
EDGE01 Configuration

Initial Setup

  • Change password:
# Sets the password of the built-in "vyos" login. The plaintext value is
# written into this document verbatim, so anyone who can read the journal
# knows the router credential. NOTE(review): the encrypted-password form of
# the same command records only the hash and is the safer thing to document.
configure
set system login user vyos authentication plaintext-password password123!
commit
save
  • Change hostname:
# Names the router; the hostname appears in the CLI prompt and in log output.
configure
set system host-name edge01-charlotte
commit
save

Interface Configuration

# Three interfaces, one per security zone (zone bindings are made later):
#   eth0 - WAN, 10.0.17.151/24
#   eth1 - DMZ, 172.16.50.2/29  (6 usable hosts)
#   eth2 - LAN, 172.16.150.2/24
# No interface carries the 172.16.200.0/28 MGMT range that later NAT and
# firewall rules reference; presumably it sits behind another router on the
# LAN side — verify against the site topology.
configure
set interfaces ethernet eth0 description SEC350-WAN
set interfaces ethernet eth1 description CHARLOTTE-DMZ
set interfaces ethernet eth2 description CHARLOTTE-LAN
set interfaces ethernet eth0 address 10.0.17.151/24
set interfaces ethernet eth1 address 172.16.50.2/29
set interfaces ethernet eth2 address 172.16.150.2/24
commit
save

Gateway and DNS Configuration

# Default route and the router's own resolver both point at 10.0.17.2, the
# upstream gateway on the WAN segment. The same server is what the DNS
# forwarding service hands queries to via "forwarding system" below.
configure
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
commit
save

NAT Configuration

configure
# Source NAT: three internal ranges masquerade behind eth0's address when
# leaving toward the WAN. Rule 30 matches a MGMT subnet that is not directly
# attached here, so it only has effect if a route to 172.16.200.0/28 exists.
# DMZ to WAN NAT
set nat source rule 10 description "NAT FROM DMZ to WAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.50.0/29
set nat source rule 10 translation address masquerade

# LAN to WAN NAT
set nat source rule 20 description "NAT FROM LAN to WAN"
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 172.16.150.0/24
set nat source rule 20 translation address masquerade

# MGMT to WAN NAT
set nat source rule 30 description "NAT FROM MGMT to WAN"
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 172.16.200.0/28
set nat source rule 30 translation address masquerade

# Destination NAT: inbound TCP/80 on eth0 is rewritten to the web server and
# TCP/22 to the jump host. Neither rule carries a "source address" match, so
# the translation applies to every WAN peer; the WAN-to-DMZ firewall policy
# then decides whether the rewritten packet is forwarded.
# Port Forwarding for HTTP
set nat destination rule 10 description "HTTP->NGINX01"
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 destination port 80
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 172.16.50.3

# Port Forwarding for SSH
# NOTE(review): SSH to the jump host is exposed to any WAN source. If the set
# of administrative origins is known, a "source address" match on this rule
# (or on WAN-to-DMZ rule 20) narrows the exposure; otherwise key-only auth on
# the jump host is the remaining control.
set nat destination rule 20 description "SSH->JUMP"
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 destination port 22
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 172.16.50.4

commit
save

DNS Forwarding Configuration

configure
# Recursive DNS for internal hosts. The service listens only on the DMZ and
# LAN addresses of this router (not on eth0), and "allow-from" limits which
# client ranges may query, so the forwarder is not reachable as an open
# resolver from the WAN. "system" makes it forward to the name-server set
# under "system" (10.0.17.2).
# DMZ DNS Forwarding
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29

# LAN DNS Forwarding
set service dns forwarding listen-address 172.16.150.2
set service dns forwarding allow-from 172.16.150.0/24

set service dns forwarding system
commit
save

Zone Configuration

# Zone membership: one interface per zone. Only transit zones are defined;
# NOTE(review): no local zone is declared, so the zone policies applied below
# govern traffic passing between eth0/eth1/eth2 — traffic addressed to the
# router itself (SSH, DNS forwarding) is presumably not subject to them and
# relies on the per-service listen-address / allow-from settings. Confirm
# against the VyOS release in use.
configure
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2
commit
save

Firewall Configuration

configure
# Create Zone-Based Firewalls
# Every rule set below is default-deny with logging of dropped packets.
# Rule 1 in each set accepts return traffic of established connections only;
# "related" is not enabled anywhere, so dependent flows (e.g. ICMP error
# messages for an existing connection) may fall through to the default drop.

# WAN-to-DMZ
# Inbound from the Internet: only the two published services, matched on the
# post-DNAT destination addresses. Rule 20 has no source restriction, so the
# jump host's SSH is reachable from any WAN address.
set firewall name WAN-to-DMZ default-action drop
set firewall name WAN-to-DMZ enable-default-log
set firewall name WAN-to-DMZ rule 1 action accept
set firewall name WAN-to-DMZ rule 1 state established enable
set firewall name WAN-to-DMZ rule 10 description "allow HTTP from WAN to DMZ"
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name WAN-to-DMZ rule 10 destination port 80
set firewall name WAN-to-DMZ rule 10 protocol tcp

set firewall name WAN-to-DMZ rule 20 action accept
set firewall name WAN-to-DMZ rule 20 description "SSH to JUMP"
set firewall name WAN-to-DMZ rule 20 destination address 172.16.50.4
set firewall name WAN-to-DMZ rule 20 destination port 22
set firewall name WAN-to-DMZ rule 20 protocol tcp


# DMZ-to-WAN
# DMZ hosts may only answer connections that were opened toward them; they
# cannot originate anything to the WAN (no updates, no outbound DNS except
# via this router's forwarder). Intentional isolation, or missing rules —
# confirm with the operator.
set firewall name DMZ-to-WAN default-action drop
set firewall name DMZ-to-WAN enable-default-log
set firewall name DMZ-to-WAN rule 1 action accept
set firewall name DMZ-to-WAN rule 1 state established enable

# LAN-to-DMZ
# LAN may reach the web server on TCP/80; SSH into the DMZ is limited to the
# single management host 172.16.150.10 (any DMZ destination).
set firewall name LAN-to-DMZ default-action drop
set firewall name LAN-to-DMZ enable-default-log
set firewall name LAN-to-DMZ rule 1 action accept
set firewall name LAN-to-DMZ rule 1 state established enable
set firewall name LAN-to-DMZ rule 10 description "Allow HTTP from LAN to DMZ"
set firewall name LAN-to-DMZ rule 10 action accept
set firewall name LAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name LAN-to-DMZ rule 10 destination port 80
set firewall name LAN-to-DMZ rule 10 protocol tcp
set firewall name LAN-to-DMZ rule 20 description "Allow SSH from MGMT-01 to DMZ"
set firewall name LAN-to-DMZ rule 20 action accept
set firewall name LAN-to-DMZ rule 20 destination port 22
set firewall name LAN-to-DMZ rule 20 protocol tcp
set firewall name LAN-to-DMZ rule 20 source address 172.16.150.10

# DMZ-to-LAN
# The only DMZ-originated path into the LAN zone is agent traffic to the
# Wazuh manager (TCP 1514 agent events, 1515 enrollment). 172.16.200.10 is
# in the MGMT range, which is not attached to eth2, so this rule only matters
# if MGMT is routed through the LAN zone — see the interface section.
set firewall name DMZ-to-LAN default-action drop
set firewall name DMZ-to-LAN enable-default-log
set firewall name DMZ-to-LAN rule 1 action accept
set firewall name DMZ-to-LAN rule 1 state established enable
set firewall name DMZ-to-LAN rule 10 description "wazuh agent communication with server"
set firewall name DMZ-to-LAN rule 10 action accept
set firewall name DMZ-to-LAN rule 10 destination address 172.16.200.10
set firewall name DMZ-to-LAN rule 10 destination port 1514,1515
set firewall name DMZ-to-LAN rule 10 protocol tcp

# LAN-to-WAN
# Rule 1 has no match criteria at all, so it accepts every LAN-originated
# packet and the default-action drop is never reached; this set is
# effectively allow-all outbound. Egress filtering, if wanted, goes here.
set firewall name LAN-to-WAN default-action drop
set firewall name LAN-to-WAN enable-default-log
set firewall name LAN-to-WAN rule 1 action accept

# WAN-to-LAN
# Nothing from the WAN may initiate into the LAN; only return traffic passes.
set firewall name WAN-to-LAN default-action drop
set firewall name WAN-to-LAN enable-default-log
set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state established enable

# Apply Zone Policies
# Direction is "zone <destination> from <source>"; each of the six ordered
# pairs gets its own rule set above.
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
set zone-policy zone WAN from LAN firewall name LAN-to-WAN

commit
save

RIP Configuration

# RIP runs on the LAN interface (eth2) and advertises the DMZ prefix
# 172.16.50.0/29 to whatever router sits on the LAN side (presumably the one
# in front of the MGMT range). No RIP authentication is configured, so any
# host on eth2 could inject routes; NOTE(review): consider the per-interface
# RIP authentication option if the LAN segment is not fully trusted.
configure
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
commit
save

SSH Configuration

# Restrict SSH access to LAN interface only
# The daemon binds only to the eth2 address, so the router's own SSH is not
# reachable from the WAN or DMZ. Inbound TCP/22 on eth0 is in any case
# consumed by destination NAT rule 20 and forwarded to the jump host.
configure
set service ssh listen-address 172.16.150.2
commit
save