ChamplainTechJournals/net-sec-controls-sec350/machines/FW01.md
2025-04-19 23:42:08 -04:00

FW01 Configuration

Initial Setup

  • Change password:
set system login user vyos authentication plaintext-password password

Hostname Configuration

configure
set system host-name fw01-charlotte
commit
save

Interface Configuration

configure
set interfaces ethernet eth0 description SEC350-WAN
set interfaces ethernet eth1 description CHARLOTTE-DMZ
set interfaces ethernet eth2 description CHARLOTTE-LAN
set interfaces ethernet eth0 address 10.0.17.151/24
set interfaces ethernet eth1 address 172.16.50.2/29
set interfaces ethernet eth2 address 172.16.150.2/24
commit
save

Gateway & DNS Configuration

configure
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
commit
save

NAT Configuration

configure
# DMZ to WAN NAT
set nat source rule 10 description "NAT FROM DMZ to WAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.50.0/29
set nat source rule 10 translation address masquerade

# LAN to WAN NAT
set nat source rule 20 description "NAT FROM LAN to WAN"
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 172.16.150.0/24
set nat source rule 20 translation address masquerade

# MGMT to WAN NAT
set nat source rule 30 description "NAT FROM MGMT to WAN"
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 172.16.200.0/28
set nat source rule 30 translation address masquerade

commit
save

DNS Forwarding Configuration

configure
# DMZ DNS Forwarding
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29

# LAN DNS Forwarding
set service dns forwarding listen-address 172.16.150.2
set service dns forwarding allow-from 172.16.150.0/24

set service dns forwarding system
commit
save
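The NAT and DNS-forwarding sections above reference subnets and listen addresses that must line up with the interface addresses configured earlier. The following check, added here as an example and not part of the FW01 notes, parses those VyOS `set` commands (the config text below is constructed from this page) and reports any source-NAT subnet that is not directly attached to FW01 (it then needs a static or learned route) and any DNS listen address that FW01 does not actually hold.

```python
# Added consistency check over the VyOS "set" commands on this page.
import ipaddress
import shlex

# Constructed from the commands in the FW01 notes above.
FW01_CONFIG = """
set interfaces ethernet eth0 address 10.0.17.151/24
set interfaces ethernet eth1 address 172.16.50.2/29
set interfaces ethernet eth2 address 172.16.150.2/24
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.50.0/29
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 172.16.150.0/24
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 172.16.200.0/28
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding listen-address 172.16.150.2
"""

def parse_set_commands(text):
    """Return (interfaces, nat_sources, dns_listeners) parsed from VyOS set lines."""
    interfaces, nat_sources, dns_listeners = {}, {}, []
    for line in text.strip().splitlines():
        w = shlex.split(line)  # shlex drops the quotes VyOS allows around values
        if w[:3] == ["set", "interfaces", "ethernet"] and w[4] == "address":
            interfaces[w[3]] = ipaddress.ip_interface(w[5])
        elif w[:3] == ["set", "nat", "source"] and w[5:7] == ["source", "address"]:
            nat_sources[int(w[4])] = ipaddress.ip_network(w[7])
        elif w[:5] == ["set", "service", "dns", "forwarding", "listen-address"]:
            dns_listeners.append(ipaddress.ip_address(w[5]))
    return interfaces, nat_sources, dns_listeners

def check_config(text):
    """Return a list of findings; an empty list means every reference is local."""
    interfaces, nat_sources, dns_listeners = parse_set_commands(text)
    attached = [i.network for i in interfaces.values()]
    held = [i.ip for i in interfaces.values()]
    findings = []
    for rule, net in sorted(nat_sources.items()):
        if not any(net.subnet_of(a) for a in attached):
            findings.append(f"nat rule {rule}: {net} is not directly attached; confirm a route exists")
    for addr in dns_listeners:
        if addr not in held:
            findings.append(f"dns forwarding: {addr} is not an address on this firewall")
    return findings

if __name__ == "__main__":
    for finding in check_config(FW01_CONFIG):
        print(finding)
```

On this page's config the only finding is NAT rule 30: the MGMT subnet 172.16.200.0/28 sits behind another router, so FW01 must have a route to it for return traffic, which is what the routing sections are for.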

Zone Configuration

configure
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2
commit
save

Firewall Configuration

Copy the current firewall rule set from the configs directory; the rules themselves are maintained there rather than in this file.

RIP Configuration

configure
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
commit
save

Syslog Configuration (remove when appropriate)

# When log01 is active
set system syslog host 172.16.50.5 facility authpriv level info

# When log01 is retired
delete system syslog host 172.16.50.5