Configure vyatta

 

Username: vyatta
Password: vyatta

Configure the network interfaces:

Edit (enter configuration mode):

configure

Internal network IP address: 192.168.0.1

set interfaces ethernet eth0 address 192.168.0.1/24
set interfaces ethernet eth0 description Inside

Obtain the external IP address automatically from a DHCP server:

set interfaces ethernet eth1 address dhcp
set interfaces ethernet eth1 description Outside
commit

Verify:

show interfaces
ip addr
ping www.google.com

 

Resulting interface configuration:

 ethernet eth0 {
     address 192.168.0.1/24
     description Inside
     duplex auto
     smp_affinity auto
     speed auto
 }
 ethernet eth1 {
     address dhcp
     description Outside
     duplex auto
     firewall {
         in {
             name WAN_IN
         }
     }
     smp_affinity auto
     speed auto
 }
 loopback lo {
 }


Configure SSH:

set service ssh port '22'
set service ssh listen-address 192.168.0.1      (the router's internal IP address)
commit

vyatta@vyatta# show service ssh
 listen-address 192.168.0.1
 port 22
 protocol-version v2

 

Inside to outside connectivity:

Configure Network Address Translation (NAT):    // all machines on the internal network share one external address to reach the Internet

Configure Source NAT for our "Inside" network.

set service nat rule 10 outbound-interface eth1          (external NIC) NAT egress interface
set service nat rule 10 source address 192.168.0.0/24    addresses to be translated
set service nat rule 10 type masquerade                  enable NAT (masquerade)
commit

vyatta@vyatta# show service
 nat {
     rule 10 {
         outbound-interface eth1
         source {
             address 192.168.0.0/24
         }
         type masquerade
     }
 }


Set up DNS forwarding:

set service dns forwarding listen-on eth0               (internal NIC)
set service dns forwarding cache-size '0'
set service dns forwarding name-server 10.108.36.85     (IP address of any VM that runs a DNS server)
commit

vyatta@vyatta# show service dns
 dns {
     forwarding {
         cache-size 0
         listen-on eth0   (internal)
         name-server 10.108.36.85
     }
 }


Outside to inside connectivity:

Configure firewall rules:

set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 destination address 192.168.0.12
set firewall name WAN_IN rule 10 destination port 443
set firewall name WAN_IN rule 10 protocol tcp
set firewall name WAN_IN rule 10 description ALLOW-ACCESS-TO-ACCESS-GATEWAY
set firewall name WAN_IN rule 10 log enable
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 destination address 192.168.0.0/24
set firewall name WAN_IN rule 20 description NAT-FOR-LAN
commit

 

NAT rule:

set service nat rule 20 destination address 10.108.16.30      (router's external IP address)
set service nat rule 20 destination port 443                  (open port 443 towards the internal network)
set service nat rule 20 inbound-interface eth1                (external NIC)
set service nat rule 20 inside-address address 192.168.0.12   (gateway IP address, the VIP clients connect to; maps to the internal web server's IP address and port)
set service nat rule 20 inside-address port 443
set service nat rule 20 type destination
set service nat rule 20 protocol tcp
commit

vyatta@vyatta# show service
     rule 20 {
         destination {
             port 443
         }
         inbound-interface eth1
         inside-address {
             address 192.168.0.12
             port 443
         }
         protocol tcp
         type destination
     }
 }


Assign the firewall policy to NIC eth1:

set interfaces ethernet eth1 firewall in name WAN_IN      apply the WAN_IN policy on eth1 (the external NIC)
commit
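An added check, not from the original post: it parses the brace-style `show` output used throughout this page and lists the WAN_IN accept rules that are not pinned to both a destination port and a protocol. Rule 20 above, which accepts anything destined to 192.168.0.0/24, is the kind of rule it reports; the sample text is constructed from the rules on this page.

```python
# Added example, not from the original post: parse a Vyatta brace-style
# `show` dump and list WAN_IN accept rules that are not pinned to both a
# destination port and a protocol (rule 20 above is one).
SAMPLE = """\
name WAN_IN {
    rule 10 {
        action accept
        destination {
            address 192.168.0.12
            port 443
        }
        protocol tcp
    }
    rule 20 {
        action accept
        destination {
            address 192.168.0.0/24
        }
    }
}
"""  # constructed from the rules on this page, not a real device capture

def parse(lines, i=0):
    """'key value {' opens a nested dict stored under 'key value',
    'key value' is a leaf and '}' closes the block; returns (node, next)."""
    node = {}
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line == "}":
            break
        if line.endswith("{"):
            node[line[:-1].strip()], i = parse(lines, i)
        elif line:
            key, _, value = line.partition(" ")
            node[key] = value
    return node, i

def broad_accepts(config_text, name="WAN_IN"):
    """Names of rules in the given firewall that accept traffic without
    restricting both destination port and protocol."""
    rules, _ = parse(config_text.splitlines())
    return [rule for rule, body in rules[f"name {name}"].items()
            if body.get("action") == "accept"
            and ("port" not in body.get("destination", {})
                 or "protocol" not in body)]

if __name__ == "__main__":
    print(broad_accepts(SAMPLE))  # ['rule 20']
```

Feed it the text of `show firewall name WAN_IN` from configuration mode to check a live ruleset the same way.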

 

Configure a DHCP server:

set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'internal-network'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 start 192.168.0.30 stop '192.168.0.254'
commit
save

vyatta@vyatta# show service dhcp-server
 disabled false
 shared-network-name DHCP_Pool_ETH1 {
     authoritative disable
     subnet 192.168.0.0/24 {
         default-router 192.168.0.1
         dns-server 192.168.0.1
         domain-name internal-network
         lease 86400
         start 192.168.0.30 {
             stop 192.168.0.254
         }
     }
 }

commit
save

 

Check inside/outside connectivity:

From an internal VM, open the shared server on the external network.
From the external network, open https://router_external_ip

For more, see: https://wiki.vyos.net/wiki/User_Guide

posted @ 2019-02-27 14:34 薏米*