From 473d7aa05a512df75c15380d5c9db5aa3e2c8917 Mon Sep 17 00:00:00 2001
From: Gregor Michels
Date: Wed, 18 Jan 2023 00:35:25 +0100
Subject: [PATCH] sax-rgs-gw-core01: add laundering client network

v4 works, v6 is still a work in progress

launder:
* v4 through mullvad
* v6 through mowoe
---
 password-store/wg/wg4/core.mowoe.com.pub.gpg | Bin 0 -> 1681 bytes
 password-store/wg/wg4/sax-rgs-gw-core01.gpg  | Bin 0 -> 1677 bytes
 password-store/wg/wg5/mullvad.pub.gpg        | Bin 0 -> 1645 bytes
 password-store/wg/wg5/sax-rgs-gw-core01.gpg  | Bin 0 -> 1645 bytes
 .../sax-rgs-gw-core01/etc/config/dhcp        | 16 ++++++
 .../sax-rgs-gw-core01/etc/config/firewall    | 36 ++++++++++++++
 .../sax-rgs-gw-core01/etc/config/network     | 46 ++++++++++++++++++
 .../sax-rgs-gw-core01/etc/iproute2/rt_tables | 13 +++++
 8 files changed, 111 insertions(+)
 create mode 100644 password-store/wg/wg4/core.mowoe.com.pub.gpg
 create mode 100644 password-store/wg/wg4/sax-rgs-gw-core01.gpg
 create mode 100644 password-store/wg/wg5/mullvad.pub.gpg
 create mode 100644 password-store/wg/wg5/sax-rgs-gw-core01.gpg
 create mode 100644 templates/gateways/sax-rgs-gw-core01/etc/iproute2/rt_tables
diff --git a/password-store/wg/wg4/core.mowoe.com.pub.gpg b/password-store/wg/wg4/core.mowoe.com.pub.gpg new file mode 100644 index 0000000000000000000000000000000000000000..19ec1e0fb946b2165503cf4b021b8c578183e553 GIT binary patch literal 1681 zcmV;C25$L<0gMAuv2e?Nuf@Ru3;$Z8j&1N%W^Ltk!@`S}dEX$~mq{=3w4u}1M_Bg{ z;LXLZD>E!WH-fyx-@f8wR~{lz8z0jmi^Q>PF0gh_XBV`mud;GWW5CW|H*u<$EL>t? z-=+#_DxQ2)+PqaA{x2AtDVmV}MsNmt=co`vPNHsi5D`MC62d=ODH8@nN9j>N0Nrme zOG9xotL);c-N-A@SMw9Ohv_ND-m_Yiqo`UKi$kxy2}}oi`gRM-z>IQ)woo3Z`Hhg1 zVeLR6ZlP5?r>?Zw3|Qv~PI?O(t%O9$A+y{$V<&*))Y>kjVD=Nw2;gl9J3dLLn5}0> zl{(7tpEN?KQ4uJcr2sMyXS!2E{t6&XERVM{QhAir?ISKu?vADwFQ%)=K!-wbDO&0pWtiePrwCA!BY_%v~S?dyA739H5C?`kRFU30LiWrCOo_Ol92CJIP2-b88bzIVx76q*zDl|km>pLrMg7xgwY$^gu#gsW z!4V%cIJIOfakxP*0DgOud^x}AC>n9Jyo(?mxNm+VzWAtoA+4J%rMoWC{*`HBaKrqw zw2ynQHuGA76bBYe1K0v~F!OvMrIGVZt{y1oEQe1}Z_;+zl&FRzL%}RS5UUJue9!Kn zPLFR~aaOc5^Kq7CFM&;!CQ>?>2OzpASG{)Z`9l20?AS$X`SnXuf97p7pB(>UJI#0> z@CDKmDq;jb7sSPyvT4D`9>C8?20usE64nzw>3Bh>esixeF2t0Mh#u(%Iv+Fq7+`h^ zy@m9H@8U`pV7U$7S+$s&*iwJf1hnpHN}(|1aC0Y17D7n-;`sQeX9m9j3~i)4mTe2l z^A>A7fJ%-8-EDSn^E-M@@t`^ju*?nd?ZEwQt`cce>La5qbB!^@ilU6~?p|bn@+b^e*fzQUgJIzNW-ZHMhQSdm}?nf{av4<08)d zRrcjX9eZs>5V~sR6d!%N)q7QF>1TGh{D05nF z_*y30txpa_HS_AgBz|b*Ss4$*URh%V-7{fh)DAqtOU(O#qt5zuRO{d}&`-UP2;SrB z-1L|T%l&=}vr7dL20xsa0-?Bu$@fzuk{?oE7Q0epp)!G($OVcK1eaJ9RnQ;Q1+~ZA zhDty~KpPDZ=c|zqrZB!o7k!daIMWf8!RLtgBUKIkM{PT@OO3tD8#;cryT#-Cl3K$@ z=_g@lCA8(YJv3UB7>nMAXSkT}nij$a_Yod|Jw8r59>*X%^Jd?@5G6~!BqXIl zRvl_*o20@*zQ^wbX17OisP1jH1KnTWjzFvW4!vqZ&Bt^Y*ISl;&qp`rBZMnWC1GtK z507~-DR<@NihA;sP5WN{;t4YcqHaLJ4nZ-W;(YE8`>9q+*8`j(t_bKA-6K-51qSN89WJw2YN!AB)F=SVZo{V0p^WRz&-lXNN_^{(_WMMn_-WAo#-&DV=mgRuEVKzpD z8GmTd`VI5J)}*S1*0M=(B4&4K7>h3?X{#|-)UJQLYMh?Sm>d9tGik!mf2jJq? 
z^gya%w~t0)dlGEjMxNAMSl4O-=H%`L8VtB_S5vkVG@F5~02RcpNwL}?$ZFqbIgST3-q9w)@oHQ*>mjolkb z`l`n3@;c%!g+k=EuQ{!IehI+dzKenuXduz!5YJ?EtAkDB9r=lKNXu;@prk-~Q6o&( zmKjrZ=v0(z7e%Y~4%DhsHAD2fXD43|S4wTQyb#$m&uSxz%qTkEDO{p_KOXHs>lfaa z^eP!55kJAkH)zIakbW{JSt{jZOOiu^*3cJFmAK(GdzaJuze{9B2*EN znNMzcoYKBnYFvC{Lt;jPw8Z_S530eTCf;nFZ#nrcl^P()mr`A*QwZ(#opJobH-ugT z472IsUB_Hf5&;K5MH9|k4Agrs2m1iIARCL{C-*?U9)N17f1kL7Yn-aj zw+ild2|c$#^PczK&ZLr)&_o#Ib$QBT@5_c;5w0&i(dhz8yzJHjD}@3K1E0ZPC02X0 z!T}HeM%!gK(HnaFb%2+r?)E00VP(Y)JK+qKOmqo(VvPjE_-jhYStxR{0JS&$5G!d= zP4NJtBJcpRKX0u)U@g~-3s9H8V3U!69ecSV&S10vd;lm#%Szwq`#01~_4g*OQbh#! z=u|l-9Ba;CmvlsSCX%7V+1rEz2bi9uV}Ks~+~a`Jmb(!v*&6(uliW0W=PEEW^~h-Y z16<$(JYO1&3A6XO5l{m4B!-^1{|za7rh1HB&Jo&C%&#Ffj+p4%PoE5v$Oe4*9egqW z)ob%uW=HHxf7)5jx7#U0@zy$ZWs6I8UgWOE-bV^+CCTjm3yWgnS4#Ib+`f$eACita z&;FE?f9c?!e80-p!HH|GzCe`R^4E?L-!evLt=-E ziMwP`Z5y-vw^e>I2x!c;kAZ0iBM**`v$_@ucK5l6}|1szcfbNFFCBI$q?j{ zHm!Z>`|js XO`nQ;Dv-It67xu+t0~R3LveDrX*xB0dKNwZH^( zo6&zX$`bOuMbmn5@1N6S1wc2AGj5C$rsBEIRX#joSn9!&f2r+9P5=Yo1<=2pO8&h#=T2p+s*2GXzZ&cCyX&v7Gtdvrh zu$li`>uS`Hg%{aRT!HSF@63X&WR~&82;iS)G}eeyoePjnQ>4G_wBZWl3D8F5>ma-na#KloB z9;%K>+%wM6Zd$e%HIdKC-OB=&#gy*vTnPL1@P(&X_w!$ICg+B0Ddi^9Ct-_Y4?c6% z8FNa%p!)fHck;&PH6y#h1+`P(K?d*IiFzKIZALhrl-m_pFyo+XQju>C_qZTS{gJ?- zxj2O~<+VjS0Nc`oGX?5vu+fJZ>}sk;JpGTSqT9^Od%eW8ntDk}@)?B!3C^26^?TFqDk6-_d(DiEcb7KU_Kr-wb=?}o(BWk?Ec@LN) z1?}4ouf^YOo-Xz~+4C*spv@dP4{l$S4MpO@Ewm+)E7ajQsyt6c$rUQR8nf_n`$pU3oqHb%W8VOk)t-xwS$;-Vo8)EDT1ND;u&!p5@PxF0BMht|&e-%eo zr|hQitHaqt&BT>GVb6(N${wxvxeeShb*L~?drE%opZ+Y;Hdmg$J@cEljj`05ar~fR z5Xa_A5iyi!`<9A5llN3+1jI`b_W0%YwEe_Q0T24&NJD>;~!bjAoU_ed?;GR;s;%U`#cHn)hKcsBdtk-3Jp|&dMH`twZ0qk^x*f<=gD_1i8zMgWSuJ=X_4=o-SQYSuiWPlR| z+o=?A_kv?eoO2dyXJc=ys%2y+ivd#JQyxCFjYVisT7maNoFiYwy~Ci#0!L>;U4&i( z472IsUB_Hf5&;K5Tl!kb|2#j}YfT#OKip?tOiX$|+E|`1^~M>38TGYU8GZ?t3<(Fa)3^JgHH88U1E0ZPC02X0 z!T}HdH3a6@iSUGjFgyJxcTBf2gwOdaEumA6k&wT3AI#p%{X1&S#E_?8vF9hApQZ^% zSwcJH`}Uas3o$R*F&2j8Ojpm3Hu+21Mk@uuh@=Y6r&MmH>ega017K2aO{jqn-gK8O~^d;^jeu|n5?dy 
zTE#+0Xkr0krcy4Z^SPB2s0%cOjBl;xykVB5E)P;S4|$S#!unV6CKVZknQXQ$7Q!7S z=TKapPH8RigaEzJXube$ii*~Xe}mdom?3%1QmrxESV^uT*Px8>&vx)5;Z`T^zHK=e z6-*DKD3GlmuQQB7g<()n(nc9<#pzs1MC=wSsV^|V4`>l(3GEuaOirnbIfBP1s)1_J zsz~MHQ9bF63tp511CdyMuQ6?pfhHAb*o0~um{NFm^Ew?v2GITz_lI|T3$t={If{x= zwn~|PhIL&!yV}e;iZp*Iqw&Y!V%zjk&_#3RXuzf^k#WU6RhT+|`+=+^Cd$g`P5U8A z9yj)^1tB%>svuio0r^IZh)d3iKuak(1LpJ#Yw%@T%<_HpOT;;N8!y@qbgwqW`n r%I>ZJ=0BseN-jFVJ5j(^FjFDd*pC>UwA?%7*INa*0Y!%^{;IPviC#3z literal 0 HcmV?d00001 diff --git a/password-store/wg/wg5/sax-rgs-gw-core01.gpg b/password-store/wg/wg5/sax-rgs-gw-core01.gpg new file mode 100644 index 0000000000000000000000000000000000000000..727efe8992689777691bfebde3bd3fcc19a2fd10 GIT binary patch literal 1645 zcmV-z29o)O0gMAuv2e?Nuf@Ru3;@3(4l~LYPd~F1_L)}BW2b#J~J_ij~Xfw?At-fHyV9%164^75QGM`C=5I3(tu3fB*FrWbYhTc%vPFvB~^+ct|o za01vs?BuVd;VLzYMnxq@d!cd)>>L(yfsamv=ETEXol?K$%t+t~E;W1*Lq~6MG4u-l zr;aBxB9B`rC2{6j+k$$N|CuW9JqUl@M*CI3R86I}=ue4VOM)b|_9^Ei1!O?3Inyo~2CdK9yF6cW_Uc zGHf^Hz#C78+IJ_N4?=UdErAT%u7Z(UT#t#+s_E^9)q^-~W)pBii1}i;+hZ2!T-$Ig z@$F^qX8&fZbO7$%P+l1i)}NZvq*)f!ptE@a2HfgsX!)>PJE@>Y38Cg<@IRiu(I0AQ zj*lj^V3A{m_Z1@RosJT3MpO;(Iz`~xa)!t6s-h2mEZO}ePRrs^50jz(_a%x=^)2ds zs?oRFh@i?&zoO?Kj|{C7ZT&NgrYGiVi~JyUW5h~Gsohzskvma72l0f!f{7-reg$V7 zu#^p3p1ha-Ltj?I&LI3`;kel=b+HTn;sC8K1P$EZvLw!`Md;N0{NFzw!mxv($JmPm&YwaiM+l%k+901Ww*_L*UM1=wj1E0ZPC02X0 z!T}HfgB-JcOU5J8F$#F#YHqo?CpY|lh9=gEcxQzcvSQMvNm zvkoukUqL%0xC^(f6X2G3!`n(kEOu)o+7w<*mnkvPX?4m%@+R;spk+?UqZnf-R7d#L%ud#&%|{HJ@-@B}Wj%bt4GS?sw6pdl zLf=48gMNC$_ML6JyW8GPBhycv+jypSBEpu z%W*&dc-N;ElU}01;K;Mn8BB@XvU}uErP^o+2lp`2-2FQ>(V7ys&Nmf_ij%nr%I?mD z4&AVs=E~*Ro7s=J%ieAz;J(C|a@%O{U}G#~`hO4G?d8E)gR$B)!UhUH)vhP`AAn`= zS!rSQ6&0IHqf7fqsXZa(&i{lBCryr@8@tcfXQ$_O9{A`NRc2Ip3gz&|_xfsEO>q_H zi*Y>x!#+bpYNA2p(|~B1R>+-~i%{ z9_pw%E>eAZ52^1X{W%E83HwVJ54)y*DA@sqkF^8+KiRhiS4df*s!n@jj)-<<4IpFK_s&@(p~|+ zFB_h>s;DTqg}~wpaAYNld3ieF04^KpZugpvK0JDOWdVVe}x7 literal 0 HcmV?d00001 
diff --git a/templates/gateways/sax-rgs-gw-core01/etc/config/dhcp b/templates/gateways/sax-rgs-gw-core01/etc/config/dhcp index 7cb176a..922ba79 100644 --- a/templates/gateways/sax-rgs-gw-core01/etc/config/dhcp +++ b/templates/gateways/sax-rgs-gw-core01/etc/config/dhcp @@ -30,6 +30,22 @@ config dhcp 'mgmt' list ra_flags 'managed-config' list ra_flags 'other-config' +config dhcp 'clients' + option interface 'clients' + # from: 10.86.4.2 + # to: 10.86.7.254 + # start: 2 + # limit: 1020 + option start '2' + option limit '1020' + option leasetime '12h' + option dhcpv4 'server' + option dhcpv6 'server' + option ra 'server' + option ra_slaac '1' + list ra_flags 'managed-config' + list ra_flags 'other-config' + config dhcp 'backoffice' option interface 'backoffice' option start '100' diff --git a/templates/gateways/sax-rgs-gw-core01/etc/config/firewall b/templates/gateways/sax-rgs-gw-core01/etc/config/firewall index 2d82ed3..dc51b8d 100644 --- a/templates/gateways/sax-rgs-gw-core01/etc/config/firewall +++ b/templates/gateways/sax-rgs-gw-core01/etc/config/firewall @@ -13,6 +13,13 @@ config zone option output ACCEPT option forward REJECT +config zone + option name clients + list network clients + option input REJECT + option output ACCEPT + option forward REJECT + config zone option name backoffice list network 'backoffice' @@ -20,6 +27,20 @@ config zone option output ACCEPT option forward REJECT +config zone + option name launder + list network wg4 + list network wg5 + option input REJECT + option output ACCEPT + option forward REJECT + option masq 1 + option mtu_fix 1 + +config forwarding + option src clients + option dest launder + config zone option name backbone list network wg3 
@@ -27,6 +48,21 @@ config zone option output ACCEPT option forward REJECT + config rule + option name CLIENTS_Allow-DHCP + option src clients + option proto udp + option dest_port 67-68 + option target ACCEPT + option family ipv4 + +config rule + option name CLIENTS_Allow-DNS + option src clients + option proto udp + option dest_port 53 + option target ACCEPT + config rule option name From-BACKBONE-Allow-OSPF option src backbone diff --git a/templates/gateways/sax-rgs-gw-core01/etc/config/network b/templates/gateways/sax-rgs-gw-core01/etc/config/network index 99bce33..13a2916 100644 --- a/templates/gateways/sax-rgs-gw-core01/etc/config/network +++ b/templates/gateways/sax-rgs-gw-core01/etc/config/network @@ -71,6 +71,12 @@ config interface 'wan6' option device 'switch.3' option proto 'dhcpv6' +config interface 'clients' + option device 'switch.2' + option proto 'static' + option ipaddr '10.86.4.1' + option netmask '255.255.252.0' + config interface 'backoffice' option device 'switch.8' option proto 'static' 
@@ -93,3 +99,43 @@ config wireguard_wg3 'eap_adp_jump01' option route_allowed_ips '0' option persistent_keepalive 15 list allowed_ips '0.0.0.0/0' + +config interface 'wg4' + option proto 'wireguard' + option private_key "{{ lookup('passwordstore', 'wg/wg4/sax-rgs-gw-core01') }}" + list addresses 'fe80:2131:27:189::2/64' + option disabled '0' + +# routes 2a0e:8f02:f000:2e61::1/64 to the link-local of wg4 +config wireguard_wg4 'core_mowoe_com' + option public_key "{{ lookup('passwordstore', 'wg/wg4/core.mowoe.com.pub') }}" + option endpoint_host 'core.mowoe.com' + option endpoint_port '51821' + option route_allowed_ips '0' + option persistent_keepalive 15 + list allowed_ips '::/0' + +config interface 'wg5' + option ip4table 'launder' + option proto 'wireguard' + option private_key "{{ lookup('passwordstore', 'wg/wg5/sax-rgs-gw-core01') }}" + list addresses '10.67.171.28' + option disabled '0' + +config wireguard_wg5 'mullvad' + option public_key "{{ lookup('passwordstore', 'wg/wg5/mullvad.pub') }}" + option endpoint_host '146.70.117.162' + option endpoint_port '51820' + option route_allowed_ips '1' + option persistent_keepalive 15 + list allowed_ips '0.0.0.0/0' + +config rule + option in 'clients' + option lookup 'launder' + option priority 50 + +config rule + option in 'clients' + option action prohibit + option priority 51 diff --git a/templates/gateways/sax-rgs-gw-core01/etc/iproute2/rt_tables b/templates/gateways/sax-rgs-gw-core01/etc/iproute2/rt_tables new file mode 100644 index 0000000..cb61684 --- /dev/null +++ b/templates/gateways/sax-rgs-gw-core01/etc/iproute2/rt_tables @@ -0,0 +1,13 @@ +# +# reserved values +# +128 prelocal +255 local +254 main +253 default +0 unspec +20 launder +# +# local +# +#1 inr.ruhep
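Review bot: in the etc/config/dhcp hunk, the pool comment does not match the values. With `option start '2'` and `option limit '1020'` on the 10.86.4.0/22 network from the network hunk, the pool runs from 10.86.4.2 to 10.86.7.253, not to 10.86.7.254 as the `# to:` comment states; either raise the limit to 1021 or correct the comment. The `option dhcpv6 'server'` and `option ra 'server'` lines are harmless while `clients` has only an IPv4 address, but a short comment marking them as part of the unfinished v6 work would save the next reader from expecting IPv6 addressing on that network.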
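Review bot: in the etc/config/firewall zone hunk, the `clients` zone is correctly isolated (forward REJECT with a single `config forwarding` to `launder`), but name resolution bypasses the laundering path. `CLIENTS_Allow-DNS` lets clients query the gateway's own resolver, and the resolver's upstream queries originate on the gateway, so they never match the `option in 'clients'` policy rules and leave through the main table rather than through wg5. If nothing from the clients network is supposed to be visible on the regular WAN, point the resolver's forwarders at a server reachable only inside the tunnel or run a separate resolver instance bound to the launder table. The `launder` zone's `option masq 1` and `option mtu_fix 1` are the right settings for a tunnel egress zone.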
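Review bot: in the etc/config/firewall rule hunk, `CLIENTS_Allow-DNS` permits only `option proto udp`; resolvers fall back to TCP for truncated answers, so use `option proto 'tcp udp'`. Because the zone has `option input REJECT`, everything not listed is rejected, which includes DHCPv6 (UDP 546/547) and ICMPv6 router/neighbor solicitation from clients; the `dhcpv6 'server'` and `ra 'server'` settings in the dhcp hunk will need matching rules (for example one modelled on the stock `Allow-ICMPv6-Input` rule, scoped to this zone) when the v6 side is completed. Minor: the new rule names (`CLIENTS_Allow-DHCP`, `CLIENTS_Allow-DNS`) do not follow the existing `From-BACKBONE-Allow-OSPF` naming pattern.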
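Review bot: in the etc/config/network hunk that adds wg4, wg5 and the policy rules, the kill-switch only covers IPv4. netifd's `config rule` is IPv4 only and there is no `config rule6` counterpart, and wg4 has no `ip6table`, so once `clients` receives an IPv6 prefix its traffic will neither be steered into wg4 nor prohibited; it will fall through to the main table and exit the regular WAN. Add the matching `config rule6` entries (lookup `launder` at 50, `prohibit` at 51) and `option ip6table 'launder'` on wg4 now, so the prohibition is already in place before v6 addressing is enabled. Two smaller points: the comment `# routes 2a0e:8f02:f000:2e61::1/64 to the link-local of wg4` describes a route this hunk does not add (the peer has `route_allowed_ips '0'` and there is no `config route6`), so state that it is configured on the remote side; and `fe80:2131:27:189::2/64` lies in fe80::/10 but is not a canonical link-local address (RFC 4291 requires the 54 bits after the fe80 prefix to be zero), while the kernel still treats it as link-local scope, so confirm with the peer that this is the intended addressing or use fe80::2/64 or a ULA. The v4 side is sound: `option ip4table 'launder'` on wg5 together with `route_allowed_ips '1'` and `allowed_ips '0.0.0.0/0'` places the default route in the launder table, and the `prohibit` rule at priority 51 ensures client traffic is dropped rather than leaked when the tunnel is down.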
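Review bot: in the etc/iproute2/rt_tables hunk, the table is referenced by name elsewhere (`option ip4table 'launder'`, `option lookup 'launder'`), so this file has to be deployed before netifd brings up wg5 or the name lookup fails and the interface comes up without the policy routing. Since the template replaces the distribution's rt_tables wholesale, keep the reserved block in sync with the OpenWrt release on the box; alternatively reference the table by its numeric id 20 in the network config and drop the file dependency entirely.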