Vyos Firewall - rharmonson/richtech GitHub Wiki
Vyos Firewall
Vyos is an open source router, firewall, and VPN operating system based on Debian. You can find additional information and downloads at vyos.net.
This article's context is the use of Vyos as a virtual firewall. I will be utilizing VMware Workstation 11, but the information should apply to ESXi, Hyper-V, KVM, etc. I will be using the Vyos Helium 1.1.3 64-bit ISO.
Virtual Machine Creation
After download of the installation ISO, create a new virtual machine specifying the following:
- Linux Debian 64 bit
- 1 CPU
- 512 MB RAM
- NAT or Bridge NIC
- 2 GB, LSI Logic, SCSI Disk
Note: Creating a 'New Virtual Machine' in VMware Workstation 11 using 'Typical' will use the specifications above, with the exception that you will need to specify 2 GB versus 20 GB disk size. Also, when using VMware Workstation and selecting an initial network interface card, I would advise selecting either NAT or Bridged. I prefer Bridged if I expect to be connecting outside of the lab. If using a hypervisor, e.g. ESXi, the decision is unnecessary.
Due to the very small disk size, I preallocate, but it is not required. In addition, customize hardware and remove the following:
- USB Controller
- Sound Card
- Printer
If you did not mount the Vyos installation media during the creation of the virtual machine, do so before moving to the next step.
Next, power on into the firmware (BIOS) setup and disable all unneeded devices. With VMware Workstation I disable Legacy Floppy A, then under 'Advanced' and 'I/O Device Configuration' disable all items:
- Serial ports
- Parallel port
- Floppy controller
Exit saving changes. After the power cycle, Vyos should load and execute from the ISO, ending at a login prompt: "Welcome to Vyos - vyos tty1, vyos login:".
Note you may see an error being generated to the console: "INIT: Id "TO" respawning too fast: disabled for 5 minutes." This can be safely ignored and we will correct it below. Hit [enter] if the message is displayed, then log in using user name vyos and password vyos.
Vyos Install
After logging in with user vyos and password vyos, we need to install Vyos to our virtual machine's disk.
$ install image
Accept the defaults until prompted with "This will destroy all data on /dev/sda. Continue? (Yes/No) [No]:" and respond with y.
Continue the installation accepting the defaults and provide a new password for user 'vyos'.
Installation completes with "Done!". Then execute reboot and respond with y to reboot.
At this point, you may unmount the installation media.
Vyos Configuration
Log in as vyos and enter configuration mode:
$ configure
[Edit]
#
You will see two indicators that you are in configuration mode. The most obvious is [Edit], and the second is that the prompt has changed from $ to #. Like other network operating systems, command syntax is contextual and does not require typing the complete command; generally the first three characters will suffice. In addition, hit [tab] for auto-completion or a display of available commands fitting your current context and typed text. Lastly, to exit configure mode use the exit command.
Disable ttyS0 (serial) Console
Before moving forward, let's get rid of the annoying "INIT: Id "TO" respawning too fast: disabled for 5 minutes." message on the console by disabling ttyS0 and then rebooting. Why would you want ttyS0? If you were installing Vyos on hardware without a VGA display, a serial port would be required to install and configure it prior to having access via SSH.
[Edit]
# delete system console device ttyS0
# commit
# save
# exit
$ reboot
Set Host Name
Configure firewall host name.
[Edit]
# set system host-name myfw.mydomain.net
# show system host-name
>host-name myfw.mydomain.net
# commit
# save
Set Name Server
Configure DNS for the firewall. Execute the command once for each DNS host; the command is additive.
[Edit]
# set system name-server 8.8.8.8
# show system name-server
+name-server 8.8.8.8
# commit
# save
Set Interface to DHCP
[Edit]
# set interfaces ethernet eth0 address dhcp
# set interfaces ethernet eth0 description 'OUTSIDE'
# show interfaces ethernet eth0
+address dhcp
+description OUTSIDE
duplex auto
hw-id ##:##:##:##:##:##
smp_affinity auto
speed auto
# commit
[ interfaces ethernet eth0 address dhcp ]
Starting DHCP client on eth0 ...
# save
# ip addr
The last command, ip addr, should result in eth0 having an inet address provided by DHCP. If not, back up and review the instructions, or verify the virtual machine's network interface settings.
Set Service SSH
To effectively manage the firewall, it is time to enable SSH. Besides, you may not have had copy and paste functionality up to this point; SSH will simplify moving forward with this tutorial.
[Edit]
# set service ssh
# show service
+ssh {
+}
# commit
[ service ssh ]
Restarting OpenBSD Secure Shell server: ssh.
# save
If you didn't note eth0's IP address, execute ip addr and jot down its inet (IP) address. Open your favorite SSH client, specify the IP address, and provide the credentials to log in. When done, exit to close the SSH session.
If you are new to SSH, I would advise using the venerable PuTTY for Windows. In Linux, just use the built-in client. PuTTY and its checksums can be found at the author's website given below. I would not advise downloading from other sources.
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Create Interfaces
Our network topology will consist of four networks.
Description | IP Address | Interface | vmnet |
---|---|---|---|
OUTSIDE | DHCP | eth0 | vmnet0 |
DMZ | 172.19.201.0/24 | eth1 | vmnet1 |
INTRANET | 172.19.202.0/24 | eth2 | vmnet2 |
ACCESS | 172.19.203.0/24 | eth3 | vmnet3 |
By default, your vyos virtual machine has one interface. We will be adding three additional interfaces for the DMZ, Intranet, and Access virtual network subnets. The interfaces will be host-only with DHCP disabled. Below is a video tutorial and instructions by VMware on how to use the Virtual Network Editor.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1018697
Once you have completed that, poweroff the vyos virtual machine and edit the virtual machine settings. Add three new network adapters, one for each host-only network, by specifying "Custom: Specific virtual network." Power on the machine, log in, and execute ip addr, which will result in:
vyos@myfw:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:c4:fb:99 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.223/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fec4:fb99/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:c4:fb:a3 brd ff:ff:ff:ff:ff:ff
inet6 fe80::20c:29ff:fec4:fba3/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:c4:fb:ad brd ff:ff:ff:ff:ff:ff
inet6 fe80::20c:29ff:fec4:fbad/64 scope link
valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:c4:fb:b7 brd ff:ff:ff:ff:ff:ff
inet6 fe80::20c:29ff:fec4:fbb7/64 scope link
valid_lft forever preferred_lft forever
vyos@myfw:~$
Set Interfaces
- To set an address for an interface, the syntax is
set interfaces ethernet eth# address ###.###.###.###/##
- To set a description for an interface, the syntax is
set interfaces ethernet eth# description 'STRING'
- To set duplex for an interface, the syntax is
set interfaces ethernet eth# duplex auto
- To set the speed for an interface, the syntax is
set interfaces ethernet eth# speed auto
- To set the smp_affinity for an interface, the syntax is
set interfaces ethernet eth# smp_affinity auto
For duplex, speed, and smp_affinity the default value is "auto." For the purpose of demonstrating the syntax and the resulting configuration, I will set them anyway.
[edit]
vyos@myfw# set interfaces ethernet eth1 description 'DMZ'
[edit]
vyos@myfw# set interfaces ethernet eth1 address 172.19.201.254/24
[edit]
vyos@myfw# set interfaces ethernet eth1 duplex auto
[edit]
vyos@myfw# set interfaces ethernet eth1 speed auto
[edit]
vyos@myfw# set interfaces ethernet eth1 smp_affinity auto
[edit]
vyos@myfw# set interfaces ethernet eth2 description 'INTRANET'
[edit]
vyos@myfw# set interfaces ethernet eth2 address 172.19.202.254/24
[edit]
vyos@myfw# set interfaces ethernet eth2 duplex auto
[edit]
vyos@myfw# set interfaces ethernet eth2 speed auto
[edit]
vyos@myfw# set interfaces ethernet eth2 smp_affinity auto
[edit]
vyos@myfw# set interfaces ethernet eth3 description 'ACCESS'
[edit]
vyos@myfw# set interfaces ethernet eth3 address 172.19.203.254/24
[edit]
vyos@myfw# set interfaces ethernet eth3 duplex auto
[edit]
vyos@myfw# set interfaces ethernet eth3 speed auto
[edit]
vyos@myfw# set interfaces ethernet eth3 smp_affinity auto
[edit]
vyos@myfw# show interfaces ethernet
ethernet eth0 {
address dhcp
description OUTSIDE
duplex auto
hw-id 00:0c:29:c4:fb:99
smp_affinity auto
speed auto
}
ethernet eth1 {
address 172.19.201.254/24
description DMZ
duplex auto
hw-id 00:0c:29:c4:fb:a3
smp_affinity auto
speed auto
}
ethernet eth2 {
address 172.19.202.254/24
description INTRANET
duplex auto
hw-id 00:0c:29:c4:fb:ad
smp_affinity auto
speed auto
}
ethernet eth3 {
address 172.19.203.254/24
description ACCESS
duplex auto
hw-id 00:0c:29:c4:fb:b7
smp_affinity auto
speed auto
}
[edit]
vyos@myfw# commit
[edit]
vyos@myfw# save
Saving configuration to '/config/config.boot'...
Done
[edit]
Set Service DHCP Server
To configure DHCP services for DMZ, INTRANET, and ACCESS virtual networks, use the following:
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH1_POOL subnet 172.19.201.0/24 start 172.19.201.192 stop 172.19.201.224
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH1_POOL subnet 172.19.201.0/24 default-router 172.19.201.254
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH1_POOL subnet 172.19.201.0/24 dns-server 8.8.8.8
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH1_POOL subnet 172.19.201.0/24 dns-server 8.8.4.4
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH2_POOL subnet 172.19.202.0/24 start 172.19.202.192 stop 172.19.202.224
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH2_POOL subnet 172.19.202.0/24 default-router 172.19.202.254
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH2_POOL subnet 172.19.202.0/24 dns-server 8.8.8.8
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH2_POOL subnet 172.19.202.0/24 dns-server 8.8.4.4
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH3_POOL subnet 172.19.203.0/24 start 172.19.203.192 stop 172.19.203.224
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH3_POOL subnet 172.19.203.0/24 default-router 172.19.203.254
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH3_POOL subnet 172.19.203.0/24 dns-server 8.8.8.8
[edit]
vyos@myfw# set service dhcp-server shared-network-name ETH3_POOL subnet 172.19.203.0/24 dns-server 8.8.4.4
[edit]
vyos@myfw# show service dhcp-server
+shared-network-name ETH1_POOL {
+ subnet 172.19.201.0/24 {
+ default-router 172.19.201.254
+ dns-server 8.8.8.8
+ dns-server 8.8.4.4
+ start 172.19.201.192 {
+ stop 172.19.201.224
+ }
+ }
+}
+shared-network-name ETH2_POOL {
+ subnet 172.19.202.0/24 {
+ default-router 172.19.202.254
+ dns-server 8.8.8.8
+ dns-server 8.8.4.4
+ start 172.19.202.192 {
+ stop 172.19.202.224
+ }
+ }
+}
+shared-network-name ETH3_POOL {
+ subnet 172.19.203.0/24 {
+ default-router 172.19.203.254
+ dns-server 8.8.8.8
+ dns-server 8.8.4.4
+ start 172.19.203.192 {
+ stop 172.19.203.224
+ }
+ }
+}
[edit]
vyos@myfw# commit
[edit]
vyos@myfw# save
Saving configuration to '/config/config.boot'...
Done
[edit]
Set Source NAT
To permit the DMZ, INTRANET, and ACCESS virtual networks to exit the OUTSIDE interface using source network address translation (NAT), execute the following:
[edit]
vyos@myfw# set nat source rule 900 outbound-interface eth0
[edit]
vyos@myfw# set nat source rule 900 source address 172.19.0.0/16
[edit]
vyos@myfw# set nat source rule 900 translation address masquerade
[edit]
vyos@myfw# show nat source
+rule 900 {
+ outbound-interface eth0
+ source {
+ address 172.19.0.0/16
+ }
+ translation {
+ address masquerade
+ }
+}
[edit]
vyos@myfw# commit
[edit]
vyos@myfw# save
Saving configuration to '/config/config.boot'...
Done
[edit]
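As an added example (not part of the original wiki page), the Python below transcribes the interface addresses, DHCP pools and SNAT rule from the Set Interfaces, Set Service DHCP Server and Set Source NAT sections above and checks them for consistency offline with the standard ipaddress module: each pool's start, stop and default-router sit inside the subnet, the default-router is an address Vyos actually holds and does not fall inside the lease range, and the masquerade rule's source prefix covers every internal subnet. It also reports how many /24s inside 172.19.0.0/16 have no interface behind them, because a source match wider than the networks you actually route is worth noticing: the three /24 prefixes (or one rule per subnet) would express the same intent more tightly.

```python
"""Address-plan consistency checks for the lab topology on this page.

Added example, not the wiki page's own code. The data below is transcribed
from the page's `set interfaces`, `set service dhcp-server` and
`set nat source` commands so the checks run offline.
"""
import ipaddress

# Constructed from the page's `set interfaces ethernet eth# address` commands.
INTERFACES = {
    "eth1": ipaddress.ip_interface("172.19.201.254/24"),  # DMZ
    "eth2": ipaddress.ip_interface("172.19.202.254/24"),  # INTRANET
    "eth3": ipaddress.ip_interface("172.19.203.254/24"),  # ACCESS
}

# Constructed from the page's `set service dhcp-server` commands.
DHCP_POOLS = {
    "ETH1_POOL": {"subnet": "172.19.201.0/24", "start": "172.19.201.192",
                  "stop": "172.19.201.224", "default-router": "172.19.201.254"},
    "ETH2_POOL": {"subnet": "172.19.202.0/24", "start": "172.19.202.192",
                  "stop": "172.19.202.224", "default-router": "172.19.202.254"},
    "ETH3_POOL": {"subnet": "172.19.203.0/24", "start": "172.19.203.192",
                  "stop": "172.19.203.224", "default-router": "172.19.203.254"},
}

# Constructed from the page's `set nat source rule 900` commands.
SNAT_RULE_900 = {"outbound-interface": "eth0", "source": "172.19.0.0/16"}


def check_pool(pool, interfaces=INTERFACES):
    """Return a list of problems with one DHCP pool (empty list = consistent)."""
    problems = []
    subnet = ipaddress.ip_network(pool["subnet"])
    start = ipaddress.ip_address(pool["start"])
    stop = ipaddress.ip_address(pool["stop"])
    router = ipaddress.ip_address(pool["default-router"])

    if start > stop:
        problems.append("start is after stop")
    for name, addr in (("start", start), ("stop", stop), ("default-router", router)):
        if addr not in subnet:
            problems.append(f"{name} {addr} is outside {subnet}")
    if start <= router <= stop:
        problems.append("default-router lies inside the lease range")
    # The gateway handed to clients must be an address Vyos holds on that subnet.
    if not any(i.ip == router and i.network == subnet for i in interfaces.values()):
        problems.append(f"default-router {router} is not a configured Vyos interface address")
    return problems


def pool_size(pool):
    """Number of leases the pool can hand out (start..stop inclusive)."""
    return (int(ipaddress.ip_address(pool["stop"]))
            - int(ipaddress.ip_address(pool["start"])) + 1)


def snat_coverage(rule, interfaces):
    """Return (internal subnets covered by the SNAT source prefix,
    number of /24s inside that prefix with no interface behind them)."""
    src = ipaddress.ip_network(rule["source"])
    subnets = [i.network for i in interfaces.values()]
    covered = [str(s) for s in subnets if s.subnet_of(src)]
    unused_24s = sum(1 for s in src.subnets(new_prefix=24) if s not in subnets)
    return covered, unused_24s


if __name__ == "__main__":
    for name, pool in DHCP_POOLS.items():
        print(name, pool_size(pool), "leases:", check_pool(pool) or "ok")
    print("SNAT rule 900 covers", snat_coverage(SNAT_RULE_900, INTERFACES))
```

Running the file prints one line per pool plus the SNAT coverage; the functions return plain values so the same checks can be rerun whenever the address plan changes.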
Next Steps
At this point, build virtual machines with the appropriate vmnet network interface, setting the Vyos interface for that virtual network as the virtual machine's gateway. Use ping and traceroute for initial testing and troubleshooting; you should have functioning layer two (switching) and layer three (routing) communications.
DNS Forwarding
The scenario is to forward all DNS queries to the firewall interface, and the firewall then forwards them to Google DNS. I typically configure DNS hosts to query the firewall and all other services to use the DNS host. Using the firewall, which will be passing and logging the traffic, provides a single point of administration. To configure, use the following syntax:
[edit]
vyos@myfw# set service dns forwarding cache-size '0'
vyos@myfw# set service dns forwarding listen-on 'eth1'
vyos@myfw# set service dns forwarding name-server '8.8.8.8'
vyos@myfw# set service dns forwarding name-server '8.8.4.4'
[edit]
vyos@myfw# commit
[edit]
vyos@myfw# save
Saving configuration to '/config/config.boot'...
Done
[edit]
This results in:
[edit]
vyos@fw# show service dns forwarding
cache-size 0
listen-on eth1
name-server 8.8.8.8
name-server 8.8.4.4
[edit]
vyos@fw#
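The scenario above only holds if clients actually send their queries to the firewall, and that is decided by two settings shown on this page: the forwarder's listen-on interfaces and the dns-server each DHCP scope advertises. The following added example (not the page's own code) parses the brace-style text that Vyos show prints, using the page's own show service dhcp-server and show service dns forwarding output as constructed sample input (ETH3_POOL omitted to keep the sample short, and the interface map transcribed from the Set Interfaces section), and reports per subnet whether the forwarder listens on that subnet's interface and whether the scope hands out the firewall's address as DNS. With the commands as shown, the forwarder listens only on eth1 and every scope still advertises 8.8.8.8 and 8.8.4.4, so clients keep querying Google directly; adding listen-on for eth2 and eth3 and pointing each scope's dns-server at the interface address (for example 172.19.201.254 for the DMZ) would make the forwarder the single point of administration the text describes.

```python
"""Offline check of the DNS-forwarding scenario against the DHCP scopes.

Added example, not part of the original wiki page. Parses Vyos `show` output
(the brace-delimited tree the page prints) and reports, per internal subnet,
whether the forwarder listens there and whether DHCP advertises it to clients.
"""
import ipaddress

# Constructed sample: transcribed from the page's `show service dhcp-server`
# output (ETH3_POOL omitted). The leading '+' marks lines not yet committed.
DHCP_SHOW = """\
+shared-network-name ETH1_POOL {
+ subnet 172.19.201.0/24 {
+ default-router 172.19.201.254
+ dns-server 8.8.8.8
+ dns-server 8.8.4.4
+ start 172.19.201.192 {
+ stop 172.19.201.224
+ }
+ }
+}
+shared-network-name ETH2_POOL {
+ subnet 172.19.202.0/24 {
+ default-router 172.19.202.254
+ dns-server 8.8.8.8
+ dns-server 8.8.4.4
+ }
+}
"""

# Constructed sample: transcribed from the page's `show service dns forwarding`.
DNS_SHOW = """\
cache-size 0
listen-on eth1
name-server 8.8.8.8
name-server 8.8.4.4
"""

# Constructed from the page's `set interfaces ethernet` commands.
INTERFACES = {"eth1": "172.19.201.254/24", "eth2": "172.19.202.254/24",
              "eth3": "172.19.203.254/24"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def parse_show(text):
    """Parse `show` output into nested dicts: a block header such as
    "subnet 172.19.201.0/24 {" keys a nested dict, a leaf line splits into
    key and value, and a repeated key (two dns-server lines) collects a list.
    Leading '+', '-' and '>' change markers are stripped."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip().lstrip("+->").strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            node = stack[-1]
            node[key] = _as_list(node[key]) + [value] if key in node else value
    return root


def forwarder_status(dhcp_tree, dns_tree, interfaces):
    """Map each DHCP scope's subnet to (interface, forwarder listens, advertised)."""
    listen = set(_as_list(dns_tree.get("listen-on")))
    status = {}
    for key, network in dhcp_tree.items():
        if not key.startswith("shared-network-name "):
            continue
        for sub_key, scope in network.items():
            if not sub_key.startswith("subnet "):
                continue
            subnet = ipaddress.ip_network(sub_key.split()[1])
            # The Vyos interface that lives on this subnet, if any.
            iface, fw_ip = next(((n, str(ipaddress.ip_interface(a).ip))
                                 for n, a in interfaces.items()
                                 if ipaddress.ip_interface(a).network == subnet),
                                (None, None))
            advertised = _as_list(scope.get("dns-server"))
            status[str(subnet)] = (iface, iface in listen, fw_ip in advertised)
    return status


if __name__ == "__main__":
    result = forwarder_status(parse_show(DHCP_SHOW), parse_show(DNS_SHOW), INTERFACES)
    for subnet, (iface, listens, advertised) in result.items():
        print(f"{subnet} via {iface}: listening={listens}, advertised={advertised}")
```

The parser is deliberately generic: the same parse_show handles the show interfaces ethernet and show nat source output earlier on the page, so the tree it returns can be diffed against an intended baseline before a commit.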
Additional Reading
(in progress)