Newbie with vyos


#1

Full disclosure… total newbie with vyos and routers in general. Here is what I’d like to accomlpish:

Internet - Home Router (Tomato) - LAN

Vyos - virtual switch in ProxMox hosting various vms

I would like the vm’s to have access to the internet via vyos and my home router, but not be able to access any other machines on my LAN. Below is the current config… that gets me real close. The vm’s on proxmox can get to the internet, but they are also able to get to any of my LAN machines. Below is the output from show configuration commands… i have just stripped out the login user commands. My LAN is 192.168.10.0/24 and the proxmox switch is on 10.10.10.0/24


set interfaces ethernet eth0 address '192.168.10.2/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '10.10.10.1/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 smp_affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback 'lo'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop '192.168.10.1'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system gateway-address '192.168.10.1'
set system host-name 'vyos'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system package auto-sync '1'
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system package repository community password ''
set system package repository community url 'http://packages.vyos.net/vyos'
set system package repository community username ''
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'UTC'

I would be greatly appreciative if someone could tell me what I need to do to hide all of my LAN machines from the vyos/proxmox switch. If you could also explain they why’s of what you are telling me to do, that would be even better. I have only been playing with vyos for a few hours and i realize I have a very steep learning curve in front of me.

If I have not been clear or you need more information, please let me know. I tried to search the forums… but unfortunately… I dont even know enough yet to be able to phrase my question to obtain reasonable search results.

Thanks,

Doug Fletcher


#2

You need to add firewall rules to prevent access to other subnets.


#3

I really hate to admit this, but it took me a full 2 days to realize that every example of “typical” firewall rules for vyos would do exactly what I wanted. I was so focused on just stopping communications from my general LAN subnet (192.168.10.0/24) and my test network (10.10.10.0/24) that it never dawned on me the more generalized firewall rules still do what I needed. But now that make me wonder… if I wanted to just specifically block communications between those too networks, what would rules look like? Can someone give me a starting point or a brief example?

Thanks,

Doug


#4

I think it would be better for you to understand how it works rather than someone just hand you the answer.

https://support.rackspace.com/how-to/configuring-interface-based-firewall-on-the-vyatta-network-appliance/

https://wiki.vyos.net/wiki/Zone-policy_example


#5

I wanted to update this thread with my progress. Here is what I did to get the results I was looking for. I imagine I will get some good feedback on my methods and hopefully suggestions on how to improve.

Configure interfaces

set interfaces ethernet eth0 address '192.168.10.2/24'
set interfaces ethernet eth0 description 'Outside'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '10.10.10.1/24'
set interfaces ethernet eth1 description 'Inside'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 smp_affinity 'auto'
set interfaces ethernet eth1 speed 'auto'

Set default gateway

set protocols static route 0.0.0.0/0 next-hop '192.168.10.1'

Set DNS

Set system name-server 192.168.10.1

Start ssh server

set service ssh port '22'
commit
save

At this point, there are no firewall rules. I believe vyos is just acting as a router. I am able to ping from machines on the “inside” (eth1) interface to the internet as well as ping to my local LAN (Between my main firewall and the vyos vm (192.168.10.0/24). However, when i tried to ping from my local lan to machines on the otherside of the vyos router (10.10.10.0/24), those ping where not successful. Then it dawned on my that I just needed to add a route on my main firewall/router to send packets destined to 10.10.10.0/24 to 192.168.10.2 (vyos) as the next hop. Once I added that static route I was able to ping both ways.

From previous experiments, it appears that just setting up NAT on vyos got me pretty close to what I was looking for… so I started there.

set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.10.10.0/24'
set nat source rule 100 translation address 'masquerade'

Once I do this, there is no need for the static route to 10.10.10.0 in my main firewall anymore becuase all that triffic should be natted now and I should see any 10.10.10.0/24 address on my main LAN.

At this stage, I cannot ping any 10.10.10.0/24 addresses from my LAN(192.168.10.x), but from the 10.10.10.0 addresses, I am able to ping both internet and 192.168.10.0 addresses.

So now I need firewall rules.

First I want vyos to be a stateful firewall

set firewall state-policy established action 'accept'
set firewall state-policy related action 'accept'

Second I block all incomming traffic from the eth0 side

edit firewall name untrusted
set firewall name untrusted default-action 'drop'
set firewall name untrusted description 'deny traffic from internet'
exit

I know I need to allow a few protocols (ssh, icmp) thru so I create the protect-vyos firewall

edit firewall name protect-vyos
set firewall name protect-vyos default-action 'drop'
set firewall name protect-vyos rule 310 action 'accept'
set firewall name protect-vyos rule 310 destination port '22'
set firewall name protect-vyos rule 310 protocol 'tcp'
set firewall name protect-vyos rule 900 action 'accept'
set firewall name protect-vyos rule 900 description 'allow icmp'
set firewall name protect-vyos rule 900 protocol 'icmp'
exit

The I applied these rules to the corresponding interface

set interfaces ethernet eth0 firewall in name 'untrusted'
set interfaces ethernet eth0 firewall local name 'protect-vyos'
commit
save

I test again… and I cannot ping any 10.10.10.0/24 addresses from my LAN(192.168.10.x), but from the 10.10.10.0 addresses, I am able to ping both internet and 192.168.10.0 addresses.

hmmm… close but no cigar. So I make another rule specifically for dropping traffic destined to 192.168.10.0

edit firewall name untrusted 
set firewall name block-lan default-action 'accept'
set firewall name block-lan rule 10 action 'drop'
set firewall name block-lan rule 10 destination address '192.168.10.0/24'
exit

and apply this to what I think is the right interface

set interfaces ethernet eth1 firewall in name 'block-lan'
set interfaces ethernet eth1 firewall 'out'
config

Success! (I think). At least from my testing this does what I want. Now… as I stated in my first post, routing/firewalls are not my strong suit. I have very little experience with either, so feel free to tell me where I have gone really wrong… or what a better (preferred) way of doing what I wanted to.

Also, I have noticed that a lot of the last parameters are enclosed in single quotes. Are they only required if there are spaces in the parameter? Sometimes i used them… sometimes I didn’t and it didn’t seem to change the outcome at all.

Lastly, is there a code block formatting option on this new forum?

Doug


#6

No one has anything to add to this thread? Or is the new forum just not very busy yet?


#7

Formated a bit your last post
We just migrated, still need to do redirects from old forum