Project 1: Network Redundancy - FlameSpyro/Tech-Journal GitHub Wiki

Project 1: Network Redundancy

A bit of old and a bit of new; here's what was required:

Configure and network the following systems:

  • vyos1
  • vyos2
  • xubuntu-wan
  • xubuntu-lan
  • web01
  • Redundant WAN and LAN
    • The WAN interface on vyos1 and vyos2 should be redundant so that addressing a single IP address will route to whichever vyos router is currently active.
    • Your redundant WAN interface should be configured to port forward
      • http to web01 on the LAN.
      • ssh to web01 on the LAN, this should also be augmented with MFA and root SSH disabled.
    • Your LAN based systems should also have a redundant default gateway of 10.0.5.1 where either of the two routers providing gateway services can be taken offline without an interruption in service.
  • No vyos firewall zones or rules are required for Project 1.

Vyos1 Setup

Here is what I entered to configure the interfaces, the default route and the DNS forwarder for the LAN:

set interfaces ethernet eth0 address '10.0.17.12/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '10.0.5.2/24'
set interfaces ethernet eth1 description 'LAN'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '10.0.5.0/24'
set service dns forwarding listen-address '10.0.5.2'
set service dns forwarding system
set system name-server '10.0.17.2'

Nat Setup

The first rule is source NAT: LAN hosts in 10.0.5.0/24 leaving through eth0 are masqueraded behind the router's WAN address. The two destination NAT rules forward TCP 80 and TCP 22 arriving on eth0 to web01 at 10.0.5.100. Because they match on the inbound interface and not on a destination address, they apply to the shared VRRP address 10.0.17.102 on whichever router currently holds it, but also to that router's own WAN address (so SSH to 10.0.17.12:22 from the WAN lands on web01, not on the router; restrict the rules to the virtual address if you want to manage the routers over SSH from the WAN). The last line makes the DNS forwarder answer on the shared gateway address 10.0.5.1 as well.

set nat source rule 10 description 'NAT from LAN to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.5.0/24'
set nat source rule 10 translation address 'masquerade'
set nat destination rule 10 description 'Allow HTTP to web01'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '10.0.5.100'
set nat destination rule 10 translation port '80'
set nat destination rule 11 description 'Allow SSH to web01'
set nat destination rule 11 destination port '22'
set nat destination rule 11 inbound-interface 'eth0'
set nat destination rule 11 protocol 'tcp'
set nat destination rule 11 translation address '10.0.5.100'
set nat destination rule 11 translation port '22'
set service dns forwarding listen-address '10.0.5.1'

VRRP

Virtual Router Redundancy Protocol lets vyos1 and vyos2 share one virtual IP address per network (10.0.5.1 on the LAN, 10.0.17.102 on the WAN). The router with the highest priority in a group becomes master and answers for the address; the other sits in backup and takes over as soon as the master's advertisements stop. vyos2 is the stunt double in case vyos1 ever goes down!

  • Priority picks who stands in front: the higher number wins, so vyos1 gets 200 and vyos2 should get something lower. With equal priorities the master is chosen by the higher interface address, which is not a choice you have made.
  • vrid identifies the group and must be the same on both routers for the same virtual address (10 for the LAN group, 100 for the WAN group).
  • The LAN and WAN groups fail over independently unless they are tied together in a VRRP sync-group. If one router holds the WAN address while the other holds the LAN gateway, traffic forwarded to web01 returns through a router that never saw the connection and the port forwards break.
  • Nothing here authenticates the advertisements, so any host on the segment that sends a higher priority can take the virtual address. That is fine for this lab, which requires no firewall rules, but not outside it.

set high-availability vrrp group langroup address 10.0.5.1/24
set high-availability vrrp group langroup interface 'eth1'
set high-availability vrrp group langroup priority '200'
set high-availability vrrp group langroup vrid '10'
set high-availability vrrp group wangroup14 address 10.0.17.102/24
set high-availability vrrp group wangroup14 interface 'eth0'
set high-availability vrrp group wangroup14 priority '200'
set high-availability vrrp group wangroup14 vrid '100'

vyos2

Mostly copy and paste from vyos1, with one thing to watch: vyos2 needs its own interface addresses (10.0.17.72 on the WAN and 10.0.5.3 on the LAN). Only the VRRP address 10.0.5.1 is shared, so the two routers must not both use 10.0.5.2, and the DNS forwarder listens on vyos2's own LAN address.

set interfaces ethernet eth0 address '10.0.17.72/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '10.0.5.3/24'
set interfaces ethernet eth1 description 'LAN'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '10.0.5.0/24'
set service dns forwarding listen-address '10.0.5.3'
set service dns forwarding system
set system name-server '10.0.17.2'

Nat Setup

set nat source rule 10 description 'NAT from LAN to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.5.0/24'
set nat source rule 10 translation address 'masquerade'
set nat destination rule 10 description 'Allow HTTP to web01'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '10.0.5.100'
set nat destination rule 10 translation port '80'
set nat destination rule 11 description 'Allow SSH to web01'
set nat destination rule 11 destination port '22'
set nat destination rule 11 inbound-interface 'eth0'
set nat destination rule 11 protocol 'tcp'
set nat destination rule 11 translation address '10.0.5.100'
set nat destination rule 11 translation port '22'
set service dns forwarding listen-address '10.0.5.1'

VRRP

The same two groups as on vyos1: the vrid and the virtual address have to match exactly, but the priority is lowered to 100 rather than copying vyos1's 200. With equal priorities the master would be chosen by the higher interface address instead of by you; with 100 here, vyos1 is always preferred and vyos2 only steps in when vyos1 stops advertising.

set high-availability vrrp group langroup address 10.0.5.1/24
set high-availability vrrp group langroup interface 'eth1'
set high-availability vrrp group langroup priority '100'
set high-availability vrrp group langroup vrid '10'
set high-availability vrrp group wangroup14 address 10.0.17.102/24
set high-availability vrrp group wangroup14 interface 'eth0'
set high-availability vrrp group wangroup14 priority '100'
set high-availability vrrp group wangroup14 vrid '100'

With that, both VyOS routers should be linked and ready to go!


web01

Always start with nmtui before doing anything else: give web01 its static address 10.0.5.100 (the NAT target above) and use 10.0.5.1, the shared VRRP address, as its default gateway.

Multi-factor authentication

This adds a second factor before an SSH login succeeds: besides the password, sshd asks for a time-based code that the Google Authenticator app (or any other TOTP app) generates from the secret the google-authenticator command creates.

Here is how to install it (run the google-authenticator command as the user who will log in over SSH, not as root, because it writes that user's ~/.google_authenticator):

sudo yum update
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install google-authenticator
google-authenticator
  • For SSH in particular, edit /etc/pam.d/sshd and add
auth required pam_google_authenticator.so
  • Then in /etc/ssh/sshd_config turn on the challenge-response path that PAM uses to ask for the code, and disable root logins as the project requires:
ChallengeResponseAuthentication yes
UsePAM yes
PermitRootLogin no
  • Restart sshd.service afterwards (sudo systemctl restart sshd), and keep your current session open until a fresh login with the code works.
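The sshd_config and PAM changes above, as an added shell example that is not part of the original journal: it applies the directives idempotently (a commented-out default is rewritten, duplicates are dropped, a second run changes nothing) and reports the value sshd would actually read. The CentOS-style sample lines inside demo_harden are constructed for the demo and the paths are temporary files; on web01 you would point harden_sshd_config at /etc/ssh/sshd_config and add_pam_google_auth at /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example, not from the original journal: apply the MFA-related sshd_config
# and /etc/pam.d/sshd changes idempotently, then report what sshd will read.
# Paths are never hard-coded; pass a copy of the real file to preview the result.

# set_directive FILE KEY VALUE
# Rewrites the first KEY line (commented out or not) as "KEY VALUE", drops any
# later duplicates so the effective value is unambiguous, appends if absent.
set_directive() {
    sd_file=$1; sd_key=$2; sd_val=$3
    sd_tmp=$(mktemp)
    awk -v k="$sd_key" -v v="$sd_val" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)              # ignore a leading "#"
            if (tolower(line) ~ ("^" tolower(k) "([ \t]|$)")) {
                if (!done) { print k " " v; done = 1 }     # first hit rewritten
                next                                       # later hits dropped
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$sd_file" > "$sd_tmp"
    cat "$sd_tmp" > "$sd_file"   # overwrite in place so mode/owner survive
    rm -f "$sd_tmp"
}

# sshd_effective FILE KEY: the value sshd uses (first non-comment match wins)
sshd_effective() {
    awk -v k="$2" 'substr($1, 1, 1) != "#" && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config FILE
# pam_google_authenticator prompts through the challenge-response path, so it
# must be on together with PAM; root SSH logins are disabled as required.
harden_sshd_config() {
    set_directive "$1" ChallengeResponseAuthentication yes
    set_directive "$1" UsePAM yes
    set_directive "$1" PermitRootLogin no
}

# add_pam_google_auth FILE
# Adds the module once, ahead of the first "auth" rule so the code is
# requested before the password stack; a second run changes nothing.
add_pam_google_auth() {
    pg_file=$1
    grep -q 'pam_google_authenticator\.so' "$pg_file" && return 0
    pg_tmp=$(mktemp)
    awk '!seen && $1 == "auth" { print "auth required pam_google_authenticator.so"; seen = 1 }
         { print }
         END { if (!seen) print "auth required pam_google_authenticator.so" }' "$pg_file" > "$pg_tmp"
    cat "$pg_tmp" > "$pg_file"
    rm -f "$pg_tmp"
}

# demo_harden: constructed CentOS-7-style fragments (not real files from the
# lab), hardened in place; prints the two temp file paths for inspection.
demo_harden() {
    d_ssh=$(mktemp); d_pam=$(mktemp)
    printf '%s\n' '#PermitRootLogin yes' \
                  '# Change to no to disable s/key passwords' \
                  '#ChallengeResponseAuthentication yes' \
                  'ChallengeResponseAuthentication no' \
                  'UsePAM yes' > "$d_ssh"
    printf '%s\n' '#%PAM-1.0' \
                  'auth       required     pam_sepermit.so' \
                  'auth       substack     password-auth' \
                  'account    required     pam_nologin.so' > "$d_pam"
    harden_sshd_config "$d_ssh"
    add_pam_google_auth "$d_pam"
    add_pam_google_auth "$d_pam"   # idempotency check: still exactly one line
    echo "$d_ssh $d_pam"
}

# Stand-alone run: sh harden_ssh_mfa.sh demo
if [ "${1:-}" = demo ]; then
    set -- $(demo_harden)
    echo "== sshd_config =="; cat "$1"; echo "== pam.d/sshd =="; cat "$2"
fi
```

Two caveats from practice: a directive that lives inside a Match block is rewritten where it stands, so check the file by hand if it has any; and always run sudo sshd -t before restarting so a typo does not lock you out of the only port forward into the LAN.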

Xubuntu

  • Xubuntu needs the least setup, but one note for later: after changing the network configuration, reset the network connection (take it down and bring it back up) so the new address and gateway actually take effect.
  • Also install net-tools (for arp) and curl for testing.

Testing

HTTP testing

  • You should be able to simply curl http://10.0.17.x, but this is where I struggled for some reason; an update on how I fixed it will be added here.

ARP

  • On xubuntu-wan, run arp -a to see the MAC address that vyos1 is answering with for the shared WAN address 10.0.17.102.

MFA

  • A plain ssh <user>@10.0.17.102 (the shared WAN address, port-forwarded to web01) connects as usual but now also asks for the verification code from Google Authenticator!

Lan Tracepath

Running tracepath 10.0.17.x from xubuntu-lan shows the first hop at the gateway 10.0.5.1, and arp -a then shows which router's MAC is currently answering for that address.

Redundancy Check

For testing I simply turned off vyos1 and then ran through all the tests once again to show vyos2 is now in charge.
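The ARP check and the redundancy check above, and the VRRP failover they exercise, as an added shell example that is not from the original journal. vip_mac and vip_owner parse arp -a output to show which MAC answers for a virtual address and which real router address shares it; watch_vip loops ping, arp -a and optional TCP port checks and prints a line only when something changes, so you can run it on xubuntu-lan against 10.0.5.1 or on xubuntu-wan against 10.0.17.102 with ports 80 22 while powering off vyos1. SAMPLE_ARP and its MAC addresses are constructed, the interface name and the nc tool are assumptions, and vrrp_vmac only matters if a group is configured with VyOS's rfc3768-compatibility option.

```shell
#!/bin/sh
# Added example, not from the original journal: tooling for the ARP and
# failover checks. In the VyOS default the master answers ARP for the virtual
# address with its own interface MAC, so that MAC changes when vyos2 takes over.

# vip_mac VIP   (reads `arp -a` output on stdin)
# Prints the MAC cached for VIP, or "none" if it is missing or incomplete.
vip_mac() {
    awk -v ip="($1)" '
        $2 == ip && $3 == "at" { m = $4; if (m ~ /incomplete/) m = "none"; print m; found = 1; exit }
        END { if (!found) print "none" }'
}

# vip_owner VIP   (reads `arp -a` output on stdin)
# Prints the other cached addresses that share the VIP's MAC: with the default
# VyOS behaviour that is the real LAN/WAN address of the router holding it.
vip_owner() {
    awk -v ip="($1)" '
        $3 == "at" { mac[$2] = $4 }
        END {
            m = mac[ip]
            if (m == "" || m ~ /incomplete/) { print "none"; exit }
            for (k in mac) if (k != ip && mac[k] == m) { gsub(/[()]/, "", k); print k }
        }'
}

# vrrp_vmac VRID
# Only if the group is configured with rfc3768-compatibility: the master then
# uses the VRRP virtual MAC 00:00:5e:00:01:<vrid>, which does not change on
# failover, so vip_owner cannot tell the routers apart and `show vrrp` on the
# routers is the check instead.
vrrp_vmac() {
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# port_open HOST PORT: 0 if a TCP connect succeeds within 1 s (needs nc)
port_open() {
    nc -z -w 1 "$1" "$2" >/dev/null 2>&1
}

# watch_vip VIP [INTERVAL] [PORTS]
# Loops ping + arp -a (+ optional TCP port checks) and prints a timestamped line
# only when something changes, so a failover shows up as one or two lines.
watch_vip() {
    w_vip=$1; w_int=${2:-1}; w_ports=${3:-}; w_last=""
    while :; do
        if ping -c 1 -W 1 "$w_vip" >/dev/null 2>&1; then w_now=up; else w_now=DOWN; fi
        w_now="$w_now mac=$(arp -a | vip_mac "$w_vip")"
        for w_p in $w_ports; do
            if port_open "$w_vip" "$w_p"; then w_now="$w_now tcp/$w_p:ok"; else w_now="$w_now tcp/$w_p:fail"; fi
        done
        if [ "$w_now" != "$w_last" ]; then
            printf '%s %s %s\n' "$(date '+%H:%M:%S')" "$w_vip" "$w_now"
            w_last=$w_now
        fi
        sleep "$w_int"
    done
}

# Constructed `arp -a` sample (not captured from the lab): the VIP 10.0.5.1 and
# vyos1's real address 10.0.5.2 share a MAC, so vyos1 is master; 10.0.5.3 is vyos2.
SAMPLE_ARP='? (10.0.5.1) at 52:54:00:aa:bb:01 [ether] on ens33
? (10.0.5.2) at 52:54:00:aa:bb:01 [ether] on ens33
? (10.0.5.3) at 52:54:00:aa:bb:02 [ether] on ens33
? (10.0.5.200) at <incomplete> on ens33'

# Stand-alone run: sh watch_vip.sh demo
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_ARP" | vip_mac 10.0.5.1
    printf '%s\n' "$SAMPLE_ARP" | vip_owner 10.0.5.1
    vrrp_vmac 10
fi
```

During a failover you should see at most a line or two of DOWN or mac=none while vyos2 notices the missing advertisements and sends its gratuitous ARP, then a new MAC that vip_owner resolves to 10.0.5.3 (or 10.0.17.72 on the WAN side). If the MAC never changes although the routers' show vrrp output says vyos2 is master, the client's ARP cache is stale; clearing the entry with arp -d and pinging again refreshes it.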

Video Demonstration

Reflection

I think the setup part of this lab took me longer than anything else. Getting everything back into gear just took me a bit of time to get used to. I got hung up on Xubuntu thinking I had made an error when the OS just refused to connect me, which really stinks. But the multi-factor authentication and VRRP were super cool to get all set! Glad that I got that to fully work!