VyOS: Getting Your Feet Wet
For VyOS to be a viable replacement for my typical OpenBSD deployments, it must … Pffft. The goals were defined in a previous post … so let’s just get on with it, shall we?
First Step Hints
- tab or question mark (?) provides command completion / hints
- enter configuration mode with the configure command
- after describing changes, use commit to make the changes live
- after changes are live, the save command will update the boot configuration
- exit configuration mode with the exit command
NOTE: translation address can be specified; the use of masquerade results in usage of the primary address of the interface.
```
set int eth eth0 description OUTSIDE
set int eth eth1 description INSIDE
commit
save
run show int eth
edit nat source rule 1
set outbound-interface eth0
set source address 192.168.1.0/24
set translation address masquerade
commit
save
```
This is simple port forwarding, often used for publishing internal services. NOTE: Set inbound-interface to any instead of eth0 to allow NAT reflection; this means an internal host can reach an externally published service via its externally published address.
```
edit nat destination rule 1
set inbound-interface any
set destination address 10.0.0.245
set destination port 80
set translation address 192.168.1.5
set translation port 80
set protocol tcp
exit
```
NAT reflection (hairpin NAT)
```
edit nat source rule 2
set source address 192.168.1.0/24
set destination address 192.168.1.0/24
set translation address masquerade
set outbound-interface eth1
```
Sometimes referred to as “Routing on a Stick”
```
set int eth eth1 vif 2 address 192.168.2.1/24
set int eth eth1 vif 3 address 192.168.3.1/24
```
NOTE: In this case, vif defines the VLAN number. The same thing can be shortened just a bit:
```
set int eth eth1.2 address 192.168.2.1/24
set int eth eth1.3 address 192.168.3.1/24
```
Adding Static Routes
```
set protocols static route 172.16.0.0/12 next-hop 188.8.131.52
```
Deleting Static Routes
```
delete protocols static route 172.16.0.0/12
```
Advertise my networks in area 0:
```
edit protocols ospf
set area 0 network 184.108.40.206/30
set area 0 network 192.168.1.0/24
set area 0 network 192.168.2.0/24
set area 0 network 192.168.3.0/24
```
Don’t send OSPF hellos out of these interfaces:
```
set passive-interface eth1
set passive-interface eth1.2
set passive-interface eth1.3
```
NOTE: Change main to enduser or something which better describes the network in question.
```
set service dhcp-server shared-network-name main subnet 192.168.1.0/24
edit service dhcp-server shared-network-name main subnet 192.168.1.0/24
set start 192.168.1.10 stop 192.168.1.250
set default-router 192.168.1.1
set dns-server 220.127.116.11
set domain-name mydomain.local
set domain-search mydomain.local
```
Static (reserved) lease for a known MAC address:
```
edit service dhcp-server
set shared-network-name main subnet 192.168.1.0/24 static-mapping somebox ip-address 192.168.1.43
set shared-network-name main subnet 192.168.1.0/24 static-mapping somebox mac-address a1:b2:c3:d4:e5:f6
```
NOTE: The DNS service by default consults the local /etc/hosts file before consulting a forwarder. This is what the static-host-mapping refers to.
```
set service dns
set system static-host-mapping host-name foo.bar.baz inet 18.104.22.168
```
Forward everything else upstream, and only answer queries on the inside interface:
```
set service dns forwarding name-server 22.214.171.124
set service dns forwarding listen-on eth1
```
```
set system ntp server us.pool.ntp.org
```
NOTE: This is really all that is required; just remember to allow connectivity via firewall if necessary.
```
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn l2tp remote-access outside-address 10.0.0.245
set vpn l2tp remote-access client-ip-pool start 172.16.123.1
set vpn l2tp remote-access client-ip-pool stop 172.16.123.255
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret [email protected]
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username winston password salem
```
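The note above says to allow the VPN through the firewall if necessary. As an added example, not from the original post, here is a VyOS 1.2/1.3-style firewall chain for traffic addressed to the router itself on eth0 (OUTSIDE) that admits only what the L2TP/IPsec service needs and drops everything else; the chain name OUTSIDE-LOCAL is my own choice, and VyOS 1.4 moved this tree under `firewall ipv4`.

```vyos
# Added example (not the post's own config). Assumes VyOS 1.2/1.3 syntax.
edit firewall name OUTSIDE-LOCAL
set default-action drop
# Replies to traffic the router itself initiated
set rule 10 action accept
set rule 10 state established enable
set rule 10 state related enable
# Drop packets that belong to no known connection
set rule 20 action drop
set rule 20 state invalid enable
# IKE (UDP 500) and NAT-T (UDP 4500) for the remote-access IPsec peers
set rule 30 action accept
set rule 30 protocol udp
set rule 30 destination port 500,4500
# ESP for peers that are not behind NAT
set rule 40 action accept
set rule 40 protocol esp
# L2TP (UDP 1701) only when it arrived inside the IPsec tunnel
set rule 50 action accept
set rule 50 protocol udp
set rule 50 destination port 1701
set rule 50 ipsec match-ipsec
exit
# Attach the chain to the "local" hook of the outside interface
set interfaces ethernet eth0 firewall local name OUTSIDE-LOCAL
commit
save
run show firewall name OUTSIDE-LOCAL
```

Because the chain is applied to the local hook only, forwarded traffic (the NAT rules earlier in the post) is unaffected; it needs its own in/out chains on eth0.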