Test of the VyOS x86 distribution on an i7 6700 HP G1 400 SFF with an X520-DA2 card + WAS-110
I should point out that this is a test; some settings may not be optimal, so comments and adjustments are welcome. In particular, I did not understand how to use dynamic values (such as the public IPv4 address, or the prefix obtained through IPv6 prefix delegation) in the config or in a script. The hooks on offer are only pre/post boot or config, not very useful... I must have missed a doc...
Create a bootable USB stick from the site https://vyos.io/vyos-universal-router ; I use their "rolling release", so we will be on version 1.5.x. Once booted, log in with user 'vyos', password 'vyos', then install onto the machine's disk. (It apparently supports installing onto a USB stick, but you need two sticks.)
install image
Follow the steps/questions, it takes 2 minutes... I chose KVM to use the screen/keyboard, but a <serial> option exists, handy for those who have a serial console.
reboot
After startup, I can check that the two Intel SFP ports are visible with the right driver
ifconfig -a
PS: if you have several interfaces, use the MAC address to identify the two Intel SFP ports (as in my case).
From here on, eth0 → the HP G1 400's onboard port, which I use as a "management" port with a static IP on a separate network (I use a laptop with a static IP on that same network to reach this interface if something goes wrong).
By default, once logged in you are in operational mode; to change the configuration you must use the ```configure``` command, and once the changes are made you must run ```commit``` and then ```save```.
We enable the management interface (eth0) and SSH (which for now will be reachable on all interfaces by default, until the firewall is enabled).
configure
set interfaces ethernet eth0 address '192.168.0.1/24'
set interfaces ethernet eth0 description 'MANAGEMENT'
set service ssh port '22'
commit
save
eth1 → SFP WAS-110 towards Bouygues
eth2 → SFP LAN towards my switch
LAN network 192.168.1.0/24
You can reboot and switch to SSH on the management interface, easier for copy/paste from a computer...
MAC XX:XX:XX:XX:XX:XX is to be replaced with the bbox's MAC address.
configure
set interfaces ethernet eth1 vif 100
set interfaces ethernet eth1 vif 100 address dhcp
# no option other than cloning the MAC was needed for me (some may need to pass BYGTEL as the vendor...)
set interfaces ethernet eth1 vif 100 address dhcpv6
set interfaces ethernet eth1 vif 100 dhcpv6-options rapid-commit
set interfaces ethernet eth1 vif 100 dhcpv6-options temporary
set interfaces ethernet eth1 vif 100 dhcpv6-options pd 0 interface eth2 sla-id 0
set interfaces ethernet eth1 vif 100 dhcpv6-options pd 0 interface eth2 address 1
# apparently, by default, cloning the MAC on eth1.100 is enough for VyOS to use the right DUID; no client-id configuration was needed for me either...
set interfaces ethernet eth1 vif 100 description WAN
set interfaces ethernet eth1 vif 100 mac XX:XX:XX:XX:XX:XX
set interfaces ethernet eth1 vif 100 ip adjust-mss clamp-mss-to-pmtu
set interfaces ethernet eth1 vif 100 ipv6 adjust-mss clamp-mss-to-pmtu
#ipv4 lan and dhcp
set interfaces ethernet eth2 address '192.168.1.1/24'
set interfaces ethernet eth2 description 'LAN'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 option default-router '192.168.1.1'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 option name-server '192.168.1.1'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 option domain-name 'lan'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 start '192.168.1.100'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 stop '192.168.1.199'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 subnet-id '1'
#to have device names synced to the hosts file; the hosts file is read by dns forwarding by default
set service dhcp-server hostfile-update
#ipv6 lan and ra and dhcp
# Configure IPv6 Router Advertisement on LAN interface
set service router-advert interface eth2 name-server 'upstream'
set service router-advert interface eth2 prefix ::/64 autonomous-flag 'true'
set service router-advert interface eth2 prefix ::/64 on-link-flag 'true'
set service router-advert interface eth2 prefix ::/64 valid-lifetime '2592000'
set service router-advert interface eth2 other-config-flag 'true'
set service router-advert interface eth2 managed-flag 'true'
set service router-advert interface eth2 default-preference 'high'
set service router-advert interface eth2 link-mtu '1500'
set service router-advert interface eth2 reachable-time '0'
set service router-advert interface eth2 retrans-timer '0'
set service router-advert interface eth2 send-advert 'true'
set service router-advert interface eth2 hop-limit '64'
#find out how to force the IPv6 DNS server
#set service router-advert interface eth2 name-server <TODO find out how to assign this server dynamically or use the EUI-64 / link-local address of eth2>
# also requires adding the listen-address, allow-from and the input firewall rule....
set service router-advert interface eth2 prefix ::/64
set service router-advert interface eth2 other-config-flag
set service router-advert interface eth2 managed-flag
set service router-advert interface eth2 default-preference 'high'
#use VyOS dns forwarding
set system name-server 192.168.1.1
set service dns forwarding cache-size '10000'
set service dns forwarding listen-address '192.168.1.1'
set service dns forwarding allow-from '192.168.1.0/24'
# e.g. google and quad9
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '9.9.9.9'
set service dns forwarding name-server '2620:fe::fe'
set service dns forwarding name-server '2001:4860:4860::8888'
#as many IPv4 or IPv6 lines as needed
#French NTP servers
delete service ntp server
set service ntp server 0.fr.pool.ntp.org
set service ntp server 1.fr.pool.ntp.org
set service ntp server 2.fr.pool.ntp.org
commit
save
At this point you could start plugging the fibre or the ONT into the right ports and check whether you get an IP, BUT since the firewall is not configured yet, this should only be done to test the configuration quickly.
set nat source rule 100 outbound-interface name 'eth1.100'
set nat source rule 100 source address '192.168.1.0/24'
set nat source rule 100 translation address masquerade
set firewall group interface-group WAN interface eth1.100
set firewall group interface-group LAN interface eth2
set firewall group interface-group MANAGEMENT interface eth0
set firewall group network-group NET-INSIDE-v4 network '192.168.1.0/24'
#if not offload set firewall global-options state-policy established action accept
#if not offload set firewall global-options state-policy related action accept
set firewall global-options state-policy invalid action drop
set firewall ipv4 name OUTSIDE-IN default-action 'drop'
set firewall ipv4 forward filter rule 100 action jump
set firewall ipv4 forward filter rule 100 jump-target OUTSIDE-IN
set firewall ipv4 forward filter rule 100 inbound-interface group WAN
set firewall ipv4 forward filter rule 100 destination group network-group NET-INSIDE-v4
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv6 forward filter default-action 'drop'
# Allow new IPv4 connections from LAN to WAN
set firewall ipv4 forward filter rule 110 action 'accept'
set firewall ipv4 forward filter rule 110 inbound-interface group 'LAN'
set firewall ipv4 forward filter rule 110 outbound-interface group 'WAN'
set firewall ipv4 forward filter rule 110 state 'new'
# Allow new IPv6 connections from LAN to WAN
set firewall ipv6 forward filter rule 110 action 'accept'
set firewall ipv6 forward filter rule 110 inbound-interface group 'LAN'
set firewall ipv6 forward filter rule 110 outbound-interface group 'WAN'
set firewall ipv6 forward filter rule 110 state 'new'
set firewall ipv4 input filter default-action 'drop'
set firewall ipv6 input filter default-action 'drop'
#allow ssh management: unrestricted from LAN and MANAGEMENT, rate-limited (4 new connections per minute) from WAN
set firewall ipv4 name VyOS_MANAGEMENT default-action 'return'
set firewall ipv4 input filter rule 20 action jump
set firewall ipv4 input filter rule 20 jump-target VyOS_MANAGEMENT
set firewall ipv4 input filter rule 20 destination port 22
set firewall ipv4 input filter rule 20 protocol tcp
set firewall ipv4 name VyOS_MANAGEMENT rule 15 action 'accept'
set firewall ipv4 name VyOS_MANAGEMENT rule 15 inbound-interface group 'LAN'
set firewall ipv4 name VyOS_MANAGEMENT rule 16 action 'accept'
set firewall ipv4 name VyOS_MANAGEMENT rule 16 inbound-interface group 'MANAGEMENT'
set firewall ipv4 name VyOS_MANAGEMENT rule 20 action 'drop'
set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent count 4
set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent time minute
set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new
set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface group 'WAN'
set firewall ipv4 name VyOS_MANAGEMENT rule 21 action 'accept'
set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new
set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface group 'WAN'
#allow ping ICMP on ipv4
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 icmp type-name 'echo-request'
set firewall ipv4 input filter rule 30 protocol 'icmp'
set firewall ipv4 input filter rule 30 state new
#allow DNS clients from LAN (IPv4)
set firewall ipv4 input filter rule 40 action 'accept'
set firewall ipv4 input filter rule 40 destination port '53'
set firewall ipv4 input filter rule 40 protocol 'tcp_udp'
set firewall ipv4 input filter rule 40 source group network-group NET-INSIDE-v4
#allow DNS clients from LAN (IPv6)
set firewall ipv6 input filter rule 40 action 'accept'
set firewall ipv6 input filter rule 40 destination port '53'
set firewall ipv6 input filter rule 40 protocol 'tcp_udp'
set firewall ipv6 input filter rule 40 inbound-interface group 'LAN'
#allow localhost traffic
set firewall ipv4 input filter rule 50 action 'accept'
set firewall ipv4 input filter rule 50 source address 127.0.0.0/8
#flowtable software offload (my Intel card cannot fully support hw offload)
set firewall flowtable FT01 interface 'eth2'
set firewall flowtable FT01 interface 'eth1.100'
#set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'offload'
set firewall ipv4 forward filter rule 10 offload-target 'FT01'
set firewall ipv4 forward filter rule 10 state 'established'
set firewall ipv4 forward filter rule 10 state 'related'
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 state 'established'
set firewall ipv4 forward filter rule 20 state 'related'
#set firewall ipv6 forward filter default-action 'drop'
set firewall ipv6 forward filter rule 10 action 'offload'
set firewall ipv6 forward filter rule 10 offload-target 'FT01'
set firewall ipv6 forward filter rule 10 state 'established'
set firewall ipv6 forward filter rule 10 state 'related'
set firewall ipv6 forward filter rule 20 action 'accept'
set firewall ipv6 forward filter rule 20 state 'established'
set firewall ipv6 forward filter rule 20 state 'related'
# Allow forwarded DNAT traffic based on nat match (also needed for hairpin)
set firewall ipv4 forward filter rule 25 action accept
set firewall ipv4 forward filter rule 25 connection-status nat destination
set firewall ipv4 forward filter rule 25 state new
# Regular accept rule for established/related for router access
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 state 'established'
set firewall ipv4 input filter rule 10 state 'related'
set firewall ipv6 input filter rule 10 action 'accept'
set firewall ipv6 input filter rule 10 state 'established'
set firewall ipv6 input filter rule 10 state 'related'
#allow output for the router
set firewall ipv4 output filter default-action 'accept'
set firewall ipv6 output filter default-action 'accept'
# Allow DHCPv6 client traffic (for the router to receive IPv6 addresses)
set firewall ipv6 input filter rule 60 action 'accept'
set firewall ipv6 input filter rule 60 destination port '546'
set firewall ipv6 input filter rule 60 protocol 'udp'
set firewall ipv6 input filter rule 60 inbound-interface group 'WAN'
# If your router is also a DHCPv6 server, add this rule
set firewall ipv6 input filter rule 70 action 'accept'
set firewall ipv6 input filter rule 70 destination port '547'
set firewall ipv6 input filter rule 70 protocol 'udp'
set firewall ipv6 input filter rule 70 inbound-interface group 'LAN'
# Allow essential ICMPv6 traffic
set firewall ipv6 input filter rule 80 action 'accept'
set firewall ipv6 input filter rule 80 protocol 'icmpv6'
commit
save
#QoS on upload, which causes problems for me if > 980... to be adjusted according to your plan and ONT...
set qos policy cake QOSOUT bandwidth 980mbit
set qos interface eth1.100 egress QOSOUT
#example static DHCPv4 mapping
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping device1 ip-address '192.168.1.50'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping device1 mac-address 'aa:bb:cc:dd:ee:ff'
#option to add name resolution for the host
set system static-host-mapping host-name device1 inet 192.168.1.50
#example port forward + hairpin/reflection NAT
# Forward HTTP (port 80) to 192.168.1.253:80
set nat destination rule 10 description 'Forward HTTP to internal web server'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface group 'WAN'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.1.253'
set nat destination rule 10 translation port '80'
# Forward HTTP (port 80) to 192.168.1.253:80 INSIDE
set nat destination rule 11 description 'Forward HTTP to internal web server'
set nat destination rule 11 destination port '80'
set nat destination rule 11 destination address #XXXXTODOXXX find a way to script the IP
set nat destination rule 11 inbound-interface group 'LAN'
set nat destination rule 11 protocol 'tcp'
set nat destination rule 11 translation address '192.168.1.253'
set nat destination rule 11 translation port '80'
# Forward HTTPS (port 443) to 192.168.1.253:443
set nat destination rule 20 description 'Forward HTTPS to internal web server'
set nat destination rule 20 destination port '443'
set nat destination rule 20 inbound-interface group 'WAN'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.168.1.253'
set nat destination rule 20 translation port '443'
# Forward HTTPS (port 443) to 192.168.1.253:443 INSIDE
set nat destination rule 21 description 'Forward HTTPS to internal web server'
set nat destination rule 21 destination port '443'
set nat destination rule 21 destination address #XXXXTODOXXX find a way to script the IP
set nat destination rule 21 inbound-interface group 'LAN'
set nat destination rule 21 protocol 'tcp'
set nat destination rule 21 translation address '192.168.1.253'
set nat destination rule 21 translation port '443'
# Hairpin NAT using interface group
set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address '192.168.1.0/24'
set nat source rule 110 outbound-interface group 'LAN'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.168.1.0/24'
set nat source rule 110 translation address 'masquerade'
commit
save
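The TODO placeholders in DNAT rules 11 and 21 need the current public IPv4 address, which only the DHCP client knows. As an added example (not from the original post), here is a dhclient post-hook that rewrites those two rules whenever the WAN lease changes. It assumes VyOS runs scripts placed in /config/scripts/dhcp-client/post-hooks.d/ with the standard dhclient variables ($reason, $interface, $new_ip_address, $old_ip_address) exported, and that /opt/vyatta/etc/functions/script-template gives scripts the configure/set/commit/save commands; both paths should be checked against the VyOS docs for your release.

```shell
# Added example, not from the original post: dhclient post-hook that keeps the
# hairpin DNAT rules pointed at the current public IPv4 address.
# Save as /config/scripts/dhcp-client/post-hooks.d/hairpin-dnat (VyOS scripts use #!/bin/vbash).
# Assumed locations (verify against the VyOS docs for your release):
#   /config/scripts/dhcp-client/post-hooks.d/   dhclient runs scripts here
#   /opt/vyatta/etc/functions/script-template   exposes configure/set/commit/save
WAN_IF="eth1.100"
HAIRPIN_RULES="11 21"      # the two INSIDE DNAT rules from the configuration above

# Decide whether this dhclient event changes the public address we care about.
# Pure function (prints yes/no) so the decision can be tested outside VyOS.
should_update() {
    ev_reason="$1" ev_iface="$2" ev_new="$3" ev_old="$4"
    [ "$ev_iface" = "$WAN_IF" ] || { echo no; return; }
    case "$ev_reason" in
        BOUND|RENEW|REBIND|REBOOT) ;;        # lease obtained or refreshed
        *) echo no; return ;;                # EXPIRE, FAIL, RELEASE...: nothing to point at
    esac
    [ -n "$ev_new" ] || { echo no; return; }
    if [ "$ev_new" != "$ev_old" ]; then echo yes; else echo no; fi
}

# Render the VyOS set commands for a given address (for logging / dry runs).
hairpin_commands() {
    for r in $HAIRPIN_RULES; do
        echo "set nat destination rule $r destination address $1"
    done
}

# Apply on the router: enter configure mode, set both rules, commit, save, leave.
apply_hairpin() {
    . /opt/vyatta/etc/functions/script-template
    configure
    for r in $HAIRPIN_RULES; do
        set nat destination rule "$r" destination address "$1"
    done
    commit
    save
    exit
}

# Entry point when invoked by dhclient (the variables are empty otherwise, so nothing runs).
if [ "$(should_update "${reason:-}" "${interface:-}" "${new_ip_address:-}" "${old_ip_address:-}")" = yes ]; then
    logger -t dhcp-hairpin "WAN address ${old_ip_address:-none} -> $new_ip_address, updating DNAT rules $HAIRPIN_RULES"
    apply_hairpin "$new_ip_address"
fi
```

A RENEW that returns the same address produces no commit, so the router does not rewrite its configuration on every lease refresh.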
Then check how to secure SSH, in the 'hardening' section of the "quick start" page:
https://docs.vyos.io/en/latest/quick-start.html
Regarding the CPU performance settings, see:
https://docs.vyos.io/en/latest/configuration/system/option.html#performance
Regarding Ethernet offloading, see:
https://docs.vyos.io/en/latest/configuration/interfaces/ethernet.html#offloading
B.