Looking for a bit of guidance on my VyOS in Proxmox lab. I'm comfortable with networking, switching and routing, and basic firewall rules I get, but I can't seem to get my head around where to start in VyOS: the IN/OUT/LOCAL or zone-based approach. Where am I best starting? With the quick start I can't get my head around how to adapt it to work for my goal below; I attempted the config below. Any help would be great.
My goal:
Set up the firewall so I can SSH to the firewall from my home network (192.168.1.0/24)
Block anything from my VXLAN zone getting to my home network, excluding established/related.
FROM 10.0.X.X/16 to 192.168.1.0/24
Still have internet connectivity in 10.0.X.X/16
Longer term goals (I'm happier setting up the below than the firewall):
Configure with Terraform and/or Ansible
2x VyOS VMs with VRRP
Replace the existing router with these 2x VyOS VMs
Replace Pi-hole DHCP with VyOS DHCP with failover
IPsec to a remote site (cloud VM or something)
Bonus: do some sort of route sharing (OSPF or BGP over the tunnel)
I have managed to set up the interfaces, DHCP, DNS forwarding and SNAT, and networking seems fine; I can ping devices from 10.0.1.0/24 and 10.0.10.0/24.
Current configuration:
Setup Summary
3x Proxmox nodes (192.168.1.0/24)
1x VXLAN zone - VLAN aware
1x VM not tagged (10.0.1.0/24)
1x VM tagged 10 (10.0.10.0/24)
1x VyOS VM - VyOS 1.5-rolling-202412160007
eth1 - 192.168.1.252/32
eth0 - 10.0.1.254/32
eth2 - 10.0.10.254/32
Configuration commands (minus users)
oli@firewall:~$ show configuration commands
set firewall group interface-group INSIDE interface 'eth0'
set firewall group interface-group INSIDE interface 'eth2'
set firewall group interface-group OUTSIDE interface 'eth1'
set firewall group network-group NET-INSIDE network '10.0.0.0/16'
set firewall group network-group NET-OUTSIDE network '192.168.1.0/24'
set firewall ipv4 input filter rule 100 action 'drop'
set firewall ipv4 input filter rule 100 destination group network-group 'NET-OUTSIDE'
set firewall ipv4 input filter rule 100 inbound-interface group 'INSIDE'
set interfaces ethernet eth0 address '10.0.1.254/24'
set interfaces ethernet eth0 description 'INSIDE'
set interfaces ethernet eth0 hw-id 'bc:24:11:7b:37:f9'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth1 address '192.168.1.252/24'
set interfaces ethernet eth1 description 'OUTSIDE'
set interfaces ethernet eth1 hw-id 'bc:24:11:0c:0d:82'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 offload gso
set interfaces ethernet eth1 offload sg
set interfaces ethernet eth1 offload tso
set interfaces ethernet eth2 address '10.0.10.254/24'
set interfaces ethernet eth2 description 'VLAN10'
set interfaces loopback lo
set nat source rule 1 description 'devnet via eth1'
set nat source rule 1 outbound-interface name 'eth1'
set nat source rule 1 source address '10.0.1.0/24'
set nat source rule 1 translation address 'masquerade'
set nat source rule 2 description 'devnet via eth1'
set nat source rule 2 outbound-interface name 'eth1'
set nat source rule 2 source address '10.0.10.0/24'
set nat source rule 2 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 192.168.1.254
set service dhcp-server shared-network-name devnet authoritative
set service dhcp-server shared-network-name devnet description 'testing'
set service dhcp-server shared-network-name devnet subnet 10.0.1.0/24 option default-router '10.0.1.254'
set service dhcp-server shared-network-name devnet subnet 10.0.1.0/24 option name-server '192.168.1.114'
set service dhcp-server shared-network-name devnet subnet 10.0.1.0/24 range 0 start '10.0.1.1'
set service dhcp-server shared-network-name devnet subnet 10.0.1.0/24 range 0 stop '10.0.1.10'
set service dhcp-server shared-network-name devnet subnet 10.0.1.0/24 subnet-id '1'
set service dhcp-server shared-network-name vlan10 authoritative
set service dhcp-server shared-network-name vlan10 description 'testing'
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 option default-router '10.0.10.254'
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 option name-server '192.168.1.114'
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 range 0 start '10.0.10.1'
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 range 0 stop '10.0.10.10'
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 subnet-id '10'
set service dns forwarding allow-from '10.0.1.0/24'
set service dns forwarding allow-from '10.0.10.0/24'
set service dns forwarding listen-address '127.0.0.1'
set service ntp allow-client address '127.0.0.0/8'
set service ntp allow-client address '169.254.0.0/16'
set service ntp allow-client address '10.0.0.0/8'
set service ntp allow-client address '172.16.0.0/12'
set service ntp allow-client address '192.168.0.0/16'
set service ntp allow-client address '::1/128'
set service ntp allow-client address 'fe80::/10'
set service ntp allow-client address 'fc00::/7'
set service ntp server time1.vyos.net- # had to add the - as these act as links and new users are only allowed 2
set service ntp server time2.vyos.net-
set service ntp server time3.vyos.net-
set service ssh listen-address '192.168.1.252'
set service ssh port '22'
Your input chain rule (rule 100) is configured to drop traffic from INSIDE to NET-OUTSIDE. However, the input chain controls traffic destined to the router itself, so this rule might not align with your goal of blocking traffic between the VXLAN and your home network.
The forward chain doesn't currently have rules to enforce blocking traffic from 10.0.0.0/16 to 192.168.1.0/24 or to allow internet access.
There's no explicit firewall rule in the input chain to allow SSH on 192.168.1.252.
Could you try the following:
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 description 'Allow SSH from home network'
set firewall ipv4 input filter rule 10 source group network-group 'NET-OUTSIDE'
set firewall ipv4 input filter rule 10 destination port '22'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 description 'Allow established/related traffic'
set firewall ipv4 input filter rule 20 state established 'enable'
set firewall ipv4 input filter rule 20 state related 'enable'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'accept'
set firewall ipv4 forward filter rule 10 description 'Allow established/related traffic'
set firewall ipv4 forward filter rule 10 state established 'enable'
set firewall ipv4 forward filter rule 10 state related 'enable'
set firewall ipv4 forward filter rule 20 action 'drop'
set firewall ipv4 forward filter rule 20 description 'Block vxlan to home network'
set firewall ipv4 forward filter rule 20 source group network-group 'NET-INSIDE'
set firewall ipv4 forward filter rule 20 destination group network-group 'NET-OUTSIDE'
set firewall ipv4 forward filter rule 30 action 'accept'
set firewall ipv4 forward filter rule 30 description 'Allow vxlan internet access'
set firewall ipv4 forward filter rule 30 source group network-group 'NET-INSIDE'
set firewall ipv4 forward filter rule 30 destination address '0.0.0.0/0'
Thanks @son for the input, it really helped me understand a bit more about the firewall rules.
I have applied the commands you gave.
I can still SSH to the firewall from the home network.
VMs on the VXLAN can ping 8.8.8.8 / 1.1.1.1 but cannot do name resolution.
I did change the name-server on the DHCP server to be the gateway for each network, but this didn't help with name resolution.
- delete service dhcp-server shared-network-name devnet subnet 10.0.1.0/24 option name-server '192.168.1.114'
+ set service dhcp-server shared-network-name devnet subnet 10.0.1.0/24 option name-server '10.0.1.254'
- delete service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 option name-server '192.168.1.114'
+ set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 option name-server '10.0.10.254'
Not sure about the DNS issue though. I don't think it's a firewall rule issue; I have tweaked DNS with the below to use the DNS servers set by the system, which are in the home network (192.168.1.114-115):
set service dns forwarding allow-from '10.0.0.0/16'
set service dns forwarding listen-address '127.0.0.1'
set service dns forwarding system
VXLAN VMs couldn't ping the gateway or other VMs; I added the below and now they can. Not sure this is the best approach if I want to do any rules between 10.0.1.0/24 and 10.0.10.0/24 in the future:
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 description 'allow from vxlan'
set firewall ipv4 input filter rule 1 destination group network-group 'NET-INSIDE'
set firewall ipv4 input filter rule 1 protocol 'all'
set firewall ipv4 input filter rule 1 source group network-group 'NET-INSIDE'
The VXLAN VMs cannot reach the home network, which is great.
I have also added a forward filter to allow NET-OUTSIDE to NET-INSIDE so I can reach the VMs from the home network for configuration with Ansible etc.
Can you try adding a firewall rule to allow DNS traffic from the VXLAN network to your DNS servers?
First, create an address group for the DNS servers:
set firewall group address-group ADR-DNS-v4 address '192.168.1.114-192.168.1.115'
Next, add a rule in the forward chain to allow DNS traffic from your VXLAN network to those DNS servers:
set firewall ipv4 forward filter rule X action 'accept'
set firewall ipv4 forward filter rule X description 'Allow DNS from VXLAN to DNS servers'
set firewall ipv4 forward filter rule X source group network-group 'NET-INSIDE'
set firewall ipv4 forward filter rule X destination group address-group 'ADR-DNS-v4'
set firewall ipv4 forward filter rule X protocol 'udp'
set firewall ipv4 forward filter rule X destination port '53'
Make sure this rule goes in before the rule that blocks traffic from the VXLAN network to the home network. This way, DNS traffic gets through before any blocks are applied.
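The ordering point above, as an added example that is not part of the thread: a small Python model of how VyOS walks a forward filter chain in ascending rule-number order, first match wins, replayed over the block rule and the DNS accept rule with the DNS rule numbered below and above 20. Group contents are the ones from the posted config; the packet and the rule text (a reduced copy of the two answers' rules, without descriptions or the established/related rule) are constructed.

```python
import ipaddress
import re
# Added example, not from the thread: a model of how VyOS walks an ipv4 forward filter
# chain in rule-number order. Groups are from the posted config; rule text is constructed
# from the two answers above, with the DNS rule's number left as {X} so it can be varied.
GROUPS = {"NET-INSIDE": ["10.0.0.0/16"], "NET-OUTSIDE": ["192.168.1.0/24"],
          "ADR-DNS-v4": ["192.168.1.114-192.168.1.115"]}
RULE_RE = re.compile(r"^set firewall ipv4 forward filter rule (\d+) (.+?) '([^']*)'$")
FORWARD = """
set firewall ipv4 forward filter rule 20 action 'drop'
set firewall ipv4 forward filter rule 20 source group network-group 'NET-INSIDE'
set firewall ipv4 forward filter rule 20 destination group network-group 'NET-OUTSIDE'
set firewall ipv4 forward filter rule 30 action 'accept'
set firewall ipv4 forward filter rule 30 source group network-group 'NET-INSIDE'
set firewall ipv4 forward filter rule {X} action 'accept'
set firewall ipv4 forward filter rule {X} source group network-group 'NET-INSIDE'
set firewall ipv4 forward filter rule {X} destination group address-group 'ADR-DNS-v4'
set firewall ipv4 forward filter rule {X} protocol 'udp'
set firewall ipv4 forward filter rule {X} destination port '53'
"""

def in_member(ip, member):  # a group member is a CIDR or a 'lo-hi' range; VyOS allows both
    if "-" in member:
        lo, hi = map(ipaddress.ip_address, member.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(member)

def parse(commands):  # -> {rule number: {option: value}}
    rules = {}
    for num, key, val in (RULE_RE.match(ln).groups() for ln in commands.strip().splitlines()):
        rules.setdefault(int(num), {})[key] = val
    return rules

def matches(rule, pkt):  # every match option present on the rule must hold; 'action' is not one
    grp = lambda ip, name: any(in_member(ipaddress.ip_address(ip), m) for m in GROUPS[name])
    tests = {
        "source group network-group": lambda v: grp(pkt["src"], v),
        "destination group network-group": lambda v: grp(pkt["dst"], v),
        "destination group address-group": lambda v: grp(pkt["dst"], v),
        "protocol": lambda v: v in ("all", pkt["proto"]),
        "destination port": lambda v: int(v) == pkt.get("dport"),
    }
    return all(tests[k](v) for k, v in rule.items() if k in tests)

def verdict(rules, pkt, default="drop"):  # lowest-numbered matching rule wins, else default-action
    hits = [n for n in sorted(rules) if matches(rules[n], pkt)]
    return (hits[0], rules[hits[0]]["action"]) if hits else (None, default)

def dns_verdict(dns_rule_number):  # a VXLAN VM's DNS query to 192.168.1.114 -> (rule, action)
    rules = parse(FORWARD.replace("{X}", str(dns_rule_number)))
    pkt = {"src": "10.0.1.5", "dst": "192.168.1.114", "proto": "udp", "dport": 53}
    return verdict(rules, pkt)
```

With the DNS rule at 15 the query is accepted by rule 15; at 25 it never gets there because rule 20 drops it first, while internet-bound traffic from the VXLAN still reaches rule 30 either way.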
I added these but no luck; what did work was reading the quick start guide and adding in:
set firewall global-options state-policy established action accept
set firewall global-options state-policy related action accept
set firewall global-options state-policy invalid action drop