VyOS, the open-source fork of Vyatta
Source: https://www.reddit.com/r/networking/comments/3dvwfy/who_here_is_using_vyos/
Vyatta came in two flavors: Community Edition and Subscription Edition. VyOS was forked from Vyatta CE 6.6R1. The commercial version of Vyatta at the time (SE) used a different (non-free) routing engine called ZebOS from IP Infusion. IP Infusion was started by the authors of GNU Zebra when they realized they could make money off the project and closed it up. Quagga (which is what VyOS is using) was a fork of GNU Zebra from before they went closed source. The major functionality you get with ZebOS instead of Quagga is multicast routing and DMVPN support. IIRC up until 6.6 Vyatta was also using Quagga for its commercial offering. The major feature of the commercial offering vs. open source was the web GUI and support and "config-sync" for clustering. When Brocade purchased Vyatta Inc the product became the "Vyatta vRouter 5400". Brocade also released another version of Vyatta that leverages Intel DPDK to implement a custom (non-free) forwarding engine that scales performance into the 100G range. That one is called the "vRouter 5600".

Similarly EdgeOS (Ubiquiti EdgeRouter) was forked from Vyatta CE 6.3. Changes between 6.3 and 6.6 are a major reason for configuration inconsistencies between EdgeOS and VyOS (specifically in the areas of NAT and policy routing configuration). Ubiquiti EdgeOS is built using the Linux SDK for the Cavium Octeon network CPU that they use for the EdgeRouter to take advantage of hardware acceleration. The other big thing Ubiquiti brought to the table was a really well designed web GUI (both visually and technically).

VyOS has made some progress as well. Initial support for DMVPN and VXLAN was introduced in the 2nd major release (1.1) along with support for 802.1ad (Q-in-Q tagging) and IGMP proxy for basic multicast support. VyOS is a pretty active project with their IRC channel on Freenode having over 100 users and 11 releases since 1.0.0 in December of 2013 and the 3rd major release (Lithium) around the corner.

Support for Intel DPDK is out of scope for VyOS but a lot of companies are building versions of Linux that support Intel DPDK which VyOS can be built upon. Specific examples being Wind River Linux (now an Intel company), 6WIND and MontaVista. Because they implement DPDK support at the kernel level VyOS is basically a drop-in to add configuration management for these. I am hoping that with the purchase of Wind River, Intel will eventually open source the DPDK-powered Linux enhancements.

Where I use VyOS the most is as a firewall. The flexibility to right-size a single solution across physical and virtual firewall needs is really a killer app of VyOS. The firewall policy configuration syntax is very verbose and makes policy audits easy even for security engineers unfamiliar with VyOS specifically. We were able to modify RANCID pretty easily to automate configuration backups for VyOS devices like we do for Cisco. Because the configuration file has all system config it makes swapping a failed unit less like rebuilding a Linux server and more like applying a configuration file to a traditional network device. I use VRRP and conntrack-sync for failover which works nicely.

Shortcomings and things to improve:
1. Network/Address group support for IPv6 (currently IPv4 only)
2. It would be nice to see VRRP support for IPv6
3. Adjustments to firewall policy engine when applied to bridge interfaces to better support VyOS in a transparent bridge firewall configuration (currently possible but not "clean").
4. Cross-system LACP to support horizontal scaling of transparent firewall.
5. More work is needed to polish up "cluster mode" and we need config-sync to avoid having to configure multiple devices when in pairs.
6. NAT logging is a challenge at large scale (10000+ users). This is a Linux problem. It would be nice to see the netfilter project implement a CGN kind of offering that mapped a specific range of ports to each internal IP to avoid the need for translation logging.
7. It would be nice to see a DHCPv6 relay agent support injecting routes for DHCPv6-PD and more DHCPv6 support in general.
8. IPv6 transition technologies like NAT64 with DNS ALG.
9. Add VRF-Lite support (start with isolating management VRF)
10. Add Multicast routing support (PIM-SM)
11. JSON-RPC based web API and an optional web GUI that uses the API that can be run locally or on a separate system.
VyOS usage guide
Source: https://www.emulatedlab.com/thread-1381-1-1.html
1. Image credentials: username vyos, password vyos. Change the password before the router is reachable from any untrusted network.

2. VyOS wiki: https://wiki.vyos.net/wiki/User_Guide

3. Supported features:
    VLANs: 802.1q and QinQ
    Static and dynamic routing: BGP for IPv4 and IPv6, OSPFv2, RIP, RIPng, policy-based routing, equal-cost multi-path
    Firewall: firewall rulesets for IPv4 and IPv6 traffic that you assign to interfaces, zone-based firewall, address/network/port groups for IPv4 firewalls
    Tunnel interfaces: PPPoE, GRE, IPIP, SIT, static L2TPv3, VXLAN
    VPN: site-to-site IPsec for IPv4 and IPv6, L2TP/IPsec server, PPTP server, OpenVPN for site-to-site and remote access
    NAT: source NAT, port forwards, one-to-one, one-to-many and many-to-many translations
    DHCP: DHCP and DHCPv6 server and relay
    Redundancy: VRRP, connection table synchronization

4. After login you are in operational mode; the prompt ends in $:
    vyos@vyos:~$ s[tab]
    set   show
    vyos@vyos:~$

5. Tab completion works on every command:
    vyos@vyos:~$ show [tab]
    Possible completions:
      arp              Show Address Resolution Protocol (ARP) information
      bridge           Show bridging information
      cluster          Show clustering information
      configuration    Show running configuration
      conntrack        Show conntrack entries in the conntrack table
      conntrack-sync   Show connection syncing information
      date             Show system date and time
      dhcp             Show Dynamic Host Configuration Protocol (DHCP) information
      dhcpv6           Show status related to DHCPv6
      disk             Show status of disk device
      dns              Show Domain Name Server (DNS) information
      file             Show files for a particular image
      firewall         Show firewall information
      flow-accounting  Show flow accounting statistics
      hardware         Show system hardware details
      history          show command history
      host             Show host information
      incoming         Show ethernet input-policy information
    vyos@vyos:~$

6. Enter configuration mode; the prompt changes to # and shows an [edit] marker:
    vyos@vyos:~$ configure
    [edit]
    vyos@vyos:~#

7. Change the hostname, then commit, save and leave configuration mode:
    vyos@vyos:~$ configure
    [edit]
    vyos@vyos:~# set system host-name host1
    [edit]
    vyos@vyos:~# commit
    vyos@vyos:~# save
    vyos@vyos:~# exit
    vyos@vyos:~$ reboot
   commit applies the change to the running system; save writes it to /config/config.boot so that it survives a reboot (uncommitted or unsaved changes are lost). The reboot itself is only needed if you want to verify that the saved configuration comes back.

8. Configure the network interfaces:
    set interfaces ethernet eth0 address dhcp
    set interfaces ethernet eth0 description 'OUTSIDE'
    set interfaces ethernet eth1 address '192.168.0.1/24'
    set interfaces ethernet eth1 description 'INSIDE'

9. Enable the SSH service (the port is the only parameter set here; it listens on every address until the OUTSIDE-LOCAL ruleset in step 13 restricts it, or until you set service ssh listen-address):
    set service ssh port '22'

10. Source NAT for the inside network:
    set nat source rule 100 outbound-interface 'eth0'
    set nat source rule 100 source address '192.168.0.0/24'
    set nat source rule 100 translation address masquerade

11. DHCP server:
    set service dhcp-server disabled 'false'
    set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
    set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1'
    set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'internal-network'
    set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
    set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 start 192.168.0.9 stop '192.168.0.254'

12. DNS forwarding. listen-on eth1 keeps the forwarder off the outside interface, so it is not an open resolver; cache-size 0 disables caching:
    set service dns forwarding cache-size '0'
    set service dns forwarding listen-on 'eth1'
    set service dns forwarding name-server '8.8.8.8'
    set service dns forwarding name-server '8.8.4.4'

13. Firewall rules. OUTSIDE-IN filters traffic forwarded through eth0 and OUTSIDE-LOCAL filters traffic addressed to the router itself; both default to drop and accept only established/related flows. OUTSIDE-LOCAL additionally accepts ICMP echo-request (rule 20) and rate-limits SSH: rule 30 drops a new connection from a source that has already opened more than 4 in the last 60 seconds (recent), rule 31 accepts the rest. Rule order matters, which is why the recent-based drop is numbered below the accept:
    set firewall name OUTSIDE-IN default-action 'drop'
    set firewall name OUTSIDE-IN rule 10 action 'accept'
    set firewall name OUTSIDE-IN rule 10 state established 'enable'
    set firewall name OUTSIDE-IN rule 10 state related 'enable'
    set firewall name OUTSIDE-LOCAL default-action 'drop'
    set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
    set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
    set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
    set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
    set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
    set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
    set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
    set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
    set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
    set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
    set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
    set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
    set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
    set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
    set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
    set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
    set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'

14. Attach the rulesets to the outside interface (a ruleset that is defined but not attached filters nothing):
    set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
    set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

15. Commit and save:
    vyos@vyos# commit
    vyos@vyos# save
    Saving configuration to '/config/config.boot'...
    Done
    vyos@vyos# exit
    vyos@vyos$

16. Show the configuration (this output was taken before eth1 and the firewall were added):
    vyos@vyos:~$ show configuration
    interfaces {
        ethernet eth0 {
            address dhcp
            hw-id 00:0c:29:44:3b:0f
        }
        loopback lo {
        }
    }
    service {
        ssh {
            port 22
        }
    }
    system {
        config-management {
            commit-revisions 20
        }
        console {
            device ttyS0 {
                speed 9600
            }
        }
        login {
            user vyos {
                authentication {
                    encrypted-password ****************
                }
                level admin
            }
        }
        ntp {
            server 0.pool.ntp.org {
            }
            server 1.pool.ntp.org {
            }
            server 2.pool.ntp.org {
            }
        }
        package {
            repository community {
                components main
                distribution hydrogen
                url http://packages.vyos.net/vyos
            }
        }
        syslog {
            global {
                facility all {
                    level notice
                }
                facility protocols {
                    level debug
                }
            }
        }
    }
    vyos@vyos:~$

17. Show interface configuration from configuration mode. After a set, the uncommitted change is shown with a leading +:
    vyos@vyos:~$ configure
    [edit]
    vyos@vyos# show interfaces
     ethernet eth0 {
         address dhcp
         hw-id 00:0c:29:44:3b:0f
     }
     loopback lo {
     }
    [edit]
    vyos@vyos# set interfaces ethernet eth0 description 'OUTSIDE'
    [edit]
    vyos@vyos# show interfaces
     ethernet eth0 {
         address dhcp
    +    description OUTSIDE
         hw-id 00:0c:29:44:3b:0f
     }
     loopback lo {
     }
    [edit]

18. Show interface status:
    vyos@vyos:~$ show interfaces
    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
    Interface        IP Address                        S/L  Description
    ---------        ----------                        ---  -----------
    eth0             172.16.51.129/24                  u/u  OUTSIDE
    eth1             192.168.0.1/24                    u/u  INSIDE
    lo               127.0.0.1/8                       u/u
                     ::1/128
    vyos@vyos:~$

19. Show details of one Ethernet interface:
    vyos@vyos:~$ show interfaces ethernet eth0
    eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:0c:29:44:3b:0f brd ff:ff:ff:ff:ff:ff
        inet 172.16.51.129/24 brd 172.16.51.255 scope global eth0
        inet6 fe80::20c:29ff:fe44:3b0f/64 scope link
           valid_lft forever preferred_lft forever
        Description: OUTSIDE

        RX:  bytes    packets     errors    dropped    overrun      mcast
            274397       3064          0          0          0          0
        TX:  bytes    packets     errors    dropped    carrier collisions
            257276       1890          0          0          0          0
    vyos@vyos:~$

20. Interface description and address:
    set interfaces ethernet eth0 description 'OUTSIDE'
    set interfaces ethernet eth0 address 'dhcp'

21. Ethernet interface parameters:
    set interfaces ethernet eth1 address '192.168.0.1/24'
    set interfaces ethernet eth1 description 'INSIDE'
    set interfaces ethernet eth1 duplex 'auto'
    set interfaces ethernet eth1 speed 'auto'

22. VLAN sub-interface (vif):
    set interfaces ethernet eth1 vif 100 description 'VLAN 100'
    set interfaces ethernet eth1 vif 100 address '192.168.100.1/24'
   Resulting configuration:
    ethernet eth1 {
        address 192.168.0.1/24
        description INSIDE
        duplex auto
        hw-id 00:0c:29:44:3b:19
        smp_affinity auto
        speed auto
        vif 100 {
            address 192.168.100.1/24
            description "VLAN 100"
        }
    }
    vyos@vyos:~$ show interfaces
    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
    Interface        IP Address                        S/L  Description
    ---------        ----------                        ---  -----------
    eth0             172.16.51.129/24                  u/u  OUTSIDE
    eth1             192.168.0.1/24                    u/u  INSIDE
    eth1.100         192.168.100.1/24                  u/u  VLAN 100
    lo               127.0.0.1/8                       u/u
                     ::1/128
    vyos@vyos:~$

23. Bridge. Create the bridge, add the VLAN sub-interface as a member, give the bridge its address and enable STP:
    set interfaces bridge 'br100'
    set interfaces ethernet eth1 vif 100 bridge-group bridge br100
    set interfaces bridge br100 address '192.168.100.1/24'
    set interfaces bridge br100 stp true
   Show bridge state:
    vyos@vyos:~$ show bridge
    bridge name     bridge id               STP enabled     interfaces
    br100           0000.000c29443b19       yes             eth1.100
    vyos@vyos:~$
    vyos@vyos:~$ show bridge br100 spanning-tree
    br100
     bridge id              0000.000c29443b19
     designated root        0000.000c29443b19
     root port                 0                    path cost                  0
     max age                  20.00                 bridge max age            20.00
     hello time                2.00                 bridge hello time          2.00
     forward delay            15.00                 bridge forward delay      15.00
     ageing time             300.00
     hello timer               0.47                 tcn timer                  0.00
     topology change timer     0.00                 gc timer                  64.63
     flags

    eth1.100 (1)
     port id                8001                    state                forwarding
     designated root        0000.000c29443b19       path cost                  4
     designated bridge      0000.000c29443b19       message age timer          0.00
     designated port        8001                    forward delay timer        0.00
     designated cost           0                    hold timer                 0.00
     flags
    vyos@vyos:~$
    vyos@vyos:~$ show bridge br100 macs
    port no mac addr                is local?       ageing timer
      1     00:0c:29:44:3b:19       yes                0.00
    vyos@vyos:~$

24. Link aggregation (bonding). This is a separate example: an interface that becomes a bond member must not carry its own address.
    set interfaces bonding bond0 description 'my-sw1 int 23 and 24'
    vyos@vyos# set interfaces bonding bond0 hash-policy
    Possible completions:
      layer2       use MAC addresses to generate the hash (802.3ad)
      layer2+3     combine MAC address and IP address to make hash
      layer3+4     combine IP address and port to make hash
    set interfaces bonding bond0 hash-policy 'layer2'
    set interfaces bonding bond0 mode '802.3ad'
   Available bonding modes:
    vyos@vyos# set interfaces bonding bond0 mode
    Possible completions:
      802.3ad                  IEEE 802.3ad Dynamic link aggregation (Default)
      active-backup            Fault tolerant: only one slave in the bond is active
      broadcast                Fault tolerant: transmits everything on all slave interfaces
      round-robin              Load balance: transmit packets in sequential order
      transmit-load-balance    Load balance: adapts based on transmit load and speed
      adaptive-load-balance    Load balance: adapts based on transmit and receive plus ARP
      xor-hash                 Load balance: distribute based on MAC address
   Add member interfaces to bond0:
    set interfaces ethernet eth0 bond-group 'bond0'
    set interfaces ethernet eth0 description 'member of bond0'
    set interfaces ethernet eth1 bond-group 'bond0'
    set interfaces ethernet eth1 description 'member of bond0'
   Show the bond (run prefixes an operational command from configuration mode):
    vyos@vyos# run sh interfaces bonding
    Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
    Interface        IP Address                        S/L  Description
    ---------        ----------                        ---  -----------
    bond0            -                                 u/u  my-sw1 int 23 and 24
    bond0.10         192.168.0.1/24                    u/u  office-net
    bond0.100        10.10.10.1/24                     u/u  management-net

25. Virtual tunnel interface (VTI):
    set interfaces vti vti0 address 192.168.2.249/30
    vyos@vyos# show interfaces vti
     vti vti0 {
         address 192.168.2.249/30
         description "Description"
     }

26. Routing
   Static route:
    set protocols static route 0.0.0.0/0 next-hop 203.0.113.1 distance '1'
   Resulting configuration:
    static {
        route 0.0.0.0/0 {
            next-hop 203.0.113.1 {
                distance 1
            }
        }
    }
   Blackhole routes. Distance 254 makes them lose to any more specific or dynamically learned route, so they only catch RFC 1918 destinations that have no real route, and drop them locally instead of sending them out the default route:
    set protocols static route 10.0.0.0/8 blackhole distance '254'
    set protocols static route 172.16.0.0/12 blackhole distance '254'
    set protocols static route 192.168.0.0/16 blackhole distance '254'
    route 10.0.0.0/8 {
        blackhole {
            distance 254
        }
    }
    route 172.16.0.0/12 {
        blackhole {
            distance 254
        }
    }
    route 192.168.0.0/16 {
        blackhole {
            distance 254
        }
    }
   RIP, node 1:
    set interfaces loopback lo address 1.1.1.1/32
    set protocols rip network 192.168.0.0/24
    set protocols rip redistribute connected
   Node 2:
    set interfaces loopback lo address 2.2.2.2/32
    set protocols rip network 192.168.0.0/24
    set protocols rip redistribute connected

27. OSPF
   IPv4, node 1 (also originates a default route and redistributes only the loopback, selected by the CONNECT route-map):
    set interfaces loopback lo address 1.1.1.1/32
    set protocols ospf area 0 network 192.168.0.0/24
    set protocols ospf default-information originate always
    set protocols ospf default-information originate metric 10
    set protocols ospf default-information originate metric-type 2
    set protocols ospf log-adjacency-changes
    set protocols ospf parameters router-id 1.1.1.1
    set protocols ospf redistribute connected metric-type 2
    set protocols ospf redistribute connected route-map CONNECT
    set policy route-map CONNECT rule 10 action permit
    set policy route-map CONNECT rule 10 match interface lo
   Node 2:
    set interfaces loopback lo address 2.2.2.2/32
    set protocols ospf area 0 network 192.168.0.0/24
    set protocols ospf log-adjacency-changes
    set protocols ospf parameters router-id 2.2.2.2
    set protocols ospf redistribute connected metric-type 2
    set protocols ospf redistribute connected route-map CONNECT
    set policy route-map CONNECT rule 10 action permit
    set policy route-map CONNECT rule 10 match interface lo
   IPv6 (OSPFv3), node 1:
    set protocols ospfv3 area 0.0.0.0 interface eth1
    set protocols ospfv3 area 0.0.0.0 range 2001:db8:1::/64
    set protocols ospfv3 parameters router-id 192.168.1.1
    set protocols ospfv3 redistribute connected
   Node 2:
    set protocols ospfv3 area 0.0.0.0 interface eth1
    set protocols ospfv3 area 0.0.0.0 range 2001:db8:2::/64
    set protocols ospfv3 parameters router-id 192.168.2.1
    set protocols ospfv3 redistribute connected

28. BGP
   IPv4 (eBGP), node 1 (AS 65536):
    set protocols bgp 65536 neighbor 192.168.0.2 ebgp-multihop '2'
    set protocols bgp 65536 neighbor 192.168.0.2 remote-as '65537'
    set protocols bgp 65536 neighbor 192.168.0.2 update-source '192.168.0.1'
    set protocols bgp 65536 network '1.0.0.0/16'
    set protocols bgp 65536 parameters router-id '192.168.0.1'
   Node 2 (AS 65537):
    set protocols bgp 65537 neighbor 192.168.0.1 ebgp-multihop '2'
    set protocols bgp 65537 neighbor 192.168.0.1 remote-as '65536'
    set protocols bgp 65537 neighbor 192.168.0.1 update-source '192.168.0.2'
    set protocols bgp 65537 network '2.0.0.0/16'
    set protocols bgp 65537 parameters router-id '192.168.0.2'
   Blackhole routes for the announced aggregates, so the prefix exists in the routing table (a network statement only announces a prefix that has a route) and traffic to unused parts of the block is dropped locally:
   Node 1:
    set protocols static route 1.0.0.0/16 blackhole distance '254'
   Node 2:
    set protocols static route 2.0.0.0/16 blackhole distance '254'
   IPv6, node 1:
    set protocols bgp 65536 neighbor 2a00:100::2 ebgp-multihop '2'
    set protocols bgp 65536 neighbor 2a00:100::2 remote-as '65537'
    set protocols bgp 65536 neighbor 2a00:100::2 update-source '2a00:100::1'
    set protocols bgp 65536 neighbor 2a00:100::2 address-family ipv6-unicast
    set protocols bgp 65536 address-family ipv6-unicast network '2a00:100:1::/48'
    set protocols bgp 65536 parameters router-id '1.1.1.1'
   Node 2:
    set protocols bgp 65537 neighbor 2a00:100::1 ebgp-multihop '2'
    set protocols bgp 65537 neighbor 2a00:100::1 remote-as '65536'
    set protocols bgp 65537 neighbor 2a00:100::1 update-source '2a00:100::2'
    set protocols bgp 65537 neighbor 2a00:100::1 address-family ipv6-unicast
    set protocols bgp 65537 address-family ipv6-unicast network '2a00:100:2::/48'
    set protocols bgp 65537 parameters router-id '1.1.1.2'
   Blackhole routes, node 1:
    set protocols static route6 2a00:100:1::/48 blackhole distance '254'
   Node 2:
    set protocols static route6 2a00:100:2::/48 blackhole distance '254'

29. Route filtering
   Filters are applied to a neighbor as route-maps. Two semantics matter here. A prefix-list rule with a bare prefix matches exactly that prefix (add le/ge to cover more-specifics), and anything not matched by any rule is denied. A route-map rule's match against a prefix-list succeeds only when the prefix-list permits the route, so a prefix-list that contains only deny entries never matches anything. To keep a prefix out of the export, the prefix-list therefore permits it and the route-map rule denies it (rule 10); rule 20 then permits everything else. The import policy accepts only the peer's own prefix and denies the rest.
   Node 1:
    set policy prefix-list AS65537-IN rule 10 action 'permit'
    set policy prefix-list AS65537-IN rule 10 prefix '2.0.0.0/16'
    set policy prefix-list AS65537-OUT rule 10 action 'permit'
    set policy prefix-list AS65537-OUT rule 10 prefix '2.0.0.0/16'
    set policy prefix-list6 AS65537-IN rule 10 action 'permit'
    set policy prefix-list6 AS65537-IN rule 10 prefix '2a00:100:2::/48'
    set policy prefix-list6 AS65537-OUT rule 10 action 'permit'
    set policy prefix-list6 AS65537-OUT rule 10 prefix '2a00:100:2::/48'
    set policy route-map AS65537-IN rule 10 action 'permit'
    set policy route-map AS65537-IN rule 10 match ip address prefix-list 'AS65537-IN'
    set policy route-map AS65537-IN rule 10 match ipv6 address prefix-list 'AS65537-IN'
    set policy route-map AS65537-IN rule 20 action 'deny'
    set policy route-map AS65537-OUT rule 10 action 'deny'
    set policy route-map AS65537-OUT rule 10 match ip address prefix-list 'AS65537-OUT'
    set policy route-map AS65537-OUT rule 10 match ipv6 address prefix-list 'AS65537-OUT'
    set policy route-map AS65537-OUT rule 20 action 'permit'
    set protocols bgp 65536 neighbor 2a00:100::2 route-map export 'AS65537-OUT'
    set protocols bgp 65536 neighbor 2a00:100::2 route-map import 'AS65537-IN'
   Node 2:
    set policy prefix-list AS65536-IN rule 10 action 'permit'
    set policy prefix-list AS65536-IN rule 10 prefix '1.0.0.0/16'
    set policy prefix-list AS65536-OUT rule 10 action 'permit'
    set policy prefix-list AS65536-OUT rule 10 prefix '1.0.0.0/16'
    set policy prefix-list6 AS65536-IN rule 10 action 'permit'
    set policy prefix-list6 AS65536-IN rule 10 prefix '2a00:100:1::/48'
    set policy prefix-list6 AS65536-OUT rule 10 action 'permit'
    set policy prefix-list6 AS65536-OUT rule 10 prefix '2a00:100:1::/48'
    set policy route-map AS65536-IN rule 10 action 'permit'
    set policy route-map AS65536-IN rule 10 match ip address prefix-list 'AS65536-IN'
    set policy route-map AS65536-IN rule 10 match ipv6 address prefix-list 'AS65536-IN'
    set policy route-map AS65536-IN rule 20 action 'deny'
    set policy route-map AS65536-OUT rule 10 action 'deny'
    set policy route-map AS65536-OUT rule 10 match ip address prefix-list 'AS65536-OUT'
    set policy route-map AS65536-OUT rule 10 match ipv6 address prefix-list 'AS65536-OUT'
    set policy route-map AS65536-OUT rule 20 action 'permit'
    set protocols bgp 65537 neighbor 2a00:100::1 route-map export 'AS65536-OUT'
    set protocols bgp 65537 neighbor 2a00:100::1 route-map import 'AS65536-IN'
   The route-maps above are attached only to the IPv6 neighbors; attach them to the IPv4 neighbors (192.168.0.1 and 192.168.0.2) as well if that session should be filtered.

30. Policy-based routing
   VyOS supports policy routing, which assigns traffic to alternative routing tables. Traffic is matched on the standard 5-tuple (source address, destination address, protocol, source port, destination port). The following example redirects web traffic to an external transparent proxy:
    set policy route FILTER-WEB rule 1000 destination port 80
    set policy route FILTER-WEB rule 1000 protocol tcp
    set policy route FILTER-WEB rule 1000 set table 100
   This creates a routing policy named FILTER-WEB with one rule that sends matching traffic (TCP port 80) to routing table 100 instead of the main table. Table 100 must still be populated with a route towards the proxy (under protocols static table 100); its contents can be checked with the operational command show ip route table 100. Finally, the policy is applied to traffic arriving on the LAN interface:
    set interfaces ethernet eth1 policy route FILTER-WEB

31. Firewall rulesets
   Create a network group:
    set firewall group network-group NET-INSIDE network 192.168.0.0/24
    set firewall group network-group NET-INSIDE network 192.168.1.0/24
   Create a ruleset:
    set firewall name INSIDE-OUT default-action drop
    set firewall name INSIDE-OUT rule 1010 action accept
    set firewall name INSIDE-OUT rule 1010 state established enable
    set firewall name INSIDE-OUT rule 1010 state related enable
    set firewall name INSIDE-OUT rule 1020 action drop
    set firewall name INSIDE-OUT rule 1020 state invalid enable
   Apply the ruleset to an interface:
    set interfaces ethernet eth1 firewall out name INSIDE-OUT
   Or apply it to a zone pair (zone-based and interface-based firewalling are alternatives; pick one model):
    set zone-policy zone INSIDE from OUTSIDE firewall name INSIDE-OUT

32. NAT
   Source NAT:
    set nat source rule 100 outbound-interface 'eth0'
    set nat source rule 100 source address '192.168.0.0/24'
    set nat source rule 100 translation address 'masquerade'
   Destination NAT (port forward). DNAT happens before the interface firewall, so with OUTSIDE-IN defaulting to drop you also need an accept rule there for tcp/80 to the translated address 192.168.0.100:
    set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'
    set nat destination rule 10 destination port '80'
    set nat destination rule 10 inbound-interface 'eth0'
    set nat destination rule 10 protocol 'tcp'
    set nat destination rule 10 translation address '192.168.0.100'
   1-to-1 NAT (a separate example in which eth0 is inside and eth1 outside): a destination rule maps the public address to the host, and a matching source rule maps the host back to the public address:
    set interfaces ethernet eth0 address '192.168.1.1/24'
    set interfaces ethernet eth0 description 'Inside interface'
    set interfaces ethernet eth1 address '1.2.3.4/24'
    set interfaces ethernet eth1 description 'Outside interface'
    set nat destination rule 2000 description '1-to-1 NAT example'
    set nat destination rule 2000 destination address '1.2.3.4'
    set nat destination rule 2000 inbound-interface 'eth1'
    set nat destination rule 2000 translation address '192.168.1.10'
    set nat source rule 2000 description '1-to-1 NAT example'
    set nat source rule 2000 outbound-interface 'eth1'
    set nat source rule 2000 source address '192.168.1.10'
    set nat source rule 2000 translation address '1.2.3.4'

33. VPN
   a) OpenVPN site-to-site with a static pre-shared key. The key file must be the same on both ends and is kept under /config/auth/ so it survives upgrades.
   Local side:
    set interfaces openvpn vtun1 mode site-to-site
    set interfaces openvpn vtun1 protocol udp
    set interfaces openvpn vtun1 persistent-tunnel
    set interfaces openvpn vtun1 local-host '198.51.100.10'
    set interfaces openvpn vtun1 local-port '1195'
    set interfaces openvpn vtun1 remote-port '1195'
    set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
    set interfaces openvpn vtun1 local-address '10.255.1.1'
    set interfaces openvpn vtun1 remote-address '10.255.1.2'
   Remote side:
    set interfaces openvpn vtun1 mode site-to-site
    set interfaces openvpn vtun1 protocol udp
    set interfaces openvpn vtun1 persistent-tunnel
    set interfaces openvpn vtun1 remote-host '198.51.100.10'
    set interfaces openvpn vtun1 local-port '1195'
    set interfaces openvpn vtun1 remote-port '1195'
    set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
    set interfaces openvpn vtun1 local-address '10.255.1.2'
    set interfaces openvpn vtun1 remote-address '10.255.1.1'
   Available ciphers and hashes. des, 3des, the Blowfish variants, md5 and sha1 are listed for compatibility only; set aes256 and sha256 (or sha512) explicitly, identically on both ends:
    vyos@vyos# set interfaces openvpn vtun1 encryption
    Possible completions:
      des      DES algorithm
      3des     DES algorithm with triple encryption
      bf128    Blowfish algorithm with 128-bit key
      bf256    Blowfish algorithm with 256-bit key
      aes128   AES algorithm with 128-bit key
      aes192   AES algorithm with 192-bit key
      aes256   AES algorithm with 256-bit key
    vyos@vyos# set interfaces openvpn vtun1 hash
    Possible completions:
      md5      MD5 algorithm
      sha1     SHA-1 algorithm
      sha256   SHA-256 algorithm
      sha512   SHA-512 algorithm
   Route the remote network through the tunnel. Local side:
    set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1
   Remote side:
    set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1

   b) L2TP over IPsec

   c) Site-to-site IPsec. This mirrors the wiki example: IKEv1 with SHA-1 and the default DH group 5. On a current release prefer key-exchange ikev2, hash sha256 and a dh-group of 14 or higher, identically on both peers. In this example eth1 is the public-facing interface.
   Head office (1.1.1.1):
    set vpn ipsec esp-group office-srv-esp compression 'disable'
    set vpn ipsec esp-group office-srv-esp lifetime '1800'
    set vpn ipsec esp-group office-srv-esp mode 'tunnel'
    set vpn ipsec esp-group office-srv-esp pfs 'enable'
    set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
    set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
    set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
    set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
    set vpn ipsec ike-group office-srv-ike lifetime '3600'
    set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
    set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
    set vpn ipsec ipsec-interfaces interface 'eth1'
    set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
    set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'SomePreSharedKey'
    set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'office-srv-ike'
    set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
    set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-nat-networks 'disable'
    set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-public-networks 'disable'
    set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 esp-group 'office-srv-esp'
    set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 local prefix '192.168.0.0/24'
    set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 remote prefix '10.0.0.0/21'
   Remote office (2.2.2.2):
    set vpn ipsec esp-group office-srv-esp compression 'disable'
    set vpn ipsec esp-group office-srv-esp lifetime '1800'
    set vpn ipsec esp-group office-srv-esp mode 'tunnel'
    set vpn ipsec esp-group office-srv-esp pfs 'enable'
    set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
    set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
    set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
    set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
    set vpn ipsec ike-group office-srv-ike lifetime '3600'
    set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
    set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
    set vpn ipsec ipsec-interfaces interface 'eth1'
    set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret'
    set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret 'SomePreSharedKey'
    set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'office-srv-ike'
    set vpn ipsec site-to-site peer 1.1.1.1 local-address '2.2.2.2'
    set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-nat-networks 'disable'
    set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-public-networks 'disable'
    set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 esp-group 'office-srv-esp'
    set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 local prefix '10.0.0.0/21'
    set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 remote prefix '192.168.0.0/24'
   Check the IKE and IPsec security associations:
    vyos@srv-gw0:~$ sh vpn ike sa
    Peer ID / IP                            Local ID / IP
    ------------                            -------------
    2.2.2.2                                 1.1.1.1

        State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
        -----  -------  ----    -------  -----  ------  ------
        up     aes256   sha1    5        no     734     3600

    vyos@srv-gw0:~$ show vpn ipsec sa
    Peer ID / IP                            Local ID / IP
    ------------                            -------------
    2.2.2.2                                 1.1.1.1

        Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
        ------  -----  -------------  -------  ----    -----  ------  ------  -----
        0       up     7.5M/230.6K    aes256   sha1    no     567     1800    all
   If eth1 also carries a source NAT rule, traffic for the tunnel must be excluded from it, otherwise it is masqueraded before it reaches the IPsec policy and never matches the tunnel. The exclude rule must have a lower rule number than the masquerade rule (rules are evaluated in numeric order), and its destination must cover the whole remote prefix (10.0.0.0/21 above, not only a /24).
   Head office:
    set nat source rule 10 destination address '10.0.0.0/24'
    set nat source rule 10 'exclude'
    set nat source rule 10 outbound-interface 'eth1'
    set nat source rule 10 source address '192.168.0.0/24'
   Remote office:
    set nat source rule 10 destination address '192.168.0.0/24'
    set nat source rule 10 'exclude'
    set nat source rule 10 outbound-interface 'eth1'
    set nat source rule 10 source address '10.0.0.0/24'
   To let the remote network reach the router itself, add an accept rule to the ruleset that filters local traffic. Decrypted packets pass the interface firewall like any other ingress, so transit traffic into the LAN needs a corresponding accept rule in the in ruleset (OUTSIDE-IN) for the remote prefix as well.
   Head office:
    set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
    set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24'
   Remote office:
    set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
    set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24'

34. DHCP server
    set service dhcp-server shared-network-name 'LAN' authoritative enable
    set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' start '192.168.0.128' stop '192.168.0.254'
    set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' default-router '192.168.0.1'
    set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' dns-server '192.168.0.1'
    set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' domain-name 'internal-net'
    set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' lease 86400
   Static lease (the name SERVER is a label; the MAC address selects the client):
    set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' static-mapping 'SERVER' ip-address '192.168.0.10'
    set service dhcp-server shared-network-name 'LAN' subnet '192.168.0.0/24' static-mapping 'SERVER' mac-address '00:53:00:00:00:01'

35. DHCP relay
    set service dhcp-relay interface eth0
    set service dhcp-relay interface eth1
    set service dhcp-relay server 192.168.0.4
    set service dhcp-relay server 192.168.0.5
   Optional protections: the maximum hop count a relayed DHCP packet may carry and the maximum packet size:
    set service dhcp-relay hop-count 10
    set service dhcp-relay max-size 576
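The route-filtering policy in step 29 rests on two semantics that are easy to get wrong: a prefix-list rule with a bare prefix matches exactly that prefix (ge/le extend it to more-specifics), and a route-map rule's match against a prefix-list fires only when the list permits the route, so a list built from deny entries never matches anything, which is the classic way to write an export filter that filters nothing. The Python model below is an added example, not part of the original page or of VyOS/FRR. It encodes node 1's import policy as plain data and evaluates the export policy written both ways against a few constructed prefixes. One assumption is marked in the code: a match clause for the other address family is treated as ignored rather than as a non-match; verify that against the FRR release your image ships.

```python
import ipaddress

def plrule(action, prefix, ge=None, le=None):
    """One prefix-list rule. With neither ge nor le it matches exactly that prefix."""
    return {"action": action, "prefix": ipaddress.ip_network(prefix), "ge": ge, "le": le}

def plrule_matches(r, route):
    """The route must lie inside the rule's prefix and its length must fall in [lo, hi]:
    exact length when neither ge nor le is given, [ge, max] when only ge is given."""
    net = r["prefix"]
    if route.version != net.version or not route.subnet_of(net):
        return False
    lo = r["ge"] if r["ge"] is not None else net.prefixlen
    if r["le"] is not None:
        hi = r["le"]
    else:
        hi = net.max_prefixlen if r["ge"] is not None else net.prefixlen
    return lo <= route.prefixlen <= hi

def prefix_list_permits(rules, route):
    """First matching rule decides; a list that matches nothing denies (implicit deny)."""
    for r in rules:
        if plrule_matches(r, route):
            return r["action"] == "permit"
    return False

def permits(rules, prefix):
    return prefix_list_permits(rules, ipaddress.ip_network(prefix))

def route_map_action(rmap, route):
    """Walk the rules in order. A rule without match clauses matches everything; a rule
    whose clauses are all for the other address family is skipped (ASSUMED here, check
    your release); otherwise the rule fires only if its prefix-list PERMITS the route.
    Running off the end is a deny."""
    fam = "v4" if route.version == 4 else "v6"
    for entry in rmap:
        clauses = {k: entry[k] for k in ("v4", "v6") if k in entry}
        if not clauses:
            return entry["action"]
        if fam not in clauses:
            continue
        if prefix_list_permits(clauses[fam], route):
            return entry["action"]
    return "deny"

# Node 1's import policy from step 29: accept only AS65537's own prefixes.
RMAP_IN = [
    {"action": "permit", "v4": [plrule("permit", "2.0.0.0/16")],
                         "v6": [plrule("permit", "2a00:100:2::/48")]},   # rule 10
    {"action": "deny"},                                                  # rule 20
]

# Export policy with DENY entries in the prefix-lists: rule 10 can never fire.
RMAP_OUT_DENYLIST = [
    {"action": "deny", "v4": [plrule("deny", "2.0.0.0/16")],
                       "v6": [plrule("deny", "2a00:100:2::/48")]},       # rule 10
    {"action": "permit"},                                                # rule 20
]

# Export policy done right: PERMIT the prefix in the list, DENY it in the route-map.
RMAP_OUT_FIXED = [
    {"action": "deny", "v4": [plrule("permit", "2.0.0.0/16")],
                       "v6": [plrule("permit", "2a00:100:2::/48")]},     # rule 10
    {"action": "permit"},                                                # rule 20
]

# Constructed probes: the peer's prefix, a more-specific of it, our own prefix, the peer's v6 prefix.
SAMPLE_ROUTES = ["2.0.0.0/16", "2.0.1.0/24", "1.0.0.0/16", "2a00:100:2::/48"]

def evaluate(rmap, prefixes=SAMPLE_ROUTES):
    """Map each prefix to the action the route-map takes on it."""
    return {p: route_map_action(rmap, ipaddress.ip_network(p)) for p in prefixes}

if __name__ == "__main__":
    for name, rmap in (("import", RMAP_IN), ("export, deny-list", RMAP_OUT_DENYLIST),
                       ("export, fixed", RMAP_OUT_FIXED)):
        print(f"{name:18s} {evaluate(rmap)}")
```

Running it shows the import map letting through only 2.0.0.0/16 and 2a00:100:2::/48, the deny-list export map permitting every probe, and the fixed export map denying the peer's prefixes. Note that the fixed map still exports 2.0.1.0/24, because the bare prefix rule is exact; a rule with le 32 (or le 128 for IPv6) is what catches more-specifics.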
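The rulesets in steps 13 and 14, the INSIDE-OUT ruleset in step 31 and the NAT exclusion in step 33 are all plain set commands, which is what makes them easy to audit: show configuration commands prints the running configuration in the same form, and that is what a RANCID-style backup captures. The script below is an added example, not part of the page or of VyOS. It parses set lines into token paths and checks three things a reviewer looks for: every firewall name ruleset defaults to drop or reject and is actually attached to an interface or zone; any rule that accepts new TCP/22 connections is preceded by a recent-based drop rule like rule 30; and any nat source exclude rule is numbered below the masquerade rule on the same interface. The sample configuration is constructed: it takes the page's OUTSIDE rulesets and masquerade rule and adds a deliberately weak ruleset (INSIDE-OUT) plus an exclude rule that is numbered too high.

```python
import shlex

# Constructed sample: the page's OUTSIDE-IN / OUTSIDE-LOCAL rulesets and masquerade
# rule, plus a deliberately weak ruleset (INSIDE-OUT) and an exclude rule numbered
# after the masquerade rule, so the checks have something to report.
SAMPLE_CONFIG = """
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name INSIDE-OUT default-action 'accept'
set firewall name INSIDE-OUT rule 10 action 'accept'
set firewall name INSIDE-OUT rule 10 destination port '22'
set firewall name INSIDE-OUT rule 10 protocol 'tcp'
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 200 destination address '10.0.0.0/21'
set nat source rule 200 'exclude'
set nat source rule 200 outbound-interface 'eth0'
set nat source rule 200 source address '192.168.0.0/24'
"""

def parse_set_commands(text):
    """Turn `set a b 'c'` lines (the format of `show configuration commands`) into token tuples."""
    return [tuple(shlex.split(line)[1:])
            for line in text.splitlines() if line.strip().startswith("set ")]

def children(paths, *prefix):
    """Distinct tokens that directly follow `prefix` in any path."""
    n = len(prefix)
    return sorted({p[n] for p in paths if p[:n] == prefix and len(p) > n})

def leaf(paths, *prefix):
    """Value of a single-valued node, or None if unset."""
    vals = children(paths, *prefix)
    return vals[0] if vals else None

def has(paths, *prefix):
    return any(p[:len(prefix)] == prefix for p in paths)

def applied_rulesets(paths):
    """Rulesets attached to an interface (`... firewall <in|out|local> name X`) or a zone-policy."""
    used = set()
    for p in paths:
        if p[:1] == ("interfaces",) and "firewall" in p:
            i = p.index("firewall")
            if len(p) > i + 3 and p[i + 2] == "name":
                used.add(p[i + 3])
        elif p[:2] == ("zone-policy", "zone") and len(p) > 7 and p[5:7] == ("firewall", "name"):
            used.add(p[7])
    return used

def audit_firewall(paths):
    findings, used = [], applied_rulesets(paths)
    for rs in children(paths, "firewall", "name"):
        default = leaf(paths, "firewall", "name", rs, "default-action")
        if default not in ("drop", "reject"):
            findings.append(f"{rs}: default-action is {default!r}, expected drop or reject")
        if rs not in used:
            findings.append(f"{rs}: defined but not applied to any interface or zone")
        guarded = False  # becomes True once a recent-based SSH drop rule has been seen
        for n in sorted(int(x) for x in children(paths, "firewall", "name", rs, "rule")):
            r = ("firewall", "name", rs, "rule", str(n))
            ssh = (leaf(paths, *r, "protocol") == "tcp"
                   and leaf(paths, *r, "destination", "port") in ("22", "ssh"))
            action = leaf(paths, *r, "action")
            if ssh and action == "drop" and has(paths, *r, "recent"):
                guarded = True
            if ssh and action == "accept" and not guarded:
                findings.append(f"{rs} rule {n}: accepts SSH with no preceding recent-based drop rule")
    return findings

def audit_nat(paths):
    """An exclude rule only spares VPN traffic if it is numbered below the translating rule."""
    findings, first_translating = [], {}  # outbound-interface -> lowest translating rule number
    for n in sorted(int(x) for x in children(paths, "nat", "source", "rule")):
        r = ("nat", "source", "rule", str(n))
        iface = leaf(paths, *r, "outbound-interface")
        if has(paths, *r, "exclude"):
            if iface in first_translating:
                findings.append(f"nat source rule {n}: exclude comes after rule "
                                f"{first_translating[iface]} already masquerades on {iface}")
        elif has(paths, *r, "translation"):
            first_translating.setdefault(iface, n)
    return findings

def audit(text):
    paths = parse_set_commands(text)
    return audit_firewall(paths) + audit_nat(paths)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample this reports three findings for INSIDE-OUT (default-action accept, never attached, SSH accepted without a rate limit) and one for nat source rule 200; the page's own OUTSIDE rulesets and rule 100 pass clean. Pipe the output of show configuration commands into audit() to run the same checks against a live router or a backup.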
Restore the factory default configuration
    vyos@vyos-rtr# load /opt/vyatta/etc/config.boot.default
    Warning: file does NOT appear to be a valid config file.
    Do you want to continue? [no] Yes
    Loading configuration from '/config.boot.default'...
    Load complete. Use 'commit' to make changes active.
    [edit]
load only replaces the candidate configuration; commit (and save) to make the defaults active.
.github/workflows/build-iso.yml
name: Build VyOS LTS
# on:
#   release:
#     types: [published]
#   push:
#     branches:
#       - master
# on:
#   push:
#     tags:
#       - 'v*'
on: workflow_dispatch
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Get current date
        id: date
        uses: Kaven-Universe/github-action-current-date-time@v1.2.0
        with:
          format: "YYYYMMDDHHmmss"
      - name: Pull vyos-build docker image
        run: |
          docker pull vyos/vyos-build:equuleus
      - name: Build iso
        run: |
          git clone -b 1.3.5 --single-branch https://github.com/vyos/vyos-build.git
          cd vyos-build
          docker run --rm --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:equuleus bash -c './configure --architecture amd64 --build-type release --version "${{ steps.date.outputs.time }}" && sudo make iso'
      - name: Upload binaries to release
        uses: svenstaro/upload-release-action@v2
        with:
          file: vyos-build/build/vyos-1.3.5-${{ steps.date.outputs.time }}-amd64.iso
          tag: equuleus-${{ steps.date.outputs.time }}
          overwrite: true
          file_glob: true
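The workflow pins both third-party actions by tag (@v1.2.0, @v2), pulls the builder image by the mutable equuleus tag, and runs it with --privileged. Each of these makes the ISO you publish depend on state that someone else can change after you reviewed it. The checker below is an added example, not part of the page's workflow or of VyOS: it scans a workflow file for uses: references that are not pinned to a full 40-hex commit SHA, for docker pull/run image references without an @sha256: digest, and for --privileged. The embedded workflow is a constructed, trimmed copy of the one above with one SHA-pinned line added for contrast (the SHA is a placeholder, not a real commit).

```python
import re

# Constructed sample: a trimmed copy of the workflow above, plus one action pinned the way
# the check wants (the 40-hex value is a placeholder, not a real commit).
SAMPLE_WORKFLOW = """\
name: Build VyOS LTS
on: workflow_dispatch
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Get current date
        uses: Kaven-Universe/github-action-current-date-time@v1.2.0
      - name: Pull vyos-build docker image
        run: |
          docker pull vyos/vyos-build:equuleus
      - name: Build iso
        run: |
          docker run --rm --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:equuleus bash -c 'sudo make iso'
      - name: Upload binaries to release
        uses: svenstaro/upload-release-action@v2
      - name: Checkout, pinned to a commit
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
DOCKER_RE = re.compile(r"\bdocker\s+(pull|run)\s+(.*)$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `docker run` options that take their value as the next token
OPTS_WITH_VALUE = {"-v", "--volume", "-w", "--workdir", "-e", "--env", "-p", "--publish",
                   "--name", "-u", "--user", "--mount", "--network", "--entrypoint", "--env-file"}

def image_finding(image):
    """Reason an image reference is mutable, or None when it carries a sha256 digest."""
    if image is None:
        return "could not identify the image"
    if "@sha256:" in image:
        return None
    name = image.rsplit("/", 1)[-1]
    return (f"'{image}' is pulled by mutable tag" if ":" in name
            else f"'{image}' has no tag, implicit :latest")

def action_finding(ref):
    """Reason an action reference is mutable, or None when it is pinned to a full SHA."""
    if ref.startswith("./"):
        return None                                  # local action, lives in this repo
    if ref.startswith("docker://"):
        return image_finding(ref[len("docker://"):])
    if "@" not in ref:
        return "no ref at all, floats on the default branch"
    version = ref.rpartition("@")[2]
    if FULL_SHA_RE.match(version):
        return None
    return f"pinned by mutable tag or branch '{version}'"

def docker_image(args):
    """First positional argument of `docker pull|run ...`, skipping options and their values."""
    tokens, i = args.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            i += 2 if tok in OPTS_WITH_VALUE else 1
            continue
        return tok
    return None

def audit_workflow(text):
    """Return (line number, kind, detail) findings for the text of a workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            why = action_finding(m.group(1))
            if why:
                findings.append((n, "unpinned-action", f"{m.group(1)}: {why}"))
            continue
        m = DOCKER_RE.search(line)
        if m:
            verb, args = m.groups()
            if verb == "run" and "--privileged" in args.split():
                findings.append((n, "privileged",
                                 "docker run --privileged: the build container is root on the runner"))
            why = image_finding(docker_image(args))
            if why:
                findings.append((n, "unpinned-image", why))
    return findings

if __name__ == "__main__":
    for n, kind, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: {kind}: {detail}")
```

Pinning to a commit SHA (with the tag kept in a trailing comment for readability) and to an image digest (vyos/vyos-build@sha256:...) turns a later tag move into a visible diff in this repository instead of a silent change in what gets built. The --privileged finding is informational: the vyos-build image needs it for loop devices and squashfs, so the remedy is an isolated runner rather than dropping the flag.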
https://raw.githubusercontent.com/vyos/vyos-vm-images/current/Dockerfile
FROM debian:11.8

# Install minimal dependencies
RUN apt-get update && apt-get install -y \
    ansible \
    python3

# Install required packages (from ansible role "install-packages")
RUN apt-get update && apt-get install -y \
    gdisk \
    kpartx \
    dosfstools \
    e2fsprogs \
    gnupg \
    qemu-utils \
    python3-lxml \
    grub-efi-amd64 \
    grub-efi-amd64-bin \
    grub-common \
    isolinux \
    python3-requests \
    rsync \
    unzip \
    zlib1g-dev \
    squashfs-tools \
    xorriso \
    build-essential

# Install not required dependencies
RUN apt-get install -y \
    git \
    mc \
    nano \
    && rm -rf /var/lib/apt/lists/*

# Make build directory
RUN mkdir -p /home/build
WORKDIR /home/build
vyos-vm-images
Ansible playbooks for building VyOS VM images.

Requirements
You need a machine with at least 20 GB of free space running Debian 10 (bare metal, a VM, or a Docker container started with the --privileged flag). You also need the ansible and python3 packages:
    sudo apt update
    sudo apt install -y ansible python3
If you want to build an OVA image you also need ovftool from VMware; download it from the VMware site. You also need a private key to sign the OVA file. It can be generated with:
    openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:1024 -keyout myself.pem -out myself.pem
This is the command the project documents; 1024-bit RSA is below current minimums, so use rsa:2048 or larger for a key that anyone else will verify images against.
All other requirements are installed by ansible-playbook.

Preparation
Before running ansible-playbook, copy the VyOS ISO image to /tmp/vyos.iso. The generated images are also placed in /tmp/.

Docker
The Dockerfile has all required dependencies.
- Download the Dockerfile:
    wget https://raw.githubusercontent.com/vyos/vyos-vm-images/current/Dockerfile
- Build a local image named vyos-vm-images (only if you do not have one yet):
    docker build --tag vyos-vm-images:latest -f ./Dockerfile .
- Start and connect to the container:
    docker run --rm -it --privileged -v $(pwd):/vm-build -v $(pwd)/images:/images -w /vm-build vyos-vm-images:latest bash
- Clone the repository:
    git clone https://github.com/vyos/vyos-vm-images.git && cd vyos-vm-images

Supported platforms
- QEMU:
    ansible-playbook qemu.yml
- VMware cloud-init:
    ansible-playbook vmware.yml -e vyos_vmware_private_key_path=path_to_private_key
- VMware simple ova:
    ansible-playbook vmware.yml -e vyos_vmware_private_key_path=path_to_private_key -e cloud_init=false -e ovf_template=simple
- Microsoft Hyper-V:
    ansible-playbook hyperv.yml
- Vagrant libvirt:
    ansible-playbook vagrant-libvirt.yml

Other (optional) arguments
- Path to the local ISO image (default: /tmp/vyos.iso):
    -e iso_local=path
  Example:
    -e iso_local=/tmp/vyos/custom_image.iso
- Disk size in GB (default: 10):
    -e disk_size=size
  Example for 2 GB:
    -e disk_size=2
- Enable cloud-init (default: depends on the platform):
    -e cloud_init=true
- Configure custom cloud-init datasources (default: depends on the platform):
    -e cloud_init_ds=datasources
  Example:
    -e cloud_init_ds=NoCloud,ConfigDrive,None
- Install a guest agent. Can be qemu or vmware (default: none):
    -e guest_agent=agent
  Example:
    -e guest_agent=qemu
- Disable the config-stage modules in cloud-init. Most useful when building for non-cloud environments where cloud-init metadata is not available (default: false):
    -e cloud_init_disable_config=true
- Create an archive with the files required for PXE boot (default: false):
    -e pxe=true
- Keep the default user vyos with password vyos in the configuration when building an image with cloud-init (default: false). This bakes the well-known default credentials into every instance started from the image; leave it off for anything network-reachable and provision credentials through cloud-init instead:
    -e keep_user=true
- Select the partition table type for the disk image. Supported: mbr, gpt, hybrid (default: hybrid):
    -e parttable_type=hybrid
- Select the default console for boot. Supported: kvm, serial (default: depends on the platform):
    -e grub_console=serial
- Install custom packages. Either a space-separated list in the file files/custom_packages_list.txt or .deb files in the directory files/custom_debs/:
    -e custom_packages=true
- Copy custom files. All files inside the directory files/custom_files/ are copied recursively to the target filesystem:
    -e custom_files=true
- Enable DHCP on eth0 (default: false):
    -e enable_dhcp=true
- Enable SSH (default: false):
    -e enable_ssh=true
- Remove the system login node from the configuration. Unlike keep_user, this option removes system login completely, so the image boots with no local account and cloud-init must create one, otherwise the instance is unreachable:
    -e without_login=true