# EDGE01 Configuration
## Initial Setup
- Change password (the value below is only an example placeholder; choose a strong, unique password and do not commit the real one to this repository):
```
configure
set system login user vyos authentication plaintext-password password123!
commit
save
```
- Change hostname:
```
configure
set system host-name edge01-charlotte
commit
save
```
## Interface Configuration
```
configure
set interfaces ethernet eth0 description SEC350-WAN
set interfaces ethernet eth1 description CHARLOTTE-DMZ
set interfaces ethernet eth2 description CHARLOTTE-LAN
set interfaces ethernet eth0 address 10.0.17.151/24
set interfaces ethernet eth1 address 172.16.50.2/29
set interfaces ethernet eth2 address 172.16.150.2/24
commit
save
```
## Gateway and DNS Configuration
```
configure
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
commit
save
```
## NAT Configuration
```
configure
# DMZ to WAN NAT
set nat source rule 10 description "NAT FROM DMZ to WAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.50.0/29
set nat source rule 10 translation address masquerade
# LAN to WAN NAT
set nat source rule 20 description "NAT FROM LAN to WAN"
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 172.16.150.0/24
set nat source rule 20 translation address masquerade
# MGMT to WAN NAT (172.16.200.0/28 is not assigned to any interface in this document; presumably it is reached through eth2 — verify a route to it exists before relying on this rule)
set nat source rule 30 description "NAT FROM MGMT to WAN"
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 172.16.200.0/28
set nat source rule 30 translation address masquerade
# Port Forwarding for HTTP
set nat destination rule 10 description "HTTP->NGINX01"
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 destination port 80
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 172.16.50.3
# Port Forwarding for SSH (this exposes the jump host to every WAN source; the matching WAN-to-DMZ rule 20 in the Firewall section has no source address, so add one there if management only comes from known addresses)
set nat destination rule 20 description "SSH->JUMP"
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 destination port 22
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 172.16.50.4
commit
save
```
## DNS Forwarding Configuration
```
configure
# DMZ DNS Forwarding
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29
# LAN DNS Forwarding
set service dns forwarding listen-address 172.16.150.2
set service dns forwarding allow-from 172.16.150.0/24
set service dns forwarding system
commit
save
```
## Zone Configuration
```
configure
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2
commit
save
```
## Firewall Configuration
```
configure
# Create Zone-Based Firewalls (every rule 1 below accepts state established only; state related is not enabled in any ruleset, which matters if connection-tracking helpers or ICMP error replies are expected)
# WAN-to-DMZ
set firewall name WAN-to-DMZ default-action drop
set firewall name WAN-to-DMZ enable-default-log
set firewall name WAN-to-DMZ rule 1 action accept
set firewall name WAN-to-DMZ rule 1 state established enable
set firewall name WAN-to-DMZ rule 10 description "allow HTTP from WAN to DMZ"
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name WAN-to-DMZ rule 10 destination port 80
set firewall name WAN-to-DMZ rule 10 protocol tcp
set firewall name WAN-to-DMZ rule 20 action accept
set firewall name WAN-to-DMZ rule 20 description "SSH to JUMP"
set firewall name WAN-to-DMZ rule 20 destination address 172.16.50.4
set firewall name WAN-to-DMZ rule 20 destination port 22
set firewall name WAN-to-DMZ rule 20 protocol tcp
# DMZ-to-WAN
set firewall name DMZ-to-WAN default-action drop
set firewall name DMZ-to-WAN enable-default-log
set firewall name DMZ-to-WAN rule 1 action accept
set firewall name DMZ-to-WAN rule 1 state established enable
# LAN-to-DMZ
set firewall name LAN-to-DMZ default-action drop
set firewall name LAN-to-DMZ enable-default-log
set firewall name LAN-to-DMZ rule 1 action accept
set firewall name LAN-to-DMZ rule 1 state established enable
set firewall name LAN-to-DMZ rule 10 description "Allow HTTP from LAN to DMZ"
set firewall name LAN-to-DMZ rule 10 action accept
set firewall name LAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name LAN-to-DMZ rule 10 destination port 80
set firewall name LAN-to-DMZ rule 10 protocol tcp
set firewall name LAN-to-DMZ rule 20 description "Allow SSH from MGMT-01 to DMZ"
set firewall name LAN-to-DMZ rule 20 action accept
set firewall name LAN-to-DMZ rule 20 destination port 22
set firewall name LAN-to-DMZ rule 20 protocol tcp
set firewall name LAN-to-DMZ rule 20 source address 172.16.150.10
# DMZ-to-LAN
set firewall name DMZ-to-LAN default-action drop
set firewall name DMZ-to-LAN enable-default-log
set firewall name DMZ-to-LAN rule 1 action accept
set firewall name DMZ-to-LAN rule 1 state established enable
set firewall name DMZ-to-LAN rule 10 description "wazuh agent communication with server"
set firewall name DMZ-to-LAN rule 10 action accept
set firewall name DMZ-to-LAN rule 10 destination address 172.16.200.10
set firewall name DMZ-to-LAN rule 10 destination port 1514,1515
set firewall name DMZ-to-LAN rule 10 protocol tcp
# LAN-to-WAN (rule 1 has no match criteria, so every LAN-originated flow is accepted and the logged default-action drop never applies)
set firewall name LAN-to-WAN default-action drop
set firewall name LAN-to-WAN enable-default-log
set firewall name LAN-to-WAN rule 1 action accept
# WAN-to-LAN
set firewall name WAN-to-LAN default-action drop
set firewall name WAN-to-LAN enable-default-log
set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state established enable
# Apply Zone Policies
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
commit
save
```
## RIP Configuration

RIP is enabled on eth2 with no authentication configured, so route updates from any host on that segment are accepted; the commands below run RIP on eth2 and advertise the DMZ prefix.
```
configure
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
commit
save
```
## SSH Configuration
```
# Restrict SSH access to LAN interface only
configure
set service ssh listen-address 172.16.150.2
commit
save
```