My Lab Environment v2.0 (Part 2 - Router & Firewall)

Part 1 - Introduction

Part 2 - Router & Firewall (This Article)

Part 3 - Virtual Machines & Templates

Part 4 – Creating Active Directory

The first post in this series covered the general ideas behind my lab and the topology I want for my network. This post details how to setup VyOS as a router and firewall to meet my requirements.

Getting VyOS

Head over to the VyOS website and download the latest bits. At the time of writing, version 1.1.3 was the current stable release. For use with Hyper-V or VMware, use the “amd64” iso file; it includes the drivers and integration tools for your hypervisor, which for example lets Hyper-V perform a clean shutdown of the guest. Verify the downloaded ISO against the checksum published alongside it before you boot from it.

Creating the VM

Real IT Pro’s use PowerShell, I know. But for the sake of demonstration I’m going to create the virtual machine by hand in the GUI. Open Hyper-V manager and create a new virtual machine. I named mine “GW01”:

New Virtual Machine Wizard

Next specify a VM generation. Select “Generation 1”: Generation 2 machines boot through UEFI only, and the VyOS 1.1 installer needs a BIOS boot.

New Virtual Machine Wizard

As I mentioned, VyOS does not need a lot of RAM; I chose 512 MB. Don’t enable Dynamic Memory here, because VyOS does not support it: VyOS is based on Debian, which did not support Hyper-V dynamic memory at the time of writing.

New Virtual Machine Wizard

Next we are choosing our first network adapter. Connect it to the NAT virtual switch.

New Virtual Machine Wizard

Accept the defaults for the system drive.

New Virtual Machine Wizard

You can point your VM to the ISO file you downloaded earlier now.

New Virtual Machine Wizard

After initial configuration open the properties of your VM and add 2 additional network adapters: one connected to the PROD internal switch and one to the DMZ internal switch. After this you should have 3 network adapters configured.

New Virtual Machine Wizard

That’s it. Let’s power on your VM now.
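As the post says, real IT pros use PowerShell, and the same VM can be built without clicking through the wizard. The script below is an added example of mine, not the author's. It assumes Hyper-V switches named NAT, PROD and DMZ, a VM folder of D:\Hyper-V and the installer ISO at C:\ISO\vyos-1.1.3-amd64.iso; change those to match your host. It also sizes the system disk at 4 GB rather than the wizard default, which is more than enough for VyOS.

```powershell
# Added example: create the VyOS router VM (GW01) from PowerShell instead of the GUI.
# Assumptions (not from the original post): switches named NAT, PROD and DMZ,
# VM storage under D:\Hyper-V, ISO at C:\ISO\vyos-1.1.3-amd64.iso.
$VMName   = 'GW01'
$VMPath   = 'D:\Hyper-V'
$IsoPath  = 'C:\ISO\vyos-1.1.3-amd64.iso'
$Switches = [ordered]@{ NAT = 'NAT'; PROD = 'PROD'; DMZ = 'DMZ' }

# Generation 1 (BIOS boot), fixed 512 MB, first NIC on the NAT switch,
# and a new 4 GB system disk. New-VM returns the VM object for later calls.
$vm = New-VM -Name $VMName -Generation 1 -MemoryStartupBytes 512MB `
             -SwitchName $Switches.NAT -Path $VMPath `
             -NewVHDPath (Join-Path $VMPath "$VMName\$VMName.vhdx") `
             -NewVHDSizeBytes 4GB

# VyOS does not support Hyper-V Dynamic Memory; make sure it is off.
Set-VMMemory -VM $vm -DynamicMemoryEnabled $false

# Name the first adapter after its switch so the eth0/eth1/eth2 mapping
# stays obvious, then add the PROD and DMZ adapters.
Get-VMNetworkAdapter -VM $vm | Rename-VMNetworkAdapter -NewName 'NAT'
foreach ($zone in 'PROD', 'DMZ') {
    Add-VMNetworkAdapter -VM $vm -Name $zone -SwitchName $Switches[$zone]
}

# Attach the installer ISO to the default DVD drive of the Generation 1 VM,
# show the adapter-to-switch mapping as a sanity check, then power on.
Set-VMDvdDrive -VMName $VMName -Path $IsoPath
Get-VMNetworkAdapter -VM $vm | Select-Object Name, SwitchName
Start-VM -VM $vm
```

Adapters are enumerated by VyOS in the order they were added, so creating the NAT adapter first with New-VM and the PROD and DMZ adapters afterwards gives the eth0/eth1/eth2 assignment used in the rest of this post. Run the script from an elevated PowerShell session on the Hyper-V host.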

Installing VyOS

It takes a few seconds for the VM to boot and VyOS to load. After that you’ll be greeted with a login prompt. Enter “vyos” as user and password. Don’t worry, we’re going to change the passwords afterwards. Be careful if you’re not using the ubiquitous qwerty keyboard layout as I do 🙂

What you see on the screen is already a fully functioning VyOS instance running from the live ISO in memory. For our lab we are going to install it to our virtual disk instead, which boils down to typing “install image” and accepting the defaults. The installer asks you for a new password for the “vyos” user; pick a strong one now rather than keeping the default. I created a small video that shows you how it’s done.

After installation, simply detach the ISO file from your virtual machine and boot it again.

Configuring VyOS

I can’t possibly explain everything there is in operating a VyOS router, but these resources go a long way:

The learning curve is quite steep the first few days, but after that it becomes rather straightforward.

To configure VyOS you have to enter configuration mode with the “configure” command (VyOS accepts the abbreviation “config”). From there we can perform all operations we want. Because typing in the Hyper-V console is not much fun, the first thing we are going to do is get our router connected to a network. That way you can use a terminal program like PuTTY or another SSH client. I very much like the way you can just paste a bunch of configuration commands to get them processed.

After you made some changes, you need to enter the “commit” and “save” commands. The first one applies the changes to the running system; the second one persists them to disk (/config/config.boot) so they remain in effect after a reboot. An uncommitted change does nothing, and a committed but unsaved change is gone after the next reboot.

Let’s get our router connected. Because it’s Linux, each ethernet interface has a name like this:

  • eth0 (NAT)
  • eth1 (PROD)
  • eth2 (DMZ)

Enter configuration mode by typing “config” and have a look at the current interfaces:

show int

This gives you a list like this:

VyOS Interfaces

Our eth0 interface is connected to the NAT virtual switch. Behind this switch is the VMware NAT service that hands out IP addresses with DHCP and will provide our machines with internet access. Let’s configure our interface to get an IP automatically. Issue the following commands:

set int ethernet eth0 address dhcp
set int ethernet eth0 description NAT

Commit, then check with “run show interfaces” (the “run” prefix executes an operational-mode command from inside configuration mode). If eth0 has picked up an address from the NAT service, your router is now connected to the internet.

Let’s configure our other interfaces:

set int ethernet eth1 address
set int ethernet eth1 description PROD
set int ethernet eth2 address
set int ethernet eth2 description DMZ

Do a “show int” again and the result should look something like this:

VyOS Interfaces

If you exit configuration mode and do a “show int” there, you will get the following result:

VyOS IP Information

Before we are able to connect to our router with SSH, we need to enable that service. The command below enables it on every interface, including eth0 on the NAT side; in this lab that side sits behind the host’s NAT service, but you can pin SSH to the PROD address with “set service ssh listen-address” if you prefer. Issue the following command:

set service ssh port 22

In the first article I already mentioned that I like to put the host computer on the PROD and DMZ networks too for management purposes. This is a good moment to do so. Open Network Connections, right-click the “vEthernet (PROD)” adapter and give it an IP address in the PROD range (I’m using ). Do the same for the DMZ network ( in my configuration). Don’t enter a default gateway or DNS server on these adapters; otherwise Windows may try to route your host’s internet traffic through the lab router.

Network Connections

We can now launch an SSH client and connect to the router’s PROD address. I’m using RoyalTS here, but PuTTY is nice as well (and free).


Let’s configure some general system properties. Issue the following commands:

set system domain-name
set system host-name gw01
set system name-server
set system name-server
set system time-zone Europe/Brussels

Instead of ‘’, choose the domain name that you’re planning on using for your Active Directory domain. The DNS servers I use are from OpenDNS. For a list of timezone conventions go here.

Exit your way out of configuration mode and reboot your box by entering “reboot now”.

As you probably are familiar with the VyOS configuration mode now and how to commit and save your settings, I'm not going to mention those explicitly further down this post.

Configuring Internet Access (NAT)

To get our virtual machines connected to the internet we have to setup NAT so that all connections use the same external IP address. To connect both PROD and DMZ to the internet, issue the following commands in configuration mode:

set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address
set nat source rule 10 translation address masquerade
set nat source rule 11 outbound-interface eth0
set nat source rule 11 source address
set nat source rule 11 translation address masquerade

Tip: copy and paste the text above into your terminal!

We are telling VyOS that outbound connections from our internal networks should leave through eth0 with their source address rewritten to eth0’s DHCP-assigned address (“masquerade”), so the NAT service only ever sees one internal host. Check the result with “show nat source rules” in operational mode; the rules do not open anything by themselves, since the firewall policies below still decide what may pass.

Firewall Settings

VyOS can filter either per interface (attaching a rule set to an interface’s in, out and local directions) or per zone, and I find the zone-based approach the simplest. You create a firewall zone per network, and every zone-to-zone direction gets its own policy; traffic between two zones that have no policy is dropped. Note that zone policies only cover traffic crossing the router between zones. Traffic to or from the router itself (SSH to it, its DHCP client on eth0) is filtered only if you also define a zone with the “local-zone” option, which I don’t do here. We will create 3 zones now:

set zone-policy zone NAT interface eth0
set zone-policy zone PROD interface eth1
set zone-policy zone DMZ interface eth2

Creating firewall policies is a tedious process but you always need some default rules in every policy. These are the ones I use:

set firewall name PROD-NAT default-action drop
set firewall name PROD-NAT rule 1 action accept
set firewall name PROD-NAT rule 1 state established enable
set firewall name PROD-NAT rule 1 state related enable
set firewall name PROD-NAT rule 2 action drop
set firewall name PROD-NAT rule 2 log enable
set firewall name PROD-NAT rule 2 state invalid enable
set firewall name PROD-NAT rule 9999 action drop
set firewall name PROD-NAT rule 9999 log enable
set zone-policy zone NAT from PROD firewall name PROD-NAT

The rules above apply to traffic from my PROD network to the outside world; the naming convention reflects that. Rules are evaluated in ascending number order and the first match wins. Rule 1 accepts packets that belong to an already established (or related) connection, rule 2 drops and logs packets that connection tracking considers invalid, and rule 9999 drops and logs everything that reaches the end of the list. New rules get numbers between 2 and 9999 so that the stateful checks still run first and the catch-all stays last.

These are the other rules that I have in that zone policy:

set firewall name PROD-NAT rule 100 action accept
set firewall name PROD-NAT rule 100 log enable
set firewall name PROD-NAT rule 100 protocol icmp
set firewall name PROD-NAT rule 200 action accept
set firewall name PROD-NAT rule 200 destination port 80,443
set firewall name PROD-NAT rule 200 log enable
set firewall name PROD-NAT rule 200 protocol tcp
set firewall name PROD-NAT rule 600 action accept
set firewall name PROD-NAT rule 600 destination port 53
set firewall name PROD-NAT rule 600 log enable
set firewall name PROD-NAT rule 600 protocol tcp_udp
set firewall name PROD-NAT rule 600 source address

Rule 100 allows ping to the internet (in fact all ICMP, since it matches the protocol rather than the echo-request type). Rule 200 lets HTTP and HTTPS traffic pass and rule 600 enables DNS traffic, but only from the address of my own DNS server, which will be . I want my domain machines to use the internal DNS server, not the one on the internet. Rules 100 and 200 log every accepted connection, which is handy while testing but noisy once the lab is in daily use.

The complete list of zone policies I create is:

  • PROD to NAT
  • NAT to PROD
  • DMZ to NAT
  • NAT to DMZ
  • PROD to DMZ
  • DMZ to PROD

I always start with the basic set of rules (which allows nothing except replies to connections the other side opened) and go from there. Only when I need a certain port open do I add a rule to that policy.
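The post lists six zone policies but only shows PROD-NAT. The listing below is an added example of mine, not the author’s downloadable configuration: it builds the other five from the same boilerplate (accept established/related, drop and log invalid, drop and log the rest), with the same zone and interface names as the post. Two allowances are assumptions of mine and are marked as such: DMZ hosts resolving DNS directly on the internet, and RDP from PROD into the DMZ; remove them if your lab does not need them. Lines starting with “#” are ignored when pasted into configuration mode.

```text
# Added example, not the author's listing: the five remaining zone policies.
# Same rule numbering as PROD-NAT: 1 established/related, 2 invalid, 9999 catch-all.

# NAT -> PROD: nothing may be initiated from the internet side, only replies
# to connections PROD opened. Without this policy the source NAT above has no
# return path and nothing in PROD reaches the internet.
set firewall name NAT-PROD default-action drop
set firewall name NAT-PROD rule 1 action accept
set firewall name NAT-PROD rule 1 state established enable
set firewall name NAT-PROD rule 1 state related enable
set firewall name NAT-PROD rule 2 action drop
set firewall name NAT-PROD rule 2 log enable
set firewall name NAT-PROD rule 2 state invalid enable
set firewall name NAT-PROD rule 9999 action drop
set firewall name NAT-PROD rule 9999 log enable
set zone-policy zone PROD from NAT firewall name NAT-PROD

# NAT -> DMZ: identical posture. Publish a DMZ service later with a
# destination NAT rule plus a narrow accept rule here, never by widening 9999.
set firewall name NAT-DMZ default-action drop
set firewall name NAT-DMZ rule 1 action accept
set firewall name NAT-DMZ rule 1 state established enable
set firewall name NAT-DMZ rule 1 state related enable
set firewall name NAT-DMZ rule 2 action drop
set firewall name NAT-DMZ rule 2 log enable
set firewall name NAT-DMZ rule 2 state invalid enable
set firewall name NAT-DMZ rule 9999 action drop
set firewall name NAT-DMZ rule 9999 log enable
set zone-policy zone DMZ from NAT firewall name NAT-DMZ

# DMZ -> NAT: web out, plus DNS out (ASSUMED: DMZ hosts have no internal
# DNS server and resolve on the internet directly).
set firewall name DMZ-NAT default-action drop
set firewall name DMZ-NAT rule 1 action accept
set firewall name DMZ-NAT rule 1 state established enable
set firewall name DMZ-NAT rule 1 state related enable
set firewall name DMZ-NAT rule 2 action drop
set firewall name DMZ-NAT rule 2 log enable
set firewall name DMZ-NAT rule 2 state invalid enable
set firewall name DMZ-NAT rule 200 action accept
set firewall name DMZ-NAT rule 200 destination port 80,443
set firewall name DMZ-NAT rule 200 protocol tcp
set firewall name DMZ-NAT rule 600 action accept
set firewall name DMZ-NAT rule 600 destination port 53
set firewall name DMZ-NAT rule 600 protocol tcp_udp
set firewall name DMZ-NAT rule 9999 action drop
set firewall name DMZ-NAT rule 9999 log enable
set zone-policy zone NAT from DMZ firewall name DMZ-NAT

# PROD -> DMZ: replies plus one management allowance (ASSUMED: RDP from the
# PROD side into DMZ hosts).
set firewall name PROD-DMZ default-action drop
set firewall name PROD-DMZ rule 1 action accept
set firewall name PROD-DMZ rule 1 state established enable
set firewall name PROD-DMZ rule 1 state related enable
set firewall name PROD-DMZ rule 2 action drop
set firewall name PROD-DMZ rule 2 log enable
set firewall name PROD-DMZ rule 2 state invalid enable
set firewall name PROD-DMZ rule 300 action accept
set firewall name PROD-DMZ rule 300 destination port 3389
set firewall name PROD-DMZ rule 300 log enable
set firewall name PROD-DMZ rule 300 protocol tcp
set firewall name PROD-DMZ rule 9999 action drop
set firewall name PROD-DMZ rule 9999 log enable
set zone-policy zone DMZ from PROD firewall name PROD-DMZ

# DMZ -> PROD: replies only. This is the policy that earns the DMZ its name:
# a compromised DMZ host must not be able to open connections into PROD.
set firewall name DMZ-PROD default-action drop
set firewall name DMZ-PROD rule 1 action accept
set firewall name DMZ-PROD rule 1 state established enable
set firewall name DMZ-PROD rule 1 state related enable
set firewall name DMZ-PROD rule 2 action drop
set firewall name DMZ-PROD rule 2 log enable
set firewall name DMZ-PROD rule 2 state invalid enable
set firewall name DMZ-PROD rule 9999 action drop
set firewall name DMZ-PROD rule 9999 log enable
set zone-policy zone PROD from DMZ firewall name DMZ-PROD
```

After “commit” and “save”, verify the posture rather than trusting it: from a DMZ machine try to open a connection to a PROD address and watch “show firewall name DMZ-PROD statistics” in operational mode, where the packet counter of rule 9999 should climb while rule 1 stays quiet, and use “monitor log” to see the corresponding drop entries. Because every policy ends in a logged drop, each zone pair fails closed the moment it is bound with “set zone-policy”, so bind the return-path policies (NAT-PROD, NAT-DMZ) in the same commit as the outbound ones or PROD loses internet access in between.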

You can download the complete listing of commands I used here

Some Additional Tips

  • Using VyOS requires some practice in the beginning. Take a VM checkpoint if you want to test stuff out and revert if you messed up.
  • To take a look at or export your complete configuration, issue the “show” command in configuration mode without parameters; “show configuration commands” in operational mode prints the same configuration as a list of “set” commands you can paste straight back into a fresh box. My complete VyOS configuration can be downloaded here
  • If you want to see some live logging, type “monitor log”
  • To clear the screen, type “CTRL-L”

In the next article we'll look at how I manage my virtual machine templates, how I keep them up to date and how I deploy them. We are going to test our firewall in a later article.