I have an edge device with 4 RJ45 ports (eth1 to eth4) and 2 SFP+ ports (eth5 and eth6), a wireless device (wlan0) and 2 SIM card slots (not doing anything with them for now).
I installed Debian bookworm on it and then went ahead to build VyOS 1.5 from source, following the documentation, and all worked out fine.
I configured eth6 to get its IP via DHCPv4 from the ISP on VLAN tag ID 300; I want that Internet to be shared on the local LAN (10.0.0.0/24). eth5 is configured to be on 10.0.0.1 and should be the gateway and DNS for the local LAN. eth1 to eth4 I bridged into one device br0, also on the local LAN on 10.0.0.11, and also configured to run a DHCPv4 server for the local LAN.
Firewalls and NAT rules are a bit difficult for me to understand and drive me crazy, so I could really use some help. Currently, with the config below, it seems that for clients on the local LAN nslookup on e.g. google works, but URLs in browsers don't load anything. What am I doing wrong here?
vyos@vyos:~$ show config
firewall {
    group {
        interface-group LAN {
            interface eth5
            interface br0
        }
        interface-group WAN {
            interface eth6
        }
        network-group NET-INSIDE-v4 {
            network 10.0.0.0/24
        }
    }
    ipv4 {
        name LAN_OUT {
            default-action accept
            rule 10 {
                action accept
                state established
                state related
            }
        }
        name LOCAL {
            default-action accept
            rule 10 {
                action accept
                state established
                state related
            }
        }
        name WAN_IN {
            default-action drop
            rule 10 {
                action accept
                state established
                state related
            }
        }
        name WAN_LOCAL {
            default-action drop
            rule 10 {
                action accept
                state established
                state related
            }
            rule 20 {
                action accept
                destination {
                    port 53
                }
                protocol tcp_udp
            }
        }
    }
}
interfaces {
    bridge br0 {
        address 10.0.0.11/24
        member {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
        }
    }
    ethernet eth1 {
        hw-id d0:63:b4:05:47:3f
    }
    ethernet eth2 {
        hw-id d0:63:b4:05:47:40
    }
    ethernet eth3 {
        hw-id d0:63:b4:05:47:41
    }
    ethernet eth4 {
        hw-id d0:63:b4:05:47:42
    }
    ethernet eth5 {
        address 10.0.0.1/24
        hw-id d0:63:b4:05:47:43
    }
    ethernet eth6 {
        hw-id d0:63:b4:05:47:44
        vif 300 {
            address dhcp
        }
    }
    loopback lo {
    }
    wireless wlan0 {
        address 10.0.0.12/24
        country-code nl
        hw-id 2c:33:58:f3:cc:4e
        physical-device phy0
        security {
            wpa {
                cipher CCMP
                mode wpa2
                passphrase ****************
            }
        }
        ssid we_can_hear_you_having_sex
        type access-point
    }
}
nat {
    destination {
        rule 10 {
            description fatzohh
            destination {
                port 44000
            }
            inbound-interface {
                name eth6
            }
            protocol tcp
            translation {
                address 10.0.0.3
                port 22
            }
        }
        rule 20 {
            description fatzovp1
            destination {
                port 44001
            }
            inbound-interface {
                name eth6
            }
            protocol tcp
            translation {
                address 10.0.0.3
                port 44001
            }
        }
    }
    source {
        rule 9 {
            destination {
                address 10.0.0.0/24
            }
            source {
                address 10.0.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.0.0.1 {
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            authoritative
            subnet 10.0.0.0/24 {
                option {
                    default-router 10.0.0.1
                    name-server 10.0.0.1
                }
                range 0 {
                    start 10.0.0.38
                    stop 10.0.0.140
                }
                subnet-id 1
            }
        }
    }
    dns {
        forwarding {
            allow-from 10.0.0.0/24
            cache-size 0
            listen-address 10.0.0.1
        }
    }
    ntp {
        allow-client {
            address 127.0.0.0/8
            address 169.1.0.0/16
            address 10.0.0.0/8
            address 172.16.0.0/12
            address 192.168.0.0/16
            address ::1/128
            address fe80::/10
            address fc00::/7
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    ssh {
        listen-address 10.0.0.1
        listen-address 10.0.0.11
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
            }
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
}
thx ginko, I had looked at that, but there are not many NAT rules in the quick guide and I think it does look similar. Have you noticed any particular errors?
How do I specify the outbound device to be eth6.300? Can you give me a hint please?
I will remove the destination address in rule 9 (if it is not needed, does that mean having it in there or not makes no difference at all?)
thanks zero1three013, in regards to the interfaces:
eth5 is an SFP+ interface whereas eth1 to eth4 are RJ45 interfaces with 2.5 Gbps. So bridging SFP+ with 2.5 Gbps and wlan0 will impact the speed of the bridge, why would you recommend that? FYI I have a 10 Gbps internet connection so I do not want speeds to be impacted. For those reasons I didn't combine it all in one bridge. Thank you in advance for your advice.
Firewall: how do I apply policies to interfaces in 1.5? Could you show me an example, or a link to one is also good.
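As an added example (the editor's, not from anyone in this thread), these VyOS 1.4/1.5 configuration-mode commands answer the two questions above: they attach the named policies from the posted config to the forward and input chains, and give the source NAT rule an outbound interface. Interface, group and policy names are those in the posted config; eth6.300 is taken to be the WAN side because that is where the DHCP client is configured.

```vyos
configure

# 1. Outbound NAT. Internet traffic leaves on the tagged sub-interface, so that
#    is the outbound interface; rule 9 (no interface, LAN destination) is replaced.
delete nat source rule 9
set nat source rule 100 outbound-interface name eth6.300
set nat source rule 100 source address 10.0.0.0/24
set nat source rule 100 translation address masquerade

# 2. Interface groups. WAN must match the sub-interface the traffic actually
#    arrives on, and wlan0 (10.0.0.12/24) was missing from LAN in the posted
#    config, which would drop wireless clients once the default action is drop.
set firewall group interface-group WAN interface eth6.300
delete firewall group interface-group WAN interface eth6
set firewall group interface-group LAN interface wlan0

# 3. Forwarded traffic (between LAN and Internet). Default drop, then jump into
#    the existing named policies; a policy whose default-action is accept or
#    drop ends the evaluation, so order here only selects which policy applies.
set firewall ipv4 forward filter default-action drop
set firewall ipv4 forward filter rule 10 action jump
set firewall ipv4 forward filter rule 10 jump-target WAN_IN
set firewall ipv4 forward filter rule 10 inbound-interface group WAN
set firewall ipv4 forward filter rule 20 action jump
set firewall ipv4 forward filter rule 20 jump-target LAN_OUT
set firewall ipv4 forward filter rule 20 inbound-interface group LAN

# 4. Traffic addressed to the router itself (SSH, DNS forwarder, DHCP).
set firewall ipv4 input filter default-action drop
set firewall ipv4 input filter rule 10 action jump
set firewall ipv4 input filter rule 10 jump-target WAN_LOCAL
set firewall ipv4 input filter rule 10 inbound-interface group WAN
set firewall ipv4 input filter rule 20 action jump
set firewall ipv4 input filter rule 20 jump-target LOCAL
set firewall ipv4 input filter rule 20 inbound-interface group LAN

# 5. The default route comes from DHCP on eth6.300. The posted static default
#    route points at 10.0.0.1, which is the router's own eth5 address, so it
#    leads nowhere and competes with the DHCP-learned route.
delete protocols static route 0.0.0.0/0

commit
save
```

With this applied, LAN-to-Internet traffic matches forward rule 20 and is accepted by LAN_OUT, while Internet-to-LAN traffic matches forward rule 10 and is dropped by WAN_IN unless it belongs to an established or related connection. One item worth a second look before committing: WAN_LOCAL rule 20 in the posted config accepts TCP/UDP 53 from the Internet to the router. The forwarder's listen-address and allow-from currently limit what that rule can reach, but a resolver that only serves the LAN has no reason to be reachable from WAN, so the rule can simply be removed.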
So I went ahead and adjusted rule 9 as suggested by ginkgo. It had not worked; there was another part in my config which caused an issue, I think:
I had this in my config (also shown in my first post):
I deleted this entry and then pings started working on the LAN. DNS resolution still seems to be an issue from the router or any LAN client; however, when I manually edit /etc/resolv.conf on the PC/router I do get DNS resolution.
I was wondering, is there some simple way I can just migrate my current config from my EdgeRouter Lite, which is working and which I use, to VyOS 1.5? I googled that a bit but it does not look like it.
this is my current edge config:
I don't know if anything exists to migrate an ER config to VyOS. If one exists, it wouldn't really work for your needs since there's enough difference between 1.3 (which is closer to ER) and 1.4/1.5 to require syntax migration, much less from an entirely different product. Just work section by section to migrate everything.
I'm not sure how much progress you've made since your original post, but the very first thing you need to do is get your firewall configured properly. What you have configured in your original post is just policies, you didn't apply that anywhere. Your device is wide open to the internet based on that config. Don't worry about anything else until that is done.
Also, especially considering you don't have a firewall applied right now, make sure you remove the default "vyos" user account and make your own account in there.
Beyond that, here's a couple of notes in addition to what others have mentioned to you:
DNS Forwarding:
You have DNS forwarding enabled, but don't have an upstream DNS server configured on the VyOS box. You can configure a system name-server, or a name-server just for forwarding:
set system name-server x.x.x.x
set service dns forwarding system
or
set service dns forwarding name-server x.x.x.x
DNS Filtering:
You can run something like AdGuard or PiHole to do the DNS filtering you are doing on the ER box. You can run the container on VyOS, or somewhere in your LAN. You can even do both so you have redundancy for your DNS. I run AdGuard and another container called adguardhome-sync that lets me just configure changes to a master instance, and the changes get pushed to all redundant AdGuard instances.
Port Forwarding:
The EdgeRouter has an auto firewall function when configuring port-forwarding (destination NAT), but VyOS doesn't have that. So you'll also need to make rules for your DNAT in your forwarding chain allowing that traffic.
The EdgeRouter also has a function for hairpin NAT that you have enabled, so if you need that, you'll need to configure that manually as well.
Multiple interfaces in the same IP range:
You have multiple interfaces in the same IP range, which could confuse VyOS on how to route destination traffic. I recommend putting those interfaces in different subnets.
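As an added example (the editor's, not from the post above or from VyOS documentation), the "DNS Forwarding" and "Port Forwarding" notes carried through for the posted config. It assumes eth6.300 is the WAN sub-interface (that is where the DHCP client lives) and that the WAN_IN policy is jumped to from the forward filter chain; a rule added to a policy that is not attached anywhere has no effect.

```vyos
configure

# DNS forwarding needs an upstream. The WAN address comes from DHCP, so the
# simplest choice is to forward to the name-servers the DHCP client on
# eth6.300 learned ...
set service dns forwarding dhcp eth6.300
# ... or pin a static upstream instead (x.x.x.x is a placeholder):
# set service dns forwarding name-server x.x.x.x

# Destination NAT: the public side is the tagged sub-interface, not bare eth6,
# so the two existing rules are re-pointed.
set nat destination rule 10 inbound-interface name eth6.300
set nat destination rule 20 inbound-interface name eth6.300

# DNAT is applied before the forward filter, so the allow rule matches the
# translated (internal) destination, not the public port. VyOS has no
# EdgeRouter-style auto firewall for port forwards; without this rule the
# WAN_IN policy (default-action drop) drops the forwarded connections.
set firewall ipv4 name WAN_IN rule 20 action accept
set firewall ipv4 name WAN_IN rule 20 description "new connections to DNAT target"
set firewall ipv4 name WAN_IN rule 20 protocol tcp
set firewall ipv4 name WAN_IN rule 20 destination address 10.0.0.3
set firewall ipv4 name WAN_IN rule 20 destination port 22,44001
set firewall ipv4 name WAN_IN rule 20 state new

commit
save
```

Keeping the DNAT allow rule inside WAN_IN, scoped to the translated host and ports and to new connections only, means the rest of the Internet-facing policy stays default-drop; replies to those connections are already covered by WAN_IN rule 10 (established/related). Hairpin NAT for LAN clients reaching the forwarded ports through the public address is not shown, because it needs a second destination NAT rule keyed on that public address, which is dynamic here.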