firewall {
    /* Global stateful policy: established and related flows are accepted in every ruleset below, so the rules only have to admit the first packet of a new connection */
    global-options {
        state-policy {
            established {
                action "accept"
            }
            related {
                action "accept"
            }
        }
    }
    ipv4 {
        /* LAN <-> router and everything towards the WAN is unfiltered */
        name lan2local {
            default-action "accept"
        }
        name lan2wan {
            default-action "accept"
        }
        name local2lan {
            default-action "accept"
        }
        name local2wan {
            default-action "accept"
        }
        /* WAN -> LAN: drop and log by default, only the rules below get through */
        name wan2lan {
            default-action "drop"
            default-log
            /* No destination address. NOTE(review): for IPv4 this traffic only reaches the LAN through the nat destination rule to 10.0.1.0, so it is effectively the port-forward allow - confirm */
            rule 100 {
                action "accept"
                description "Allow HTTP and HTTPS to lan"
                destination {
                    port "http,https"
                }
                protocol "tcp"
            }
            /* Any ICMP type, echo requests included */
            rule 200 {
                action "accept"
                protocol "icmp"
            }
        }
        /* WAN -> router: drop and log by default; there is no ssh rule here, so service ssh is not reachable from the WAN */
        name wan2local {
            default-action "drop"
            default-log
            /* NOTE(review): tcp/80,443 to the router itself. The nat destination rule rewrites these ports arriving on pppoe0 to 10.0.1.0 before input filtering, so this rule is presumably redundant; removing it avoids exposing a future local listener */
            rule 100 {
                action "accept"
                description "Allow HTTP and HTTPS"
                destination {
                    port "http,https"
                }
                protocol "tcp"
            }
        }
    }
    ipv6 {
        /* IPv6 transit arriving on pppoe0 is handed to wan2lan. NOTE(review): the same ruleset is also bound through zone lan below, so WAN IPv6 is filtered on both paths - confirm that is intended */
        forward {
            filter {
                rule 100 {
                    action "jump"
                    inbound-interface {
                        name "pppoe0"
                    }
                    jump-target "wan2lan"
                }
            }
        }
        /* IPv6 addressed to the router itself from pppoe0 goes through wan2local (also bound via zone local) */
        input {
            filter {
                rule 100 {
                    action "jump"
                    inbound-interface {
                        name "pppoe0"
                    }
                    jump-target "wan2local"
                }
            }
        }
        name lan2local {
            default-action "accept"
        }
        name lan2wan {
            default-action "accept"
        }
        name local2lan {
            default-action "accept"
        }
        name local2wan {
            default-action "accept"
        }
        /* NOTE(review): no default-action or default-log here, unlike the IPv4 ruleset; VyOS drops when it is unset, but stating it keeps both address families auditable side by side */
        name wan2lan {
            /* NOTE(review): no NAT sits in front of this rule and no destination address is given, so every LAN host holding an address from the delegated prefix (pd on pppoe0, advertised by router-advert on eth1) is reachable from the WAN on tcp/80,443 - restrict destination to the intended host */
            rule 100 {
                action "accept"
                description "Allow HTTP and HTTPS to lan"
                destination {
                    port "http,https"
                }
                protocol "tcp"
            }
            /* Any ICMPv6 type: needed for path-MTU discovery, also admits echo */
            rule 200 {
                action "accept"
                protocol "ipv6-icmp"
            }
        }
        /* NOTE(review): no default-action here either - see wan2lan above */
        name wan2local {
            rule 200 {
                action "accept"
                protocol "ipv6-icmp"
            }
            /* DHCPv6 replies (server port 547 -> client port 546) for the prefix delegation requested on pppoe0 */
            rule 300 {
                action "accept"
                destination {
                    port "546"
                }
                protocol "udp"
                source {
                    port "547"
                }
            }
        }
    }
    /* Zone policy: eth1 is the LAN, pppoe0 the WAN and local-zone the router itself; each from-block binds the IPv4 and IPv6 rulesets defined above */
    zone lan {
        from local {
            firewall {
                ipv6-name "local2lan"
                name "local2lan"
            }
        }
        from wan {
            firewall {
                ipv6-name "wan2lan"
                name "wan2lan"
            }
        }
        interface "eth1"
    }
    zone local {
        from lan {
            firewall {
                ipv6-name "lan2local"
                name "lan2local"
            }
        }
        from wan {
            firewall {
                ipv6-name "wan2local"
                name "wan2local"
            }
        }
        local-zone
    }
    zone wan {
        from lan {
            firewall {
                ipv6-name "lan2wan"
                name "lan2wan"
            }
        }
        from local {
            firewall {
                ipv6-name "local2wan"
                name "local2wan"
            }
        }
        interface "pppoe0"
    }
}
interfaces {
    /* No address: this port only carries the PPPoE session (see source-interface under pppoe0) */
    ethernet eth0 {
        hw-id "00:e0:67:2c:81:b4"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    /* LAN side, 10.0.0.0/24; DHCP, DNS, router advertisements and the delegated IPv6 prefix all hang off this interface */
    ethernet eth1 {
        address "10.0.0.254/24"
        hw-id "00:e0:67:2c:81:b5"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    /* eth2 and eth3 are not referenced anywhere else in this file */
    ethernet eth2 {
        hw-id "00:e0:67:2c:81:b6"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth3 {
        hw-id "00:e0:67:2c:81:b7"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    loopback lo {
    }
    /* WAN uplink: PPPoE over eth0 */
    pppoe pppoe0 {
        /* NOTE(review): clear-text PPPoE credentials. This whole file is pushed to the commit-archive repository configured under system config-management, so that repository has to be treated as secret */
        authentication {
            password "CVDQ72qfcB"
            username "prem-vdsl.de/12006575-1%11"
        }
        /* Request a prefix from the provider and hand a /64 of it to eth1; "address" presumably sets the router's host part (::100) inside that /64 - confirm */
        dhcpv6-options {
            pd 0 {
                interface eth1 {
                    address "100"
                }
            }
        }
        /* SLAAC on the uplink itself */
        ipv6 {
            address {
                autoconf
            }
        }
        source-interface "eth0"
    }
}
nat {
    destination {
        /* Port-forward: tcp/80,443 arriving on pppoe0 -> 10.0.1.0 (the ci/git/pw/traefik host from dns forwarding, reached via the static route under protocols). The rewrite happens before the firewall's input/forward filters, so the forwarded flow is judged by wan2lan, not wan2local */
        rule 100 {
            description "wan to k8s"
            destination {
                port "http,https"
            }
            inbound-interface {
                name "pppoe0"
            }
            protocol "tcp"
            translation {
                address "10.0.1.0"
            }
        }
    }
    source {
        /* Masquerade the LAN behind the PPPoE address for outbound traffic */
        rule 100 {
            description "nat for internet at home"
            outbound-interface {
                name "pppoe0"
            }
            source {
                address "10.0.0.0/24"
            }
            translation {
                address "masquerade"
            }
        }
    }
}
protocols {
    static {
        /* 10.0.1.0/24 (the k8s network) is reached through 10.0.0.253, the talos-50m-nc7 host pinned in the DHCP static-mapping */
        route 10.0.1.0/24 {
            next-hop 10.0.0.253 {
                interface "eth1"
            }
        }
    }
}
service {
    /* LAN DHCP: the router is default gateway and resolver; .100-.199 is the dynamic pool, the NAS and the k8s node are pinned by MAC */
    dhcp-server {
        hostfile-update
        shared-network-name home.stinnesbeck.com {
            authoritative
            option {
                domain-name "home.stinnesbeck.com"
            }
            subnet 10.0.0.0/24 {
                option {
                    default-router "10.0.0.254"
                    name-server "10.0.0.254"
                }
                range clients {
                    start "10.0.0.100"
                    stop "10.0.0.199"
                }
                static-mapping nils-sy-nas {
                    ip-address "10.0.0.250"
                    mac "00:11:32:dd:2f:2b"
                }
                static-mapping talos-50m-nc7 {
                    description "Kubernetes Laptop Lenovo"
                    ip-address "10.0.0.253"
                    mac "54:e1:ad:75:c8:04"
                }
                subnet-id "1"
            }
        }
    }
    dns {
        /* Resolver answers LAN and loopback only (allow-from, listen-address); stinnesbeck.com names are served locally and all point at the k8s host */
        forwarding {
            allow-from "10.0.0.0/24"
            allow-from "127.0.0.1/32"
            authoritative-domain stinnesbeck.com {
                records {
                    a ci {
                        address "10.0.1.0"
                    }
                    a git {
                        address "10.0.1.0"
                    }
                    a pw {
                        address "10.0.1.0"
                    }
                    a traefik {
                        address "10.0.1.0"
                    }
                }
            }
            listen-address "10.0.0.254"
            /* Upstreams presumably come from system name-server - confirm */
            system
        }
    }
    ntp {
        /* Only RFC 1918, link-local and ULA clients may query; time comes from the VyOS pool */
        allow-client {
            address "127.0.0.0/8"
            address "169.254.0.0/16"
            address "10.0.0.0/8"
            address "172.16.0.0/12"
            address "192.168.0.0/16"
            address "::1/128"
            address "fe80::/10"
            address "fc00::/7"
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    /* Advertise the delegated /64 on the LAN with the PPPoE MTU (1492) so hosts avoid fragmentation across the tunnel; ::/64 presumably stands for the prefix obtained via pd - confirm */
    router-advert {
        interface eth1 {
            link-mtu "1492"
            prefix ::/64 {
                valid-lifetime "172800"
            }
        }
    }
    /* Default port and no listen-address, so sshd binds every address; WAN access is blocked only because wan2local has no ssh rule. Adding listen-address "10.0.0.254" would make that independent of the firewall */
    ssh {
        port "22"
    }
}
system {
    config-management {
        /* NOTE(review): the URL embeds a personal access token in clear text, and every commit pushes this entire file (PPPoE password, password hash, public key) to that repository. Rotate the token and move to an SSH deploy key or a credential helper; at minimum restrict who can read the repository */
        commit-archive {
            location "git+https://nils:0013d29811ffb7ee783bf7c581b3fd0a87a0936f@git.stinnesbeck.com/nils/vyos_config"
        }
        commit-revisions "100"
    }
    console {
        device ttyS0 {
            speed "115200"
        }
    }
    host-name "vyos"
    /* Single local user: sha512-crypt password hash plus an ssh-rsa public key */
    login {
        user nils {
            authentication {
                encrypted-password "$6$rounds=656000$rsZk8wL54kEl9FOC$GyN9J0WKcrqOHn1ehs63/jSjcbwRBYHQvHKn2JfCYAWuKAT4C6rTGb56U7iBuAUpBplzPLkDlH34S1bK6gkcJ1"
                public-keys nils {
                    key "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"
                    type "ssh-rsa"
                }
            }
        }
    }
    /* The router resolves through its own forwarder first, then the two public upstreams */
    name-server "127.0.0.1"
    name-server "1.0.0.1"
    name-server "1.1.1.1"
    /* Lets the router reach the commit-archive remote without depending on DNS */
    static-host-mapping {
        host-name git.stinnesbeck.com {
            inet "10.0.1.0"
        }
    }
    /* Everything at info, local7 at debug */
    syslog {
        global {
            facility all {
                level "info"
            }
            facility local7 {
                level "debug"
            }
        }
    }
}


// Warning: Do not remove the following line.
// vyos-config-version: "bgp@5:broadcast-relay@1:cluster@2:config-management@1:conntrack@5:conntrack-sync@2:container@2:dhcp-relay@2:dhcp-server@11:dhcpv6-server@6:dns-dynamic@4:dns-forwarding@4:firewall@17:flow-accounting@1:https@7:ids@1:interfaces@33:ipoe-server@4:ipsec@13:isis@3:l2tp@9:lldp@2:mdns@1:monitoring@1:nat@8:nat66@3:ntp@3:openconnect@3:openvpn@4:ospf@2:pim@1:policy@8:pppoe-server@11:pptp@5:qos@3:quagga@11:reverse-proxy@2:rip@1:rpki@2:salt@1:snmp@3:ssh@2:sstp@6:system@28:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.5-rolling-202411270007