Quick Start

This chapter will guide you on how to get up to speed using your new VyOS system. It will show you a very basic configuration example that will provide a NAT gateway for a device with two network interfaces (eth0 and eth1).

Configuration Mode

Commit and Save

After every configuration change you need to apply the changes by using the

commit

Once your configuration works as expected you can save it permanently.

save

Interface Configuration

  • Your outside/WAN interface will be eth0, it receives it’s interface address be means of DHCP.
  • Your internal/LAN interface is eth1. It uses a fixed IP address of 192.168.0.1/24.

After switching to Configuration Mode issue the following commands:

set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'INSIDE'

Enable SSH Management SSH

After switching to Configuration Mode issue the following commands, and your system will listen on every interface for incoming SSH connections. You might want to check the SSH chapter on how to listen on specific addresses only.

set service ssh port '22'

Configure DHCP/DNS Servers

  • Provide DHCP service on your internal/LAN network where VyOS will act as the default gateway and DNS server.
  • Client IP addresses are assigned from the range 192.168.0.9 - 192.168.0.254
  • DHCP leases will hold for one day (86400 seconds)
  • VyOS will server as full DNS recursor - no need to bother the Google or Cloudflare DNS servers (good for privacy)
  • Only clients from your internal/LAN network can use the DNS resolver
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start 192.168.0.9
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.254'

set service dns forwarding cache-size '0'
set service dns forwarding listen-address '192.168.0.1'
set service dns forwarding allow-from '192.168.0.0/24'

NAT

set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address masquerade

Firewall

Add a set of firewall policies for our outside/WAN interface.

This configuration creates a proper stateful firewall that blocks all traffic which was not initiated from the internal/LAN side first.

set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'

set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'

If you wanted to enable SSH access to your firewall from the outside/WAN interface, you could create some additional rules to allow that kind of traffic.

These rules allow SSH traffic and rate limit it to 4 requests per minute. This blocks brute-forcing attempts:

set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'

set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'

Apply the firewall policies:

set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

Commit changes, save the configuration, and exit configuration mode:

[email protected]# commit
[email protected]# save
Saving configuration to '/config/config.boot'...
Done
[email protected]# exit
[email protected]$

QoS

One common use of QoS and Traffic Policy is to limit bandwidth for an interface. In the example below we limit bandwidth for our internal/LAN connection to 200 Mbit/s download and our outside/WAN connection to 50 Mbit/s upload:

set traffic-policy shaper WAN-OUT bandwidth '50Mbit'
set traffic-policy shaper WAN-OUT default bandwidth '50%'
set traffic-policy shaper WAN-OUT default ceiling '100%'
set traffic-policy shaper WAN-OUT default queue-type 'fair-queue'

set traffic-policy shaper LAN-OUT bandwidth '200Mbit'
set traffic-policy shaper LAN-OUT default bandwidth '50%'
set traffic-policy shaper LAN-OUT default ceiling '100%'
set traffic-policy shaper LAN-OUT default queue-type 'fair-queue'

Once defined, a traffic policy needs to be applied to each interface using the interface-level traffic-policy directive:

set interfaces ethernet eth0 traffic-policy out 'WAN-OUT'
set interfaces ethernet eth1 traffic-policy out 'LAN-OUT'

Security Hardening

Especially if you are allowing SSH remote access from the outside/WAN interface, there are a few additional configuration steps that should be taken.

Replace the default vyos system user:

set system login user myvyosuser level admin
set system login user myvyosuser authentication plaintext-password mysecurepassword

Set up Key Based Authentication:

set system login user myvyosuser authentication public-keys [email protected] type ssh-rsa
set system login user myvyosuser authentication public-keys [email protected] key contents_of_id_rsa.pub

Finally, try and SSH into the VyOS install as your new user. Once you have confirmed that your new user can access your router without a password, delete the original vyos user and probably disable password authentication for SSH at all:

delete system login user vyos
set service ssh disable-password-authentication