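/* NOTE(review): no firewall section is visible in this configuration as shown. eth0 and the loopback carry public addresses, so confirm that input filtering for SSH, NTP, DHCP and BGP is defined somewhere. */
interfaces {
    ethernet eth0 {
        address 5.9.220.113/29
        description WAN
    }
    ethernet eth1 {
        address 172.16.7.1/24
        description "Freifunk WAN"
        ipv6 {
            address {
                autoconf
            }
        }
    }
    loopback lo {
        address 185.66.193.107/32
        address 2a03:2260:121:600::0/128
    }
    /* tun0 to tun5 are plain GRE towards the six backbone endpoints, all sourced from the WAN address. GRE carries no authentication or encryption, so accepting protocol 47 on eth0 only from the listed remote addresses is worth enforcing. */
    tunnel tun0 {
        address 100.64.6.25/31
        address 2a03:2260:0:30c::2/64
        description gre_bb_a_ak_ber
        encapsulation gre
        remote 185.66.195.0
        source-address 5.9.220.113
    }
    tunnel tun1 {
        address 100.64.6.31/31
        address 2a03:2260:0:30f::2/64
        description gre_bb_b_ak_ber
        encapsulation gre
        remote 185.66.195.1
        source-address 5.9.220.113
    }
    tunnel tun2 {
        address 100.64.6.29/31
        address 2a03:2260:0:30e::2/64
        description gre_bb_a_ix_dus
        encapsulation gre
        remote 185.66.193.0
        source-address 5.9.220.113
    }
    tunnel tun3 {
        address 100.64.6.35/31
        address 2a03:2260:0:311::2/64
        description gre_bb_b_ix_dus
        encapsulation gre
        remote 185.66.193.1
        source-address 5.9.220.113
    }
    tunnel tun4 {
        address 100.64.6.27/31
        address 2a03:2260:0:30d::2/64
        description gre_bb_a_fra3_f
        encapsulation gre
        remote 185.66.194.0
        source-address 5.9.220.113
    }
    tunnel tun5 {
        address 100.64.6.33/31
        address 2a03:2260:0:310::2/64
        description gre-bb-b.fra3.f
        encapsulation gre
        remote 185.66.194.1
        source-address 5.9.220.113
    }
}
nat {
    destination {
        /* Forwards TCP 2222 on the public loopback address to SSH on the internal host 172.16.7.2 from any source. NOTE(review): that host is then reachable from the whole Internet; confirm it accepts keys only, or restrict the source addresses of this rule. */
        rule 1 {
            description "Allow SSH to VPN-01 Port 2222"
            destination {
                address 185.66.193.107/32
                port 2222
            }
            inbound-interface any
            protocol tcp
            translation {
                address 172.16.7.2
                port 22
            }
        }
        /* UDP 42001 is handed to 172.16.7.2 with the destination port unchanged, since the translation sets no port. */
        rule 2 {
            description "Wireguard VPN-01 42001"
            destination {
                address 185.66.193.107
                port 42001
            }
            inbound-interface any
            protocol udp
            translation {
                address 172.16.7.2
            }
        }
    }
    source {
        /* Everything leaving from 172.16.7.0/24 is rewritten to the announced public address, whatever the outbound interface. */
        rule 1 {
            outbound-interface any
            source {
                address 172.16.7.0/24
            }
            translation {
                address 185.66.193.107
            }
        }
    }
}
policy {
    /* Traffic sourced from the WAN address uses table 42, whose only route is the default via the WAN next hop (see protocols static). */
    local-route {
        rule 10 {
            set {
                table 42
            }
            source 5.9.220.113
        }
    }
    prefix-list FFRL-IN {
        rule 10 {
            action permit
            prefix 0.0.0.0/0
        }
    }
    prefix-list FFRL-OUT {
        rule 10 {
            action permit
            prefix 185.66.193.107/32
        }
    }
    prefix-list6 FFRL-IN-6 {
        rule 10 {
            action permit
            prefix ::/0
        }
    }
    prefix-list6 FFRL-OUT-6 {
        rule 10 {
            action permit
            prefix 2a03:2260:121:600::/55
        }
    }
    route-map FFRL-IN {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        prefix-list FFRL-IN
                    }
                }
            }
        }
    }
    route-map FFRL-OUT {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        prefix-list FFRL-OUT
                    }
                }
            }
        }
    }
    route-map FFRL-IN-6 {
        rule 10 {
            action permit
            match {
                ipv6 {
                    address {
                        prefix-list FFRL-IN-6
                    }
                }
            }
        }
    }
    route-map FFRL-OUT-6 {
        rule 10 {
            action permit
            match {
                ipv6 {
                    address {
                        prefix-list FFRL-OUT-6
                    }
                }
            }
        }
    }
}
protocols {
    /* Twelve sessions to AS 201701, one IPv4 and one IPv6 per GRE tunnel. Each session imports only the default route and exports only the own prefix through the route-maps above, so nothing else can be learned or leaked. */
    bgp {
        address-family {
            ipv4-unicast {
                network 185.66.193.107/32 {
                }
            }
            ipv6-unicast {
                network 2a03:2260:121:600::/55 {
                }
            }
        }
        neighbor 100.64.6.24 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export FFRL-OUT
                        import FFRL-IN
                    }
                }
            }
            description ffrl_bb_a_ak_ber
            remote-as 201701
            update-source 100.64.6.25
        }
        neighbor 100.64.6.26 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export FFRL-OUT
                        import FFRL-IN
                    }
                }
            }
            description ffrl_bb_a_fra3_fra
            remote-as 201701
            update-source 100.64.6.27
        }
        neighbor 100.64.6.28 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export FFRL-OUT
                        import FFRL-IN
                    }
                }
            }
            description ffrl_bb_a_ix_dus
            remote-as 201701
            update-source 100.64.6.29
        }
        neighbor 100.64.6.30 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export FFRL-OUT
                        import FFRL-IN
                    }
                }
            }
            description ffrl_bb_b_ak_ber
            remote-as 201701
            update-source 100.64.6.31
        }
        neighbor 100.64.6.32 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export FFRL-OUT
                        import FFRL-IN
                    }
                }
            }
            description ffrl_bb_b_fra3_fra
            remote-as 201701
            update-source 100.64.6.33
        }
        neighbor 100.64.6.34 {
            address-family {
                ipv4-unicast {
                    route-map {
                        export FFRL-OUT
                        import FFRL-IN
                    }
                }
            }
            description ffrl_bb_b_ix_dus
            remote-as 201701
            update-source 100.64.6.35
        }
        neighbor 2a03:2260:0:30c::1 {
            address-family {
                ipv6-unicast {
                    route-map {
                        export FFRL-OUT-6
                        import FFRL-IN-6
                    }
                }
            }
            remote-as 201701
            update-source 2a03:2260:0:30c::2
        }
        neighbor 2a03:2260:0:30d::1 {
            address-family {
                ipv6-unicast {
                    route-map {
                        export FFRL-OUT-6
                        import FFRL-IN-6
                    }
                }
            }
            remote-as 201701
            update-source 2a03:2260:0:30d::2
        }
        neighbor 2a03:2260:0:30e::1 {
            address-family {
                ipv6-unicast {
                    route-map {
                        export FFRL-OUT-6
                        import FFRL-IN-6
                    }
                }
            }
            remote-as 201701
            update-source 2a03:2260:0:30e::2
        }
        neighbor 2a03:2260:0:30f::1 {
            address-family {
                ipv6-unicast {
                    route-map {
                        export FFRL-OUT-6
                        import FFRL-IN-6
                    }
                }
            }
            remote-as 201701
            update-source 2a03:2260:0:30f::2
        }
        neighbor 2a03:2260:0:310::1 {
            address-family {
                ipv6-unicast {
                    route-map {
                        export FFRL-OUT-6
                        import FFRL-IN-6
                    }
                }
            }
            remote-as 201701
            update-source 2a03:2260:0:310::2
        }
        neighbor 2a03:2260:0:311::1 {
            address-family {
                ipv6-unicast {
                    route-map {
                        export FFRL-OUT-6
                        import FFRL-IN-6
                    }
                }
            }
            remote-as 201701
            update-source 2a03:2260:0:311::2
        }
        parameters {
            router-id 10.188.255.7
        }
        system-as 65066
    }
    static {
        /* NOTE(review): this prefix lies outside the announced 2a03:2260:121:600::/55; confirm it is the intended downstream range and not a typo. */
        route6 2a03:2260:121:e000::/54 {
            interface eth1 {
            }
        }
        table 42 {
            route 0.0.0.0/0 {
                next-hop 5.9.220.112 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        listen-address 172.16.7.1
        shared-network-name freifunk {
            subnet 172.16.7.0/24 {
                default-router 172.16.7.1
                name-server 1.1.1.1
                name-server 1.0.0.1
                range dhcp {
                    start 172.16.7.10
                    stop 172.16.7.200
                }
                static-mapping vpn-01 {
                    ip-address 172.16.7.2
                    mac-address 36:f3:82:18:9b:03
                }
            }
        }
    }
    /* Time is served only to the networks this router addresses or routes on eth1. Allowing 0.0.0.0/0 and ::/0 would answer any Internet host and expose the UDP service to abuse; add further ranges only if you operate them. */
    ntp {
        allow-client {
            address 172.16.7.0/24
            address 2a03:2260:121:600::/55
            address 2a03:2260:121:e000::/54
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    router-advert {
        interface eth1 {
            default-lifetime 300
            default-preference high
            hop-limit 64
            interval {
                max 30
            }
            link-mtu 1500
            name-server 2001:4860:4860::8888
            other-config-flag
            prefix 2a03:2260:121:600::/58 {
                preferred-lifetime 300
                valid-lifetime 900
            }
            reachable-time 90000
            retrans-timer 0
        }
    }
    /* Key-only login: user vyos has public keys configured, so password authentication is switched off to rule out password guessing. NOTE(review): no listen-address is set, so the daemon is reachable on the public addresses too; consider a listen-address or a firewall rule. */
    ssh {
        disable-password-authentication
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    /* NOTE(review): every helper listed here inspects application payloads and may open related flows through NAT; keep only the protocols that are really in use behind this router. */
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name 7.fftdf.de
    login {
        banner {
            post-login "Welcome to the core Freifunk Router for Troisdorf!\n\nEnjoy it while you are here!\n"
        }
        /* Credentials below are masked in this export. NOTE(review): both keys are ssh-rsa; confirm the key sizes are adequate or rotate to a newer key type when convenient. */
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
                public-keys nils {
                    key ****************
                    type ssh-rsa
                }
                public-keys stefan {
                    key ****************
                    type ssh-rsa
                }
            }
        }
    }
    /* Logs stay local as shown; NOTE(review): consider forwarding to a remote host so that records survive a compromise of this router. */
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}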