Part 4 – Creating Active Directory [This article]
The first post in this series covered the general ideas behind my lab and the topology I want for my network. This post details how to setup VyOS as a router and firewall to meet my requirements.
Head over to the VyOS website and download the latest bits. At the time of writing, version 1.1.3 was the current stable release. For use with Hyper-V or VMware, use the “amd64” iso file. It has the right drivers and tools included for your hypervisor. That enables you to perform a clean shutdown of the OS from within Hyper-V for example.
Creating the VM
Real IT Pro’s use PowerShell, I know. But for the sake of demonstration I’m going to create the virtual machine by hand in the GUI. Open Hyper-V manager and create a new virtual machine. I named mine “GW01”:
Next specify a VM generation. For Linux virtual machines always select “Generation 1”:
As I mentioned, VyOS does not need a lot of RAM. I chose 512 MB. Don’t use Dynamic Memory here, because that is not supported with VyOS. VyOS is based on Debian which does not support dynamic memory at the time of writing.
Next we are choosing our first network adapter. Connect it to the NAT virtual switch.
Accept the defaults for the system drive.
You can point your VM to the ISO file you downloaded earlier now.
After initial configuration open the properties of your VM and add 2 additional network adapters: one connected to the PROD internal switch and one to the DMZ internal switch. After this you should have 3 network adapters configured.
That’s it. Let’s power on your VM now.
It takes a few seconds for the VM to boot and VyOS to load. After that you’ll be greeted with a login prompt. Enter “vyos” as user and password. Don’t worry, we’re going to change the passwords afterwards. Be careful if you’re not using the ubiquitous qwerty keyboard layout as I do 🙂
What you see on the screen is already a fully functioning VyOS instance running in memory. For our lab we are going to install it to our virtual disk however. It all boils down to booting the VM and typing “install image”. I created a small video that shows you how it’s done.
After installation, simply detach the ISO file from your virtual machine and boot it again.
I can’t possibly explain everything there is in operating a VyOS router, but these resources go a long way:
The learning curve is quite steep the first few days, but after that it becomes rather straightforward.
To configure VyOS you have to enter configuration mode with the “config” command. From there, we can perform all operations we want. Because typing in the Hyper-V console is not much fun the first thing we are going to do is get our router connected to a network. That way you can use a terminal program like PuTTY or another SSH client. I very much like the way you can just paste a bunch of configuration commands to get them processed.
After you made some changes, you need to enter the “commit” and “save” commands. The first one applies the changes while the second one persists them to disk so they will remain in effect after a reboot.
Let’s get our router connected. Because it’s Linux, each ethernet interface has a name like this:
- eth0 (NAT)
- eth1 (PROD)
- eth2 (DMZ)
Enter configuration mode by typing “config” and have a look at the current interfaces:
This gives you a list like this:
Our eth0 interface is connected to the NAT virtual switch. Behind this switch is the VMware NAT service that hands out IP addresses with DHCP and will provide our machines with internet access. Let’s configure our interface to get an IP automatically. Issue the following commands:
set int ethernet eth0 address dhcp set int ethernet eth0 description NAT commit save
If all goes well, your router is now connected to the internet.
Let’s configure our other interfaces:
set int ethernet eth1 address 10.0.0.1/24 set int ethernet eth1 description PROD set int ethernet eth2 address 10.0.1.1/24 set int ethernet eth2 description DMZ commit save
Do a “show int” again and the result should look something like this:
If you exit configuration mode and do a “show int” there, you will get the following result:
Now before we are able to connect to our router with SSH, we need to enable that. To do so, issue the following commands:
set service ssh port 22 commit save
In the first article I already mentioned that I like to put the host computer on the PROD and DMZ networks too for management purposes. This is a good moment to do so. Open network connections, right-click the “vEthernet (PROD)” adapter and give it an IP address in the PROD range (I’m using 10.0.0.250). Do the same for the DMZ network (10.0.1.250 in my configuration). Don't enter a default gateway or DNS server.
Let’s configure some general system properties. Issue the following commands:
set system domain-name thvo.net set system host-name gw01 set system name-server 126.96.36.199 set system name-server 188.8.131.52 set system time-zone Europe/Brussels commit save
Exit your way out of configuration mode and reboot your box by entering “reboot now”.
As you probably are familiar with the VyOS configuration mode now and how to commit and save your settings, I'm not going to mention those explicitly further down this post.
Configuring Internet Access (NAT)
To get our virtual machines connected to the internet we have to setup NAT so that all connections use the same external IP address. To connect both PROD and DMZ to the internet, issue the following commands in configuration mode:
set nat source rule 10 outbound-interface eth0 set nat source rule 10 source address 10.0.0.0/24 set nat source rule 10 translation address masquerade set nat source rule 11 outbound-interface eth0 set nat source rule 11 source address 10.0.1.0/24 set nat source rule 11 translation address masquerade
Tip: copy and paste the text above into your terminal!
We are telling VyOS that outbound connections from our internal networks should use eth0 to connect to the outside world.
VyOS can operate in a couple of different firewall modes, but I’m finding the zone-based approach the simplest solution. You create a firewall zone per network and based on that zone you define your access policies. We will create 3 zones now:
set zone-policy zone NAT interface eth0 set zone-policy zone PROD interface eth1 set zone-policy zone DMZ interface eth2
Creating firewall policies is a tedious process but you always need some default rules in every policy. These are the ones I use:
set firewall name PROD-NAT default-action drop set firewall name PROD-NAT rule 1 action accept set firewall name PROD-NAT rule 1 state established enable set firewall name PROD-NAT rule 1 state related enable set firewall name PROD-NAT rule 2 action drop set firewall name PROD-NAT rule 2 log enable set firewall name PROD-NAT rule 2 state invalid enable set firewall name PROD-NAT rule 9999 action drop set firewall name PROD-NAT rule 9999 log enable set zone-policy zone NAT from PROD firewall name PROD-NAT
The rules above are relevant for traffic from my PROD network to the outside world. You can see that reflected in the naming conventions. Each rule has a number. Rule 1 means that already established connections are accepted, Rule 2 means that invalid connections are dropped and logged and rule 9999 means that we drop everything else and log those too. If you create new rules you give them other numbers (between 2 and 9999 that is).
These are the other rules that I have in that zone policy:
set firewall name PROD-NAT rule 100 action accept set firewall name PROD-NAT rule 100 log enable set firewall name PROD-NAT rule 100 protocol icmp set firewall name PROD-NAT rule 200 action accept set firewall name PROD-NAT rule 200 destination port 80,443 set firewall name PROD-NAT rule 200 log enable set firewall name PROD-NAT rule 200 protocol tcp set firewall name PROD-NAT rule 600 action accept set firewall name PROD-NAT rule 600 destination port 53 set firewall name PROD-NAT rule 600 log enable set firewall name PROD-NAT rule 600 protocol tcp_udp set firewall name PROD-NAT rule 600 source address 10.0.0.10
Rule 100 means that ping is allowed to the internet. Rule 200 lets HTTP and HTTPS traffic pass and rule 600 enables DNS traffic, but only from my own DNS server - which will be 10.0.0.10. I want my domain machines to use the internal DNS server, not the one on the internet.
The complete list of zone policies I create is:
- PROD to NAT
- NAT to PROD
- DMZ to NAT
- NAT to DMZ
- PROD to DMZ
- DMZ to PROD
I always start with the basic set of rules (that don’t allow anything basically) and go from there. Only if I want a certain port to be opened I add some rules to my policy.
Some Additional Tips
- Using VyOS requires some practice in the beginning. Take a VM checkpoint if you want to test stuff out and revert if you messed up.
- To take a look or export your complete configuration issue the “show” command in configuration mode without parameters. My complete VyOS configuration can be downloaded here
- If you want to see some live logging, type “monitor log”
- To clear the screen, type “CTRL-L”
In the next article we'll look at how I manage my virtual machine templates, how I keep them up to date and how I deploy them. We are going to test our firewall in a later article.