I have two network interfaces: one for users to reach the domestic network, another for users to reach networks abroad. How can I make this work with VyOS?
Make a network group
# Define the network-group for China prefixes (its members are loaded with ipset at boot, see below)
set firewall group network-group china-ip-ranges
# Define the LAN network-group
set firewall group network-group lan-net-group network '192.168.11.0/24'
Set the policy route
set policy route network-shunt rule 20 destination group network-group 'china-ip-ranges'
set policy route network-shunt rule 20 set table '20'
set policy route network-shunt rule 20 source group network-group 'lan-net-group'
set policy route network-shunt rule 30 set table '30'
set policy route network-shunt rule 30 source group network-group 'lan-net-group'
Rules are evaluated in ascending order and the first match wins: rule 20 sends LAN traffic for China prefixes to table 20, and rule 30, which has no destination match, catches all remaining LAN traffic and sends it to table 30.
Download the prefix list and populate the network-group with ipset
Download the APNIC delegation list and turn it into a prefix list that is loaded into the network-group at boot. Note that the list is fetched over plain HTTP with no integrity check, so whoever controls that download controls which destinations bypass the tunnel, and a failed download leaves an empty prefix file.
# create the update shell script (EOF is quoted so that $4 and $5 reach awk instead of being expanded by the outer shell)
cat > /config/scripts/generate_china_ip_address.sh <<'EOF'
#!/bin/sh
wget -q http://ftp.apnic.net/stats/apnic/delegated-apnic-latest -O - | awk -F '|' '/CN/&&/ipv4/ {print $4 "/" 32-log($5)/log(2)}' > /config/chinaiprange.txt
EOF
# make the script executable
chmod +x /config/scripts/generate_china_ip_address.sh
# run the script
/config/scripts/generate_china_ip_address.sh
Create boot loading script
# EOF is quoted so that the loop is written into the boot script verbatim rather than executed now
cat >> /config/scripts/vyos-postconfig-bootup.script << 'EOF'
for l in $(cat /config/chinaiprange.txt); do sudo ipset add china-ip-ranges $l; done
EOF
Set protocols (static routes)
# main table: default route out the PPPoE uplink, tunnel subnet via wg01
set protocols static interface-route 0.0.0.0/0 next-hop-interface pppoe0
set protocols static interface-route 172.16.131.0/24 next-hop-interface wg01
# table 20 (China prefixes): straight out the PPPoE uplink
set protocols static table 20 interface-route 0.0.0.0/0 next-hop-interface pppoe0
# table 30 (everything else): via the far end of the wg01 tunnel
set protocols static table 30 route 0.0.0.0/0 next-hop 172.16.131.1
Apply PBR Policy on lan interface
set interfaces bridge br0 policy route network-shunt