
VMware Workstation - Install

Install VyOS from the OVA.
Upgrade the VM.
Network Adapter   - Custom (VMnet2) (eth1)  -> isolated lab LAN, configured below as INSIDE
Network Adapter 2 - NAT (eth0)              -> VMware NAT uplink, configured below as OUTSIDE (the side the firewall policies are applied to)
# Enter configuration mode; every 'set' that follows is only staged until 'commit'.
configure

Configure network interfaces

# eth0 (OUTSIDE) takes its address from VMware's NAT network via DHCP; it is
# the untrusted uplink that the OUTSIDE-IN / OUTSIDE-LOCAL policies are bound to.
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'OUTSIDE'

# eth1 (INSIDE) is the isolated VMnet2 lab LAN. 10.0.71.1 is also what the
# DHCP server below hands out as default gateway and DNS server.
set interfaces ethernet eth1 address '10.0.71.1/24'
set interfaces ethernet eth1 description 'INSIDE'

Enable SSH for remote management. Note that the service listens on every interface and the OUTSIDE-LOCAL policy further down accepts new SSH connections on eth0, so SSH is reachable from the NAT side as well as from the lab LAN.

# SSH management on the default port. No 'listen-address' is set, so sshd
# listens on every interface including eth0 (OUTSIDE); the OUTSIDE-LOCAL
# policy below deliberately accepts new SSH connections there (rules 30/31,
# rate-limited). Nothing here turns password authentication off.
# For anything beyond a throw-away lab, either load an SSH public key for
# the login user and then add
#   set service ssh disable-password-authentication
# or keep management on the LAN only with
#   set service ssh listen-address '10.0.71.1'
# (OUTSIDE-LOCAL rules 30/31 would then be dead and can be removed).
set service ssh port '22'

Configure Source NAT for our "Inside" network.

# Masquerade the INSIDE LAN behind eth0's DHCP-assigned address. Only
# 10.0.71.0/24 is translated, so anything else that might transit the
# router leaves untranslated.
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.0.71.0/24'
set nat source rule 100 translation address masquerade

Configure a DHCP Server

# DHCP for the INSIDE LAN. Clients get the router as both gateway and DNS,
# so the forwarder below (listening on eth1) is the only resolver they see.
set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name LAN subnet 10.0.71.0/24 default-router '10.0.71.1'
set service dhcp-server shared-network-name LAN subnet 10.0.71.0/24 dns-server '10.0.71.1'
set service dhcp-server shared-network-name LAN subnet 10.0.71.0/24 domain-name 'internal-network'
# One-day leases.
set service dhcp-server shared-network-name LAN subnet 10.0.71.0/24 lease '86400'
# Dynamic pool .101-.201.
# NOTE(review): 10.0.71.103 is used as a port-forward target later in this
# file and sits inside this pool, so its lease can move (or land on another
# host that would then receive the forwarded SSH traffic). Give that host a
# static-mapping (needs its MAC) or move it outside the pool; .221 is
# already outside it.
set service dhcp-server shared-network-name LAN subnet 10.0.71.0/24 start 10.0.71.101 stop '10.0.71.201'

Add a DNS forwarder

# Recursive forwarder for LAN clients.
# cache-size 0 turns the local cache off, so every query is sent upstream
# (confirm against the running VyOS version).
set service dns forwarding cache-size '0'
# Listening on eth1 only keeps the router from being an open resolver
# toward eth0 / the NAT side.
set service dns forwarding listen-on 'eth1'
# Upstreams are Google Public DNS over plain UDP/53 (no DoT/DoH here).
# NOTE(review): newer VyOS releases also require
#   set service dns forwarding allow-from '10.0.71.0/24'
# before clients are answered — verify on the installed version.
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'

Add a set of firewall policies for our "Outside" interface

# Policy for traffic forwarded through eth0 (outside -> LAN). Default deny;
# only replies to connections the LAN initiated are let through. Any
# port-forward target needs an explicit accept added to this policy (rules
# 20-31 in the port-forwarding section do that).
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'

# Policy for traffic addressed to the router itself on eth0. Default deny.
set firewall name OUTSIDE-LOCAL default-action 'drop'
# 10: replies to connections the router started (its own DHCP on eth0,
# DNS queries to the upstream forwarders).
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
# 20: answer pings from outside. Handy in a lab; remove to be quieter.
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
# 30: SSH brute-force throttle — drop a source's NEW tcp/22 connections once
# it has been seen about 4 times within 60 s. Rule 31 then accepts what is
# under the threshold. Throttling only slows guessing; it is no substitute
# for key-only authentication on the ssh service.
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
# 31: SSH to the router from anywhere on eth0 that rule 30 did not throttle.
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'

Apply the firewall policies

# Bind the policies to eth0: 'in' = forwarded through the router,
# 'local' = destined to the router itself. Nothing is attached to eth1 or
# to the 'out' direction, so the INSIDE LAN is fully trusted.
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

Commit changes, save the configuration, and exit configuration mode

# Activate the staged configuration, persist it so it survives a reboot,
# and leave configuration mode.
commit
save
exit

Port Forwarding (these commands come after the `exit` above, so re-enter `configure` first and finish with `commit` and `save`)

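# The previous step left configuration mode, so re-enter it; nothing below
# takes effect until it is committed and saved at the end.
configure

# --- SSH: outside tcp/2222 -> 10.0.71.103 tcp/22 ------------------------
# The original listing first wrote rule 10 as an HTTPS forward to .103 and
# then overwrote the same rule number with these SSH lines, so that HTTPS
# forward was silently lost (tcp/443 is claimed by rule 31 below anyway).
# It is not reproduced here.
# NOTE(review): .103 lies inside the DHCP pool (.101-.201); give that host a
# static-mapping or move it, otherwise the lease can move and the forwarded
# SSH may reach a different machine.
# This exposes an internal SSH server to everything on eth0; if the set of
# clients is known, restrict it with 'source address' on this NAT rule and
# on firewall rule 20.
set nat destination rule 10 description 'Port Forward: SSH'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 destination port '2222'
set nat destination rule 10 translation address '10.0.71.103'
set nat destination rule 10 translation port '22'

# OUTSIDE-IN is evaluated after DNAT, so it must match the translated
# address and port, not the public tcp/2222.
set firewall name OUTSIDE-IN rule 20 action 'accept'
set firewall name OUTSIDE-IN rule 20 protocol 'tcp'
set firewall name OUTSIDE-IN rule 20 destination address '10.0.71.103'
set firewall name OUTSIDE-IN rule 20 destination port '22'
set firewall name OUTSIDE-IN rule 20 state new 'enable'

# --- HTTP: outside tcp/80 -> 10.0.71.221 tcp/80 -------------------------
set nat destination rule 30 description 'Port Forward: HTTP'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 destination port '80'
set nat destination rule 30 translation address '10.0.71.221'
set nat destination rule 30 translation port '80'

set firewall name OUTSIDE-IN rule 30 action 'accept'
set firewall name OUTSIDE-IN rule 30 protocol 'tcp'
set firewall name OUTSIDE-IN rule 30 destination address '10.0.71.221'
set firewall name OUTSIDE-IN rule 30 destination port '80'
set firewall name OUTSIDE-IN rule 30 state new 'enable'

# --- HTTPS: outside tcp/443 -> 10.0.71.221 tcp/443 ----------------------
set nat destination rule 31 description 'Port Forward: HTTPS'
set nat destination rule 31 inbound-interface 'eth0'
set nat destination rule 31 protocol 'tcp'
set nat destination rule 31 destination port '443'
set nat destination rule 31 translation address '10.0.71.221'
set nat destination rule 31 translation port '443'

set firewall name OUTSIDE-IN rule 31 action 'accept'
set firewall name OUTSIDE-IN rule 31 protocol 'tcp'
set firewall name OUTSIDE-IN rule 31 destination address '10.0.71.221'
set firewall name OUTSIDE-IN rule 31 destination port '443'
set firewall name OUTSIDE-IN rule 31 state new 'enable'

# Activate, persist, and leave configuration mode (the original listing
# never committed these rules).
commit
save
exit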