How to Setup Vyos as a Firewall

How to Setup Vyos as a Firewall

Interface setup

Interface | IP Address | Description
eth0 | pppoe | WAN
eth1 | 192.168.68.1/24 | DMZ
eth2 | 10.0.0.1/24 | LAN
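# WAN: PPPoE session on eth0; the session interface is referenced as pppoe0 below
set interface ethernet eth0 pppoe 0 user-id '<pppoe account>'
set interface ethernet eth0 pppoe 0 password '<pppoe password>'
# Ignore resolvers pushed by the ISP; DNS forwarding is configured explicitly later
set interface ethernet eth0 pppoe 0 name-server 'none'
set interface ethernet eth0 description 'WAN'

# DMZ segment
set interface ethernet eth1 address 192.168.68.1/24
# Quoted like the other descriptions for consistency
set interface ethernet eth1 description 'DMZ'

# LAN segment
set interface ethernet eth2 address 10.0.0.1/24
set interface ethernet eth2 description 'LAN'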

DHCP Server

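# Commands are relative to the dhcp-server node
# (full path: set service dhcp-server shared-network-name ...).
# NOTE(review): this pool serves 192.168.68.0/24, which is the DMZ segment (eth1)
# in the interface table above, not the 10.0.0.0/24 LAN — adjust the subnet or add
# a second one if LAN clients are meant to receive leases.
set shared-network-name lan.local subnet 192.168.68.0/24 default-router 192.168.68.1
set shared-network-name lan.local subnet 192.168.68.0/24 dns-server 192.168.68.1
set shared-network-name lan.local subnet 192.168.68.0/24 domain-name lan.local
# Pool start (the original line was missing an octet; adjust to your plan).
# The DNAT target 192.168.68.50 below lies inside this pool — reserve it or start
# the pool above it so the lease and the static host never collide.
set shared-network-name lan.local subnet 192.168.68.0/24 range 0 start 192.168.68.50
# Pool end (stray trailing quote removed)
set shared-network-name lan.local subnet 192.168.68.0/24 range 0 stop 192.168.68.254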

DNS forwarding

# Commands are relative to the dns forwarding node
# (full path: set service dns forwarding ...).
# A cache size of 0 disables caching: every query is sent to the upstream resolver.
set cache-size '0'
# Bind only on the DMZ address; with this setting the forwarder is not reachable on
# the LAN address (10.0.0.1) — add a second listen-address if LAN clients should use it.
set listen-address 192.168.68.1
# Upstream resolver the forwarder sends queries to
set name-server <public dns server ip ,like 8.8.8.8>

Set login banner

You can set pre-login and post-login messages with the following lines:

# Shown before authentication; the trailing "\n" ends the banner with a newline
set system login banner pre-login "UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED\n"
# Shown after a successful login
set system login banner post-login "Welcome to VyOS"

NAT

SNAT

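# Written with the full 'nat source' path so it can be pasted from the top level,
# matching the DNAT block below. Masquerade to the dynamic PPPoE address.
set nat source rule 10 outbound-interface pppoe0
set nat source rule 10 source address 192.168.68.0/24
set nat source rule 10 translation address masquerade

# The LAN segment (10.0.0.0/24) needs masquerading as well: private-public is
# default-accept, so without this rule LAN traffic leaves but replies never return.
set nat source rule 20 outbound-interface pppoe0
set nat source rule 20 source address 10.0.0.0/24
set nat source rule 20 translation address masquerade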

DNAT

# Forwards TCP/UDP 3389 (RDP) arriving on eth2 (LAN) for 10.0.0.5 to the DMZ host
# 192.168.68.50. NOTE(review): with inbound-interface 'eth2' only traffic entering
# from the LAN matches; 10.0.0.5 is not an address this guide configures on the
# router. If the intent is to publish the service from the internet, the inbound
# interface would be pppoe0 and public-dmz (default drop) would need a matching
# accept rule — an RDP listener reachable from the WAN is better kept behind a VPN.
set nat destination rule 10 destination address '10.0.0.5'
set nat destination rule 10 destination port '3389'
set nat destination rule 10 inbound-interface 'eth2'
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address '192.168.68.50'
set nat destination rule 10 translation port '3389'

Default routing

# Relative to the protocols node (full path: set protocols static interface-route ...).
# Default route out of the PPPoE session; an interface route is used because the
# peer address of a PPPoE link is only known once the session is up.
set static interface-route 0.0.0.0/0 next-hop-interface pppoe0

Firewall settings

Zone-based firewall


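# Stateful firewall: accept established/related and drop invalid for every rule set
set firewall state-policy established action 'accept'
set firewall state-policy related action 'accept'
set firewall state-policy invalid action 'drop'

# Zone membership: one zone per segment; 'local' is the router itself
set zone-policy zone dmz interface 'eth1'
set zone-policy zone private interface 'eth2'
set zone-policy zone local local-zone
set zone-policy zone public interface 'pppoe0'

# Per-direction rule sets, named <from>-<to>

# DMZ -> router: only DNS to the forwarder on 192.168.68.1 and ping
set firewall name dmz-local default-action 'drop'
set firewall name dmz-local rule 10 action 'accept'
set firewall name dmz-local rule 10 destination address '192.168.68.1'
set firewall name dmz-local rule 10 destination port '53'
set firewall name dmz-local rule 10 protocol 'udp'

set firewall name dmz-local rule 11 action 'accept'
set firewall name dmz-local rule 11 icmp type-name 'echo-request'
set firewall name dmz-local rule 11 protocol 'icmp'

# DMZ -> LAN: default drop.
# NOTE(review): rule 10 matches 192.168.68.1, the router's own DMZ address, which
# belongs to the local zone — traffic to it never traverses dmz-private, so this
# rule has no effect. Remove it or point it at a LAN host if something specific
# from the DMZ must reach the LAN.
set firewall name dmz-private default-action 'drop'
set firewall name dmz-private rule 10 action 'accept'
set firewall name dmz-private rule 10 destination address '192.168.68.1'
set firewall name dmz-private rule 10 destination port '53'
set firewall name dmz-private rule 10 protocol 'udp'

# DMZ -> internet: everything allowed (no egress filtering)
set firewall name dmz-public default-action 'accept'

# Router -> DMZ / LAN / internet: unrestricted
set firewall name local-dmz default-action 'accept'

set firewall name local-private default-action 'accept'

set firewall name local-public default-action 'accept'

# LAN -> DMZ: unrestricted
set firewall name private-dmz default-action 'accept'

# LAN -> router: unrestricted (management lives here)
set firewall name private-local default-action 'accept'

# Allow ping (redundant under default-accept, kept for explicitness)
set firewall name private-local rule 1 action 'accept'
set firewall name private-local rule 1 icmp type-name 'echo-request'
set firewall name private-local rule 1 protocol 'icmp'

# LAN -> internet: unrestricted
set firewall name private-public default-action 'accept'

# Internet -> anything: drop unless a later rule opens it; replies are handled by
# the established/related state policy above
set firewall name public-dmz default-action 'drop'

set firewall name public-local default-action 'drop'

set firewall name public-private default-action 'drop'

# Zone defaults: anything without a matching from-zone rule set is dropped
set zone-policy zone dmz default-action 'drop'
set zone-policy zone private default-action 'drop'
set zone-policy zone public default-action 'drop'

# Bind each rule set to its zone pair
set zone-policy zone dmz from local firewall name 'local-dmz'
set zone-policy zone dmz from private firewall name 'private-dmz'
set zone-policy zone dmz from public firewall name 'public-dmz'

set zone-policy zone local from dmz firewall name 'dmz-local'
set zone-policy zone local from private firewall name 'private-local'
set zone-policy zone local from public firewall name 'public-local'

set zone-policy zone private from dmz firewall name 'dmz-private'
set zone-policy zone private from local firewall name 'local-private'
set zone-policy zone private from public firewall name 'public-private'

set zone-policy zone public from dmz firewall name 'dmz-public'
set zone-policy zone public from local firewall name 'local-public'
set zone-policy zone public from private firewall name 'private-public'

# Global firewall / kernel hardening knobs
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall receive-redirects 'disable'
# A firewall should not emit ICMP redirects (the original had this enabled)
set firewall send-redirects 'disable'
# Reverse-path filtering: drop packets whose source address is not routable back
# through the arrival interface (anti-spoofing). The original disabled it; 'strict'
# is appropriate for a single-uplink edge router, use 'loose' if asymmetric routing
# is ever introduced.
set firewall source-validation 'strict'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set firewall ip-src-route 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
# Log packets with impossible source addresses so spoofing attempts are visible
set firewall log-martians 'enable'

commit
save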