-
-
Save pautiina/77cc6e69b3f6df231320381d1b760818 to your computer and use it in GitHub Desktop.
DANOS configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| configure | |
| # Not working with DANOS 2005 | |
| # RFC 1918 private IP networks are set as blackhole routes | |
| # | |
| # set protocols static route 10.0.0.0/8 blackhole distance 254 | |
| # set protocols static route 172.16.0.0/12 blackhole distance 254 | |
| # set protocols static route 192.168.0.0/16 blackhole distance 254 | |
| # delete protocols static route 10.0.0.0/8 | |
| # delete protocols static route 172.16.0.0/12 | |
| # delete protocols static route 192.168.0.0/16 | |
| set system time-zone Europe/Lisbon | |
| # [WARNING] By default the host-name will be leaked in DHCP client requests | |
| # Reference: /etc/dhcp/dhclient.conf - "send host-name" - Unable to change this behavior | |
| set system host-name edge-router | |
| set system domain-name intra.example.net | |
| # Statically configured entries and DNS forwarding | |
| # See: https://ecl.ntt.com/files/firewall/5.2/vyatta-network-os-5.2r1-services.pdf | |
| # set system static-host-mapping host-name edge-router inet 192.168.2.254 | |
| # set system static-host-mapping host-name edge-router alias firewall | |
| set system name-server 8.8.8.8 | |
| set system name-server 8.8.4.4 | |
| # set system ntp server <IP address or FQDN> | |
| set system alg ftp disable | |
| set system alg pptp disable | |
| set system alg rpc disable | |
| set system alg sip disable | |
| set system alg tftp disable | |
| set system ipv6 disable | |
| set interfaces dataplane dp0p1s0 description "Gateway - Primary" | |
| set interfaces dataplane dp0p1s0 address dhcp | |
| set interfaces dataplane dp0p2s0 description "Gateway - Secondary" | |
| set interfaces dataplane dp0p2s0 address dhcp | |
| set interfaces dataplane dp0p2s0 dhcp-options no-rfc3442 # Don't set a default gateway | |
| set interfaces bonding dp0bond0 description "LAN" | |
| set interfaces bonding dp0bond0 address 192.168.2.254/24 | |
| set interfaces bonding dp0bond0 mtu 9000 | |
| set interfaces bonding dp0bond0 mode lacp # active-backup|balanced|lacp (default) | |
| set interfaces bonding dp0bond0 lacp-options activity active | |
| set interfaces bonding dp0bond0 lacp-options periodic-rate fast | |
| set interfaces bonding dp0bond0 minimum-links 2 | |
| set interfaces bonding dp0bond0 vif 300 description "VLAN - 300" | |
| set interfaces bonding dp0bond0 vif 300 address 192.168.3.254/24 | |
| set interfaces bonding dp0bond0 vif 400 description "VLAN - 400" | |
| set interfaces bonding dp0bond0 vif 400 address 192.168.4.254/24 | |
| set interfaces dataplane dp0p6s0 bond-group dp0bond0 | |
| set interfaces dataplane dp0p6s0 description "dp0bond0 Member" | |
| set interfaces dataplane dp0p7s0 bond-group dp0bond0 | |
| set interfaces dataplane dp0p7s0 description "dp0bond0 Member" | |
| set service dhcp-server shared-network-name Main authoritative enable | |
| set service dhcp-server shared-network-name Main subnet 192.168.2.0/24 | |
| edit service dhcp-server shared-network-name Main subnet 192.168.2.0/24 | |
| set default-router 192.168.2.254 | |
| # set dns-server 192.168.2.254 | |
| set dns-server 8.8.8.8 | |
| set dns-server 8.8.4.4 | |
| set domain-name lan.intra.example.net | |
| set start 192.168.2.100 stop 192.168.2.253 | |
| set lease 86400 | |
| exit | |
| #set service dhcp-server shared-network-name Main subnet 192.168.2.0/24 subnet-parameters "host [SHORT_HOSTNAME] { hardware ethernet [MAC ADDRESS]; fixed-address [IP ADDRESS]; }" | |
| edit service nat source rule 1 | |
| set outbound-interface dp0p1s0 | |
| set source address 192.168.2.0/24 | |
| set translation address masquerade | |
| exit | |
| set service dhcp-server shared-network-name VLAN300 authoritative enable | |
| set service dhcp-server shared-network-name VLAN300 subnet 192.168.3.0/24 | |
| edit service dhcp-server shared-network-name VLAN300 subnet 192.168.3.0/24 | |
| set default-router 192.168.3.254 | |
| # set dns-server 192.168.3.254 | |
| set dns-server 8.8.8.8 | |
| set dns-server 8.8.4.4 | |
| set domain-name vlan300.intra.example.net | |
| set start 192.168.3.100 stop 192.168.3.253 | |
| set lease 86400 | |
| exit | |
| edit service nat source rule 2 | |
| set outbound-interface dp0p1s0 | |
| set source address 192.168.3.0/24 | |
| set translation address masquerade | |
| exit | |
| set service dhcp-server shared-network-name VLAN400 authoritative enable | |
| set service dhcp-server shared-network-name VLAN400 subnet 192.168.4.0/24 | |
| edit service dhcp-server shared-network-name VLAN400 subnet 192.168.4.0/24 | |
| set default-router 192.168.4.254 | |
| # set dns-server 192.168.4.254 | |
| set dns-server 8.8.8.8 | |
| set dns-server 8.8.4.4 | |
| set domain-name vlan400.intra.example.net | |
| set start 192.168.4.100 stop 192.168.4.253 | |
| set lease 86400 | |
| exit | |
| edit service nat source rule 3 | |
| set outbound-interface dp0p2s0 | |
| set source address 192.168.4.0/24 | |
| set translation address masquerade | |
| exit | |
| set service ssh disable-password-authentication | |
| set service ssh disable-tcp-forwarding | |
| set service ssh listen-address 192.168.2.254 | |
| # DNS Forwarder will use the default gateway. Unable to change this behavior - DNS Leak | |
| # set service dns forwarding cache-size 0 | |
| # set service dns forwarding listen-on dp0bond0 | |
| # set service dns forwarding listen-on dp0bond0.300 | |
| # set service dns forwarding listen-on dp0bond0.400 | |
| # set service dns forwarding name-server 8.8.8.8 | |
| # set service dns forwarding name-server 8.8.4.4 | |
| # Forward DNS queries for a specific domain | |
| # set service dns forwarding domain example.net server 192.162.2.1 | |
| # Set the ping behavior. | |
| # [WARNING] Ping is not disabled to assist in routing and firewall troubleshooting | |
| set security firewall all-ping enable | |
| set security firewall broadcast-ping disable | |
| set security firewall syn-cookies enable | |
| set security firewall global-state-policy icmp | |
| set security firewall global-state-policy udp | |
| set security firewall global-state-policy tcp | |
| set security firewall config-trap disable | |
| set security firewall icmp-strict # Enforce ICMP echo request/response stateful directionality | |
| set security firewall tcp-strict # Enable tcp strict stateful firewall rule | |
| # Firewalls | |
| edit security firewall name TRUSTED | |
| set default-action accept | |
| set description "Trusted traffic" | |
| exit | |
| edit security firewall name GATEWAY2LAN | |
| set default-action drop | |
| set description "GATEWAY to LAN traffic" | |
| edit rule 1 | |
| set description "Sample rule to allow ping replies" | |
| set action accept | |
| set protocol icmp | |
| set icmp name echo-reply | |
| exit | |
| # Zone Policies | |
| edit security zone-policy zone LAN | |
| set description LAN | |
| set interface dp0bond0 | |
| exit | |
| edit security zone-policy zone VLAN300 | |
| set description VLAN300 | |
| set interface dp0bond0.300 | |
| exit | |
| edit security zone-policy zone VLAN400 | |
| set description VLAN400 | |
| set interface dp0bond0.400 | |
| exit | |
| edit security zone-policy zone GATEWAY_PRIMARY | |
| set description GATEWAY_PRIMARY | |
| set interface dp0p1s0 | |
| exit | |
| edit security zone-policy zone GATEWAY_SECONDARY | |
| set description GATEWAY_SECONDARY | |
| set interface dp0p2s0 | |
| exit | |
| # Zone Policy Firewall | |
| set security zone-policy zone GATEWAY_PRIMARY to LAN firewall GATEWAY2LAN | |
| set security zone-policy zone GATEWAY_SECONDARY to LAN firewall GATEWAY2LAN | |
| set security zone-policy zone LAN to GATEWAY_PRIMARY firewall TRUSTED | |
| set security zone-policy zone LAN to GATEWAY_SECONDARY firewall TRUSTED | |
| set security zone-policy zone VLAN300 to GATEWAY_PRIMARY firewall TRUSTED | |
| set security zone-policy zone VLAN300 to GATEWAY_SECONDARY firewall TRUSTED | |
| set security zone-policy zone VLAN400 to GATEWAY_PRIMARY firewall TRUSTED | |
| set security zone-policy zone VLAN400 to GATEWAY_SECONDARY firewall TRUSTED | |
| set security zone-policy zone VLAN300 to VLAN400 firewall TRUSTED | |
| set security zone-policy zone VLAN400 to VLAN300 firewall TRUSTED | |
| set security zone-policy zone LAN to VLAN300 firewall TRUSTED | |
| set security zone-policy zone VLAN300 to LAN firewall TRUSTED | |
| # Oh oh... | |
| # | |
| # set protocols static table 10 route 0.0.0.0/0 next-hop 0.0.0.0 | |
| # set protocols static table 11 route 0.0.0.0/0 next-hop 0.0.0.0 | |
| # | |
| # set protocols static table 10 interface-route 0.0.0.0/0 next-hop-interface dp0p1s0 distance 1 | |
| # set protocols static table 11 interface-route 0.0.0.0/0 next-hop-interface dp0p2s0 distance 1 | |
| set policy route pbr VLAN_PBR rule 20 action accept | |
| set policy route pbr VLAN_PBR rule 20 address-family ipv4 | |
| set policy route pbr VLAN_PBR rule 20 description "Route VLAN300 traffic to table 10" | |
| set policy route pbr VLAN_PBR rule 20 source address 192.168.3.0/24 | |
| set policy route pbr VLAN_PBR rule 20 destination address 0.0.0.0/0 | |
| set policy route pbr VLAN_PBR rule 20 table 10 | |
| set policy route pbr VLAN_PBR rule 30 action accept | |
| set policy route pbr VLAN_PBR rule 30 address-family ipv4 | |
| set policy route pbr VLAN_PBR rule 30 description "Route VLAN400 traffic to table 11" | |
| set policy route pbr VLAN_PBR rule 30 source address 192.168.4.0/24 | |
| set policy route pbr VLAN_PBR rule 30 destination address 0.0.0.0/0 | |
| set policy route pbr VLAN_PBR rule 30 table 11 | |
| # Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) from PBR | |
| set policy route pbr VLAN_PBR rule 10 action accept | |
| set policy route pbr VLAN_PBR rule 10 address-family ipv4 | |
| set policy route pbr VLAN_PBR rule 10 description "VLAN300 <-> VLAN400 shortcut" | |
| set policy route pbr VLAN_PBR rule 10 destination address 192.168.3.0/24 | |
| set policy route pbr VLAN_PBR rule 10 table main | |
| set policy route pbr VLAN_PBR rule 11 action accept | |
| set policy route pbr VLAN_PBR rule 11 address-family ipv4 | |
| set policy route pbr VLAN_PBR rule 11 description "VLAN400 <-> VLAN300 shortcut" | |
| set policy route pbr VLAN_PBR rule 11 destination address 192.168.4.0/24 | |
| set policy route pbr VLAN_PBR rule 11 table main | |
| set interfaces bonding dp0bond0 vif 300 policy route pbr VLAN_PBR | |
| set interfaces bonding dp0bond0 vif 400 policy route pbr VLAN_PBR | |
| commit | |
| exit | |
| tee update_pbr_route.sh > /dev/null << 'EOF' | |
| #!/bin/vbash | |
| DHCP_INTERFACE=$1 | |
| ROUTING_TABLE=$2 | |
| DHCP_LEASES=/var/lib/dhcp/dhclient_${DHCP_INTERFACE}.leases | |
| if ! [ -f $DHCP_LEASES ]; then | |
| echo "Unable to find DHCP Lease for ${DHCP_INTERFACE}" | |
| exit | |
| fi | |
| CURRENT_DHCP_ROUTER=$(grep "option routers" ${DHCP_LEASES} | tail -n 1 | awk {'print $3'} | sed 's/;//g') | |
| source /opt/vyatta/share/vyatta-cfg/functions/script-wrapper | |
| configure | |
| CURRENT_ROUTER=$(cmd_helper show protocols static table ${ROUTING_TABLE} route 0.0.0.0/0 next-hop | grep next-hop | awk {'print $2'}) | |
| if ! [ "$CURRENT_ROUTER" ] || [ "$CURRENT_DHCP_ROUTER" != "$CURRENT_ROUTER" ]; then | |
| echo "Updating route" | |
| if [ "$CURRENT_ROUTER" ]; then | |
| cmd_helper delete protocols static table ${ROUTING_TABLE} route 0.0.0.0/0 next-hop | |
| fi | |
| cmd_helper set protocols static table ${ROUTING_TABLE} route 0.0.0.0/0 next-hop ${CURRENT_DHCP_ROUTER} | |
| commit | |
| exit | |
| fi | |
| echo "No configuration changes" | |
| cmd_helper exit discard | |
| EOF | |
| chmod +x update_pbr_route.sh | |
| # @TODO Add the following to CRON... | |
| ./update_pbr_route.sh dp0p1s0 10 | |
| ./update_pbr_route.sh dp0p2s0 11 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment