VyOS安装和配置_vyos图形界面

VyOS是基于Linux的网络操作系统，可提供基于软件的网络路由，防火墙和VPN功能。

VyOS项目于2013年底开始，是Vyatta Core 6.6R1 的GPL部分的社区分支， 目的是维护一个自由和开源的网络操作系统，以响应终止Vyatta社区版本的决定。在这里，每个人都喜欢学习，老一辈的经理和新用户。

VyOS主要基于Debian GNU / Linux和Quagga路由引擎。其配置语法和CLI大致是从XORP项目建模的Juniper JUNOS派生而来的，该 项目是Vyatta的原始路由引擎。

在Vyatta 4.0版本中，路由引擎已更改为Quagga。从VyOS 1.2版开始，VyOS现在使用FRRouting作为路由引擎。

VyOS与任何其他路由器发行版和平台有何不同？

• VyOS不仅仅是防火墙和VPN，还包括OSPFv2，OSPFv3，BGP，VRRP等扩展的路由功能，以及广泛的路由策略映射和过滤
• 硬件路由器样式的统一命令行界面。
• 可编写脚本的CLI
• 有状态的配置系统：准备更改并立即提交或丢弃，查看先前的修订或回滚，将修订存档到远程服务器并在提交时执行挂钩
• 基于映像的升级：将多个版本保留在同一系统上，如果出现问题，则还原为以前的映像
• 多种VPN功能：OpenVPN，IPSec，Wireguard，DPMVPN，IKEv2等
• DHCP，TFTP，mDNS中继器，广播中继和DNS转发支持
• IPv4和IPv6均支持
• 在物理和虚拟平台上均可运行：小型x86板，大型服务器，KVM，Xen，VMware，Hyper-V等
• 完全免费和开源，带有文档化的内部API和构建过程
• 社区驱动。欢迎使用补丁程序，所有代码，错误和夜间构建均可公开访问

   

• 要安装VyOS，请使用提供的默认凭据登录实时系统后运行。install image

  vyos@vyos:~$ install image
  Welcome to the VyOS install program.  This script
  will walk you through the process of installing the
  VyOS image to a local hard drive.
  Would you like to continue? (Yes/No) [Yes]: Yes
  Probing drives: OK
  Looking for pre-existing RAID groups...none found.
  The VyOS image will require a minimum 2000MB root.
  Would you like me to try to partition a drive automatically
  or would you rather partition it manually with parted?  If
  you have already setup your partitions, you may skip this step
   
  Partition (Auto/Parted/Skip) [Auto]:
   
  I found the following drives on your system:
   sda    4294MB
   
  Install the image on? [sda]:
   
  This will destroy all data on /dev/sda.
  Continue? (Yes/No) [No]: Yes
   
  How big of a root partition should I create? (2000MB - 4294MB) [4294]MB:
   
  Creating filesystem on /dev/sda1: OK
  Done!
  Mounting /dev/sda1...
  What would you like to name this image? [1.2.0-rolling+201809210337]:
  OK.  This image will be named: 1.2.0-rolling+201809210337
  Copying squashfs image...
  Copying kernel and initrd images...
  Done!
  I found the following configuration files:
      /opt/vyatta/etc/config.boot.default
  Which one should I copy to sda? [/opt/vyatta/etc/config.boot.default]:
   
  Copying /opt/vyatta/etc/config.boot.default to sda.
  Enter password for administrator account
  Enter password for user 'vyos':
  Retype password for user 'vyos':
  I need to install the GRUB boot loader.
  I found the following drives on your system:
   sda    4294MB
   
  Which drive should GRUB modify the boot partition on? [sda]:
   
  Setting up grub: OK
  Done!
  

  安装完成后，取出实时CD并重新引导系统：

  vyos@vyos:~$ reboot
  Proceed with reboot? (Yes/No) [No] Yes
  

   

  vyos 基础配置

   

  1 基本配置

  #配置外网接口
  set interfaces ethernet eth0 address 10.0.1.32/24
  set interfaces ethernet eth0 description public
   
  #配置内网接口
  set interfaces ethernet eth1 address 192.168.100.1/24
  set interfaces ethernet eth1 description private
   
  #指定静态路由
  set protocols static route 0.0.0.0/0 next-hop 10.0.1.1 distance 1
  

  #启动ssh服务器
  set service ssh port 29922
   
  #设置主机名
  set system host-name vyos-master
   
  #设备时区
  set system time-zone Asia/Shanghai
  

  #提交修改
  commit
   
  #保存到启动文件
  save
  Saving configuration to '/config/config.boot'...
   
  #回退
  rollback 
  

  2 NAT

  Source NAT
  1 The internal IP addresses we want to translate
  2 The outgoing interface to perform the translation on
  3 The external IP address to translate to
   
  # 内网开放访问外网权限
  set nat source rule 100 outbound-interface eth0
  set nat source rule 100 source address 192.168.100.0/24
  set nat source rule 100 translation address masquerade
   
  # 不使用防火墙外网地址，指派特定外网ip　10.0.1.100
  set interfaces ethernet eth0 address 10.0.1.100/24
  set nat source rule 100 outbound-interface eth0
  set nat source rule 100 source address 192.168.100.0/24
  set nat source rule 100 translation address 10.0.1.100
   
  # 内网主机数量大时，使用地址池，推荐每256台主机分配1个外网地址
  ......
  set nat source rule 100 translation address 10.0.1.101-10.0.1.132
   
  # NAT Reflection 这个没搞懂是做什么用的？
  set nat source rule 110 description 'NAT Reflection: INSIDE'
  set nat source rule 110 destination address 192.168.100.0/24
  set nat source rule 110 outbound-interface eth1
  set nat source rule 110 source address 192.168.100.0/24
  set nat source rule 110 translation address masquerade
  

  Destination NAT
  1 The interface traffic will be coming in on
  2 The protocol and port we wish to forward
  3 The IP address of the internal system we wish to forward traffic to
   
  端口映射
  # 10.0.1.100:80 -> 192.168.100.101:80
  set nat destination rule 10 description 'Port Forward: 10.0.1.100:80 to 192.168.100.101:80'
  set nat destination rule 10 inbound-interface eth0
  set nat destination rule 10 destination address 10.0.1.100
  set nat destination rule 10 destination port 80
  set nat destination rule 10 protocol tcp
  set nat destination rule 10 translation address 192.168.100.101
  set nat destination rule 10 translation port 80
   
  # 10.0.1.100:29922 -> 192.168.100.101:22
  set nat destination rule 20 description 'Port Forward: 10.0.1.100:29922 to 192.168.100.101:22'
  set nat destination rule 20 inbound-interface eth0
  set nat destination rule 20 destination address 10.0.1.100
  set nat destination rule 20 destination port 29922
  set nat destination rule 20 protocol tcp
  set nat destination rule 20 translation address 192.168.100.101
  set nat destination rule 20 translation port 22
   
  # 注意防火墙要增加规则放行22, 80的通讯
   
  ip映射
  set interfaces ethernet eth0 address 10.0.1.200/24
   
  # 10.0.1.200 -> 192.168.100.102
  set nat destination rule 30 description 'NAT 1 to 1: 10.0.1.200 to 192.168.100.102'
  set nat destination rule 30 inbound-interface eth0
  set nat destination rule 30 destination address 10.0.1.200
  set nat destination rule 30 translation address 192.168.100.102
   
  set nat source rule 30 description 'NAT 1 to 1: 10.0.1.200 to 192.168.100.102'
  set nat source rule 30 outbound-interface eth1
  set nat source rule 30 source address 192.168.100.102
  set nat source rule 30 translation address 10.0.1.200
  

  3 FIREWALL

  # public区域包含外网接口，private区域包含内网接口，
  set zone-policy zone public interface eth0
  set zone-policy zone private interface eth1
   
  # 防火墙所有端口禁ping
  set firewall all-ping disable
   
  # 防火墙初始策略
  #　默认丢弃所有包
  set firewall name private-public default-action drop
   
  # private　-> public 方向的防火墙策略
  # 规则1 匹配成功的请求，允许建立与关联
  set firewall name private-public rule 1 action accept
  set firewall name private-public rule 1 state established enable
  set firewall name private-public rule 1 state related enable
   
  #　规则2 匹配失败的请求，记录日志
  set firewall name private-public rule 2 action drop
  set firewall name private-public rule 2 log enable
  set firewall name private-public rule 2 state invalid enable
   
  #　规则9999 匹配失败的请求，记录日志
  set firewall name private-public rule 9999 action drop
  set firewall name private-public rule 9999 log enable
   
  # 规则100 允许ping
  set firewall name private-public rule 100 action accept
  set firewall name private-public rule 100 log enable
  set firewall name private-public rule 100 protocol icmp
   
  # 规则200 允许http https
  set firewall name private-public rule 200 action accept
  set firewall name private-public rule 200 destination port 80,443
  set firewall name private-public rule 200 log enable
  set firewall name private-public rule 200 protocol tcp
   
  # 规则300 允许22(ssh), 29922
  set firewall name private-public rule 300 action accept
  set firewall name private-public rule 300 destination port 22,29922
  set firewall name private-public rule 300 log enable
  set firewall name private-public rule 300 protocol tcp
   
  # 规则200 允许来自10.0.1.0/24的dns请求
  set firewall name private-public rule 600 action accept
  set firewall name private-public rule 600 destination port 53
  set firewall name private-public rule 600 log enable
  set firewall name private-public rule 600 protocol tcp_udp
  set firewall name private-public rule 600 source address 10.0.1.0/24
   
  # private-public规则集作用于从private到public的访问，效果是允许ping外网ip，允许到外网80,443的请求，允许来自10.0.1.0/24子网到外网的dns请求
  set zone-policy zone public from private firewall name private-public
   
  # public -> private方向的防火墙策略
  set firewall name public-private default-action drop
  set firewall name public-private rule 1 action accept
  set firewall name public-private rule 1 state established enable
  set firewall name public-private rule 1 state related enable
   
  set firewall name public-private rule 2 action drop
  set firewall name public-private rule 2 log enable
  set firewall name public-private rule 2 state invalid enable
   
  # 规则100 允许80, 443, 22, 29922的请求
  set firewall name public-private rule 100 action accept
  set firewall name public-private rule 100 destination port 80,443,22,29922
  set firewall name public-private rule 100 log enable
  set firewall name public-private rule 100 protocol tcp
   
  set firewall name public-private rule 9999 action drop
  set firewall name public-private rule 9999 log enable
   
  # public-private规则集作用于从public到private的访问，允许到内网映射端口80,443,22,29922的访问，如ssh -p 29922 10.0.1.100, http://10.0.1.100
  set zone-policy zone private from public firewall name public-private
  

   

  ====================== End