Project 1 SEC440 - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki
Deliverables
Week 1
- During class on week 1 attempt to get xubuntu-wan, vyos1, web01, and xubuntu-lan routing through vyos and the internet.
- Make sure to grab and commit copies of your vyos configuration as you go
- Build out the structure of your tech journal this week and reflect on week 1
- During week 1 get port forwarding to work and get 2fa installed on web01
Week 2
- During week 2 get your redundant VRRP working (clients should likely have all three inside router IPs listed in DNS) (10.0.5.1, 10.0.5.2, 10.0.5.3)
- Produce a professional demo that touches all bases
- Commit any changes to your vyos configs to git and reflect on your project
SETUP
VYOS 1 & 2
Routing and DNS forwarding
For these tasks, I went with my old notes from my Sec350 Vyos Page. I followed the instructions there, substituting my own IP addresses for the ones on that page.
I repeated the same process to set up the LAN network.
VRRP
To setup VRRP on Vyos 1 (and 2), I used the following commands:
- set high-availability vrrp group langroup10 vrid 160
- set high-availability vrrp group langroup10 interface eth0
- set high-availability vrrp group langroup10 address 10.0.17.110/24
- set high-availability vrrp group langroup10 priority 200
- set high-availability vrrp group wangroup10 vrid 160
- set high-availability vrrp group wangroup10 interface eth0
- set high-availability vrrp group wangroup10 address 10.0.17.110/24
- set high-availability vrrp group wangroup10 priority 200
For Vyos 2 I did the same, replacing the appropriate IPs. I also set the priority on Vyos 2 to 100 instead of 200, so that Vyos 1 is preferred as the VRRP master while it is up.
WEB01
For web01, I needed to break into the root account using single-user boot mode. It was actually a very simple process; I just followed this guide.
I used nmtui to set up networking and set the system hostname.
- IP: 10.0.5.100/24
- Default Gateway: 10.0.5.2
- DNS: 10.0.5.2
At this point I considered this set up. However, I was seeing up to 77% packet loss, and I was informed that this probably indicated a problem.
The fix was to add a host-based firewall rule allowing ICMP into the system.
2FA
For two-factor authentication, I followed this guide step by step.
Tests
- From WAN, using arp, determine the real firewall host behind your virtual IP
- From xubuntu-lan, determine active firewall using tracepath 10.0.17.2
- Active WAN and LAN firewalls should be either vyos 1 or 2.
- Kill the active firewall (it should be vyos1 or vyos2 for the active WAN/LAN connections)
- Port forwarding should work from WAN to a virtual IP that fronts a team of vyos firewalls -> Web01
  - 5a. http (2 points)
  - 5b. ssh (2 points)
  - 5c. with MFA (1 point)
- xubuntu-lan should still be able to route to the internet (3 points)
- tracepath/traceroute from xubuntu-lan should show the first hop as the redundant firewall.
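The first two checks above (which physical firewall is answering for the virtual IP) can be automated from the WAN client. This is an added example, not part of the journal or the assignment: it reads the neighbor table in `ip neigh` format, looks up the MAC that the VIP 10.0.17.110 currently resolves to, and matches it against the MACs of each router's real address. The vyos1/vyos2 real IPs (10.0.17.11 and 10.0.17.12) and the sample table are assumptions constructed for the demonstration; VRID 160 is the value from the configuration above.

```shell
#!/bin/sh
# Identify the VRRP master behind a virtual IP from the ARP/neighbor table.
# Without rfc3768-compatibility, VyOS answers ARP for the VIP with the
# master's real interface MAC, so the VIP's MAC matches one router's real IP.

# Constructed sample `ip neigh show` output (assumed real IPs: vyos1=10.0.17.11,
# vyos2=10.0.17.12; the VIP shares vyos1's MAC, so vyos1 is currently master).
SAMPLE_NEIGH='10.0.17.110 dev eth0 lladdr 00:0c:29:aa:bb:01 REACHABLE
10.0.17.11 dev eth0 lladdr 00:0c:29:aa:bb:01 REACHABLE
10.0.17.12 dev eth0 lladdr 00:0c:29:cc:dd:02 STALE'

# mac_for_ip <neigh-table> <ip>: print the MAC recorded for <ip> (empty if absent).
mac_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip && $4 == "lladdr" { print $5; exit }'
}

# vrrp_virtual_mac <vrid>: the RFC 3768 virtual MAC 00:00:5e:00:01:<vrid in hex>.
# If the VIP resolves to this instead of a real MAC, the routers use virtual MACs
# and this ARP-based check cannot tell the master apart from the backup.
vrrp_virtual_mac() {
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# vip_owner <neigh-table> <vip> name=ip [name=ip ...]:
# print the name of the router whose real MAC equals the VIP's MAC.
# Exit 1 if the VIP is not in the table (ping it first), 2 if no router matches.
vip_owner() {
    table=$1; vip=$2; shift 2
    vip_mac=$(mac_for_ip "$table" "$vip")
    if [ -z "$vip_mac" ]; then
        echo "VIP $vip not in neighbor table; ping it first" >&2
        return 1
    fi
    for pair in "$@"; do
        name=${pair%%=*}; ip=${pair#*=}
        if [ "$(mac_for_ip "$table" "$ip")" = "$vip_mac" ]; then
            echo "$name"
            return 0
        fi
    done
    echo "unknown ($vip_mac)"
    return 2
}

# Run against the constructed table by default; pass --live to read the real one.
if [ "${1:-}" = "--live" ]; then
    vip_owner "$(ip neigh show)" 10.0.17.110 vyos1=10.0.17.11 vyos2=10.0.17.12
else
    vip_owner "$SAMPLE_NEIGH" 10.0.17.110 vyos1=10.0.17.11 vyos2=10.0.17.12
fi
```

After killing the active firewall, re-run with `--live` (ping the VIP first so the neighbor entry refreshes) and the reported name should change to the other router.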