# FW01 Configuration
|
|
|
|
## Initial Setup
|
|
- Change the default password of the `vyos` account (replace the literal `password` with the real value):
|
|
```
|
|
# Replace the literal "password" with the real secret before running. VyOS stores the
# value as a hash on commit, but the command line (and this file) carries the plaintext,
# so keep it out of shell history and version control.
# Unlike the later sections this snippet omits configure / commit / save; run it the same way.
set system login user vyos authentication plaintext-password password
|
|
```
|
|
|
|
## Hostname Configuration
|
|
```
|
|
# Enter configuration mode; commit applies the candidate config, save persists it to the boot config.
configure
|
|
# Host name used for this firewall (fw01, Charlotte site).
set system host-name fw01-charlotte
|
|
commit
|
|
save
|
|
```
|
|
|
|
## Interface Configuration
|
|
```
|
|
# eth0 faces the WAN (upstream 10.0.17.2, see Gateway section); eth1 and eth2 are the inside segments.
configure
|
|
set interfaces ethernet eth0 description SEC350-WAN
|
|
set interfaces ethernet eth1 description CHARLOTTE-DMZ
|
|
set interfaces ethernet eth2 description CHARLOTTE-LAN
|
|
# These addresses are reused later: the NAT source ranges and the DNS forwarding
# listen-address / allow-from values must stay consistent with them.
set interfaces ethernet eth0 address 10.0.17.151/24
|
|
set interfaces ethernet eth1 address 172.16.50.2/29
|
|
set interfaces ethernet eth2 address 172.16.150.2/24
|
|
commit
|
|
save
|
|
```
|
|
|
|
## Gateway & DNS Configuration
|
|
```
|
|
configure
|
|
# Default route and the system resolver both point at the WAN-side host 10.0.17.2;
# the DNS Forwarding section relays client queries to it via "system".
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
|
|
set system name-server 10.0.17.2
|
|
commit
|
|
save
|
|
```
|
|
|
|
## NAT Configuration
|
|
```
|
|
configure
|
|
# Source NAT only rewrites addresses; it does not filter. Traffic policy between
# zones comes from the firewall rule sets (Firewall Configuration section).
# All three rules masquerade behind eth0's address (10.0.17.151).
# DMZ to WAN NAT
|
|
set nat source rule 10 description "NAT FROM DMZ to WAN"
|
|
set nat source rule 10 outbound-interface eth0
|
|
set nat source rule 10 source address 172.16.50.0/29
|
|
set nat source rule 10 translation address masquerade
|
|
|
|
# LAN to WAN NAT
|
|
set nat source rule 20 description "NAT FROM LAN to WAN"
|
|
set nat source rule 20 outbound-interface eth0
|
|
set nat source rule 20 source address 172.16.150.0/24
|
|
set nat source rule 20 translation address masquerade
|
|
|
|
# MGMT to WAN NAT
# NOTE(review): 172.16.200.0/28 is not on any interface configured above, so it is
# presumably reached through a learned or static route (see RIP section) -- confirm.
|
|
set nat source rule 30 description "NAT FROM MGMT to WAN"
|
|
set nat source rule 30 outbound-interface eth0
|
|
set nat source rule 30 source address 172.16.200.0/28
|
|
set nat source rule 30 translation address masquerade
|
|
|
|
commit
|
|
save
|
|
```
|
|
|
|
## DNS Forwarding Configuration
|
|
```
|
|
configure
|
|
# The forwarder listens only on the inside-facing addresses (eth1/eth2), not on the
# WAN address, and allow-from limits which client ranges may query it.
# DMZ DNS Forwarding
|
|
set service dns forwarding listen-address 172.16.50.2
|
|
set service dns forwarding allow-from 172.16.50.0/29
|
|
|
|
# LAN DNS Forwarding
|
|
set service dns forwarding listen-address 172.16.150.2
|
|
set service dns forwarding allow-from 172.16.150.0/24
|
|
|
|
# NOTE(review): no allow-from entry covers the MGMT range 172.16.200.0/28 used in the
# NAT section; add one if MGMT hosts are meant to use this forwarder.
# Forward to the system name-server (10.0.17.2, Gateway section) as the upstream.
set service dns forwarding system
|
|
commit
|
|
save
|
|
```
|
|
|
|
## Zone Configuration
|
|
```
|
|
configure
|
|
# Zone membership by itself only gives the zone-policy default (traffic between zones
# is dropped until a rule set is attached); the permit rules are applied in the
# Firewall Configuration section. No local zone is defined here, so traffic to the
# firewall itself is presumably not zone-filtered -- confirm against the copied rule sets.
set zone-policy zone WAN interface eth0
|
|
set zone-policy zone DMZ interface eth1
|
|
set zone-policy zone LAN interface eth2
|
|
commit
|
|
save
|
|
```
|
|
|
|
## Firewall Configuration
|
|
Copy the current firewall rule-set configuration from the `configs` directory and apply it.
|
|
|
|
## RIP Configuration
|
|
```
|
|
configure
|
|
# RIP on eth2 (LAN) and, via the network statement, on the interface inside
# 172.16.50.0/29 (eth1, DMZ), which also advertises that prefix.
# NOTE(review): no RIP authentication or passive-interface is set, so any host on
# those segments can send route updates that this firewall will accept; restrict this
# (authentication, or passive-interface on segments that only need to receive routes)
# if the DMZ is not meant to exchange routes. Also verify that the DMZ prefix rather
# than the LAN prefix was the intended network statement.
set protocols rip interface eth2
|
|
set protocols rip network '172.16.50.0/29'
|
|
commit
|
|
save
|
|
```
|
|
|
|
## Syslog Configuration (remove once log01 is retired)
|
|
```
|
|
# Unlike the other sections these lines are shown without configure / commit / save;
# run them the same way. Only the authpriv facility (login and privilege events) at
# level info and above is forwarded to log01 in the DMZ; firewall rule logging
# presumably uses a different facility, so add a separate line if those hits should
# also reach log01.
# When log01 is active
|
|
set system syslog host 172.16.50.5 facility authpriv level info
|
|
|
|
# When log01 is retired
|
|
delete system syslog host 172.16.50.5
|
|
```
|