Quản trị mạng

Cấu hình Vyos router

Yêu cầu của dự án:

Nhu cầu cần xây dựng hệ thống wifi được quản lý bằng địa chỉ MAC

Thiết lập được việc Allow/Deny kết nối với mạng nội bộ cho thiết bị bắt wifi

Thiết lập việc chỉ kết nối với Internet bên ngoài (Guests) – wifi

Môi trường thực hiện:

  • Operating sytem: Vyos router 1.1.8 64bit
  • Máy ảo trên Vmware hoặc máy vật lý (có 2 card mạng)
  • Yêu cầu phần cứng (Rất nhỏ)
  • Tùy theo mô hình mạng thực tế mà thay đổi VLAN ID, địa chỉ mạng cho phù hợp yêu cầu

Cài đặt vyos router và cấu hình:

  1. Cài đặt Vyos router
    • Mount iso file hoặc usb boot, hoặc DVD (vyos-1.1.8-amd64.iso)
    • install image (Để cài đặt vyos router)
  2. Cấu hình Vyos router
    • Setup allow ping & disable broadcast

set firewall all-ping enable

set firewall broadcast-ping disable

set firewall config-trap disable

  1. Setup group firewall

# Setup for LAN

set firewall group address-group allowed-ip address 12.100.8.92

set firewall group address-group allowed-ip address 12.100.8.83

set firewall group address-group allowed-ip address 12.100.8.56

set firewall group address-group allowed-ip address 12.100.8.54

set firewall group address-group allowed-ip address 12.100.8.57

set firewall group address-group allowed-ip address 10.104.81.110

# Setup for wifi group

set firewall group address-group allowed-ip-vlan16 address 12.100.6.2

# Setup remote group

set firewall group address-group remote address 12.100.8.92

set firewall group address-group remote address 12.100.8.83

set firewall group address-group remote address 10.104.81.110

#Setup network group

set firewall group network-group development network 12.100.8.0/21

set firewall group network-group dmz network 12.100.1.0/24

set firewall group network-group hcm network 12.100.32.0/24

set firewall group network-group server network 12.100.2.0/24

set firewall group network-group tcs network 12.100.5.0/24

#Setup disable IPV6

set firewall ipv6-receive-redirects disable

set firewall ipv6-src-route disable

set firewall log-martians enable

#Setup Wifi name

set firewall name Wifi-abc default-action drop

set firewall name Wifi-abc rule 1 action accept

set firewall name Wifi-abc rule 1 state established enable

set firewall name Wifi-abc rule 1 state related enable

# Template for Inbound rule <Rule 2-1000>

set firewall name Wifi-abc rule 2 action accept

set firewall name Wifi-abc rule 2 description “IT Laptop”

set firewall name Wifi-abc rule 2 destination address 12.100.0.0/16

set firewall name Wifi-abc rule 2 source mac-address e4:b3:18:c7:85:6c

# Prevent inbound connection <Rule 1000>

set firewall name Wifi-abc rule 1000 action drop

set firewall name Wifi-abc rule 1000 description “Deny 12.100.0.0/16 connect”

set firewall name Wifi-abc rule 1000 destination address 12.100.0.0/16

# Template for Outband rule <Rule 1001-8888>

set firewall name Wifi-abc rule 1001 action accept

set firewall name Wifi-abc rule 1001 description Shacho-mobile-1

set firewall name Wifi-abc rule 1001 source mac-address cc:08:8d:2e:a8:4b

# remote group

set firewall name remote default-action drop

set firewall name remote rule 1 action accept

set firewall name remote rule 1 state established enable

set firewall name remote rule 1 state related enable

set firewall name remote rule 2 action accept

set firewall name remote rule 2 source group address-group remote

#Abcv group

set firewall name abc-v default-action drop

set firewall name abc-v rule 1 action accept

set firewall name abc-v rule 1 state established enable

set firewall name abc-v rule 1 state related enable

set firewall name abc-v rule 10 action accept

set firewall name abc-v rule 10 source group address-group allowed-ip

set firewall name abc-v rule 20 action accept     

set firewall name abc-v rule 20 destination accept address 12.100.0.0/16

set firewall name abc-v rule 20 protocol icmp

set firewall name abc-v rule 21 action drop

set firewall name abc-v rule 21 protocol icmp

# ICMP configuration

set firewall receive-redirects disable

set firewall send-redirects enable

set firewall source-validation disable

set firewall syn-cookies enable

set firewall twa-hazards-protection disable

#Setup network interfaces

#PPPoE interface

set interfaces ethernet eth0 duplex auto

set interfaces ethernet eth0 description “Connect to VNPT”

set interfaces ethernet eth0 pppoe 1 default-route auto

set interfaces ethernet eth0 pppoe 1 mtu 1492

set interfaces ethernet eth0 pppoe 1 name-server auto

set interfaces ethernet eth0 pppoe 1 user-id *********

set interfaces ethernet eth0 pppoe 1 password *********

set interfaces ethernet eth0 pppoe 1 service-name *********

set interfaces ethernet eth0 smp_affinity auto

set interfaces ethernet eth0 speed auto

# Trunking interVlan eth0

set interfaces ethernet eth0 duplex auto

set interfaces ethernet eth0 smp_affinity auto

set interfaces ethernet eth0 speed auto

set interfaces ethernet eth0 vif 12 address 12.100.2.80/24

set interfaces ethernet eth0 vif 12 description “Connect to Server”

set interfaces ethernet eth0 vif 12 firewall local name remote

set interfaces ethernet eth0 vif 16 address 12.100.16.1/24

set interfaces ethernet eth0 vif 16 description “Connect to Wifi-abc”

set interfaces ethernet eth0 vif 16 firewall in name Wifi-abc

set interfaces ethernet eth0 vif 16 firewall local name remote

set interfaces ethernet eth0 vif 18 address 12.100.8.80/21

set interfaces ethernet eth0 vif 18 description “Connect to Development”

set interfaces ethernet eth0 vif 18 firewall in name abc-v

set interfaces ethernet eth0 vif 18 firewall local name remote

# NAT configuration

set nat destination rule 1 description “BinhLT RDP service”

set nat destination rule 1 destination address 100.100.100.100

set nat destination rule 1 destination port 103389

set nat destination rule 1 inbound-interface pppoe1

set nat destination rule 1 protocol tcp

set nat destination rule 1 translation address 12.100.8.92

set nat destination rule 1 translation port 2310

set nat source rule 1 outbound-interface pppoe1

set nat source rule 1 translation address masquerade

set nat source rule 2 outbound-interface eth0.18

set nat source rule 2 translation address masquerade

set nat source rule 3 outbound-interface eth0.12

set nat source rule 3 translation address masquerade

set nat source rule 4 outbound-interface eth0.16

set nat source rule 4 translation address masquerade

# Route configuration

set protocols static route 12.100.0.0/16 next-hop 12.100.8.1

# DHCP server

set service dhcp-server disabled false

set service dhcp-server shared-network-name wifi-abc authoritative enable

set service dhcp-server shared-network-name wifi-abc description “DHCP For Wifi-abc”

set service dhcp-server shared-network-name wifi-abc subnet 12.100.6.0/24 default-router 12.100.6.1

set service dhcp-server shared-network-name wifi-abc subnet 12.100.6.0/24 dns-server 12.100.8.56

set service dhcp-server shared-network-name wifi-abc subnet 12.100.6.0/24 dns-server 8.8.8.8

# DNS configuration

set service dns forwarding cache-size 150

set service dns forwarding listen-on pppoe1

set service dns forwarding listen-on eth0.18

set service dns forwarding listen-on eth0.16

set service dns forwarding listen-on eth0.12

set service dns forwarding name-server 12.100.8.56

# SSH configuration

set service ssh port 17877

# Telnet configuration

set service telnet listen-address 12.100.8.83

set service telnet listen-address 12.100.8.92

set service telnet port 17877

Leave a Reply

avatar
  Subscribe  
Notify of