /* empty string is presumably the placeholder the config system leaves after converting a plaintext-password on commit */
                plaintext-password ""
            }
        }
    }
    /* the router resolves through its own DNS forwarder (service dns forwarding listen-address 172.16.254.30) */
    name-server 172.16.254.30
    ntp {
        /* NTP service answers only internal clients from 172.16.0.0/12 */
        allow-clients {
            address 172.16.0.0/12
        }
        /* upstream time sources by name, so time sync depends on the forwarder above being reachable */
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
    }
    option {
        ctrl-alt-delete ignore
        performance latency
        /* a kernel panic triggers an automatic reboot instead of halting the box */
        reboot-on-panic
        startup-beep
    }
    syslog {
        /* every facility logs at debug locally (high volume); the remote collector only receives warning and above, so anything below that exists solely on the router itself */
        global {
            facility all {
                level debug
            }
            facility protocols {
                level debug
            }
        }
        host 172.16.100.1 {
            facility all {
                level warning
            }
        }
    }
    time-zone Europe/Berlin
}
/* 50 mbit egress shaper with a single fq-codel default class; the interface it is attached to is configured under interfaces and is outside this excerpt */
traffic-policy {
    shaper QoS {
        bandwidth 50mbit
        default {
            bandwidth 100%
            burst 15k
            queue-limit 1000
            queue-type fq-codel
        }
    }
}
/* zone-based inter-zone firewalling; every zone drops by default and each permitted direction names an explicit IPv4 ruleset and, where IPv6 is meant to pass, an ipv6-name. The rulesets themselves are defined under firewall and only their names are visible here. */
zone-policy {
    /* no direction into DMZ carries an ipv6-name, so IPv6 towards DMZ hosts presumably falls to the zone default-action drop (confirm if the DMZ carries IPv6 addresses) */
    zone DMZ {
        default-action drop
        from GUEST {
            firewall {
                name GUEST-DMZ
            }
        }
        from LAN {
            firewall {
                name LAN-DMZ
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-DMZ
            }
        }
        from WAN {
            firewall {
                name WAN-DMZ
            }
        }
        interface eth0.50
    }
    zone GUEST {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-GUEST
            }
        }
        from LAN {
            firewall {
                name LAN-GUEST
            }
        }
        from LOCAL {
            firewall {
                ipv6-name ALLOW-ALL-6
                name LOCAL-GUEST
            }
        }
        /* Internet to guest clients over IPv6 is limited to the ALLOW-ESTABLISHED-6 ruleset, matching the WAN->LAN direction */
        from WAN {
            firewall {
                ipv6-name ALLOW-ESTABLISHED-6
                name WAN-GUEST
            }
        }
        interface eth1.20
    }
    zone LAN {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-LAN
            }
        }
        from GUEST {
            firewall {
                name GUEST-LAN
            }
        }
        from LOCAL {
            firewall {
                ipv6-name ALLOW-ALL-6
                name LOCAL-LAN
            }
        }
        from WAN {
            firewall {
                ipv6-name ALLOW-ESTABLISHED-6
                name WAN-LAN
            }
        }
        interface eth0.5
        interface eth0.10
        /* wg100/wg200 (WireGuard, by VyOS naming) are LAN members, so remote tunnel peers inherit every LAN-* ruleset and are treated as on-net clients */
        interface wg100
        interface wg200
    }
    /* traffic to and from the router itself; WAN->LOCAL has dedicated WAN-LOCAL / WAN-LOCAL-6 rulesets, while GUEST->LOCAL keeps IPv6 to established flows only and DMZ->LOCAL carries no IPv6 ruleset at all */
    zone LOCAL {
        default-action drop
        from DMZ {
            firewall {
                name DMZ-LOCAL
            }
        }
        from GUEST {
            firewall {
                ipv6-name ALLOW-ESTABLISHED-6
                name GUEST-LOCAL
            }
        }
        from LAN {
            firewall {
                ipv6-name ALLOW-ALL-6
                name LAN-LOCAL
            }
        }
        from WAN {
            firewall {
                ipv6-name WAN-LOCAL-6
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        /* DMZ->WAN has no ipv6-name, so DMZ hosts presumably cannot initiate IPv6 flows to the Internet */
        from DMZ {
            firewall {
                name DMZ-WAN
            }
        }
        from GUEST {
            firewall {
                ipv6-name ALLOW-ALL-6
                name GUEST-WAN
            }
        }
        from LAN {
            firewall {
                ipv6-name ALLOW-ALL-6
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                ipv6-name ALLOW-ALL-6
                name LOCAL-WAN
            }
        }
        interface pppoe0
        /* the wg666 tunnel is classed as WAN alongside the PPPoE uplink, so its peers are handled by the WAN-* rulesets as untrusted */
        interface wg666
    }
}


// Warning: Do not remove the following line.
// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
// Release version: 1.3.4