# Template fragment for an ifupdown-style interfaces file: one stanza per
# management interface, then one stanza per VLAN sub-interface on the lan links.
#
# disable IP forwarding on management interfaces
# ($IFACE is not a template variable; it is left for ifupdown, which exports the
# name of the interface being configured to pre-up commands.)
# NOTE(review): the name test is anchored only at the start, so any name that
# begins with mgmt<digits> is selected -- confirm no such name contains a dot,
# because sysctl reads dots in a key as separators.
# NOTE(review): for IPv6 the Linux kernel documentation says forwarding between
# interfaces is governed by net.ipv6.conf.all.forwarding and that netfilter must
# be used to control which interfaces may forward; the per-interface IPv6 key
# below may therefore not isolate the management ports on its own -- confirm a
# filter rule covers them.
{% for iface in interfaces | map(attribute="name") | select("match", "^mgmt[0-9]+") %}
iface {{ iface }}
    pre-up sysctl -w net.ipv4.conf.$IFACE.forwarding=0
    pre-up sysctl -w net.ipv6.conf.$IFACE.forwarding=0
{% endfor -%}

# create VLANs 2 and 4 on firewall—exit links for inside and outside traffic
# (each interface whose name starts with "lan" is paired with 2 and 4 and joined
# with a dot, giving <name>.2 and <name>.4)
# NOTE(review): the stanzas carry no explicit VLAN options; presumably the
# ifupdown implementation in use derives the VLAN id from the dotted name --
# confirm.
{% for iface in interfaces | map(attribute="name") | select("match", "^lan") | product([2, 4]) | map("join", ".") %}
auto {{ iface }}
iface {{ iface }}
{% endfor %}