My Lab Environment v2.0 (Part 2 – Router & Firewall)

The first post in this series covered the general ideas behind my lab and the topology I want for my network. This post details how to setup VyOS as a router and firewall to meet my requirements.

Getting VyOS

Head over to the VyOS website and download the latest bits. At the time of writing, version 1.1.3 was the current stable release. For use with Hyper-V or VMware, use the “amd64” iso file. It has the right drivers and tools included for your hypervisor. That enables you to perform a clean shutdown of the OS from within Hyper-V for example.

Creating the VM

Real IT Pros use PowerShell, I know. But for the sake of demonstration I’m going to create the virtual machine by hand in the GUI. Open Hyper-V Manager and create a new virtual machine. I named mine “GW01”:


Next specify a VM generation. For Linux virtual machines always select “Generation 1”:


As I mentioned, VyOS does not need a lot of RAM. I chose 512 MB. Don’t use Dynamic Memory here, because that is not supported with VyOS: VyOS is based on Debian, which does not support dynamic memory at the time of writing.


Next, choose the first network adapter and connect it to the NAT virtual switch.


Accept the defaults for the system drive.


Now point your VM to the ISO file you downloaded earlier.


After the initial configuration, open the properties of your VM and add 2 additional network adapters: one connected to the PROD internal switch and one to the DMZ internal switch. After this you should have 3 network adapters configured.


That’s it. Let’s power on your VM now.

Installing VyOS

It takes a few seconds for the VM to boot and VyOS to load. After that you’ll be greeted with a login prompt. Enter “vyos” as both user name and password. Don’t worry, we’re going to change the password afterwards. Be careful if you’re not using the ubiquitous qwerty keyboard layout as I do :)

What you see on the screen is already a fully functioning VyOS instance running from memory (a live image). For our lab we are going to install it to our virtual disk, however. It all boils down to booting the VM and typing “install image”. I created a small video that shows you how it’s done.

After installation, simply detach the ISO file from your virtual machine and boot it again.

Configuring VyOS

I can’t possibly explain everything there is in operating a VyOS router, but these resources go a long way:

The learning curve is quite steep the first few days, but after that it becomes rather straightforward.

To configure VyOS you have to enter configuration mode with the “config” command. From there, we can perform all the operations we want. Because typing in the Hyper-V console is not much fun, the first thing we are going to do is get our router connected to a network. That way you can use a terminal program like PuTTY or another SSH client. I very much like the way you can just paste a bunch of configuration commands to get them processed.

After you have made some changes, you need to enter the “commit” and “save” commands. The first one applies the changes to the running system, while the second one persists them to disk so they remain in effect after a reboot.

Let’s get our router connected. Because it’s Linux, each Ethernet interface has a name like this (in the order the adapters were added to the VM):

  • eth0 (NAT)
  • eth1 (PROD)
  • eth2 (DMZ)

Enter configuration mode by typing “config” and have a look at the current interfaces:

This gives you a list like this:


Our eth0 interface is connected to the NAT virtual switch. Behind this switch is the VMware NAT service that hands out IP addresses with DHCP and provides our machines with internet access. Let’s configure our interface to get an IP address automatically. Issue the following commands:

If all goes well, your router is now connected to the internet.

Let’s configure our other interfaces:

Do a “show int” again and the result should look something like this:


If you exit configuration mode and do a “show int” there, you will get the following result:


Before we are able to connect to our router with SSH, we need to enable the SSH service. To do so, issue the following commands:

In the first article I already mentioned that I like to put the host computer on the PROD and DMZ networks too, for management purposes. This is a good moment to do so. Open Network Connections, right-click the “vEthernet (PROD)” adapter and give it an IP address in the PROD range (I’m using 10.0.0.250). Do the same for the DMZ network (10.0.1.250 in my configuration). Don’t enter a default gateway or DNS server on these adapters.


We can now launch an SSH client and connect to the 10.0.0.1 address. I’m using RoyalTS here, but PuTTY is nice as well (and free).


Let’s configure some general system properties. Issue the following commands:

Instead of ‘thvo.net’, choose the domain name that you’re planning on using for your Active Directory domain. The DNS servers I use are from OpenDNS. For a list of timezone conventions go here.
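The author's own command listings for this section are not reproduced on this page, so here is an added example (my reconstruction, not the author's listing) of the interface, SSH and system settings described above. It assumes PROD is 10.0.0.0/24 with the router at 10.0.0.1 (the address the SSH step connects to) and DMZ is 10.0.1.0/24 with the router at 10.0.1.1; the time zone, the new password placeholder and the host name GW01 (the VM name) are my choices; the name-server addresses are the public OpenDNS resolvers.

```vyos
# Added example, not the author's listing. Paste into VyOS 1.1 configuration mode.
configure

# eth0 faces the NAT switch and gets its address (and default route) from the NAT service's DHCP
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'NAT'

# eth1 = PROD, eth2 = DMZ. Static gateway addresses; 10.0.1.1 for DMZ is an assumption.
set interfaces ethernet eth1 address 10.0.0.1/24
set interfaces ethernet eth1 description 'PROD'
set interfaces ethernet eth2 address 10.0.1.1/24
set interfaces ethernet eth2 description 'DMZ'

# SSH: listen only on the PROD address so management is never reachable from the NAT side
set service ssh port 22
set service ssh listen-address 10.0.0.1

# General system settings (time zone and password are placeholders; replace them)
set system host-name 'GW01'
set system domain-name 'thvo.net'
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system time-zone 'Europe/Amsterdam'
set system login user vyos authentication plaintext-password 'CHANGE-ME'

# Apply to the running system, then persist to disk
commit
save
exit
```

After the commit, `show interfaces` (in operational mode) should list eth0 with a DHCP-assigned address and eth1/eth2 with the static ones; if the SSH listen address is set before eth1 has its address, the commit fails, so keep the order above. The plaintext password is hashed on commit and only the hash is stored in the saved configuration.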

Exit your way out of configuration mode and reboot your box by entering “reboot now”.

As you probably are familiar with the VyOS configuration mode now and how to commit and save your settings, I’m not going to mention those explicitly further down this post.

Configuring Internet Access (NAT)

To get our virtual machines connected to the internet we have to set up source NAT so that all outbound connections share the router’s external IP address. To connect both PROD and DMZ to the internet, issue the following commands in configuration mode:

Tip: copy and paste the text above into your terminal!

We are telling VyOS that outbound connections from our internal networks should leave through eth0, with their source address rewritten to the address of eth0.
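The source NAT rules for the two internal networks, as an added example (my reconstruction, not the author's listing). It assumes the same 10.0.0.0/24 (PROD) and 10.0.1.0/24 (DMZ) ranges as before; the rule numbers are my choice.

```vyos
# Added example, not the author's listing. VyOS 1.1 configuration mode.
configure

# Only the two lab subnets are translated; anything else arriving at eth0 is left alone.
# 'masquerade' uses whatever address eth0 currently holds, which matters because eth0 is on DHCP.
set nat source rule 100 description 'PROD to internet'
set nat source rule 100 source address 10.0.0.0/24
set nat source rule 100 outbound-interface eth0
set nat source rule 100 translation address masquerade

set nat source rule 200 description 'DMZ to internet'
set nat source rule 200 source address 10.0.1.0/24
set nat source rule 200 outbound-interface eth0
set nat source rule 200 translation address masquerade

commit
save
exit
```

`show nat source rules` and `show nat source translations` (operational mode) show the rules and the active translations; a translation entry appearing for a test VM's address confirms the rule is matching. Scoping each rule to a source subnet instead of translating everything is deliberate: a later zone policy can then reason about traffic by its real source address, and a misconfigured VM on an unexpected range does not silently get internet access.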

Firewall Settings

VyOS can operate in a couple of different firewall modes, but I find the zone-based approach the simplest solution. You create a firewall zone per network, and for each pair of zones you define an access policy. We will create 3 zones now:

Creating firewall policies is a tedious process, but you always need the same default rules in every policy. These are the ones I use:

The rules above apply to traffic from my PROD network to the outside world; you can see that reflected in the naming convention. Each rule has a number. Rule 1 accepts already established connections, rule 2 drops and logs invalid connections, and rule 9999 drops and logs everything else. If you create new rules, give them other numbers (between 2 and 9999, that is).

These are the other rules that I have in that zone policy:

Rule 100 allows ping to the internet. Rule 200 lets HTTP and HTTPS traffic pass, and rule 600 allows DNS traffic, but only from my own DNS server, which will be 10.0.0.10. I want my domain machines to use the internal DNS server, not one on the internet.

The complete list of zone policies I create is:

  • PROD to NAT
  • NAT to PROD
  • DMZ to NAT
  • NAT to DMZ
  • PROD to DMZ
  • DMZ to PROD

I always start with the basic set of rules (which basically don’t allow anything) and go from there. Only when I want a certain port to be opened do I add rules to the relevant policy.
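The zone-based firewall from this section, as an added example (my reconstruction, not the author's downloadable listing): the three zones, the PROD-to-NAT ruleset with the default rules 1, 2 and 9999 and the extra rules 100, 200 and 600 described above, and the NAT-to-PROD ruleset with the default rules only. The ruleset names, the zone names and the DNS server address 10.0.0.10 follow the text; the subnet ranges are the same assumptions as before. The other four zone pairs are built the same way.

```vyos
# Added example, not the author's listing. VyOS 1.1 configuration mode.
configure

# --- PROD -> NAT: default rules every policy gets ---
set firewall name PROD-NAT description 'PROD to NAT'
set firewall name PROD-NAT default-action drop
set firewall name PROD-NAT rule 1 action accept
set firewall name PROD-NAT rule 1 state established enable
set firewall name PROD-NAT rule 1 state related enable
set firewall name PROD-NAT rule 2 action drop
set firewall name PROD-NAT rule 2 state invalid enable
set firewall name PROD-NAT rule 2 log enable
set firewall name PROD-NAT rule 9999 action drop
set firewall name PROD-NAT rule 9999 log enable

# --- PROD -> NAT: what is actually allowed out ---
set firewall name PROD-NAT rule 100 description 'ping'
set firewall name PROD-NAT rule 100 action accept
set firewall name PROD-NAT rule 100 protocol icmp
set firewall name PROD-NAT rule 200 description 'web'
set firewall name PROD-NAT rule 200 action accept
set firewall name PROD-NAT rule 200 protocol tcp
set firewall name PROD-NAT rule 200 destination port 80,443
set firewall name PROD-NAT rule 600 description 'DNS from internal DNS server only'
set firewall name PROD-NAT rule 600 action accept
set firewall name PROD-NAT rule 600 protocol tcp_udp
set firewall name PROD-NAT rule 600 source address 10.0.0.10
set firewall name PROD-NAT rule 600 destination port 53

# --- NAT -> PROD: default rules only, so nothing unsolicited gets in ---
set firewall name NAT-PROD description 'NAT to PROD'
set firewall name NAT-PROD default-action drop
set firewall name NAT-PROD rule 1 action accept
set firewall name NAT-PROD rule 1 state established enable
set firewall name NAT-PROD rule 1 state related enable
set firewall name NAT-PROD rule 2 action drop
set firewall name NAT-PROD rule 2 state invalid enable
set firewall name NAT-PROD rule 2 log enable
set firewall name NAT-PROD rule 9999 action drop
set firewall name NAT-PROD rule 9999 log enable

# --- Zones: one per interface, drop by default between zones ---
set zone-policy zone NAT default-action drop
set zone-policy zone NAT interface eth0
set zone-policy zone PROD default-action drop
set zone-policy zone PROD interface eth1
set zone-policy zone DMZ default-action drop
set zone-policy zone DMZ interface eth2

# --- Bind a ruleset to each direction; "zone X from Y" filters traffic entering X from Y ---
set zone-policy zone NAT from PROD firewall name PROD-NAT
set zone-policy zone PROD from NAT firewall name NAT-PROD
# Repeat for DMZ-NAT, NAT-DMZ, PROD-DMZ and DMZ-PROD with their own rulesets.

commit
save
exit
```

Two things worth checking after the commit. First, `show firewall name PROD-NAT` (operational mode) shows per-rule packet counters, so a VM's failed DNS lookup turning up as hits on rule 9999 rather than rule 600 tells you the client is bypassing the internal DNS server. Second, zone policies only govern traffic forwarded between zones; traffic addressed to the router itself (SSH, the DHCP exchange on eth0) is not covered unless a separate local zone is defined, which is why the SSH service was bound to the PROD address earlier rather than relying on these rules.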

You can download the complete listing of commands I used here.

Some Additional Tips

  • Using VyOS requires some practice in the beginning. Take a VM checkpoint if you want to test things out, and revert if you messed up.
  • To view or export your complete configuration, issue the “show” command in configuration mode without parameters. My complete VyOS configuration can be downloaded here.
  • If you want to see some live logging, type “monitor log”.
  • To clear the screen, press CTRL-L.

In the next article we’ll look at how I manage my virtual machine templates, how I keep them up to date and how I deploy them. We are going to test our firewall in a later article.