Швидкий початок
This chapter will guide you on how to get up to speed quickly using your new
VyOS system. It will show you a very basic configuration example that will
provide a NAT gateway for a device with two network interfaces
(eth0
and eth1
).
Режим конфігурації
By default, VyOS is in operational mode, and the command prompt displays
a $
. To configure VyOS, you will need to enter configuration mode, resulting
in the command prompt displaying a #
, as demonstrated below:
vyos@vyos$ configure
vyos@vyos#
Здійснити та зберегти
Після кожної зміни конфігурації вам потрібно застосувати зміни за допомогою такої команди:
commit
Коли ваша конфігурація запрацює належним чином, ви можете зберегти її назавжди за допомогою такої команди:
save
Конфігурація інтерфейсу
Your outside/WAN interface will be
eth0
. It will receive its interface address via DHCP.Your internal/LAN interface will be
eth1
. It will use a static IP address of192.168.0.1/24
.
Після переходу в режим Режим конфігурації виконайте такі команди:
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'LAN'
Управління SSH
Після переходу в режим Режим конфігурації виконайте наступні команди, і ваша система прослуховуватиме вхідні з’єднання SSH на кожному інтерфейсі. Ви можете переглянути розділ SSH про те, як прослуховувати лише певні адреси.
set service ssh port '22'
Швидкий старт DHCP/DNS
Наступні параметри налаштують служби DHCP і DNS у вашій внутрішній мережі/мережі LAN, де VyOS діятиме як шлюз за замовчуванням і сервер DNS.
The default gateway and DNS recursor address will be
192.168.0.1/24
The address range
192.168.0.2/24 - 192.168.0.8/24
will be reserved for static assignmentsDHCP clients will be assigned IP addresses within the range of
192.168.0.9 - 192.168.0.254
and have a domain name ofinternal-network
Оренда DHCP триватиме один день (86400 секунд)
VyOS слугуватиме повним DNS-рекурсором, замінюючи потребу у використанні Google, Cloudflare або інших загальнодоступних DNS-серверів (що добре для конфіденційності)
Тільки хости з вашої внутрішньої/LAN мережі можуть використовувати рекурсор DNS
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option name-server '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option domain-name 'vyos.net'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start '192.168.0.9'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.254'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 subnet-id '1'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address '192.168.0.1'
set service dns forwarding allow-from '192.168.0.0/24'
NAT
Наступні параметри налаштують правила SNAT для нашої внутрішньої/LAN мережі, дозволяючи хостам спілкуватися через зовнішню/WAN мережу через IP-маскарад.
set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address masquerade
Брандмауер
A new firewall structure—which uses the nftables
backend, rather
than iptables
—is available on all installations starting from
VyOS 1.4-rolling-202308040557
. The firewall supports creation of distinct,
interlinked chains for each Netfilter hook
and allows for more granular control over the packet filtering process.
The firewall begins with the base filter
tables you define for each of the
forward
, input
, and output
Netfiter hooks. Each of these tables is
populated with rules that are processed in order and can jump to other chains
for more granular filtering.
Configure Firewall Groups
To make firewall configuration easier, we can create groups of interfaces, networks, addresses, ports, and domains that describe different parts of our network. We can then use them for filtering within our firewall rulesets, allowing for more concise and readable configuration.
In this case, we will create two interface groups — a WAN
group for our
interfaces connected to the public internet and a LAN
group for the
interfaces connected to our internal network. Additionally, we will create a
network group, NET-INSIDE-v4
, that contains our internal subnet.
set firewall group interface-group WAN interface eth0
set firewall group interface-group LAN interface eth1
set firewall group network-group NET-INSIDE-v4 network '192.168.0.0/24'
Configure Stateful Packet Filtering
With the new firewall structure, we have have a lot of flexibility in how we group and order our rules, as shown by the three alternative approaches below.
Option 1: Global State Policies
Using options defined in set firewall global-options state-policy
, state
policy rules that applies for both IPv4 and IPv6 are created. These global
state policies also applies for all traffic that passes through the router
(transit) and for traffic originated/destinated to/from the router itself, and
will be evaluated before any other rule defined in the firewall.
Most installations would choose this option, and will contain:
set firewall global-options state-policy established action accept
set firewall global-options state-policy related action accept
set firewall global-options state-policy invalid action drop
Option 2: Common/Custom Chain
We can create a common chain for stateful connection filtering of multiple interfaces (or multiple netfilter hooks on one interface). Those individual chains can then jump to the common chain for stateful connection filtering, returning to the original chain for further rule processing if no action is taken on the packet.
The chain we will create is called CONN_FILTER
and has three rules:
A default action of
return
, which returns the packet back to the original chain if no action is taken.A rule to
accept
packets from established and related connections.A rule to
drop
packets from invalid connections.
set firewall ipv4 name CONN_FILTER default-action 'return'
set firewall ipv4 name CONN_FILTER rule 10 action 'accept'
set firewall ipv4 name CONN_FILTER rule 10 state established
set firewall ipv4 name CONN_FILTER rule 10 state related
set firewall ipv4 name CONN_FILTER rule 20 action 'drop'
set firewall ipv4 name CONN_FILTER rule 20 state invalid
Then, we can jump to the common chain from both the forward
and input
hooks as the first filtering rule in the respective chains:
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 jump-target CONN_FILTER
set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 jump-target CONN_FILTER
Option 3: Per-Hook Chain
Alternatively, you can take the more traditional stateful connection filtering approach by creating rules on each base hook’s chain:
set firewall ipv4 forward filter rule 5 action 'accept'
set firewall ipv4 forward filter rule 5 state established
set firewall ipv4 forward filter rule 5 state related
set firewall ipv4 forward filter rule 10 action 'drop'
set firewall ipv4 forward filter rule 10 state invalid
set firewall ipv4 input filter rule 5 action 'accept'
set firewall ipv4 input filter rule 5 state established
set firewall ipv4 input filter rule 5 state related
set firewall ipv4 input filter rule 10 action 'drop'
set firewall ipv4 input filter rule 10 state invalid
Block Incoming Traffic
Now that we have configured stateful connection filtering to allow traffic from established and related connections, we can block all other incoming traffic addressed to our local network.
Create a new chain (OUTSIDE-IN
) which will drop all traffic that is not
explicitly allowed at some point in the chain. Then, we can jump to that chain
from the forward
hook when traffic is coming from the WAN
interface
group and is addressed to our local network.
set firewall ipv4 name OUTSIDE-IN default-action 'drop'
set firewall ipv4 forward filter rule 100 action jump
set firewall ipv4 forward filter rule 100 jump-target OUTSIDE-IN
set firewall ipv4 forward filter rule 100 inbound-interface group WAN
set firewall ipv4 forward filter rule 100 destination group network-group NET-INSIDE-v4
We should also block all traffic destinated to the router itself that isn’t
explicitly allowed at some point in the chain for the input
hook. As
we’ve already configured stateful packet filtering above, we only need to
set the default action to drop
:
set firewall ipv4 input filter default-action 'drop'
Allow Management Access
We can now configure access to the router itself, allowing SSH access from the inside/LAN network and rate limiting SSH access from the outside/WAN network.
First, create a new dedicated chain (VyOS_MANAGEMENT
) for management
access, which returns to the parent chain if no action is taken. Add a rule
to accept traffic from the LAN
interface group:
set firewall ipv4 name VyOS_MANAGEMENT default-action 'return'
Configure a rule on the input
hook filter to jump to the VyOS_MANAGEMENT
chain when new connections are addressed to port 22 (SSH) on the router itself:
set firewall ipv4 input filter rule 20 action jump
set firewall ipv4 input filter rule 20 jump-target VyOS_MANAGEMENT
set firewall ipv4 input filter rule 20 destination port 22
set firewall ipv4 input filter rule 20 protocol tcp
Finally, configure the VyOS_MANAGEMENT
chain to accept connection from the
LAN
interface group while limiting requests coming from the WAN
interface group to 4 per minute:
set firewall ipv4 name VyOS_MANAGEMENT rule 15 action 'accept'
set firewall ipv4 name VyOS_MANAGEMENT rule 15 inbound-interface group 'LAN'
set firewall ipv4 name VyOS_MANAGEMENT rule 20 action 'drop'
set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent count 4
set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent time minute
set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new
set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface group 'WAN'
set firewall ipv4 name VyOS_MANAGEMENT rule 21 action 'accept'
set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new
set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface group 'WAN'
Allow Access to Services
Here we’re allowing the router to respond to pings. Then, we can allow access to
the DNS recursor we configured earlier, accepting traffic bound for port 53 from
all hosts on the NET-INSIDE-v4
network:
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 icmp type-name 'echo-request'
set firewall ipv4 input filter rule 30 protocol 'icmp'
set firewall ipv4 input filter rule 30 state new
set firewall ipv4 input filter rule 40 action 'accept'
set firewall ipv4 input filter rule 40 destination port '53'
set firewall ipv4 input filter rule 40 protocol 'tcp_udp'
set firewall ipv4 input filter rule 40 source group network-group NET-INSIDE-v4
Finally, we can now configure access to the services running on this router, allowing all connections coming from localhost:
set firewall ipv4 input filter rule 50 action 'accept'
set firewall ipv4 input filter rule 50 source address 127.0.0.0/8
Зафіксувати зміни, зберегти конфігурацію та вийти з режиму конфігурації:
vyos@vyos# commit
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
vyos@vyos# exit
vyos@vyos$
Загартовування
Особливо якщо ви дозволяєте віддалений доступ через SSH із зовнішнього/WAN-інтерфейсу, необхідно виконати кілька додаткових кроків налаштування.
Replace the default vyos
system user:
set system login user myvyosuser authentication plaintext-password mysecurepassword
Налаштувати Аутентифікація на основі ключа:
set system login user myvyosuser authentication public-keys myusername@mydesktop type ssh-rsa
set system login user myvyosuser authentication public-keys myusername@mydesktop key contents_of_id_rsa.pub
Нарешті, спробуйте встановити SSH у VyOS як новий користувач. Після того, як ви підтвердите, що ваш новий користувач може отримати доступ до вашого маршрутизатора без пароля, видаліть початкового користувача vyos
і повністю вимкніть автентифікацію пароля для SSH:
delete system login user vyos
set service ssh disable-password-authentication
Як і вище, закріпіть свої зміни, збережіть конфігурацію та вийдіть з режиму конфігурації:
vyos@vyos# commit
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
vyos@vyos# exit
vyos@vyos$
Тепер у вас повинен бути простий, але безпечний і функціональний маршрутизатор, з яким можна експериментувати далі. Насолоджуйтесь!