diff options
author | Robert Göhler <github@ghlr.de> | 2024-06-18 21:36:11 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-06-18 21:36:11 +0200 |
commit | 6c1bf9201acd7684397bbcccc3b756107bb8b98b (patch) | |
tree | a58d1ca4a3bd39c2d0e16f3b336864c6a0374244 /docs/configexamples/fwall-and-vrf.rst | |
parent | 5a5c8fd3056cc0a012da204f511eb50aa403e526 (diff) | |
parent | 47f1ff461a096853ffbbd15b2554c9c289f03607 (diff) | |
download | vyos-documentation-6c1bf9201acd7684397bbcccc3b756107bb8b98b.tar.gz vyos-documentation-6c1bf9201acd7684397bbcccc3b756107bb8b98b.zip |
Merge pull request #1485 from vyos/mergify/bp/sagitta/pr-1482
Configuration Blueprints: add new example for firewall+vrf. (backport #1482)
Diffstat (limited to 'docs/configexamples/fwall-and-vrf.rst')
-rw-r--r-- | docs/configexamples/fwall-and-vrf.rst | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/docs/configexamples/fwall-and-vrf.rst b/docs/configexamples/fwall-and-vrf.rst new file mode 100644 index 00000000..38663a18 --- /dev/null +++ b/docs/configexamples/fwall-and-vrf.rst @@ -0,0 +1,121 @@ +VRF and firewall example +------------------------ + +Scenario and requirements +^^^^^^^^^^^^^^^^^^^^^^^^^ + +This example shows how to configure a VyOS router with VRFs and firewall rules. + +Diagram used in this example: + +.. image:: /_static/images/firewall-and-vrf-blueprints.png + :width: 80% + :align: center + :alt: Network Topology Diagram + +As exposed in the diagram, there are four VRFs. These VRFs are ``MGMT``, +``WAN``, ``LAN`` and ``PROD``, and their requirements are: + +* VRF MGMT: + * Allow connections to LAN and PROD. + * Deny connections to internet(WAN). + * Allow connections to the router. +* VRF LAN: + * Allow connections to PROD. + * Allow connections to internet(WAN). +* VRF PROD: + * Only accepts connections. +* VRF WAN: + * Allow connection to PROD. + +Configuration +^^^^^^^^^^^^^ + +First, we need to configure the interfaces and VRFs: + +.. code-block:: none + + set interfaces ethernet eth1 address '10.100.100.1/24' + set interfaces ethernet eth1 vrf 'MGMT' + set interfaces ethernet eth2 vif 150 address '10.150.150.1/24' + set interfaces ethernet eth2 vif 150 vrf 'LAN' + set interfaces ethernet eth2 vif 160 address '10.160.160.1/24' + set interfaces ethernet eth2 vif 160 vrf 'LAN' + set interfaces ethernet eth2 vif 3500 address '172.16.20.1/24' + set interfaces ethernet eth2 vif 3500 vrf 'PROD' + set interfaces loopback lo + set interfaces pppoe pppoe0 authentication password 'p4ssw0rd' + set interfaces pppoe pppoe0 authentication username 'vyos' + set interfaces pppoe pppoe0 source-interface 'eth0' + set interfaces pppoe pppoe0 vrf 'WAN' + set vrf bind-to-all + set vrf name LAN protocols static route 0.0.0.0/0 interface pppoe0 vrf 'WAN' + set vrf name LAN protocols static route 10.100.100.0/24 interface eth1 vrf 'MGMT' + set vrf name LAN protocols static route 172.16.20.0/24 interface eth2.3500 vrf 'PROD' + set vrf name LAN table '103' + set vrf name MGMT protocols static route 10.150.150.0/24 interface eth2.150 vrf 'LAN' + set vrf name MGMT protocols static route 10.160.160.0/24 interface eth2.160 vrf 'LAN' + set vrf name MGMT protocols static route 172.16.20.0/24 interface eth2.3500 vrf 'PROD' + set vrf name MGMT table '102' + set vrf name PROD protocols static route 0.0.0.0/0 interface pppoe0 vrf 'WAN' + set vrf name PROD protocols static route 10.100.100.0/24 interface eth1 vrf 'MGMT' + set vrf name PROD protocols static route 10.150.150.0/24 interface eth2.150 vrf 'LAN' + set vrf name PROD protocols static route 10.160.160.0/24 interface eth2.160 vrf 'LAN' + set vrf name PROD table '104' + set vrf name WAN protocols static route 10.150.150.0/24 interface eth2.150 vrf 'LAN' + set vrf name WAN protocols static route 10.160.160.0/24 interface eth2.160 vrf 'LAN' + set vrf name WAN protocols static route 172.16.20.0/24 interface eth2.3500 vrf 'PROD' + set vrf name WAN table '101' + +And before firewall rules are shown, we need to pay attention how to configure +and match interfaces and VRFs. In case where an interface is assigned to a +non-default VRF, if we want to use inbound-interface or outbound-interface in +firewall rules, we need to: + +* For **inbound-interface**: use the interface name with the VRF name, like + ``MGMT`` or ``LAN``. +* For **outbound-interface**: use the interface name, like ``eth0``, ``vtun0``, + ``eth2*`` or similar. + +Next, we need to configure the firewall rules. First we will define all rules +for transit traffic between VRFs. + +.. code-block:: none + + set firewall ipv4 forward filter default-action 'drop' + set firewall ipv4 forward filter default-log + set firewall ipv4 forward filter rule 10 action 'accept' + set firewall ipv4 forward filter rule 10 description 'MGMT - Allow to LAN and PROD' + set firewall ipv4 forward filter rule 10 inbound-interface name 'MGMT' + set firewall ipv4 forward filter rule 10 outbound-interface name 'eth2*' + set firewall ipv4 forward filter rule 99 action 'drop' + set firewall ipv4 forward filter rule 99 description 'MGMT - Drop all going to mgmt' + set firewall ipv4 forward filter rule 99 outbound-interface name 'eth1' + set firewall ipv4 forward filter rule 120 action 'accept' + set firewall ipv4 forward filter rule 120 description 'LAN - Allow to PROD' + set firewall ipv4 forward filter rule 120 inbound-interface name 'LAN' + set firewall ipv4 forward filter rule 120 outbound-interface name 'eth2.3500' + set firewall ipv4 forward filter rule 130 action 'accept' + set firewall ipv4 forward filter rule 130 description 'LAN - Allow internet' + set firewall ipv4 forward filter rule 130 inbound-interface name 'LAN' + set firewall ipv4 forward filter rule 130 outbound-interface name 'pppoe0' + +Also, we are adding global state policies, in order to allow established and +related traffic, in order not to drop valid responses: + +.. code-block:: none + + set firewall global-options state-policy established action 'accept' + set firewall global-options state-policy invalid action 'drop' + set firewall global-options state-policy related action 'accept' + +And finally, we need to allow input connections to the router itself only from +vrf MGMT: + +.. code-block:: none + + set firewall ipv4 input filter default-action 'drop' + set firewall ipv4 input filter default-log + set firewall ipv4 input filter rule 10 action 'accept' + set firewall ipv4 input filter rule 10 description 'MGMT - Allow input' + set firewall ipv4 input filter rule 10 inbound-interface name 'MGMT'
\ No newline at end of file |