VYOS - samuel-richardson/Sam-Tech-Journal GitHub Wiki
Set User Password
configure
set system login user <name> authentication plaintext-password <password>
commit
save
Note: VyOS hashes the password on commit; the saved configuration shows it as an encrypted-password entry, so the plaintext never lands in config.boot.
Set Hostname
configure
set system host-name fw1-sam
commit
save
exit
show interfaces
to show interfaces (operational mode; the interface that already has an address is usually the one that picked it up from DHCP).
To clear DHCP from an interface before giving it a static address (configure mode):
delete interfaces ethernet ethX address dhcp
commit
save
Set Interface Descriptions
configure
set interfaces ethernet eth0 description "SEC350-WAN"
commit
save
exit
Set Interface IP (configure mode)
set interfaces ethernet ethX address IPADDRESS/MASK
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
commit
save
The default route points at the WAN gateway (10.0.17.2 here). The name-server entry is the resolver the router itself uses; clients behind it get DNS from the forwarder configured below.
NAT Forwarding
configure
set nat source rule 10 description "NAT FROM DMZ to WAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.50.0/29
set nat source rule 10 translation address masquerade
commit
save
DNS Forwarding
configure
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29
set service dns forwarding system
commit
save
listen-address is the router's own DMZ address, allow-from restricts which clients may query (keep it to internal networks so the router is never an open resolver towards the WAN), and system makes the forwarder use the name-server set above.
Remote Syslog
configure
set system syslog host 172.16.50.5 facility authpriv level info
commit
save
This ships authentication-related messages (authpriv, info and above) to the log server at 172.16.50.5.
RIP (configure mode, then commit and save)
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
RIP is unauthenticated as configured here, so only enable it on interfaces that face trusted routers, never on the WAN interface.
Zone Policy
Note: the firewall rule sets named below (for example DMZ-to-WAN) must exist before they can be attached to a zone; the commit fails otherwise.
set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
set zone-policy zone WAN interface 'eth0'
Note: once an interface is placed in a zone, all traffic from other zones is dropped by default. Traffic is only allowed by the rule sets attached with "from", and every zone (DMZ, LAN, MGMT) needs its own interface and "from" statements, not just WAN.
set firewall name DMZ-to-LAN default-action 'drop'
set firewall name DMZ-to-LAN enable-default-log
Rule 1 allows return traffic of established connections back through the firewall and is needed in practically every rule set (enabling state related in the same rule is also common, for things like FTP data channels and ICMP errors).
set firewall name DMZ-to-LAN rule 1 action 'accept'
set firewall name DMZ-to-LAN rule 1 state established 'enable'
Rule 10 allows Wazuh agent traffic. Number new rules in steps of 10 so rules can be inserted later without renumbering, and set the fields each rule needs:
set firewall name DMZ-to-LAN rule 10 action 'accept'
set firewall name DMZ-to-LAN rule 10 description 'wazuh agent communications with wazuh server'
set firewall name DMZ-to-LAN rule 10 destination address '172.16.200.10'
set firewall name DMZ-to-LAN rule 10 destination port '1514,1515'
set firewall name DMZ-to-LAN rule 10 protocol 'tcp'
A general rule allowing one zone to open any connection to a network (this rule set still needs its own default-action drop and rule 1 as above):
set firewall name MGMT-to-LAN rule 10 action 'accept'
set firewall name MGMT-to-LAN rule 10 description 'Allow MGMT to initiate any connection to LAN'
set firewall name MGMT-to-LAN rule 10 destination address '172.16.150.0/24'
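The rule sets above all follow the same shape: default drop with logging, rule 1 for return traffic, then accept rules numbered 10, 20, 30. The following added example (not from the wiki) generates those commands plus the zone-policy attachments from a small policy table, so every zone pair gets the same baseline and a pair that is missing from the table stays dropped. The interface-to-zone mapping, the zone names and the per-rule addresses are assumptions modelled on the page.

```python
"""Generate VyOS 1.3 firewall rule-set and zone-policy commands from a policy table.

Added example, not the wiki's own code.  Zone names, interfaces, addresses and
ports below are assumptions modelled on the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Allow:
    desc: str
    dst: Optional[str] = None    # host address or CIDR; None = any destination
    proto: Optional[str] = None  # 'tcp', 'udp', ...
    ports: Optional[str] = None  # '22' or '1514,1515'; requires proto


def ruleset_commands(name: str, allows: List[Allow]) -> List[str]:
    """One rule set: default drop + log, rule 1 for established/related return
    traffic, then one accept rule per Allow numbered 10, 20, 30 ..."""
    cmds = [
        f"set firewall name {name} default-action 'drop'",
        f"set firewall name {name} enable-default-log",
        f"set firewall name {name} rule 1 action 'accept'",
        f"set firewall name {name} rule 1 state established 'enable'",
        f"set firewall name {name} rule 1 state related 'enable'",
    ]
    for i, a in enumerate(allows, start=1):
        if a.ports and not a.proto:
            raise ValueError(f"{name}: '{a.desc}' sets ports without a protocol")
        if "'" in a.desc:  # descriptions are single-quoted on the CLI
            raise ValueError(f"{name}: description must not contain a quote")
        r = f"set firewall name {name} rule {i * 10}"
        cmds += [f"{r} action 'accept'", f"{r} description '{a.desc}'"]
        if a.dst:
            cmds.append(f"{r} destination address '{a.dst}'")
        if a.ports:
            cmds.append(f"{r} destination port '{a.ports}'")
        if a.proto:
            cmds.append(f"{r} protocol '{a.proto}'")
    return cmds


def zone_policy_commands(zones: Dict[str, List[str]],
                         policy: Dict[Tuple[str, str], List[Allow]]) -> List[str]:
    """zones: {zone: [interfaces]}; policy: {(src, dst): [Allow, ...]}.
    Rule sets are emitted before the zone-policy lines that reference them.
    A (src, dst) pair absent from policy gets no 'from' clause and is dropped."""
    for src, dst in policy:
        if src == dst or src not in zones or dst not in zones:
            raise ValueError(f"bad zone pair {src}->{dst}")
    cmds: List[str] = []
    for (src, dst), allows in policy.items():
        cmds += ruleset_commands(f"{src}-to-{dst}", allows)
    for zone, ifaces in zones.items():
        for iface in ifaces:
            cmds.append(f"set zone-policy zone {zone} interface '{iface}'")
    for src, dst in policy:
        cmds.append(f"set zone-policy zone {dst} from {src} firewall name '{src}-to-{dst}'")
    return cmds


# Assumed topology: eth0 WAN (from the page); the other assignments are guesses.
ZONES = {"WAN": ["eth0"], "DMZ": ["eth2"], "LAN": ["eth1"], "MGMT": ["eth3"]}
POLICY = {
    ("DMZ", "WAN"): [Allow("DMZ hosts to Internet")],
    ("LAN", "WAN"): [Allow("LAN hosts to Internet")],
    ("DMZ", "LAN"): [Allow("wazuh agent communications with wazuh server",
                           "172.16.200.10", "tcp", "1514,1515")],
    ("MGMT", "LAN"): [Allow("Allow MGMT to initiate any connection to LAN",
                            "172.16.150.0/24")],
}

if __name__ == "__main__":
    print("configure")
    print("\n".join(zone_policy_commands(ZONES, POLICY)))
    print("commit\nsave")
```

Paste the output into configure mode; because WAN-to-DMZ is not in the table, nothing from the WAN reaches the DMZ until a rule set for that pair is added.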
Dropped packets are logged to /var/log/messages (enable-default-log above is what produces these entries),
which shows whether packets are being dropped and by which rule set. traceroute and ping from endpoint machines are also useful for testing connectivity, along with tools such as tcpdump.
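Reading /var/log/messages by eye gets slow once a few hosts are chatty, so here is an added example (not from the wiki) that parses the firewall entries and counts drops per rule set, source, destination and port. The log lines are constructed, modelled on the `[<ruleset>-<rule>-<action>]` prefix and key=value fields VyOS 1.3 writes for firewall logging; compare the prefix against a real line from your router before relying on it, and the host name and addresses are assumptions.

```python
"""Summarise VyOS firewall drop entries from /var/log/messages.

Added example, not the wiki's own code.  SAMPLE_LOG is constructed: the
prefix format '[<ruleset>-<rule>-<action>]' is modelled on VyOS 1.3, and
the host name and addresses are assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: two DMZ->LAN SSH drops, one accepted Wazuh connection,
# one WAN->DMZ drop of a port-forwarded SSH packet, one unrelated sshd line.
SAMPLE_LOG = """\
Mar  3 10:01:12 fw1-sam kernel: [DMZ-to-LAN-default-D]IN=eth2 OUT=eth1 MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=172.16.50.3 DST=172.16.150.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:13 fw1-sam kernel: [DMZ-to-LAN-default-D]IN=eth2 OUT=eth1 MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=172.16.50.3 DST=172.16.150.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:20 fw1-sam kernel: [DMZ-to-LAN-10-A]IN=eth2 OUT=eth1 MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=172.16.50.3 DST=172.16.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=51236 DPT=1514 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:02:05 fw1-sam kernel: [WAN-to-DMZ-default-D]IN=eth0 OUT=eth2 MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.0.17.99 DST=172.16.50.4 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:02:06 fw1-sam sshd[1201]: Accepted publickey for vyos from 172.16.50.4 port 50122 ssh2
"""

# '[DMZ-to-LAN-default-D]' or '[DMZ-to-LAN-10-A]': rule-set name, rule, action.
PREFIX = re.compile(r"\[(?P<ruleset>[^\]]+?)-(?P<rule>default|\d+)-(?P<action>[ADR])\]")
KV = re.compile(r"\b([A-Z]+)=(\S+)")  # flags such as DF and SYN carry no '='


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the firewall fields of one log line, or None for non-firewall lines."""
    m = PREFIX.search(line)
    if m is None:
        return None
    fields = dict(KV.findall(line[m.end():]))
    return {
        "ruleset": m.group("ruleset"), "rule": m.group("rule"),
        "action": m.group("action"),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO"), "dpt": fields.get("DPT"),
    }


Key = Tuple[str, Optional[str], Optional[str], Optional[str], Optional[str]]


def drop_summary(log_text: str, top: int = 10) -> List[Tuple[Key, int]]:
    """Count dropped packets by (ruleset, src, dst, proto, dpt), most frequent first."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "D":
            counts[(rec["ruleset"], rec["src"], rec["dst"], rec["proto"], rec["dpt"])] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))[:top]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (ruleset, src, dst, proto, dpt), n in drop_summary(text):
        print(f"{n:6d}  {ruleset:<16} {src} -> {dst} {proto}/{dpt}")
```

Run it against the real file with `python3 fwdrops.py /var/log/messages`. In the constructed sample the WAN-to-DMZ drop is the case to watch for with the port forward below: the packet arrives already translated to 172.16.50.4, so the zone policy, not the NAT rule, decides whether it gets through.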
Extract Configuration Commands
This prints the set commands that reproduce the configuration, filtering out defaults and lines that are not interesting. Excluding "login" also keeps the user password hashes out of anything pasted into notes.
show configuration commands | grep -v "syslog global\|ntp\|login\|console\|config\|hw-id\|loopback\|conntrack"
Port Forwarding (destination NAT, configure mode)
Destination NAT happens before the firewall sees the packet, so a forward is not enough on its own: the WAN-to-DMZ rule set must also accept tcp/22 to the translated address 172.16.50.4. Since this exposes SSH on the WAN, restrict the rule to known source addresses where possible and use key-based authentication on the jump host.
set nat destination rule 20 description 'SSH->JUMP-SAM'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '172.16.50.4'
set nat destination rule 20 translation port '22'
VRRP
Configure the same group (same vrid, interface and virtual address) on both routers. The priority decides the master: the range is 1-254 and the router with the higher value wins, so give the intended master the higher number and make sure the two values differ.
set high-availability vrrp group Foo vrid 10
set high-availability vrrp group Foo interface eth0
set high-availability vrrp group Foo address 192.0.2.1/24
set high-availability vrrp group Foo priority {High number for master}