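/* Router 7.fftdf.de: WAN on eth0, a downstream 172.16.7.0/24 segment on eth1,
   six GRE tunnels with one BGP session each towards AS 201701, and NAT of the
   downstream segment behind the loopback address 185.66.193.107.
   NOTE(review): no firewall section is visible in this file, so every service
   below is reachable on every interface unless filtering happens elsewhere;
   confirm. */
interfaces {
    ethernet eth0 {
        address 5.9.220.113/29
        description WAN
    }
    ethernet eth1 {
        address 172.16.7.1/24
        description "Freifunk WAN"
    }
    /* Public /32 that is announced over BGP and used as the NAT address. */
    loopback lo {
        address 185.66.193.107/32
    }
    /* tun0-tun5 all originate from the eth0 address. No tunnel key or IPsec
       protection is configured on them here, so the transit path is trusted
       not to inject or read tunnel traffic; confirm that is acceptable. */
    tunnel tun0 {
        address 100.64.6.25/31
        address 2a03:2260:0:30c::2/64
        description gre_bb_a_ak_ber
        encapsulation gre
        remote 185.66.195.0
        source-address 5.9.220.113
    }
    tunnel tun1 {
        address 100.64.6.31/31
        address 2a03:2260:0:30f::2/64
        description gre_bb_b_ak_ber
        encapsulation gre
        remote 185.66.195.1
        source-address 5.9.220.113
    }
    tunnel tun2 {
        address 100.64.6.29/31
        address 2a03:2260:0:30e::2/64
        description gre_bb_a_ix_dus
        encapsulation gre
        remote 185.66.193.0
        source-address 5.9.220.113
    }
    tunnel tun3 {
        address 100.64.6.35/31
        address 2a03:2260:0:311::2/64
        description gre_bb_b_ix_dus
        encapsulation gre
        remote 185.66.193.1
        source-address 5.9.220.113
    }
    tunnel tun4 {
        address 100.64.6.27/31
        address 2a03:2260:0:30d::2/64
        description gre_bb_a_fra3_f
        encapsulation gre
        remote 185.66.194.0
        source-address 5.9.220.113
    }
    tunnel tun5 {
        address 100.64.6.33/31
        address 2a03:2260:0:310::2/64
        description gre-bb-b.fra3.f
        encapsulation gre
        remote 185.66.194.1
        source-address 5.9.220.113
    }
}
nat {
    destination {
        /* Forwards TCP 2222 on the public /32 to port 22 of 172.16.7.2 from
           any inbound interface; the SSH daemon on that host is therefore
           exposed to every source that can reach 185.66.193.107. */
        rule 1 {
            description "Allow SSH to VPN-01 Port 2222"
            destination {
                address 185.66.193.107/32
                port 2222
            }
            inbound-interface any
            protocol tcp
            translation {
                address 172.16.7.2
                port 22
            }
        }
        /* Forwards UDP 42001 to 172.16.7.2; no translation port is set, so
           the destination port is kept. */
        rule 2 {
            description "Wireguard VPN-01 42001"
            destination {
                address 185.66.193.107
                port 42001
            }
            inbound-interface any
            protocol udp
            translation {
                address 172.16.7.2
            }
        }
    }
    source {
        /* Everything sourced from 172.16.7.0/24 leaves as 185.66.193.107,
           whatever the outbound interface. */
        rule 1 {
            outbound-interface any
            source {
                address 172.16.7.0/24
            }
            translation {
                address 185.66.193.107
            }
        }
    }
}
policy {
    /* Packets sourced from the eth0 address are looked up in table 42 (static
       default route below), which keeps the GRE outer packets off the default
       route that is accepted from BGP. */
    local-route {
        rule 10 {
            set {
                table 42
            }
            source 5.9.220.113
        }
    }
    /* Import filter: the only prefix accepted from the neighbors is the
       default route. */
    prefix-list FFRL-IN {
        rule 10 {
            action permit
            prefix 0.0.0.0/0
        }
    }
    /* Export filter: only the loopback /32 is announced. */
    prefix-list FFRL-OUT {
        rule 10 {
            action permit
            prefix 185.66.193.107/32
        }
    }
    route-map FFRL-IN {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        prefix-list FFRL-IN
                    }
                }
            }
        }
    }
    route-map FFRL-OUT {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        prefix-list FFRL-OUT
                    }
                }
            }
        }
    }
}
protocols {
    /* Six IPv4 sessions to AS 201701, one per tunnel, each with the same
       import and export route-maps. No session password is configured, and no
       IPv6 address family is present although the tunnels carry IPv6
       addresses; confirm both are intended. */
    bgp {
        address-family {
            ipv4-unicast {
                network 185.66.193.107/32 {
                }
            }
        }
        neighbor 100.64.6.24 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export FFRL-OUT
                        import FFRL-IN
                    }
                }
            }
            description ffrl_bb_a_ak_ber
            remote-as 201701
            update-source 100.64.6.25
        }
        neighbor 100.64.6.26 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export FFRL-OUT
                        import FFRL-IN
                    }
                }
            }
            description ffrl_bb_a_fra3_fra
            remote-as 201701
            update-source 100.64.6.27
        }
        neighbor 100.64.6.28 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export FFRL-OUT
                        import FFRL-IN
                    }
                }
            }
            description ffrl_bb_a_ix_dus
            remote-as 201701
            update-source 100.64.6.29
        }
        neighbor 100.64.6.30 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export FFRL-OUT
                        import FFRL-IN
                    }
                }
            }
            description ffrl_bb_b_ak_ber
            remote-as 201701
            update-source 100.64.6.31
        }
        neighbor 100.64.6.32 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export FFRL-OUT
                        import FFRL-IN
                    }
                }
            }
            description ffrl_bb_b_fra3_fra
            remote-as 201701
            update-source 100.64.6.33
        }
        neighbor 100.64.6.34 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export FFRL-OUT
                        import FFRL-IN
                    }
                }
            }
            description ffrl_bb_b_ix_dus
            remote-as 201701
            update-source 100.64.6.35
        }
        parameters {
            router-id 10.188.255.7
        }
        system-as 65066
    }
    static {
        /* NOTE(review): 5.9.220.112 is the network address of the /29 that is
           configured on eth0; confirm it really is the upstream gateway. */
        table 42 {
            route 0.0.0.0/0 {
                next-hop 5.9.220.112 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        listen-address 172.16.7.1
        shared-network-name freifunk {
            subnet 172.16.7.0/24 {
                default-router 172.16.7.1
                name-server 1.1.1.1
                name-server 1.0.0.1
                range dhcp {
                    start 172.16.7.10
                    stop 172.16.7.200
                }
                /* Fixed lease for the host that both destination NAT rules
                   point at. */
                static-mapping vpn-01 {
                    ip-address 172.16.7.2
                    mac-address 36:f3:82:18:9b:03
                }
            }
        }
    }
    /* NOTE(review): allow-client admits every IPv4 and IPv6 source, so this
       router answers NTP for anyone who can reach it. If only 172.16.7.0/24
       is meant to use it, narrow the list; left unchanged here because the
       intended clients cannot be told from this file. */
    ntp {
        allow-client {
            address 0.0.0.0/0
            address ::/0
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    /* Password logins over SSH are switched off: the vyos user has two public
       keys configured, so remote access keeps working with keys while the
       account password can no longer be guessed over the network. The serial
       console still accepts the password. No listen-address is set, so the
       daemon listens on every address of the router, WAN included. */
    ssh {
        disable-password-authentication
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    /* Connection-tracking helpers that are loaded. NOTE(review): each helper
       parses application payloads; drop the ones whose protocols are not
       carried through this router. */
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name 7.fftdf.de
    login {
        banner {
            post-login "Welcome to the core Freifunk Router for Troisdorf!\n\nEnjoy it while you are here!\n"
        }
        /* NOTE(review): the password hash below travels with every copy of
           this file and can be attacked offline by anyone who reads it. If
           the file has left the router (repository, paste, backup), set a new
           password and keep the hash out of shared copies. Both keys are
           ssh-rsa; an RSA key's strength depends on its length, so check the
           key sizes when the keys are next rotated. */
        user vyos {
            authentication {
                encrypted-password $6$WJiQoTPHLN8qj3s2$3vPtbSA48u8axMRDuOTaH4Hzg6kUuUJ8rkNuuSBacLfJ3YKRhDu5q4hxyhYr22n9F7E5NtovDM3A1.Ahpralf0
                plaintext-password ""
                public-keys nils {
                    key AAAAB3NzaC1yc2EAAAADAQABAAACAQCvwA3/NDj7Oo28Q1XdRIgOp//35gFVvsDa1dnMkgRDqJYvlIDbRiQ+UIcgu5YhstPb8BAxfvqjRP4rnMKc7v69T2Lp+HOMx+1sOYrznEe2hC5lPr4+U1u4Fzqhq/keSoItifmdTgrE+01Zc5jMBosUIm79TDgEMuEGcYVJIyAzDv9ez4u+Bz/HubRO+qT/+UmOICEg9m/C+fiH/ZAJHi90dMsj7RF5YXrRHXTAdiecurwGAZx2Adug1fFTvzB1pqBUHje1PFtEI+LheYklpNtiJo8NQ2KDEiavSxBibJrywzQHaddf0bkeAhmiNY8PRoMpMNeiu94DyNFWgdm7bLzdzrN/o5U7MlnJlcn8D1tLtdp0ngTxaN6VIywI8mQ/Ukxz8p2Ce49vu6osz4CvYhKx4mrvOSmqg9VjKcL6/rIwK7y5CWgIrddktxrSpUHXkzoQSefgZ5Bnu3CNp0GixWV5JTHnFxCulJAGi3TTqx7IvsJ8gpuKkeGnIgnDhFbqVOKeEEnR13tTCJ7MgPQ+VHREQ68u73a5TfDxJd/ggnG4tQ67HOcqxwa74+X1lv7YiJ3AvbrR7FFPNM3o5N8ZmZWhBLDaUHrjElHkZdB/V2l2bCblWhD0INCYoskuK1dFGdf3gQQeKOivGzKtzI0xNKutrxfvarkikxCEV3Exj889rQ==
                    type ssh-rsa
                }
                public-keys stefan {
                    key AAAAB3NzaC1yc2EAAAADAQABAAABAQDM0d9uUUdkK80fYEAz+IwxbhQO2qsr87Q4uxxwqQCvjVWryL+IuKMBJJGroWDMz2d9UJcIXEYdMz4436U0DoPJuoXe5iDsVvum3Vz3276My+tqx1bZWCktPa8Isft7mO/wfELNjRNQduUiwh2y712s7/3GQI+5Rs/65HuLHTnpLKrlfptqmsmYw+IUFDzGwBLJ6sqP90ywjKkperPCAH3IWcTsQwnW3EJFPToMg6BrQslZlxx/z+co3e6jCWzUuuIRP9jp4SmNVfYaVGb1cOFdL1p1P0qWHBHdGUnXHZ+c773VKVSj+spUBxKGqNC1EhRCYTsPDLVrYrhKl2BRLcgB
                    type ssh-rsa
                }
            }
        }
    }
    /* Only the local log targets are configured here; no remote syslog host
       appears in this file, so log evidence lives on the router itself. */
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}

// Warning: Do not remove the following line.
// vyos-config-version: "bgp@3:broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@9:flow-accounting@1:https@4:ids@1:interfaces@26:ipoe-server@1:ipsec@11:isis@2:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@2:openconnect@2:ospf@1:policy@5:pppoe-server@6:pptp@2:qos@2:quagga@10:rpki@1:salt@1:snmp@3:ssh@2:sstp@4:system@25:vrf@3:vrrp@3:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2"
// Release version: 1.4-rolling-202302041536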