configure

# Define firewall rules for WAN zone
set firewall name wan default-action drop

# Allow established and related
set firewall name wan rule 10 action accept
set firewall name wan rule 10 description established
set firewall name wan rule 10 state established enable
set firewall name wan rule 10 state related enable

# Drop invalid
set firewall name wan rule 20 action drop
set firewall name wan rule 20 description invalid
set firewall name wan rule 20 state invalid enable

# Rules 30 - 60 are for VPN
set firewall name wan rule 30 action accept
set firewall name wan rule 30 description ike
set firewall name wan rule 30 destination port 500
set firewall name wan rule 30 log disable
set firewall name wan rule 30 protocol udp
set firewall name wan rule 40 action accept
set firewall name wan rule 40 description esp
set firewall name wan rule 40 log disable
set firewall name wan rule 40 protocol esp
set firewall name wan rule 50 action accept
set firewall name wan rule 50 description nat-t
set firewall name wan rule 50 destination port 4500
set firewall name wan rule 50 log disable
set firewall name wan rule 50 protocol udp
set firewall name wan rule 60 action accept
set firewall name wan rule 60 description l2tp
set firewall name wan rule 60 destination port 1701
set firewall name wan rule 60 ipsec match-ipsec
set firewall name wan rule 60 log disable
set firewall name wan rule 60 protocol udp

# Rule 70 is to allow the web server to be accessible from the public Internet
set firewall name wan rule 70 action accept
set firewall name wan rule 70 description web
set firewall name wan rule 70 destination port 443
set firewall name wan rule 70 log disable
set firewall name wan rule 70 protocol tcp

# Allow everything on the LAN
set firewall name lan default-action accept

# Allow everything on the PPPoE network (assumes another router is there)
set firewall name pppoe default-action accept

# Allow local traffic to the EdgeRouter
set firewall name local default-action accept

# Allow VPN traffic
set firewall name vpn default-action accept

# Define rules that apply to VPN destined for LAN
set firewall name vpn-lan default-action drop

# Define rules that apply to VPN destined for LOCAL (just allow DHCP/DNS)
set firewall name vpn-local default-action drop
set firewall name vpn-local rule 10 action accept
set firewall name vpn-local rule 10 description dhcp
set firewall name vpn-local rule 10 log disable
set firewall name vpn-local rule 10 protocol udp
set firewall name vpn-local rule 10 destination port 67
set firewall name vpn-local rule 20 action accept
set firewall name vpn-local rule 20 description dns
set firewall name vpn-local rule 20 log disable
set firewall name vpn-local rule 20 protocol tcp_udp
set firewall name vpn-local rule 20 destination port 53

# Define rules that apply to VPN destined for WAN
set firewall name vpn-wan default-action accept

# Define rules that apply to GUEST destined for LAN
set firewall name guest-lan default-action drop
set firewall name guest-lan rule 10 action accept
set firewall name guest-lan rule 10 description established
set firewall name guest-lan rule 10 log disable
set firewall name guest-lan rule 10 protocol all
set firewall name guest-lan rule 10 state established enable
set firewall name guest-lan rule 10 state related enable

# Define rules that apply to GUEST destined for LOCAL (just allow DHCP/DNS)
set firewall name guest-local default-action drop
set firewall name guest-local rule 10 action accept
set firewall name guest-local rule 10 description dhcp
set firewall name guest-local rule 10 log disable
set firewall name guest-local rule 10 protocol udp
set firewall name guest-local rule 10 destination port 67
set firewall name guest-local rule 20 action accept
set firewall name guest-local rule 20 description dns
set firewall name guest-local rule 20 log disable
set firewall name guest-local rule 20 protocol tcp_udp
set firewall name guest-local rule 20 destination port 53

# Define rules that apply to GUEST destined for WAN
set firewall name guest-wan default-action accept

# Create zone policy for WAN and assign to ETH0 interface
set zone-policy zone wan default-action drop
set zone-policy zone wan from local firewall name local
set zone-policy zone wan from lan firewall name lan
set zone-policy zone wan from pppoe firewall name pppoe
set zone-policy zone wan from vpn firewall name vpn-wan
set zone-policy zone wan from guest firewall name guest-wan
set zone-policy zone wan interface eth0

# Create zone policy for LAN and assign to ETH1 interface
set zone-policy zone lan default-action drop
set zone-policy zone lan from local firewall name local
set zone-policy zone lan from wan firewall name wan
set zone-policy zone lan from vpn firewall name vpn-lan
set zone-policy zone lan from guest firewall name guest-lan
set zone-policy zone lan interface eth1

# Create zone policy for PPPoE and assign to PPPOES+ interface
# Note that pppoes+ is a wildcard for all pppoes interfaces.
# They are created when a connection is made, and you will get a
# warning if you try to apply it when no connection is made.
# This warning is benign because no connection has been made yet at this point.
set zone-policy zone pppoe default-action drop
set zone-policy zone pppoe from local firewall name local
set zone-policy zone pppoe from wan firewall name wan
set zone-policy zone pppoe from vpn firewall name vpn-lan
set zone-policy zone pppoe from guest firewall name guest-lan
set zone-policy zone pppoe interface pppoes+

# Create zone policy for GUEST and assign to ETH2 interface
set zone-policy zone guest default-action drop
set zone-policy zone guest from local firewall name local
set zone-policy zone guest from wan firewall name wan
set zone-policy zone guest from lan firewall name lan
set zone-policy zone guest from vpn firewall name vpn
set zone-policy zone guest interface eth2

# Create zone policy for LOCAL and assign to the local-zone (the router itself)
set zone-policy zone local default-action drop
set zone-policy zone local from wan firewall name wan
set zone-policy zone local from lan firewall name lan
set zone-policy zone local from pppoe firewall name pppoe
set zone-policy zone local from vpn firewall name vpn-local
set zone-policy zone local from guest firewall name guest-local
set zone-policy zone local local-zone

# Create zone policy for VPN and assign to l2tp+ interface
# Note that l2tp+ is a wildcard for all l2tp interfaces.
# They are created when a connection is made, and you will get a
# warning if you try to apply it when no connection is made.
# This warning is benign because no connection has been made yet at this point.
# The wildcard is needed since, if there is more than one l2tp connection,
# they will be assigned l2tp0, l2tp1, l2tp2, etc. and you want this zone
# to apply to all of them.
set zone-policy zone vpn default-action drop
set zone-policy zone vpn from local firewall name local
set zone-policy zone vpn from wan firewall name wan
set zone-policy zone vpn from lan firewall name lan
set zone-policy zone vpn from vpn firewall name vpn
set zone-policy zone vpn interface l2tp+

# Commit (make active), Save (save so it survives a reboot), Exit
# If you just want to test this so you can roll back if it all goes bad,
# then just do the commit step and remove "; save ; exit"
commit ; save ; exit
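With six zones, the effective source-to-destination matrix is easy to misread, and a pair with no `from` entry silently falls back to the destination zone's default-action. The following audit script is an added example (not part of the original post or of EdgeOS): it parses `set firewall name` and `set zone-policy zone` commands and gives one verdict per zone pair. The embedded CONFIG is a constructed excerpt of the commands above, and treating an unset default-action as drop is an assumption.

```python
import re
from collections import defaultdict
# Constructed excerpt of the commands above; in practice feed it "show configuration commands" output (assumption).
CONFIG = """
set firewall name wan default-action drop
set firewall name wan rule 70 action accept
set firewall name lan default-action accept
set firewall name guest-lan default-action drop
set firewall name guest-lan rule 10 action accept
set firewall name guest-lan rule 10 state established enable
set zone-policy zone wan default-action drop
set zone-policy zone wan from lan firewall name lan
set zone-policy zone lan from wan firewall name wan
set zone-policy zone lan from guest firewall name guest-lan
set zone-policy zone guest from lan firewall name lan
"""
RULE_RE = re.compile(r"^set firewall name (\S+) (?:default-action (\S+)|rule (\d+) (.+))$")
ZONE_RE = re.compile(r"^set zone-policy zone (\S+) (?:default-action (\S+)|from (\S+) firewall name (\S+))$")
def parse(text):
    """Rule sets and zone policies; an unset default-action is taken as drop (EdgeOS default, assumed)."""
    rulesets = defaultdict(lambda: ["drop", defaultdict(dict)])  # name -> [default, {rule#: {key: value}}]
    zones = defaultdict(lambda: ["drop", {}])                   # zone -> [default, {src_zone: rule set}]
    for line in text.splitlines():
        if m := RULE_RE.match(line.strip()):
            name, default, num, rest = m.groups()
            if default: rulesets[name][0] = default
            else:
                key, _, value = rest.partition(" ")            # "state established enable" -> key "state"
                rulesets[name][1][int(num)][key] = value
        elif m := ZONE_RE.match(line.strip()):
            zone, default, src, rs = m.groups()
            if default: zones[zone][0] = default
            else: zones[zone][1][src] = rs
    return rulesets, zones
def audit(text):
    """One verdict per (src_zone, dst_zone) pair, the way a reviewer would scan the zone matrix."""
    rulesets, zones = parse(text)
    verdicts = {}
    for dst, (zdefault, froms) in zones.items():
        for src in (s for s in zones if s != dst):
            rs = froms.get(src)
            if rs is None:  # no "from" entry: the destination zone's own default-action applies
                verdicts[(src, dst)] = f"no policy: zone default-action {zdefault}"
                continue
            default, rules = rulesets[rs]
            accepts = [r for r in rules.values() if r.get("action") == "accept"]
            verdicts[(src, dst)] = (f"open ({rs} default-action accept)" if default == "accept"
                else f"return traffic only ({rs})" if accepts and all("state" in r for r in accepts)
                else f"filtered ({rs}: {len(accepts)} accept rule(s))")
    return verdicts
```

Run it against the full configuration and look for pairs reported as "open" or "no policy" that you did not intend, since those are the paths a compromised guest or VPN client would use.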