wiki/wiki
1
0
Fork 0
mirror of https://git.dn42.dev/wiki/wiki synced 2025-03-14 19:43:32 +00:00
Code Issues Releases Wiki Activity

Updated vyos.md (markdown)

Browse Source
This commit is contained in:
DN42 Wiki (BURBLE-MNT) 2020-06-01 05:54:30 +00:00
parent ff52614030
commit 437c190ba4
1 changed files with 150 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

152
howto/vyos.md
View File

@ -92,8 +92,156 @@ set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-
set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
``` ```
####Coming Soon ###Example Firewall
- Recommended firewall configuration. In this example our VyOS router has one upstream uplink on **eth0**, and two tunnels/peers on **wg1** and **wg2**.
####Interfaces
````
ethernet eth0 {
address 192.168.1.2/30
description "Upstream/ISP"
firewall {
out {
name To_Internal_Network
}
}
hw-id 00:00:00:00:00:00
}
wireguard wg1 {
address 172.x.x.x/32
description "Tunnel 1"
firewall {
in {
name Tunnels_Inbound
}
local {
name Peer_Local_Connections
}
}
peer us-east01 {
address x.x.x.x
allowed-ips 0.0.0.0/0
port 1100
pubkey ***
}
port 1101
}
wireguard wg99 {
address 172.x.x.x/32
description "Tunnel 2"
firewall {
in {
name Tunnels_Inbound
}
local {
name Peer_Local_Connections
}
}
peer us-east02 {
address x.x.x.x
allowed-ips 0.0.0.0/0
port 1102
pubkey ***
}
port 1103
}
````
####Firewall Rules
````
group {
network-group Allowed-Transit {
network 10.0.0.0/8
network 172.20.0.0/14
}
}
name Peer_Local_Connections {
default-action drop
rule 1 {
action accept
description "Enable Stateful"
state {
established enable
related enable
}
}
rule 10 {
action accept
description "Allow BGP"
destination {
port 179
}
protocol tcp
source {
address x.x.x.x **Peer 1 IP
}
}
rule 11 {
action accept
description "Allow BGP"
destination {
port 179
}
protocol tcp
source {
address x.x.x.x **Peer 2 IP
}
}
rule 98 {
action drop
description "Black Hole"
log enable
source {
address 0.0.0.0/0
}
}
rule 99 {
action drop
description "Black Hole"
log enable
state {
invalid enable
}
}
}
name Tunnels_Inbound {
default-action drop
rule 1 {
action accept
description "Enable Stateful"
state {
established enable
related enable
}
}
rule 50 {
action accept
description "Allow Peer Transit (DN42 Only)"
destination {
group {
network-group Allowed-Transit
}
}
log enable
source {
group {
network-group Allowed-Transit
}
}
}
rule 99 {
action drop
description "Black Hole"
log enable
source {
address 0.0.0.0/0
}
}
}
````
This page is a work in progress from Owens Research. Feel free to contact for suggestions or questions. This page is a work in progress from Owens Research. Feel free to contact for suggestions or questions.