# VyOS set-command listing for a PPPoE dial-up router with a VRRP/conntrack-sync
# HA pair, OpenVPN and WireGuard tunnels, DNAT port forwards, policy routing and
# BGP. One command per line; comments are review notes only.
# NOTE(review): passwords, the SNMP community and WireGuard preshared keys are
# stored inline. Treat any secret that appears in a shared listing as disclosed
# and never reuse it on a real device.

# --- Firewall global options ---
# Source-routed packets and received redirects are refused, martians are logged.
# NOTE(review): syn-cookies is disabled, so the kernel SYN-flood fallback is off;
# enable it unless there is a documented reason not to.
# NOTE(review): global source-validation is disabled. Only eth1 and vtun0 set a
# per-interface strict check further down; pppoe0, vtun1 and the WireGuard
# interfaces have none in this listing.
# NOTE(review): send-redirects is enabled, so the router may emit ICMP redirects.
set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'enable'
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'disable'
set firewall global-options twa-hazards-protection 'enable'

# Named chain with a single rule: drop TCP segments that have SYN and ACK set
# and FIN and RST clear.
# NOTE(review): no jump to test_tcp_flags and no input/forward filter chain is
# visible in this listing, so as shown this rule is not attached to any traffic
# path and nothing filters the DNAT forwards below. Confirm against the full
# configuration.
set firewall ipv4 name test_tcp_flags rule 1 action 'drop'
set firewall ipv4 name test_tcp_flags rule 1 protocol 'tcp'
set firewall ipv4 name test_tcp_flags rule 1 tcp flags ack
set firewall ipv4 name test_tcp_flags rule 1 tcp flags not fin
set firewall ipv4 name test_tcp_flags rule 1 tcp flags not rst
set firewall ipv4 name test_tcp_flags rule 1 tcp flags syn

# --- High availability (VRRP) ---
# Unicast VRRP on eth1 between 192.168.0.250 (this node) and 192.168.0.251,
# sharing the virtual address 192.168.0.1.
# NOTE(review): no VRRP authentication node appears in this listing; the LAN
# segment is therefore trusted not to carry forged advertisements.
set high-availability vrrp group LAN address 192.168.0.1/24
set high-availability vrrp group LAN hello-source-address '192.168.0.250'
set high-availability vrrp group LAN interface 'eth1'
set high-availability vrrp group LAN peer-address '192.168.0.251'
set high-availability vrrp group LAN priority '200'
set high-availability vrrp group LAN vrid '1'
set high-availability vrrp sync-group failover-group member 'LAN'

# --- Ethernet ---
# eth0 carries no address here; it is the source interface for pppoe0 below.
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 mtu '9000'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth0 speed 'auto'
# eth1 is the LAN side; strict reverse-path validation is applied here.
set interfaces ethernet eth1 address '192.168.0.250/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 ip source-validation 'strict'
set interfaces ethernet eth1 mtu '9000'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 offload gso
set interfaces ethernet eth1 offload sg
set interfaces ethernet eth1 offload tso
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback lo

# --- OpenVPN vtun0: certificate-authenticated client ---
# The tls entries are names of PKI objects that are not part of this listing.
# NOTE(review): aes256 is presumably the CBC variant in VyOS; aes256gcm would be
# the AEAD choice - confirm against the target release.
# NOTE(review): comp-lzo enables compression inside the tunnel. Upstream OpenVPN
# deprecates compression because compressed-then-encrypted traffic can leak
# plaintext through length side channels; drop it if the server side allows.
# NOTE(review): reneg-sec 86400 rekeys once a day instead of the OpenVPN default
# of 3600 seconds, which widens the window covered by one data-channel key.
set interfaces openvpn vtun0 encryption cipher 'aes256'
set interfaces openvpn vtun0 hash 'sha512'
set interfaces openvpn vtun0 ip adjust-mss '1380'
set interfaces openvpn vtun0 ip source-validation 'strict'
set interfaces openvpn vtun0 keep-alive failure-count '3'
set interfaces openvpn vtun0 keep-alive interval '30'
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 openvpn-option 'comp-lzo adaptive'
set interfaces openvpn vtun0 openvpn-option 'fast-io'
set interfaces openvpn vtun0 openvpn-option 'persist-key'
set interfaces openvpn vtun0 openvpn-option 'reneg-sec 86400'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 remote-host '192.0.2.10'
set interfaces openvpn vtun0 tls auth-key 'openvpn_vtun0_auth'
set interfaces openvpn vtun0 tls ca-certificate 'openvpn_vtun0_1'
set interfaces openvpn vtun0 tls ca-certificate 'openvpn_vtun0_2'
set interfaces openvpn vtun0 tls certificate 'openvpn_vtun0'

# --- OpenVPN vtun1: username/password client ---
# No client certificate is referenced; the client is identified by the inline
# username and password only.
# NOTE(review): the password is stored in clear text and equals the username.
# NOTE(review): hash sha1 is the weakest HMAC digest in this file; vtun0 and
# vtun2 use sha512. The comp-lzo and reneg-sec remarks on vtun0 apply here too.
# route-nopull makes the client ignore routes pushed by the server.
set interfaces openvpn vtun1 authentication password 'vyos1'
set interfaces openvpn vtun1 authentication username 'vyos1'
set interfaces openvpn vtun1 encryption cipher 'aes256'
set interfaces openvpn vtun1 hash 'sha1'
set interfaces openvpn vtun1 ip adjust-mss '1380'
set interfaces openvpn vtun1 keep-alive failure-count '3'
set interfaces openvpn vtun1 keep-alive interval '30'
set interfaces openvpn vtun1 mode 'client'
set interfaces openvpn vtun1 openvpn-option 'comp-lzo adaptive'
set interfaces openvpn vtun1 openvpn-option 'tun-mtu 1500'
set interfaces openvpn vtun1 openvpn-option 'tun-mtu-extra 32'
set interfaces openvpn vtun1 openvpn-option 'mssfix 1300'
set interfaces openvpn vtun1 openvpn-option 'persist-key'
set interfaces openvpn vtun1 openvpn-option 'mute 10'
set interfaces openvpn vtun1 openvpn-option 'route-nopull'
set interfaces openvpn vtun1 openvpn-option 'fast-io'
set interfaces openvpn vtun1 openvpn-option 'reneg-sec 86400'
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 protocol 'udp'
set interfaces openvpn vtun1 remote-host '01.foo.com'
set interfaces openvpn vtun1 remote-port '1194'
set interfaces openvpn vtun1 tls auth-key 'openvpn_vtun1_auth'
set interfaces openvpn vtun1 tls ca-certificate 'openvpn_vtun1_1'
set interfaces openvpn vtun1 tls ca-certificate 'openvpn_vtun1_2'

# --- OpenVPN vtun2: username/password client, administratively disabled ---
# NOTE(review): the credentials remain in the configuration even though the
# interface is disabled; remove them if the tunnel is retired.
set interfaces openvpn vtun2 authentication password 'vyos2'
set interfaces openvpn vtun2 authentication username 'vyos2'
set interfaces openvpn vtun2 disable
set interfaces openvpn vtun2 encryption cipher 'aes256'
set interfaces openvpn vtun2 hash 'sha512'
set interfaces openvpn vtun2 ip adjust-mss '1380'
set interfaces openvpn vtun2 keep-alive failure-count '3'
set interfaces openvpn vtun2 keep-alive interval '30'
set interfaces openvpn vtun2 mode 'client'
set interfaces openvpn vtun2 openvpn-option 'tun-mtu 1500'
set interfaces openvpn vtun2 openvpn-option 'tun-mtu-extra 32'
set interfaces openvpn vtun2 openvpn-option 'mssfix 1300'
set interfaces openvpn vtun2 openvpn-option 'persist-key'
set interfaces openvpn vtun2 openvpn-option 'mute 10'
set interfaces openvpn vtun2 openvpn-option 'route-nopull'
set interfaces openvpn vtun2 openvpn-option 'fast-io'
set interfaces openvpn vtun2 openvpn-option 'remote-random'
set interfaces openvpn vtun2 openvpn-option 'reneg-sec 86400'
set interfaces openvpn vtun2 persistent-tunnel
set interfaces openvpn vtun2 protocol 'udp'
set interfaces openvpn vtun2 remote-host '01.myvpn.com'
set interfaces openvpn vtun2 remote-host '02.myvpn.com'
set interfaces openvpn vtun2 remote-host '03.myvpn.com'
set interfaces openvpn vtun2 remote-port '1194'
set interfaces openvpn vtun2 tls auth-key 'openvpn_vtun2_auth'
set interfaces openvpn vtun2 tls ca-certificate 'openvpn_vtun2_1'

# --- PPPoE uplink ---
# NOTE(review): the PPPoE password is stored in clear text.
set interfaces pppoe pppoe0 authentication password 'password'
set interfaces pppoe pppoe0 authentication username 'vyos'
set interfaces pppoe pppoe0 mtu '1500'
set interfaces pppoe pppoe0 source-interface 'eth0'

# --- WireGuard wg0: four peers, each limited to /32 allowed-ips ---
# The preshared-key values are symmetric secrets; the public-key values are not.
# No interface private key is part of this listing.
# NOTE(review): anyone who can read this configuration or its backups learns
# the preshared keys; restrict read access and rotate after any disclosure.
set interfaces wireguard wg0 address '192.168.10.1/24'
set interfaces wireguard wg0 ip adjust-mss '1380'
set interfaces wireguard wg0 peer blue allowed-ips '192.168.10.3/32'
set interfaces wireguard wg0 peer blue persistent-keepalive '20'
set interfaces wireguard wg0 peer blue preshared-key 'ztFDOY9UyaDvn8N3X97SFMDwIfv7EEfuUIPP2yab6UI='
set interfaces wireguard wg0 peer blue public-key 'G4pZishpMRrLmd96Kr6V7LIuNGdcUb81gWaYZ+FWkG0='
set interfaces wireguard wg0 peer green allowed-ips '192.168.10.21/32'
set interfaces wireguard wg0 peer green persistent-keepalive '25'
set interfaces wireguard wg0 peer green preshared-key 'LQ9qmlTh9G4nZu4UgElxRUwg7JB/qoV799aADJOijnY='
set interfaces wireguard wg0 peer green public-key '5iQUD3VoCDBTPXAPHOwUJ0p7xzKGHEY/wQmgvBVmaFI='
set interfaces wireguard wg0 peer pink allowed-ips '192.168.10.14/32'
set interfaces wireguard wg0 peer pink allowed-ips '192.168.10.16/32'
set interfaces wireguard wg0 peer pink persistent-keepalive '25'
set interfaces wireguard wg0 peer pink preshared-key 'Qi9Odyx0/5itLPN5C5bEy3uMX+tmdl15QbakxpKlWqQ='
set interfaces wireguard wg0 peer pink public-key 'i4qNPmxyy9EETL4tIoZOLKJF4p7IlVmpAE15gglnAk4='
set interfaces wireguard wg0 peer red allowed-ips '192.168.10.4/32'
set interfaces wireguard wg0 peer red persistent-keepalive '20'
set interfaces wireguard wg0 peer red preshared-key 'CumyXX7osvUT9AwnS+m2TEfCaL0Ptc2LfuZ78Sujuk8='
set interfaces wireguard wg0 peer red public-key 'ALGWvMJCKpHF2tVH3hEIHqUe9iFfAmZATUUok/WQzks='
set interfaces wireguard wg0 port '7777'

# --- WireGuard wg1: point-to-point link that carries the BGP session ---
# Peer sam is allowed to source 10.1.1.0/24 and 10.89.90.1/32 only.
set interfaces wireguard wg1 address '10.89.90.2/30'
set interfaces wireguard wg1 ip adjust-mss '1380'
set interfaces wireguard wg1 peer sam address '192.0.2.45'
set interfaces wireguard wg1 peer sam allowed-ips '10.1.1.0/24'
set interfaces wireguard wg1 peer sam allowed-ips '10.89.90.1/32'
set interfaces wireguard wg1 peer sam persistent-keepalive '20'
set interfaces wireguard wg1 peer sam port '1200'
set interfaces wireguard wg1 peer sam preshared-key 'XpFtzx2Z+nR8pBv9/sSf7I94OkZkVYTz0AeU5Q/QQUE='
set interfaces wireguard wg1 peer sam public-key 'v5zfKGvH6W/lfDXJ0en96lvKo1gfFxMUWxe02+Fj5BU='
set interfaces wireguard wg1 port '7778'

# --- Destination NAT: port forwards from the PPPoE uplink to LAN hosts ---
# NOTE(review): none of rules 50-91 restricts the source address, so every
# forwarded port is reachable from any host on the uplink side. Rule 55 (tcp/22)
# and rule 80 (tcp/25) expose SSH and SMTP on 192.168.0.5; rule 60 exposes
# 80 and 443 on the same host. Limit sources where possible and make sure a
# forward filter exists, since none is visible in this listing.
set nat destination rule 50 destination port '49371'
set nat destination rule 50 inbound-interface name 'pppoe0'
set nat destination rule 50 protocol 'tcp_udp'
set nat destination rule 50 translation address '192.168.0.5'
set nat destination rule 51 destination port '58050-58051'
set nat destination rule 51 inbound-interface name 'pppoe0'
set nat destination rule 51 protocol 'tcp'
set nat destination rule 51 translation address '192.168.0.5'
set nat destination rule 52 destination port '22067-22070'
set nat destination rule 52 inbound-interface name 'pppoe0'
set nat destination rule 52 protocol 'tcp'
set nat destination rule 52 translation address '192.168.0.5'
set nat destination rule 53 destination port '34342'
set nat destination rule 53 inbound-interface name 'pppoe0'
set nat destination rule 53 protocol 'tcp_udp'
set nat destination rule 53 translation address '192.168.0.121'
set nat destination rule 54 destination port '45459'
set nat destination rule 54 inbound-interface name 'pppoe0'
set nat destination rule 54 protocol 'tcp_udp'
set nat destination rule 54 translation address '192.168.0.120'
set nat destination rule 55 destination port '22'
set nat destination rule 55 inbound-interface name 'pppoe0'
set nat destination rule 55 protocol 'tcp'
set nat destination rule 55 translation address '192.168.0.5'
set nat destination rule 56 destination port '8920'
set nat destination rule 56 inbound-interface name 'pppoe0'
set nat destination rule 56 protocol 'tcp'
set nat destination rule 56 translation address '192.168.0.5'
set nat destination rule 60 destination port '80,443'
set nat destination rule 60 inbound-interface name 'pppoe0'
set nat destination rule 60 protocol 'tcp'
set nat destination rule 60 translation address '192.168.0.5'
set nat destination rule 70 destination port '5001'
set nat destination rule 70 inbound-interface name 'pppoe0'
set nat destination rule 70 protocol 'tcp'
set nat destination rule 70 translation address '192.168.0.5'
set nat destination rule 80 destination port '25'
set nat destination rule 80 inbound-interface name 'pppoe0'
set nat destination rule 80 protocol 'tcp'
set nat destination rule 80 translation address '192.168.0.5'
set nat destination rule 90 destination port '8123'
set nat destination rule 90 inbound-interface name 'pppoe0'
set nat destination rule 90 protocol 'tcp'
set nat destination rule 90 translation address '192.168.0.7'
set nat destination rule 91 destination port '1880'
set nat destination rule 91 inbound-interface name 'pppoe0'
set nat destination rule 91 protocol 'tcp'
set nat destination rule 91 translation address '192.168.0.7'
# Rule 500 redirects port 53 traffic that arrives on eth1 for a destination
# outside 192.168.0.0/24 to the local resolver at 192.168.0.1, except when the
# source is 192.168.0.1-192.168.0.5.
# NOTE(review): this only covers plain DNS on port 53; DNS over TLS or HTTPS is
# not affected by this rule.
set nat destination rule 500 destination address '!192.168.0.0/24'
set nat destination rule 500 destination port '53'
set nat destination rule 500 inbound-interface name 'eth1'
set nat destination rule 500 protocol 'tcp_udp'
set nat destination rule 500 source address '!192.168.0.1-192.168.0.5'
set nat destination rule 500 translation address '192.168.0.1'

# --- Source NAT: masquerade towards the uplink and both OpenVPN tunnels ---
set nat source rule 1000 outbound-interface name 'pppoe0'
set nat source rule 1000 translation address 'masquerade'
set nat source rule 2000 outbound-interface name 'vtun0'
set nat source rule 2000 source address '192.168.0.0/16'
set nat source rule 2000 translation address 'masquerade'
set nat source rule 3000 outbound-interface name 'vtun1'
set nat source rule 3000 translation address 'masquerade'

# --- Routing policy ---
# Prefix lists used as BGP export (user1-routes) and import (user2-routes)
# filters further down.
set policy prefix-list user1-routes rule 1 action 'permit'
set policy prefix-list user1-routes rule 1 prefix '192.168.0.0/24'
set policy prefix-list user2-routes rule 1 action 'permit'
set policy prefix-list user2-routes rule 1 prefix '10.1.1.0/24'
# Policy-based routing on eth1: rule 10 is disabled; rule 20 sends traffic from
# 192.168.0.240 to routing table 100. The destination nodes carry no value.
set policy route LAN-POLICY-BASED-ROUTING interface 'eth1'
set policy route LAN-POLICY-BASED-ROUTING rule 10 destination
set policy route LAN-POLICY-BASED-ROUTING rule 10 disable
set policy route LAN-POLICY-BASED-ROUTING rule 10 set table '10'
set policy route LAN-POLICY-BASED-ROUTING rule 10 source address '192.168.0.119/32'
set policy route LAN-POLICY-BASED-ROUTING rule 20 destination
set policy route LAN-POLICY-BASED-ROUTING rule 20 set table '100'
set policy route LAN-POLICY-BASED-ROUTING rule 20 source address '192.168.0.240'
# Route-map: permit what matches user1-routes, deny everything else.
set policy route-map rm-static-to-bgp rule 10 action 'permit'
set policy route-map rm-static-to-bgp rule 10 match ip address prefix-list 'user1-routes'
set policy route-map rm-static-to-bgp rule 100 action 'deny'
set policy route6 LAN6-POLICY-BASED-ROUTING interface 'eth1'
set policy route6 LAN6-POLICY-BASED-ROUTING rule 10 destination
set policy route6 LAN6-POLICY-BASED-ROUTING rule 10 disable
set policy route6 LAN6-POLICY-BASED-ROUTING rule 10 set table '10'
set policy route6 LAN6-POLICY-BASED-ROUTING rule 10 source address '2002::1'
set policy route6 LAN6-POLICY-BASED-ROUTING rule 20 destination
set policy route6 LAN6-POLICY-BASED-ROUTING rule 20 set table '100'
set policy route6 LAN6-POLICY-BASED-ROUTING rule 20 source address '2008::f'

# --- BGP ---
# The session to 10.89.90.1 runs inside wg1 and is filtered in both directions
# by prefix lists, which bounds what can be announced or accepted.
# NOTE(review): the neighbor password (TCP MD5 session protection) is stored in
# clear text in the configuration.
set protocols bgp address-family ipv4-unicast redistribute connected route-map 'rm-static-to-bgp'
set protocols bgp neighbor 10.89.90.1 address-family ipv4-unicast nexthop-self
set protocols bgp neighbor 10.89.90.1 address-family ipv4-unicast prefix-list export 'user1-routes'
set protocols bgp neighbor 10.89.90.1 address-family ipv4-unicast prefix-list import 'user2-routes'
set protocols bgp neighbor 10.89.90.1 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 10.89.90.1 password 'ericandre2020'
set protocols bgp neighbor 10.89.90.1 remote-as '64589'
set protocols bgp parameters log-neighbor-changes
set protocols bgp parameters router-id '10.89.90.2'
set protocols bgp system-as '64590'

# --- Static routes, including the tables used by policy routing ---
set protocols static route 100.64.160.23/32 interface pppoe0
set protocols static route 100.64.165.25/32 interface pppoe0
set protocols static route 100.64.165.26/32 interface pppoe0
set protocols static route 100.64.198.0/24 interface vtun0
set protocols static table 10 route 0.0.0.0/0 interface vtun1
set protocols static table 100 route 0.0.0.0/0 next-hop 192.168.10.5

# --- Connection-tracking sync with the HA peer ---
# NOTE(review): state sync runs over eth1, the same interface that serves LAN
# clients; a dedicated link between the two routers is the usual recommendation.
set service conntrack-sync accept-protocol 'tcp'
set service conntrack-sync accept-protocol 'udp'
set service conntrack-sync accept-protocol 'icmp'
set service conntrack-sync disable-external-cache
set service conntrack-sync event-listen-queue-size '8'
set service conntrack-sync expect-sync 'all'
set service conntrack-sync failover-mechanism vrrp sync-group 'failover-group'
set service conntrack-sync interface eth1 peer '192.168.0.251'
set service conntrack-sync sync-queue-size '8'

# --- DHCP server with failover to 192.168.0.251 ---
# Static mappings pin an address to a MAC; this is an addressing convenience,
# not an access control, because a MAC address can be set by the client.
set service dhcp-server failover name 'DHCP02'
set service dhcp-server failover remote '192.168.0.251'
set service dhcp-server failover source-address '192.168.0.250'
set service dhcp-server failover status 'primary'
set service dhcp-server shared-network-name LAN authoritative
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'vyos.net'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-search 'vyos.net'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 name-server '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range LANDynamic start '192.168.0.200'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range LANDynamic stop '192.168.0.240'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping Audio ip-address '192.168.0.107'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping Audio mac '00:50:01:dc:91:14'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping IPTV ip-address '192.168.0.104'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping IPTV mac '00:50:01:31:b5:f6'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping McPrintus ip-address '192.168.0.60'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping McPrintus mac '00:50:01:58:ac:95'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping Mobile01 ip-address '192.168.0.109'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping Mobile01 mac '00:50:01:bc:ac:51'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping camera1 ip-address '192.168.0.11'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping camera1 mac '00:50:01:70:b9:4d'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping camera2 ip-address '192.168.0.12'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping camera2 mac '00:50:01:70:b7:4f'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping pearTV ip-address '192.168.0.101'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping pearTV mac '00:50:01:ba:62:79'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping sand ip-address '192.168.0.110'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping sand mac '00:50:01:af:c5:d2'

# --- DNS forwarder ---
# Listens on the VRRP address only and answers clients in 192.168.0.0/16.
# NOTE(review): dnssec is off, so answers from the upstream resolvers are not
# validated; consider a validating mode if the upstreams support it.
set service dns forwarding allow-from '192.168.0.0/16'
set service dns forwarding cache-size '8192'
set service dns forwarding dnssec 'off'
set service dns forwarding listen-address '192.168.0.1'
set service dns forwarding name-server 100.64.0.1
set service dns forwarding name-server 100.64.0.2

# --- NTP ---
set service ntp allow-client address '192.168.0.0/16'
set service ntp server nz.pool.ntp.org prefer

# --- SNMP ---
# Read-only community, limited to localhost and 192.168.0.0/24.
# NOTE(review): community-based SNMP sends the community string unencrypted on
# the wire; prefer SNMPv3 with authentication and privacy where the monitoring
# system supports it.
set service snmp community AwesomeCommunity authorization 'ro'
set service snmp community AwesomeCommunity client '127.0.0.1'
set service snmp community AwesomeCommunity network '192.168.0.0/24'

# --- SSH ---
# Bound to LAN, VRRP and wg0 addresses only, and limited to user vyos.
# NOTE(review): no setting that disables password authentication appears in
# this listing - confirm key-only login is enforced elsewhere.
set service ssh access-control allow user 'vyos'
set service ssh client-keepalive-interval '60'
set service ssh listen-address '192.168.0.1'
set service ssh listen-address '192.168.10.1'
set service ssh listen-address '192.168.0.250'

# --- System ---
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'vyos'
set system ip arp table-size '1024'
set system name-server '192.168.0.1'
set system name-server 'pppoe0'
set system option ctrl-alt-delete 'ignore'
set system option reboot-on-panic
set system option startup-beep
set system static-host-mapping host-name host60.vyos.net inet '192.168.0.60'
set system static-host-mapping host-name host104.vyos.net inet '192.168.0.104'
set system static-host-mapping host-name host107.vyos.net inet '192.168.0.107'
set system static-host-mapping host-name host109.vyos.net inet '192.168.0.109'
set system sysctl parameter net.core.default_qdisc value 'fq'
set system sysctl parameter net.ipv4.tcp_congestion_control value 'bbr'
# NOTE(review): remote syslog uses UDP, which is unencrypted and offers no
# delivery guarantee, and it ships debug-level messages that may contain
# sensitive detail. Keep the collector on a trusted segment.
set system syslog global facility all level 'info'
set system syslog host 192.168.0.252 facility all level 'debug'
set system syslog host 192.168.0.252 protocol 'udp'
# NOTE(review): the scheduled script is not part of this listing. Check its
# ownership and permissions, and validate whatever it downloads before use.
set system task-scheduler task Update-Blacklists executable path '/config/scripts/vyos-foo-update.script'
set system task-scheduler task Update-Blacklists interval '3h'
set system time-zone 'Pacific/Auckland'