/* Zone-based policy: zone lan (eth1), zone local (the router itself) and zone wan (pppoe0). Each zone pair is bound to one ipv4 and one ipv6 named chain defined here. */
firewall {
    global-options {
        /* Global stateful allow: established and related flows are accepted for every zone pair. */
        state-policy {
            established {
                action "accept"
            }
            related {
                action "accept"
            }
        }
    }
    ipv4 {
        name lan2local {
            default-action "accept"
        }
        name lan2wan {
            default-action "accept"
        }
        name local2lan {
            default-action "accept"
        }
        name local2wan {
            default-action "accept"
        }
        /* WAN to LAN: only TCP 80/443 (the DNAT target under nat destination rule 100) and ICMP pass; everything else is dropped and logged. Rule 100 has no destination address, so it admits 80/443 to any LAN address, not only the DNAT target. */
        name wan2lan {
            default-action "drop"
            default-log
            rule 100 {
                action "accept"
                description "Allow HTTP and HTTPS to lan"
                destination {
                    port "http,https"
                }
                protocol "tcp"
            }
            rule 200 {
                action "accept"
                protocol "icmp"
            }
        }
        /* WAN to router: only TCP 80/443 reaches the router itself; ssh (port 22 under service) is not admitted from pppoe0 over IPv4. */
        name wan2local {
            default-action "drop"
            default-log
            rule 100 {
                action "accept"
                description "Allow HTTP and HTTPS"
                destination {
                    port "http,https"
                }
                protocol "tcp"
            }
        }
    }
    ipv6 {
        /* NOTE(review): the forward/input hooks jump to the same wan2lan/wan2local chains that the zone policy below already binds via ipv6-name; the hook rules look redundant with the zone bindings. Confirm both paths are intended. */
        forward {
            filter {
                rule 100 {
                    action "jump"
                    inbound-interface {
                        name "pppoe0"
                    }
                    jump-target "wan2lan"
                }
            }
        }
        input {
            filter {
                rule 100 {
                    action "jump"
                    inbound-interface {
                        name "pppoe0"
                    }
                    jump-target "wan2local"
                }
            }
        }
        name lan2local {
            default-action "accept"
        }
        name lan2wan {
            default-action "accept"
        }
        name local2lan {
            default-action "accept"
        }
        name local2wan {
            default-action "accept"
        }
        /* NOTE(review): unlike the ipv4 chain, no default-action or default-log is set here; the chain relies on the implicit default. Confirm it is drop, as intended for a WAN-facing chain. Rule 100 has no destination address, so with the prefix delegated to eth1 (pd 0 under pppoe0) presumably every LAN host with a global address is reachable on 80/443 over IPv6, not only the k8s target. */
        name wan2lan {
            rule 100 {
                action "accept"
                description "Allow HTTP and HTTPS to lan"
                destination {
                    port "http,https"
                }
                protocol "tcp"
            }
            rule 200 {
                action "accept"
                protocol "ipv6-icmp"
            }
        }
        /* NOTE(review): no default-action set here either; confirm the implicit default is drop. Rule 300 admits DHCPv6 server replies (UDP 547 to client port 546) needed for the pd 0 request on pppoe0. */
        name wan2local {
            rule 200 {
                action "accept"
                protocol "ipv6-icmp"
            }
            rule 300 {
                action "accept"
                destination {
                    port "546"
                }
                protocol "udp"
                source {
                    port "547"
                }
            }
        }
    }
    zone lan {
        from local {
            firewall {
                ipv6-name "local2lan"
                name "local2lan"
            }
        }
        from wan {
            firewall {
                ipv6-name "wan2lan"
                name "wan2lan"
            }
        }
        interface "eth1"
    }
    zone local {
        from lan {
            firewall {
                ipv6-name "lan2local"
                name "lan2local"
            }
        }
        from wan {
            firewall {
                ipv6-name "wan2local"
                name "wan2local"
            }
        }
        local-zone
    }
    zone wan {
        from lan {
            firewall {
                ipv6-name "lan2wan"
                name "lan2wan"
            }
        }
        from local {
            firewall {
                ipv6-name "local2wan"
                name "local2wan"
            }
        }
        interface "pppoe0"
    }
}
interfaces {
    /* Physical uplink carrying the pppoe0 session (source-interface below); no address of its own. */
    ethernet eth0 {
        hw-id "00:e0:67:2c:81:b4"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    /* LAN side: router address, DHCP default-router and DNS listen-address all use 10.0.0.254. */
    ethernet eth1 {
        address "10.0.0.254/24"
        hw-id "00:e0:67:2c:81:b5"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    /* eth2 and eth3 are unconfigured beyond hw-id and offload. */
    ethernet eth2 {
        hw-id "00:e0:67:2c:81:b6"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    ethernet eth3 {
        hw-id "00:e0:67:2c:81:b7"
        offload {
            gro
            gso
            sg
            tso
        }
    }
    loopback lo {
    }
    /* WAN session. The PPPoE password is held in cleartext in this file, so it is included in every commit-archive push configured under system config-management. */
    pppoe pppoe0 {
        authentication {
            password "CVDQ72qfcB"
            username "prem-vdsl.de/12006575-1%11"
        }
        /* Requests a delegated prefix and assigns it to eth1 (advertised by service router-advert). */
        dhcpv6-options {
            pd 0 {
                interface eth1 {
                    address "100"
                }
            }
        }
        ipv6 {
            address {
                autoconf
            }
        }
        source-interface "eth0"
    }
}
nat {
    /* Port-forward: TCP 80/443 arriving on pppoe0 goes to 10.0.1.0, which is routed via 10.0.0.253 (the talos-50m-nc7 static mapping). The matching accept is firewall ipv4 wan2lan rule 100. */
    destination {
        rule 100 {
            description "wan to k8s"
            destination {
                port "http,https"
            }
            inbound-interface {
                name "pppoe0"
            }
            protocol "tcp"
            translation {
                address "10.0.1.0"
            }
        }
    }
    source {
        rule 100 {
            description "nat for internet at home"
            outbound-interface {
                name "pppoe0"
            }
            source {
                address "10.0.0.0/24"
            }
            translation {
                address "masquerade"
            }
        }
    }
}
protocols {
    static {
        /* 10.0.1.0/24 (the k8s service range used by the DNAT and DNS records) lives behind 10.0.0.253 on eth1. */
        route 10.0.1.0/24 {
            next-hop 10.0.0.253 {
                interface "eth1"
            }
        }
    }
}
service {
    dhcp-server {
        hostfile-update
        shared-network-name home.stinnesbeck.com {
            authoritative
            option {
                domain-name "home.stinnesbeck.com"
            }
            subnet 10.0.0.0/24 {
                option {
                    default-router "10.0.0.254"
                    name-server "10.0.0.254"
                }
                range clients {
                    start "10.0.0.100"
                    stop "10.0.0.199"
                }
                static-mapping nils-sy-nas {
                    ip-address "10.0.0.250"
                    mac "00:11:32:dd:2f:2b"
                }
                /* Next-hop for the 10.0.1.0/24 static route. */
                static-mapping talos-50m-nc7 {
                    description "Kubernetes Laptop Lenovo"
                    ip-address "10.0.0.253"
                    mac "54:e1:ad:75:c8:04"
                }
                subnet-id "1"
            }
        }
    }
    dns {
        /* Recursor answers LAN clients only (allow-from 10.0.0.0/24, listening on the eth1 address) and serves internal A records pointing at the k8s range. */
        forwarding {
            allow-from "10.0.0.0/24"
            authoritative-domain stinnesbeck.com {
                records {
                    a ci {
                        address "10.0.1.0"
                    }
                    a git {
                        address "10.0.1.0"
                    }
                    a pw {
                        address "10.0.1.0"
                    }
                    a traefik {
                        address "10.0.1.0"
                    }
                }
            }
            listen-address "10.0.0.254"
            /* NOTE(review): forwards to the system name-servers, and system name-server lists 127.0.0.1 (this recursor) first. Confirm the recursor does not end up forwarding to itself. */
            system
        }
    }
    ntp {
        /* NTP answers only loopback, link-local, RFC 1918 and ULA clients. */
        allow-client {
            address "127.0.0.0/8"
            address "169.254.0.0/16"
            address "10.0.0.0/8"
            address "172.16.0.0/12"
            address "192.168.0.0/16"
            address "::1/128"
            address "fe80::/10"
            address "fc00::/7"
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    /* Advertises the delegated prefix on eth1; link-mtu 1492 presumably matches the PPPoE path MTU. */
    router-advert {
        interface eth1 {
            link-mtu "1492"
            prefix ::/64 {
                valid-lifetime "172800"
            }
        }
    }
    /* No listen-address, so sshd binds all addresses; exposure from pppoe0 is governed by the wan2local chains. */
    ssh {
        port "22"
    }
}
system {
    config-management {
        /* NOTE(review): the URL userinfo embeds what looks like a personal access token for git.stinnesbeck.com. It is readable by anyone holding this file and is itself archived to that remote on every commit. Prefer git+ssh with a key, or a credential stored outside config.boot, and rotate the token if this file has been shared. */
        commit-archive {
            location "git+https://nils:0013d29811ffb7ee783bf7c581b3fd0a87a0936f@git.stinnesbeck.com/nils/vyos_config"
        }
        commit-revisions "100"
    }
    console {
        device ttyS0 {
            speed "115200"
        }
    }
    host-name "vyos"
    login {
        /* Password hash is SHA-512 crypt ($6$) with 656000 rounds; the ssh-rsa public key is stored inline. */
        user nils {
            authentication {
                encrypted-password "$6$rounds=656000$rsZk8wL54kEl9FOC$GyN9J0WKcrqOHn1ehs63/jSjcbwRBYHQvHKn2JfCYAWuKAT4C6rTGb56U7iBuAUpBplzPLkDlH34S1bK6gkcJ1"
                public-keys nils {
                    key "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"
                    type "ssh-rsa"
                }
            }
        }
    }
    /* The router resolves via its own recursor (listed first) with Cloudflare as fallback. */
    name-server "127.0.0.1"
    name-server "1.0.0.1"
    name-server "1.1.1.1"
    /* Pins git.stinnesbeck.com to the internal address, presumably so the commit-archive push stays on the LAN instead of hairpinning through the DNAT. */
    static-host-mapping {
        host-name git.stinnesbeck.com {
            inet "10.0.1.0"
        }
    }
    syslog {
        global {
            facility all {
                level "info"
            }
            facility local7 {
                level "debug"
            }
        }
    }
}


// Warning: Do not remove the following line.
// vyos-config-version: "bgp@5:broadcast-relay@1:cluster@2:config-management@1:conntrack@5:conntrack-sync@2:container@2:dhcp-relay@2:dhcp-server@11:dhcpv6-server@6:dns-dynamic@4:dns-forwarding@4:firewall@17:flow-accounting@1:https@7:ids@1:interfaces@33:ipoe-server@4:ipsec@13:isis@3:l2tp@9:lldp@2:mdns@1:monitoring@1:nat@8:nat66@3:ntp@3:openconnect@3:openvpn@4:ospf@2:pim@1:policy@8:pppoe-server@11:pptp@5:qos@3:quagga@11:reverse-proxy@2:rip@1:rpki@2:salt@1:snmp@3:ssh@2:sstp@6:system@28:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.5-rolling-202411270007