Project 1 - CameronProvost/SEC440 GitHub Wiki
VYOS Configuration
set system host-name VYOS1
Setting Interfaces:
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth1 description LAN
set interfaces ethernet eth2 description OPT
Setting Addresses:
VYOS1
set interfaces ethernet eth0 address 10.0.17.14/24
set interfaces ethernet eth1 address 10.0.5.2/24
set interfaces ethernet eth2 address 10.0.6.2/24
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
VYOS2
set interfaces ethernet eth0 address 10.0.17.74/24
set interfaces ethernet eth1 address 10.0.5.3/24
set interfaces ethernet eth2 address 10.0.6.3/24
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
DNS Setup
set service dns forwarding allow-from 10.0.5.0/24
set service dns forwarding allow-from 10.0.17.0/24
set service dns forwarding listen-address 10.0.5.1
set service dns forwarding listen-address 10.0.5.2
set service dns forwarding listen-address 10.0.5.3
set service dns forwarding listen-address 10.0.17.104
set service dns forwarding system
Note: 10.0.5.2 is assigned only on VYOS1 and 10.0.5.3 only on VYOS2, so each router can usefully bind only its own LAN address plus the shared VIP 10.0.5.1. Listening on 10.0.17.104 and allowing 10.0.17.0/24 makes the forwarder reachable from the WAN side as well. The full configurations further down keep it LAN-only (listen-address 10.0.5.1, allow-from 10.0.5.0/24); with that final configuration XUBUNTU-WAN, whose DNS points at 10.0.17.104, gets no answers from the routers.
NAT Setup
set nat source rule 10 description 'NAT FROM LAN to WAN'
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.0.5.0/24
set nat source rule 10 translation address masquerade
VRRP Setup
WAN
set high-availability vrrp group wangroup4 vrid 154
set high-availability vrrp group wangroup4 interface eth0
set high-availability vrrp group wangroup4 address 10.0.17.104/24
set high-availability vrrp group wangroup4 preempt-delay 10
VYOS1
set high-availability vrrp group wangroup4 priority 200
VYOS2
set high-availability vrrp group wangroup4 priority 100
LAN
set high-availability vrrp group lan vrid 10
set high-availability vrrp group lan interface eth1
set high-availability vrrp group lan address 10.0.5.1/24
set high-availability vrrp group lan no-preempt
set high-availability vrrp group lan preempt-delay 10
VYOS1
set high-availability vrrp group lan priority 200
set high-availability vrrp group lan peer-address 10.0.5.3
set high-availability vrrp group lan hello-source-address 10.0.5.2
VYOS2
set high-availability vrrp group lan priority 100
set high-availability vrrp group lan peer-address 10.0.5.2
set high-availability vrrp group lan hello-source-address 10.0.5.3
OPT
set high-availability vrrp group opt vrid 20
set high-availability vrrp group opt interface eth2
set high-availability vrrp group opt address 10.0.6.1/24
set high-availability vrrp group opt preempt-delay 10
VYOS1
set high-availability vrrp group opt priority 200
VYOS2
set high-availability vrrp group opt priority 100
Note: the wangroup4, lan and opt groups fail over independently. If only eth0 on VYOS1 loses master state, 10.0.17.104 moves to VYOS2 while 10.0.5.1 and 10.0.6.1 stay on VYOS1, so inbound port-forwarded traffic enters through VYOS2 while WEB01's replies leave through VYOS1, which holds no NAT state for them. VyOS can tie the groups together with set high-availability vrrp sync-group <name> member <group> (one member line per group, on both routers) so they change state as a unit. Also, no-preempt on the lan group means its preempt-delay 10 has no effect, and since wangroup4 and opt do preempt, VYOS1 takes those two VIPs back about 10 seconds after it returns while the lan VIP stays on VYOS2; that leaves the routers in exactly the split state described above even after a clean recovery.
Port Forwarding Setup
HTTP to WEB01
set nat destination rule 20 destination port 80
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 10.0.5.100
set nat destination rule 20 translation port 80
set nat destination rule 20 description HTTPtoWEB01
SSH to WEB01
set nat destination rule 30 destination port 22
set nat destination rule 30 inbound-interface eth0
set nat destination rule 30 protocol tcp
set nat destination rule 30 translation address 10.0.5.100
set nat destination rule 30 translation port 22
set nat destination rule 30 description SSHtoWEB01
Note: neither rule names a destination address, so traffic to port 80 or 22 arriving on eth0 for any address, including the routers' own 10.0.17.14 and 10.0.17.74, is forwarded to WEB01, not just traffic to the virtual address; adding set nat destination rule 20 destination address 10.0.17.104 (and the same for rule 30) limits the forwards to the VIP. No firewall rule set is configured on either router, so rule 30 exposes WEB01's SSH to the whole WAN, and the full configurations further down also have set service ssh listen-address '0.0.0.0', which makes the routers' own SSH reachable from the WAN as well. Until the MFA step mentioned in the reflections is in place, WEB01's SSH relies solely on its own authentication.
WEB01 Configuration
NMTUI
- IP Address: 10.0.5.100
- Default Gateway: 10.0.5.1
- DNS: 10.0.5.1
HTTP and SSH
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --permanent --zone=public --add-port=22/tcp
sudo firewall-cmd --reload
XUBUNTU-WAN & XUBUNTU-LAN
Hostname & Sudo User
sudo hostnamectl set-hostname xubuntuwan-cameron
sudo passwd
sudo adduser cameron
sudo usermod -aG sudo cameron
Networking
XUBUNTU-WAN
- IP Address: 10.0.17.44
- Default Gateway: 10.0.17.104
- DNS: 10.0.17.104
XUBUNTU-LAN
- IP Address: 10.0.5.6
- Default Gateway: 10.0.5.1
- DNS: 10.0.5.1
VYOS CONFIG
VYOS1
set high-availability vrrp group opt priority 200
set high-availability vrrp group opt vrid 20
set high-availability vrrp group opt interface eth2
set high-availability vrrp group opt address 10.0.6.1/24
set high-availability vrrp group opt preempt-delay 10
set high-availability vrrp group lan priority 200
set high-availability vrrp group lan peer-address 10.0.5.3
set high-availability vrrp group lan hello-source-address 10.0.5.2
set high-availability vrrp group lan vrid 10
set high-availability vrrp group lan interface eth1
set high-availability vrrp group lan address 10.0.5.1/24
set high-availability vrrp group lan no-preempt
set high-availability vrrp group lan preempt-delay 10
set high-availability vrrp group wangroup4 priority 200
set high-availability vrrp group wangroup4 vrid 154
set high-availability vrrp group wangroup4 interface eth0
set high-availability vrrp group wangroup4 address 10.0.17.104/24
set high-availability vrrp group wangroup4 preempt-delay 10
set interfaces ethernet eth0 address '10.0.17.14/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '10.0.5.2/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth2 address '10.0.6.2/24'
set interfaces ethernet eth2 description 'OPT'
set nat destination rule 20 description 'HTTPtoWEB01'
set nat destination rule 20 destination port '80'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '10.0.5.100'
set nat destination rule 20 translation port '80'
set nat destination rule 30 description 'SSHtoWEB01'
set nat destination rule 30 destination port '22'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '10.0.5.100'
set nat destination rule 30 translation port '22'
set nat source rule 10 description 'NAT FROM LAN TO WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.5.0/24'
set nat source rule 10 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '10.0.5.0/24'
set service dns forwarding listen-address '10.0.5.1'
set service dns forwarding system
set service ssh listen-address '0.0.0.0'
set system host-name 'VYOS01'
set system name-server '10.0.17.2'
VYOS2
set high-availability vrrp group opt priority 100
set high-availability vrrp group opt vrid 20
set high-availability vrrp group opt interface eth2
set high-availability vrrp group opt address 10.0.6.1/24
set high-availability vrrp group opt preempt-delay 10
set high-availability vrrp group lan priority 100
set high-availability vrrp group lan peer-address 10.0.5.2
set high-availability vrrp group lan hello-source-address 10.0.5.3
set high-availability vrrp group lan vrid 10
set high-availability vrrp group lan interface eth1
set high-availability vrrp group lan address 10.0.5.1/24
set high-availability vrrp group lan no-preempt
set high-availability vrrp group lan preempt-delay 10
set high-availability vrrp group wangroup4 priority 100
set high-availability vrrp group wangroup4 vrid 154
set high-availability vrrp group wangroup4 interface eth0
set high-availability vrrp group wangroup4 address 10.0.17.104/24
set high-availability vrrp group wangroup4 preempt-delay 10
set interfaces ethernet eth0 address '10.0.17.74/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '10.0.5.3/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth2 address '10.0.6.3/24'
set interfaces ethernet eth2 description 'OPT'
set nat destination rule 20 description 'HTTPtoWEB01'
set nat destination rule 20 destination port '80'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '10.0.5.100'
set nat destination rule 20 translation port '80'
set nat destination rule 30 description 'SSHtoWEB01'
set nat destination rule 30 destination port '22'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '10.0.5.100'
set nat destination rule 30 translation port '22'
set nat source rule 10 description 'NAT FROM LAN TO WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.5.0/24'
set nat source rule 10 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '10.0.5.0/24'
set service dns forwarding listen-address '10.0.5.1'
set service dns forwarding system
set service ssh listen-address '0.0.0.0'
set system console device ttyS0 speed '115200'
set system host-name 'VYOS02'
set system name-server '10.0.17.2'
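The two dumps above are easiest to compare mechanically, since a VRRP pair only works when both routers agree on every group's vrid, interface and virtual address, and a typo in one of them is what the reflections below describe hunting for. The following is an added example written for this page, not part of the project's configuration: a small Python checker that parses both routers' set-command dumps (the embedded VYOS1 sample is constructed from the dump above and VYOS2 is derived from it) and reports the mismatches that make a pair misbehave: a group present on only one router, a differing vrid, interface or VIP, equal priorities, unicast peer-address and hello-source-address that do not cross-match, a VIP outside its interface's subnet, and no-preempt combined with preempt-delay. It also flags three typing mistakes the VyOS CLI rejects (Set, set interface, outband-interface). On the page's own configuration it reports only that the lan group's preempt-delay is overridden by no-preempt.

```python
"""Two-router VyOS VRRP consistency checker (added example, not the project's code).

Parses the `set ...` command dumps of both routers and reports what silently breaks
failover: a group on only one peer, a vrid/interface/VIP that differs between peers,
equal priorities, peer-address and hello-source-address that do not cross-match,
a VIP outside its interface's subnet, and no-preempt combined with preempt-delay.
"""
import ipaddress
import re

VRRP_RE = re.compile(r"^set high-availability vrrp group (\S+) (\S+)(?: '?(.+?)'?)?$")
IFACE_RE = re.compile(r"^set interfaces ethernet (\S+) address '?([\d./]+)'?$")
# Hand-typed mistakes the VyOS CLI rejects; all three are easy to make at the console.
SYNTAX_CHECKS = (
    (re.compile(r"^Set "), "commands are case-sensitive: 'set', not 'Set'"),
    (re.compile(r"^set interface "), "the node is 'interfaces', not 'interface'"),
    (re.compile(r"outband-interface"), "the option is 'outbound-interface'"),
)


def parse(text):
    """Return ({group: {attr: value or True}}, {iface: 'addr/prefix'}) for one router."""
    groups, ifaces = {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := VRRP_RE.match(line):
            name, attr, value = m.groups()
            groups.setdefault(name, {})[attr] = True if value is None else value
        elif m := IFACE_RE.match(line):
            ifaces[m.group(1)] = m.group(2)
    return groups, ifaces


def lint_syntax(text):
    """Per-line findings for the typos above, e.g. 'line 3: the node is ...'."""
    return [f"line {n}: {msg}" for n, line in enumerate(text.splitlines(), 1)
            for pat, msg in SYNTAX_CHECKS if pat.search(line.strip())]


def check_pair(cfg_a, cfg_b, name_a="VYOS1", name_b="VYOS2"):
    """Findings that stop cfg_a and cfg_b from forming one working VRRP pair."""
    (ga, ia), (gb, ib) = parse(cfg_a), parse(cfg_b)
    out = []
    for name in sorted(set(ga) | set(gb)):
        if name not in ga or name not in gb:
            out.append(f"{name}: defined on only one router")
            continue
        a, b = ga[name], gb[name]
        for attr in ("vrid", "interface", "address"):
            if a.get(attr) != b.get(attr):
                out.append(f"{name}: {attr} differs ({a.get(attr)} vs {b.get(attr)})")
        if a.get("priority") == b.get("priority"):
            out.append(f"{name}: both routers use priority {a.get('priority')}")
        for x, y, ifs, who in ((a, b, ia, name_a), (b, a, ib, name_b)):
            # Unicast VRRP: my peer-address must be the other router's hello source.
            if "peer-address" in x and x["peer-address"] != y.get("hello-source-address"):
                out.append(f"{name} on {who}: peer-address {x['peer-address']} is not the "
                           f"peer's hello-source-address {y.get('hello-source-address')}")
            if "no-preempt" in x and "preempt-delay" in x:
                out.append(f"{name} on {who}: preempt-delay has no effect with no-preempt")
            vip, iface = x.get("address"), x.get("interface")
            if vip and iface in ifs:
                net = ipaddress.ip_interface(ifs[iface]).network
                if ipaddress.ip_interface(vip).ip not in net:
                    out.append(f"{name} on {who}: VIP {vip} is outside {iface} subnet {net}")
    return out


# Constructed from the page's VYOS1 dump; VYOS2 is derived by changing only the
# priorities, the unicast peer/hello addresses and its own interface addresses.
VYOS1 = """\
set high-availability vrrp group wangroup4 vrid 154
set high-availability vrrp group wangroup4 interface eth0
set high-availability vrrp group wangroup4 address 10.0.17.104/24
set high-availability vrrp group wangroup4 priority 200
set high-availability vrrp group lan vrid 10
set high-availability vrrp group lan interface eth1
set high-availability vrrp group lan address 10.0.5.1/24
set high-availability vrrp group lan no-preempt
set high-availability vrrp group lan preempt-delay 10
set high-availability vrrp group lan priority 200
set high-availability vrrp group lan peer-address 10.0.5.3
set high-availability vrrp group lan hello-source-address 10.0.5.2
set high-availability vrrp group opt vrid 20
set high-availability vrrp group opt interface eth2
set high-availability vrrp group opt address 10.0.6.1/24
set high-availability vrrp group opt priority 200
set interfaces ethernet eth0 address '10.0.17.14/24'
set interfaces ethernet eth1 address '10.0.5.2/24'
set interfaces ethernet eth2 address '10.0.6.2/24'
"""
VYOS2 = (VYOS1.replace("priority 200", "priority 100")
         .replace("peer-address 10.0.5.3", "peer-address 10.0.5.2")
         .replace("hello-source-address 10.0.5.2", "hello-source-address 10.0.5.3")
         .replace("'10.0.17.14/24'", "'10.0.17.74/24'")
         .replace("'10.0.5.2/24'", "'10.0.5.3/24'")
         .replace("'10.0.6.2/24'", "'10.0.6.3/24'"))

if __name__ == "__main__":
    print("\n".join(lint_syntax(VYOS1 + VYOS2) + check_pair(VYOS1, VYOS2)))
```

To use it on a live pair, paste each router's "show configuration commands" output into the two strings (or read them from files) and run the script; an empty result means the groups agree. The VIP-in-subnet and cross-match checks need the interface address lines as well as the vrrp lines, so keep both in the input.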
REFLECTIONS
I faced a few issues with this project, but the main piece that held up my progress was getting the VRRP configuration correct. The initial setup of the two VyOS systems went smoothly, as I had done this in previous projects; this included setting up the interfaces and addresses. What caused the most issues was the DNS setup needed so that I could find WEB01 from Xubuntu-wan. The first step was changing the gateway and DNS server on Xubuntu-wan to the address of the WAN interface on VYOS1, which temporarily fixed my issues. At this point I was able to curl the web page of WEB01; however, this fix would not work with the redundancy piece of this project. My next step was to reconfigure my high-availability configuration to get the failover working. With the working VRRP configuration I changed Xubuntu's gateway and DNS to the proper virtual address so communication would continue without VYOS.

At this point I had completed the failover requirements and the port forwarding for HTTP and SSH to WEB01. The only piece for this week that I have not yet implemented is MFA for SSH to WEB01. The required configuration and steps are listed in my documentation; however, I have not yet had time to complete this piece. The main thing I took away from this project is to step back and look at all the pieces when trying to fix an issue. The DNS issue took me hours to figure out, and much of the time I seemed to be going in circles, not addressing the real problem. Ultimately, with the assistance of the professor, I found a temporary solution for this issue and found that my high-availability configurations were the root of the problem.