Hi All,
Looking for a bit of guidance on my VyOS in Proxmox lab. I'm comfortable with networking, switching and routing, and basic firewall rules I get, but I can't seem to get my head around where to start in VyOS with the IN, OUT, LOCAL and zone-based options. Where am I best starting? With the quick start I can't get my head around how to adapt it to work for my goal below. I attempted the below (see config). Any help would be great.
My goal:
- Set up firewall so I can SSH to the firewall from my home network (192.168.1.0/24)
- Block anything from my vxlan zone getting to my home network, excluding established/related: FROM 10.0.X.X/16 to 192.168.1.0/24
- Still have internet connectivity in 10.0.X.X/16
Longer term goal: (Happier setting the below than firewall)
- Configure with Terraform and/or Ansible
- 2x VyOS VM with VRRP
- Replace existing router with these 2x VyOS VMs
- Replace Pi-hole DHCP for VyOS with DHCP failover
- IPsec to remote site (cloud VM or something)
- bonus: do some sort of route sharing (OSPF or BGP over the tunnel)
I have managed to set up the interfaces, DHCP, DNS forwarding, SNAT, and networking seems fine; I can ping devices from 10.0.1.0/24 and 10.0.10.0/24.
Current configuration:
Setup Summary
- 3x Proxmox nodes (192.168.1.0/24)
- 1x vxlan zone - vlan aware
- 1x VM not tagged (10.0.1.0/24)
- 1x VM tagged 10 (10.0.10.0/24)
- 1x VyOS VM - VyOS 1.5-rolling-202412160007
  - eth1 - 192.168.1.252/32
  - eth0 - 10.0.1.254/32
  - eth2 - 10.0.10.254/32
Configuration commands - less users
oli@firewall:~$ show configuration commands
set firewall group interface-group INSIDE interface 'eth0'
set firewall group interface-group INSIDE interface 'eth2'
set firewall group interface-group OUTSIDE interface 'eth1'
set firewall group network-group NET-INSIDE network '10.0.0.0/16'
set firewall group network-group NET-OUTSIDE network '192.168.1.0/24'
set firewall ipv4 input filter rule 100 action 'drop'
set firewall ipv4 input filter rule 100 destination group network-group 'NET-OUTSIDE'
set firewall ipv4 input filter rule 100 inbound-interface group 'INSIDE'
set interfaces ethernet eth0 address '10.0.1.254/24'
set interfaces ethernet eth0 description 'INSIDE'
set interfaces ethernet eth0 hw-id 'bc:24:11:7b:37:f9'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth1 address '192.168.1.252/24'
set interfaces ethernet eth1 description 'OUTSIDE'
set interfaces ethernet eth1 hw-id 'bc:24:11:0c:0d:82'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 offload gso
set interfaces ethernet eth1 offload sg
set interfaces ethernet eth1 offload tso
set interfaces ethernet eth2 address '10.0.10.254/24'
set interfaces ethernet eth2 description 'VLAN10'
set interfaces loopback lo
set nat source rule 1 description 'devnet via eth1'
set nat source rule 1 outbound-interface name 'eth1'
set nat source rule 1 source address '10.0.1.0/24'
set nat source rule 1 translation address 'masquerade'
set nat source rule 2 description 'devnet via eth1'
set nat source rule 2 outbound-interface name 'eth1'
set nat source rule 2 source address '10.0.10.0/24'
set nat source rule 2 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 192.168.1.254
set service dhcp-server shared-network-name devnet authoritative
set service dhcp-server shared-network-name devnet description 'testing'
set service dhcp-server shared-network-name devnet subnet 10.0.1.0/24 option default-router '10.0.1.254'
set service dhcp-server shared-network-name devnet subnet 10.0.1.0/24 option name-server '192.168.1.114'
set service dhcp-server shared-network-name devnet subnet 10.0.1.0/24 range 0 start '10.0.1.1'
set service dhcp-server shared-network-name devnet subnet 10.0.1.0/24 range 0 stop '10.0.1.10'
set service dhcp-server shared-network-name devnet subnet 10.0.1.0/24 subnet-id '1'
set service dhcp-server shared-network-name vlan10 authoritative
set service dhcp-server shared-network-name vlan10 description 'testing'
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 option default-router '10.0.10.254'
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 option name-server '192.168.1.114'
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 range 0 start '10.0.10.1'
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 range 0 stop '10.0.10.10'
set service dhcp-server shared-network-name vlan10 subnet 10.0.10.0/24 subnet-id '10'
set service dns forwarding allow-from '10.0.1.0/24'
set service dns forwarding allow-from '10.0.10.0/24'
set service dns forwarding listen-address '127.0.0.1'
set service ntp allow-client address '127.0.0.0/8'
set service ntp allow-client address '169.254.0.0/16'
set service ntp allow-client address '10.0.0.0/8'
set service ntp allow-client address '172.16.0.0/12'
set service ntp allow-client address '192.168.0.0/16'
set service ntp allow-client address '::1/128'
set service ntp allow-client address 'fe80::/10'
set service ntp allow-client address 'fc00::/7'
set service ntp server time1.vyos.net- # had to add the - as these act as links and new users only allowed 2
set service ntp server time2.vyos.net-
set service ntp server time3.vyos.net-
set service ssh listen-address '192.168.1.252'
set service ssh port '22'
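The following is an added example (not part of the original post) of how the three goals map onto the VyOS 1.4+/1.5 `forward` and `input` chains, reusing the INSIDE/OUTSIDE and NET-INSIDE/NET-OUTSIDE groups from the posted config. The rule numbers, the loopback rule and the DHCP/NTP/ICMP allow rules are my own choices, added because setting an `input` default-action of drop otherwise cuts off those services.

```vyos
# Added example, not from the original post. Assumes the groups above exist.
# "input" only sees packets addressed to the router itself (ssh, dhcp, ntp);
# packets routed between eth0/eth2 and eth1 are matched by "forward", which
# is why rule 100 in the posted config does not block vxlan -> home traffic.

# --- forward: transit traffic (vxlan <-> home, vxlan -> internet) ---
set firewall ipv4 forward filter default-action 'accept'
# Replies to sessions started from home (e.g. ssh from 192.168.1.x to a VM)
# must be accepted before the drop rule, or they are dropped as well.
set firewall ipv4 forward filter rule 10 action 'accept'
set firewall ipv4 forward filter rule 10 state 'established'
set firewall ipv4 forward filter rule 10 state 'related'
set firewall ipv4 forward filter rule 20 action 'drop'
set firewall ipv4 forward filter rule 20 state 'invalid'
# New connections from the vxlan zone to the home LAN are dropped; anything
# else from INSIDE (e.g. to the internet via the default route) still hits
# the accept default-action, so the existing SNAT rules keep working.
set firewall ipv4 forward filter rule 100 action 'drop'
set firewall ipv4 forward filter rule 100 inbound-interface group 'INSIDE'
set firewall ipv4 forward filter rule 100 source group network-group 'NET-INSIDE'
set firewall ipv4 forward filter rule 100 destination group network-group 'NET-OUTSIDE'

# --- input: traffic to the router itself ---
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 state 'established'
set firewall ipv4 input filter rule 10 state 'related'
# dns forwarding listens on 127.0.0.1, so loopback must stay open
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 inbound-interface name 'lo'
# ssh to the firewall only from the home network (goal 1)
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 source group network-group 'NET-OUTSIDE'
set firewall ipv4 input filter rule 30 protocol 'tcp'
set firewall ipv4 input filter rule 30 destination port '22'
# dhcp (udp/67) and ntp (udp/123) from the VMs; add 53 here only if the
# clients are ever pointed at the router for DNS instead of 192.168.1.114
set firewall ipv4 input filter rule 40 action 'accept'
set firewall ipv4 input filter rule 40 inbound-interface group 'INSIDE'
set firewall ipv4 input filter rule 40 protocol 'udp'
set firewall ipv4 input filter rule 40 destination port '67,123'
# keep ping to the router working for troubleshooting
set firewall ipv4 input filter rule 50 action 'accept'
set firewall ipv4 input filter rule 50 protocol 'icmp'
```

After `commit`, `show firewall ipv4 forward filter` shows per-rule packet counters, so a test ssh from a VM to 192.168.1.x should increment rule 100 while a session started from the home side increments rule 10.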