ansible/group_vars/isp/firewall.yml

---
firewall__zones:
  internet:
    negate: true
    addrs:
      - 2a09:6840::/32
      - 2a09:6841::/32
      - 2a09:6842::/32
      - 45.66.108.0/22
      - 10.0.0.0/8
      - 100.64.0.0/10
  clients:
    addrs:
      - 100.64.0.0/10
  non_clients:
    negate: true
    zones: clients
  allowed_clients:
    file:
      path: /var/run/firewall/allowed_clients.yml
      default: []

firewall__input:
  - verdict: accept

firewall__output:
  - verdict: accept

firewall__forward:
  - src: allowed_clients
    dst: non_clients
    verdict: accept

firewall__nat:
  - src: clients
    dst: internet
    protocols: null
    snat:
      addr: 45.66.111.220
...