Lab 1.1: Routing and DMZ - squatchulator/Tech-Journal GitHub Wiki

Lab 1.1 - Routing and DMZ

Network and IP Assignments

Setting up RW01

  • Change password for champuser with passwd
  • Add a new user with adduser (not useradd, which leaves the home directory and password to be set up manually)
  • Elevate new user to sudo with sudo usermod -aG sudo newuser
  • Set a new hostname with sudo hostnamectl set-hostname rw01-yourname
  • Configure network settings with the IP assigned above, using 10.0.17.2 as both the gateway and the DNS server

Setting up FW01

  • NOTE: VyOS configuration is very similar to Cisco. Changes are made to the running configuration by entering “configure” mode. These changes are applied to the running configuration via “commit”. The changes persist after reload only if you “save” them. You leave configuration mode via the “exit” command.
  • Configure network adapter 1 to the WAN, adapter 2 to the DMZ, and 3 to the LAN.
  • Set hostname:
configure
set system host-name fw01-yourname
commit
save
exit (until you get to login prompt)
  • Configure network:
configure
show interfaces
delete interfaces ethernet eth0 address dhcp
delete interfaces ethernet eth1 address dhcp
commit
save
  • Set descriptions on each interface:
configure
set interfaces ethernet eth0 description SEC350-WAN
set interfaces ethernet eth1 description YOURNAME-DMZ
set interfaces ethernet eth2 description YOURNAME-LAN
commit
save
exit
  • Configure each interface:
configure
set interfaces ethernet eth0 address YOURADDRESS/24
set interfaces ethernet eth1 address 172.16.50.2/29
set interfaces ethernet eth2 address 172.16.150.2/24
commit
save
  • Configure gateway and DNS:
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
commit
save

Setting up WEB01

  • Ensure it is on the DMZ-yourname network
  • Set a new hostname with sudo hostnamectl set-hostname web01-yourname
  • Run ip a to see the name of the interface
  • sudo nano /etc/sysconfig/network-scripts/INTERFACENAME
  • Append the following (OR use nmtui, set connection to manual):
IPADDR=172.16.50.3
NETMASK=255.255.255.248
GATEWAY=172.16.50.2
DNS1=172.16.50.2

Configuring NAT and DNS Forwarding on FW01

  • Enter the following:
configure
set nat source rule 10 description "NAT FROM DMZ to WAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.50.0/29
set nat source rule 10 translation address masquerade
commit
save
  • Should now be able to ping 8.8.8.8 from Web01
  • Enter the following:
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29
set service dns forwarding system
commit
save

Setting up Log01

  • Ensure it is on the DMZ-yourname network
  • Set a new hostname with sudo hostnamectl set-hostname log01-yourname
  • Run ip a to see the name of the interface
  • sudo nano /etc/sysconfig/network-scripts/INTERFACENAME
  • Append the following:
IPADDR=172.16.50.5
NETMASK=255.255.255.248
GATEWAY=172.16.50.2
DNS1=172.16.50.2

Installing HTTP on Web01

sudo yum install httpd
sudo systemctl enable httpd
sudo systemctl start httpd
sudo systemctl enable firewalld
sudo firewall-cmd --add-port=80/tcp --permanent
sudo firewall-cmd --add-port=443/tcp --permanent
sudo firewall-cmd --reload

Testing httpd on Web01 from RW01

  • Open connection settings and navigate to Routes
    • Address: 172.16.50.0
    • Netmask: 255.255.255.248
    • Gateway: 10.0.17.114
  • Run sudo service NetworkManager restart
  • Should be able to navigate to the httpd server.

Configuring rsyslog services on Log01

sudo systemctl enable firewalld
sudo firewall-cmd --add-port=514/tcp --permanent
sudo firewall-cmd --add-port=514/udp --permanent
sudo firewall-cmd --reload
sudo nano /etc/rsyslog.conf
  • Right above GLOBAL DIRECTIVES uncomment:
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
  • sudo systemctl restart rsyslog
  • Check if functional with netstat -tupan | grep 514

Configuring rsyslog client on Web01

  • sudo yum install rsyslog
  • sudo nano /etc/rsyslog.d/sec350.conf
    • Add line:
      • user.notice @172.16.50.5
      • This line means:
        • user=syslog facility
        • notice=syslog priority
        • @=UDP, @@ means TCP, so we are only going to send UDP
        • 172.16.50.5=Remote Syslog Server
  • sudo systemctl restart rsyslog
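
The selector line above is only safe if its target really is Log01 and the transport matches what Log01's firewalld accepts. As an added example (not part of the original lab), this Python script parses rsyslog forwarding lines of the form shown, computes the RFC 3164 PRI value the forwarded message will carry, and flags a rule whose target lies outside the 172.16.50.0/29 DMZ or uses a port/protocol other than the 514/udp and 514/tcp opened on Log01; the sample rules other than the lab's own line, including the 10.0.17.99 address, are constructed for illustration.

```python
import ipaddress
import re

# Facility and severity codes from RFC 3164 / <syslog.h>; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# facility.severity, whitespace, @ (UDP) or @@ (TCP), host, optional :port
RULE_RE = re.compile(r"^(?P<fac>[a-z0-9]+|\*)\.(?P<sev>[a-z]+|\*)\s+"
                     r"(?P<proto>@@?)(?P<host>[^:\s]+)(?::(?P<port>\d+))?$")

# Constructed sample: the lab's sec350.conf line plus two variants for comparison.
SAMPLE_RULES = """\
user.notice @172.16.50.5
authpriv.* @@172.16.50.5:514
*.emerg @10.0.17.99
"""

def parse_rule(line):
    """Split one forwarding line into facility, severity, transport, host and port."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a forwarding rule: {line!r}")
    return {"facility": m["fac"], "severity": m["sev"],
            "proto": "tcp" if m["proto"] == "@@" else "udp",
            "host": m["host"], "port": int(m["port"] or 514)}

def pri_value(facility, severity):
    """PRI field prefixed to the forwarded message, e.g. <13> for user.notice."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def check_rule(rule, dmz="172.16.50.0/29", open_ports=(("udp", 514), ("tcp", 514))):
    """Flag a rule whose target is outside the DMZ or uses a port/protocol Log01 does not accept."""
    problems = []
    if ipaddress.ip_address(rule["host"]) not in ipaddress.ip_network(dmz):
        problems.append(f"target {rule['host']} is outside {dmz}")
    if (rule["proto"], rule["port"]) not in open_ports:
        problems.append(f"{rule['proto']}/{rule['port']} not opened on the log server")
    return problems

def audit(text):
    """Parse every non-empty line and return {line: list of problems}."""
    return {ln: check_rule(parse_rule(ln)) for ln in text.splitlines() if ln.strip()}

if __name__ == "__main__":
    for line, problems in audit(SAMPLE_RULES).items():
        print(line, "->", problems or "ok")
```

Running it against the lab's own line reports no problems and a PRI of 13, which is the `<13>` that prefixes the datagram produced by `logger -t test`.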

Test rsyslog messaging from Web01 to Log01

  • On Log01, sudo tail -f /var/log/messages
  • On Web01, logger -t test TESTFROMWEB01LOG01