Hi,
I think I just about finished making my first configuration and I am seeking advice.
I would like someone to take a look at my configuration and tell me:
A. Am I going about firewalls the right way (i.e. filtering on LAN rather than WAN, etc.)?
B. Are my NAT, load-balancing and static routes correct (i.e. subnets)?
C. Am I using the correct addresses?
I have the following:
2 ISP interfaces; IPs are assigned through their DHCP servers
1 LAN interface
A pair of DNS servers on 10.40.0.1 and 10.40.0.3
My aim is to use VyOS mainly as a firewall and for load-balancing.
I want my LAN to provide DHCP, DNS and NAT for itself.
So I would want my DNS servers to be able to reach out to the public DNS servers, rather than caching in VyOS.
I am also trying to perform egress filtering, so that I am not spewing out random/bad stuff.
Let me know if you need more specific details.
Oh yes, I have not configured time servers yet.
show configuration
firewall {
/* Global firewall toggles, per the option names: the router answers ICMP echo (all-ping) but not echo sent to broadcast addresses; config-trap signals firewall configuration changes via SNMP trap. */
all-ping enable
broadcast-ping disable
config-trap enable
/* Address, network and port groups referenced by the rulesets below. */
group {
/* The DMZ web server (inside 10.50.0.0/24); only referenced by DMZ-OUT rule 4000. */
address-group AG-WEB-1 {
address 10.50.0.100
}
/* Single placeholder entry; every ruleset drops traffic FROM this group and most also drop traffic TO it (WAN-OUT has no such rule). */
network-group NG-BLACKLISTED {
network 1.1.1.1/32
}
/* Defined but not referenced by any rule in this listing. */
network-group NG-DMZ {
network 10.50.0.0/24
}
network-group NG-LAN {
network 10.30.0.0/24
}
/* Two hosts inside the LAN range; gates SSH and SNMP to the router in the *-LOCAL rulesets, including DMZ-LOCAL and WAN-LOCAL where these source addresses should not normally appear. */
network-group NG-MANAGEMENT {
network 10.30.0.251/32
network 10.30.0.252/32
}
/* ISP-side subnets (the load-balancing next-hops live here); defined but not referenced by any rule in this listing. */
network-group NG-WAN {
network 192.168.4.0/24
network 192.168.1.0/24
}
port-group PG-DHCP {
port 67
}
port-group PG-DNS {
port 53
}
port-group PG-NTP {
port 123
}
port-group PG-SNMP {
port 161
}
/* SSH is matched on 52222, not 22; compare with the bare "port 22" line under service. */
port-group PG-SSH {
port 52222
}
port-group PG-WEB {
port 80
port 443
}
}
/* Kernel hardening toggles, per the option names: source-routed packets are refused for IPv4 and IPv6, IPv6 redirects are ignored and martian (impossible-source) packets are logged. The IPv4 redirect and source-validation settings are at the end of this firewall section. */
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* Forwarded traffic arriving on eth3 (DMZ). Only the blacklist drops, the established/related accept and the invalid drop are present: no rule accepts NEW connections from the DMZ, so DMZ hosts cannot open connections to the LAN or the WAN. */
name DMZ-IN {
default-action drop
rule 1000 {
action drop
description "Block traffic FROM Blacklisted"
source {
group {
network-group NG-BLACKLISTED
}
}
}
rule 1001 {
action drop
description "Block traffic TO Blacklisted"
destination {
group {
network-group NG-BLACKLISTED
}
}
}
/* Replies to connections opened from the LAN (DMZ-OUT 9000 / 4000) come back through here. */
rule 1010 {
action accept
description "Allow Established and Related traffic"
state {
established enable
related enable
}
}
rule 1011 {
action drop
description "Block Invalid traffic"
state {
invalid enable
}
}
}
/* Traffic addressed to the router itself on eth3 (DMZ). */
name DMZ-LOCAL {
default-action drop
rule 1000 {
action drop
description "Block traffic FROM Blacklisted"
source {
group {
network-group NG-BLACKLISTED
}
}
}
rule 1010 {
action accept
description "Allow Established and Related traffic"
state {
established enable
related enable
}
}
rule 1011 {
action drop
description "Block Invalid traffic"
state {
invalid enable
}
}
rule 1020 {
action accept
description "Allow Ping traffic"
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
/* DHCP to the router from any DMZ source; service dhcp-server is currently "disabled true" and only defines the 10.30.0.0/24 subnet. */
rule 1030 {
action accept
description "Allow DHCP traffic"
destination {
group {
port-group PG-DHCP
}
}
protocol udp
state {
new enable
}
}
/* DNS to the router itself from any DMZ source; no DNS forwarding is configured in this listing, so confirm the router is meant to answer on 53 at all. */
rule 1040 {
action accept
description "Allow DNS traffic"
destination {
group {
port-group PG-DNS
}
}
protocol tcp_udp
state {
new enable
}
}
rule 1050 {
action accept
description "Allow Time traffic"
destination {
group {
port-group PG-NTP
}
}
protocol udp
state {
new enable
}
}
/* 1100 drops a management host's 4th and later NEW SSH connections within 30 s; 1101 accepts the rest. NG-MANAGEMENT is a LAN range (10.30.0.251/.252): a packet with that source on eth3 would be spoofed by a DMZ host, and source-validation is disabled, so consider dropping 1100-1110 from this ruleset. PG-SSH is 52222; see "port 22" under service. */
rule 1100 {
action drop
description "Limit rate of SSH FROM management network"
destination {
group {
port-group PG-SSH
}
}
protocol tcp
recent {
count 4
time 30
}
source {
group {
network-group NG-MANAGEMENT
}
}
state {
new enable
}
}
rule 1101 {
action accept
description "Allow SSH FROM management network"
destination {
group {
port-group PG-SSH
}
}
protocol tcp
source {
group {
network-group NG-MANAGEMENT
}
}
state {
new enable
}
}
/* No SNMP service is configured in this listing. */
rule 1110 {
action accept
description "Allow SNMP traffic"
destination {
group {
port-group PG-SNMP
}
}
protocol udp
source {
group {
network-group NG-MANAGEMENT
}
}
state {
new enable
}
}
}
/* Forwarded traffic leaving eth3 toward DMZ hosts. eth0/eth2 have no "in" ruleset, so for WAN-to-DMZ forwarding this is the only filter. */
name DMZ-OUT {
default-action drop
rule 1000 {
action drop
description "Block traffic FROM Blacklisted"
source {
group {
network-group NG-BLACKLISTED
}
}
}
rule 1001 {
action drop
description "Block traffic TO Blacklisted"
destination {
group {
network-group NG-BLACKLISTED
}
}
}
rule 1010 {
action accept
description "Allow Established and Related traffic"
state {
established enable
related enable
}
}
rule 1011 {
action drop
description "Block Invalid traffic"
state {
invalid enable
}
}
rule 1020 {
action accept
description "Allow Ping traffic"
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
/* tcp 80/443 to 10.50.0.100 from any source. No destination NAT exists in this config, so WAN clients cannot reach the private address without one; for LAN sources rule 9000 below already accepts everything. */
rule 4000 {
action accept
description "Allow WebServer traffic"
destination {
group {
address-group AG-WEB-1
port-group PG-WEB
}
}
protocol tcp
state {
new enable
}
}
/* Any NEW connection from the LAN to any DMZ host and port. Narrowing this to destination groups (e.g. AG-WEB-1 + PG-WEB, PG-SSH from NG-MANAGEMENT) would keep the LAN from reaching every DMZ service. */
rule 9000 {
action accept
description "Allow traffic FROM LAN"
source {
group {
network-group NG-LAN
}
}
state {
new enable
}
}
}
/* Forwarded traffic arriving on eth1 (LAN), i.e. LAN-to-WAN and LAN-to-DMZ. Sources outside NG-LAN are dropped by default-action. */
name LAN-IN {
default-action drop
rule 1000 {
action drop
description "Block traffic FROM Blacklisted"
source {
group {
network-group NG-BLACKLISTED
}
}
}
rule 1001 {
action drop
description "Block traffic TO Blacklisted"
destination {
group {
network-group NG-BLACKLISTED
}
}
}
rule 1010 {
action accept
description "Allow Established and Related traffic"
state {
established enable
related enable
}
}
rule 1011 {
action drop
description "Block Invaid traffic"
state {
invalid enable
}
}
/* Accepts any NEW connection from 10.30.0.0/24 to any destination and port; apart from NG-BLACKLISTED this is no egress filtering. To restrict egress, replace this with accept rules per destination port-group (PG-WEB, PG-DNS, PG-NTP, ...) and let default-action drop handle the rest. WAN-OUT 9000 is the same rule on the other side; keep the policy in one place. */
rule 9000 {
action accept
description "Allow traffic FROM LAN"
source {
group {
network-group NG-LAN
}
}
state {
new enable
}
}
}
/* Traffic addressed to the router itself on eth1 (LAN). This is the ruleset where the NG-MANAGEMENT hosts (10.30.0.251/.252) actually live. */
name LAN-LOCAL {
default-action drop
rule 1000 {
action drop
description "Block traffic FROM Blacklisted"
source {
group {
network-group NG-BLACKLISTED
}
}
}
rule 1010 {
action accept
description "Allow Established and Related traffic"
state {
established enable
related enable
}
}
rule 1011 {
action drop
description "Block Invalid traffic"
state {
invalid enable
}
}
rule 1020 {
action accept
description "Allow Ping traffic"
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
/* DHCP to the router from any LAN source; service dhcp-server is currently "disabled true" and the stated plan is for the LAN to run its own DHCP. */
rule 1030 {
action accept
description "Allow DHCP traffic"
destination {
group {
port-group PG-DHCP
}
}
protocol udp
state {
new enable
}
}
/* DNS to the router from any LAN source; system name-servers are 10.40.0.1/.3 and no DNS forwarding is configured in this listing, so confirm the router should accept port 53 at all. */
rule 1040 {
action accept
description "Allow DNS traffic"
destination {
group {
port-group PG-DNS
}
}
protocol tcp_udp
state {
new enable
}
}
rule 1050 {
action accept
description "Allow Time traffic"
destination {
group {
port-group PG-NTP
}
}
protocol udp
state {
new enable
}
}
/* SSH rate limit: drops a management host's 4th and later NEW SSH attempts within 30 s, otherwise 1101 accepts. PG-SSH is 52222 while a bare "port 22" appears under service; if SSH listens on 22 these rules never match it. */
rule 1100 {
action drop
description "Limit rate of SSH FROM management network"
destination {
group {
port-group PG-SSH
}
}
protocol tcp
recent {
count 4
time 30
}
source {
group {
network-group NG-MANAGEMENT
}
}
state {
new enable
}
}
rule 1101 {
action accept
description "Allow SSH FROM management network"
destination {
group {
port-group PG-SSH
}
}
protocol tcp
source {
group {
network-group NG-MANAGEMENT
}
}
state {
new enable
}
}
/* No SNMP service is configured in this listing. */
rule 1110 {
action accept
description "Allow SNMP traffic"
destination {
group {
port-group PG-SNMP
}
}
protocol udp
source {
group {
network-group NG-MANAGEMENT
}
}
state {
new enable
}
}
}
/* Forwarded traffic leaving eth1 toward LAN hosts (WAN-to-LAN and DMZ-to-LAN). eth0/eth2 carry no "in" ruleset, so this is the only filter for WAN-to-LAN forwarding; no rule accepts NEW connections other than echo-request. */
name LAN-OUT {
default-action drop
rule 1000 {
action drop
description "Block traffic FROM Blacklisted"
source {
group {
network-group NG-BLACKLISTED
}
}
}
rule 1001 {
action drop
description "Block traffic TO Blacklisted"
destination {
group {
network-group NG-BLACKLISTED
}
}
}
rule 1010 {
action accept
description "Allow Established and Related trafic"
state {
established enable
related enable
}
}
rule 1011 {
action drop
description "Block Invalid traffic"
state {
invalid enable
}
}
/* NEW echo-request from any source toward LAN hosts. Whether an unsolicited WAN ping can reach a LAN host also depends on NAT: only source masquerade is configured, so there is no inbound mapping. */
rule 1020 {
action accept
description "Allow Ping traffic"
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
}
/* Traffic addressed to the router itself on eth0 and eth2 (both WAN, addressed via DHCP). */
/* No rule admits DHCP client replies (udp to port 68); established/related may not cover broadcast offers, so confirm the WAN leases keep renewing with this ruleset applied. */
name WAN-LOCAL {
default-action drop
rule 1000 {
action drop
description "Block traffic FROM Blacklisted"
source {
group {
network-group NG-BLACKLISTED
}
}
}
rule 1010 {
action accept
description "Allow Established and Related traffic"
state {
established enable
related enable
}
}
rule 1011 {
action drop
description "Block Invalid traffic"
state {
invalid enable
}
}
/* NEW echo-request from any internet source is answered. */
rule 1020 {
action accept
description "Allow Ping traffic"
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
/* NG-MANAGEMENT (10.30.0.251/.252) is a LAN range: a packet with that source arriving on a WAN interface would be spoofed or misrouted, and source-validation is disabled (no reverse-path check), so rules 1100-1110 would accept it. Unless remote management via these addresses is intended, drop them from this ruleset. Note "recent count" is 3 here versus 4 in the LAN/DMZ copies. */
rule 1100 {
action drop
description "Limit rate of SSH FROM management network"
destination {
group {
port-group PG-SSH
}
}
protocol tcp
recent {
count 3
time 30
}
source {
group {
network-group NG-MANAGEMENT
}
}
state {
new enable
}
}
rule 1101 {
action accept
description "Allow SSH FROM management network"
destination {
group {
port-group PG-SSH
}
}
protocol tcp
source {
group {
network-group NG-MANAGEMENT
}
}
state {
new enable
}
}
rule 1110 {
action accept
description "Allow SNMP traffic"
destination {
group {
port-group PG-SNMP
}
}
protocol udp
source {
group {
network-group NG-MANAGEMENT
}
}
state {
new enable
}
}
}
/* Forwarded traffic leaving eth0/eth2 toward the ISPs. Unlike the other rulesets there is no NG-BLACKLISTED drop here; DMZ sources match nothing and are dropped by default-action (consistent with DMZ-IN). */
name WAN-OUT {
default-action drop
rule 1010 {
action accept
description "Allow Established and Related traffic"
state {
established enable
related enable
}
}
rule 1011 {
action drop
description "Block Invalid traffic"
state {
invalid enable
}
}
/* Same wide-open LAN rule as LAN-IN 9000: any NEW connection from 10.30.0.0/24 to any internet destination and port. Egress restrictions belong here or in LAN-IN, not both. */
rule 9000 {
action accept
description "Allow traffic FROM LAN"
source {
group {
network-group NG-LAN
}
}
state {
new enable
}
}
}
/* IPv4 ICMP redirects are neither accepted nor sent. */
receive-redirects disable
send-redirects disable
/* source-validation disable turns off reverse-path filtering: a packet arriving on a WAN interface with a LAN or management source address is not rejected by the kernel, so the rulesets (WAN-LOCAL 1100-1110 in particular) are the only thing deciding its fate. "strict" would reject such packets on the WAN interfaces. */
source-validation disable
/* syn-cookies keep the router's own TCP listeners reachable under a SYN flood. */
syn-cookies enable
twa-hazards-protection disable
}
interfaces {
/* WAN 1, addressed via DHCP. Only "local" and "out" rulesets are bound; with no "in" ruleset, forwarded traffic from this ISP is filtered solely on the egress side (LAN-OUT / DMZ-OUT). */
ethernet eth0 {
address dhcp
description "WAN Cable 1"
duplex auto
firewall {
local {
name WAN-LOCAL
}
out {
name WAN-OUT
}
}
hw-id xx:xx:xx:xx:xx:xx
smp_affinity auto
speed auto
}
/* LAN gateway 10.30.0.254/24; all three directions are filtered. */
ethernet eth1 {
address 10.30.0.254/24
description LAN
duplex auto
firewall {
in {
name LAN-IN
}
local {
name LAN-LOCAL
}
out {
name LAN-OUT
}
}
hw-id xx:xx:xx:xx:xx:xx
smp_affinity auto
speed auto
}
/* WAN 2, addressed via DHCP; same ruleset binding as eth0 (no "in" ruleset). */
ethernet eth2 {
address dhcp
description "WAN Phone 1"
duplex auto
firewall {
local {
name WAN-LOCAL
}
out {
name WAN-OUT
}
}
hw-id xx:xx:xx:xx:xx:xx
smp_affinity auto
speed auto
}
/* DMZ gateway 10.50.0.254/24; all three directions are filtered. Note this subnet has no NAT rule and is not part of load-balancing rule 10. */
ethernet eth3 {
address 10.50.0.254/24
description DMZ
duplex auto
firewall {
in {
name DMZ-IN
}
local {
name DMZ-LOCAL
}
out {
name DMZ-OUT
}
}
hw-id xx:xx:xx:xx:xx:xx
smp_affinity auto
speed auto
}
/* Loopback with no address configured. */
loopback lo {
}
}
/* WAN load balancing across eth0/eth2, applied only to traffic entering on eth1 (LAN); DMZ (eth3) traffic is not balanced. */
load-balancing {
wan {
/* Next-hops are fixed (192.168.4.254 / 192.168.1.254) although eth0/eth2 are addressed by DHCP; if an ISP hands out a different gateway the health check and the static default routes go stale. */
interface-health eth0 {
failure-count 3
nexthop 192.168.4.254
success-count 10
/* ttl-limit 1 appears to expire the probe at the first hop rather than at 8.8.8.8; confirm that a TTL-exceeded reply from the ISP gateway is the intended liveness signal. */
test 10 {
resp-time 5
target 8.8.8.8
ttl-limit 1
type ping
}
}
interface-health eth2 {
failure-count 3
nexthop 192.168.1.254
success-count 10
test 10 {
resp-time 5
target 8.8.8.8
ttl-limit 1
type ping
}
}
/* Equal-weight split of all protocols from the LAN interface. */
rule 10 {
inbound-interface eth1
interface eth0 {
weight 1
}
interface eth2 {
weight 1
}
protocol all
}
}
}
/* Source NAT (masquerade) for the LAN only. 10.50.0.0/24 (DMZ) is not translated on either WAN interface and no destination NAT exists, so nothing in the DMZ is reachable from the internet and DMZ hosts have no translated path out (consistent with DMZ-IN accepting no NEW connections). */
nat {
source {
rule 1 {
description "NAT inside to Cable 1"
outbound-interface eth0
source {
address 10.30.0.0/24
}
translation {
address masquerade
}
}
rule 2 {
description "NAT inside to Phone 1"
outbound-interface eth2
source {
address 10.30.0.0/24
}
translation {
address masquerade
}
}
}
}
/* Two default next-hops with equal distance (2), both hard-coded. The DHCP-assigned WAN addresses presumably install default routes of their own; confirm how these interact with load-balancing rule 10 and that 192.168.1.254 / 192.168.4.254 are the real ISP gateways. */
protocols {
static {
route 0.0.0.0/0 {
next-hop 192.168.1.254 {
distance 2
}
next-hop 192.168.4.254 {
distance 2
}
}
}
}
service {
/* DHCP server is off ("disabled true"). When enabled it would hand out 8.8.8.8 as DNS, not the 10.40.0.1/.3 servers listed under system name-server. */
dhcp-server {
disabled true
shared-network-name GATE {
authoritative disable
subnet 10.30.0.0/24 {
default-router 10.30.0.254
dns-server 8.8.8.8
domain-name in.feanor.me.uk
lease 86400
start 10.30.0.10 {
stop 10.30.0.240
}
}
}
}
/* "port 22" sits directly under service with an unmatched "}" below it; this looks like an "ssh {" line lost in the paste. If SSH does listen on 22, the PG-SSH (52222) rules in the *-LOCAL rulesets never match it and new SSH sessions are dropped by default-action. */
port 22
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
host-name vyos
login {
user xxxx {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
/* The router's own resolvers. 10.40.0.0/24 is on no configured interface (LAN is 10.30.0.0/24, DMZ 10.50.0.0/24) and has no static route, so these lookups follow the default route out a WAN interface unless that network exists elsewhere. */
name-server 10.40.0.1
name-server 10.40.0.3
/* NTP against pool.ntp.org is configured here despite the note that time servers are not set up yet. */
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
/* Package source is plain http; package integrity then rests on repository signing. */
package {
auto-sync 1
repository community {
components main
distribution helium
password ****************
url http://packages.vyos.net/vyos
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
Thanks
Apa