Project 1 - Network Redundancy

Base Configurations:

Xubuntu-WAN and LAN

Set Hostname:

Change the champuser password and add the paul user:

Make the paul user a sudoer:

Setup Networking WAN:

Setup Networking LAN:

Web01 Setup:

Add the paul user:

# Run as root on web01: create the paul account, set its password interactively,
# then add it to the wheel group. On RHEL/CentOS-family systems wheel is the group
# conventionally granted sudo via /etc/sudoers — confirm the %wheel line is enabled.
adduser paul
passwd paul
usermod -aG wheel paul

Allow ssh and http

VyOS 1 and 2 (enter configuration mode with `configure`; the `set` commands below take effect on `commit` and survive a reboot only after `save`)

Set Hostnames:

# Replace <HOSTNAME> per box; the resulting configs below use vyos1-paul and vyos2-paul.
set system host-name <HOSTNAME>

Change vyos user password:

# Append the new password as the final argument. VyOS hashes it on commit and
# stores an encrypted-password entry, so the plaintext is not kept in the saved
# configuration (it may still appear in the config-mode command history).
set system login user vyos authentication plaintext-password

Make a new paul user:

# Creates an additional login; the plaintext password is hashed on commit as above.
# VyOS also accepts SSH public keys under `authentication public-keys`, which avoids
# a password-based login on a router whose SSH listens on the WAN (see the final configs).
set system login user <name> full-name <string>
set system login user <name> authentication plaintext-password <password>

Set Interfaces:

# Interface roles used throughout this page: eth0 faces the 10.0.17.0/24 WAN,
# eth1 the 10.0.5.0/24 LAN, eth2 the 10.0.6.0/24 OPT network.
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth1 description LAN
set interfaces ethernet eth2 description OPT

Vyos 1 Interfaces Addresses:

# Real (per-router) addresses for vyos1. These are distinct from the shared VRRP
# addresses configured later (10.0.17.106, 10.0.5.1, 10.0.6.1).
set interfaces ethernet eth0 address 10.0.17.16/24
set interfaces ethernet eth1 address 10.0.5.2/24
set interfaces ethernet eth2 address 10.0.6.2/24
# Default route and upstream resolver both point at the WAN gateway 10.0.17.2.
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2

Vyos 2 Interfaces Addresses:

# Real (per-router) addresses for vyos2; same subnets as vyos1, different host parts.
set interfaces ethernet eth0 address 10.0.17.76/24
set interfaces ethernet eth1 address 10.0.5.3/24
set interfaces ethernet eth2 address 10.0.6.3/24
# Default route and upstream resolver both point at the WAN gateway 10.0.17.2.
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2

Setup DNS

LAN to WAN:

# allow-from restricts recursion to LAN clients, so the router is not an open
# resolver toward the WAN.
set service dns forwarding allow-from 10.0.5.0/24
# 10.0.5.1 is the LAN VRRP address (langroup0), so only the current VRRP master
# answers DNS for the LAN.
set service dns forwarding listen-address 10.0.5.1
# Forward to the resolvers set with `set system name-server` (10.0.17.2 above).
set service dns forwarding system

Setup NAT

LAN to WAN:

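# Masquerade LAN traffic leaving the WAN interface. The option is
# `outbound-interface` (the resulting configs below confirm the spelling);
# `outband-interface` is not a valid node and would be rejected.
set nat source rule 10 description 'NAT FROM LAN to WAN'
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.0.5.0/24
set nat source rule 10 translation address masquerade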

Setup VRRP

WAN Config:

# Shared WAN address 10.0.17.106 moves to whichever router currently wins the
# VRRP election; vrid and address must match on both routers, only priority differs.
set high-availability vrrp group wangroup6 vrid 156
set high-availability vrrp group wangroup6 interface eth0
set high-availability vrrp group wangroup6 address 10.0.17.106/24
# No VRRP authentication is configured anywhere on this page, so any host on the
# same L2 segment can take part in the election; if the segment is shared, consider
# the group's authentication option where your VyOS version provides it.
# For vyos01
set high-availability vrrp group wangroup6 priority 200
# For vyos02
set high-availability vrrp group wangroup6 priority 100

LAN Config:

# Shared LAN gateway 10.0.5.1 (also the DNS forwarding listen-address above).
set high-availability vrrp group langroup0 vrid 10
set high-availability vrrp group langroup0 interface eth1
set high-availability vrrp group langroup0 address 10.0.5.1/24
# Higher priority wins; vyos01 is the preferred master for every group on this page.
# For vyos01
set high-availability vrrp group langroup0 priority 200
# For vyos02
set high-availability vrrp group langroup0 priority 100

OPT Config:

# Shared OPT gateway 10.0.6.1; same master/backup split as the other two groups.
set high-availability vrrp group optgroup0 vrid 20
set high-availability vrrp group optgroup0 interface eth2
set high-availability vrrp group optgroup0 address 10.0.6.1/24
# For vyos01
set high-availability vrrp group optgroup0 priority 200
# For vyos02
set high-availability vrrp group optgroup0 priority 100

Setup Port Forwarding

Below is done on both vyos boxes!

Web Server on port 80 (web01)

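# Forward TCP/80 arriving on the WAN VRRP address to the web server at 10.0.5.100.
# Matching on the shared 10.0.17.106 (not the per-router address) keeps the
# forward working after a VRRP failover, which is why it is set on both routers.
set nat destination rule 20 destination address 10.0.17.106
set nat destination rule 20 destination port 80
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 10.0.5.100
set nat destination rule 20 translation port 80
# Quote the description: config mode runs in a bash-based shell, where an
# unquoted `>` is a redirection and `HTTP-` would be stored instead.
set nat destination rule 20 description 'HTTP->WEB01'
# NOTE(review): no `set firewall` rules appear anywhere on this page, so this
# forward is reachable from any WAN source.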

SSH on port 22 (web01)

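# Forward TCP/22 arriving on the WAN VRRP address to the web server at 10.0.5.100.
# This exposes web01's SSH to the WAN; the 2FA section below is what protects it,
# since no `set firewall` rules appear anywhere on this page.
set nat destination rule 30 destination address 10.0.17.106
set nat destination rule 30 destination port 22
set nat destination rule 30 inbound-interface eth0
set nat destination rule 30 protocol tcp
set nat destination rule 30 translation address 10.0.5.100
set nat destination rule 30 translation port 22
# Quote the description: config mode runs in a bash-based shell, where an
# unquoted `>` is a redirection and `SSH-` would be stored instead.
set nat destination rule 30 description 'SSH->WEB01'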

Adding 2FA to SSH

Follow this guide and stop at the end of step 2: https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-centos-7

The SSH login prompt will now look like this:

VyOS01 resulting configuration

# Resulting configuration on vyos01 (priority 200 on every group = preferred master).
set high-availability vrrp group langroup0 address 10.0.5.1/24
set high-availability vrrp group langroup0 interface 'eth1'
set high-availability vrrp group langroup0 priority '200'
set high-availability vrrp group langroup0 vrid '10'
set high-availability vrrp group optgroup0 address 10.0.6.1/24
set high-availability vrrp group optgroup0 interface 'eth2'
set high-availability vrrp group optgroup0 priority '200'
set high-availability vrrp group optgroup0 vrid '20'
set high-availability vrrp group wangroup6 address 10.0.17.106/24
set high-availability vrrp group wangroup6 interface 'eth0'
set high-availability vrrp group wangroup6 priority '200'
set high-availability vrrp group wangroup6 vrid '156'
set interfaces ethernet eth0 address '10.0.17.16/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '10.0.5.2/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth2 address '10.0.6.2/24'
set interfaces ethernet eth2 description 'OPT'
# No `set firewall` entries exist in this configuration, so the forwards below
# and the router's own services are reachable from any WAN source.
set nat destination rule 20 description 'HTTP->WEB01'
set nat destination rule 20 destination address '10.0.17.106'
set nat destination rule 20 destination port '80'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '10.0.5.100'
set nat destination rule 20 translation port '80'
set nat destination rule 30 description 'SSH->WEB01'
set nat destination rule 30 destination address '10.0.17.106'
set nat destination rule 30 destination port '22'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '10.0.5.100'
set nat destination rule 30 translation port '22'
set nat source rule 10 description 'NAT FROM LAN to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.5.0/24'
set nat source rule 10 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '10.0.5.0/24'
set service dns forwarding listen-address '10.0.5.1'
set service dns forwarding system
# The router's SSH listens on every address, including WAN eth0 (10.0.17.16).
# If management from the WAN is not needed, restrict listen-address to the LAN
# address instead.
set service ssh listen-address '0.0.0.0'
set system host-name 'vyos1-paul'
set system name-server '10.0.17.2'

VyOS02 resulting configuration

# Resulting configuration on vyos02 (priority 100 on every group = backup).
# Identical to vyos01 except for the priorities, the real interface addresses
# and the host-name; the shared VRRP addresses and NAT rules match exactly.
set high-availability vrrp group langroup0 address 10.0.5.1/24
set high-availability vrrp group langroup0 interface 'eth1'
set high-availability vrrp group langroup0 priority '100'
set high-availability vrrp group langroup0 vrid '10'
set high-availability vrrp group optgroup0 address 10.0.6.1/24
set high-availability vrrp group optgroup0 interface 'eth2'
set high-availability vrrp group optgroup0 priority '100'
set high-availability vrrp group optgroup0 vrid '20'
set high-availability vrrp group wangroup6 address 10.0.17.106/24
set high-availability vrrp group wangroup6 interface 'eth0'
set high-availability vrrp group wangroup6 priority '100'
set high-availability vrrp group wangroup6 vrid '156'
set interfaces ethernet eth0 address '10.0.17.76/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '10.0.5.3/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth2 address '10.0.6.3/24'
set interfaces ethernet eth2 description 'OPT'
# No `set firewall` entries exist in this configuration, so the forwards below
# and the router's own services are reachable from any WAN source.
set nat destination rule 20 description 'HTTP->WEB01'
set nat destination rule 20 destination address '10.0.17.106'
set nat destination rule 20 destination port '80'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '10.0.5.100'
set nat destination rule 20 translation port '80'
set nat destination rule 30 description 'SSH->WEB01'
set nat destination rule 30 destination address '10.0.17.106'
set nat destination rule 30 destination port '22'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address '10.0.5.100'
set nat destination rule 30 translation port '22'
set nat source rule 10 description 'NAT FROM LAN to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.5.0/24'
set nat source rule 10 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '10.0.5.0/24'
set service dns forwarding listen-address '10.0.5.1'
set service dns forwarding system
# The router's SSH listens on every address, including WAN eth0 (10.0.17.76).
# If management from the WAN is not needed, restrict listen-address to the LAN
# address instead.
set service ssh listen-address '0.0.0.0'
set system host-name 'vyos2-paul'
set system name-server '10.0.17.2'
