VMware NSX Lab Part 4 Vyos - rharmonson/richtech GitHub Wiki
January 13, 2016
Repost
Reverted! I deleted the series in December 2015 but at the request of tmitchell5280, I have reposted. YMMV!
(DRAFT) VMware NSX Lab Part 4: Vyos
Vyos is an open source router, firewall, and VPN operating system based on Debian. You can find additional information and downloads at vyos.net.
You can install Vyos using an ISO or OVA appliance. The OVA at http://vyos.net/wiki/VMWare gave me problems and, frankly, I don't have the patience to bug fix others' VMware appliances. Installing using the 64 bit ISO, version 1.1.3 (current), was painless. I advise using BSD 64 bit, 512 MB RAM, 1 CPU, 2 GB hard disk, and 4 network interfaces (vmnet0, vmnet1, vmnet2, and vmnet3); remove all the cruft like floppy, audio, USB, and printer, and enter the BIOS/firmware to disable the floppy, serial, and parallel ports.
Virtual Machine Creation
After download of the installation ISO, create a new virtual machine specifying the following:
- Linux BSD 6 64 bit
- 1 CPU
- 512 MB RAM
- NAT or Bridge NIC
- 2 GB, LSI Logic, SCSI Disk
Note: Creating a 'New Virtual Machine' in VMware Workstation 11 using 'Typical' will use the specifications above, except that you will need to specify 2 GB versus the default 20 GB disk size. Also, when VMware Workstation asks for the initial network interface card, I would advise selecting either NAT or Bridged. I prefer Bridged if I expect to be connecting outside of the lab. If using a hypervisor, e.g. ESXi, the decision is unnecessary.
Due to the very small disk size, I preallocate, but it is not required. In addition, customize the hardware and remove the following:
- USB Controller
- Sound Card
- Printer
If you did not mount the Vyos installation media during the creation of the virtual machine, do so before moving to the next step.
Next, power-on to firmware or BIOS and disable all unneeded devices. With VMware Workstation, I disable Legacy Floppy A, then under 'Advanced' and 'I/O Device Configuration' disable all items:
- Serial ports
- Parallel port
- Floppy controller
Exit, saving changes. After the power cycle, Vyos should boot from the ISO and finish at a login prompt: "Welcome to Vyos - vyos tty1, vyos login:".
Note that you may see an error on the console, "INIT: Id "T0" respawning too fast: disabled for 5 minutes." It can be safely ignored and we will correct it below. Hit [enter] if the message is displayed, then log in using user name vyos and password vyos.
Vyos Install
After login using user vyos and password vyos, we need to install Vyos to our virtual machine's disk.
$ install image
Accept the defaults until prompted with "This will destroy all data on /dev/sda. Continue? (Yes/No) [No]:" and respond with y.
Continue the installation accepting the defaults and provide a new password for user 'vyos.' Do not keep the default vyos/vyos credentials; this is the account SSH will accept once it is enabled below.
Installation completes with "Done!"; then execute reboot and respond with y to reboot.
At this point, you may unmount the installation media.
Vyos Configuration
Log in as vyos and enter configuration mode:
$ configure
[edit]
#
You will see two indicators that you are in configuration mode. The most obvious is [edit] and the second is that the prompt has changed from $ to #. As with other network operating systems, command syntax is contextual and you do not need to type the complete command; generally the first three characters will suffice. In addition, hit [tab] for auto-completion or a display of the available commands fitting your current context and typed text. To commit changes to the running configuration, use commit. After testing your committed changes, use save to write them to the boot configuration (/config/config.boot); a change that is committed but not saved is lost at the next reboot. Lastly, to exit configure mode use the exit command.
Disable ttyS0 (serial) Console
Before moving forward, let's get rid of the annoying "INIT: Id "T0" respawning too fast: disabled for 5 minutes." message on the console by disabling ttyS0 and then rebooting. Why would you want ttyS0? If you were installing Vyos on hardware without a VGA display, a serial port would be required to install and configure the system before you had access via SSH.
[edit]
# delete system console device ttyS0
# commit
# save
# exit
$ reboot
Set Host Name
Configure the firewall's host name.
[edit]
# set system host-name myfw.mydomain.net
# show system host-name
>host-name myfw.mydomain.net
# commit
# save
Set Name Server
Configure DNS for the firewall. Execute the command once for each DNS server; the command is additive, so each invocation appends another name-server entry rather than replacing the previous one.
[edit]
# set system name-server 8.8.8.8
# show system name-server
+name-server 8.8.8.8
# commit
# save
Set Interface to DHCP
[edit]
# set interfaces ethernet eth0 address dhcp
# set interfaces ethernet eth0 description 'OUTSIDE'
# show interfaces ethernet eth0
+address dhcp
+description OUTSIDE
duplex auto
hw-id ##:##:##:##:##:##
smp_affinity auto
speed auto
# commit
[ interfaces ethernet eth0 address dhcp ]
Starting DHCP client on eth0 ...
# save
# ip addr
The last command, ip addr, should show eth0 with an inet address provided by DHCP. If not, back up and review the instructions, or verify the virtual machine's network interface settings.
Set Service SSH
To effectively manage the firewall, it is time to enable SSH. Besides, you may not have had copy and paste functionality up to this point. SSH will simplify moving forward with this tutorial. Note that with no listen-address or firewall rules configured, sshd accepts connections on every interface, including the OUTSIDE interface on eth0; that is tolerable for a lab sitting behind NAT, but if eth0 is bridged onto a shared network, treat the router as exposed until access is restricted.
[edit]
# set service ssh
# show service
+ssh {
+}
# commit
[ service ssh ]
Restarting OpenBSD Secure Shell server: ssh.
# save
If you didn't note eth0's IP address, execute ip addr and jot down its inet (IP) address. Open your favorite SSH client, specify the IP address, and provide the credentials to log in. When done, exit to close the SSH session.
If you are new to SSH, I would advise using the venerable PuTTY for Windows. In Linux, just use the built-in client. PuTTY and its checksums can be found at the author's website given below. I would not advise downloading from other sources.
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Create Interfaces
Our network topology will consist of four networks.
Description | IP Address | Interface | vmnet |
---|---|---|---|
OUTSIDE | DHCP | eth0 | vmnet0 |
MANAGEMENT | 172.19.201.0/24 | eth1 | vmnet1 |
VIRTUALMACHINE | 172.19.202.0/24 | eth2 | vmnet2 |
TRANSPORT | 172.19.203.0/24 | eth3 | vmnet3 |
By default, your vyos virtual machine has one interface. We will be adding three additional interfaces for the Management, Virtual Machine, and Transport virtual networks. The interfaces will be host-only with VMware's own DHCP service disabled on each vmnet; Vyos will serve DHCP on these networks itself (see Set Service DHCP Server below), and two DHCP servers on one segment would hand out conflicting leases. Below is a video tutorial and instructions by VMware on how to use the Virtual Network Editor.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1018697
Once you have completed this, poweroff the vyos virtual machine and edit the virtual machine settings. Add three new network adapters, one for each host-only network, by specifying "Custom: Specific virtual network." Power on the machine, log in, and execute ip addr, which will result in:
vyos@myfw:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:c4:fb:99 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.223/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fec4:fb99/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:c4:fb:a3 brd ff:ff:ff:ff:ff:ff
inet6 fe80::20c:29ff:fec4:fba3/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:c4:fb:ad brd ff:ff:ff:ff:ff:ff
inet6 fe80::20c:29ff:fec4:fbad/64 scope link
valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:c4:fb:b7 brd ff:ff:ff:ff:ff:ff
inet6 fe80::20c:29ff:fec4:fbb7/64 scope link
valid_lft forever preferred_lft forever
vyos@myfw:~$
Set Interfaces
- To set an address for an interface, the syntax is
set interfaces ethernet eth# address ###.###.###.###/##
- To set a description for an interface, the syntax is
set interfaces ethernet eth# description 'STRING'
- To set duplex for an interface, the syntax is
set interfaces ethernet eth1 duplex auto
- To set the speed for an interface, the syntax is
set interfaces ethernet eth1 speed auto
- To set the smp affinity for an interface, the syntax is
set interfaces ethernet eth1 smp_affinity auto
For duplex, speed, and smp affinity the default value is "auto." For the purpose of demonstrating the syntax and resulting configuration, I will set them.
WARNING
You cannot configure the router interfaces with the virtual network's x.x.x.1 address, because VMware Workstation reserves that address for the host-side virtual adapter that connects your laptop or workstation to the virtual network. If you do, the symptom is intermittent connectivity due to conflicting IP addresses. You can verify this by executing ipconfig /all on the host and reviewing each VMware Virtual Ethernet Adapter.
[edit]
vyos@myfw# set interfaces ethernet eth1 description 'MANAGEMENT'
[edit]
vyos@myfw# set interfaces ethernet eth1 address 172.19.201.254/24
[edit]
vyos@myfw# set interfaces ethernet eth1 duplex auto
[edit]
vyos@myfw# set interfaces ethernet eth1 speed auto
[edit]
vyos@myfw# set interfaces ethernet eth1 smp_affinity auto
[edit]
vyos@myfw# set interfaces ethernet eth2 description 'VIRTUALMACHINE'
[edit]
vyos@myfw# set interfaces ethernet eth2 address 172.19.202.254/24
[edit]
vyos@myfw# set interfaces ethernet eth2 duplex auto
[edit]
vyos@myfw# set interfaces ethernet eth2 speed auto
[edit]
vyos@myfw# set interfaces ethernet eth2 smp_affinity auto
[edit]
vyos@myfw# set interfaces ethernet eth3 description 'TRANSPORT'
[edit]
vyos@myfw# set interfaces ethernet eth3 address 172.19.203.254/24
[edit]
vyos@myfw# set interfaces ethernet eth3 duplex auto
[edit]
vyos@myfw# set interfaces ethernet eth3 speed auto
[edit]
vyos@myfw# set interfaces ethernet eth3 smp_affinity auto
Results in:
[edit]
vyos@myfw# show interfaces ethernet
ethernet eth0 {
address dhcp
description OUTSIDE
duplex auto
hw-id 00:0c:29:c4:fb:99
smp_affinity auto
speed auto
}
ethernet eth1 {
address 172.19.201.254/24
description MANAGEMENT
duplex auto
hw-id 00:0c:29:c4:fb:a3
smp_affinity auto
speed auto
}
ethernet eth2 {
address 172.19.202.254/24
description VIRTUALMACHINE
duplex auto
hw-id 00:0c:29:c4:fb:ad
smp_affinity auto
speed auto
}
ethernet eth3 {
address 172.19.203.254/24
description TRANSPORT
duplex auto
hw-id 00:0c:29:c4:fb:b7
smp_affinity auto
speed auto
}
[edit]
vyos@myfw# commit
[edit]
vyos@myfw# save
Saving configuration to '/config/config.boot'...
Done
[edit]
Set MTU
Configure interfaces eth1, eth2, and eth3 with an MTU of 1600. NSX's VXLAN encapsulation adds roughly 50 bytes to every frame, which is why VMware requires an MTU of at least 1600 on the TRANSPORT network that carries encapsulated traffic between VTEPs; the other segments carry unencapsulated traffic. (Need to revisit after testing to identify which interface(s), if any, need an MTU over 1500.)
[edit]
vyos@myfw# set interfaces ethernet eth1 mtu 1600
[edit]
vyos@myfw# set interfaces ethernet eth2 mtu 1600
[edit]
vyos@myfw# set interfaces ethernet eth3 mtu 1600
[edit]
vyos@myfw# commit
[edit]
vyos@myfw# save
Saving configuration to '/config/config.boot'...
Done
Results in:
[edit]
vyos@myfw# show interfaces ethernet eth1 mtu
mtu 1600
Set Service DHCP Server
To configure DHCP services for the MANAGEMENT, VIRTUALMACHINE, and TRANSPORT virtual networks, execute the commands below. Note the use of 172.19.201.10 as the DNS server handed to clients; that address is reserved for the Windows Server Active Directory Domain Services and DNS host built later in the series, and clients will not resolve names until it exists. The pools are deliberately small (.192 to .224) so that the rest of each /24 stays free for statically addressed infrastructure.
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH1_POOL subnet 172.19.201.0/24 start 172.19.201.192 stop 172.19.201.224
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH1_POOL subnet 172.19.201.0/24 default-router 172.19.201.254
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH1_POOL subnet 172.19.201.0/24 dns-server 172.19.201.10
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH2_POOL subnet 172.19.202.0/24 start 172.19.202.192 stop 172.19.202.224
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH2_POOL subnet 172.19.202.0/24 default-router 172.19.202.254
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH2_POOL subnet 172.19.202.0/24 dns-server 172.19.201.10
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH3_POOL subnet 172.19.203.0/24 start 172.19.203.192 stop 172.19.203.224
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH3_POOL subnet 172.19.203.0/24 default-router 172.19.203.254
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH3_POOL subnet 172.19.203.0/24 dns-server 172.19.201.10
Results in:
[edit]
vyos@myfw# show service dhcp-server
+shared-network-name ETH1_POOL {
+ subnet 172.19.201.0/24 {
+ default-router 172.19.201.254
+ dns-server 172.19.201.10
+ start 172.19.201.192 {
+ stop 172.19.201.224
+ }
+ }
+}
+shared-network-name ETH2_POOL {
+ subnet 172.19.202.0/24 {
+ default-router 172.19.202.254
+ dns-server 172.19.201.10
+ start 172.19.202.192 {
+ stop 172.19.202.224
+ }
+ }
+}
+shared-network-name ETH3_POOL {
+ subnet 172.19.203.0/24 {
+ default-router 172.19.203.254
+ dns-server 172.19.201.10
+ start 172.19.203.192 {
+ stop 172.19.203.224
+ }
+ }
+}
[edit]
vyos@myfw# commit
[edit]
vyos@myfw# save
Saving configuration to '/config/config.boot'...
Done
[edit]
Set Source NAT
To permit the MANAGEMENT, VIRTUALMACHINE, and TRANSPORT virtual networks to reach the outside world through the OUTSIDE interface using source network address translation (source NAT, masquerade), execute the following. A single rule with source address 172.19.0.0/16 covers all three inside /24s; because the rule matches only on outbound-interface eth0, traffic routed between the inside networks is not translated.
[edit]
vyos@myfw# set nat source rule 900 outbound-interface eth0
[edit]
vyos@myfw# set nat source rule 900 source address 172.19.0.0/16
[edit]
vyos@myfw# set nat source rule 900 translation address masquerade
[edit]
vyos@myfw# show nat source
+rule 900 {
+ outbound-interface eth0
+ source {
+ address 172.19.0.0/16
+ }
+ translation {
+ address masquerade
+ }
+}
[edit]
vyos@myfw# commit
[edit]
vyos@myfw# save
Saving configuration to '/config/config.boot'...
Done
[edit]
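At this point the router forwards and translates traffic, but nothing restricts what reaches it or passes through it from the OUTSIDE side: sshd listens on every address, including the eth0 address on the bridged or NAT network, password authentication is enabled for the vyos account, and eth0 has no firewall rulesets. The following is an added example, not part of the original series, that limits SSH to the MANAGEMENT address, moves the vyos user to public-key authentication, and attaches default-drop local and in rulesets to eth0 that still admit established traffic and DHCP client replies. The ruleset names OUTSIDE-LOCAL and OUTSIDE-IN, the key name lab-admin, and the truncated key value are placeholders; substitute the base64 body of your own public key (the part between ssh-rsa and the comment, with no prefix). The syntax assumed is VyOS 1.1.x, as used throughout this page.

```text
vyos@myfw:~$ configure
[edit]
vyos@myfw# set service ssh listen-address 172.19.201.254
vyos@myfw# set service ssh disable-password-authentication
vyos@myfw# set system login user vyos authentication public-keys lab-admin type ssh-rsa
vyos@myfw# set system login user vyos authentication public-keys lab-admin key AAAAB3NzaC1yc2EAAAADAQAB...
vyos@myfw# set firewall name OUTSIDE-LOCAL default-action drop
vyos@myfw# set firewall name OUTSIDE-LOCAL rule 10 action accept
vyos@myfw# set firewall name OUTSIDE-LOCAL rule 10 state established enable
vyos@myfw# set firewall name OUTSIDE-LOCAL rule 10 state related enable
vyos@myfw# set firewall name OUTSIDE-LOCAL rule 20 action accept
vyos@myfw# set firewall name OUTSIDE-LOCAL rule 20 protocol udp
vyos@myfw# set firewall name OUTSIDE-LOCAL rule 20 source port 67
vyos@myfw# set firewall name OUTSIDE-LOCAL rule 20 destination port 68
vyos@myfw# set firewall name OUTSIDE-IN default-action drop
vyos@myfw# set firewall name OUTSIDE-IN rule 10 action accept
vyos@myfw# set firewall name OUTSIDE-IN rule 10 state established enable
vyos@myfw# set firewall name OUTSIDE-IN rule 10 state related enable
vyos@myfw# set interfaces ethernet eth0 firewall local name OUTSIDE-LOCAL
vyos@myfw# set interfaces ethernet eth0 firewall in name OUTSIDE-IN
vyos@myfw# compare
vyos@myfw# commit
vyos@myfw# save
```

Run this from the VM console or from an SSH session you keep open, because after commit new SSH connections are accepted only on 172.19.201.254 and only with the key. Before closing that session, open a second one from a host on the MANAGEMENT network and confirm the key logs in; if it does not, delete service ssh disable-password-authentication and commit again, or throw away the whole pending change with discard before you commit. OUTSIDE-LOCAL governs traffic addressed to the router itself on eth0: rule 10 keeps replies to connections the router opened, and rule 20 admits DHCP server responses (UDP 67 to 68) so the eth0 lease renews under the default drop. OUTSIDE-IN governs traffic forwarded through eth0, so the masqueraded return traffic from the inside networks still flows while unsolicited inbound connections are dropped. compare prints the difference between the working and running configuration, which is worth reading before every commit on a firewall you reach over the network.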