Yêu cầu của dự án:
Nhu cầu cần xây dựng hệ thống wifi được quản lý bằng địa chỉ MAC
Thiết lập được việc Allow/Deny kết nối với mạng nội bộ cho thiết bị bắt wifi
Thiết lập việc chỉ kết nối với Internet bên ngoài (Guests) – wifi
Môi trường thực hiện:
- Operating system: VyOS router 1.1.8 64-bit
- Máy ảo trên Vmware hoặc máy vật lý (có 2 card mạng)
- Yêu cầu phần cứng (Rất nhỏ)
- Tùy theo mô hình mạng thực tế mà thay đổi VLAN ID, địa chỉ mạng cho phù hợp yêu cầu
Cài đặt vyos router và cấu hình:
- Cài đặt Vyos router
- Mount iso file hoặc usb boot, hoặc DVD (vyos-1.1.8-amd64.iso)
- install image (Để cài đặt vyos router)
- Cấu hình Vyos router
- Setup allow ping & disable broadcast
# Global ICMP behaviour: answer unicast echo requests, ignore echo requests sent
# to a broadcast address, and do not emit an SNMP trap when the firewall
# configuration changes.
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall config-trap disable
- Setup group firewall
# Setup for LAN: hosts permitted to originate traffic on the Development VLAN
# (matched by firewall abc-v rule 10 via "source group address-group allowed-ip").
# NOTE(review): 10.104.81.110 lies outside 12.100.0.0/16, the only prefix routed
# on this page - presumably reachable some other way; confirm.
set firewall group address-group allowed-ip address 12.100.8.92
set firewall group address-group allowed-ip address 12.100.8.83
set firewall group address-group allowed-ip address 12.100.8.56
set firewall group address-group allowed-ip address 12.100.8.54
set firewall group address-group allowed-ip address 12.100.8.57
set firewall group address-group allowed-ip address 10.104.81.110
# Setup for wifi group. Defined here but no rule on this page references it;
# it uses the 12.100.6.0/24 range that the DHCP scope also uses.
set firewall group address-group allowed-ip-vlan16 address 12.100.6.2
# Setup remote group: administrator workstations allowed to reach services on
# the router itself (matched by firewall "remote" rule 2, applied as
# "firewall local" on the VLAN interfaces).
set firewall group address-group remote address 12.100.8.92
set firewall group address-group remote address 12.100.8.83
set firewall group address-group remote address 10.104.81.110
#Setup network group - one entry per internal site/segment. None of these
# groups is referenced by a rule on this page; they are ready for future rules.
set firewall group network-group development network 12.100.8.0/21
set firewall group network-group dmz network 12.100.1.0/24
set firewall group network-group hcm network 12.100.32.0/24
set firewall group network-group server network 12.100.2.0/24
set firewall group network-group tcs network 12.100.5.0/24
#Setup disable IPV6 - strictly these do not disable IPv6; they ignore ICMPv6
# redirects and IPv6 source-routed packets. log-martians additionally logs
# packets arriving with impossible source addresses.
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall log-martians enable
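#Setup Wifi name - ruleset "Wifi-abc", applied as "firewall in" on eth0 vif 16.
# Default action is drop, so a wifi client whose MAC has no rule below gets no
# forwarded traffic at all (neither internal networks nor Internet).
set firewall name Wifi-abc default-action drop
# Rule 1: return traffic for connections the firewall already tracks.
set firewall name Wifi-abc rule 1 action accept
set firewall name Wifi-abc rule 1 state established enable
set firewall name Wifi-abc rule 1 state related enable
# Template for Inbound rule <Rule 2-1000>: one rule per device that may reach
# the internal 12.100.0.0/16 networks, matched by source MAC. These are
# evaluated before rule 1000 drops everything else bound for 12.100.0.0/16.
# NOTE: a MAC match only identifies the client's adapter address; it is not
# authentication, so rely on the access point's own wireless security as well.
# Descriptions must use plain ASCII quotes - the original used typographic
# quotes, which the CLI does not treat as quoting.
set firewall name Wifi-abc rule 2 action accept
set firewall name Wifi-abc rule 2 description "IT Laptop"
set firewall name Wifi-abc rule 2 destination address 12.100.0.0/16
set firewall name Wifi-abc rule 2 source mac-address e4:b3:18:c7:85:6c
# Prevent inbound connection <Rule 1000>: any other traffic from the wifi VLAN
# toward the internal networks is dropped here.
set firewall name Wifi-abc rule 1000 action drop
set firewall name Wifi-abc rule 1000 description "Deny 12.100.0.0/16 connect"
set firewall name Wifi-abc rule 1000 destination address 12.100.0.0/16
# Template for Outbound rule <Rule 1001-8888>: guest devices, Internet only.
# A guest packet reaches these rules only after rule 1000 has already dropped
# its internal-network traffic, so no destination match is needed here.
set firewall name Wifi-abc rule 1001 action accept
set firewall name Wifi-abc rule 1001 description Shacho-mobile-1
set firewall name Wifi-abc rule 1001 source mac-address cc:08:8d:2e:a8:4b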
# remote group - ruleset "remote", applied as "firewall local" on eth0 vif 12,
# 16 and 18, i.e. to traffic addressed to the router itself on those VLANs.
# Only tracked return traffic and the "remote" address-group get through;
# everything else (including wifi clients) is dropped by the default action.
set firewall name remote default-action drop
set firewall name remote rule 1 action accept
set firewall name remote rule 1 state established enable
set firewall name remote rule 1 state related enable
set firewall name remote rule 2 action accept
set firewall name remote rule 2 source group address-group remote
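#Abcv group - ruleset "abc-v", applied as "firewall in" on eth0 vif 18
# (Development VLAN, 12.100.8.0/21). Default action drop.
set firewall name abc-v default-action drop
# Rule 1: tracked return traffic.
set firewall name abc-v rule 1 action accept
set firewall name abc-v rule 1 state established enable
set firewall name abc-v rule 1 state related enable
# Rule 10: only hosts listed in the allowed-ip group may originate traffic.
set firewall name abc-v rule 10 action accept
set firewall name abc-v rule 10 source group address-group allowed-ip
# Rule 20: ICMP toward the internal networks is accepted from any host on the
# VLAN. The original line read "destination accept address 12.100.0.0/16";
# "accept" is not a valid keyword under "destination" and the command would be
# rejected, so the stray token is removed here.
set firewall name abc-v rule 20 action accept
set firewall name abc-v rule 20 destination address 12.100.0.0/16
set firewall name abc-v rule 20 protocol icmp
# Rule 21: all other ICMP is dropped explicitly (the default action would drop
# it anyway; keeping the rule makes the intent visible in counters/logs).
set firewall name abc-v rule 21 action drop
set firewall name abc-v rule 21 protocol icmp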
# ICMP configuration and related kernel network hardening.
# Ignore ICMP redirects received from other routers.
set firewall receive-redirects disable
# Allow this router to send ICMP redirects to hosts on a directly connected segment.
set firewall send-redirects enable
# Reverse-path source validation is off. NOTE(review): every VLAN here has a
# single known prefix, so a stricter setting would reject packets whose source
# address does not belong to the arriving interface - worth confirming.
set firewall source-validation disable
# TCP SYN cookies for resilience under SYN floods.
set firewall syn-cookies enable
# TIME-WAIT assassination protection (RFC 1337) left off.
set firewall twa-hazards-protection disable
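#Setup network interfaces
#PPPoE interface: the PPPoE session rides on untagged eth0 and becomes the
# interface "pppoe1", which the NAT and DNS sections below reference.
# Descriptions use plain ASCII quotes (the original used typographic quotes,
# which the CLI does not treat as quoting).
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 description "Connect to VNPT"
set interfaces ethernet eth0 pppoe 1 default-route auto
set interfaces ethernet eth0 pppoe 1 mtu 1492
set interfaces ethernet eth0 pppoe 1 name-server auto
# ISP credentials are masked in this document; fill in the values issued by the ISP.
set interfaces ethernet eth0 pppoe 1 user-id *********
set interfaces ethernet eth0 pppoe 1 password *********
set interfaces ethernet eth0 pppoe 1 service-name *********
set interfaces ethernet eth0 smp_affinity auto
set interfaces ethernet eth0 speed auto
# NOTE(review): nothing on this page applies a "firewall local" or "firewall in"
# policy to the pppoe1 session, so router services that listen on it (SSH, DNS
# forwarding) are reachable from the Internet. Consider a local policy on
# "pppoe 1" that only admits tracked return traffic.
# Trunking interVlan eth0. The duplex/smp_affinity/speed lines were repeated
# here in the original; they are already set above and are not repeated.
# VLAN 12: server segment. Only the "local" policy applies; no "in" filtering.
set interfaces ethernet eth0 vif 12 address 12.100.2.80/24
set interfaces ethernet eth0 vif 12 description "Connect to Server"
set interfaces ethernet eth0 vif 12 firewall local name remote
# VLAN 16: wifi segment, forwarded traffic filtered by Wifi-abc.
# NOTE(review): the DHCP scope for wifi-abc and the allowed-ip-vlan16 group both
# use 12.100.6.0/24, but this interface is addressed in 12.100.16.0/24; the DHCP
# server will not serve a scope with no matching interface address. One of the
# two must change - confirm which before committing.
set interfaces ethernet eth0 vif 16 address 12.100.16.1/24
set interfaces ethernet eth0 vif 16 description "Connect to Wifi-abc"
set interfaces ethernet eth0 vif 16 firewall in name Wifi-abc
set interfaces ethernet eth0 vif 16 firewall local name remote
# VLAN 18: development segment, forwarded traffic filtered by abc-v.
set interfaces ethernet eth0 vif 18 address 12.100.8.80/21
set interfaces ethernet eth0 vif 18 description "Connect to Development"
set interfaces ethernet eth0 vif 18 firewall in name abc-v
set interfaces ethernet eth0 vif 18 firewall local name remote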
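# NAT configuration
# Destination NAT: publish an RDP service on the PPPoE side and forward it to
# 12.100.8.92. Description uses plain ASCII quotes (the original used
# typographic quotes, which the CLI does not treat as quoting).
set nat destination rule 1 description "BinhLT RDP service"
# NOTE(review): 100.100.100.100 is presumably the public address of pppoe1 - confirm.
set nat destination rule 1 destination address 100.100.100.100
# TODO: 103389 is not a valid TCP port (the maximum is 65535); replace it with
# the intended external port before committing. Left as written so the intent
# is not guessed.
set nat destination rule 1 destination port 103389
set nat destination rule 1 inbound-interface pppoe1
set nat destination rule 1 protocol tcp
set nat destination rule 1 translation address 12.100.8.92
# NOTE(review): 2310 is assumed to be the port the RDP service is bound to on
# 12.100.8.92 - confirm. This rule admits any Internet source; if the set of
# clients is known, narrow it with "source address" on this rule.
set nat destination rule 1 translation port 2310
# Source NAT toward the Internet.
set nat source rule 1 outbound-interface pppoe1
set nat source rule 1 translation address masquerade
# Source NAT toward each internal VLAN. Masquerading inter-VLAN traffic hides
# the original client address from the destination host and its logs; keep
# these rules only if that is intended. The "in" firewall rulesets still match
# on the real source address, since forward filtering precedes source NAT.
set nat source rule 2 outbound-interface eth0.18
set nat source rule 2 translation address masquerade
set nat source rule 3 outbound-interface eth0.12
set nat source rule 3 translation address masquerade
set nat source rule 4 outbound-interface eth0.16
set nat source rule 4 translation address masquerade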
# Route configuration: the remaining 12.100.0.0/16 subnets (dmz, server, hcm,
# tcs network groups) are reached through 12.100.8.1 on the Development VLAN -
# presumably a core router; confirm. The directly connected 12.100.8.0/21 and
# 12.100.2.0/24 (vif 18 / vif 12) are more specific and take precedence.
set protocols static route 12.100.0.0/16 next-hop 12.100.8.1
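# DHCP server for the wifi VLAN.
set service dhcp-server disabled false
set service dhcp-server shared-network-name wifi-abc authoritative enable
# Description uses plain ASCII quotes (the original used typographic quotes,
# which the CLI does not treat as quoting).
set service dhcp-server shared-network-name wifi-abc description "DHCP For Wifi-abc"
# NOTE(review): this scope is 12.100.6.0/24, but eth0 vif 16 is addressed
# 12.100.16.1/24; the server needs an interface address inside the scope.
# Either the interface address or this scope must change - confirm which.
set service dhcp-server shared-network-name wifi-abc subnet 12.100.6.0/24 default-router 12.100.6.1
# Clients get the internal DNS first, then a public resolver. Guest devices are
# dropped by Wifi-abc rule 1000 before they can reach 12.100.8.56, so they only
# resolve names after that first server times out - consider handing guests
# only the public resolver.
set service dhcp-server shared-network-name wifi-abc subnet 12.100.6.0/24 dns-server 12.100.8.56
set service dhcp-server shared-network-name wifi-abc subnet 12.100.6.0/24 dns-server 8.8.8.8
# TODO: no lease range is defined for the subnet; VyOS 1.1 requires one, e.g.
#   set service dhcp-server shared-network-name wifi-abc subnet 12.100.6.0/24 start <FIRST-IP> stop <LAST-IP>
# (addresses are placeholders - choose a range that excludes 12.100.6.1 and
# any statically assigned host such as 12.100.6.2).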
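# DNS configuration: the router caches and forwards queries to the internal DNS.
set service dns forwarding cache-size 150
# Listen only on the internal VLAN interfaces. The original also had
# "listen-on pppoe1"; with no firewall policy on pppoe1 anywhere on this page
# that makes the forwarder an open resolver reachable from the Internet, so the
# line is dropped here.
set service dns forwarding listen-on eth0.18
set service dns forwarding listen-on eth0.16
set service dns forwarding listen-on eth0.12
# NOTE(review): the "remote" local policy on these VLANs only admits the remote
# address-group, so in practice only those hosts can query this forwarder; the
# DHCP scope hands clients 12.100.8.56 and 8.8.8.8 directly. Confirm that is
# intended.
set service dns forwarding name-server 12.100.8.56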
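# SSH configuration
set service ssh port 17877
# NOTE(review): no listen-address is set and nothing on this page applies a
# firewall policy to pppoe1, so SSH on 17877 is reachable from the Internet.
# Binding it to the router's Development VLAN address keeps it reachable from
# the remote admin hosts (12.100.8.92, 12.100.8.83) only:
#   set service ssh listen-address 12.100.8.80
# Telnet configuration - disabled. The original bound telnet to 12.100.8.83 and
# 12.100.8.92, which are administrator workstations in the "remote" group, not
# addresses owned by this router, so the listener cannot bind to them; it also
# reused port 17877, which SSH already occupies. Telnet is cleartext and SSH
# above covers the same need, so the lines are kept only for reference.
#set service telnet listen-address 12.100.8.83
#set service telnet listen-address 12.100.8.92
#set service telnet port 17877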