Internet & LAN router setup VyOS 1.5 Debian Bookworm

hi all,

I have an edge device with 4 RJ45 ports (eth1 to eth4) and 2 SFP+ ports (eth5 and eth6), a wireless device (wlan0) and 2 SIM card slots (not doing anything with them for now).
I installed Debian Bookworm on it and then went ahead to build VyOS 1.5 from source, following the documentation, and all worked out fine.
I configured eth6 to get its IP via DHCPv4 from the ISP on VLAN tag ID 300; I want that Internet connection to be shared on the local LAN (10.0.0.0/24). eth5 is configured to be on 10.0.0.1 and should be the gateway and DNS for the local LAN. eth1 to eth4 I bridged into one device, br0, also on the local LAN at 10.0.0.11 and also configured to run a DHCPv4 server for the local LAN.
Firewall and NAT rules are a bit difficult for me to understand and drive me crazy, so I could really use some help. Currently, with the config below, it seems that for clients on the local LAN an nslookup on e.g. google works, but URLs in browsers don't load anything. What am I doing wrong here?

vyos@vyos:~$ show config
firewall {
    group {
        interface-group LAN {
            interface eth5
            interface br0
        }
        interface-group WAN {
            interface eth6
        }
        network-group NET-INSIDE-v4 {
            network 10.0.0.0/24
        }
    }
    ipv4 {
        name LAN_OUT {
            default-action accept
            rule 10 {
                action accept
                state established
                state related
            }
        }
        name LOCAL {
            default-action accept
            rule 10 {
                action accept
                state established
                state related
            }
        }
        name WAN_IN {
            default-action drop
            rule 10 {
                action accept
                state established
                state related
            }
        }
        name WAN_LOCAL {
            default-action drop
            rule 10 {
                action accept
                state established
                state related
            }
            rule 20 {
                action accept
                destination {
                    port 53
                }
                protocol tcp_udp
            }
        }
    }
}
interfaces {
    bridge br0 {
        address 10.0.0.11/24
        member {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
        }
    }
    ethernet eth1 {
        hw-id d0:63:b4:05:47:3f
    }
    ethernet eth2 {
        hw-id d0:63:b4:05:47:40
    }
    ethernet eth3 {
        hw-id d0:63:b4:05:47:41
    }
    ethernet eth4 {
        hw-id d0:63:b4:05:47:42
    }
    ethernet eth5 {
        address 10.0.0.1/24
        hw-id d0:63:b4:05:47:43
    }
    ethernet eth6 {
        hw-id d0:63:b4:05:47:44
        vif 300 {
            address dhcp
        }
    }
    loopback lo {
    }
    wireless wlan0 {
        address 10.0.0.12/24
        country-code nl
        hw-id 2c:33:58:f3:cc:4e
        physical-device phy0
        security {
            wpa {
                cipher CCMP
                mode wpa2
                passphrase ****************
            }
        }
        ssid we_can_hear_you_having_sex
        type access-point
    }
}
nat {
    destination {
        rule 10 {
            description fatzohh
            destination {
                port 44000
            }
            inbound-interface {
                name eth6
            }
            protocol tcp
            translation {
                address 10.0.0.3
                port 22
            }
        }
        rule 20 {
            description fatzovp1
            destination {
                port 44001
            }
            inbound-interface {
                name eth6
            }
            protocol tcp
            translation {
                address 10.0.0.3
                port 44001
            }
        }
    }
    source {
        rule 9 {
            destination {
                address 10.0.0.0/24
            }
            source {
                address 10.0.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.0.0.1 {
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            authoritative
            subnet 10.0.0.0/24 {
                option {
                    default-router 10.0.0.1
                    name-server 10.0.0.1
                }
                range 0 {
                    start 10.0.0.38
                    stop 10.0.0.140
                }
                subnet-id 1
            }
        }
    }
    dns {
        forwarding {
            allow-from 10.0.0.0/24
            cache-size 0
            listen-address 10.0.0.1
        }
    }
    ntp {
        allow-client {
            address 127.0.0.0/8
            address 169.1.0.0/16
            address 10.0.0.0/8
            address 172.16.0.0/12
            address 192.168.0.0/16
            address ::1/128
            address fe80::/10
            address fc00::/7
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    ssh {
        listen-address 10.0.0.1
        listen-address 10.0.0.11
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
            }
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
}


Your NAT config should look similar to the quick start guide, in that you specify the outbound device, "eth6.300" in your case.

You don’t need the destination address in rule 9. Destination would be your dhcp device connected to WAN as per above.

https://docs.vyos.io/en/latest/quick-start.html

thx ginko, I had looked at that, but there are not many NAT rules in the quick guide and I think mine does look similar. Have you noticed any particular errors?
How do I specify the outbound device to be eth6.300? Can you give me a hint please?
I will remove the destination address in rule 9 (if it is not needed, does that mean having it in there or not makes no difference at all?)

thank you in advance :smiley:

If you enter the command “show interfaces”, do you see an interface named eth6.300 with a dhcp address assigned from your ISP?

If yes, try editing your NAT source rule per below:

configure
delete nat source rule 9 destination
set nat source rule 9 outbound-interface 'eth6.300'
commit
save

This will modify the config for your source nat rule 9 shown above to look like the below. You can verify by entering the show conf command.

    source {
        rule 9 {
            outbound-interface {
                name eth6.300
            }
            source {
                address 10.0.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }

Now try to ping/access internet from one of the machines on your LAN.

You’ve made the config super complicated


Interfaces

Put 10.0.0.1/24 on the br0 interface, put eth5 in the bridge
Take off 10.0.0.11/24 of the wlan0 interface, add wlan0 to the bridge

Firewall

br0 will be the only thing in interface-group LAN
eth6.300 will be in interface-group WAN

None of the policies are applied to any interfaces

NAT

You’ll want a source NAT rule something like

set nat source rule 10 translation address 'masquerade'
set nat source rule 20 description 'NAT to WAN'
set nat source rule 20 outbound-interface name 'eth6.300'
set nat source rule 20 source address '0.0.0.0/0'

Routing

Your static route makes no sense, it’s just routing to itself, you should be getting the default route from DHCP

thanks zero1three013, in regards to the interfaces:
eth5 is an SFP+ interface whereas eth1 to eth4 are RJ45 interfaces with 2.5 Gbps. So bridging SFP+ with 2.5 Gbps and wlan0 will impact the speed of the bridge; why would you recommend that? FYI, I have a 10 Gbps internet connection so I do not want speeds to be impacted. For those reasons I didn't combine it all in one bridge. Thank you in advance for your advice.

Firewall: how do I apply policies to interfaces in 1.5? Could you show me an example, or a link to one is also good :slight_smile:
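What "none of the policies are applied" means in practice, as an added example (my commands, not config posted by anyone in this thread): in VyOS 1.5 a named ruleset such as WAN_IN is inert until one of the base chains (forward for routed traffic, input for traffic to the router itself) jumps to it. The commands below wire the four rulesets and two interface groups from the first post into those chains. They assume, as the replies suggest, that eth6.300 rather than eth6 is the member of the WAN group; the accept rule for lo is my own addition so the router's local processes keep talking to each other once the input chain defaults to drop.

```vyos
# Added example, not from the thread. Interface groups as in the first post,
# with the assumption that WAN holds the VLAN sub-interface eth6.300.
set firewall group interface-group WAN interface 'eth6.300'
set firewall group interface-group LAN interface 'br0'
set firewall group interface-group LAN interface 'eth5'

# forward chain: packets routed through the box.
# WAN -> anywhere goes through WAN_IN (default drop), LAN -> WAN through LAN_OUT.
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 jump-target 'WAN_IN'
set firewall ipv4 forward filter rule 10 inbound-interface group 'WAN'
set firewall ipv4 forward filter rule 20 action 'jump'
set firewall ipv4 forward filter rule 20 jump-target 'LAN_OUT'
set firewall ipv4 forward filter rule 20 inbound-interface group 'LAN'
set firewall ipv4 forward filter rule 20 outbound-interface group 'WAN'

# input chain: packets addressed to the router itself (SSH, DNS forwarder, DHCP).
# Rule 5 (assumed) keeps loopback traffic working; WAN_LOCAL handles the internet
# side, LOCAL (default accept) handles the LAN side.
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 5 action 'accept'
set firewall ipv4 input filter rule 5 inbound-interface name 'lo'
set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 jump-target 'WAN_LOCAL'
set firewall ipv4 input filter rule 10 inbound-interface group 'WAN'
set firewall ipv4 input filter rule 20 action 'jump'
set firewall ipv4 input filter rule 20 jump-target 'LOCAL'
set firewall ipv4 input filter rule 20 inbound-interface group 'LAN'
```

Two things to check after commit. First, `show firewall` should show the jump rules with counters climbing once LAN clients browse; if WAN_IN shows nothing, the group membership (eth6 vs eth6.300) is the usual reason. Second, WAN_LOCAL rule 20 from the first post accepts TCP/UDP 53 from the internet side; the forwarder is bound to 10.0.0.1 with allow-from 10.0.0.0/24, so LAN clients do not need that rule and it can be deleted rather than exposing port 53 towards the ISP.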

So I went ahead and adjusted rule 9 as suggested by ginkgo; that had not worked. There was another part in my config which caused an issue, I think.
I had this in my config (also shown in my first post):

protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.0.0.1 {
            }
        }
    }
}

I deleted this entry and then pings started working on the LAN. DNS resolution still seems to be an issue from the router or any LAN client; however, when I manually edit /etc/resolv.conf on the PC/router I do get DNS resolution.
I was wondering, is there some simple way I can just migrate my current config on my EdgeRouter Lite, which is working and which I use, to VyOS 1.5? I googled that a bit but it does not look like it.
This is my current edge config:

show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description SIP
            destination {
                address 10.0.0.6
                port 5060
            }
            log disable
            protocol tcp_udp
        }
        rule 20 {
            action accept
            description RTP
            destination {
                address 10.0.0.6
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.0.0.1/24
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 10.133.133.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    lan-interface eth2
    rule 1 {
        description serverhh
        forward-to {
            address 10.0.0.3
            port 22
        }
        original-port 41025
        protocol tcp
    }
    rule 2 {
        description servervp1
        forward-to {
            address 10.0.0.3
            port 4444
        }
        original-port 43221
        protocol tcp
    }
    rule 3 {
        description serverrent1
        forward-to {
            address 10.0.0.3
            port 41114-43120
        }
        original-port 41114-43120
        protocol tcp
    }
    rule 4 {
        description serverrent2
        forward-to {
            address 10.0.0.3
            port 50000-51000
        }
        original-port 50000-51000
        protocol tcp_udp
    }
    rule 5 {
        description serverGL
        forward-to {
            address 10.0.0.3
            port 44445
        }
        original-port 44445
        protocol tcp
    }
    rule 6 {
        description servervp2
        forward-to {
            address 10.0.0.3
            port 43220
        }
        original-port 43220
        protocol udp
    }
    rule 7 {
        description serverrent3
        forward-to {
            address 10.0.0.3
            port 43301-48599
        }
        original-port 43301-48599
        protocol tcp
    }
    rule 8 {
        description vpn
        forward-to {
            address 10.0.0.3
            port 45123
        }
        original-port 45123
        protocol udp
    }
    rule 9 {
        description NC1
        forward-to {
            address 10.0.0.10
            port 80
        }
        original-port 80
        protocol tcp_udp
    }
    rule 10 {
        description NC2
        forward-to {
            address 10.0.0.10
            port 443
        }
        original-port 443
        protocol tcp_udp
    }
    rule 11 {
        description turnC
        forward-to {
            address 10.0.0.10
            port 3478
        }
        original-port 3478
        protocol tcp_udp
    }
    rule 12 {
        description pydio
        forward-to {
            address 10.0.0.10
            port 8443
        }
        original-port 8443
        protocol tcp_udp
    }
    rule 13 {
        description 1pbx
        forward-to {
            address 10.0.0.6
            port 5060-5061
        }
        original-port 5060-5061
        protocol tcp_udp
    }
    rule 14 {
        description 2pbx
        forward-to {
            address 10.0.0.6
            port 5000-5001
        }
        original-port 5000-5001
        protocol tcp_udp
    }
    rule 15 {
        description jitsi
        forward-to {
            address 10.0.0.10
            port 443
        }
        original-port 4443
        protocol tcp
    }
    rule 16 {
        description jitsi2
        forward-to {
            address 10.0.0.10
            port 10000
        }
        original-port 10000
        protocol udp
    }
    rule 17 {
        description servervp3
        forward-to {
            address 10.0.0.3
            port 43219
        }
        original-port 43219
        protocol udp
    }
    rule 18 {
        description 3pbx
        forward-to {
            address 10.0.0.6
            port 5090
        }
        original-port 5090
        protocol tcp_udp
    }
    rule 19 {
        description 4pbx
        forward-to {
            address 10.0.0.6
            port 9000-9500
        }
        original-port 9000-9500
        protocol tcp_udp
    }
    rule 20 {
        description ncTEMP
        forward-to {
            address 10.0.0.233
            port 80
        }
        original-port 81
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.1
                lease 86400
                start 10.0.0.38 {
                    stop 10.0.0.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 10.133.133.0/24 {
                default-router 10.133.133.1
                dns-server 10.133.133.1
                lease 86400
                start 10.133.133.38 {
                    stop 10.133.133.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            blacklist {
                disabled false
                dns-redirect-ip 0.0.0.0
                domains {
                    include adk2x.com
                    include adsrvr.org
                    include adtechus.net
                    include advertising.com
                    include centade.com
                    include doubleclick.net
                    include fastplayz.com
                    include free-counter.co.uk
                    include hilltopads.net
                    include intellitxt.com
                    include kiosked.com
                    include patoghee.in
                    include themillionaireinpjs.com
                    include traktrafficflow.com
                    include wwwpromoter.com
                    source NoBitCoin {
                        description "Blocking Web Browser Bitcoin Mining"
                        prefix 0.0.0.0
                        url https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt
                    }
                    source OISD {
                        description "OISD Domains Basic"
                        url https://dbl.oisd.nl/basic/
                    }
                    source simple_tracking {
                        description "Basic tracking list by Disconnect"
                        url https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
                    }
                }
                exclude 1e100.net
                exclude 2o7.net
                exclude adjust.com
                exclude adobedtm.com
                exclude akamai.net
                exclude akamaihd.net
                exclude amazon.com
                exclude amazonaws.com
                exclude ampproject.org
                exclude android.clients.google.com
                exclude apple.com
                exclude apresolve.spotify.com
                exclude ask.com
                exclude avast.com
                exclude avira-update.com
                exclude bannerbank.com
                exclude bazaarvoice.com
                exclude bing.com
                exclude bit.ly
                exclude bitdefender.com
                exclude bonsaimirai.us9.list-manage.com
                exclude c.s-microsoft.com
                exclude cdn.ravenjs.com
                exclude cdn.visiblemeasures.com
                exclude clientconfig.passport.net
                exclude clients2.google.com
                exclude clients4.google.com
                exclude cloudfront.net
                exclude coremetrics.com
                exclude dickssportinggoods.com
                exclude dl.dropboxusercontent.com
                exclude dropbox.com
                exclude ebay.com
                exclude edgesuite.net
                exclude evernote.com
                exclude express.co.uk
                exclude feedly.com
                exclude freedns.afraid.org
                exclude github.com
                exclude githubusercontent.com
                exclude global.ssl.fastly.net
                exclude google.com
                exclude googleads.g.doubleclick.net
                exclude googleadservices.com
                exclude googleapis.com
                exclude googletagmanager.com
                exclude googleusercontent.com
                exclude gstatic.com
                exclude gvt1.com
                exclude gvt1.net
                exclude hb.disney.go.com
                exclude herokuapp.com
                exclude hp.com
                exclude hulu.com
                exclude i.s-microsoft.com
                exclude images-amazon.com
                exclude live.com
                exclude logmein.com
                exclude m.weeklyad.target.com
                exclude magnetmail1.net
                exclude microsoft.com
                exclude microsoftonline.com
                exclude msdn.com
                exclude msecnd.net
                exclude msftncsi.com
                exclude mywot.com
                exclude nsatc.net
                exclude outlook.office365.com
                exclude paypal.com
                exclude pop.h-cdn.co
                exclude products.office.com
                exclude quora.com
                exclude rackcdn.com
                exclude rarlab.com
                exclude s.youtube.com
                exclude schema.org
                exclude shopify.com
                exclude skype.com
                exclude smacargo.com
                exclude sourceforge.net
                exclude spclient.wg.spotify.com
                exclude spotify.com
                exclude spotify.edgekey.net
                exclude spotilocal.com
                exclude ssl-on9.com
                exclude ssl-on9.net
                exclude sstatic.net
                exclude static.chartbeat.com
                exclude storage.googleapis.com
                exclude twimg.com
                exclude video-stats.l.google.com
                exclude viewpoint.com
                exclude weeklyad.target.com
                exclude weeklyad.target.com.edgesuite.net
                exclude windows.net
                exclude www.msftncsi.com
                exclude xboxlive.com
                exclude yimg.com
                exclude ytimg.com
                hosts {
                    exclude cfvod.kaltura.com
                    include ads.feedly.com
                    include beap.gemini.yahoo.com
                    source openphish {
                        description "OpenPhish automatic phishing detection"
                        prefix http
                        url https://openphish.com/feed.txt
                    }
                }
            }
            cache-size 10000
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
    }
}
system {
    analytics-handler {
        send-analytics-report false
    }
    conntrack {
        expect-table-size 2048
        hash-size 32768
        modules {
            sip {
                disable
            }
        }
        table-size 262144
    }
    crash-handler {
        send-crash-report false
    }
    host-name EdgeRouter-Lite-3-Port
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    package {
        repository blacklist {
            components main
            description "Britannic blacklist debian stretch repository"
            distribution stretch
            password ****************
            url https://raw.githubusercontent.com/britannic/debian-repo/master/blacklist/public/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    task-scheduler {
        task update_blacklists {
            executable {
                arguments 10800
                path /config/scripts/update-dnsmasq-cronjob.sh
            }
            interval 1d
        }
    }
    time-zone UTC
    traffic-analysis {
        dpi enable
        export enable
    }
}

I don’t know if anything exists to migrate an ER config to VyOS. If one exists, it wouldn’t really work for your needs since there’s enough difference between 1.3 (which is closer to ER) and 1.4/1.5 to require syntax migration, much less from an entirely different product. Just work section by section to migrate everything.

I’m not sure how much progress you’ve made since your original post, but the very first thing you need to do is get your firewall configured properly. What you have configured in your original post is just policies, you didn’t apply that anywhere. Your device is wide open to the internet based on that config. Don’t worry about anything else until that is done.

Also, especially considering you don’t have a firewall applied right now, make sure you remove the default ‘vyos’ user account and make your own account in there.

Beyond that, here are a couple of notes in addition to what others have mentioned to you:

  • DNS Forwarding:
    • You have DNS forwarding enabled, but don’t have an upstream DNS server configured on the VyOS box. You can configure a system name-server, or a name-server just for forwarding:
set system name-server x.x.x.x
set service dns forwarding system

or

set service dns forwarding name-server x.x.x.x
  • DNS Filtering:
    • You can run something like AdGuard or PiHole to do the DNS filtering you are doing on the ER box. You can run the container on VyOS, or somewhere in your LAN. You can even do both so you have redundancy for your DNS. I run AdGuard and another container called adguardhome-sync that lets me just configure changes to a master instance, and the changes get pushed to all redundant AdGuard instances.
  • Port Forwarding:
    • The EdgeRouter has an auto firewall function when configuring port-forwarding (destination NAT), but VyOS doesn’t have that. So you’ll also need to make rules for your DNAT in your forwarding chain allowing that traffic.
    • The EdgeRouter also has a function for hairpin NAT that you have enabled, so if you need that, you’ll need to configure that manually as well.
  • Multiple interfaces in the same IP range:
    • You have multiple interfaces in the same IP range, which could confuse VyOS on how to route destination traffic. I recommend putting those interfaces in different subnets.
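The missing auto-firewall from the port-forwarding note, spelled out as an added example (my commands, not anyone's posted config) for the first destination NAT rule of the original post: the DNAT itself plus the accept rule that VyOS 1.5 needs in the WAN-to-LAN ruleset, which the EdgeRouter generated for you. It assumes eth6.300 is the WAN interface, as the replies suggest, and that WAN_IN is the ruleset your forward chain jumps to for traffic arriving from the WAN group.

```vyos
# Added example, not from the thread. Destination NAT for the first post's rule 10
# (public TCP 44000 -> 10.0.0.3:22). Assumption: WAN traffic arrives on the VLAN
# sub-interface eth6.300, not on the parent eth6.
set nat destination rule 10 description 'fatzohh'
set nat destination rule 10 inbound-interface name 'eth6.300'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 destination port '44000'
set nat destination rule 10 translation address '10.0.0.3'
set nat destination rule 10 translation port '22'

# This is the part the EdgeRouter's auto-firewall did for you. The forward chain
# sees the packet after DNAT, so the accept rule matches the translated
# destination (10.0.0.3 port 22), not the public port 44000. Rule 10 of WAN_IN
# already accepts established/related, so this rule only sees the first packet
# of each new session.
set firewall ipv4 name WAN_IN rule 20 action 'accept'
set firewall ipv4 name WAN_IN rule 20 description 'fatzohh: DNATed SSH to 10.0.0.3'
set firewall ipv4 name WAN_IN rule 20 protocol 'tcp'
set firewall ipv4 name WAN_IN rule 20 destination address '10.0.0.3'
set firewall ipv4 name WAN_IN rule 20 destination port '22'
set firewall ipv4 name WAN_IN rule 20 state 'new'
```

Repeat the pair for rule 20 (44001 to 10.0.0.3:44001) and for each of the EdgeRouter port-forward rules you carry over, keeping every accept rule as narrow as its DNAT (one protocol, one internal address, one port or range); that is what makes the absent auto-firewall harmless, since nothing else from the WAN can reach 10.0.0.3 through WAN_IN's default drop. `show nat destination rules` lists the translations after commit, and a connection attempt from outside to port 44000 should increment both the NAT rule and WAN_IN rule 20.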

I am new here.
Please, I want to ask a question:
Can VyOS browse the internet without an ISP or any additional devices?

What do you mean? Can you clarify or rephrase your question?

This has nothing to do with this thread, so if this is to be addressed please open a new thread, thx
