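container {
    /* CoreDNS pair on the "lb" container network; each instance is pointed
       at its peer through SECONDAY_COREDNS. That spelling is whatever the
       image reads, so confirm against the image before renaming it. Images
       are pinned by tag only; pin by digest (image@sha256:...) if the
       registry is not fully trusted. */
    name coredns-1 {
        cap-add net-bind-service
        environment SECONDAY_COREDNS {
            value 10.7.0.8
        }
        image ghcr.io/damomurf/coredns-tailscale:v0.2.5
        network lb {
            address 10.7.0.7
        }
        volume corefile {
            destination /Corefile
            source /config/Corefile
        }
        /* The router's own /etc/hosts (kept current by the DHCP server's
           hostfile-update) is bind-mounted into the container. A compromised
           CoreDNS could rewrite name resolution on the firewall itself;
           mount a copy, or mark the volume read-only if this VyOS build
           supports "volume ... mode ro". */
        volume hosts {
            destination /etc/hosts
            source /etc/hosts
        }
        /* Only tailscaled's control socket directory is shared. The daemon's
           state directory (/config/tailscaled, which holds the node private
           key) is no longer mounted here. Note the socket still grants full
           LocalAPI control of tailscaled to this container. */
        volume tailsocket {
            destination /var/run/tailscale/
            source /config/tailscale-sock/
        }
    }
    name coredns-2 {
        cap-add net-bind-service
        environment APEX {
            value coredns-2.omit2.rabbito.tech
        }
        environment SECONDAY_COREDNS {
            value 10.7.0.7
        }
        image ghcr.io/damomurf/coredns-tailscale:v0.2.5
        network lb {
            address 10.7.0.8
        }
        volume corefile {
            destination /Corefile
            source /config/Corefile
        }
        /* Same caveat as coredns-1: host /etc/hosts mounted writable. */
        volume hosts {
            destination /etc/hosts
            source /etc/hosts
        }
        /* Socket directory only; state directory is not shared. */
        volume tailsocket {
            destination /var/run/tailscale/
            source /config/tailscale-sock/
        }
    }
    /* tailscaled in kernel (TUN) mode, sharing the router's network
       namespace so that tailscale0 exists on the host and can be
       firewalled. Capabilities are kept to what a subnet router needs:
       net-admin (TUN device, routes, netfilter), net-raw, net-bind-service.
       CAP_SYS_ADMIN was removed: tailscaled does not need it and, from a
       host-network container, it is effectively host root. If the tun
       module ever fails to load at start-up, add "cap-add sys-module" (not
       sys-admin); the /lib/modules mount below exists for that case. */
    name tailscale {
        allow-host-networks
        cap-add net-admin
        cap-add net-raw
        cap-add net-bind-service
        /* Stored in clear in config.boot and in every retained commit
           revision (system config-management commit-revisions 100). Use a
           single-use, non-reusable key so that its exposure after first
           login is harmless, and rotate it if this file has been shared. */
        environment TS_AUTHKEY {
            value omit
        }
        environment TS_EXTRA_ARGS {
            value --accept-routes
        }
        environment TS_HOSTNAME {
            value omit
        }
        /* Subnets advertised to the tailnet. Which peers may reach them is
           decided by the tailnet ACL only: the tailscale0 rulesets in the
           firewall section are default-accept. */
        environment TS_ROUTES {
            value 192.168.14.0/24,10.40.99.0/24,10.7.0.0/24
        }
        /* Control socket lives in its own directory so it can be shared with
           the CoreDNS containers without also sharing the state directory. */
        environment TS_SOCKET {
            value /var/run/tailscale/tailscaled.sock
        }
        environment TS_STATE_DIR {
            value /config
        }
        /* Fixed WireGuard listen port; must stay in sync with firewall rules
           OUTSIDE-LOCAL 5182 and OUT-LOCAL-V6 5182 (udp/51820). */
        environment TS_TAILSCALED_EXTRA_ARGS {
            value "-port 51820"
        }
        environment TS_USERSPACE {
            value false
        }
        image ghcr.io/tailscale/tailscale:v1.48.1
        volume lib-mod {
            destination /lib/modules
            source /lib/modules
        }
        /* Create /config/tailscale-sock on the host before committing; the
           container commit check expects every volume source path to
           exist. */
        volume sock {
            destination /var/run/tailscale/
            source /config/tailscale-sock/
        }
        /* Node key, prefs and login state. Only this container mounts it. */
        volume state {
            destination /config
            source /config/tailscaled
        }
        volume tun {
            destination /dev/net/tun
            source /dev/net/tun
        }
    }
    /* Container bridge; advertised to the tailnet via TS_ROUTES and listed in
       policy prefix-list announce-nets. */
    network lb {
        description general
        prefix 10.7.0.0/24
    }
}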
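firewall {
    all-ping enable
    config-trap disable
    group {
        /* VLAN_8 and VLAN_100 hosts that WG-IN rule 10 shields from TCP
           arriving from Chromecast source ports. The other VLANs are not in
           the group. */
        address-group local {
            address 192.168.17.1-192.168.17.255
            address 192.168.14.1-192.168.14.255
        }
        /* Not referenced by any rule in this configuration. */
        interface-group local {
            interface eth1.10
            interface eth1.100
            interface eth1.8
            interface eth1.99
        }
        /* Not referenced by any rule in this configuration. */
        ipv6-address-group local {
            address 2600:4041:42f7:fa00:0000:0000:0000:0000-2600:4041:42f7:fa00:ffff:ffff:ffff:ffff
        }
        port-group chromecast {
            port 32768-61000
        }
    }
    /* Rulesets are attached only to the WAN (eth0) and the tailnet
       (tailscale0). eth1 and its VLAN sub-interfaces carry none, so traffic
       routed between the untagged LAN, VLAN_8/10/99/100/101 and the
       container network is unfiltered - including access to the management
       VLAN_99 from every other segment. */
    interface eth0 {
        in {
            ipv6-name OUT-IN-V6
            name OUTSIDE-IN
        }
        local {
            ipv6-name OUT-LOCAL-V6
            name OUTSIDE-LOCAL
        }
    }
    interface tailscale0 {
        in {
            ipv6-name WG-IN
            name WG-IN
        }
        local {
            ipv6-name WG-LOCAL
            name WG-LOCAL
        }
        out {
            ipv6-name WG-OUT
            name WG-OUT
        }
    }
    /* IPv6 forwarded from the WAN into the delegated prefixes. */
    ipv6-name OUT-IN-V6 {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* Every ICMPv6 type is forwarded to LAN hosts without rate limiting.
           RFC 4890 only needs echo, destination-unreachable, packet-too-big,
           time-exceeded and parameter-problem to transit a firewall;
           consider limiting this rule to those types. */
        rule 20 {
            action accept
            protocol icmpv6
        }
    }
    /* IPv6 addressed to the router itself on the WAN. */
    ipv6-name OUT-LOCAL-V6 {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* DHCPv6 replies (server port 547 -> client port 546) from any
           source. The upstream server normally answers from a link-local
           address; adding "source address fe80::/10" would tighten this
           once the ISP's behaviour is confirmed. */
        rule 11 {
            action accept
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
        rule 21 {
            action accept
            description "Allow link-local"
            protocol icmpv6
            source {
                address fe80::/10
            }
        }
        /* ICMPv6 from anywhere, rate-limited with burst 1; no rate is set,
           so the platform default applies. */
        rule 22 {
            action accept
            limit {
                burst 1
            }
            protocol icmpv6
        }
        /* SSH from the IPv6 internet: rule 30 drops a source that opened more
           than 4 new connections in the last minute, rule 31 accepts the
           rest. Password authentication is disabled under service ssh, but
           the management port is still exposed; reaching it only over
           tailscale0 (WG-LOCAL) would remove the WAN exposure entirely. */
        rule 30 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time minute
            }
            state {
                new enable
            }
        }
        rule 31 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            state {
                new enable
            }
        }
        /* tailscaled's fixed listen port ("-port 51820" in the container). */
        rule 5182 {
            action accept
            destination {
                port 51820
            }
            protocol udp
        }
    }
    /* Traffic from the tailnet forwarded into local networks: default
       accept, so the tailnet ACL is the only access control for anything
       not matched by the two Chromecast rules. */
    ipv6-name WG-IN {
        default-action accept
        rule 10 {
            action drop
            description "block TCP traffic from chromecast"
            destination {
                group {
                    address-group local
                }
            }
            protocol tcp
            source {
                port 8008-8009,8443
            }
        }
        /* Destination is the (currently disabled) wg0 prefix, so this rule
           matches nothing while wg0 stays down. */
        rule 11 {
            action drop
            description "block UDP traffic from chromecast"
            destination {
                address 2001:559:87dd:629::/64
            }
            protocol udp
            source {
                group {
                    port-group chromecast
                }
            }
        }
    }
    /* Tailnet traffic to the router itself (SSH and everything else): accept
       all. */
    ipv6-name WG-LOCAL {
        default-action accept
    }
    ipv6-name WG-OUT {
        default-action accept
        /* Keep IGMP off the tunnel. */
        rule 20 {
            action drop
            protocol igmp
        }
    }
    /* IPv4 forwarded from the WAN: only replies to outbound flows. */
    name OUTSIDE-IN {
        default-action drop
        description "incoming WAN ruleset"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    /* IPv4 addressed to the router itself on the WAN. */
    name OUTSIDE-LOCAL {
        default-action drop
        description "local WAN ruleset"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* Answer pings from the internet (all-ping enable above). */
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        /* SSH brute-force throttle. The threshold was 60 new connections per
           second, which a scanner essentially never reaches and so gave no
           protection; it now matches the IPv6 ruleset (4 per minute per
           source). As with IPv6, exposing SSH on the WAN at all is worth
           reconsidering given tailscale0 access. */
        rule 30 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time minute
            }
            state {
                new enable
            }
        }
        rule 31 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            state {
                new enable
            }
        }
        /* udp/51820 is now tailscaled's port (wg0 in the interfaces section
           is disabled); the description predates that. Logging fires for
           datagrams not already matched by rule 10's conntrack state. */
        rule 5182 {
            action accept
            description wireguard
            destination {
                port 51820
            }
            log enable
            protocol udp
        }
        /* iperf3 server; disabled. */
        rule 5201 {
            action accept
            destination {
                port 5201
            }
            disable
            protocol tcp
        }
    }
    /* IPv4 twin of the tailnet rulesets above: default accept. */
    name WG-IN {
        default-action accept
        rule 10 {
            action drop
            description "block TCP traffic from chromecast"
            destination {
                group {
                    address-group local
                }
            }
            protocol tcp
            source {
                port 8008-8009,8443
            }
        }
        /* Destination is the wg0 tunnel subnet; wg0 is currently disabled. */
        rule 11 {
            action drop
            description "block UDP traffic from chromecast"
            destination {
                address 10.200.200.0/24
            }
            protocol udp
            source {
                group {
                    port-group chromecast
                }
            }
        }
    }
    name WG-LOCAL {
        default-action accept
    }
    name WG-OUT {
        default-action accept
        rule 20 {
            action drop
            protocol igmp
        }
    }
    receive-redirects disable
    send-redirects enable
    /* Reverse-path filtering is off, so a packet arriving on eth0 with a
       LAN source address is not rejected by the kernel; OUTSIDE-IN's default
       drop is the only thing stopping it. "loose" (or "strict", if routing
       via tailscale0 is symmetric) would add a second layer. */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}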
interfaces {
    /* WAN uplink. IPv4 via DHCP; IPv6 via DHCPv6 with a /56 prefix
       delegation split into VLAN_100 (sla-id 0) and VLAN_10 (sla-id 2).
       The DUID is the interface MAC. Firewall rulesets OUTSIDE-* and
       OUT-*-V6 are attached here. */
    ethernet eth0 {
        address dhcp
        address dhcpv6
        description OUTSIDE
        dhcpv6-options {
            duid 00:e0:67:26:40:d8
            pd 0 {
                interface eth1.10 {
                    sla-id 2
                }
                interface eth1.100 {
                    sla-id 0
                }
                length 56
            }
            rapid-commit
        }
        hw-id 00:e0:67:26:40:d8
        ip {
        }
        /* SLAAC on the WAN side: the router takes its own address from the
           ISP's router advertisements. */
        ipv6 {
            address {
                autoconf
            }
        }
    }
    /* LAN trunk. Untagged side is 192.168.1.0/24; each VLAN below is its
       own /24. No firewall ruleset is attached to eth1 or its VLANs, so
       routing between segments is unrestricted. */
    ethernet eth1 {
        address 192.168.1.1/24
        description INSIDE
        hw-id 00:e0:67:26:40:d9
        ipv6 {
        }
        vif 8 {
            address 192.168.17.1/24
            description VLAN_8
        }
        /* Receives IPv6 prefix-delegation sla-id 2 and router advertisements. */
        vif 10 {
            address 192.168.16.1/24
            description VLAN_10
        }
        /* Management VLAN (UniFi devices are pointed at 10.45.0.6 via DHCP).
           Advertised to the tailnet through TS_ROUTES; reachable from every
           other VLAN because no LAN-side firewall exists. */
        vif 99 {
            address 10.40.99.1/24
            description VLAN_99
        }
        /* Receives prefix-delegation sla-id 0; also the IPv6 source for the
           second dynamic-DNS entry under service dns. */
        vif 100 {
            address 192.168.14.1/24
            description VLAN_100
        }
        vif 101 {
            address 192.168.13.1/24
            description VLAN_101
        }
    }
    /* Point-to-point /30 with no description; nothing else in this file
       refers to it. */
    ethernet eth2 {
        address 192.168.2.1/30
        hw-id 00:e0:67:26:40:da
    }
    /* Unused. */
    ethernet eth3 {
        hw-id 00:e0:67:26:40:db
    }
    loopback lo {
    }
    /* Site-to-site WireGuard, currently disabled. It listens on udp/51820,
       the port tailscaled now binds on the host, so the two cannot run
       together - presumably why it was turned off when tailscale0 took over.
       Keys are redacted in this copy. While wg0 is down, the peers'
       allowed-ips prefixes (including 10.45.0.0/16, where the UniFi
       controller 10.45.0.6 lives) are reachable only if tailscale supplies
       routes for them - verify before relying on them. */
    wireguard wg0 {
        address 10.200.200.6/24
        address 2001:0559:87dd:0629:0000:0000:0000:0006/64
        disable
        ip {
            adjust-mss clamp-mss-to-pmtu
        }
        ipv6 {
            adjust-mss clamp-mss-to-pmtu
        }
        mtu 1420
        /* Peer reached over an IPv6 endpoint; no keepalive, so it only comes
           up when one side sends. */
        peer omit2 {
            address 2600:4041:42f2:cf00:2e0:67ff:fe27:82e9
            allowed-ips 10.200.200.5/32
            allowed-ips 2001:0559:87dd:0629:0000:0000:0000:0005/128
            allowed-ips 2600:4041:42f2:cf00::/64
            allowed-ips 192.168.11.0/24
            allowed-ips 192.168.7.0/24
            port 51820
            preshared-key ****************
            public-key ****************
        }
        /* Peer reached over a static IPv4 endpoint, kept alive every 20 s. */
        peer omit1 {
            address 50.223.56.162
            allowed-ips 192.168.4.0/24
            allowed-ips 192.168.8.0/24
            allowed-ips 10.5.0.0/24
            allowed-ips 2001:0559:87dd:0629:0000:0000:0000:0004/128
            allowed-ips 10.20.99.0/24
            allowed-ips 10.200.200.4/32
            allowed-ips 10.45.0.0/16
            allowed-ips 2001:559:87dd:a00::/56
            persistent-keepalive 20
            port 51820
            preshared-key ****************
            public-key ****************
        }
        port 51820
        private-key ****************
    }
}
nat {
    source {
        /* Masquerade everything leaving the WAN, whatever its source -
           this includes traffic arriving from the tailnet or wg0 that is
           routed out eth0, not just the local VLANs. */
        rule 11 {
            description 1G-Outside
            outbound-interface eth0
            source {
                address 0.0.0.0/0
            }
            translation {
                address masquerade
            }
        }
    }
}
policy {
    /* Prefix-lists are defined but no routing protocol in this configuration
       references them (protocols holds only a static default route); they
       appear to be left over from an earlier BGP/OSPF setup. */
    prefix-list announce-nets {
        rule 10 {
            action permit
            prefix 192.168.16.0/24
        }
        rule 53 {
            action permit
            prefix 10.7.0.0/24
        }
        rule 99 {
            action permit
            prefix 10.40.99.0/24
        }
        rule 100 {
            action permit
            prefix 192.168.14.0/24
        }
    }
    prefix-list deny-default {
        rule 1 {
            action deny
            prefix 0.0.0.0/0
        }
    }
    prefix-list6 denytest {
        rule 1 {
            action deny
            prefix ::/0
        }
    }
}
protocols {
    static {
        /* Default route follows the DHCP-supplied gateway on eth0. No dynamic
           routing is configured; tailnet routes are installed by tailscaled
           (--accept-routes) outside of this section. */
        route 0.0.0.0/0 {
            dhcp-interface eth0
            interface eth0 {
                distance 1
            }
        }
    }
}
service {
    dhcp-server {
        /* Writes lease hostnames into the router's /etc/hosts - the same file
           that is bind-mounted writable into the CoreDNS containers. */
        hostfile-update
        /* Untagged LAN: a deliberately tiny pool (.3-.10). */
        shared-network-name LAN {
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                domain-name omit.rabbito.tech
                lease 86400
                /* 10.6.0.8 is not in any directly connected subnet or wg0
                   allowed-ips here; presumably reached via a tailscale
                   route - confirm, or clients lose their primary resolver
                   whenever the tailnet is down. */
                name-server 10.6.0.8
                name-server 10.7.0.7
                range 0 {
                    start 192.168.1.3
                    stop 192.168.1.10
                }
            }
        }
        /* No domain-name/domain-search handed out on this VLAN. */
        shared-network-name VLAN_8 {
            subnet 192.168.17.0/24 {
                default-router 192.168.17.1
                lease 86400
                name-server 10.6.0.8
                name-server 10.7.0.7
                range 0 {
                    start 192.168.17.9
                    stop 192.168.17.254
                }
            }
        }
        shared-network-name VLAN_10 {
            subnet 192.168.16.0/24 {
                default-router 192.168.16.1
                domain-name omit.rabbito.tech
                domain-search omit.rabbito.tech
                domain-search rabbito.tech
                lease 86400
                name-server 10.6.0.8
                name-server 10.7.0.7
                range 0 {
                    start 192.168.16.9
                    stop 192.168.16.254
                }
            }
        }
        /* Management VLAN; UniFi devices are told their controller via the
           vendor option. 10.45.0.6 is inside wg0 peer omit1's allowed-ips,
           and wg0 is disabled. */
        shared-network-name VLAN_99 {
            subnet 10.40.99.0/24 {
                default-router 10.40.99.1
                domain-name omit.rabbito.tech
                domain-search omit.rabbito.tech
                domain-search rabbito.tech
                lease 86400
                name-server 10.6.0.8
                name-server 10.7.0.7
                range 0 {
                    start 10.40.99.9
                    stop 10.40.99.254
                }
                vendor-option {
                    ubiquiti {
                        unifi-controller 10.45.0.6
                    }
                }
            }
        }
        /* Only VLAN_100 uses the two local CoreDNS containers as its
           resolvers; every other segment prefers 10.6.0.8. */
        shared-network-name VLAN_100 {
            subnet 192.168.14.0/24 {
                default-router 192.168.14.1
                domain-name omit.rabbito.tech
                domain-search omit.rabbito.tech
                domain-search rabbito.tech
                lease 86400
                name-server 10.7.0.7
                name-server 10.7.0.8
                range 0 {
                    start 192.168.14.9
                    stop 192.168.14.254
                }
                vendor-option {
                    ubiquiti {
                        unifi-controller 10.45.0.6
                    }
                }
            }
        }
        shared-network-name VLAN_101 {
            subnet 192.168.13.0/24 {
                default-router 192.168.13.1
                domain-name omit.rabbito.tech
                domain-search omit.rabbito.tech
                domain-search rabbito.tech
                lease 86400
                name-server 10.6.0.8
                name-server 10.7.0.7
                range 0 {
                    start 192.168.13.9
                    stop 192.168.13.254
                }
            }
        }
    }
    dns {
        /* Cloudflare dynamic DNS for the WAN IPv4 (eth0) and the delegated
           IPv6 on VLAN_100. The credential is stored in clear here and in
           every retained commit revision; if "password" is the account's
           Global API Key it grants full account control - use an API token
           scoped to DNS:Edit on rabbito.tech only, and rotate it if this
           file has been shared. */
        dynamic {
            interface eth0 {
                service cloudflare {
                    host-name omit.rabbito.tech
                    login omit@gmail.com
                    password ****************
                    protocol cloudflare
                    server api.cloudflare.com/client/v4
                    zone rabbito.tech
                }
            }
            interface eth1.100 {
                ipv6-enable
                service cloudflare {
                    host-name omit.rabbito.tech
                    login omit@gmail.com
                    password ****************
                    protocol cloudflare
                    server api.cloudflare.com/client/v4
                    zone rabbito.tech
                }
            }
        }
    }
    /* Router advertisements on the two VLANs that receive prefix delegation;
       "::/0" lets the RA use the delegated prefix. */
    router-advert {
        interface eth1.10 {
            prefix ::/0 {
            }
        }
        interface eth1.100 {
            prefix ::/0 {
            }
        }
    }
    /* Key-only SSH (good). No listen-address is set, so sshd also listens on
       the WAN address and is reachable there through firewall rules
       OUTSIDE-LOCAL 30/31 and OUT-LOCAL-V6 30/31. Binding it to the
       LAN/tailscale addresses, or dropping those WAN rules, would remove the
       exposure. */
    ssh {
        disable-password-authentication
        port 22
    }
}
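system {
    /* 100 revisions are kept under /config/archive. Every secret in this
       file (TS_AUTHKEY, the Cloudflare credential, WireGuard keys, password
       hashes) is retained in each of them; clear the archive after a
       rotation. */
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name omit.rabbito.tech
    domain-search {
        domain omit.rabbito.tech
    }
    host-name omit-fw-1
    login {
        banner {
            post-login "Welcome to omit"
            pre-login "WARNING: Unauthorized access to this system is forbidden and will be\nprosecuted by law. By accessing this system, you agree that your actions\nmay be monitored if unauthorized usage is suspected."
        }
        /* Default admin account, key-based over SSH (password auth is off).
           Both encrypted-password and plaintext-password are present; VyOS
           normally hashes plaintext-password into encrypted-password at
           commit and removes the plaintext node, so its presence here is
           unexpected - verify it is not sitting in clear on the box. */
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
                public-keys anthony@toolbox {
                    key ****************
                    type ssh-ed25519
                }
                public-keys anthony@tpme39 {
                    key ****************
                    type ecdsa-sha2-nistp256
                }
                public-keys anthony@yubi {
                    key ****************
                    type ecdsa-sha2-nistp256
                }
            }
        }
    }
    /* Router's own resolvers: Cloudflare first, then the local CoreDNS. */
    name-server 1.1.1.1
    name-server 10.7.0.7
    /* Fixed the hostname: it was "time.cloudflate.com" (typo), which either
       never resolves - leaving the clock free-running, which in turn breaks
       TLS validation, tailscale key expiry and log timestamps - or, worse,
       resolves to a typo-squatted host that can feed the router bogus
       time. */
    ntp {
        server time.cloudflare.com {
        }
    }
    option {
        startup-beep
    }
    /* Throughput tuning (fq_codel + BBR, PMTU probing); no security effect. */
    sysctl {
        parameter net.core.default_qdisc {
            value fq_codel
        }
        parameter net.ipv4.tcp_congestion_control {
            value bbr
        }
        parameter net.ipv4.tcp_mtu_probing {
            value 1
        }
        parameter net.ipv4.tcp_window_scaling {
            value 1
        }
    }
    /* Local logging only; firewall rule 5182 logs and auth events stay on
       the box. A remote syslog host would preserve them if the router is
       compromised or loses its disk. */
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}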
// Warning: Do not remove the following line. | |
// vyos-config-version: "bgp@3:broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@9:flow-accounting@1:https@4:ids@1:interfaces@26:ipoe-server@1:ipsec@10:isis@2:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@1:openconnect@2:ospf@1:policy@5:pppoe-server@6:pptp@2:qos@1:quagga@10:rpki@1:salt@1:snmp@2:ssh@2:sstp@4:system@25:vrf@3:vrrp@3:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2" | |
// Release version: 1.4-rolling-202212310809 |