I just started using vyos, built a home firewall over the past week, everything works great, even got an openvpn to nordvpn up, following some of the posts here. I forgot the dns masq on vtun0, which stumped me for a bit LOL whoops!
I keep an ssh session open to the router, running "sudo iftop -P -i eth0" to monitor who the vyos router is talking to on the Internet. I see openvpn gets almost all of the traffic, but there is plenty of other traffic, likely ntp, dns, etc.
I've noticed that vyos constantly talks to sites like recyber.net, security.criminalip.com etc., which are "research sites" collecting data. I don't mind contributing research data every once in a while, but not every few seconds. I checked those sites, and they don't say anything about providing services such as dns, ntp, so I'm wondering what the traffic is for.
I searched both here and the web for vyos and recyber and found nothing, so thought I would ask here.
Unless openvpn is leaking, all LAN traffic should be routed out the vpn. Anything left should be coming from the router.
A separate issue: I've been combing through logs, and did discover that the dhcp client to my ISP is generating a lot of traffic to the ISP dhcp server:
Feb 27 xxxx:xxxx:30 vyos dhclient[2013]: DHCPREQUEST for xxx.xxx.133.19 on eth0 to xxx.xxx.237.33 port 67
:
Feb 27 xxxx:xxxx:49 vyos dhclient[2013]: message repeated 44 times: [ DHCPREQUEST for xxx.xxx.133.19 on eth0 to xxx.xxx.237.33 port 67]
:
Feb 27 xxxx:xxxx:04 vyos dhclient[2013]: DHCPREQUEST for xxx.xxx.133.19 on eth0 to xxx.xxx.237.33 port 67
:
Feb 27 xxxx:xxxx:35 vyos dhclient[2013]: message repeated 74 times: [ DHCPREQUEST for xxx.xxx.133.19 on eth0 to xxx.xxx.237.33 port 67]
:
Feb 27 xxxx:xxxx:50 vyos dhclient[2013]: DHCPREQUEST for xxx.xxx.133.19 on eth0 to xxx.xxx.237.33 port 67
Okay, looks like I misconfigured the firewall. I disconnected everything except the Internet link eth0, and still the world is talking to my router, even though I thought I locked it down. For some reason, I'm really struggling with firewall rules. I'll get it eventually.
I guess I just don't understand the vyos firewall at all. I'm running 1.3.0-rc6.
I have outside traffic completely locked down, only allow established connections from internal, yet dozens of internet sites keep talking directly to the router. All of those should be dropped.
sudo iftop -P -i eth0
shows internet sites talking to the router almost every second
vyos@vyos# show firewall
 all-ping disable
 broadcast-ping disable
 config-trap disable
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name NORD-IN {
     default-action accept
 }
 name NORD-LOCAL {
     default-action accept
 }
 name NORD-OUT {
     default-action accept
 }
 name OUTSIDE-IN {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
 }
 name OUTSIDE-LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action drop
         icmp {
             type-name echo-request
         }
         protocol icmp
         state {
             new enable
         }
     }
 }
 name OUTSIDE-OUT {
     default-action drop
 }
 name WLAN-IN {
     default-action accept
 }
 name WLAN-LOCAL {
     default-action accept
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
 twa-hazards-protection disable
[edit]
vyos@vyos#
I can't figure out what I'm doing wrong. Feels like the firewall isn't working.
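Two things the posted output cannot settle, as an added example that is not part of the original post or of the VyOS documentation. First, `show firewall` in configure mode prints only the `firewall` subtree; in VyOS 1.3 a ruleset does nothing until it is bound under `interfaces ... firewall`, and that binding is not visible above. Second, iftop reads packets off eth0 with libpcap as they arrive, before netfilter evaluates the INPUT or FORWARD chain, so a probe that the firewall correctly drops still shows up in iftop. The commands below bind the rulesets and then check the drop counters and log instead of iftop. Interface names (eth0, vtun0) and ruleset names are taken from the post; that the NORD-* rulesets belong on vtun0 is an assumption about the poster's layout.

```vyos
# Added example, not from the original post. eth0/vtun0 and the ruleset
# names come from the post; binding NORD-* to vtun0 is an assumption.

configure

# A ruleset only takes effect once it is bound to an interface.
#   in    = traffic forwarded in through eth0 (FORWARD chain)
#   local = traffic addressed to the router itself (INPUT chain)
#   out   = traffic forwarded out through eth0 (FORWARD chain)
set interfaces ethernet eth0 firewall in name OUTSIDE-IN
set interfaces ethernet eth0 firewall local name OUTSIDE-LOCAL
set interfaces ethernet eth0 firewall out name OUTSIDE-OUT

# Assumed: the NORD-* rulesets are meant for the OpenVPN tunnel
set interfaces openvpn vtun0 firewall in name NORD-IN
set interfaces openvpn vtun0 firewall local name NORD-LOCAL
set interfaces openvpn vtun0 firewall out name NORD-OUT

# Log what default-action drop discards instead of dropping silently
set firewall name OUTSIDE-IN enable-default-log
set firewall name OUTSIDE-LOCAL enable-default-log

commit
save
exit

# Confirm the bindings made it into the running configuration...
show configuration commands | match "firewall"

# ...then watch the drop counters and log while iftop still shows probes
show firewall name OUTSIDE-LOCAL statistics
show log firewall name OUTSIDE-LOCAL
```

If the default-action counter on OUTSIDE-LOCAL climbs each time iftop shows a new scanner address, the firewall is working and iftop is simply showing the packets before they are dropped. The router's own DHCP renewals, DNS and NTP queries and the OpenVPN session are locally generated, not forwarded, so the `out` ruleset on eth0 does not touch them; their replies come back in through the established/related rule in OUTSIDE-LOCAL, and nothing in the log should be anything but unsolicited inbound traffic.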