Milestone 6.2 - InaFricke/SEC-480 GitHub Wiki

Milestone 6 - Part 2 - VyOS Provisioning with Ansible


I used Claude (Anthropic's AI assistant) to help me understand and work through the Ansible configuration steps for this milestone. I did not use anything I did not understand, and was able to catch several errors throughout the process.


Prep and check

  1. I had to change it to a static IP on eth1

configure
set interfaces ethernet eth1 address 10.0.17.200/24
delete interfaces ethernet eth1 address dhcp
commit
save

  2. Take a new snapshot. Snapshot name: before ansible

Static IP: 10.0.17.200

  3. Update the inventory file with the correct IP

Create new playbook

Prep

  1. Check that ssh works

  2. Exit and enter the Ansible folder on MGMT

  3. Copy the config file over with scp

scp [email protected]:/config/config.boot config.boot.j2

Playbook

  1. add, commit, and push to GitHub (bad password practice, but I understand, so it's fine)

  2. In GitHub, add variables to config.boot.j2

{{ wan_ip }} — IP address for eth0 (Blue1-Network)
{{ lan_ip }} — IP address for eth1 (480-internal)
{{ lan }} — the network range for NAT and DNS
{{ gateway }} — default route so traffic can leave
{{ name_server }} — points to your DC for DNS resolution
{{ hostname }} — the firewall's hostname
{{ password_hash }} — the sha512 hashed password, calculated dynamically by the playbook at runtime
  3. Create the vars.yml file. This is where you enter inputs for the variables in config.boot.j2
wan_ip: "10.0.8.1"
lan_ip: "10.0.17.200"
lan: "10.0.17.0/24"
gateway: "10.0.17.2"
name_server: "10.0.17.4"
hostname: "blue8-fw"
  4. Create the vyos-config.yml

Tells Ansible which machine to target

- name: Configure VyOS Firewall
  hosts: vyos
  gather_facts: no

Password prompt

  vars_prompt:
    - name: vyos_password
      prompt: "Enter new VyOS password"
      private: yes

Pull in variables

  vars_files:
    - vars.yml

Hash the password

  tasks:
    - name: Set password hash
      set_fact:
        password_hash: "{{ vyos_password | password_hash('sha512') }}"

Push the filled-in config.boot.j2 to the target machine

    - name: Push VyOS config
      become: yes
      template:
        src: config.boot.j2
        dest: /config/config.boot

Reboot target machine

    - name: Reboot VyOS
      become: yes
      shell: "nohup sh -c 'sleep 2 && reboot' &"

Pull from Github

  1. Git pull (in vscode)

  2. ls (in bash)

Demo / test prep

It was super unclear what network configuration is supposed to be assigned to blue X, making it confusing to complete the deliverable. To complete it I removed the static IP address assigned to eth1, which is connected to 480-internal, and forced it to pick up a DHCP IP address.

configure
delete interfaces ethernet eth1 address 10.0.17.200/24
set interfaces ethernet eth1 address dhcp
commit
save
reboot

New IP: 10.0.17.101

Update the inventory file with new IP so it can connect

Issues:

  1. Power outage took down all VMs. Had to power on 480-FW-Ina, 480-AD, and vCenter, in that order

  2. blue8-fw got a 192.168.3.x IP from the wrong DHCP server. Had to manually set a static IP via the VyOS console

  3. Inventory had the typo [yovs] instead of [vyos]. Inventory also had a z at the end of the IP, making it 10.0.17.101z

  4. --ask pass typed with a space instead of --ask-pass

  5. config.boot.j2 file had no dot — was config.bootj2

  6. Password hash not applying because of quotes around {{ password_hash }}

  7. Accidentally shut off vCenter instead of blue8-fw (AGAINNNN)

so many more I stopped keeping track
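As an added pre-flight check (example code written for this page, not part of the wiki or the course's 480-utils module), the script below parses a minimal INI-style inventory and the vars.yml values and flags the kinds of mistakes listed above before ansible-playbook is run: a wrong group name, a host that is not a valid IPv4 address, and a lan_ip, gateway or name_server that sits outside the 480-internal range (such as a 192.168.3.x lease from the wrong DHCP server). The sample inventory and variable values are constructed.

```python
import ipaddress
import re

# Constructed sample inputs mirroring the wiki's files; the inventory deliberately
# carries two typos from the "Issues" list ([yovs] and a trailing z on the IP).
SAMPLE_INVENTORY = "[yovs]\n10.0.17.101z\n"
SAMPLE_VARS = {"wan_ip": "10.0.8.1", "lan_ip": "10.0.17.200", "lan": "10.0.17.0/24",
               "gateway": "10.0.17.2", "name_server": "10.0.17.4", "hostname": "blue8-fw"}

def parse_inventory(text):
    """Parse a minimal INI-style Ansible inventory into {group: [hosts]}."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            groups.setdefault(current, [])
        elif current is not None:
            groups[current].append(line.split()[0])  # host is the first token
    return groups

def check_inventory(text, expected_group="vyos"):
    """Return problems: missing target group, hosts that are not valid IPv4 addresses."""
    groups = parse_inventory(text)
    problems = []
    if expected_group not in groups:
        problems.append(f"group [{expected_group}] missing; found {sorted(groups)}")
    for group, hosts in groups.items():
        for host in hosts:
            try:
                ipaddress.IPv4Address(host)
            except ValueError:
                problems.append(f"[{group}] host {host!r} is not a valid IPv4 address")
    return problems

def check_vars(v):
    """Return problems: lan_ip, gateway and name_server must all sit inside lan."""
    try:
        lan = ipaddress.IPv4Network(v["lan"], strict=True)
    except (KeyError, ValueError) as exc:
        return [f"lan is not a valid network: {exc}"]
    problems = []
    for key in ("lan_ip", "gateway", "name_server"):
        addr = ipaddress.IPv4Address(v.get(key, "0.0.0.0"))  # a missing key is outside lan
        if addr not in lan:
            problems.append(f"{key} {addr} is outside lan {lan}")
    return problems
```

Run check_inventory on the real inventory file's contents and check_vars on the loaded vars.yml; an empty list from both means the playbook is at least pointed at the right group and the right network.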

Demo

0.5. Import-Module ./480-utils.psm1

0.6. Reconnect to vCenter: Connect-VIServer -Server 10.0.17.3

user: [email protected] PW: RR32

  1. In pwsh, run Get-IP -VMName "blue8-fw"

  2. In bash, run ansible-playbook -i inventory vyos-config.yml --ask-pass

  3. Enter the new password

  4. Let it reboot

  5. In pwsh, run Get-IP -VMName "blue8-fw" again, or ssh in and show the IP