commit 8feffb0a1b2c7e14cbc7c022dc7c62556de902a1
Author: lewellien
Date: Wed Apr 8 08:17:40 2026 +0200
commit
diff --git a/config.boot-router b/config.boot-router
new file mode 100644
index 0000000..b51a778
--- /dev/null
+++ b/config.boot-router
@@ -0,0 +1,1449 @@ +firewall { + group { + interface-group GUEST { + interface "br1.17" + interface "br1.20" + } + port-group HTTP { + description "HTTP Standard Ports" + port "80" + port "443" + } + port-group MAIL { + description "MAIL standard ports" + port "25" + port "110" + port "143" + port "465" + port "587" + port "993" + port "995" + } + } + ipv4 { + forward { + filter { + default-action "accept" + rule 5 { + action "jump" + inbound-interface { + name "pppoe0" + } + jump-target "MAIN-IN-v4" + } + rule 50 { + action "jump" + inbound-interface { + group "GUEST" + } + jump-target "GUEST-OUT-v4" + } + rule 51 { + action "jump" + jump-target "GUEST-IN-v4" + outbound-interface { + group "GUEST" + } + } + rule 100 { + action "jump" + jump-target "MAIN-OUT-v4" + outbound-interface { + name "pppoe0" + } + } + } + } + input { + filter { + default-action "accept" + rule 5 { + action "jump" + inbound-interface { + name "pppoe0" + } + jump-target "MAIN-LOCAL-v4" + } + } + } + name GUEST-IN-v4 { + default-action "reject" + rule 1 { + action "accept" + description "Allow related and established" + state "established" + state "related" + } + rule 101 { + action "accept" + description "Allow ping" + icmp { + type "8" + } + protocol "icmp" + } + } + name GUEST-OUT-v4 { + default-action "reject" + default-log + rule 100 { + action "accept" + description "Allow DNS-Access" + destination { + port "53" + } + protocol "tcp_udp" + } + rule 300 { + action "accept" + description "Forbid Local Traffic" + outbound-interface { + name "pppoe0" + } + } + rule 301 { + action "accept" + description "Allow Traefik Access" + destination { + address "10.35.0.201" + } + protocol "tcp_udp" + } + } + name MAIN-IN-v4 { + default-action "reject" + description "Filtering of incoming Gateway traffic" + rule 1 { + action "accept" + description "Allow related and established" + state "established" + state "related" + } + rule 100 { + action "accept" + description "Allow ping" + icmp { + type "8" + } 
+ protocol "icmp" + } + rule 300 { + action "accept" + description "Allow https" + destination { + group { + port-group "HTTP" + } + } + protocol "tcp" + } + rule 301 { + action "accept" + description "Allow Mail" + destination { + group { + port-group "MAIL" + } + } + protocol "tcp" + } + rule 302 { + action "accept" + description "Allow SSH for git" + destination { + port "2222" + } + protocol "tcp" + } + rule 303 { + action "accept" + description "Minecraft Server" + destination { + port "25565-25570" + } + log + protocol "tcp" + } + rule 304 { + action "accept" + description "Matrix Federation" + destination { + port "8448" + } + log + protocol "tcp" + } + rule 305 { + action "accept" + description "ark" + destination { + address "10.38.0.41" + port "7777" + } + log + protocol "udp" + } + } + name MAIN-LOCAL-v4 { + default-action "reject" + description "Filtering of traffic for this host" + rule 1 { + action "accept" + description "Allow related and established" + state "established" + state "related" + } + rule 100 { + action "accept" + description "Allow SSH" + destination { + port "22" + } + protocol "tcp_udp" + } + rule 101 { + action "accept" + description "Allow ping" + icmp { + type "8" + } + protocol "icmp" + } + rule 300 { + action "accept" + description "allow wireguard" + destination { + port "2224" + } + protocol "udp" + } + } + name MAIN-OUT-v4 { + default-action "accept" + description "Filtering of outgoing Gateway traffic" + rule 200 { + action "drop" + log + source { + mac-address "50:8b:b9:bb:5a:df" + } + } + } + } + ipv6 { + forward { + filter { + default-action "accept" + rule 5 { + action "jump" + inbound-interface { + name "pppoe0" + } + jump-target "MAIN-IN-v6" + } + rule 50 { + action "jump" + inbound-interface { + group "GUEST" + } + jump-target "GUEST-OUT-v6" + } + rule 51 { + action "jump" + jump-target "GUEST-IN-v6" + outbound-interface { + group "GUEST" + } + } + rule 100 { + action "jump" + jump-target "MAIN-OUT-v6" + 
outbound-interface { + name "pppoe0" + } + } + } + } + input { + filter { + default-action "accept" + rule 5 { + action "jump" + inbound-interface { + name "pppoe0" + } + jump-target "MAIN-LOCAL-v6" + } + } + } + name GUEST-IN-v6 { + default-action "reject" + rule 1 { + action "accept" + description "Allow related and established" + state "established" + state "related" + } + rule 101 { + action "accept" + description "Allow icmpv6" + protocol "icmpv6" + } + rule 102 { + action "accept" + description "Allow outgoing link-local" + source { + address "fe80::/10" + } + } + rule 103 { + action "accept" + description "Allow outgoing multicast" + destination { + address "ff00::/8" + } + } + rule 104 { + action "accept" + description "Allow outgoing multicast" + destination { + address "ff00::/8" + } + } + } + name GUEST-OUT-v6 { + default-action "reject" + default-log + rule 100 { + action "accept" + description "Allow DNS-Access" + destination { + port "53" + } + outbound-interface { + name "pppoe0" + } + protocol "tcp_udp" + } + rule 101 { + action "accept" + description "Enable DNS Access" + destination { + address "fd74:af:0:30::53" + } + protocol "tcp_udp" + } + rule 300 { + action "accept" + description "Forbid Local Traffic" + outbound-interface { + name "pppoe0" + } + } + rule 301 { + action "accept" + description "Allow Traefik Access" + destination { + address "fd74:af:0:35::201" + } + protocol "tcp_udp" + } + } + name MAIN-IN-v6 { + default-action "reject" + description "Filtering of incoming Gateway traffic" + rule 1 { + action "accept" + description "Allow related and established" + state "established" + state "related" + } + rule 100 { + action "accept" + description "Allow ping" + icmpv6 { + type "8" + } + } + rule 101 { + action "accept" + description "Allow http" + destination { + group { + port-group "HTTP" + } + } + protocol "tcp_udp" + } + rule 102 { + action "accept" + description "Allow icmp" + protocol "icmpv6" + } + rule 103 { + action "accept" + 
description "Allow outgoing link-local" + source { + address "fe80::/10" + } + } + rule 104 { + action "accept" + description "Allow outgoing multicast" + destination { + address "ff00::/8" + } + } + rule 301 { + action "accept" + description "Allow Mail" + destination { + group { + port-group "MAIL" + } + } + protocol "tcp" + } + rule 302 { + action "accept" + description "Allow SSH for git" + destination { + port "2222" + } + protocol "tcp" + } + rule 303 { + action "accept" + description "Minecraft Server" + destination { + port "25565-25570" + } + log + protocol "tcp" + } + rule 304 { + action "accept" + description "Matrix Federation" + destination { + port "8448" + } + log + protocol "tcp" + } + } + name MAIN-LOCAL-v6 { + default-action "reject" + description "Filtering of traffic for this host" + rule 1 { + action "accept" + description "Allow related and established" + state "established" + state "related" + } + rule 100 { + action "accept" + description "Allow SSH" + destination { + port "22" + } + protocol "tcp_udp" + } + rule 101 { + action "accept" + description "Allow icmpv6" + protocol "icmpv6" + } + rule 102 { + action "accept" + description "Allow outgoing link-local" + source { + address "fe80::/10" + } + } + rule 103 { + action "accept" + description "Allow outgoing multicast" + destination { + address "ff00::/8" + } + } + } + name MAIN-OUT-v6 { + default-action "accept" + description "Filtering of outgoing Gateway traffic" + rule 200 { + action "drop" + log + source { + mac-address "50:8b:b9:bb:5a:df" + } + } + } + } +} +interfaces { + bridge br1 { + description "LAN" + enable-vlan + member { + interface eth1 { + allowed-vlan "35" + native-vlan "35" + } + interface eth2 { + allowed-vlan "35" + allowed-vlan "15" + allowed-vlan "16" + allowed-vlan "31" + allowed-vlan "38" + allowed-vlan "50" + native-vlan "35" + } + interface eth3 { + allowed-vlan "35" + allowed-vlan "15" + allowed-vlan "16" + allowed-vlan "17" + allowed-vlan "20" + allowed-vlan 
"31" + allowed-vlan "38" + allowed-vlan "50" + allowed-vlan "39" + native-vlan "35" + } + } + vif 15 { + address "10.15.0.1/24" + address "fd74:af:0:15::1/64" + description "wlan_mgmt" + } + vif 16 { + address "10.16.0.1/24" + description "wlan_client" + } + vif 17 { + address "10.17.0.1/24" + description "wlan_guest" + } + vif 20 { + address "10.20.0.1/24" + description "guest" + } + vif 31 { + address "10.31.0.1/24" + description "workstations" + } + vif 35 { + address "10.35.0.1/24" + address "fd74:af:0:35::1/64" + description "server" + } + vif 38 { + address "10.38.0.1/24" + address "fd74:af:0:38::1/64" + description "dmz" + } + vif 39 { + address "10.39.0.1/24" + address "fd74:af:0:39::1/64" + description "kit" + } + vif 50 { + address "10.50.0.1/24" + address "fd74:af:0:50::1/64" + description "iot" + } + } + dummy dum1 { + address "10.10.0.1/32" + address "fd74:af:0:10::1/128" + } + ethernet eth0 { + description "2.5G-1 - WAN" + hw-id "64:62:66:2f:3b:ae" + offload { + gro + gso + sg + tso + } + } + ethernet eth1 { + description "2.5G-2" + hw-id "64:62:66:2f:3b:af" + offload { + gro + gso + sg + tso + } + } + ethernet eth2 { + description "2.5G-3" + hw-id "64:62:66:2f:3b:b0" + offload { + gro + gso + sg + tso + } + } + ethernet eth3 { + description "2.5G-4" + hw-id "64:62:66:2f:3b:b1" + offload { + gro + gso + sg + tso + } + } + loopback lo { + } + pppoe pppoe0 { + authentication { + password "26571316" + username "551013112907" + } + dhcpv6-options { + pd 0 { + interface br1.16 { + address "1" + sla-id "16" + } + interface br1.17 { + address "1" + sla-id "17" + } + interface br1.31 { + address "1" + sla-id "31" + } + interface br1.35 { + address "1" + sla-id "35" + } + interface br1.38 { + address "1" + sla-id "38" + } + interface br1.39 { + address "1" + sla-id "39" + } + length "56" + } + } + ip { + adjust-mss "1452" + } + ipv6 { + address { + autoconf + } + adjust-mss "1452" + } + source-interface "eth0" + } + wireguard wg1 { + address 
"fd74:af:0:401::1/64" + address "10.40.1.1/24" + peer jenny-handy { + allowed-ips "10.40.1.12/32" + allowed-ips "fd74:af:0:401::12/128" + persistent-keepalive "30" + public-key "sYUoQrXxFVp2rZRGunzeRqXk2NjvLm67taBOu+6Z9Vk=" + } + peer oberon { + allowed-ips "10.40.1.11/32" + allowed-ips "fd74:af:0:401::11/128" + persistent-keepalive "30" + public-key "jYnEKBfCNHf3Q9pA34ZJnUeZwbsF1Zv5AwFOfhNepw8=" + } + peer oma { + allowed-ips "10.40.1.13/32" + allowed-ips "fd74:af:0:401::13/128" + persistent-keepalive "30" + public-key "luCTIvLZuy8zAezOBT1Na9acK35wK9u8x2EMwJxifxk=" + } + peer s23-FE { + allowed-ips "10.40.1.10/32" + allowed-ips "fd74:af:0:401::10/128" + persistent-keepalive "30" + public-key "jOsFAM8H2WhO3gao3gSkIq8IyvAFsmnKl99/SfCZFV0=" + } + port "2224" + private-key "GMNxomUWZPGQv60+AK0Z6ZEK54RrtwI/lgarcqSTkmM=" + } +} +nat { + destination { + rule 1 { + destination { + port "80,443,2222,8448" + } + inbound-interface { + name "pppoe0" + } + protocol "tcp" + translation { + address "10.35.0.201" + } + } + rule 2 { + destination { + port "25,110,143,465,857,993,995,587" + } + inbound-interface { + name "pppoe0" + } + protocol "tcp" + translation { + address "10.35.0.111" + } + } + rule 3 { + description "minecraft" + destination { + port "25565-25570" + } + inbound-interface { + name "pppoe0" + } + protocol "tcp" + translation { + address "10.38.0.10" + } + } + rule 4 { + description "ark" + destination { + port "7777" + } + inbound-interface { + name "br1.31" + } + protocol "udp" + translation { + address "10.38.0.41" + } + } + rule 5 { + description "ark" + destination { + port "7777" + } + inbound-interface { + name "pppoe0" + } + protocol "udp" + translation { + address "10.38.0.41" + } + } + } + source { + rule 1 { + outbound-interface { + name "pppoe0" + } + source { + address "10.0.0.0/8" + } + translation { + address "masquerade" + } + } + } +} +nat66 { + destination { + rule 1 { + destination { + port "80,443,2222,8448" + } + inbound-interface { + name 
"pppoe0" + } + protocol "tcp" + translation { + address "fd74:af:0:35::201" + } + } + rule 2 { + destination { + port "25,110,143,465,857,993,995,587" + } + inbound-interface { + name "pppoe0" + } + protocol "tcp" + translation { + address "fd74:af:0:35::111" + } + } + rule 3 { + description "minecraft" + destination { + port "25565-25570" + } + inbound-interface { + name "pppoe0" + } + protocol "tcp" + translation { + address "fd74:af:0:38::10" + } + } + } + source { + rule 1 { + outbound-interface { + name "pppoe0" + } + source { + prefix "fd74:af::/56" + } + translation { + address "masquerade" + } + } + } +} +protocols { + static { + route 10.10.64.2/32 { + next-hop 10.35.0.105 { + } + } + route 10.30.0.53/32 { + next-hop 10.35.0.210 { + } + } + route6 64:ff9b::/96 { + next-hop fd74:af:0:35::105 { + } + } + route6 fd74:af:0:30::53/128 { + next-hop fd74:af:0:35::210 { + } + } + } +} +service { + broadcast-relay { + id 1 { + interface "br1.31" + interface "br1.16" + port "24727" + } + } + dhcp-server { + hostfile-update + shared-network-name games { + authoritative + option { + name-server "10.30.0.53" + name-server "10.10.0.1" + } + subnet 10.38.0.0/24 { + option { + default-router "10.38.0.1" + } + range 1 { + start "10.38.0.2" + stop "10.38.0.254" + } + static-mapping factorio { + ip-address "10.38.0.11" + mac "1E:84:D7:00:62:D1" + } + static-mapping minecraft { + ip-address "10.38.0.10" + mac "EA:CB:21:4D:87:5A" + } + subnet-id "1" + } + } + shared-network-name guest { + authoritative + option { + ipv6-only-preferred "86400" + name-server "10.30.0.53" + name-server "10.10.0.1" + } + subnet 10.20.0.0/24 { + option { + default-router "10.20.0.1" + } + range 1 { + start "10.20.0.2" + stop "10.20.0.254" + } + subnet-id "2" + } + } + shared-network-name iot { + authoritative + option { + name-server "10.30.0.53" + name-server "10.10.0.1" + ntp-server "10.10.0.1" + } + subnet 10.50.0.0/24 { + option { + default-router "10.50.0.1" + } + range 1 { + start "10.50.0.2" 
+ stop "10.50.0.254" + } + static-mapping ag-wohnzimmer { + ip-address "10.50.0.4" + mac "40:4c:ca:67:0f:ec" + } + static-mapping kueche { + ip-address "10.50.0.6" + mac "c8:c9:a3:70:12:34" + } + static-mapping schlafzimmer { + ip-address "10.50.0.7" + mac "c8:c9:a3:70:1a:64" + } + static-mapping shelly-3dp { + ip-address "10.50.0.19" + mac "90:70:69:45:51:C0" + } + static-mapping shelly-desktop { + ip-address "10.50.0.2" + mac "34:94:54:8f:fe:a8" + } + static-mapping shelly-server { + ip-address "10.50.0.3" + mac "34:94:54:8f:8a:3c" + } + static-mapping shelly-tv { + ip-address "10.50.0.8" + mac "08:3A:8D:F4:39:9E" + } + static-mapping terasse { + ip-address "10.50.0.5" + mac "c8:c9:a3:70:19:df" + } + subnet-id "3" + } + } + shared-network-name kit { + authoritative + option { + name-server "10.30.0.53" + } + subnet 10.39.0.0/24 { + option { + default-router "10.39.0.1" + } + range 1 { + start "10.39.0.10" + stop "10.39.0.250" + } + subnet-id "39" + } + } + shared-network-name server { + authoritative + option { + name-server "10.30.0.53" + name-server "10.10.0.1" + ntp-server "10.10.0.1" + } + subnet 10.35.0.0/24 { + option { + default-router "10.35.0.1" + } + range 1 { + start "10.35.0.2" + stop "10.35.0.254" + } + static-mapping atlas { + ip-address "10.35.0.3" + mac "26:5d:59:65:6c:30" + } + static-mapping automation { + ip-address "10.35.0.107" + mac "02:A2:DA:98:97:5C" + } + static-mapping backup { + ip-address "10.35.0.155" + mac "9E:F2:32:EA:53:8D" + } + static-mapping bitwarden { + ip-address "10.35.0.152" + mac "2E:85:FB:30:0F:81" + } + static-mapping calendar { + ip-address "10.35.0.157" + mac "9A:59:DC:93:6C:6A" + } + static-mapping ci { + ip-address "10.35.0.109" + mac "1E:19:A2:E9:71:73" + } + static-mapping cloud { + ip-address "10.35.0.104" + mac "96:16:94:EE:5C:97" + } + static-mapping dns { + ip-address "10.35.0.160" + mac "12:14:C0:AF:94:7B" + } + static-mapping docker { + ip-address "10.35.0.101" + mac "bc:24:11:80:17:e6" + } + static-mapping 
documents { + ip-address "10.35.0.102" + mac "9A:59:AC:E0:25:A5" + } + static-mapping entry { + ip-address "10.35.0.110" + mac "D6:AB:3D:41:B1:F2" + } + static-mapping equinox { + ip-address "10.35.0.2" + mac "74:56:3c:55:e9:d7" + } + static-mapping finance { + ip-address "10.35.0.158" + mac "76:69:81:6F:67:1D" + } + static-mapping gauss { + ip-address "10.35.0.8" + mac "48:a9:8a:cc:c1:4b" + } + static-mapping grafana { + ip-address "10.35.0.153" + mac "6A:6D:C0:A8:0C:A4" + } + static-mapping ittools { + ip-address "10.35.0.159" + mac "7E:F0:F5:C3:5C:45" + } + static-mapping lounge { + ip-address "10.35.0.150" + mac "56:3E:C5:EE:EE:5E" + } + static-mapping mail { + ip-address "10.35.0.111" + mac "BC:24:11:EE:23:C2" + } + static-mapping matrix { + ip-address "10.35.0.108" + mac "02:84:E0:99:0F:2C" + } + static-mapping media { + ip-address "10.35.0.106" + mac "4A:87:40:F3:8F:F2" + } + static-mapping monitor { + ip-address "10.35.0.100" + mac "0A:73:14:54:C2:E2" + } + static-mapping nova { + disable + ip-address "10.35.0.7" + mac "48:a9:8a:cc:c1:4b" + } + static-mapping printer { + ip-address "10.35.0.15" + mac "30:05:5c:17:26:f3" + } + static-mapping projects { + ip-address "10.35.0.156" + mac "A2:38:B8:7B:83:8E" + } + static-mapping sensors { + ip-address "10.35.0.10" + mac "70:b3:d5:50:91:bd" + } + static-mapping speedtest { + ip-address "10.35.0.154" + mac "86:00:BC:4A:1B:30" + } + static-mapping traefik { + ip-address "10.35.0.151" + mac "62:80:2D:4E:1A:C8" + } + static-mapping trinity { + ip-address "10.35.0.4" + mac "00:11:32:86:93:49" + } + static-mapping ultrastar { + ip-address "10.35.0.103" + mac "8A:77:95:29:0E:D0" + } + static-mapping voip { + ip-address "10.35.0.113" + mac "86:F5:5B:BA:CB:74" + } + subnet-id "4" + } + } + shared-network-name wlan_client { + authoritative + option { + domain-name "home" + ipv6-only-preferred "86400" + name-server "10.30.0.53" + name-server "10.10.0.1" + ntp-server "10.10.0.1" + } + subnet 10.16.0.0/24 { + option { + 
default-router "10.16.0.1" + } + range 1 { + start "10.16.0.2" + stop "10.16.0.254" + } + static-mapping wax615 { + ip-address "10.16.0.2" + mac "94:18:65:c2:ea:ff" + } + subnet-id "5" + } + } + shared-network-name wlan_guest { + authoritative + option { + ipv6-only-preferred "86400" + name-server "10.30.0.53" + name-server "10.10.0.1" + } + subnet 10.17.0.0/24 { + option { + default-router "10.17.0.1" + } + range 1 { + start "10.17.0.2" + stop "10.17.0.254" + } + subnet-id "6" + } + } + shared-network-name wlan_mgmt { + authoritative + option { + name-server "10.30.0.53" + } + subnet 10.15.0.0/24 { + option { + default-router "10.15.0.1" + } + range 1 { + start "10.15.0.2" + stop "10.15.0.254" + } + static-mapping gyre { + ip-address "10.15.0.4" + mac "A8:52:D4:91:FF:39" + } + static-mapping volt { + ip-address "10.15.0.5" + mac "00:a0:57:6c:4a:3e" + } + subnet-id "7" + } + } + shared-network-name workstations { + authoritative + option { + name-server "10.30.0.53" + name-server "10.10.0.1" + ntp-server "10.10.0.1" + } + subnet 10.31.0.0/24 { + option { + default-router "10.31.0.1" + } + range 1 { + start "10.31.0.2" + stop "10.31.0.254" + } + static-mapping oberon { + ip-address "10.31.0.11" + mac "30:24:a9:91:70:61" + } + static-mapping titania { + ip-address "10.31.0.10" + mac "d8:5e:d3:40:f9:5b" + } + subnet-id "8" + } + } + } + dns { + dynamic { + name service-lewellien-net-pppoe0 { + address { + interface "pppoe0" + } + host-name "gw.lewellien.net" + ip-version "ipv4" + password "q9tCHSBUGifWmb2DZV7rvLDrHsD5gxfL" + protocol "dyndns2" + server "dyndns.strato.com" + username "lewellien.net" + } + name service-lewellien-net-v6-pppoe0 { + address { + interface "pppoe0" + } + host-name "gw.lewellien.net" + ip-version "ipv6" + password "q9tCHSBUGifWmb2DZV7rvLDrHsD5gxfL" + protocol "dyndns2" + server "dyndns.strato.com" + username "lewellien.net" + } + name service-mail-lewellien-net-pppoe0 { + address { + interface "pppoe0" + } + host-name "mail.lewellien.net" + 
ip-version "ipv4" + password "q9tCHSBUGifWmb2DZV7rvLDrHsD5gxfL" + protocol "dyndns2" + server "dyndns.strato.com" + username "lewellien.net" + } + name service-mail-lewellien-net-v6-pppoe0 { + address { + interface "pppoe0" + } + host-name "mail.lewellien.net" + ip-version "ipv6" + password "q9tCHSBUGifWmb2DZV7rvLDrHsD5gxfL" + protocol "dyndns2" + server "dyndns.strato.com" + username "lewellien.net" + } + name service-matrix-lewellien-net-pppoe0 { + address { + interface "pppoe0" + } + host-name "matrix.lewellien.net" + ip-version "ipv4" + password "q9tCHSBUGifWmb2DZV7rvLDrHsD5gxfL" + protocol "dyndns2" + server "dyndns.strato.com" + username "lewellien.net" + } + name service-matrix-lewellien-net-v6-pppoe0 { + address { + interface "pppoe0" + } + host-name "matrix.lewellien.net" + ip-version "ipv6" + password "q9tCHSBUGifWmb2DZV7rvLDrHsD5gxfL" + protocol "dyndns2" + server "dyndns.strato.com" + username "lewellien.net" + } + } + forwarding { + allow-from "10.0.0.0/8" + allow-from "fd74:af::/56" + authoritative-domain lewellien.net { + records { + a any { + address "10.35.0.201" + } + aaaa any { + address "fd74:af:0:35::201" + } + } + } + listen-address "10.10.0.1" + listen-address "fd74:af:0:10::1" + zone-cache afinfra.de { + options { + refresh { + interval "1800" + } + } + source { + axfr "fd74:af:0:30::53" + } + } + } + } + lldp { + interface eth0 { + } + interface eth1 { + } + interface eth2 { + } + management-address "10.10.0.1" + management-address "fd74:af:0:10::1" + } + monitoring { + prometheus { + frr-exporter { + listen-address "fd74:af:0:10::1" + } + node-exporter { + listen-address "10.10.0.1" + } + } + telegraf { + prometheus-client { + allow-from "fd74:af:0:35::/64" + allow-from "10.35.0.0/24" + listen-address "10.10.0.1" + } + } + } + ntp { + allow-client { + address "127.0.0.0/8" + address "169.254.0.0/16" + address "10.0.0.0/8" + address "172.16.0.0/12" + address "192.168.0.0/16" + address "::1/128" + address "fe80::/10" + address "fc00::/7" + 
address "0.0.0.0/0" + address "::/0" + } + server ntp1.sda.t-online.de { + } + server ntp1.sul.t-online.de { + } + server time1.vyos.net { + } + server time2.vyos.net { + } + } + router-advert { + interface br1.15 { + name-server "fd74:af:0:10::1" + } + interface br1.16 { + link-mtu "1492" + name-server "fd74:af:0:30::53" + name-server "fd74:af:0:10::1" + nat64prefix 64:ff9b::/96 { + } + prefix ::/64 { + valid-lifetime "172800" + } + } + interface br1.17 { + link-mtu "1492" + name-server "fd74:af:0:30::53" + name-server "fd74:af:0:10::1" + nat64prefix 64:ff9b::/96 { + } + prefix ::/64 { + valid-lifetime "172800" + } + } + interface br1.20 { + link-mtu "1492" + name-server "fd74:af:0:30::53" + name-server "fd74:af:0:10::1" + nat64prefix 64:ff9b::/96 { + } + prefix ::/64 { + valid-lifetime "172800" + } + } + interface br1.31 { + link-mtu "1492" + name-server "fd74:af:0:30::53" + name-server "fd74:af:0:10::1" + prefix ::/64 { + valid-lifetime "172800" + } + } + interface br1.35 { + link-mtu "1492" + name-server "fd74:af:0:30::53" + name-server "fd74:af:0:10::1" + prefix ::/64 { + valid-lifetime "172800" + } + } + interface br1.38 { + name-server "fd74:af:0:10::1" + } + interface br1.39 { + link-mtu "1492" + name-server "fd74:af:0:30::53" + prefix ::/64 { + valid-lifetime "172800" + } + } + interface br1.50 { + name-server "fd74:af:0:10::1" + } + } + ssh { + listen-address "10.10.0.1" + listen-address "fd74:af:0:10::1" + } +} +system { + config-management { + commit-archive { + location "git+https://vyos:uLLPLpARiKLe5ViFJm3dDUNA5m9wMMym@git.lewellien.net/lewellien/vyos-config.git" + } + commit-revisions "101" + } + console { + device ttyS0 { + speed "115200" + } + } + host-name "router" + login { + user lewellien { + authentication { + public-keys lewellien@server { + key "AAAAC3NzaC1lZDI1NTE5AAAAIIC2v6gFjGdq47jGeqoamDLdLVmvEYpQrIFEqZnmnaCb" + type "ssh-ed25519" + } + } + } + user vyos { + authentication { + encrypted-password 
"$6$rounds=656000$DD0L1d4zCpPTFRm6$85IGUPK9OvLhF6f/N5BZR9ABOpBpLkVZCpTTLoWpRgBlLjZgn0iaEiPAk5O4M.g/wA58bx/VnfgZ2SYuJ7V/w0" + plaintext-password "" + } + } + } + name-server "10.30.0.53" + name-server "fd74:af:0:30::53" + name-server "1.1.1.1" + option { + keyboard-layout "de" + } + syslog { + local { + facility all { + level "info" + } + facility local7 { + level "debug" + } + } + } + time-zone "Europe/Berlin" +} + + +// Warning: Do not remove the following line. +// vyos-config-version: "bgp@6:broadcast-relay@1:cluster@2:config-management@1:conntrack@6:conntrack-sync@2:container@3:dhcp-relay@2:dhcp-server@11:dhcpv6-server@6:dns-dynamic@4:dns-forwarding@4:firewall@20:flow-accounting@3:https@7:ids@2:interfaces@34:ipoe-server@4:ipsec@14:isis@3:l2tp@9:lldp@3:mdns@1:monitoring@2:nat@8:nat66@3:nhrp@1:ntp@3:openconnect@3:openvpn@5:ospf@2:pim@1:policy@9:pppoe-server@11:pptp@5:qos@3:quagga@12:reverse-proxy@3:rip@1:rpki@2:salt@1:snmp@3:ssh@3:sstp@6:system@30:vpp@4:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@4:webproxy@2" +// Release version: 2026.01.16-0022-rolling
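Review bot: Live credentials are committed in cleartext in this new file: the `pppoe0` `authentication` username and password, the `wg1` `private-key`, the six dyndns2 `password` entries under `service dns dynamic`, the token embedded in the `commit-archive` `location` URL, and the `vyos` user's `encrypted-password` hash. Anyone who can read the repository or its history can read them, so they should be rotated and the tracked copy exported with `show configuration | strip-private` or with the secrets replaced by placeholders. On the filtering side, `ipv4 input filter` and `ipv6 input filter` keep `default-action "accept"` and jump to `MAIN-LOCAL-*` only for `pppoe0`, `MAIN-LOCAL-v4`/`-v6` rule 100 accepts port 22 from the WAN side, and `service ntp allow-client` ends with `0.0.0.0/0` and `::/0`, which makes the narrower entries above them moot; limiting these to the internal prefixes and the WireGuard range would be tighter. In `GUEST-OUT-v4` and `GUEST-OUT-v6`, rule 300 is described as "Forbid Local Traffic" although its action is `accept` towards `pppoe0`; a description such as `description "Allow Internet-bound traffic"` would match what the rule does. Port `857` in `nat destination rule 2` and `nat66 destination rule 2` looks like a typo, since `587` is already listed and the `MAIL` port-group has no 857, and `MAIN-IN-v6` rule 100 matches `icmpv6 type "8"`, which appears to be copied from the IPv4 echo-request rule and is worth confirming.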