关于vyos 防火墙配置


VyOS 是一个基于 Debian 的网络操作系统,是 Vyatta 的社区分支(fork)。Vyatta 原为博科(Brocade)的企业级产品;通过这套系统,可以在 x86 平台上提供路由、防火墙和 VPN 功能。
这个系统提供了与 Cisco IOS、Juniper JUNOS 类似的操作方式。不同于商业方案,它是一套完全开源的方案,采用 GPL 许可证。
镜像地址:http://vyos-mirror.per.webinabox.net.au/iso/release/

首先,配置服务器一的接口 IP:

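# Server one: interface configuration.
# eth0/eth1/eth2 face the inside networks; eth3 is the internet-facing (OUTSIDE) port.
# MAC addresses (hw-id) and the public address are masked with '*' in this
# listing; substitute the real values before applying.
set interfaces ethernet eth0 address '10.0.97.1/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '68:05:ca:66:87:10'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '10.0.99.1/24'
set interfaces ethernet eth1 description 'INSIDE'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '64:00:6a:04:2d:67'
# The original listing had a bare "set interfaces ethernet eth1 policy" with
# no policy name under it; an empty node attaches nothing and has been dropped.
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 address '10.0.98.1/24'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id '**:05:ca:3f:55:**'
set interfaces ethernet eth2 smp-affinity 'auto'
set interfaces ethernet eth2 speed 'auto'

# Outside (internet-facing) port.
set interfaces ethernet eth3 address '**.***.***.***/24'
set interfaces ethernet eth3 description 'OUTSIDE'
set interfaces ethernet eth3 duplex 'auto'
# Forwarded traffic entering from the internet is filtered by OUTSIDE-IN.
set interfaces ethernet eth3 firewall in name 'OUTSIDE-IN'
# Traffic addressed to the router itself (e.g. SSH on tcp/22) is not subject
# to the 'in' ruleset; the original attached no 'local' ruleset, so every
# service the router listens on was reachable from the internet. The
# OUTSIDE-LOCAL ruleset must exist under "set firewall name OUTSIDE-LOCAL ..."
# before this line can be committed.
set interfaces ethernet eth3 firewall local name 'OUTSIDE-LOCAL'
set interfaces ethernet eth3 hw-id '**:05:ca:66:86:**'
set interfaces ethernet eth3 smp-affinity 'auto'
set interfaces ethernet eth3 speed 'auto'
set interfaces loopback lo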

配置服务器二的接口 IP:

# Server two: interface configuration.
# Only eth2 (10.0.97.2, the link to server one) and eth3 (OUTSIDE) carry an
# address here; eth1 is brought up without one. Note this server spells the
# affinity option "smp_affinity" where server one uses "smp-affinity" — the
# accepted spelling depends on the VyOS release, so check it on the target.

# eth1 — no address in this listing.
set interfaces ethernet eth1 hw-id '68:05:ca:66:87:11'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 smp_affinity 'auto'

# eth2 — inside link towards server one (10.0.97.1).
set interfaces ethernet eth2 address '10.0.97.2/24'
set interfaces ethernet eth2 hw-id '68:05:ca:66:87:0d'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 smp_affinity 'auto'

# eth3 — internet-facing port (public address and MAC masked with '*').
# OUTSIDE-IN filters traffic forwarded through the router; OUTSIDE-LOCAL
# filters traffic addressed to the router itself. Both are attached so the
# box can be reached from outside only where those rulesets permit.
set interfaces ethernet eth3 address '**.**.**.***/27'
set interfaces ethernet eth3 description 'OUTSIDE'
set interfaces ethernet eth3 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth3 firewall local name 'OUTSIDE-LOCAL'
set interfaces ethernet eth3 hw-id '**:57:00:e6:11:**'
set interfaces ethernet eth3 speed 'auto'
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 smp_affinity 'auto'

set interfaces loopback 'lo'

其次,服务器一的防火墙策略配置:

# 常规配置
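# Server one: global firewall options.
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ip-src-route 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall log-martians 'enable'
set firewall receive-redirects 'disable'
# Changed from 'enable': an internet-facing gateway has no reason to emit
# ICMP redirects to its neighbours.
set firewall send-redirects 'disable'
# Changed from 'disable': reverse-path filtering drops packets whose source
# address is not routable back through the interface they arrived on
# (spoofed sources on eth3, private-range sources leaking in from the
# internet). Every route on this box is symmetric, so 'strict' is safe;
# fall back to 'loose' if asymmetric routing is ever introduced.
set firewall source-validation 'strict'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'

# OUTSIDE-IN: traffic arriving on eth3 from the internet and forwarded to the
# inside networks. Default drop; only replies to inside-initiated connections
# and inbound echo-request are accepted.
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
# Drop rule 20 if the inside hosts should not be pingable from the internet.
set firewall name OUTSIDE-IN rule 20 action 'accept'
set firewall name OUTSIDE-IN rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-IN rule 20 protocol 'icmp'
set firewall name OUTSIDE-IN rule 20 state new 'enable'

# OUTSIDE-LOCAL: traffic arriving on eth3 addressed to the router itself.
# The original listing had no such ruleset, so the rules above did nothing
# for the router's own services (SSH, the DNS forwarder). Attach it with
# "set interfaces ethernet eth3 firewall local name OUTSIDE-LOCAL".
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
# Echo-request to the router itself, matching 'all-ping enable' above.
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'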

服务器二的防火墙策略配置:

# 配置outside-in 与 outside-out策略
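# Server two: OUTSIDE-IN (forwarded traffic from the internet) and
# OUTSIDE-LOCAL (traffic addressed to the router itself). The original
# heading called the second ruleset "outside-out"; it is OUTSIDE-LOCAL.
set firewall name OUTSIDE-IN default-action 'drop'
# Bug fix: the original rule 10 combined "destination port 80" with
# "state established/related". Return packets for connections opened from
# the inside carry the remote service port as source and an ephemeral
# destination port, so they never matched tcp/80 and fell through to the
# default drop — every outbound connection through eth3 was broken.
# The state match has to stand on its own.
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
# New inbound HTTP, kept from the original port-80 match. It only takes
# effect once a "nat destination" rule forwards tcp/80 to an inside host;
# remove it if no web server is published through this router.
set firewall name OUTSIDE-IN rule 20 action 'accept'
set firewall name OUTSIDE-IN rule 20 destination port '80'
set firewall name OUTSIDE-IN rule 20 protocol 'tcp'
set firewall name OUTSIDE-IN rule 20 state new 'enable'

# The original set no default action for OUTSIDE-LOCAL (VyOS applies drop
# when it is unset) and had no established/related rule, so replies to
# anything the router itself sends out eth3 — the DNS forwarder's upstream
# queries, for instance — were dropped. Both are explicit now.
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
# L2TP/IPsec remote access: ESP, IKE (udp/500), NAT-T (udp/4500), and
# L2TP (udp/1701) only when it arrives inside an IPsec SA ('match-ipsec'),
# so the plain L2TP port is never exposed unencrypted.
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'
set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'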

nat 配置一:

#简单的snat配置,eth3 外网端口。
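# Server one: source NAT (masquerade) for traffic leaving the internet-facing eth3.
# Changed from '0.0.0.0/0': masquerading every source would also rewrite
# forwarded packets carrying spoofed or non-local source addresses and hide
# them behind the public IP. All inside networks and routed prefixes in this
# setup fall within 10.0.0.0/8; tighten to the individual /24s if preferred.
set nat source rule 10 outbound-interface 'eth3'
set nat source rule 10 source address '10.0.0.0/8'
set nat source rule 10 translation address 'masquerade'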

nat 配置二:

 
 
#简单的snat配置,eth3 外网端口。源地址为10.0.55.0/24
# Server two: masquerade only 10.0.55.0/24 (the L2TP client pool, see the
# VPN section) when it leaves through the internet-facing eth3. Scoping the
# source is the right shape — nothing else is rewritten.
set nat source rule 100 source address '10.0.55.0/24'
set nat source rule 100 outbound-interface 'eth3'
set nat source rule 100 translation address 'masquerade'

静态路由配置一:

# 第一配置静态路由的网关。其它配置静态路由:下一跳。使其可以互通
# Server one: static routes.
# Default route to the ISP gateway (address masked with '*' in this listing).
set protocols static route 0.0.0.0/0 next-hop **.***.207.1
# 10.0.55.0/24 (the range server two hands to L2TP clients) sits behind
# server two, reached over eth0 at 10.0.97.2.
set protocols static route 10.0.55.0/24 next-hop 10.0.97.2
# 10.0.77.0/24 and 10.0.88.0/24 are reached via 10.0.99.2 on the INSIDE link.
set protocols static route 10.0.77.0/24 next-hop 10.0.99.2
set protocols static route 10.0.88.0/24 next-hop 10.0.99.2

静态路由配置二:

 
 
# 第一配置静态路由的网关。其它配置静态路由:下一跳。使其可以互通
# Server two: static routes.
# Default route to the ISP gateway (address masked with '*' in this listing).
set protocols static route 0.0.0.0/0 next-hop '**.**.**.97'
# The 10.0.77/24 and 10.0.88/24 networks live behind server one; server one
# in turn forwards them to 10.0.99.2, so both hops must stay consistent.
set protocols static route 10.0.88.0/24 next-hop '10.0.97.1'
set protocols static route 10.0.77.0/24 next-hop '10.0.97.1'

服务器一的 DNS 转发与 SSH 服务配置:

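# Server one: DNS forwarder for the inside networks, plus SSH.
# cache-size 0 disables the local cache, so every query goes upstream.
set service dns forwarding cache-size '0'
# Listen only on the inside interfaces. eth3 (OUTSIDE) is deliberately
# absent so the forwarder can never act as an open resolver for the internet.
set service dns forwarding listen-on 'eth0'
set service dns forwarding listen-on 'eth1'
set service dns forwarding listen-on 'eth2'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'
set service dns forwarding name-server '202.106.0.20'
set service dns forwarding name-server '219.232.48.61'

# SSH management access. The original bound sshd to every address, which on
# this server includes the public eth3 address with no 'firewall local'
# ruleset in front of it. Binding to the inside addresses keeps the
# management plane off the internet regardless of firewall state.
set service ssh port '22'
set service ssh listen-address '10.0.97.1'
set service ssh listen-address '10.0.99.1'
set service ssh listen-address '10.0.98.1'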

服务器二的 DNS 转发与 SSH 服务配置:

 
 

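# Server two: DNS forwarder plus SSH.
# cache-size 0 disables the local cache, so every query goes upstream.
set service dns forwarding cache-size '0'
# Changed: the original also listened on eth3 (OUTSIDE). A resolver bound to
# the internet-facing interface is only one firewall edit away from being an
# open resolver, and nothing legitimate needs it there — L2TP clients are
# handed 8.8.8.8/8.8.4.4 directly and their ppp interfaces are not eth3.
set service dns forwarding listen-on 'eth1'
set service dns forwarding listen-on 'eth2'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'
set service dns forwarding name-server '202.106.0.20'
set service dns forwarding name-server '219.232.48.61'

# SSH management access, bound to the inside address (10.0.97.2 on eth2)
# rather than every address, so it is never exposed on the public eth3
# address even if OUTSIDE-LOCAL is later loosened.
set service ssh port '22'
set service ssh listen-address '10.0.97.2'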

 

系统配置:

# System settings (the listing does not say which of the two servers this
# section was taken from).
set system host-name 'vyos'
set system time-zone 'UTC'
set system 'config-management'

# Login. 'vyos' is the image's default account name, which is worth changing
# on an internet-facing box. The hash below is partially masked ('**') and
# will not verify as written — generate a fresh one. The empty
# plaintext-password line is what "show configuration commands" emits once
# the password has been hashed; it carries no secret.
set system login user vyos level 'admin'
set system login user vyos authentication encrypted-password '$6$OML2Jc**a2ZW/$34iWc.unMd6oCPCstxGw/9Q7uMnbEqF6IvocP5hEBidQYcJt8Xkz4WkFA7yTC4wSZ39hYvpqyBVxC4or9ZzxH/'
set system login user vyos authentication plaintext-password ''

# Resolver for the router's own lookups and NTP from the public pool.
set system name-server '202.106.0.20'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'

# Logging: everything at info; the 'protocols' facility is raised to debug,
# which is verbose, but only static routes are configured here so little
# is expected to come through it.
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'

VPN(L2TP/IPsec 远程接入)配置:

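# L2TP over IPsec remote access on the internet-facing eth3 (server two —
# its OUTSIDE-LOCAL ruleset opens esp, udp/500, udp/4500 and udp/1701).
# Secrets and the public address are masked with '*' in this listing.
set vpn ipsec ipsec-interfaces interface 'eth3'
# Clients may connect from behind any NAT; required for road-warrior use.
set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
set vpn ipsec nat-traversal 'enable'

# PPP user accounts live in the config in clear text; keep this file and
# any copies of it (backups, pastes) as protected as the IPsec secret.
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access authentication local-users username admin password '********'
# Added: pin the PPP authentication method. The original left it unset, so
# the method actually used was whatever the daemon's default allowed (not
# shown here); requiring MS-CHAPv2 stops a client negotiating down to PAP,
# which would carry the user password in clear inside the tunnel.
set vpn l2tp remote-access authentication require 'mschap-v2'
set vpn l2tp remote-access client-ip-pool start '10.0.55.100'
set vpn l2tp remote-access client-ip-pool stop '10.0.55.254'
set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'
set vpn l2tp remote-access dns-servers server-2 '8.8.4.4'
# A single pre-shared secret is shared by every client: anyone who holds it
# can impersonate the gateway to other users. Rotate it whenever a client
# leaves, or move to certificate ('x509') authentication if the client
# platforms allow it.
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret '********'
set vpn l2tp remote-access ipsec-settings ike-lifetime '3600'
set vpn l2tp remote-access outside-address '**.**.**.***'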

 

