diff options
Diffstat (limited to 'docs/appendix')
-rw-r--r-- | docs/appendix/examples/azure-vpn-bgp.rst | 130 | ||||
-rw-r--r-- | docs/appendix/examples/azure-vpn-dual-bgp.rst | 155 | ||||
-rw-r--r-- | docs/appendix/examples/bgp-ipv6-unnumbered.rst | 172 | ||||
-rw-r--r-- | docs/appendix/examples/dhcp-relay-through-gre-bridge.rst | 77 | ||||
-rw-r--r-- | docs/appendix/examples/ha.rst | 580 | ||||
-rw-r--r-- | docs/appendix/examples/index.rst | 19 | ||||
-rw-r--r-- | docs/appendix/examples/ospf-unnumbered.rst | 118 | ||||
-rw-r--r-- | docs/appendix/examples/tunnelbroker-ipv6.rst | 169 | ||||
-rw-r--r-- | docs/appendix/examples/wan-load-balancing.rst | 170 | ||||
-rw-r--r-- | docs/appendix/examples/zone-policy.rst | 415 |
10 files changed, 0 insertions, 2005 deletions
diff --git a/docs/appendix/examples/azure-vpn-bgp.rst b/docs/appendix/examples/azure-vpn-bgp.rst deleted file mode 100644 index 176e0ae0..00000000 --- a/docs/appendix/examples/azure-vpn-bgp.rst +++ /dev/null @@ -1,130 +0,0 @@ -.. _examples-azure-vpn-bgp: - -Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec) ------------------------------------------------------------- - -This guide shows an example of a route-based IKEv2 site-to-site VPN to -Azure using VTI and BGP for dynamic routing updates. - -For redundant / active-active configurations see `Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec) <https://docs.vyos.io/en/crux/appendix/examples/azure-vpn-dual-bgp.html>`_ - -Prerequisites -^^^^^^^^^^^^^ - -- A pair of Azure VNet Gateways deployed in active-passive - configuration with BGP enabled. - -- A local network gateway deployed in Azure representing - the Vyos device, matching the below Vyos settings except for - address space, which only requires the Vyos private IP, in - this example 10.10.0.5/32 - -- A connection resource deployed in Azure linking the - Azure VNet gateway and the local network gateway representing - the Vyos device. - -Example -^^^^^^^ - -+---------------------------------------+---------------------+ -| WAN Interface | eth0 | -+---------------------------------------+---------------------+ -| On-premises address space | 10.10.0.0/16 | -+---------------------------------------+---------------------+ -| Azure address space | 10.0.0.0/16 | -+---------------------------------------+---------------------+ -| Vyos public IP | 198.51.100.3 | -+---------------------------------------+---------------------+ -| Vyos private IP | 10.10.0.5 | -+---------------------------------------+---------------------+ -| Azure VNet Gateway public IP | 203.0.113.2 | -+---------------------------------------+---------------------+ -| Azure VNet Gateway BGP IP | 10.0.0.4 | -+---------------------------------------+---------------------+ -| Pre-shared key | ch00s3-4-s3cur3-psk | -+---------------------------------------+---------------------+ -| Vyos ASN | 64499 | -+---------------------------------------+---------------------+ -| Azure ASN | 65540 | -+---------------------------------------+---------------------+ - -Vyos configuration -^^^^^^^^^^^^^^^^^^ - -- Configure the IKE and ESP settings to match a subset - of those supported by Azure: - -.. code-block:: none - - set vpn ipsec esp-group AZURE compression 'disable' - set vpn ipsec esp-group AZURE lifetime '3600' - set vpn ipsec esp-group AZURE mode 'tunnel' - set vpn ipsec esp-group AZURE pfs 'dh-group2' - set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256' - set vpn ipsec esp-group AZURE proposal 1 hash 'sha1' - - set vpn ipsec ike-group AZURE dead-peer-detection action 'restart' - set vpn ipsec ike-group AZURE dead-peer-detection interval '15' - set vpn ipsec ike-group AZURE dead-peer-detection timeout '30' - set vpn ipsec ike-group AZURE ikev2-reauth 'yes' - set vpn ipsec ike-group AZURE key-exchange 'ikev2' - set vpn ipsec ike-group AZURE lifetime '28800' - set vpn ipsec ike-group AZURE proposal 1 dh-group '2' - set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256' - set vpn ipsec ike-group AZURE proposal 1 hash 'sha1' - -- Enable IPsec on eth0 - -.. code-block:: none - - set vpn ipsec ipsec-interfaces interface 'eth0' - -- Configure a VTI with a dummy IP address - -.. code-block:: none - - set interfaces vti vti1 address '10.10.1.5/32' - set interfaces vti vti1 description 'Azure Tunnel' - -- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes. - -.. code-block:: none - - set firewall options interface vti1 adjust-mss 1350 - -- Configure the VPN tunnel - -.. code-block:: none - - set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3' - set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' - set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2' - set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond' - set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL' - set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE' - set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5' - set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1' - set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE' - -- **Important**: Add an interface route to reach Azure's BGP listener - -.. code-block:: none - - set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1 - -- Configure your BGP settings - -.. code-block:: none - - set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540' - set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound' - set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30' - set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10' - -- **Important**: Disable connected check \ - -.. code-block:: none - - set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check diff --git a/docs/appendix/examples/azure-vpn-dual-bgp.rst b/docs/appendix/examples/azure-vpn-dual-bgp.rst deleted file mode 100644 index 13d4b5a2..00000000 --- a/docs/appendix/examples/azure-vpn-dual-bgp.rst +++ /dev/null @@ -1,155 +0,0 @@ -.. _examples-azure-vpn-dual-bgp: - -Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec) ----------------------------------------------------------------------- - -This guide shows an example of a redundant (active-active) route-based IKEv2 -site-to-site VPN to Azure using VTI -and BGP for dynamic routing updates. - -Prerequisites -^^^^^^^^^^^^^ - -- A pair of Azure VNet Gateways deployed in active-active - configuration with BGP enabled. - -- A local network gateway deployed in Azure representing - the Vyos device, matching the below Vyos settings except for - address space, which only requires the Vyos private IP, in - this example 10.10.0.5/32 - -- A connection resource deployed in Azure linking the - Azure VNet gateway and the local network gateway representing - the Vyos device. - -Example -^^^^^^^ - -+---------------------------------------+---------------------+ -| WAN Interface | eth0 | -+---------------------------------------+---------------------+ -| On-premises address space | 10.10.0.0/16 | -+---------------------------------------+---------------------+ -| Azure address space | 10.0.0.0/16 | -+---------------------------------------+---------------------+ -| Vyos public IP | 198.51.100.3 | -+---------------------------------------+---------------------+ -| Vyos private IP | 10.10.0.5 | -+---------------------------------------+---------------------+ -| Azure VNet Gateway 1 public IP | 203.0.113.2 | -+---------------------------------------+---------------------+ -| Azure VNet Gateway 2 public IP | 203.0.113.3 | -+---------------------------------------+---------------------+ -| Azure VNet Gateway BGP IP | 10.0.0.4,10.0.0.5 | -+---------------------------------------+---------------------+ -| Pre-shared key | ch00s3-4-s3cur3-psk | -+---------------------------------------+---------------------+ -| Vyos ASN | 64499 | -+---------------------------------------+---------------------+ -| Azure ASN | 65540 | -+---------------------------------------+---------------------+ - -Vyos configuration -^^^^^^^^^^^^^^^^^^ - -- Configure the IKE and ESP settings to match a subset - of those supported by Azure: - -.. code-block:: none - - set vpn ipsec esp-group AZURE compression 'disable' - set vpn ipsec esp-group AZURE lifetime '3600' - set vpn ipsec esp-group AZURE mode 'tunnel' - set vpn ipsec esp-group AZURE pfs 'dh-group2' - set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256' - set vpn ipsec esp-group AZURE proposal 1 hash 'sha1' - - set vpn ipsec ike-group AZURE dead-peer-detection action 'restart' - set vpn ipsec ike-group AZURE dead-peer-detection interval '15' - set vpn ipsec ike-group AZURE dead-peer-detection timeout '30' - set vpn ipsec ike-group AZURE ikev2-reauth 'yes' - set vpn ipsec ike-group AZURE key-exchange 'ikev2' - set vpn ipsec ike-group AZURE lifetime '28800' - set vpn ipsec ike-group AZURE proposal 1 dh-group '2' - set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256' - set vpn ipsec ike-group AZURE proposal 1 hash 'sha1' - -- Enable IPsec on eth0 - -.. code-block:: none - - set vpn ipsec ipsec-interfaces interface 'eth0' - -- Configure two VTIs with a dummy IP address each - -.. code-block:: none - - set interfaces vti vti1 address '10.10.1.5/32' - set interfaces vti vti1 description 'Azure Primary Tunnel' - - set interfaces vti vti2 address '10.10.1.6/32' - set interfaces vti vti2 description 'Azure Secondary Tunnel' - -- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes. - -.. code-block:: none - - set firewall options interface vti1 adjust-mss 1350 - set firewall options interface vti2 adjust-mss 1350 - -- Configure the VPN tunnels - -.. code-block:: none - - set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3' - set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' - set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2' - set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond' - set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL' - set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE' - set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5' - set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1' - set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE' - - set vpn ipsec site-to-site peer 203.0.113.3 authentication id '198.51.100.3' - set vpn ipsec site-to-site peer 203.0.113.3 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.3 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' - set vpn ipsec site-to-site peer 203.0.113.3 authentication remote-id '203.0.113.3' - set vpn ipsec site-to-site peer 203.0.113.3 connection-type 'respond' - set vpn ipsec site-to-site peer 203.0.113.3 description 'AZURE SECONDARY TUNNEL' - set vpn ipsec site-to-site peer 203.0.113.3 ike-group 'AZURE' - set vpn ipsec site-to-site peer 203.0.113.3 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 203.0.113.3 local-address '10.10.0.5' - set vpn ipsec site-to-site peer 203.0.113.3 vti bind 'vti2' - set vpn ipsec site-to-site peer 203.0.113.3 vti esp-group 'AZURE' - -- **Important**: Add an interface route to reach both Azure's BGP listeners - -.. code-block:: none - - set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1 - set protocols static interface-route 10.0.0.5/32 next-hop-interface vti2 - -- Configure your BGP settings - -.. code-block:: none - - set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540' - set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound' - set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30' - set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10' - - set protocols bgp 64499 neighbor 10.0.0.5 remote-as '65540' - set protocols bgp 64499 neighbor 10.0.0.5 address-family ipv4-unicast soft-reconfiguration 'inbound' - set protocols bgp 64499 neighbor 10.0.0.5 timers holdtime '30' - set protocols bgp 64499 neighbor 10.0.0.5 timers keepalive '10' - -- **Important**: Disable connected check, otherwise the routes learned - from Azure will not be imported into the routing table. - -.. code-block:: none - - set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check - set protocols bgp 64499 neighbor 10.0.0.5 disable-connected-check diff --git a/docs/appendix/examples/bgp-ipv6-unnumbered.rst b/docs/appendix/examples/bgp-ipv6-unnumbered.rst deleted file mode 100644 index ccc1f69a..00000000 --- a/docs/appendix/examples/bgp-ipv6-unnumbered.rst +++ /dev/null @@ -1,172 +0,0 @@ -.. _examples-bgp-ipv6-unnumbered: - -######################################### -BGP IPv6 unnumbered with extended nexthop -######################################### - -General information can be found in the :ref:`bgp` chapter. - -Configuration -============= - -- Router A: - -.. code-block:: none - - set protocols bgp 64496 address-family ipv4-unicast redistribute connected - set protocols bgp 64496 address-family ipv6-unicast redistribute connected - set protocols bgp 64496 neighbor eth1 interface v6only - set protocols bgp 64496 neighbor eth1 interface v6only peer-group 'fabric' - set protocols bgp 64496 neighbor eth2 interface v6only - set protocols bgp 64496 neighbor eth2 interface v6only peer-group 'fabric' - set protocols bgp 64496 parameters bestpath as-path multipath-relax - set protocols bgp 64496 parameters bestpath compare-routerid - set protocols bgp 64496 parameters default no-ipv4-unicast - set protocols bgp 64496 parameters router-id '192.168.0.1' - set protocols bgp 64496 peer-group fabric address-family ipv4-unicast - set protocols bgp 64496 peer-group fabric address-family ipv6-unicast - set protocols bgp 64496 peer-group fabric capability extended-nexthop - set protocols bgp 64496 peer-group fabric remote-as 'external' - -- Router B: - -.. code-block:: none - - set protocols bgp 64499 address-family ipv4-unicast redistribute connected - set protocols bgp 64499 address-family ipv6-unicast redistribute connected - set protocols bgp 64499 neighbor eth1 interface v6only - set protocols bgp 64499 neighbor eth1 interface v6only peer-group 'fabric' - set protocols bgp 64499 neighbor eth2 interface v6only - set protocols bgp 64499 neighbor eth2 interface v6only peer-group 'fabric' - set protocols bgp 64499 parameters bestpath as-path multipath-relax - set protocols bgp 64499 parameters bestpath compare-routerid - set protocols bgp 64499 parameters default no-ipv4-unicast - set protocols bgp 64499 parameters router-id '192.168.0.2' - set protocols bgp 64499 peer-group fabric address-family ipv4-unicast - set protocols bgp 64499 peer-group fabric address-family ipv6-unicast - set protocols bgp 64499 peer-group fabric capability extended-nexthop - set protocols bgp 64499 peer-group fabric remote-as 'external' - -Results -======= - -- Router A: - -.. code-block:: none - - vyos@vyos:~$ show interfaces - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - eth0 198.51.100.34/24 u/u - eth1 - u/u - eth2 - u/u - lo 127.0.0.1/8 u/u - 192.168.0.1/32 - ::1/128 - -.. code-block:: none - - vyos@vyos:~$ show ip route - Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, - F - PBR, f - OpenFabric, - > - selected route, * - FIB route - - S>* 0.0.0.0/0 [210/0] via 198.51.100.34, eth0, 03:21:53 - C>* 198.51.100.0/24 is directly connected, eth0, 03:21:53 - C>* 192.168.0.1/32 is directly connected, lo, 03:21:56 - B>* 192.168.0.2/32 [20/0] via fe80::a00:27ff:fe3b:7ed2, eth2, 00:05:07 - * via fe80::a00:27ff:fe7b:4000, eth1, 00:05:07 - -.. code-block:: none - - vyos@vyos:~$ ping 192.168.0.2 - PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data. - 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.575 ms - 64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=0.628 ms - 64 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=0.581 ms - 64 bytes from 192.168.0.2: icmp_seq=4 ttl=64 time=0.682 ms - 64 bytes from 192.168.0.2: icmp_seq=5 ttl=64 time=0.597 ms - - --- 192.168.0.2 ping statistics --- - 5 packets transmitted, 5 received, 0% packet loss, time 4086ms - rtt min/avg/max/mdev = 0.575/0.612/0.682/0.047 ms - -.. code-block:: none - - vyos@vyos:~$ show ip bgp summary - - IPv4 Unicast Summary: - BGP router identifier 192.168.0.1, local AS number 65020 vrf-id 0 - BGP table version 4 - RIB entries 5, using 800 bytes of memory - Peers 2, using 41 KiB of memory - Peer groups 1, using 64 bytes of memory - - Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd - eth1 4 64499 13 13 0 0 0 00:05:33 2 - eth2 4 64499 13 14 0 0 0 00:05:29 2 - - Total number of neighbors 2 - -- Router B: - -.. code-block:: none - - vyos@vyos:~$ show interfaces - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - eth0 198.51.100.33/24 u/u - eth1 - u/u - eth2 - u/u - lo 127.0.0.1/8 u/u - 192.168.0.2/32 - ::1/128 - -.. code-block:: none - - vyos@vyos:~$ show ip route - Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, - F - PBR, f - OpenFabric, - > - selected route, * - FIB route - - S>* 0.0.0.0/0 [210/0] via 198.51.100.33, eth0, 00:44:08 - C>* 198.51.100.0/24 is directly connected, eth0, 00:44:09 - B>* 192.168.0.1/32 [20/0] via fe80::a00:27ff:fe2d:205d, eth1, 00:06:18 - * via fe80::a00:27ff:fe93:e142, eth2, 00:06:18 - C>* 192.168.0.2/32 is directly connected, lo, 00:44:11 - -.. code-block:: none - - vyos@vyos:~$ ping 192.168.0.1 - PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data. - 64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.427 ms - 64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.471 ms - 64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.782 ms - 64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=0.715 ms - - --- 192.168.0.1 ping statistics --- - 4 packets transmitted, 4 received, 0% packet loss, time 3051ms - rtt min/avg/max/mdev = 0.427/0.598/0.782/0.155 ms - -.. code-block:: none - - vyos@vyos:~$ show ip bgp summary - IPv4 Unicast Summary: - BGP router identifier 192.168.0.2, local AS number 65021 vrf-id 0 - BGP table version 4 - RIB entries 5, using 800 bytes of memory - Peers 2, using 41 KiB of memory - Peer groups 1, using 64 bytes of memory - - Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd - eth1 4 64496 14 14 0 0 0 00:06:40 2 - eth2 4 64496 14 14 0 0 0 00:06:37 2 - - Total number of neighbors 2 - diff --git a/docs/appendix/examples/dhcp-relay-through-gre-bridge.rst b/docs/appendix/examples/dhcp-relay-through-gre-bridge.rst deleted file mode 100644 index f94eb67f..00000000 --- a/docs/appendix/examples/dhcp-relay-through-gre-bridge.rst +++ /dev/null @@ -1,77 +0,0 @@ -.. _examples-dhcp-relay-through-gre-bridge: - - -DHCP Relay through GRE-Bridge ------------------------------ - -Diagram -^^^^^^^ - -.. image:: /_static/images/dhcp-relay-through-gre-bridge.png - :width: 80% - :align: center - :alt: Network Topology Diagram - -Configuration -^^^^^^^^^^^^^ - -DHCP Server -""""""""""" - -.. code-block:: none - - set interfaces ethernet eth0 address '10.0.2.1/24' - set interfaces loopback lo address '3.3.3.3/24' - set interfaces tunnel tun100 address '172.16.0.2/30' - set interfaces tunnel tun100 encapsulation 'gre-bridge' - set interfaces tunnel tun100 local-ip '10.0.2.1' - set interfaces tunnel tun100 remote-ip '192.168.0.1' - set protocols ospf area 0 network '3.3.3.0/24' - set protocols ospf area 0 network '10.0.2.0/24' - set protocols ospf parameters router-id '3.3.3.3' - set protocols static interface-route 10.0.1.2/32 next-hop-interface tun100 - set service dhcp-server shared-network-name asdf authoritative - set service dhcp-server shared-network-name asdf subnet 3.3.3.0/24 range 0 start '3.3.3.30' - set service dhcp-server shared-network-name asdf subnet 3.3.3.0/24 range 0 stop '3.3.3.40' - set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 default-router '10.0.1.2' - set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 range 0 start '10.0.1.200' - set service dhcp-server shared-network-name asdf subnet 10.0.1.0/24 range 0 stop '10.0.1.210' - set service dhcp-server shared-network-name asdf subnet 10.2.1.0/24 range 0 start '10.2.1.222' - set service dhcp-server shared-network-name asdf subnet 10.2.1.0/24 range 0 stop '10.2.1.233' - set service dhcp-server shared-network-name asdf subnet 172.16.0.0/30 range 0 start '172.16.0.1' - set service dhcp-server shared-network-name asdf subnet 172.16.0.0/30 range 0 stop '172.16.0.2' - - -In-Between Router -""""""""""""""""" - -.. code-block:: none - - set interfaces ethernet eth0 address '192.168.0.2/24' - set interfaces ethernet eth1 address '10.0.2.2/24' - set protocols ospf area 0 network '192.168.0.0/24' - set protocols ospf area 0 network '10.0.2.0/24' - set protocols ospf parameters router-id '192.168.0.2' - - -DHCP Relay -"""""""""" - -.. code-block:: none - - set interfaces ethernet eth0 address '10.0.1.2/24' - set interfaces ethernet eth1 address '192.168.0.1/24' - set interfaces loopback lo address '1.1.1.1' - set interfaces tunnel tun100 address '172.16.0.1/30' - set interfaces tunnel tun100 encapsulation 'gre-bridge' - set interfaces tunnel tun100 local-ip '192.168.0.1' - set interfaces tunnel tun100 remote-ip '10.0.2.1' - set protocols ospf area 0 network '10.0.1.0/24' - set protocols ospf area 0 network '192.168.0.0/24' - set protocols ospf area 0 network '1.1.1.0/24' - set protocols ospf parameters router-id '1.1.1.1' - set protocols static interface-route 3.3.3.3/32 next-hop-interface tun100 - set service dhcp-relay interface 'eth0' - set service dhcp-relay interface 'tun100' - set service dhcp-relay server '3.3.3.3' - diff --git a/docs/appendix/examples/ha.rst b/docs/appendix/examples/ha.rst deleted file mode 100644 index 702cb2b2..00000000 --- a/docs/appendix/examples/ha.rst +++ /dev/null @@ -1,580 +0,0 @@ -############################# -High Availability Walkthrough -############################# - -This document walks you through a complete HA setup of two VyOS machines. This -design is based on a VM as the primary router, and a physical machine as a -backup, using VRRP, BGP, OSPF and conntrack sharing. - -The aim of this document is to walk you through setting everything up so you -and up at a point where you can reboot any machine and not lose more than a few -seconds worth of connectivity. - -Design -====== - -This is based on a real life, in production design. One of the complex issues -is ensuring you have redundant data INTO your network. We do this with a pair -of Cisco Nexus switches, and using Virtual PortChannels that are spanned across -them. This as an added bonus, also allows for complete switch failure without -an outage. How you achieve this yourself is left as an exercise to the reader -but our setup is documented here. - -Walkthrough suggestion ----------------------- - -The ``commit`` command is implied after every section. If you make an error, -``commit`` will warn you and you can fix it before getting too far into things. -Please ensure you commit early and commit often. - -If you are following through this document, it is strongly suggested you -complete the entire document, ONLY doing the virtual router1 steps, and then -come back and walk through it AGAIN on the backup hardware router. - -This ensures you don't go to fast, or miss a step. However, it will make your -life easier to configure the fixed IP address and default route now on the -hardware router. - -Example Network ---------------- - -In this document, we have been allocated 203.0.113.0/24 by our upstream -provider, which we are publishing on VLAN100. - -They want us to establish a BGP session to their routers on 192.0.2.11 and -192.0.2.12 from our routers 192.0.2.21 and 192.0.2.22. They are AS 65550 and -we are AS65551. - -Our routers are going to have a floating IP address of 203.0.113.1, and use -.2 and .3 as their fixed IPs. - -We are going to use 10.200.201.0/24 for an 'internal' network on VLAN201. - -When traffic is originated from the 10.200.201.0/24 network, it will be -masqueraded to 203.0.113.1 - -For connection between sites, we are running a WireGuard link to two REMOTE -routers, and using OSPF over those links to distribute routes. That remote -site is expected to send traffic from anything in 10.201.0.0/16 - -VLANs ------ - -These are the vlans we wll be using: - -* 50: Upstream, using the 192.0.2.0/24 network allocated by them. -* 100: 'Public' network, using our 203.0.113.0/24 network. -* 201: 'Internal' network, using 10.200.201.0/24 - -Hardware --------- - -* switch1 (Nexus 10gb Switch) -* switch2 (Nexus 10gb Switch) -* compute1 (VMware ESXi 6.5) -* compute2 (VMware ESXi 6.5) -* compute3 (VMware ESXi 6.5) -* router2 (Random 1RU machine with 4 NICs) - -Note that router1 is a VM that runs on one of the compute nodes. - -Network Cabling ---------------- - -* From Datacenter - This connects into port 1 on both switches, and is tagged - as VLAN 50 -* Cisco VPC Crossconnect - Ports 39 and 40 bonded between each switch -* Hardware Router - Port 8 of each switch -* compute1 - Port 9 of each switch -* compute2 - Port 10 of each switch -* compute3 - Port 11 of each switch - -This is ignoring the extra Out-of-band management networking, which should be -on totally different switches, and a different feed into the rack, and is out -of scope of this. - -.. note:: Our implementation uses VMware's Distributed Port Groups, which allows - VMware to use LACP. This is a part of the ENTERPRISE licence, and is not - available on a Free licence. If you are implementing this and do not have - access to DPGs, you should not use VMware, and use some other virtualization - platform instead. - - -Basic Setup (via console) -========================= - -Create your router1 VM so it is able to withstand a VM Host failing, or a -network link failing. Using VMware, this is achieved by enabling vSphere DRS, -vSphere Availability, and creating a Distributed Port Group that uses LACP. - -Many other Hypervisors do this, and I'm hoping that this document will be -expanded to document how to do this for others. - -Create an 'All VLANs' network group, that passes all trunked traffic through -to the VM. Attach this network group to router1 as eth0. - -.. note:: VMware: You must DISABLE SECURITY on this Port group. Make sure that - ``Promiscuous Mode``\ , ``MAC address changes`` and ``Forged transmits`` are - enabled. All of these will be done as part of failover. - -Bonding on Hardware Router --------------------------- - -Create a LACP bond on the hardware router. We are assuming that eth0 and eth1 -are connected to port 8 on both switches, and that those ports are configured -as a Port-Channel. - -.. code-block:: none - - set interfaces bonding bond0 description 'Switch Port-Channel' - set interfaces bonding bond0 hash-policy 'layer2' - set interfaces bonding bond0 member interface 'eth0' - set interfaces bonding bond0 member interface 'eth1' - set interfaces bonding bond0 mode '802.3ad' - - -Assign external IP addresses ----------------------------- - -VLAN 100 and 201 will have floating IP addresses, but VLAN50 does not, as this -is talking directly to upstream. Create our IP address on vlan50. - -For the hardware router, replace ``eth0`` with ``bond0``. As (almost) every -command is identical, this will not be specified unless different things need -to be performed on different hosts. - -.. code-block:: none - - set interfaces ethernet eth0 vif 50 address '192.0.2.21/24' - -In this case, the hardware router has a different IP, so it would be - -.. code-block:: none - - set interfaces ethernet bond0 vif 50 address '192.0.2.22/24' - -Add (temporary) default route ------------------------------ - -It is assumed that the routers provided by upstream are capable of acting as a -default router, add that as a static route. - -.. code-block:: none - - set protocols static route 0.0.0.0/0 next-hop 192.0.2.11 - commit - save - - -Enable SSH ----------- - -Enable SSH so you can now SSH into the routers, rather than using the console. - -.. code-block:: none - - set service ssh - commit - save - -At this point you should be able to SSH into both of them, and will no longer -need access to the console (unless you break something!) - - -VRRP Configuration -================== - -We are setting up VRRP so that it does NOT fail back when a machine returns into -service, and it prioritizes router1 over router2. - -Internal Network ----------------- - -This has a floating IP address of 10.200.201.1/24, using virtual router ID 201. -The difference between them is the interface name, hello-source-address, and -peer-address. - -**router1** - -.. code-block:: none - - set interfaces ethernet eth0 vif 201 address 10.200.201.2/24 - set high-availability vrrp group int hello-source-address '10.200.201.2' - set high-availability vrrp group int interface 'eth0.201' - set high-availability vrrp group int peer-address '10.200.201.3' - set high-availability vrrp group int no-preempt - set high-availability vrrp group int priority '200' - set high-availability vrrp group int virtual-address '10.200.201.1/24' - set high-availability vrrp group int vrid '201' - - -**router2** - -.. code-block:: none - - set interfaces ethernet bond0 vif 201 address 10.200.201.3/24 - set high-availability vrrp group int hello-source-address '10.200.201.3' - set high-availability vrrp group int interface 'bond0.201' - set high-availability vrrp group int peer-address '10.200.201.2' - set high-availability vrrp group int no-preempt - set high-availability vrrp group int priority '100' - set high-availability vrrp group int virtual-address '10.200.201.1/24' - set high-availability vrrp group int vrid '201' - - -Public Network --------------- - -This has a floating IP address of 203.0.113.1/24, using virtual router ID 113. -The virtual router ID is just a random number between 1 and 254, and can be set -to whatever you want. Best practices suggest you try to keep them unique -enterprise-wide. - -**router1** - -.. code-block:: none - - set interfaces ethernet eth0 vif 100 address 203.0.113.2/24 - set high-availability vrrp group public hello-source-address '203.0.113.2' - set high-availability vrrp group public interface 'eth0.100' - set high-availability vrrp group public peer-address '203.0.113.3' - set high-availability vrrp group public no-preempt - set high-availability vrrp group public priority '200' - set high-availability vrrp group public virtual-address '203.0.113.1/24' - set high-availability vrrp group public vrid '113' - -**router2** - -.. code-block:: none - - set interfaces ethernet bond0 vif 100 address 203.0.113.3/24 - set high-availability vrrp group public hello-source-address '203.0.113.3' - set high-availability vrrp group public interface 'bond0.100' - set high-availability vrrp group public peer-address '203.0.113.2' - set high-availability vrrp group public no-preempt - set high-availability vrrp group public priority '100' - set high-availability vrrp group public virtual-address '203.0.113.1/24' - set high-availability vrrp group public vrid '113' - - -Create VRRP sync-group ----------------------- - -The sync group is used to replicate connection tracking. It needs to be assigned -to a random VRRP group, and we are creating a sync group called ``sync`` using -the vrrp group ``int``. - -.. code-block:: none - - set high-availability vrrp sync-group sync member 'int' - -Testing -------- - -At this point, you should be able to see both IP addresses when you run -``show interfaces``\ , and ``show vrrp`` should show both interfaces in MASTER -state (and SLAVE state on router2). - -.. code-block:: none - - vyos@router1:~$ show vrrp - Name Interface VRID State Last Transition - -------- ----------- ------ ------- ----------------- - int eth0.201 201 MASTER 100s - public eth0.100 113 MASTER 200s - vyos@router1:~$ - - -You should be able to ping to and from all the IPs you have allocated. - -NAT and conntrack-sync -====================== - -Masquerade Traffic originating from 10.200.201.0/24 that is heading out the -public interface. - -.. note:: We explicitly exclude the primary upstream network so that BGP or - OSPF traffic doesn't accidentally get NAT'ed. - -.. code-block:: none - - set nat source rule 10 destination address '!192.0.2.0/24' - set nat source rule 10 outbound-interface 'eth0.50' - set nat source rule 10 source address '10.200.201.0/24' - set nat source rule 10 translation address '203.0.113.1' - - -Configure conntrack-sync and disable helpers --------------------------------------------- - -Most conntrack modules cause more problems than they're worth, especially in a -complex network. Turn them off by default, and if you need to turn them on -later, you can do so. - -.. code-block:: none - - set system conntrack modules ftp disable - set system conntrack modules gre disable - set system conntrack modules nfs disable - set system conntrack modules pptp disable - set system conntrack modules sip disable - set system conntrack modules tftp disable - -Now enable replication between nodes. Replace eth0.201 with bond0.201 on the -hardware router. - -.. code-block:: none - - set service conntrack-sync accept-protocol 'tcp,udp,icmp' - set service conntrack-sync event-listen-queue-size '8' - set service conntrack-sync failover-mechanism vrrp sync-group 'sync' - set service conntrack-sync interface eth0.201 - set service conntrack-sync mcast-group '224.0.0.50' - set service conntrack-sync sync-queue-size '8' - -Testing -------- - -The simplest way to test is to look at the connection tracking stats on the -standby hardware router with the command ``show conntrack-sync statistics``. -The numbers should be very close to the numbers on the primary router. - -When you have both routers up, you should be able to establish a connection -from a NAT'ed machine out to the internet, reboot the active machine, and that -connection should be preserved, and will not drop out. - -OSPF Over WireGuard -=================== - -Wireguard doesn't have the concept of an up or down link, due to its design. -This complicates AND simplifies using it for network transport, as for reliable -state detection you need to use SOMETHING to detect when the link is down. - -If you use a routing protocol itself, you solve two problems at once. This is -only a basic example, and is provided as a starting point. - -Configure Wireguard -------------------- - -There is plenty of instructions and documentation on setting up Wireguard. The -only important thing you need to remember is to only use one WireGuard -interface per OSPF connection. - -We use small /30's from 10.254.60/24 for the point-to-point links. - -**router1** - -Replace the 203.0.113.3 with whatever the other router's IP address is. - -.. code-block:: none - - set interfaces wireguard wg01 address '10.254.60.1/30' - set interfaces wireguard wg01 description 'router1-to-offsite1' - set interfaces wireguard wg01 ip ospf authentication md5 key-id 1 md5-key 'i360KoCwUGZvPq7e' - set interfaces wireguard wg01 ip ospf cost '11' - set interfaces wireguard wg01 ip ospf dead-interval '5' - set interfaces wireguard wg01 ip ospf hello-interval '1' - set interfaces wireguard wg01 ip ospf network 'point-to-point' - set interfaces wireguard wg01 ip ospf priority '1' - set interfaces wireguard wg01 ip ospf retransmit-interval '5' - set interfaces wireguard wg01 ip ospf transmit-delay '1' - set interfaces wireguard wg01 peer OFFSITE1 allowed-ips '0.0.0.0/0' - set interfaces wireguard wg01 peer OFFSITE1 endpoint '203.0.113.3:50001' - set interfaces wireguard wg01 peer OFFSITE1 persistent-keepalive '15' - set interfaces wireguard wg01 peer OFFSITE1 pubkey 'GEFMOWzAyau42/HwdwfXnrfHdIISQF8YHj35rOgSZ0o=' - set interfaces wireguard wg01 port '50001' - - -**offsite1** - -This is connecting back to the STATIC IP of router1, not the floating. - -.. code-block:: none - - set interfaces wireguard wg01 address '10.254.60.2/30' - set interfaces wireguard wg01 description 'offsite1-to-router1' - set interfaces wireguard wg01 ip ospf authentication md5 key-id 1 md5-key 'i360KoCwUGZvPq7e' - set interfaces wireguard wg01 ip ospf cost '11' - set interfaces wireguard wg01 ip ospf dead-interval '5' - set interfaces wireguard wg01 ip ospf hello-interval '1' - set interfaces wireguard wg01 ip ospf network 'point-to-point' - set interfaces wireguard wg01 ip ospf priority '1' - set interfaces wireguard wg01 ip ospf retransmit-interval '5' - set interfaces wireguard wg01 ip ospf transmit-delay '1' - set interfaces wireguard wg01 peer ROUTER1 allowed-ips '0.0.0.0/0' - set interfaces wireguard wg01 peer ROUTER1 endpoint '192.0.2.21:50001' - set interfaces wireguard wg01 peer ROUTER1 persistent-keepalive '15' - set interfaces wireguard wg01 peer ROUTER1 pubkey 'CKwMV3ZaLntMule2Kd3G7UyVBR7zE8/qoZgLb82EE2Q=' - set interfaces wireguard wg01 port '50001' - -Test WireGuard --------------- - -Make sure you can ping 10.254.60.1 and .2 from both routers. - -Create Export Filter --------------------- - -We only want to export the networks we know we should be exporting. Always -whitelist your route filters, both importing and exporting. A good rule of -thumb is **'If you are not the default router for a network, don't advertise -it'**. This means we explicitly do not want to advertise the 192.0.2.0/24 -network (but do want to advertise 10.200.201.0 and 203.0.113.0, which we ARE -the default route for). This filter is applied to ``redistribute connected``. -If we WERE to advertise it, the remote machines would see 192.0.2.21 available -via their default route, establish the connection, and then OSPF would say -'192.0.2.0/24 is available via this tunnel', at which point the tunnel would -break, OSPF would drop the routes, and then 192.0.2.0/24 would be reachable via -default again. This is called 'flapping'. - -.. code-block:: none - - set policy access-list 150 description 'Outbound OSPF Redistribution' - set policy access-list 150 rule 10 action 'permit' - set policy access-list 150 rule 10 destination any - set policy access-list 150 rule 10 source inverse-mask '0.0.0.255' - set policy access-list 150 rule 10 source network '10.200.201.0' - set policy access-list 150 rule 20 action 'permit' - set policy access-list 150 rule 20 destination any - set policy access-list 150 rule 20 source inverse-mask '0.0.0.255' - set policy access-list 150 rule 20 source network '203.0.113.0' - set policy access-list 150 rule 100 action 'deny' - set policy access-list 150 rule 100 destination any - set policy access-list 150 rule 100 source any - - -Create Import Filter --------------------- - -We only want to import networks we know about. Our OSPF peer should only be -advertising networks in the 10.201.0.0/16 range. Note that this is an INVERSE -MATCH. You deny in access-list 100 to accept the route. - -.. code-block:: none - - set policy access-list 100 description 'Inbound OSPF Routes from Peers' - set policy access-list 100 rule 10 action 'deny' - set policy access-list 100 rule 10 destination any - set policy access-list 100 rule 10 source inverse-mask '0.0.255.255' - set policy access-list 100 rule 10 source network '10.201.0.0' - set policy access-list 100 rule 100 action 'permit' - set policy access-list 100 rule 100 destination any - set policy access-list 100 rule 100 source any - set policy route-map PUBOSPF rule 100 action 'deny' - set policy route-map PUBOSPF rule 100 match ip address access-list '100' - set policy route-map PUBOSPF rule 500 action 'permit' - - -Enable OSPF ------------ - -Every router **must** have a unique router-id. -The 'reference-bandwidth' is used because when OSPF was originally designed, -the idea of a link faster than 1gbit was unheard of, and it does not scale -correctly. - -.. code-block:: none - - set protocols ospf area 0.0.0.0 authentication 'md5' - set protocols ospf area 0.0.0.0 network '10.254.60.0/24' - set protocols ospf auto-cost reference-bandwidth '10000' - set protocols ospf log-adjacency-changes - set protocols ospf parameters abr-type 'cisco' - set protocols ospf parameters router-id '10.254.60.2' - set protocols ospf route-map PUBOSPF - - -Test OSPF ---------- - -When you have enabled OSPF on both routers, you should be able to see each -other with the command ``show ip ospf neighbour``. The state must be 'Full' -or '2-Way', if it is not then there is a network connectivity issue between the -hosts. This is often caused by NAT or MTU issues. You should not see any new -routes (unless this is the second pass) in the output of ``show ip route`` - -Advertise connected routes -========================== - -As a reminder, only advertise routes that you are the default router for. This -is why we are NOT announcing the 192.0.2.0/24 network, because if that was -announced into OSPF, the other routers would try to connect to that network -over a tunnel that connects to that network! - -.. code-block:: none - - set protocols ospf access-list 150 export 'connected' - set protocols ospf redistribute connected - - -You should now be able to see the advertised network on the other host. - -Duplicate configuration ------------------------ - -At this pont you now need to create the X link between all four routers. Use a -different /30 for each link. - -Priorities ----------- - -Set the cost on the secondary links to be 200. This means that they will not -be used unless the primary links are down. - -.. code-block:: none - - set interfaces wireguard wg01 ip ospf cost '10' - set interfaces wireguard wg02 ip ospf cost '200' - - -This will be visible in 'show ip route'. - -BGP -=== - -BGP is an extremely complex network protocol. An example is provided here. - -.. note:: Router id's must be unique. - -**router1** - - -The ``redistribute ospf`` command is there purely as an example of how this can -be expanded. In this walkthrough, it will be filtered by BGPOUT rule 10000, as -it is not 203.0.113.0/24. - -.. code-block:: none - - set policy prefix-list BGPOUT description 'BGP Export List' - set policy prefix-list BGPOUT rule 10 action 'deny' - set policy prefix-list BGPOUT rule 10 description 'Do not advertise short masks' - set policy prefix-list BGPOUT rule 10 ge '25' - set policy prefix-list BGPOUT rule 10 prefix '0.0.0.0/0' - set policy prefix-list BGPOUT rule 100 action 'permit' - set policy prefix-list BGPOUT rule 100 description 'Our network' - set policy prefix-list BGPOUT rule 100 prefix '203.0.113.0/24' - set policy prefix-list BGPOUT rule 10000 action 'deny' - set policy prefix-list BGPOUT rule 10000 prefix '0.0.0.0/0' - set policy route-map BGPOUT description 'BGP Export Filter' - set policy route-map BGPOUT rule 10 action 'permit' - set policy route-map BGPOUT rule 10 match ip address prefix-list 'BGPOUT' - set policy route-map BGPOUT rule 10000 action 'deny' - set policy route-map BGPPREPENDOUT description 'BGP Export Filter' - set policy route-map BGPPREPENDOUT rule 10 action 'permit' - set policy route-map BGPPREPENDOUT rule 10 set as-path-prepend '65551 65551 65551' - set policy route-map BGPPREPENDOUT rule 10 match ip address prefix-list 'BGPOUT' - set policy route-map BGPPREPENDOUT rule 10000 action 'deny' - set protocols bgp 65551 address-family ipv4-unicast network 192.0.2.0/24 - set protocols bgp 65551 address-family ipv4-unicast redistribute connected metric '50' - set protocols bgp 65551 address-family ipv4-unicast redistribute ospf metric '50' - set protocols bgp 65551 neighbor 192.0.2.11 address-family ipv4-unicast route-map export 'BGPOUT' - set protocols bgp 65551 neighbor 192.0.2.11 address-family ipv4-unicast soft-reconfiguration inbound - set protocols bgp 65551 neighbor 192.0.2.11 remote-as '65550' - set protocols bgp 65551 neighbor 192.0.2.11 update-source '192.0.2.21' - set protocols bgp 65551 parameters router-id '192.0.2.21' - - -**router2** - -This is identical, but you use the BGPPREPENDOUT route-map to advertise the -route with a longer path. diff --git a/docs/appendix/examples/index.rst b/docs/appendix/examples/index.rst deleted file mode 100644 index b2f7bfde..00000000 --- a/docs/appendix/examples/index.rst +++ /dev/null @@ -1,19 +0,0 @@ -.. _examples: - -Configuration Blueprints -======================== - -This chapter contains various configuration examples: - -.. toctree:: - :maxdepth: 2 - - dhcp-relay-through-gre-bridge - zone-policy - bgp-ipv6-unnumbered - ospf-unnumbered - azure-vpn-bgp - azure-vpn-dual-bgp - tunnelbroker-ipv6 - ha - wan-load-balancing diff --git a/docs/appendix/examples/ospf-unnumbered.rst b/docs/appendix/examples/ospf-unnumbered.rst deleted file mode 100644 index 39f8f69a..00000000 --- a/docs/appendix/examples/ospf-unnumbered.rst +++ /dev/null @@ -1,118 +0,0 @@ -.. _examples-ospf-unnumbered: - -######################### -OSPF unnumbered with ECMP -######################### - -General infomration can be found in the :ref:`routing-ospf` chapter. - -Configuration -============= - -- Router A: - -.. code-block:: none - - set interfaces ethernet eth0 address '10.0.0.1/24' - set interfaces ethernet eth1 address '192.168.0.1/32' - set interfaces ethernet eth1 ip ospf authentication md5 key-id 1 md5-key 'yourpassword' - set interfaces ethernet eth1 ip ospf network 'point-to-point' - set interfaces ethernet eth2 address '192.168.0.1/32' - set interfaces ethernet eth2 ip ospf authentication md5 key-id 1 md5-key 'yourpassword' - set interfaces ethernet eth2 ip ospf network 'point-to-point' - set interfaces loopback lo address '192.168.0.1/32' - set protocols ospf area 0.0.0.0 authentication 'md5' - set protocols ospf area 0.0.0.0 network '192.168.0.1/32' - set protocols ospf parameters router-id '192.168.0.1' - set protocols ospf redistribute connected - -- Router B: - -.. code-block:: none - - set interfaces ethernet eth0 address '10.0.0.2/24' - set interfaces ethernet eth1 address '192.168.0.2/32' - set interfaces ethernet eth1 ip ospf authentication md5 key-id 1 md5-key 'yourpassword' - set interfaces ethernet eth1 ip ospf network 'point-to-point' - set interfaces ethernet eth2 address '192.168.0.2/32' - set interfaces ethernet eth2 ip ospf authentication md5 key-id 1 md5-key 'yourpassword' - set interfaces ethernet eth2 ip ospf network 'point-to-point' - set interfaces loopback lo address '192.168.0.2/32' - set protocols ospf area 0.0.0.0 authentication 'md5' - set protocols ospf area 0.0.0.0 network '192.168.0.2/32' - set protocols ospf parameters router-id '192.168.0.2' - set protocols ospf redistribute connected - - -Results -======= - -- Router A: - -.. code-block:: none - - vyos@vyos:~$ show interfaces - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - eth0 10.0.0.1/24 u/u - eth1 192.168.0.1/32 u/u - eth2 192.168.0.1/32 u/u - lo 127.0.0.1/8 u/u - 192.168.0.1/32 - ::1/128 - -.. code-block:: none - - vyos@vyos:~$ show ip route - Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, - F - PBR, f - OpenFabric, - > - selected route, * - FIB route, q - queued route, r - rejected route - - S>* 0.0.0.0/0 [210/0] via 10.0.0.254, eth0, 00:57:34 - O 10.0.0.0/24 [110/20] via 192.168.0.2, eth1 onlink, 00:13:21 - via 192.168.0.2, eth2 onlink, 00:13:21 - C>* 10.0.0.0/24 is directly connected, eth0, 00:57:35 - O 192.168.0.1/32 [110/0] is directly connected, lo, 00:48:53 - C * 192.168.0.1/32 is directly connected, eth2, 00:56:31 - C * 192.168.0.1/32 is directly connected, eth1, 00:56:31 - C>* 192.168.0.1/32 is directly connected, lo, 00:57:36 - O>* 192.168.0.2/32 [110/1] via 192.168.0.2, eth1 onlink, 00:29:03 - * via 192.168.0.2, eth2 onlink, 00:29:03 - -- Router B: - -.. code-block:: none - - vyos@vyos:~$ show interfaces - Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down - Interface IP Address S/L Description - --------- ---------- --- ----------- - eth0 10.0.0.2/24 u/u - eth1 192.168.0.2/32 u/u - eth2 192.168.0.2/32 u/u - lo 127.0.0.1/8 u/u - 192.168.0.2/32 - ::1/128 - -.. code-block:: none - - vyos@vyos:~$ show ip route - Codes: K - kernel route, C - connected, S - static, R - RIP, - O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, - T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, - F - PBR, f - OpenFabric, - > - selected route, * - FIB route, q - queued route, r - rejected route - - S>* 0.0.0.0/0 [210/0] via 10.0.0.254, eth0, 00:57:34 - O 10.0.0.0/24 [110/20] via 192.168.0.1, eth1 onlink, 00:13:21 - via 192.168.0.1, eth2 onlink, 00:13:21 - C>* 10.0.0.0/24 is directly connected, eth0, 00:57:35 - O 192.168.0.2/32 [110/0] is directly connected, lo, 00:48:53 - C * 192.168.0.2/32 is directly connected, eth2, 00:56:31 - C * 192.168.0.2/32 is directly connected, eth1, 00:56:31 - C>* 192.168.0.2/32 is directly connected, lo, 00:57:36 - O>* 192.168.0.1/32 [110/1] via 192.168.0.1, eth1 onlink, 00:29:03 - * via 192.168.0.1, eth2 onlink, 00:29:03 diff --git a/docs/appendix/examples/tunnelbroker-ipv6.rst b/docs/appendix/examples/tunnelbroker-ipv6.rst deleted file mode 100644 index 868b225f..00000000 --- a/docs/appendix/examples/tunnelbroker-ipv6.rst +++ /dev/null @@ -1,169 +0,0 @@ -.. _examples-tunnelbroker-ipv6: - -####################### -Tunnelbroker.net (IPv6) -####################### - -This guides walks through the setup of https://www.tunnelbroker.net/ for an -IPv6 Tunnel. - -Prerequisites -============= - -- A public, routable IPv4 address. This does not necessarily need to be static, - but you will need to update the tunnel endpoint when/if your IP address - changes, which can be done with a script and a scheduled task. -- Account at https://www.tunnelbroker.net/ -- Requested a "Regular Tunnel". You want to choose a location that is closest - to your physical location for the best response time. - -Setup initial tunnel -==================== - -Set up initial IPv6 tunnel. Replace the field below from the fields on the -tunnel information page. - -.. code-block:: none - - conf - set interfaces tunnel tun0 address Client_IPv6_from_Tunnelbroker # This will be your VyOS install's public IPv6 address - set interfaces tunnel tun0 description 'HE.NET IPv6 Tunnel' - set interfaces tunnel tun0 encapsulation 'sit' - set interfaces tunnel tun0 local-ip Client_IPv4_from_Tunnelbroker # This is your public IP - set interfaces tunnel tun0 mtu '1472' - set interfaces tunnel tun0 multicast 'disable' - set interfaces tunnel tun0 remote-ip Server_IPv4_from_Tunnelbroker # This is the IP of the Tunnelbroker server - set protocols static interface-route6 ::/0 next-hop-interface tun0 # Tell all traffic to go over this tunnel - commit - -If your WAN connection is over PPPoE, you may need to set the MTU on the above -tunnel lower than 1472. - -At this point you should be able to ping an IPv6 address, try pinging Google: - -.. code-block:: none - - ping6 -c2 2001:4860:4860::8888 - - 64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=57 time=21.7 ms - 64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=57 time=21.1 ms - - --- 2001:4860:4860::8888 ping statistics --- - 2 packets transmitted, 2 received, 0% packet loss, time 1001ms - rtt min/avg/max/mdev = 21.193/21.459/21.726/0.304 ms - -Assuming the pings are successful, you need to add some DNS servers. -Some options: - -.. code-block:: none - - set system name-server 2001:4860:4860::8888 # Google - set system name-server 2001:4860:4860::8844 # Google - set system name-server 2606:4700:4700::1111 # Cloudflare - set system name-server 2606:4700:4700::1001 # Cloudflare - commit - -You should now be able to ping something by IPv6 DNS name: - -.. code-block:: none - - # ping6 -c2 one.one.one.one - PING one.one.one.one(one.one.one.one) 56 data bytes - 64 bytes from one.one.one.one: icmp_seq=1 ttl=58 time=16.8 ms - 64 bytes from one.one.one.one: icmp_seq=2 ttl=58 time=17.4 ms - - --- one.one.one.one ping statistics --- - 2 packets transmitted, 2 received, 0% packet loss, time 1001ms - rtt min/avg/max/mdev = 16.880/17.153/17.426/0.273 ms - -Assuming everything works, you can proceed to client configuration - -LAN Configuration -================= - -At this point your VyOS install should have full IPv6, but now your LAN devices -need access. - -With Tunnelbroker.net, you have two options: - -- Routed /64. This is the default assignment. In IPv6-land, it's good for a - single "LAN", and is somewhat equivalent to a /24. - Example: `2001:470:xxxx:xxxx::/64` -- Routed /48. This is something you can request by clicking the "Assign /48" - link in the Tunnelbroker.net tunnel config. It allows you to have up to 65k - LANs. Example: `2001:470:xxxx::/48` - -Unlike IPv4, IPv6 is really not designed to be broken up smaller than /64. So -if you ever want to have multiple LANs, VLANs, DMZ, etc, you'll want to ignore -the assigned /64, and request the /48 and use that. - -Single LAN Setup -================ - -Single LAN setup where eth1 is your LAN interface. Use the /64 (all the xxxx -should be replaced with the information from your `Routed /64` tunnel): - -.. code-block:: none - - set interfaces ethernet eth1 address '2001:470:xxxx:xxxx::1/64' - set service router-advert interface eth1 name-server '2001:4860:4860::8888' - set service router-advert interface eth1 name-server '2001:4860:4860::8844' - set service router-advert interface eth1 prefix 2001:470:xxxx:xxxx::/64 - -Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default, 'valid-lifetime' and 'preferred-lifetime' are set to default values of 30 days and 4 hours respectively. - -This accomplishes a few things: - -- Sets your LAN interface's IP address -- Enables router advertisements. This is an IPv6 alternative for DHCP (though - DHCPv6 can still be used). With RAs, Your devices will automatically find the - information they need for routing and DNS. - -Multiple LAN/DMZ Setup -====================== - -In this, you use the `Routed /48` information. This allows you to assign a -different /64 to every interface, LAN, or even device. Or you could break your -network into smaller chunks like /56 or /60. - -The format of these addresses: - -- `2001:470:xxxx::/48`: The whole subnet. xxxx should come from Tunnelbroker. -- `2001:470:xxxx:1::/64`: A subnet suitable for a LAN -- `2001:470:xxxx:2::/64`: Another subnet -- `2001:470:xxxx:ffff:/64`: The last usable /64 subnet. - -In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff -(1-65535). - -So, when your LAN is eth1, your DMZ is eth2, your cameras live on eth3, etc: - -.. code-block:: none - - set interfaces ethernet eth1 address '2001:470:xxxx:1::1/64' - set service router-advert interface eth1 name-server '2001:4860:4860::8888' - set service router-advert interface eth1 name-server '2001:4860:4860::8844' - set service router-advert interface eth1 prefix 2001:470:xxxx:1::/64 - - set interfaces ethernet eth2 address '2001:470:xxxx:2::1/64' - set service router-advert interface eth2 name-server '2001:4860:4860::8888' - set service router-advert interface eth2 name-server '2001:4860:4860::8844' - set service router-advert interface eth2 prefix 2001:470:xxxx:2::/64 - - set interfaces ethernet eth3 address '2001:470:xxxx:3::1/64' - set service router-advert interface eth3 name-server '2001:4860:4860::8888' - set service router-advert interface eth3 name-server '2001:4860:4860::8844' - set service router-advert interface eth3 prefix 2001:470:xxxx:3::/64 - -Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default, 'valid-lifetime' and 'preferred-lifetime' are set to default values of 30 days and 4 hours respectively. - -Firewall -======== - -Finally, don't forget the :ref:`firewall`. The usage is identical, except for -instead of `set firewall name NAME`, you would use `set firewall ipv6-name -NAME`. - -Similarly, to attach the firewall, you would use `set interfaces ethernet eth0 -firewall in ipv6-name` or `set zone-policy zone LOCAL from WAN firewall -ipv6-name`. diff --git a/docs/appendix/examples/wan-load-balancing.rst b/docs/appendix/examples/wan-load-balancing.rst deleted file mode 100644 index 7093defe..00000000 --- a/docs/appendix/examples/wan-load-balancing.rst +++ /dev/null @@ -1,170 +0,0 @@ -.. _wan-load-balancing: - -WAN Load Balancer examples -========================== - - -Example 1: Distributing load evenly ------------------------------------ - -The setup used in this example is shown in the following diagram: - -.. image:: /_static/images/Wan_load_balancing1.png - :width: 80% - :align: center - :alt: Network Topology Diagram - - -Overview -^^^^^^^^ - * All traffic coming in trough eth2 is balanced between eth0 and eth1 - on the router. - * Pings will be sent to four targets for health testing (33.44.55.66, - 44.55.66.77, 55.66.77.88 and 66.77.88.99). - * All outgoing packets are assigned the source address of the assigned - interface (SNAT). - * eth0 is set to be removed from the load balancer's interface pool - after 5 ping failures, eth1 will be removed after 4 ping failures. - -Create static routes to ping targets -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Create static routes through the two ISPs towards the ping targets and -commit the changes: - -.. code-block:: none - - set protocols static route 33.44.55.66/32 next-hop 11.22.33.1 - set protocols static route 44.55.66.77/32 next-hop 11.22.33.1 - set protocols static route 55.66.77.88/32 next-hop 22.33.44.1 - set protocols static route 66.77.88.99/32 next-hop 22.33.44.1 - -Configure the load balancer -^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Configure the WAN load balancer with the parameters described above: - -.. code-block:: none - - set load-balancing wan interface-health eth0 failure-count 5 - set load-balancing wan interface-health eth0 nexthop 11.22.33.1 - set load-balancing wan interface-health eth0 test 10 type ping - set load-balancing wan interface-health eth0 test 10 target 33.44.55.66 - set load-balancing wan interface-health eth0 test 20 type ping - set load-balancing wan interface-health eth0 test 20 target 44.55.66.77 - set load-balancing wan interface-health eth1 failure-count 4 - set load-balancing wan interface-health eth1 nexthop 22.33.44.1 - set load-balancing wan interface-health eth1 test 10 type ping - set load-balancing wan interface-health eth1 test 10 target 55.66.77.88 - set load-balancing wan interface-health eth1 test 20 type ping - set load-balancing wan interface-health eth1 test 20 target 66.77.88.99 - set load-balancing wan rule 10 inbound-interface eth2 - set load-balancing wan rule 10 interface eth0 - set load-balancing wan rule 10 interface eth1 - -Example 2: Failover based on interface weights ----------------------------------------------- - -This examples uses the failover mode. - -Overview -^^^^^^^^ -In this example eth0 is the primary interface and eth1 is the secondary -interface to provide simple failover functionality. If eth0 fails, eth1 -takes over. - -Create interface weight based configuration -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The configuration steps are the same as in the previous example, except -rule 10 so we keep the configuration, remove rule 10 and add a new rule -for the failover mode: - -.. code-block:: none - - delete load-balancing wan rule 10 - set load-balancing wan rule 10 failover - set load-balancing wan rule 10 inbound-interface eth2 - set load-balancing wan rule 10 interface eth0 weight 10 - set load-balancing wan rule 10 interface eth1 weight 1 - -Example 3: Failover based on rule order ---------------------------------------- - -The previous example used the failover command to send traffic thorugh -eth1 if eth0 fails. In this example failover functionality is provided -by rule order. - -Overview -^^^^^^^^ -Two rules will be created, the first rule directs traffic coming in -from eth2 to eth0 and the second rule directs the traffic to eth1. If -eth0 fails the first rule is bypassed and the second rule matches, -directing traffic to eth1. - -Create rule order based configuration -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -We keep the configurtation from the previous example, delete rule 10 -and create the two new rules as described: - -.. code-block:: none - - delete load-balancing wan rule 10 - set load-balancing wan rule 10 inbound-interface eth2 - set load-balancing wan rule 10 interface eth0 - set load-balancing wan rule 20 inbound-interface eth2 - set load-balancing wan rule 20 interface eth1 - -Example 4: Failover based on rule order - priority traffic ----------------------------------------------------------- - -A rule order for prioritising traffic is useful in scenarios where the -secondary link has a lower speed and should only carry high priority -traffic. It is assumed for this example that eth1 is connected to a -slower connection than eth0 and should prioritise VoIP traffic. - -Overview -^^^^^^^^ -A rule order for prioritising traffic is useful in scenarios where the -secondary link has a lower speed and should only carry high priority -traffic. It is assumed for this example that eth1 is connected to a -slower connection than eth0 and should prioritise VoIP traffic. - -Create rule order based configuration with low speed secondary link -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -We keep the configuration from the previous example, delete rule 20 and -create a new rule as described: - -.. code-block:: none - - delete load-balancing wan rule 20 - set load-balancing wan rule 20 inbound-interface eth2 - set load-balancing wan rule 20 interface eth1 - set load-balancing wan rule 20 destination port sip - set load-balancing wan rule 20 protocol tcp - set protocols static route 0.0.0.0/0 next-hop 11.22.33.1 - -Example 5: Exclude traffic from load balancing ----------------------------------------------- - -In this example two LAN interfaces exist in different subnets instead -of one like in the previous examples: - -.. image:: /_static/images/Wan_load_balancing_exclude1.png - :width: 80% - :align: center - :alt: Network Topology Diagram - -Adding a rule for the second interface -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Based on the previous example, another rule for traffic from the second -interface eth3 can be added to the load balancer. However, traffic meant -to flow between the LAN subnets will be sent to eth0 and eth1 as well. -To prevent this, another rule is required. This rule excludes traffic -between the local subnets from the load balancer. It also excludes -locally-sources packets (required for web caching with load balancing). -eth+ is used as an alias that refers to all ethernet interfaces: - -.. code-block:: none - - set load-balancing wan rule 5 exclude - set load-balancing wan rule 5 inbound-interface eth+ - set load-balancing wan rule 5 destination address 10.0.0.0/8 diff --git a/docs/appendix/examples/zone-policy.rst b/docs/appendix/examples/zone-policy.rst deleted file mode 100644 index bfe77c2e..00000000 --- a/docs/appendix/examples/zone-policy.rst +++ /dev/null @@ -1,415 +0,0 @@ -.. _examples-zone-policy: - -Zone-Policy example -------------------- - -Native IPv4 and IPv6 -^^^^^^^^^^^^^^^^^^^^ - -We have three networks. - -.. code-block:: none - - WAN - 172.16.10.0/24, 2001:0DB8:0:9999::0/64 - LAN - 192.168.100.0/24, 2001:0DB8:0:AAAA::0/64 - DMZ - 192.168.200.0/24, 2001:0DB8:0:BBBB::0/64 - - -**This specific example is for a router on a stick, but is very easily -adapted for however many NICs you have**: - - -* Internet - 192.168.200.100 - TCP/80 -* Internet - 192.168.200.100 - TCP/443 -* Internet - 192.168.200.100 - TCP/25 -* Internet - 192.168.200.100 - TCP/53 -* VyOS actis as DHCP, DNS forwarder, NAT, router and firewall. -* 192.168.200.200/2001:0DB8:0:BBBB::200 is an internal/external DNS, web - and mail (SMTP/IMAP) server. -* 192.168.100.10/2001:0DB8:0:AAAA::10 is the administrator's console. It - can SSH to VyOS. -* LAN and DMZ hosts have basic outbound access: Web, FTP, SSH. -* LAN can access DMZ resources. -* DMZ cannot access LAN resources. -* Inbound WAN connect to DMZ host. - -.. image:: /_static/images/zone-policy-diagram.png - :width: 80% - :align: center - :alt: Network Topology Diagram - -The VyOS interface is assigned the .1/:1 address of their respective -networks. WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30. - -It will look something like this: - -.. code-block:: none - - interfaces { - ethernet eth0 { - duplex auto - hw-id 00:53:ed:6e:2a:92 - smp_affinity auto - speed auto - vif 10 { - address 172.16.10.1/24 - address 2001:db8:0:9999::1/64 - } - vif 20 { - address 192.168.100.1/24 - address 2001:db8:0:AAAA::1/64 - } - vif 30 { - address 192.168.200.1/24 - address 2001:db8:0:BBBB::1/64 - } - } - loopback lo { - } - } - - -Zones Basics -^^^^^^^^^^^^ - -Each interface is assigned to a zone. The interface can be physical or -virtual such as tunnels (VPN, PPTP, GRE, etc) and are treated exactly -the same. - -Traffic flows from zone A to zone B. That flow is what I refer to as a -zone-pair-direction. eg. A->B and B->A are two zone-pair-destinations. - -Ruleset are created per zone-pair-direction. - -I name rule sets to indicate which zone-pair-direction they represent. -eg. ZoneA-ZoneB or ZoneB-ZoneA. LAN-DMZ, DMZ-LAN. - -In VyOS, you have to have unique Ruleset names. In the event of overlap, -I add a "-6" to the end of v6 rulesets. eg. LAN-DMZ, LAN-DMZ-6. This -allows for each auto-completion and uniqueness. - -In this example we have 4 zones. LAN, WAN, DMZ, Local. The local zone is -the firewall itself. - -If your computer is on the LAN and you need to SSH into your VyOS box, -you would need a rule to allow it in the LAN-Local ruleset. If you want -to access a webpage from your VyOS box, you need a rule to allow it in -the Local-LAN ruleset. - -In rules, it is good to keep them named consistently. As the number of -rules you have grows, the more consistency you have, the easier your -life will be. - -.. code-block:: none - - Rule 1 - State Established, Related - Rule 2 - State Invalid - Rule 100 - ICMP - Rule 200 - Web - Rule 300 - FTP - Rule 400 - NTP - Rule 500 - SMTP - Rule 600 - DNS - Rule 700 - DHCP - Rule 800 - SSH - Rule 900 - IMAPS - -The first two rules are to deal with the idiosyncrasies of VyOS and -iptables. - -Zones and Rulesets both have a default action statement. When using -Zone-Policies, the default action is set by the zone-policy statement -and is represented by rule 10000. - -It is good practice to log both accepted and denied traffic. It can save -you significant headaches when trying to troubleshoot a connectivity -issue. - -To add logging to the default rule, do: - -.. code-block:: none - - set firewall name <ruleSet> enable-default-log - - -By default, iptables does not allow traffic for established session to -return, so you must explicitly allow this. I do this by adding two rules -to every ruleset. 1 allows established and related state packets through -and rule 2 drops and logs invalid state packets. We place the -established/related rule at the top because the vast majority of traffic -on a network is established and the invalid rule to prevent invalid -state packets from mistakenly being matched against other rules. Having -the most matched rule listed first reduces CPU load in high volume -environments. Note: I have filed a bug to have this added as a default -action as well. - -''It is important to note, that you do not want to add logging to the -established state rule as you will be logging both the inbound and -outbound packets for each session instead of just the initiation of the -session. Your logs will be massive in a very short period of time.'' - -In VyOS you must have the interfaces created before you can apply it to -the zone and the rulesets must be created prior to applying it to a -zone-policy. - -I create/configure the interfaces first. Build out the rulesets for each -zone-pair-direction which includes at least the three state rules. Then -I setup the zone-policies. - -Zones do not allow for a default action of accept; either drop or -reject. It is important to remember this because if you apply an -interface to a zone and commit, any active connections will be dropped. -Specifically, if you are SSH’d into VyOS and add local or the interface -you are connecting through to a zone and do not have rulesets in place -to allow SSH and established sessions, you will not be able to connect. - -The following are the rules that were created for this example (may not -be complete), both in IPv4 and IPv6. If there is no IP specified, then -the source/destination address is not explicit. - -.. code-block:: none - - WAN – DMZ:192.168.200.200 – tcp/80 - WAN – DMZ:192.168.200.200 – tcp/443 - WAN – DMZ:192.168.200.200 – tcp/25 - WAN – DMZ:192.168.200.200 – tcp/53 - WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/80 - WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/443 - WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/25 - WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/53 - - DMZ - Local - tcp/53 - DMZ - Local - tcp/123 - DMZ - Local - tcp/67,68 - - LAN - Local - tcp/53 - LAN - Local - tcp/123 - LAN - Local - tcp/67,68 - LAN:192.168.100.10 - Local - tcp/22 - LAN:2001:0DB8:0:AAAA::10 - Local - tcp/22 - - LAN - WAN - tcp/80 - LAN - WAN - tcp/443 - LAN - WAN - tcp/22 - LAN - WAN - tcp/20,21 - - DMZ - WAN - tcp/80 - DMZ - WAN - tcp/443 - DMZ - WAN - tcp/22 - DMZ - WAN - tcp/20,21 - DMZ - WAN - tcp/53 - DMZ - WAN - udp/53 - - Local - WAN - tcp/80 - Local - WAN - tcp/443 - Local - WAN - tcp/20,21 - - Local - DMZ - tcp/25 - Local - DMZ - tcp/67,68 - Local - DMZ - tcp/53 - Local - DMZ - udp/53 - - Local - LAN - tcp/67,68 - - LAN - DMZ - tcp/80 - LAN - DMZ - tcp/443 - LAN - DMZ - tcp/993 - LAN:2001:0DB8:0:AAAA::10 - DMZ:2001:0DB8:0:BBBB::200 - tcp/22 - LAN:192.168.100.10 - DMZ:192.168.200.200 - tcp/22 - -Since we have 4 zones, we need to setup the following rulesets. - -.. code-block:: none - - Lan-wan - Lan-local - Lan-dmz - Wan-lan - Wan-local - Wan-dmz - Local-lan - Local-wan - Local-dmz - Dmz-lan - Dmz-wan - Dmz-local - -Even if the two zones will never communicate, it is a good idea to -create the zone-pair-direction rulesets and set enable-default-log. This -will allow you to log attempts to access the networks. Without it, you -will never see the connection attempts. - -This is an example of the three base rules. - -.. code-block:: none - - name wan-lan { - default-action drop - enable-default-log - rule 1 { - action accept - state { - established enable - related enable - } - } - rule 2 { - action drop - log enable - state { - invalid enable - } - } - } - - -Here is an example of an IPv6 DMZ-WAN ruleset. - -.. code-block:: none - - ipv6-name dmz-wan-6 { - default-action drop - enable-default-log - rule 1 { - action accept - state { - established enable - related enable - } - } - rule 2 { - action drop - log enable - state { - invalid enable - } - rule 100 { - action accept - log enable - protocol ipv6-icmp - } - rule 200 { - action accept - destination { - port 80,443 - } - log enable - protocol tcp - } - rule 300 { - action accept - destination { - port 20,21 - } - log enable - protocol tcp - } - rule 500 { - action accept - destination { - port 25 - } - log enable - protocol tcp - source { - address 2001:db8:0:BBBB::200 - } - } - rule 600 { - action accept - destination { - port 53 - } - log enable - protocol tcp_udp - source { - address 2001:db8:0:BBBB::200 - } - } - rule 800 { - action accept - destination { - port 22 - } - log enable - protocol tcp - } - } - -Once you have all of your rulesets built, then you need to create your -zone-policy. - -Start by setting the interface and default action for each zone. - -.. code-block:: none - - set zone-policy zone dmz default-action drop - set zone-policy zone dmz interface eth0.30 - -In this case, we are setting the v6 ruleset that represents traffic -sourced from the LAN, destined for the DMZ. Because the zone-policy -firewall syntax is a little awkward, I keep it straight by thinking of -it backwards. - -.. code-block:: none - - set zone-policy zone dmz from lan firewall ipv6-name lan-dmz-6 - -DMZ-LAN policy is LAN-DMZ. You can get a rhythm to it when you build out -a bunch at one time. - -In the end, you will end up with something like this config. I took out -everything but the Firewall, Interfaces, and zone-policy sections. It is -long enough as is. - - -IPv6 Tunnel -^^^^^^^^^^^ - -If you are using a IPv6 tunnel from HE.net or someone else, the basis is -the same except you have two WAN interface. One for v4 and one for v6. - -You would have 5 zones instead of just 4 and you would configure your v6 -ruleset between your tunnel interface and your LAN/DMZ zones instead of -to the WAN. - -LAN, WAN, DMZ, local and TUN (tunnel) - -v6 pairs would be: - -.. code-block:: none - - lan-tun - lan-local - lan-dmz - tun-lan - tun-local - tun-dmz - local-lan - local-tun - local-dmz - dmz-lan - dmz-tun - dmz-local - -Notice, none go to WAN since WAN wouldn't have a v6 address on it. - -You would have to add a couple of rules on your wan-local ruleset to -allow protocol 41 in. - -Something like: - -.. code-block:: none - - rule 400 { - action accept - destination { - address 172.16.10.1 - } - log enable - protocol 41 - source { - address ip.of.tunnel.broker - } - } - |