Goals

For VyOS to be a viable replacement for my typical OpenBSD deployments, it must … Pffft. The goals were defined in a previous post … so let’s just get on with it, shall we?

First Step Hints

  • tab or question mark (?) provides command completion / hints
  • enter configuration mode with the configure command
  • after describing changes, use commit to make the changes live
  • after changes are live, the save command will update the boot configuration
  • exit configuration mode with the exit command

NAT

Outbound NAT

NOTE: A specific translation address can be given; masquerade instead translates to the primary address of the outbound interface, which is what you want when that address is assigned dynamically.

set int eth eth0 description OUTSIDE
set int eth eth1 description INSIDE
commit
save
run show int eth

edit nat source rule 1
set outbound-interface eth0
set source address 192.168.1.0/24
set translation address masquerade
commit
save

Inbound NAT

This is simple port forwarding, often used for publishing internal services. NOTE: Set inbound-interface to any instead of eth0 so the rule also matches traffic arriving from the inside; together with the hairpin source rule below, this lets an internal host reach an externally published service via its external address.

edit nat destination rule 1
set inbound-interface any
set destination address 10.0.0.245
set destination port 80
set translation address 192.168.1.5
set translation port 80
set protocol tcp
exit
commit
save

NAT reflection (hairpin NAT)

NOTE: This source rule rewrites the client address on LAN-to-LAN traffic that destination rule 1 has already translated, so the published server replies back through the router rather than directly to the client. The server therefore logs the router, not the real client; narrow destination address to the published host instead of the whole /24 if that matters.

edit nat source rule 2
set source address 192.168.1.0/24
set destination address 192.168.1.0/24
set translation address masquerade
set outbound-interface eth1
commit
save

VLANs

VLAN sub-interfaces

Sometimes referred to as “Router on a Stick”

set int eth eth1 vif 2 address 192.168.2.1/24
set int eth eth1 vif 3 address 192.168.3.1/24

NOTE: In this case, vif defines the VLAN number. The same thing can be shortened just a bit:

set int eth eth1.2 address 192.168.2.1/24
set int eth eth1.3 address 192.168.3.1/24

Routing

Adding Static Routes

set protocols static route 172.16.0.0/12 next-hop 1.1.1.2

Deleting Static Routes

delete protocols static route 172.16.0.0/12

OSPF

edit protocols ospf
set area 0 network 1.1.1.0/30
set area 0 network 192.168.1.0/24
set area 0 network 192.168.2.0/24
set area 0 network 192.168.3.0/24

make these interfaces passive: their networks are still advertised, but no hellos are sent and no adjacency can form on them, so a host on the LAN or a VLAN cannot peer with the router and inject routes

set passive-interface eth1
set passive-interface eth1.2
set passive-interface eth1.3
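Listing passive interfaces one by one means a newly added VLAN is open to OSPF peering until someone remembers to add it, and even the intended neighbour is accepted without any authentication. The following is an added example, not from the original post: it makes every interface passive by default, excludes only the transit link, and requires MD5 authentication on area 0. It assumes the 1.1.1.0/30 link to the neighbour sits on an interface named eth2, and the key value is a placeholder (Quagga limits OSPF MD5 keys to 16 characters).

```vyos
# Added example, not from the original post. Assumes the OSPF neighbour on
# 1.1.1.0/30 is reached over eth2; the MD5 key below is a placeholder.
edit protocols ospf
# every interface is passive unless explicitly excluded
set passive-interface default
set passive-interface-exclude eth2
# hellos without a valid MD5 digest are ignored on area 0
set area 0 authentication md5
top
# same key-id and key must be configured on the neighbour (max 16 chars)
set interfaces ethernet eth2 ip ospf authentication md5 key-id 1 md5-key CHANGEME-KEY1
commit
save
run show ip ospf neighbor
```

The neighbour should still show as FULL after both sides have the key; if it drops to Init or disappears, the key-id or key differs on one side.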

DHCP Service

NOTE: Replace main with a name that better describes the network in question (for example enduser).

Example Scope

set service dhcp-server shared-network-name main subnet 192.168.1.0/24
edit service dhcp-server shared-network-name main subnet 192.168.1.0/24
set start 192.168.1.10 stop 192.168.1.250
set default-router 192.168.1.1
set dns-server 8.8.8.8
set domain-name mydomain.local
set domain-search mydomain.local

Example Reservation

edit service dhcp-server
set shared-network-name main subnet 192.168.1.0/24 static-mapping somebox ip-address 192.168.1.43
set shared-network-name main subnet 192.168.1.0/24 static-mapping somebox mac-address a1:b2:c3:d4:e5:f6

DNS Service

NOTE: The DNS service by default consults the local /etc/hosts file before consulting a forwarder. This is what the static-host-mapping refers to.

Internal Hosts

set service dns
set system static-host-mapping host-name foo.bar.baz inet 2.4.6.8

External Forwarder

NOTE: listen-on restricts the forwarder to the INSIDE interface, so the router does not become an open resolver on eth0.

set service dns forwarding name-server 8.8.8.8
set service dns forwarding listen-on eth1

NTP Service

set system ntp server us.pool.ntp.org

NOTE: This is really all that is required; just remember to allow NTP through the firewall if necessary.

L2TP VPN

NOTE: The pre-shared secret is shared by every client and sits in the saved configuration alongside the local user passwords, so use a long random value and keep copies of the configuration out of reach. IKE (UDP 500), NAT-T (UDP 4500) and ESP must be permitted to the router itself on eth0.

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0

set vpn l2tp remote-access outside-address 10.0.0.245
set vpn l2tp remote-access client-ip-pool start 172.16.123.1
set vpn l2tp remote-access client-ip-pool stop 172.16.123.255
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret [email protected]
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username winston password salem
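Neither the Inbound NAT rule above nor the L2TP service is safe to expose without a stateful firewall on the OUTSIDE interface, since VyOS forwards everything by default. The following is an added example, not from the original post, covering both: a forward chain for traffic passing through the router and a local chain for traffic addressed to the router. The chain names OUTSIDE-IN and OUTSIDE-LOCAL are my choice; the addresses and ports are the ones used on this page. Note that VyOS applies destination NAT before the in firewall, so the rule for the published web server must match the translated inside address 192.168.1.5, not the external 10.0.0.245.

```vyos
# Added example, not from the original post. Chain names OUTSIDE-IN and
# OUTSIDE-LOCAL are assumed; addresses and ports are the ones used above.

# Traffic forwarded through the router, arriving on eth0
set firewall name OUTSIDE-IN default-action drop
set firewall name OUTSIDE-IN rule 10 description 'replies to inside-initiated sessions'
set firewall name OUTSIDE-IN rule 10 action accept
set firewall name OUTSIDE-IN rule 10 state established enable
set firewall name OUTSIDE-IN rule 10 state related enable
set firewall name OUTSIDE-IN rule 20 action drop
set firewall name OUTSIDE-IN rule 20 state invalid enable
# DNAT has already run, so match the translated (inside) address
set firewall name OUTSIDE-IN rule 30 description 'published web server'
set firewall name OUTSIDE-IN rule 30 action accept
set firewall name OUTSIDE-IN rule 30 protocol tcp
set firewall name OUTSIDE-IN rule 30 destination address 192.168.1.5
set firewall name OUTSIDE-IN rule 30 destination port 80

# Traffic addressed to the router itself, arriving on eth0
set firewall name OUTSIDE-LOCAL default-action drop
set firewall name OUTSIDE-LOCAL rule 10 action accept
set firewall name OUTSIDE-LOCAL rule 10 state established enable
set firewall name OUTSIDE-LOCAL rule 10 state related enable
set firewall name OUTSIDE-LOCAL rule 20 action drop
set firewall name OUTSIDE-LOCAL rule 20 state invalid enable
# IKE and NAT-T for the L2TP/IPsec remote-access service
set firewall name OUTSIDE-LOCAL rule 30 description 'IKE and NAT-T'
set firewall name OUTSIDE-LOCAL rule 30 action accept
set firewall name OUTSIDE-LOCAL rule 30 protocol udp
set firewall name OUTSIDE-LOCAL rule 30 destination port 500,4500
set firewall name OUTSIDE-LOCAL rule 40 description 'ESP'
set firewall name OUTSIDE-LOCAL rule 40 action accept
set firewall name OUTSIDE-LOCAL rule 40 protocol esp
# L2TP itself, accepted only once it has been decapsulated from IPsec
set firewall name OUTSIDE-LOCAL rule 50 description 'L2TP inside IPsec only'
set firewall name OUTSIDE-LOCAL rule 50 action accept
set firewall name OUTSIDE-LOCAL rule 50 protocol udp
set firewall name OUTSIDE-LOCAL rule 50 destination port 1701
set firewall name OUTSIDE-LOCAL rule 50 ipsec match-ipsec

set interfaces ethernet eth0 firewall in name OUTSIDE-IN
set interfaces ethernet eth0 firewall local name OUTSIDE-LOCAL
commit
save
run show firewall name OUTSIDE-IN
```

Rule 50's ipsec match-ipsec is what keeps plain, unencrypted L2TP on UDP 1701 from reaching the router; without it the PSK-only IPsec layer could be bypassed by a client that speaks raw L2TP. Management access (SSH) to the router from OUTSIDE is deliberately not opened here; add it to OUTSIDE-LOCAL with a source address restriction if it is needed.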