Project 1 - Network Redundancy
Last updated
Last updated
Set Hostname:
Change champuser Passwd and add paul user:
Make paul user sudoer:
Setup Networking WAN:
Setup Networking LAN:
Add Paul user:
adduser paul
passwd paul
usermod -aG wheel paul
Allow ssh and http
Set Hostnames:
set system host-name <HOSTNAME>
Change vyos user password:
set system login user vyos authentication plaintext-password
Make a new paul user:
set system login user <name> full-name “<string>”
set system login user <name> authentication plaintext-password <password>
Set Interfaces:
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth1 description LAN
set interfaces ethernet eth2 description OPT
Vyos 1 Interfaces Addresses:
set interfaces ethernet eth0 address 10.0.17.16/24
set interfaces ethernet eth1 address 10.0.5.2/24
set interfaces ethernet eth2 address 10.0.6.2/24
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
Vyos 2 Interfaces Addresses:
set interfaces ethernet eth0 address 10.0.17.76/24
set interfaces ethernet eth1 address 10.0.5.3/24
set interfaces ethernet eth2 address 10.0.6.3/24
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
LAN to WAN:
set service dns forwarding allow-from 10.0.5.0/24
set service dns forwarding listen-address 10.0.5.1
set service dns forwarding system
LAN to WAN:
set nat source rule 10 description 'NAT FROM LAN to WAN'
set nat source rule 10 outband-interface eth0
set nat source rule 10 source address 10.0.5.0/24
set nat source rule 10 translation address masquerade
WAN Config:
set high-availability vrrp group wangroup6 vrid 156
set high-availability vrrp group wangroup6 interface eth0
set high-availability vrrp group wangroup6 address 10.0.17.106/24
# For vyos01
set high-availability vrrp group wangroup6 priority 200
# For vyos02
set high-availability vrrp group wangroup6 priority 100
LAN Config:
set high-availability vrrp group langroup0 vrid 10
set high-availability vrrp group langroup0 interface eth1
set high-availability vrrp group langroup0 address 10.0.5.1/24
# For vyos01
set high-availability vrrp group langroup0 priority 200
# For vyos02
set high-availability vrrp group langroup0 priority 100
OPT Config:
set high-availability vrrp group optgroup0 vrid 20
set high-availability vrrp group optgroup0 interface eth2
set high-availability vrrp group optgroup0 address 10.0.6.1/24
# For vyos01
set high-availability vrrp group optgroup0 priority 200
# For vyos02
set high-availability vrrp group optgroup0 priority 100
Below is done on both vyos boxes!
Web Server on port 80 (web01)
set nat destination rule 20 destination address 10.0.17.106
set nat destination rule 20 destination port 80
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 10.0.5.100
set nat destination rule 20 translation port 80
set nat destination rule 20 description HTTP->WEB01
SSH on port 22 (web01)
set nat destination rule 30 destination address 10.0.17.106
set nat destination rule 30 destination port 22
set nat destination rule 30 inbound-interface eth0
set nat destination rule 30 protocol tcp
set nat destination rule 30 translation address 10.0.5.100
set nat destination rule 30 translation port 22
set nat destination rule 30 description SSH->WEB01
Follow this guide and stop at the end of step 2 https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-centos-7
The ssh prompt will now look like:
set high-availability vrrp group langroup0 address 10.0.5.1/24
set high-availability vrrp group langroup0 interface 'eth1'
set high-availability vrrp group langroup0 priority '200'
set high-availability vrrp group langroup0 vrid '10'
set high-availability vrrp group optgroup0 address 10.0.6.1/24
set high-availability vrrp group optgroup0 interface 'eth2'
set high-availability vrrp group optgroup0 priority '200'
set high-availability vrrp group optgroup0 vrid '20'
set high-availability vrrp group wangroup6 address 10.0.17.106/24
set high-availability vrrp group wangroup6 interface 'eth0'
set high-availability vrrp group wangroup6 priority '200'
set high-availability vrrp group wangroup6 vrid '156'
set interfaces ethernet eth0 address '10.0.17.16/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '10.0.5.2/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth2 address '10.0.6.2/24'
set interfaces ethernet eth2 description 'OPT'
set nat destination rule 20 description 'HTTP->WEB01'
set nat destination rule 20 destination address '10.0.17.106'
set nat destination rule 20 destination port '80'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '10.0.5.100'
set nat destination rule 20 translation port '80'
set nat destination rule 30 description 'SSH->WEB01'
set nat destination rule 30 destination address '10.0.17.106'
set nat destination rule 30 destination port '22'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '10.0.5.100'
set nat destination rule 30 translation port '22'
set nat source rule 10 description 'NAT FROM LAN to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.5.0/24'
set nat source rule 10 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '10.0.5.0/24'
set service dns forwarding listen-address '10.0.5.1'
set service dns forwarding system
set service ssh listen-address '0.0.0.0'
set system host-name 'vyos1-paul'
set system name-server '10.0.17.2'
set high-availability vrrp group langroup0 address 10.0.5.1/24
set high-availability vrrp group langroup0 interface 'eth1'
set high-availability vrrp group langroup0 priority '100'
set high-availability vrrp group langroup0 vrid '10'
set high-availability vrrp group optgroup0 address 10.0.6.1/24
set high-availability vrrp group optgroup0 interface 'eth2'
set high-availability vrrp group optgroup0 priority '100'
set high-availability vrrp group optgroup0 vrid '20'
set high-availability vrrp group wangroup6 address 10.0.17.106/24
set high-availability vrrp group wangroup6 interface 'eth0'
set high-availability vrrp group wangroup6 priority '100'
set high-availability vrrp group wangroup6 vrid '156'
set interfaces ethernet eth0 address '10.0.17.76/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '10.0.5.3/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth2 address '10.0.6.3/24'
set interfaces ethernet eth2 description 'OPT'
set nat destination rule 20 description 'HTTP->WEB01'
set nat destination rule 20 destination address '10.0.17.106'
set nat destination rule 20 destination port '80'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '10.0.5.100'
set nat destination rule 20 translation port '80'
set nat destination rule 30 description 'SSH->WEB01'
set nat destination rule 30 destination address '10.0.17.106'
set nat destination rule 30 destination port '22'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '10.0.5.100'
set nat destination rule 30 translation port '22'
set nat source rule 10 description 'NAT FROM LAN to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.5.0/24'
set nat source rule 10 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '10.0.5.0/24'
set service dns forwarding listen-address '10.0.5.1'
set service dns forwarding system
set service ssh listen-address '0.0.0.0'
set system host-name 'vyos2-paul'
set system name-server '10.0.17.2'