Week 2 VYOS Changes for adding an HAProxy cluster in a new DMZ network

Remember, configure, commit, save!!!

Adding the DMZ Network-

Create the new interface

set interfaces ehternet ethx description "DMZ"

set interfaces ehternet ethx address x.x.x.x

Nat for DMZ --> WAN

set nat source rule xxx source address x.x.x.x/xx

set nat source rule xxx translation address masquerade

set nat source rule xxx outbound-interface ethx

Setup HA using VRRP (assuming two routers are in use)

set interfaces ethernet ethx vrrp vrrp-group xxx preempt true

set interfaces ethernet ethx vrrp vrrp-group xxx priority xxx (set between 0 and 250 with primary FW at higher number)

set interfaces ethernet ethx vrrp vrrp-group xxx virtual-address x.x.x.x/xx

set interfaces ethernet eth0 vrrp vrrp-group xxx sync-group (syncname)

Note on sync group- Create a different one for each cluster of interfaces (i.e. all WAN interfaces together)

To check the status of HA, use - run show vrrp

Remember, these action needs to be performed on every firewall, and HA must be configured on each interface Each group gets a different number! (DMZ seperate from WAN & LAN). Sync group applies to all groups regardless of location!

Changing a Port Forwarding Rule-

This example shows removing the nat translation address

remove nat destination rule xxx translation address x.x.x.x

set nat destination rule xxx translation address x.x.x.x

All stuff that's probably already done, but rest of the rule-

set nat destination rule xxx destination port xxxx

set nat destination rule xxx protocol (tcp/udp)

set nat destination rule xxx inbound-interface ethx

Use command show nat rule xxx to verify nat rule!