vyos configuration

img/posts/vyos.png

basic

# Management access and image housekeeping.
# NOTE(review): '+diffie-hellman-group1-sha1' re-enables a legacy 1024-bit DH
# key exchange on the SSH client side; it is only needed to reach an old image
# and should be dropped from the client once the router offers modern KEX.
# NOTE(review): the '[email protected]' target is an email-obfuscation artifact
# of the page rendering; the real command takes a user@router-address target.
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]
# Image lifecycle: add a new image, list installed images, remove old ones,
# then choose which image boots by default.
install image
show system image
delete system image
set system image default-boot [image-name] 
# Base system settings: SSH on the default port, hostname, time zone
# (a correct zone keeps log timestamps usable when correlating events).
set service ssh port 22
set system hostname vyos
set system time-zone Asia/Shanghai

# Interface addressing: eth0 is the upstream ("public") side on 10.0.1.0/24,
# eth1 is the LAN ("private") side and acts as the LAN gateway 192.168.0.1.
show version
# Remove the DHCP client from eth0 before assigning the static address.
delete interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 address 10.0.1.32/24
set interfaces ethernet eth0 description public
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description private

# Configuration lifecycle: 'commit' activates the candidate configuration,
# 'save' persists it across reboots, 'rollback' reverts to a saved revision.
commit 
save
rollback

dhcp and dns

# DHCP for the LAN 192.168.0.0/24: default gateway and DNS both point at the
# router's own LAN address (eth1, 192.168.0.1); leases last 86400 s (one day);
# the pool hands out 192.168.0.100-192.168.0.200.
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start 192.168.0.100
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.200'

# DNS forwarder: listens only on the LAN address and forwards to 8.8.8.8/8.8.4.4.
# cache-size 0 disables the local cache, so every query goes upstream.
# NOTE(review): allow-from 0.0.0.0/0 accepts queries from any source address.
# The listen-address limits exposure today, but restricting the clients to the
# LAN prefix (allow-from '192.168.0.0/24') avoids becoming an open resolver if
# the listener or the firewall is later changed.
set service dns forwarding cache-size '0'
set service dns forwarding listen-address '192.168.0.1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'
set service dns forwarding allow-from '0.0.0.0/0'

# Default route via the upstream gateway on the eth0 segment (10.0.1.1).
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 distance 1

nat

# Operational check: list the active source-NAT translations.
show nat source translations

# Outbound internet access: masquerade LAN traffic leaving eth0.
# NOTE(review): the source prefix 192.168.100.0/24 does not match the LAN used
# elsewhere on this page (eth1 and the DHCP pool are in 192.168.0.0/24), so
# hosts on 192.168.0.0/24 would not be translated by this rule as written.
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.100.0/24
set nat source rule 100 translation address masquerade

# Port forward: TCP/80 arriving on eth0 for 10.0.1.100 is rewritten to the
# LAN host 192.168.0.100:80.
# NOTE(review): eth0 is addressed 10.0.1.32/24 on this page; the rule only
# matches if 10.0.1.100 is also an address the router receives on eth0.
# Forwarded traffic must additionally be accepted by the ruleset applied to
# eth0 inbound ('public-private'), which on this page has no rule for TCP/80.
set nat destination rule 10 description 'Port Forward'
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 destination address 10.0.1.100
set nat destination rule 10 destination port 80
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 192.168.0.100
set nat destination rule 10 translation port 80

firewall

  • 基于接口的防火墙策略
  • 基于组的防火墙策略
  • 基于区块的防火墙策略ZBF
# Firewall policy.
# Global settings: stop answering echo requests but keep answering broadcast
# pings, process source-routed packets, enable SYN cookies.
# NOTE(review): answering broadcast pings and honouring IP source routing are
# normally left disabled on a border router (amplification and routing-bypass
# concerns); confirm both are intentional.
set firewall all-ping disable
set firewall broadcast-ping enable
set firewall ip-src-route enable
set firewall syn-cookies enable
# Ruleset for traffic entering from the private side: anything not explicitly
# accepted by a rule below is dropped.
set firewall name private-public default-action drop
 
# private -> public ruleset.
# Rule 1: accept packets that belong to connections conntrack already tracks
# (established or related).
set firewall name private-public rule 1 action accept
set firewall name private-public rule 1 state established enable
set firewall name private-public rule 1 state related enable
 
# Rule 2: drop, and log, packets conntrack classifies as invalid.
set firewall name private-public rule 2 action drop
set firewall name private-public rule 2 log enable
set firewall name private-public rule 2 state invalid enable
 
# Rule 100: allow ICMP (ping) from the LAN, logged.
set firewall name private-public rule 100 action accept
set firewall name private-public rule 100 log enable
set firewall name private-public rule 100 protocol icmp
 
# Rule 200: allow HTTP, HTTPS and SSH (TCP 80, 443, 22) from the LAN, logged.
# With the default-action drop above, LAN hosts are otherwise limited to these
# TCP services outbound.
set firewall name private-public rule 200 action accept
set firewall name private-public rule 200 destination port 80,443,22
set firewall name private-public rule 200 log enable
set firewall name private-public rule 200 protocol tcp
 
# Rule 600: allow DNS requests (TCP and UDP port 53), logged.
# (The original note called this rule 300; the commands below use 600.)
set firewall name private-public rule 600 action accept
set firewall name private-public rule 600 destination port 53
set firewall name private-public rule 600 log enable
set firewall name private-public rule 600 protocol tcp_udp

# Interface-based attachment: apply each ruleset to traffic entering its interface.
# NOTE(review): 'public-private' is referenced here but is only partially
# defined on this page (a single WireGuard rule further down, no explicit
# default-action). The commit fails if the name does not exist, and if the
# default-action is left at VyOS's implicit drop — confirm for the installed
# release — nothing else entering eth0 is permitted, including the TCP/80
# port forward and return traffic for LAN-initiated connections.
set interfaces ethernet eth0 firewall in name 'public-private'
set interfaces ethernet eth1 firewall in name 'private-public'


# Zone-based alternative: the public zone holds the external interface (eth0),
# the private zone holds the internal interface (eth1), and the same two
# rulesets are bound to the two inter-zone directions.
# NOTE(review): VyOS documents zone-policy and per-interface firewall
# assignment as alternatives; the 'set interfaces ... firewall in' lines above
# already bind these rulesets to the same interfaces, and applying both models
# is expected to be rejected at commit — keep one of the two.
set zone-policy zone public interface eth0
set zone-policy zone private interface eth1
set zone-policy zone private from public firewall name public-private
set zone-policy zone public from private firewall name private-public

wireguard

# WireGuard: generate the router's keypair (the private key stays on the
# router; only its public key is handed to peers), then define wg0.
# NOTE(review): check the exact 'generate wireguard ...' subcommand for the
# installed release.
generate wireguard keypair
configure
# Tunnel address for the router and one peer, 'center', limited to a single
# tunnel IP via allowed-ips.
set interfaces wireguard wg0 address '10.22.211.1/24'
set interfaces wireguard wg0 peer center allowed-ips '10.22.211.10/32'
set interfaces wireguard wg0 peer center persistent-keepalive '15'
# Peer's public key (not secret). No endpoint address/port is set for the
# peer, so the router waits for the peer to connect; keepalives only flow
# once a session exists.
set interfaces wireguard wg0 peer center pubkey 'M52tdV2dnXRvCxw4QNeoYZeaUbkfTkKbi2ElhcUGF0E=' # client's public key
set interfaces wireguard wg0 port '51820'

# Allow inbound WireGuard (UDP/51820) on the public side, logged.
# NOTE(review): rule 10 matches only state established/related. The peer's
# first handshake packet is tracked as state 'new' and would fall through to
# the ruleset's default action; since no endpoint is configured for the peer,
# the router cannot initiate, so peer-initiated traffic has to match here —
# add 'state new enable' or remove the two state lines.
# 'source address 0.0.0.0/0' matches every source and adds no restriction.
set firewall name public-private rule 10 action 'accept'
set firewall name public-private rule 10 destination port '51820'
set firewall name public-private rule 10 log 'enable'
set firewall name public-private rule 10 protocol 'udp'
set firewall name public-private rule 10 source address '0.0.0.0/0'
set firewall name public-private rule 10 state established 'enable'
set firewall name public-private rule 10 state related 'enable'
