Vyos deployment
2022-07-19 19:40:00 【Boys looking forward to the future】
download
technical specifications
VyOS delivers full performance when deployed as a virtual machine on a standalone ESXi host or under vCenter, provided the VM meets the minimum technical requirements for production use.
Minimum specifications
Processor | Memory | Storage |
---|---|---|
1 vCPU | 512 MB | 4 GB |
Recommended specifications
Processor | Memory | Storage |
---|---|---|
1 vCPU | 1 GB | 10 GB |
Deploy
Installation from the ISO image is used as the example.
Install
Default account: vyos / vyos (the installer prompts for a new password for this user below; set one before the router is exposed to any network).
vyos@vyos:~$ install image
Welcome to the VyOS install program. This script
will walk you through the process of installing the
VyOS image to a local hard drive.
Would you like to continue? (Yes/No) [Yes]: Yes
Probing drives: OK
Looking for pre-existing RAID groups...none found.
The VyOS image will require a minimum 2000MB root.
Would you like me to try to partition a drive automatically
or would you rather partition it manually with parted? If
you have already setup your partitions, you may skip this step
Partition (Auto/Parted/Skip) [Auto]:
I found the following drives on your system:
sda 4294MB
Install the image on? [sda]:
This will destroy all data on /dev/sda.
Continue? (Yes/No) [No]: Yes
How big of a root partition should I create? (2000MB - 4294MB) [4294]MB:
Creating filesystem on /dev/sda1: OK
Done!
Mounting /dev/sda1...
What would you like to name this image? [1.2.0-rolling+201809210337]:
OK. This image will be named: 1.2.0-rolling+201809210337
Copying squashfs image...
Copying kernel and initrd images...
Done!
I found the following configuration files:
/opt/vyatta/etc/config.boot.default
Which one should I copy to sda? [/opt/vyatta/etc/config.boot.default]:
Copying /opt/vyatta/etc/config.boot.default to sda.
Enter password for administrator account
Enter password for user 'vyos':
Retype password for user 'vyos':
I need to install the GRUB boot loader.
I found the following drives on your system:
sda 4294MB
Which drive should GRUB modify the boot partition on? [sda]:
Setting up grub: OK
Done!
SSH
set service ssh port '22'
Command line interface
Operational mode
Operational mode is where commands perform operating-system tasks and display system and service status; configuration mode is where the system configuration is changed. Tab completion works everywhere:
vyos@vyos:~$ s[tab]
set show
Examples of the available show commands:
vyos@vyos:~$ show [tab]
Possible completions:
arp Show Address Resolution Protocol (ARP) information
bridge Show bridging information
cluster Show clustering information
configuration Show running configuration
conntrack Show conntrack entries in the conntrack table
conntrack-sync
Show connection syncing information
date Show system date and time
dhcp Show Dynamic Host Configuration Protocol (DHCP) information
dhcpv6 Show status related to DHCPv6
disk Show status of disk device
dns Show Domain Name Server (DNS) information
file Show files for a particular image
firewall Show firewall information
flow-accounting
Show flow accounting statistics
hardware Show system hardware details
history show command history
host Show host information
incoming Show ethernet input-policy information
Configuration mode
To enter configuration mode, use the command configure:
vyos@vyos:~$ configure
[edit]
vyos@vyos:~#
Note that the prompt changes from `$` to `#`. To leave configuration mode, type `exit`:
vyos@vyos:~# exit
exit
vyos@vyos:~$
Inside configuration mode, edit descends to one node of the hierarchy, and show (abbreviated sh) then lists only that node:
vyos@vyos# edit interfaces ethernet eth0
[edit interfaces ethernet eth0]
vyos@vyos# sh
address 10.232.3.250/23
description OUTSIDE
firewall {
in {
name OUTSIDE-LOCAL
}
out {
name LOCAL-OUTSIDE
}
}
hw-id 00:50:56:a2:ac:40
vyos@vyos# set address
Possible completions:
<x.x.x.x/x> IPv4 address and prefix length
<h:h:h:h:h:h:h:h/x> IPv6 address and prefix length
dhcp Dynamic Host Configuration Protocol
dhcpv6 Dynamic Host Configuration Protocol for IPv6
10.232.3.250/23
Editing the configuration
set: set the value of a parameter or create a new configuration node.
delete: delete a configuration node; everything beneath the node named in the command is deleted with it.
commit: changes made in configuration mode have no effect until they are committed.
save: write the committed configuration to disk so that it survives a reboot (commit alone does not persist across a reboot).
exit [discard]: exit refuses to leave configuration mode while uncommitted changes exist; exit discard abandons them.
commit-confirm <minutes>: commit the changes provisionally; unless confirm is entered within the given number of minutes, the system reverts to the previous configuration. Use it for remote changes to firewall or interface settings that could lock you out.
copy: copy a configuration node.
vyos@vyos# show firewall name FromWorld
default-action drop
rule 10 {
action accept
source {
address 203.0.113.0/24
}
}
[edit]
vyos@vyos# edit firewall name FromWorld
[edit firewall name FromWorld]
vyos@vyos# copy rule 10 to rule 20
rename: rename a configuration node.
vyos@vyos# rename rule 10 to rule 5
[edit firewall name FromWorld]
vyos@vyos# commit
[edit firewall name FromWorld]
comment "comment text": attach a comment to a configuration node; it is stored with the configuration and appears in show output.
vyos@vyos# comment firewall all-ping "Yes I know this VyOS is cool"
vyos@vyos# commit
vyos@vyos# show
firewall {
/* Yes I know this VyOS is cool */
all-ping enable
broadcast-ping disable
...
}
run: execute an operational-mode command from within configuration mode; everything available in operational mode can be reached this way (the run sh nat source translations and run show ntp commands further down are examples).
Configuration
Reference: Firewall — VyOS 1.4.x (sagitta) documentation. Note that the commands below use the VyOS 1.2/1.3 syntax (firewall name, zone-policy, system ntp); in 1.4 these moved to firewall ipv4 name, firewall zone and service ntp respectively, so adapt the paths if you are on sagitta.
Configuring interfaces
# External (outside) interface
set interfaces ethernet eth0 address '10.232.3.250/23'
set interfaces ethernet eth0 description 'OUTSIDE'
# Internal (inside) interface
set interfaces ethernet eth1 address '172.16.240.2/29'
set interfaces ethernet eth1 description 'INSIDE1'
Configuring routing
# Default route via the upstream gateway (distance 1 is the default for static routes)
set protocols static route 0.0.0.0/0 next-hop 10.232.3.253 distance 1
NAT
PAT (source NAT, masquerading behind the eth0 address)
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.240.0/24'
set nat source rule 10 translation address 'masquerade'
vyos@vyos# run sh nat source translations
Pre-NAT          Post-NAT         Prot   Timeout
172.16.240.5     172.16.240.5     icmp   29
172.16.240.12    10.232.3.250     icmp   29
[edit]
1:1 NAT
set nat destination rule 2000 description '1-to-1 NAT example'
set nat destination rule 2000 destination address '192.0.2.30'
set nat destination rule 2000 inbound-interface 'eth1'
set nat destination rule 2000 translation address '192.168.1.10'
set nat source rule 2000 description '1-to-1 NAT example'
set nat source rule 2000 outbound-interface 'eth1'
set nat source rule 2000 source address '192.168.1.10'
set nat source rule 2000 translation address '192.0.2.30'
DNAT (port forwarding)
set nat destination rule 12 description 'Port Forward: HTTP to 192.168.0.100'
set nat destination rule 12 destination port '80'
set nat destination rule 12 inbound-interface 'eth0'
set nat destination rule 12 protocol 'tcp'
set nat destination rule 12 translation address '192.168.0.100'
# Each forward needs its own rule number: reusing rule 12 would overwrite the HTTP rule above, so this one is rule 13.
# Without a translation port the destination port is kept, i.e. this delivers to 172.16.240.3:10022, not to port 22.
set nat destination rule 13 description 'Port Forward: SSH to 172.16.240.3'
set nat destination rule 13 destination port '10022'
set nat destination rule 13 inbound-interface 'eth0'
set nat destination rule 13 protocol 'tcp'
set nat destination rule 13 translation address '172.16.240.3'
NTP
set system ntp server 10.232.3.222
vyos@vyos# run show ntp
     remote           refid      st t  when poll reach   delay   offset  jitter
==============================================================================
*10.232.3.222    114.118.7.161    2 u   372 1024  377    0.210   -2.518   0.693
The asterisk marks the peer currently selected for synchronisation; reach 377 (octal) means the last eight polls all succeeded.
Firewall
set firewall all-ping 'enable'
# ip-src-route 'enable' makes the router accept IP source-routed packets, letting a sender dictate the forwarding path past routing policy; leave it disabled unless source routing is genuinely required.
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name INSIDE1-OUTSIDE rule 20 action 'accept'
set firewall name INSIDE1-OUTSIDE rule 20 protocol 'all'
set firewall name INSIDE1-OUTSIDE rule 20 state new 'enable'
set firewall name LOCAL-OUTSIDE rule 10 action 'accept'
set firewall name LOCAL-OUTSIDE rule 10 protocol 'all'
set firewall name LOCAL-OUTSIDE rule 10 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
set interfaces ethernet eth0 firewall in name 'OUTSIDE-LOCAL'
set interfaces ethernet eth0 firewall out name 'LOCAL-OUTSIDE'
set interfaces ethernet eth1 firewall in name 'INSIDE1-OUTSIDE'
Three things to check before committing a rule set like this. First, in VyOS 1.2/1.3 an interface's firewall in rule set filters traffic forwarded through the router that arrived on that interface, firewall out the forwarded traffic leaving it, and firewall local the traffic addressed to the router itself; nothing above attaches a local rule set, so rule 31 does not gate SSH to the router at all, it permits forwarded tcp/22. Second, a named rule set has default-action drop unless set otherwise, and every rule above accepts only state new, so replies to connections that were allowed out are dropped on the way back; accept the established and related states globally with the firewall state-policy node, or with an explicit rule in each rule set. Third, a rule that accepts a port on the outside interface from any source should carry a source address restriction whenever the set of legitimate clients is known.
vyos@vyos# set firewall name OUTSIDE-LOCAL rule 31 state
Possible completions:
established Established state
invalid Invalid state
new New state
related Related state
The connection-tracking states are NEW, ESTABLISHED, RELATED and INVALID.
Note: in TCP/IP terms UDP and ICMP are connectionless, but the connection-tracking (conntrack) module assigns a state to every packet regardless of protocol.
ESTABLISHED: for TCP, when an ssh client on one side of the firewall sends its first packet to an ssh server on the other side, that packet is the connection request; if the firewall lets it through, every subsequent packet exchanged between the client and the server on that connection is in state ESTABLISHED.
The same holds for UDP: when a browser resolves a domain name it sends a UDP query to a DNS server; if that query passes the firewall, the reply and any further packets between the browser and that server on the same flow are ESTABLISHED.
NEW: NEW is independent of the protocol; it is the first packet of a connection. The first packet an ssh client sends to an ssh server is in state NEW.
RELATED: RELATED describes packets of a new connection that conntrack expects because of an existing one, so they belong to no connection already in the table. It is protocol-independent: when a packet sent by the local machine causes the peer to open a second connection (an FTP data channel, or an ICMP error referring to an existing flow), the packets of that new connection are RELATED.
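The checks described above (source routing left on, rule sets that never accept established/related traffic, a port opened from any source, and the overwrite caused by reusing a NAT rule number) can be run mechanically over a list of set commands before they are committed. The linter below is an added example, not code from the original page or from the VyOS project; it parses the page's own commands, embedded here as a constructed sample, and a hardened variant in which the management network 203.0.113.0/24 is an assumed value chosen only for the example.

```python
"""Lint VyOS 1.2/1.3-style "set" commands for the firewall pitfalls discussed above.

Added example, not code from the original page or from the VyOS project.
"""
import shlex
from collections import defaultdict

# Constructed sample: the page's firewall/interface commands plus its two DNAT
# rules, which both use rule number 12.
SAMPLE_CONFIG = """
set firewall all-ping 'enable'
set firewall ip-src-route 'enable'
set firewall log-martians 'enable'
set firewall name INSIDE1-OUTSIDE rule 20 action 'accept'
set firewall name INSIDE1-OUTSIDE rule 20 protocol 'all'
set firewall name INSIDE1-OUTSIDE rule 20 state new 'enable'
set firewall name LOCAL-OUTSIDE rule 10 action 'accept'
set firewall name LOCAL-OUTSIDE rule 10 protocol 'all'
set firewall name LOCAL-OUTSIDE rule 10 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
set interfaces ethernet eth0 firewall in name 'OUTSIDE-LOCAL'
set interfaces ethernet eth0 firewall out name 'LOCAL-OUTSIDE'
set interfaces ethernet eth1 firewall in name 'INSIDE1-OUTSIDE'
set nat destination rule 12 translation address '192.168.0.100'
set nat destination rule 12 translation address '172.16.240.3'
"""

# The same configuration with every finding addressed. 203.0.113.0/24 is an
# assumed management network, chosen only for this example.
HARDENED_CONFIG = (
    SAMPLE_CONFIG
    .replace("ip-src-route 'enable'", "ip-src-route 'disable'")
    .replace("rule 12 translation address '172.16.240.3'",
             "rule 13 translation address '172.16.240.3'")
    + """
set firewall state-policy established action 'accept'
set firewall state-policy related action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 source address '203.0.113.0/24'
"""
)


def parse(text):
    """Return (path, value) pairs; the last token of each 'set' line is its value."""
    entries = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if len(tokens) >= 3 and tokens[0] == "set":
            entries.append((tuple(tokens[1:-1]), tokens[-1]))
    return entries


def rules_of(entries, ruleset):
    """Map rule number -> {leaf path: value} for one 'firewall name' rule set."""
    rules = defaultdict(dict)
    for path, value in entries:
        if path[:4] == ("firewall", "name", ruleset, "rule"):
            rules[path[4]][path[5:]] = value
    return rules


def accepts_state(rules, state):
    """True if some rule in the set accepts packets in the given conntrack state."""
    return any(leaves.get(("action",)) == "accept" and leaves.get(("state", state)) == "enable"
               for leaves in rules.values())


def lint(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    entries = parse(text)
    values = defaultdict(list)
    for path, value in entries:
        values[path].append(value)
    findings = []

    # 1. Source routing lets a sender dictate the forwarding path.
    if values.get(("firewall", "ip-src-route")) == ["enable"]:
        findings.append("firewall ip-src-route is enabled; set it to 'disable'")

    # 2. A single-valued node set twice: the later 'set' silently overwrites the earlier one.
    for path, vals in values.items():
        if len(set(vals)) > 1:
            findings.append(f"{' '.join(path)} is set {len(vals)} times "
                            f"({', '.join(vals)}); the last value wins")

    # 3. Every rule set attached to an interface must let reply traffic through.
    attached = sorted({v for path, vals in values.items()
                       if path[0] == "interfaces" and "firewall" in path and path[-1] == "name"
                       for v in vals})
    for ruleset in attached:
        rules = rules_of(entries, ruleset)
        for state in ("established", "related"):
            global_ok = values.get(("firewall", "state-policy", state, "action")) == ["accept"]
            if not global_ok and not accepts_state(rules, state):
                findings.append(f"rule set {ruleset}: nothing accepts state {state}; "
                                "with the default-action drop, reply traffic is discarded")
        # 4. A service opened to the world: accept + destination port, no source restriction.
        for number, leaves in sorted(rules.items()):
            if (leaves.get(("action",)) == "accept" and ("destination", "port") in leaves
                    and ("source", "address") not in leaves):
                findings.append(f"rule set {ruleset} rule {number}: accepts port "
                                f"{leaves[('destination', 'port')]} from any source")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
    print("hardened:", lint(HARDENED_CONFIG) or "clean")
```

Run against the page's configuration the linter reports nine findings (the source-routing flag, the rule 12 overwrite, two missing states for each of the three attached rule sets, and rule 31 open to any source); the hardened variant reports none. It relies only on the last token of each line being the value, which holds for every command on this page.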
Zone-based firewall policy
# Assign interfaces to a security zone. A zone may contain several interfaces, but an interface can belong to only one zone.
set zone-policy zone <name> interface <interfacenames>
# Define a zone as the local zone. The local zone contains no interfaces and applies only to the router itself.
set zone-policy zone <name> local-zone
# Set the zone's default action
set zone-policy zone <name> default-action [drop | reject]
# Set a meaningful zone description
set zone-policy zone <name> description <text>
# Apply a rule set to traffic between zones. The rule set is named on the destination zone, keyed by the source zone; traffic between a pair of zones with no rule set gets the destination zone's default action, while traffic between interfaces of the same zone is not filtered by default.
set zone-policy zone <Destination Zone> from <Source Zone> firewall name <rule-set>
set zone-policy zone <name> from <name> firewall name <rule-set>
set zone-policy zone <name> from <name> firewall ipv6-name <rule-set>
set zone-policy zone DMZ from LAN firewall name LANv4-to-DMZv4
set zone-policy zone LAN from DMZ firewall name DMZv4-to-LANv4
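Because a zone policy is a matrix (every ordered pair of zones either has a rule set or falls to the default action), it is easier to keep the matrix in data and generate the set commands from it, checking the two membership rules stated above at the same time. The generator below is an added example, not code from the original page or from the VyOS project; the zone names, interfaces and rule-set names are assumed for illustration, and the version switch emits the zone-policy zone prefix used on this page for 1.2/1.3 or the firewall zone prefix used by 1.4.

```python
"""Generate VyOS zone-policy commands from a zone map and a flow list.

Added example, not code from the original page or from the VyOS project.
Zone names, interfaces and rule-set names are assumed for illustration.
"""

# Constructed topology: three interface zones plus the router itself.
ZONES = {
    "OUTSIDE": ["eth0"],
    "LAN": ["eth1"],
    "DMZ": ["eth2"],
    "LOCAL": [],          # the local zone holds no interfaces
}

# (source zone, destination zone, rule set); any pair not listed gets the default action.
FLOWS = [
    ("LAN", "DMZ", "LANv4-to-DMZv4"),
    ("DMZ", "LAN", "DMZv4-to-LANv4"),
    ("LAN", "OUTSIDE", "LANv4-to-OUTSIDEv4"),
    ("OUTSIDE", "LOCAL", "OUTSIDEv4-to-LOCALv4"),
]

# Command prefix differs between VyOS 1.2/1.3 (zone-policy) and 1.4 (firewall zone).
PREFIX = {"1.3": "zone-policy zone", "1.4": "firewall zone"}


def membership_errors(zones, local_zone):
    """Check the membership rules: one zone per interface, no interface in the local zone."""
    errors = []
    owner = {}
    if local_zone not in zones:
        errors.append(f"local zone {local_zone} is not defined")
    for zone, interfaces in zones.items():
        if zone == local_zone and interfaces:
            errors.append(f"local zone {zone} must not contain interfaces")
        for iface in interfaces:
            if iface in owner:
                errors.append(f"{iface} is in both {owner[iface]} and {zone}")
            owner[iface] = zone
    return errors


def zone_policy_commands(zones, flows, local_zone="LOCAL", version="1.3", default_action="drop"):
    """Return the 'set' commands for the zones and the permitted inter-zone flows."""
    errors = membership_errors(zones, local_zone)
    if errors:
        raise ValueError("; ".join(errors))
    prefix = PREFIX[version]
    cmds = []
    for zone, interfaces in zones.items():
        cmds.append(f"set {prefix} {zone} default-action '{default_action}'")
        if zone == local_zone:
            cmds.append(f"set {prefix} {zone} local-zone")
        for iface in interfaces:
            cmds.append(f"set {prefix} {zone} interface '{iface}'")
    for src, dst, ruleset in flows:
        if src == dst or src not in zones or dst not in zones:
            raise ValueError(f"invalid flow {src} -> {dst}")
        cmds.append(f"set {prefix} {dst} from {src} firewall name '{ruleset}'")
    return cmds


def uncovered_pairs(zones, flows):
    """Ordered zone pairs with no rule set; traffic between them gets the default action."""
    covered = {(src, dst) for src, dst, _ in flows}
    return sorted((s, d) for s in zones for d in zones if s != d and (s, d) not in covered)


if __name__ == "__main__":
    for cmd in zone_policy_commands(ZONES, FLOWS):
        print(cmd)
    print("dropped by default:", uncovered_pairs(ZONES, FLOWS))
```

Printing uncovered_pairs before committing is the useful part: with four zones there are twelve ordered pairs, and the four flows above leave eight of them on the default action, including LOCAL to OUTSIDE, which means the router's own outbound traffic (NTP to the upstream server, for example) would be dropped until a rule set for that pair is added.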
HA-VRRP
set high-availability vrrp group 1 address 10.232.3.248/23
set high-availability vrrp group 1 interface 'eth0'
set high-availability vrrp group 1 peer-address '10.232.3.250'
set high-availability vrrp group 1 vrid '1'
vyos@vyos# run sh vrrp
Name    Interface    VRID    State     Priority    Last Transition
------  -----------  ------  --------  ----------  -----------------
1       eth0         1       MASTER    100         2m31s
peer-address switches the group to unicast VRRP towards the named peer; 10.232.3.250 is the address configured on eth0 earlier, so the same group on the partner router must point back at this router's own address instead. Priority 100 is the default; give the router that should normally hold the virtual address a higher priority.