Configure VyOS as a Basic NAT Router
VyOS is a versatile open source router forked from Brocade's previously open source Vyatta project. Here I'll outline a basic install that functions as a single NAT router. This configuration is well suited to virtual lab environments.
Prerequisites: This assumes you've already created a blank VM and mounted the VyOS image.
Default Login:
Username: VyOS
Password: VyOS
Install the VyOS image to the local disk:
vyos@vyos:~$ install image
Follow the prompts...
Enter configuration mode
vyos@vyos:~$ configure
This switches the CLI into configuration mode so you can change settings; the prompt changes from $ to #.
Set the WAN interface to obtain an address via DHCP
vyos@vyos# set interfaces ethernet eth0 address dhcp
Note: Depending on the environment you may want to consider a static IP or bridging this with a PPPoE interface.
Set a static IP on the internal interface
vyos@vyos# set interfaces ethernet eth1 address '192.168.0.1/24'
Note: This sets the IP address of the internal interface, which clients use as their default gateway.
Add a description to the interfaces
vyos@vyos# set interfaces ethernet eth0 description 'WAN Interface'
vyos@vyos# set interfaces ethernet eth1 description 'LAN Interface'
Configure NAT on WAN
vyos@vyos# set nat source rule 100 outbound-interface 'eth0'
vyos@vyos# set nat source rule 100 source address '192.168.0.0/24'
vyos@vyos# set nat source rule 100 translation address masquerade
Line 1: Creates a source NAT rule (number 100) and sets the outbound (external) interface for the rule to 'eth0'.
Line 2: Identifies the clients (the 192.168.0.0/24 LAN) for which the router performs NAT, so they can communicate via the WAN using the same external/public IP.
Line 3: Enables masquerading for the rule, so all clients appear to be communicating from the one WAN IP (whatever address eth0 currently holds).
Configure a stateful firewall from the WAN to the internal network
vyos@vyos# set firewall name OUTSIDE-IN default-action 'drop'
vyos@vyos# set firewall name OUTSIDE-IN rule 10 action 'accept'
vyos@vyos# set firewall name OUTSIDE-IN rule 10 state established 'enable'
vyos@vyos# set firewall name OUTSIDE-IN rule 10 state related 'enable'
Line 1: Creates a firewall policy named 'OUTSIDE-IN' and sets it to drop traffic by default.
Line 2: Creates a firewall rule (number 10) which accepts traffic that matches the rule.
Line 3: Specifies that the rule applies when the traffic belongs to an established session (one initiated from the inside).
Line 4: Specifies that the rule also applies when the traffic is related to an established session (for example ICMP errors or a data connection tied to a tracked control session).
Configure a firewall to drop traffic sent directly to the router
vyos@vyos# set firewall name OUTSIDE-LOCAL default-action 'drop'
Note: This policy drops all traffic by default; it has no rules of its own yet.
Link the firewall policies to interfaces and directions
vyos@vyos# set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
vyos@vyos# set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
Line 1: Links the 'OUTSIDE-IN' policy to the eth0 interface for traffic arriving on eth0 that is forwarded to other devices (the LAN).
Line 2: Links the 'OUTSIDE-LOCAL' policy to the eth0 interface for traffic arriving on eth0 that is addressed to the router itself.
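The whole procedure above as one command listing, including the commit and save steps the walkthrough does not show and a verification pass at the end. This is an added example, not the original post's listing: the interface names eth0/eth1, the 192.168.0.0/24 LAN and the policy names come from the walkthrough, while the OUTSIDE-LOCAL rule 10 (established/related accept) and the show commands are additions. Rule 10 is there because a local policy with only a default drop also discards replies to connections the router itself opens from eth0, such as DNS lookups, NTP and package updates.

```vyos
configure

# Interfaces (the command keyword is the plural 'interfaces')
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'WAN Interface'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'LAN Interface'

# Source NAT: LAN clients leave eth0 using whatever address eth0 holds
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address masquerade

# Forwarded traffic from the WAN: only replies to sessions started from inside
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'

# Traffic from the WAN to the router itself: drop everything except replies
# to connections the router opened. Rule 10 is an addition to the walkthrough;
# without it the router's own DNS, NTP and update traffic on eth0 gets no replies.
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'

# Attach both policies to the WAN interface (eth0), not the LAN interface
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

# Nothing takes effect until commit; save writes it to config.boot so it survives a reboot
commit
save
exit

# Verification from operational mode
show interfaces
show nat source rules
show firewall name OUTSIDE-IN
show firewall name OUTSIDE-LOCAL
```

Attaching both policies to eth0 is what keeps management reachable: nothing is filtered on eth1, so SSH and ping from the LAN still work, while from the WAN the router answers only traffic that matches an existing connection. The show commands confirm that eth0 obtained a lease, that rule 100 is active on eth0, and that the policies and their rule counters exist before any client is pointed at 192.168.0.1.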