Setting up routers - serate-actual/sec350final GitHub Wiki

Basic Installation of VyOS

  • Do these steps on both fw-edge and fw-mgmt
  • Log in using the username vyos and the password vyos
  • Use the install image command to install VyOS
    • You can use tab to
  • Set it to auto-partition
  • Select the appropriate drive section
  • Select the maximum size
  • Reboot the firewall

fw-edge

  • Set the hostname to fw-edge
    • set system host-name fw-edge

Configuring interfaces

  • Set the WAN interface to be DHCP enabled
    • set interfaces ethernet eth0 address dhcp
  • Set the DMZ interface address to 10.0.10.2/24
    • set interfaces ethernet eth1 address 10.0.10.2/24
  • Set the LAN interface address to 10.0.0.2/24
    • set interfaces ethernet eth1 address 10.0.0.2/24
  • Add descriptions if desired

Configuring name server and DNS forwarding

  • On the host machine, find the IP of the default gateway. As the WAN interface is bridged directly to the network, this information is important.
  • Set name server
    • set system name-server (default gateway IP)
  • Set DNS forwarding for LAN
set service dns forwarding listen-address 10.0.0.2
set service dns forwarding allow-from 10.0.0.0/24
  • Set DNS forwarding for DMZ
set service dns forwarding listen-address 10.0.10.2
set service dns forwarding allow-from 10.0.10.0/24

Configuring routes

  • Set static route for default gateway
    • set protocols static route 0.0.0.0/0 next-hop (default gateway IP)
  • Set route for the fw-mgmt router
    • set protocols static route 10.0.5.0/24 next-hop 10.0.0.10

Test for connectivity

  • You should be able to ping from fw-edge to 8.8.8.8
    • This tests accessing external IPs through the default gateway
  • You should be able to ping from fw-edge to google.com
    • This tests DNS functionality

Set up NAT from web01 to WAN

  • Enter the following commands
set nat destination rule 10 description "Port forward HTTP to web01"
set nat destination rule 10 destination port 80
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 10.0.10.10
  • This port forwards HTTP traffic to port 80 on web01, allowing you to access it from the WAN interface

Set up NAT from LAN to WAN

  • Enter the following commands
set nat source rule 20 description "NAT from LAN to WAN"
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 10.0.0.0/24
set nat source rule 20 translation address masquerade
  • This allows LAN addresses to access the WAN network via NAT

Set up NAT from DMZ to WAN

  • Enter the following commands
set nat source rule 30 description "NAT from DMZ to WAN"
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 10.0.10.0/24
set nat source rule 30 translation address masquerade

Set up SSH

  • Enable SSH on the LAN interface
set service ssh port 22
set service ssh listen-address 10.0.0.2

fw-mgmt

  • Set the hostname to fw-mgmt
    • set system host-name fw-mgmt

Configuring interfaces

  • Set the LAN interface address to 10.0.0.10/24
    • set interfaces ethernet eth1 address 10.0.0.10/24
  • Set the MGMT interface address to 10.0.5.2/24
    • set interfaces ethernet eth1 address 10.0.5.2/24
  • Add descriptions if desired

Configuring name server and DNS forwarding

  • Set name server
    • set system name-server 10.0.0.2
  • Set DNS forwarding for MGMT
set service dns forwarding listen-address 10.0.5.2
set service dns forwarding allow-from 10.0.5.0/24

Configuring routes

  • Set static route for default gateway
    • set protocols static route 0.0.0.0/0 next-hop 10.0.0.2

Set up NAT from MGMT to LAN

  • Enter the following commands
set nat source rule 10 description "NAT from MGMT to LAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.0.5.0/24
set nat source rule 10 translation address masquerade

Set up Static NAT from MGMT to LAN

  • This allows our usr01 machine to use the AD DC functionality of our mgmt01 box
set nat destination rule 20 description "tcp ports for mgmt01 AD DC"
set nat destination rule 20 destination port 88,135,389,464
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 10.0.10.10

set nat destination rule 25 description "udp ports for mgmt01 AD DC"
set nat destination rule 25 destination port 88
set nat destination rule 25 inbound-interface eth0
set nat destination rule 25 protocol udp
set nat destination rule 25 translation address 10.0.10.10

Set up SSH

  • Enable SSH on the MGMT interface
set service ssh port 22
set service ssh listen-address 10.0.5.2
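VyOS only applies `set` commands after `commit` and only keeps them across a reboot after `save`, so the commands above are easy to review as a batch before committing. The following is an added example (not code from the sec350final project) that lints such a batch for mistakes VyOS will commit without complaint: NAT rules naming an interface with no address, `listen-address` values that belong to no interface, next-hops or DNAT targets outside every directly connected network, and one interface carrying several networks. `FW_MGMT_SET_LINES` is a constructed copy of the fw-mgmt commands on this page; the helper names are this example's own.

```python
"""Pre-commit lint for a list of VyOS 'set ...' commands.

Added example for this wiki page, not code from the sec350final project.
The sample below is a constructed copy of the fw-mgmt commands on the page.
"""
import ipaddress
import shlex

FW_MGMT_SET_LINES = """
set system host-name fw-mgmt
set interfaces ethernet eth1 address 10.0.0.10/24
set interfaces ethernet eth1 address 10.0.5.2/24
set system name-server 10.0.0.2
set service dns forwarding listen-address 10.0.5.2
set service dns forwarding allow-from 10.0.5.0/24
set protocols static route 0.0.0.0/0 next-hop 10.0.0.2
set nat source rule 10 description "NAT from MGMT to LAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.0.5.0/24
set nat source rule 10 translation address masquerade
set nat destination rule 20 description "tcp ports for mgmt01 AD DC"
set nat destination rule 20 destination port 88,135,389,464
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 10.0.10.10
set service ssh port 22
set service ssh listen-address 10.0.5.2
"""


def parse_set_lines(text):
    """Turn each 'set a b "c d"' line into a token path; other lines are skipped."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            paths.append(shlex.split(line)[1:])
    return paths


def interface_addresses(paths):
    """Map interface name -> list of ip_interface objects.
    A DHCP-only interface maps to an empty list so it still counts as defined."""
    addrs = {}
    for p in paths:
        if len(p) >= 5 and p[:2] == ["interfaces", "ethernet"] and p[3] == "address":
            addrs.setdefault(p[2], [])
            if p[4] != "dhcp":
                addrs[p[2]].append(ipaddress.ip_interface(p[4]))
    return addrs


def lint(paths):
    """Return human-readable findings; an empty list means nothing looked wrong."""
    addrs = interface_addresses(paths)
    connected = [a.network for lst in addrs.values() for a in lst]
    own_ips = {str(a.ip) for lst in addrs.values() for a in lst}
    findings = []

    def connected_to(ip):
        ip = ipaddress.ip_address(ip)
        return any(ip in net for net in connected)

    # Several networks on one interface share one L2 segment, so the router
    # is not a real boundary between them: a host can address itself into either.
    for iface, lst in addrs.items():
        nets = sorted({str(a.network) for a in lst})
        if len(nets) > 1:
            findings.append(f"{iface} has addresses in {len(nets)} networks ({', '.join(nets)}); "
                            "they share one L2 segment, so separation between them is not enforced")

    for p in paths:
        # nat <source|destination> rule N <inbound|outbound>-interface IFACE
        if len(p) >= 6 and p[0] == "nat" and p[4] in ("inbound-interface", "outbound-interface"):
            if p[5] not in addrs:
                findings.append(f"nat {p[1]} rule {p[3]}: {p[4]} {p[5]} has no address configured")
        # nat destination rule N translation address IP (source NAT uses 'masquerade')
        if len(p) >= 7 and p[:2] == ["nat", "destination"] and p[4:6] == ["translation", "address"]:
            if not connected_to(p[6]):
                findings.append(f"nat destination rule {p[3]}: translation address {p[6]} "
                                "is not on a directly connected network")
        # service dns forwarding listen-address IP / service ssh listen-address IP
        if p[:1] == ["service"] and "listen-address" in p:
            i = p.index("listen-address")
            if i + 1 < len(p) and p[i + 1] not in own_ips:
                findings.append(f"service {p[1]}: listen-address {p[i + 1]} "
                                "is not configured on any interface")
        # protocols static route PREFIX next-hop IP
        if len(p) >= 6 and p[:3] == ["protocols", "static", "route"] and p[4] == "next-hop":
            if not connected_to(p[5]):
                findings.append(f"static route {p[3]}: next-hop {p[5]} "
                                "is not on a directly connected network")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_set_lines(FW_MGMT_SET_LINES)):
        print("WARN:", finding)
```

Run against the fw-mgmt sample it reports four findings: eth1 carrying both 10.0.0.0/24 and 10.0.5.0/24, the two NAT rules that name eth0 while no eth0 address is set on fw-mgmt, and the DNAT target 10.0.10.10 lying outside both connected networks. Each is worth resolving (or consciously accepting) before `commit`, because VyOS itself will not object to any of them.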