Can someone help me and check my commands?

So, after reading tutorials and videos, I think I have now built up all the commands for a basic firewall with one port forward for the local webserver. Can someone validate this n00b's ideas and commands please? :slight_smile:

==========

####->
INFORMATION:
Network 192.168.1.0/24
192.168.1.20 webserver for internet accessible websites
AD servers: 192.168.1.80/192.168.1.81
####->

####-> SET INTERFACE SETTINGS
ETH0 is the ISP connection which has DHCP
ETH1 is the primary LAN network (where the webserver will also live for the time being)
ETH2 is the Guest network (for wifi)
ETH3 is the DMZ where the servers will live
####->
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'WAN'

set interfaces ethernet eth1 address '192.168.1.1/24'
set interfaces ethernet eth1 description 'LAN'

set interfaces ethernet eth2 address '192.168.2.1/24'
set interfaces ethernet eth2 description 'GUEST'

set interfaces ethernet eth3 address '192.168.3.1/24'
set interfaces ethernet eth3 description 'DMZ'

####-> SET DEFAULT SETTINGS
####->
set system host-name firewall.local.lan
set system name-server 192.168.1.80
set system name-server 192.168.1.81

####-> SET SSH SETTINGS
SSH for the local VyOS instance on the LAN interface
####->
set service ssh port 22
set service ssh listen-address 192.168.1.1

####-> SET DHCP SETTINGS
DHCP for the LAN network
####->
set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server 192.168.1.80
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 domain-name local.lan
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 604800
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.250

####-> SET DNS SETTINGS
DNS for the LAN network
####->
set service dns forwarding domain local.lan server 192.168.1.80
set service dns forwarding name-server 192.168.1.80
set service dns forwarding name-server 192.168.1.81
set service dns forwarding listen-address 192.168.1.1
set service dns forwarding allow-from 192.168.1.0/24

####-> SET NAT SETTINGS
NAT for the LAN network
####->
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 192.168.1.0/24
set nat source rule 10 translation address masquerade

####-> SET NAT SETTINGS - WEBSERVER
Forward the port 80 from the WAN to the server in the LAN
####->
set nat destination rule 10 description 'Web server'
set nat destination rule 10 destination port 80
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 192.168.1.20
set nat destination rule 10 translation port 80

set firewall name eth0-local rule 40 action accept
set firewall name eth0-local rule 40 description 'Allow http'
set firewall name eth0-local rule 40 destination port 80
set firewall name eth0-local rule 40 protocol tcp

####-> SET FIREWALL SETTINGS
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects disable
set firewall source-validation disable
set firewall syn-cookies enable

set firewall name eth0-local default-action drop
set firewall name eth0-local rule 10 action accept
set firewall name eth0-local rule 10 description 'Allow established and related packets'
set firewall name eth0-local rule 10 state established enable
set firewall name eth0-local rule 10 state related enable
set firewall name eth0-local rule 11 action accept
set firewall name eth0-local rule 11 description 'Allow icmp'
set firewall name eth0-local rule 11 icmp type-name echo-request
set firewall name eth0-local rule 11 protocol icmp
set firewall name eth0-local rule 12 action drop
set firewall name eth0-local rule 12 description 'Drop ssh after 3 new connections in 30s (must come before the accept rule)'
set firewall name eth0-local rule 12 destination port 22
set firewall name eth0-local rule 12 protocol tcp
set firewall name eth0-local rule 12 recent count 3
set firewall name eth0-local rule 12 recent time 30
set firewall name eth0-local rule 12 state new enable
set firewall name eth0-local rule 13 action accept
set firewall name eth0-local rule 13 description 'Allow ssh'
set firewall name eth0-local rule 13 destination port 22
set firewall name eth0-local rule 13 protocol tcp

set interfaces ethernet eth0 firewall local name eth0-local

commit
save

Hello @jhjacobs81, I think you need to use eth0 for DNAT

set nat destination rule 10 inbound-interface eth0

Thank you @Dmitry for the quick response :slight_smile: I edited the post and made the change bold, is this what you mean?

Yes, exactly. Incoming packets from eth0 (WAN) and port 80 will be translated to your LAN Webserver


@Dmitry Doesn't the OP need a WAN-LAN firewall ruleset? The eth0-local firewall ruleset is applied to interface eth0 as the local firewall, not the in firewall.

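As an added example, not part of the original post or of either reply, here is the WAN-to-LAN ruleset the last reply is asking about. It keeps the OP's addressing (eth0 as WAN, 192.168.1.20 as the web server) and the VyOS 1.1-style syntax used in the post; the ruleset name eth0-in and the rule numbers are my own choices. The point it shows: traffic that is forwarded through the router to the LAN is filtered by the ruleset attached as "in", while "local" only sees packets addressed to the router itself. Because destination NAT happens before forward filtering, the "in" rule matches the already-translated address 192.168.1.20, not the WAN address.

```vyos
####-> SET FIREWALL SETTINGS - WAN TO LAN (in)
Packets arriving on eth0 that are routed on to the LAN (the DNAT'd web traffic)
are filtered by the ruleset attached as 'in'. The 'local' ruleset never sees them.
####->
set firewall name eth0-in default-action drop
set firewall name eth0-in description 'WAN to LAN'

set firewall name eth0-in rule 10 action accept
set firewall name eth0-in rule 10 description 'Allow established and related packets'
set firewall name eth0-in rule 10 state established enable
set firewall name eth0-in rule 10 state related enable

set firewall name eth0-in rule 40 action accept
set firewall name eth0-in rule 40 description 'Allow http to the DNAT target only (post-NAT address)'
set firewall name eth0-in rule 40 destination address 192.168.1.20
set firewall name eth0-in rule 40 destination port 80
set firewall name eth0-in rule 40 protocol tcp
set firewall name eth0-in rule 40 state new enable

set interfaces ethernet eth0 firewall in name eth0-in

commit
save
```

With this in place, rule 40 in eth0-local is no longer needed: it only opens port 80 on the router itself, which serves no web site. To check that the right chain is doing the work, open a connection from the WAN side and run show firewall name eth0-in statistics; the packet counter on rule 40 should increase while eth0-local stays at zero for port 80. When the web server moves to the DMZ on eth3, both the DNAT translation address and the destination address in rule 40 change to its new address; nothing else in the ruleset has to.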