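# pfSense-generated pf(4) ruleset (rules.debug layout): limits, macros,
# tables, scrub, NAT, and the filter policy for one WAN, four VLANs and one
# OpenVPN client uplink (ovpnc1).  Rules are evaluated top to bottom; "quick"
# stops evaluation at the first match, so ordering is part of the policy.
#
# Extraction note: every token that pf writes inside angle brackets (table
# names) was dropped when this page was rendered, leaving e.g. "table persist"
# and "from to any".  Names below were restored only where a label, alias
# line or file path on the page fixes them; the two that cannot be recovered
# from the page are marked with an obviously labelled placeholder and must be
# replaced before this file is fed to pfctl.

set limit table-entries 400000
set optimization normal
set limit states 801000
set limit src-nodes 801000

#System aliases
loopback = "{ lo0 }"
WAN = "{ em0.99 }"
VL10_LAN = "{ em0.10 }"
VL20_VPN = "{ em0.20 }"
VL30_IOT = "{ em0.30 }"
VL40_GUEST = "{ em0.40 }"
VPN_WAN = "{ ovpnc1 }"
OpenVPN = "{ openvpn }"

#SSH Lockout Table
# name restored from the "sshguard" label on the block rule below
table <sshguard> persist

#Snort tables
# names restored from the "Block snort2c hosts" / "virusprot overload table" labels
table <snort2c>
table <virusprot>
table <bogons> persist file "/etc/bogons"
# NOTE(review): name and contents of this table were lost in extraction and
# are not recoverable from the page; replace the placeholder.
table <TABLE_NAME_LOST_IN_EXTRACTION>

# User Aliases
Admin_Ports = "{ 443 80 22 }"
# NOTE(review): defined but referenced by no rule; the VL30_IOT policy below
# passes *all* TCP/UDP ports to non-local destinations.  If the intent was to
# restrict IoT egress to DNS/NTP, the "Pass WAN" rule for $VL30_IOT should
# carry "port $Allowed_IoT_VLAN_OUT_Ports".
Allowed_IoT_VLAN_OUT_Ports = "{ 53 123 }"
Allowed_OUT_Home_Ports_WAN = "{ 80 443 5222:5223 5228 8883 9543 11095 22 8080 5060 3000:3001 123 8107 }"
Allowed_OUT_Ports_VLANs = "{ 53 21 22 161 80 443 5001 9091 8888 137:139 445 9117 3478 10001 8080:8081 8443 8843 8880 6789 2049 111 32765 32767 123 8107 }"
Allowed_OUT_Work_Ports_WAN = "{ 4433 3478:3481 5228:5230 10005 389 18107 10443 1025 8025 }"
# Alias tables: pfSense emits "table <Name> { ... }" followed by
# Name = "<Name>"; the table names are restored from the adjacent alias names.
table <Google_Devices> { 192.168.30.50 192.168.30.51 }
Google_Devices = "<Google_Devices>"
table <Local_Subnets> { 192.168.0.0/16 }
Local_Subnets = "<Local_Subnets>"
# persist + empty: populated at runtime (pfctl -t), not by this file
table <Selective_Routing> persist
Selective_Routing = "<Selective_Routing>"
table <VPN_Host> { 192.168.20.103 }
VPN_Host = "<VPN_Host>"
VPN_Inbound_Port = "{ 8107 }"

# Gateways
GWWAN_DHCP = " route-to ( em0.99 104.163.184.1 ) "
GWVPN_WAN = " route-to ( ovpnc1 10.35.38.1 ) "

set loginterface em0.10
set skip on pfsync0

scrub on $WAN inet all fragment reassemble
scrub on $WAN inet6 all fragment reassemble
scrub on $VL10_LAN inet all fragment reassemble
scrub on $VL10_LAN inet6 all fragment reassemble
scrub on $VL20_VPN inet all fragment reassemble
scrub on $VL20_VPN inet6 all fragment reassemble
scrub on $VL30_IOT inet all fragment reassemble
scrub on $VL30_IOT inet6 all fragment reassemble
scrub on $VL40_GUEST inet all fragment reassemble
scrub on $VL40_GUEST inet6 all fragment reassemble
scrub on $VPN_WAN inet all fragment reassemble
scrub on $VPN_WAN inet6 all fragment reassemble

no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules (manual)
nat on $WAN inet from 127.0.0.0/8 to any -> 104.163.184.210/32 port 1024:65535 # Localhost to WAN
nat on $WAN inet from 192.168.10.0/24 to any -> 104.163.184.210/32 port 1024:65535 # VL10_LAN to WAN
# NOTE(review): VL20_VPN is also NATed on the plain WAN.  Any VL20 traffic
# that is passed without $GWVPN_WAN (the ICMP rule below, or the TCP/UDP rule
# if pfSense drops the route-to while the VPN gateway is down) leaves with the
# real WAN address.  Confirm that is acceptable for this VLAN.
nat on $WAN inet from 192.168.20.0/24 to any -> 104.163.184.210/32 port 1024:65535 # VL20_VPN to WAN
nat on $WAN inet from 192.168.30.0/24 to any -> 104.163.184.210/32 port 1024:65535 # VL30_IOT to WAN
nat on $WAN inet from 192.168.40.0/24 to any -> 104.163.184.210/32 port 1024:65535 # VL40_GUEST to WAN
nat on $VPN_WAN inet from 192.168.20.0/24 to any -> 10.35.38.107/32 port 1024:65535 # VL20_VPN to VPN_WAN

# TFTP proxy
rdr-anchor "tftp-proxy/*"

# NAT Inbound Redirects
# Force NTP (123) and DNS (53) from VL10/VL20/VL30 to the local services.
# rdr is applied before the filter rules, so the pass rules further down see
# 127.0.0.1 as the destination.  VL40_GUEST has no such redirect: guest DNS
# and NTP go straight out (intentional?).
rdr on em0.10 inet proto udp from 192.168.10.0/24 to !192.168.10.1 port 123 -> 127.0.0.1
# Reflection redirect
rdr on { em0.20 em0.30 em0.40 openvpn } inet proto udp from 192.168.10.0/24 to !192.168.10.1 port 123 -> 127.0.0.1
rdr on em0.20 inet proto udp from 192.168.20.0/24 to !192.168.20.1 port 123 -> 127.0.0.1
# Reflection redirect
rdr on { em0.10 em0.30 em0.40 openvpn } inet proto udp from 192.168.20.0/24 to !192.168.20.1 port 123 -> 127.0.0.1
rdr on em0.30 inet proto udp from 192.168.30.0/24 to !192.168.30.1 port 123 -> 127.0.0.1
# Reflection redirect
rdr on { em0.10 em0.20 em0.40 openvpn } inet proto udp from 192.168.30.0/24 to !192.168.30.1 port 123 -> 127.0.0.1
rdr on em0.10 inet proto { tcp udp } from 192.168.10.0/24 to !192.168.10.1 port 53 -> 127.0.0.1
# Reflection redirect
rdr on { em0.20 em0.30 em0.40 openvpn } inet proto { tcp udp } from 192.168.10.0/24 to !192.168.10.1 port 53 -> 127.0.0.1
rdr on em0.20 inet proto { tcp udp } from 192.168.20.0/24 to !192.168.20.1 port 53 -> 127.0.0.1
# Reflection redirect
rdr on { em0.10 em0.30 em0.40 openvpn } inet proto { tcp udp } from 192.168.20.0/24 to !192.168.20.1 port 53 -> 127.0.0.1
rdr on em0.30 inet proto { tcp udp } from 192.168.30.0/24 to !192.168.30.1 port 53 -> 127.0.0.1
# Reflection redirect
rdr on { em0.10 em0.20 em0.40 openvpn } inet proto { tcp udp } from 192.168.30.0/24 to !192.168.30.1 port 53 -> 127.0.0.1
# Inbound port forward arriving over the VPN provider: 10.35.38.107:8107 -> <VPN_Host>
rdr on ovpnc1 inet proto { tcp udp } from any to 10.35.38.107 port $VPN_Inbound_Port -> $VPN_Host
# Reflection redirect
rdr on { em0.10 em0.20 em0.30 em0.40 openvpn } inet proto { tcp udp } from any to 10.35.38.107 port $VPN_Inbound_Port -> $VPN_Host
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "openvpn/*"
anchor "ipsec/*"

# Allow IPv6 on loopback
pass in quick on $loopback inet6 all tracker 1000000001 label "pass IPv6 loopback"
pass out quick on $loopback inet6 all tracker 1000000002 label "pass IPv6 loopback"
# Block all IPv6
# NOTE(review): these two quick rules match every non-loopback IPv6 packet, so
# every inet6 rule that follows them in this file (the default-deny IPv6 pair,
# the WAN and VPN_WAN "default block IPv6" rules and the VL10_MGMT "mDNS ipv6"
# pass rules) can never be reached.  Harmless, but the mDNS ipv6 rules do not
# do what their labels suggest.
block in log quick inet6 all tracker 1000000003 label "Block all IPv6"
block out log quick inet6 all tracker 1000000004 label "Block all IPv6"

# block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
# and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
# route-to can override that, causing problems such as in redmine #2073
block in log quick from 169.254.0.0/16 to any tracker 1000000101 label "Block IPv4 link-local"
block in log quick from any to 169.254.0.0/16 tracker 1000000102 label "Block IPv4 link-local"

#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
# Not "quick": a later matching pass rule overrides these.
block in log inet all tracker 1000000103 label "Default deny rule IPv4"
block out log inet all tracker 1000000104 label "Default deny rule IPv4"
block in log inet6 all tracker 1000000105 label "Default deny rule IPv6"
block out log inet6 all tracker 1000000106 label "Default deny rule IPv6"

# We use the mighty pf, we cannot be fooled.
block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000107 label "Block traffic from port 0"
block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000108 label "Block traffic to port 0"

# Snort package
block log quick from <snort2c> to any tracker 1000000109 label "Block snort2c hosts"
block log quick from any to <snort2c> tracker 1000000110 label "Block snort2c hosts"

# SSH lockout
block in log quick proto tcp from <sshguard> to (self) port 22 tracker 1000000301 label "sshguard"

# webConfigurator lockout
# NOTE(review): the lockout table name is not recoverable from the page.
block in log quick proto tcp from <GUI_LOCKOUT_TABLE_NAME_LOST_IN_EXTRACTION> to (self) port 443 tracker 1000000351 label "GUI Lockout"
block in log quick from <virusprot> to any tracker 1000000400 label "virusprot overload table"

# allow our DHCP client out to the WAN
pass in quick on $WAN proto udp from any port = 67 to any port = 68 tracker 1000000561 label "allow dhcp client out WAN"
pass out quick on $WAN proto udp from any port = 68 to any port = 67 tracker 1000000562 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof log for $WAN tracker 1000001570
antispoof log for $VL10_LAN tracker 1000002620
# allow access to DHCP server on VL10_LAN
pass in quick on $VL10_LAN proto udp from any port = 68 to 255.255.255.255 port = 67 tracker 1000002641 label "allow access to DHCP server"
pass in quick on $VL10_LAN proto udp from any port = 68 to 192.168.10.1 port = 67 tracker 1000002642 label "allow access to DHCP server"
pass out quick on $VL10_LAN proto udp from 192.168.10.1 port = 67 to any port = 68 tracker 1000002643 label "allow access to DHCP server"
antispoof log for $VL20_VPN tracker 1000003670
# allow access to DHCP server on VL20_VPN
pass in quick on $VL20_VPN proto udp from any port = 68 to 255.255.255.255 port = 67 tracker 1000003691 label "allow access to DHCP server"
pass in quick on $VL20_VPN proto udp from any port = 68 to 192.168.20.1 port = 67 tracker 1000003692 label "allow access to DHCP server"
pass out quick on $VL20_VPN proto udp from 192.168.20.1 port = 67 to any port = 68 tracker 1000003693 label "allow access to DHCP server"
antispoof log for $VL30_IOT tracker 1000004720
# allow access to DHCP server on VL30_IOT
pass in quick on $VL30_IOT proto udp from any port = 68 to 255.255.255.255 port = 67 tracker 1000004741 label "allow access to DHCP server"
pass in quick on $VL30_IOT proto udp from any port = 68 to 192.168.30.1 port = 67 tracker 1000004742 label "allow access to DHCP server"
pass out quick on $VL30_IOT proto udp from 192.168.30.1 port = 67 to any port = 68 tracker 1000004743 label "allow access to DHCP server"
antispoof log for $VL40_GUEST tracker 1000005770
# allow access to DHCP server on VL40_GUEST
pass in quick on $VL40_GUEST proto udp from any port = 68 to 255.255.255.255 port = 67 tracker 1000005791 label "allow access to DHCP server"
pass in quick on $VL40_GUEST proto udp from any port = 68 to 192.168.40.1 port = 67 tracker 1000005792 label "allow access to DHCP server"
pass out quick on $VL40_GUEST proto udp from 192.168.40.1 port = 67 to any port = 68 tracker 1000005793 label "allow access to DHCP server"
antispoof log for $VPN_WAN tracker 1000006820

# loopback
pass in on $loopback inet all tracker 1000007911 label "pass IPv4 loopback"
pass out on $loopback inet all tracker 1000007912 label "pass IPv4 loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts tracker 1000007913 label "let out anything IPv4 from firewall host itself"
pass out route-to ( em0.99 104.163.184.1 ) from 104.163.184.210 to !104.163.184.0/24 tracker 1000008011 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( ovpnc1 10.35.38.1 ) from 10.35.38.107 to !10.35.38.0/24 tracker 1000008012 keep state allow-opts label "let out anything from firewall host itself"
# NAT Reflection rules
pass in inet tagged PFREFLECT tracker 1000008331 keep state label "NAT REFLECT: Allow traffic to localhost"

# User-defined rules follow
anchor "userrules/*"
block return in log quick on $WAN reply-to ( em0.99 104.163.184.1 ) inet from any to any tracker 1589473446 label "USER_RULE: WAN: default block IPv4"
block return in log quick on $WAN inet6 from any to any tracker 1589473491 label "USER_RULE: WAN: default block IPv6"

# --- VL10_MGMT (management VLAN) ---
# NOTE(review): the first two rules are any-protocol, any-port and sit ahead of
# the port-scoped rules, so 192.168.10.50 has unrestricted access to every
# destination including the firewall itself, and every VL10 host can reach it.
# Presumably a deliberate management/jump host; worth confirming.
pass in quick on $VL10_LAN inet from 192.168.10.50 to any tracker 1591975140 keep state label "USER_RULE: VL10_MGMT: Allow ubuntu to any"
pass in quick on $VL10_LAN inet from any to 192.168.10.50 tracker 1591976150 keep state label "USER_RULE: VL10_MGMT: Allow any to ubuntu"
# Anti-lockout: $Admin_Ports includes 80, i.e. the GUI is also admitted over plain HTTP from this VLAN.
pass in quick on $VL10_LAN inet proto { tcp udp } from 192.168.10.0/24 to 192.168.10.1 port $Admin_Ports tracker 1589504868 keep state label "USER_RULE: VL10_MGMT: Antilockout"
pass in quick on $VL10_LAN inet proto udp from any to 224.0.0.251 port 5353 tracker 1612902692 keep state label "USER_RULE: VL10_MGMT: mDNS ipv4 5353"
pass in quick on $VL10_LAN inet proto udp from any to 224.0.0.251 port 1900 tracker 1612902726 keep state label "USER_RULE: VL10_MGMT: mDNS ipv4 1900"
# (unreachable: all inet6 is dropped by "Block all IPv6" above)
pass in quick on $VL10_LAN inet6 proto udp from any to ff02::fb port 5353 tracker 1612902123 keep state label "USER_RULE: VL10_MGMT: mDNS ipv6 5353"
pass in quick on $VL10_LAN inet6 proto udp from any to ff02::fb port 1900 tracker 1612902640 keep state label "USER_RULE: VL10_MGMT: mDNS ipv6 1900"
pass in quick on $VL10_LAN inet proto tcp from any to $Google_Devices port 8007 >< 8010 tracker 1612903125 flags S/SA keep state label "USER_RULE: VL10_MGMT: Access to VL30 ChromeCast devices port..."
pass in quick on $VL10_LAN inet proto tcp from any to $Google_Devices port 8443 tracker 1612903303 flags S/SA keep state label "USER_RULE: VL10_MGMT: Access to VL30 Chromecast devices port..."
pass in quick on $VL10_LAN inet proto icmp from 192.168.10.0/24 to any icmp-type echoreq tracker 1589505111 keep state label "USER_RULE: VL10_MGMT: Allow ICMP"
# Destinations are 127.0.0.1 because the rdr rules above rewrite NTP/DNS before filtering.
pass in quick on $VL10_LAN inet proto udp from 192.168.10.0/24 to 127.0.0.1 port 123 tracker 1589577466 keep state label "USER_RULE: NAT VL10_MGMT: NTP redirect"
pass in quick on $VL10_LAN inet proto { tcp udp } from 192.168.10.0/24 to 127.0.0.1 port 53 tracker 1589577679 keep state label "USER_RULE: NAT VL10_MGMT: DNS redirect"
pass in quick on $VL10_LAN inet proto { tcp udp } from 192.168.10.0/24 to $Local_Subnets port $Allowed_OUT_Ports_VLANs tracker 1589578420 keep state label "USER_RULE: VL10_MGMT: Allow traffic to local subnets"
pass in quick on $VL10_LAN inet proto { tcp udp } from 192.168.10.0/24 to ! $Local_Subnets port $Allowed_OUT_Home_Ports_WAN tracker 1589578581 keep state label "USER_RULE: VL10_MGMT: Allow home traffic to WAN"
pass in quick on $VL10_LAN inet proto { tcp udp } from 192.168.10.0/24 to ! $Local_Subnets port $Allowed_OUT_Work_Ports_WAN tracker 1591976563 keep state label "USER_RULE: VL10_MGMT: Allow work traffic to WAN"
block return in log quick on $VL10_LAN inet from 192.168.10.0/24 to any tracker 1589661733 label "USER_RULE: VL10_MGMT: default block IPv4"
# source address is empty.
# NOTE(review): the generator emitted no IPv6 default-block rule for this
# interface (no IPv6 address to build it from) and left only the label
# fragment below, which is not a valid rule on its own.  Kept as a comment;
# IPv6 is already dropped by "Block all IPv6" near the top of the file.
# label "USER_RULE: VL10_MGMT: default block IPv6"

# --- VL20_VPN (VLAN that should egress through the OpenVPN client) ---
# NOTE(review): only the "Pass VPN_WAN" rule carries $GWVPN_WAN.  ICMP echo
# (next rule) has no route-to, so it follows the default route out of $WAN and
# is NATed to the real WAN address.  Add " $GWVPN_WAN" to that rule, or drop
# it, if VL20 must never touch the plain WAN.
pass in quick on $VL20_VPN inet proto icmp from 192.168.20.0/24 to any icmp-type echoreq tracker 1591985355 keep state label "USER_RULE: VL20_VPN: Allow ICMP"
pass in quick on $VL20_VPN inet proto udp from 192.168.20.0/24 to 127.0.0.1 port 123 tracker 1591985604 keep state label "USER_RULE: NAT VL20_VPN: NTP redirect"
pass in quick on $VL20_VPN inet proto { tcp udp } from 192.168.20.0/24 to 127.0.0.1 port 53 tracker 1591985660 keep state label "USER_RULE: NAT VL20_VPN: DNS redirect"
pass in quick on $VL20_VPN inet proto { tcp udp } from 192.168.20.0/24 to $Local_Subnets port $Allowed_OUT_Ports_VLANs tracker 1591986323 keep state label "USER_RULE: VL20_VPN: Pass approved LAN"
pass in quick on $VL20_VPN $GWVPN_WAN inet proto { tcp udp } from 192.168.20.0/24 to ! $Local_Subnets port $Allowed_OUT_Home_Ports_WAN tracker 1591986421 keep state label "USER_RULE: VL20_VPN: Pass VPN_WAN"
block return in log quick on $VL20_VPN inet from 192.168.20.0/24 to any tracker 1591986623 label "USER_RULE: VL20_VPN: default block IPv4"
# source address is empty.
# (see the VL10_MGMT note: no IPv6 rule was generated; fragment kept as a comment)
# label "USER_RULE: VL20_VPN: default block IPv6"

# --- VL30_IOT ---
# (self) covers every firewall address, so the admin ports are refused on
# the WAN/VPN addresses too.  NOTE(review): those addresses are outside
# <Local_Subnets>, so any *other* service listening on them is reachable
# from this VLAN via the "Pass WAN" rule; confirm nothing else listens there.
block return in quick on $VL30_IOT inet proto { tcp udp } from 192.168.30.0/24 to (self) port $Admin_Ports tracker 1591991001 label "USER_RULE: VL30_IOT: Reject pfsense admin interfaces"
pass in quick on $VL30_IOT inet proto icmp from 192.168.30.0/24 to any icmp-type echoreq tracker 1591990972 keep state label "USER_RULE: VL30_IOT: Pass ICMP"
# NOTE(review): dead rule.  The em0.30 rdr above rewrites every port-53
# destination other than 192.168.30.1 to 127.0.0.1 before filtering, so no
# packet ever reaches the filter with destination 8.8.8.8:53; the redirected
# DNS is passed by "Pass WAN" instead (127.0.0.1 is not in <Local_Subnets>).
pass in quick on $VL30_IOT inet proto tcp from 192.168.30.0/24 to 8.8.8.8 port 53 tracker 1607978263 flags S/SA keep state label "USER_RULE: VL30_IOT: Allow Chromecast access Google DNS"
pass in quick on $VL30_IOT inet proto udp from 192.168.30.0/24 to 224.0.0.251 port 5353 tracker 1607977986 allow-opts keep state label "USER_RULE: VL30_IOT: Allow mDNS broadcast"
pass in quick on $VL30_IOT inet proto { tcp udp } from 192.168.30.0/24 to 192.168.30.0/24 tracker 1607986647 keep state label "USER_RULE: VL30_IOT: Allow traffic within VLAN"
# NOTE(review): unrestricted TCP/UDP egress for IoT devices (no port list);
# see the Allowed_IoT_VLAN_OUT_Ports alias, which appears intended for this rule.
pass in quick on $VL30_IOT inet proto { tcp udp } from 192.168.30.0/24 to ! $Local_Subnets tracker 1591990939 keep state label "USER_RULE: VL30_IOT: Pass WAN"
block return in log quick on $VL30_IOT inet proto { tcp udp } from 192.168.30.0/24 to $Local_Subnets tracker 1591990907 label "USER_RULE: VL30_IOT: Reject any local traffic"
# source address is empty.
# (see the VL10_MGMT note: no IPv6 rule was generated; fragment kept as a comment)
# label "USER_RULE: VL30_IOT: Default reject IPv6"
block return in log quick on $VL30_IOT inet from 192.168.30.0/24 to any tracker 1591990886 label "USER_RULE: VL30_IOT: Default reject IPv4"

# --- VL40_GUEST ---
# Same shape as VL30_IOT; the (self)/<Local_Subnets> note above applies here too.
block return in quick on $VL40_GUEST inet proto { tcp udp } from 192.168.40.0/24 to (self) port $Admin_Ports tracker 1591987874 label "USER_RULE: VL40_GUEST: Reject pfsense admin interfaces"
pass in quick on $VL40_GUEST inet proto icmp from 192.168.40.0/24 to any icmp-type echoreq tracker 1591988190 keep state label "USER_RULE: VL40_GUEST: Pass ICMP"
pass in quick on $VL40_GUEST inet proto { tcp udp } from 192.168.40.0/24 to ! $Local_Subnets tracker 1591988534 keep state label "USER_RULE: VL40_GUEST: Pass WAN"
block return in log quick on $VL40_GUEST inet proto { tcp udp } from 192.168.40.0/24 to $Local_Subnets tracker 1591988590 label "USER_RULE: VL40_GUEST: Reject any local traffic"
block return in log quick on $VL40_GUEST inet from 192.168.40.0/24 to any tracker 1591988658 label "USER_RULE: VL40_GUEST: Default reject IPv4"
# source address is empty.
# (see the VL10_MGMT note: no IPv6 rule was generated; fragment kept as a comment)
# label "USER_RULE: VL40_GUEST: Default reject IPv6"

# --- VPN_WAN (OpenVPN client uplink) ---
# Inbound forward from the VPN provider to <VPN_Host>:8107 (TCP and UDP).
# Logged; replies are pinned to the VPN gateway with reply-to.
pass in log quick on $VPN_WAN reply-to ( ovpnc1 10.35.38.1 ) inet proto { tcp udp } from any to $VPN_Host port $VPN_Inbound_Port tracker 1631732658 keep state label "USER_RULE: VPN_WAN: airvpn port forward"
block return in log quick on $VPN_WAN reply-to ( ovpnc1 10.35.38.1 ) inet from any to any tracker 1591990263 label "USER_RULE: VPN_WAN: default block IPv4"
block return in log quick on $VPN_WAN inet6 from any to any tracker 1591990244 label "USER_RULE: VPN_WAN: default block IPv6"

# VPN Rules
anchor "tftp-proxy/*"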