VyOS: Getting Your Feet Wet
Goals
For VyOS to be a viable replacement for my typical OpenBSD deployments, it must … Pffft. The goals were defined in a previous post … so let’s just get on with it, shall we?
First Step Hints
- tab or question mark (?) provides command completion / hints
- enter configuration mode with the configure command
- after describing changes, use commit to validate them and make them live on the running system
- after changes are live, the save command writes them to the boot configuration (/config/config.boot) so they survive a reboot
- exit configuration mode with the exit command
NAT
Outbound NAT
NOTE: an explicit translation address can be given; masquerade instead uses the primary address of the outbound interface, which is what you want when eth0 gets its address by DHCP.
set int eth eth0 description OUTSIDE
set int eth eth1 description INSIDE
commit
save
run show int eth
edit nat source rule 1
set outbound-interface eth0
set source address 192.168.1.0/24
set translation address masquerade
commit
save
Inbound NAT
This is simple port forwarding, often used for publishing internal services. NOTE: set inbound-interface to any instead of eth0 to allow NAT reflection; this means an internal host can reach an externally-published service via its externally published address (a matching hairpin source rule is also required, see below). NAT rules do not open anything by themselves: if a firewall rule set is applied to eth0, it must also accept the forwarded traffic.
edit nat destination rule 1
set inbound-interface any
set destination address 10.0.0.245
set destination port 80
set translation address 192.168.1.5
set translation port 80
set protocol tcp
exit
NAT reflection (hairpin NAT)
Without this rule an inside client reaching the published address would have its request translated to the server, but the server would answer the client directly on the LAN (it sees the client's real source address) and the client would reset the connection. Masquerading inside-to-inside traffic on eth1 forces the reply back through the router.
edit nat source rule 2
set source address 192.168.1.0/24
set destination address 192.168.1.0/24
set translation address masquerade
set outbound-interface eth1
VLANs
VLAN sub-interfaces
Sometimes referred to as "Router on a Stick": one physical interface carries several 802.1Q-tagged networks.
set int eth eth1 vif 2 address 192.168.2.1/24
set int eth eth1 vif 3 address 192.168.3.1/24
NOTE: In this case, vif defines the VLAN ID (the 802.1Q tag). The same thing can be shortened just a bit:
set int eth eth1.2 address 192.168.2.1/24
set int eth eth1.3 address 192.168.3.1/24
Routing
Adding Static Routes
set protocols static route 172.16.0.0/12 next-hop 1.1.1.2
Deleting Static Routes
delete protocols static route 172.16.0.0/12
OSPF
advertise my networks in area 0
edit protocols ospf
set area 0 network 1.1.1.0/30
set area 0 network 192.168.1.0/24
set area 0 network 192.168.2.0/24
set area 0 network 192.168.3.0/24
mark the edge interfaces passive: their networks are still advertised, but no hellos are sent and no adjacencies are formed on them, so a host on the LAN cannot inject routes
set passive-interface eth1
set passive-interface eth1.2
set passive-interface eth1.3
DHCP Service
NOTE: change main to enduser or something which better describes the network in question.
Example Scope
set service dhcp-server shared-network-name main subnet 192.168.1.0/24
edit service dhcp-server shared-network-name main subnet 192.168.1.0/24
set start 192.168.1.10 stop 192.168.1.250
set default-router 192.168.1.1
set dns-server 8.8.8.8
set domain-name mydomain.local
set domain-search mydomain.local
Example Reservation
edit service dhcp-server
set shared-network-name main subnet 192.168.1.0/24 static-mapping somebox ip-address 192.168.1.43
set shared-network-name main subnet 192.168.1.0/24 static-mapping somebox mac-address a1:b2:c3:d4:e5:f6
DNS Service
NOTE: The DNS service by default consults the local /etc/hosts file before consulting a forwarder. This is what the static-host-mapping refers to: entries under system static-host-mapping end up in /etc/hosts and are answered locally.
Internal Hosts
set service dns
set system static-host-mapping host-name foo.bar.baz inet 2.4.6.8
External Forwarder
set service dns forwarding name-server 8.8.8.8
set service dns forwarding listen-on eth1
NOTE: listen-on limits the forwarder to the inside interface. Listing eth0 here (or omitting a firewall on it) would make the box an open resolver on the Internet, so keep it to INSIDE interfaces and VLAN sub-interfaces only.
NTP Service
set system ntp server us.pool.ntp.org
NOTE: This is really all that is required; just remember to allow connectivity via firewall if necessary.
L2TP VPN
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn l2tp remote-access outside-address 10.0.0.245
set vpn l2tp remote-access client-ip-pool start 172.16.123.1
set vpn l2tp remote-access client-ip-pool stop 172.16.123.255
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <shared-secret>
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username winston password salem
NOTE: <shared-secret> and the user password above are placeholders; use long random values. As with NTP, remember the firewall: IKE (UDP 500), NAT-T (UDP 4500) and ESP must be accepted on eth0 for clients to connect.
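The sections above leave a few things to check by hand: that the port forward with inbound-interface any really has a hairpin source rule behind it, that the DNS forwarder does not listen on the OUTSIDE interface, and that the L2TP client pool does not collide with a DHCP subnet or sit inside a static route (the 172.16.123.x pool above lies within the 172.16.0.0/12 route added earlier). The script below is an added example written for this post; it is not VyOS code and not from the original article. It parses the flattened form that `show configuration commands` prints (VyOS 1.1-era syntax, as used throughout the post) into a tree and runs those checks. The sample configuration embedded in it is constructed from the post's own commands, and the assumption that eth0/eth1 carry the OUTSIDE/INSIDE descriptions the post gives them is what the DNS check relies on.

```python
"""Offline sanity checks over a VyOS config given as flattened 'set' commands.
Added example for this post, not VyOS code; assumes the OUTSIDE/INSIDE interface descriptions used in the post."""
import ipaddress
import shlex

# Constructed sample: the post's commands, flattened the way `show configuration commands` prints them.
SAMPLE = """\
set interfaces ethernet eth0 description OUTSIDE
set interfaces ethernet eth1 description INSIDE
set nat source rule 1 outbound-interface eth0
set nat source rule 1 source address 192.168.1.0/24
set nat source rule 1 translation address masquerade
set nat destination rule 1 inbound-interface any
set nat destination rule 1 destination address 10.0.0.245
set nat destination rule 1 destination port 80
set nat destination rule 1 translation address 192.168.1.5
set nat destination rule 1 protocol tcp
set nat source rule 2 source address 192.168.1.0/24
set nat source rule 2 destination address 192.168.1.0/24
set nat source rule 2 translation address masquerade
set nat source rule 2 outbound-interface eth1
set protocols static route 172.16.0.0/12 next-hop 1.1.1.2
set service dhcp-server shared-network-name main subnet 192.168.1.0/24 start 192.168.1.10 stop 192.168.1.250
set service dns forwarding name-server 8.8.8.8
set service dns forwarding listen-on eth1
set vpn l2tp remote-access client-ip-pool start 172.16.123.1
set vpn l2tp remote-access client-ip-pool stop 172.16.123.255
"""

def parse_set_commands(text):
    """Nested dict in which every token of a 'set' line is a key, mirroring the VyOS config tree."""
    tree = {}
    for words in (shlex.split(line) for line in text.splitlines()):
        if words and words[0] == "set":
            node = tree
            for word in words[1:]:
                node = node.setdefault(word, {})
    return tree

def leaf(node, *path):
    """Walk `path` and return the single token stored beneath it, or None."""
    for key in path:
        node = node.get(key) if node else None
    return next(iter(node)) if node else None

def check_hairpin(tree):
    """A forward reachable via inbound-interface any needs a source rule that masquerades
    inside->inside traffic to the target, otherwise the server replies to the client directly."""
    nat = tree.get("nat", {})
    hairpins = [ipaddress.ip_network(leaf(r, "destination", "address"))
                for r in nat.get("source", {}).get("rule", {}).values()
                if leaf(r, "source", "address") and leaf(r, "destination", "address")
                and leaf(r, "translation", "address") == "masquerade"]
    findings = []
    for num, rule in nat.get("destination", {}).get("rule", {}).items():
        target = leaf(rule, "translation", "address")
        if (leaf(rule, "inbound-interface") == "any" and target
                and not any(ipaddress.ip_address(target) in net for net in hairpins)):
            findings.append(f"nat destination rule {num}: no hairpin source rule covers {target}")
    return findings

def check_dns(tree):
    """The forwarder must listen on something, and never on an OUTSIDE interface."""
    fwd = tree.get("service", {}).get("dns", {}).get("forwarding")
    if fwd is None:
        return []
    eth = tree.get("interfaces", {}).get("ethernet", {})
    outside = {n for n, c in eth.items() if (leaf(c, "description") or "").upper() == "OUTSIDE"}
    listen = set(fwd.get("listen-on", {}))
    findings = [] if listen else ["dns forwarding: no listen-on interface configured"]
    for iface in sorted(listen & outside):
        findings.append(f"dns forwarding: listens on OUTSIDE interface {iface} (open resolver)")
    return findings

def check_l2tp_pool(tree):
    """Client pool must not collide with a DHCP subnet and should not fall inside a static route."""
    pool = tree.get("vpn", {}).get("l2tp", {}).get("remote-access", {}).get("client-ip-pool", {})
    start, stop = leaf(pool, "start"), leaf(pool, "stop")
    if not (start and stop):
        return []
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(stop)
    if lo > hi:
        return [f"l2tp pool: start {lo} is after stop {hi}"]
    pool_nets = list(ipaddress.summarize_address_range(lo, hi))
    shared = tree.get("service", {}).get("dhcp-server", {}).get("shared-network-name", {})
    dhcp_nets = [cidr for cfg in shared.values() for cidr in cfg.get("subnet", {})]
    routes = tree.get("protocols", {}).get("static", {}).get("route", {})
    findings = []
    for cidr in dhcp_nets:
        if any(p.overlaps(ipaddress.ip_network(cidr)) for p in pool_nets):
            findings.append(f"l2tp pool: {lo}-{hi} overlaps DHCP subnet {cidr}")
    for cidr in routes:
        if any(p.subnet_of(ipaddress.ip_network(cidr)) for p in pool_nets):
            findings.append(f"l2tp pool: {lo}-{hi} lies inside static route {cidr}")
    return findings

def audit(text):
    """Run every check and return the list of findings (empty means clean)."""
    tree = parse_set_commands(text)
    return check_hairpin(tree) + check_dns(tree) + check_l2tp_pool(tree)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN", finding)
```

Run against the sample, the hairpin and DNS checks pass and the only warning is the L2TP pool sitting inside the 172.16.0.0/12 static route; drop the rule 2 lines or add listen-on eth0 and the other two checks fire. Feed it real output from `run show configuration commands` to audit a live box.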