Brand new on VyOS here.
It has so far been a complete love affair, you’ve built something that I like very much!
I set up VyOS 1.5-rolling-202309130022, and ran into a couple of issues. Note that I found out about my issues after I was done with my initial config, which implied bridging a number of my interfaces. I do not know if these issues existed out of the box, but I don’t see why bridging interfaces may have confused anything. And for added clarity, my eth0 WAN interface has not been touched.
My issues are:
Partially solved: my DNS was unreachable from my LAN. I added a generic firewall rule for UDP and TCP 53, using the example given for SSH, without the timer block. It now responds on my LAN, but now port 53 is authorized on all interfaces.
Although I added additional DNS Forwarding listeners with the “set service dns forwarding listen-address” command, my loopback interface does not serve DNS over ::1#53, or 127.0.0.1:53. In other words, my box cannot resolve DNS, but the clients can.
I get my DNS from DHCP, so I’m unsure what the issue is here. In the quick start or some of the configuration docs I read, nobody mentions needing firewall rules to explicitly allow port 53, especially given that it’s for LAN clients.
First off, that is a thorough reply, one of the best welcomes I’ve had! Thanks
What I’m trying to do is pretty simple: staging my set-up as I get acquainted with VyOS. DNS Forwarding sounded like the recommended approach, and I was surprised it didn’t automagically work. Then, DNS lookup failing on the VyOS host itself is troublesome: slow SSH connections because of reverse lookups, being unable to use internet resources, repos and such.
I’m trying to stick to best practices until I get a good handle on things and play Router Ninja!
Keeping DNS internal can also help further down the line for captive portals, but I agree with your 1.1.1.1 approach totally.
Will try your firewall rules, thanks a million for that as well. Super appreciated.
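As an added illustration (not code from this thread and not VyOS project code), the script below generates VyOS 1.4-style `set` commands that accept TCP/UDP 53 only on named LAN interfaces, restrict the forwarder to LAN client prefixes with `allow-from`, and add loopback listeners; it also includes a small lint that flags any port-53 accept rule lacking an `inbound-interface` match, which is exactly the "authorized on all interfaces" situation above. The `firewall ipv4 input filter ... inbound-interface name` syntax is assumed from the 1.4 documentation and should be checked against a 1.5-rolling build, and the `set system name-server 127.0.0.1` line is an assumption about how to point the router at its own forwarder.

```shell
#!/bin/sh
# Added example, not from the thread or the VyOS project. Generates VyOS
# configuration commands that scope DNS access to LAN interfaces, and lints
# a command list for port-53 rules that would be reachable from any interface.
# The command syntax is assumed from VyOS 1.4 documentation; verify it on
# your build before running the output in a configure session.

# dns_scoped_rules RULE_START "IFACE IFACE..." "PREFIX PREFIX..."
# Emits one input-filter accept rule per LAN interface (rule numbers count up
# from RULE_START), then the forwarder settings.
dns_scoped_rules() {
    rule="$1"; ifaces="$2"; prefixes="$3"
    n="$rule"
    for ifc in $ifaces; do
        echo "set firewall ipv4 input filter rule $n action accept"
        echo "set firewall ipv4 input filter rule $n description 'DNS from $ifc'"
        echo "set firewall ipv4 input filter rule $n protocol tcp_udp"
        echo "set firewall ipv4 input filter rule $n destination port 53"
        # The interface match is what keeps the rule off the WAN side.
        echo "set firewall ipv4 input filter rule $n inbound-interface name $ifc"
        n=$((n + 1))
    done
    # Forwarder answers only the listed LAN prefixes (plus the router itself).
    for p in $prefixes; do
        echo "set service dns forwarding allow-from $p"
    done
    echo "set service dns forwarding listen-address 127.0.0.1"
    echo "set service dns forwarding listen-address ::1"
    # Assumption: make the router resolve through its own forwarder.
    echo "set system name-server 127.0.0.1"
}

# unscoped_dns_rules: reads "set ..." lines on stdin and prints the rule
# numbers that accept destination port 53 without any inbound-interface
# match, i.e. rules that are open on every interface including the WAN.
unscoped_dns_rules() {
    awk '
        /set firewall ipv4 input filter rule [0-9]+ destination port 53/ { p53[$7] = 1 }
        /set firewall ipv4 input filter rule [0-9]+ inbound-interface/    { scoped[$7] = 1 }
        END { for (r in p53) if (!(r in scoped)) print r }
    '
}

# Usage: sh dns_scope.sh 10 'eth1 eth2' '192.168.1.0/24'
# Prints the commands; paste them into a VyOS configure session and commit.
if [ $# -eq 3 ]; then
    dns_scoped_rules "$@"
fi
```

To audit an existing box, the lint can be fed the output of `show configuration commands | grep 'firewall ipv4 input'` from the VyOS CLI; any rule number it prints is a port-53 rule that is not tied to an interface.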
That is, the name-server will be blindly used in whatever VRF you are currently in.
For example, if you have configured VRFs INTERNET and MGMT (and nothing on default) and you have the above name-servers set (1.1.1.1 and 1.0.0.1), then when in the console (or through SSH) you must do this:
force vrf INTERNET
ping ping.sunet.se
exit
before, for example, ping or system update works.
Another workaround (especially when scripting) is to use sudo ip vrf exec INTERNET ping ping.sunet.se.
Here is an example of how I have a /config/custom/config_backup.sh to perform manual backups: