Preface
Not many people in China are familiar with VyOS. Among soft routers, if a certain vendor ("某快") is the D-Link of its day, then VyOS is the corresponding Cisco.
VyOS originated from the open-source Vyatta OS. After Vyatta was acquired, developers on the internet continued development on the original Vyatta base, which became today's VyOS. The EdgeOS shipped on the EdgeRouter also derives from Vyatta OS, so the two are very similar, though they differ in some extended features.
VyOS and the EdgeRouter are therefore a perfect pair: the EdgeRouter is known for highly stable, high-performance, low-priced hardware (a gigabit-forwarding EdgeRouter-X sells for under 400 RMB), while VyOS is well suited to virtualized environments.
Installing VyOS
VyOS can be installed on soft-router hardware or on the VMware virtualization platform, and the mainstream VPS providers such as AWS, Azure and GCP offer corresponding images.
We also provide our own build based on the latest equuleus release; interested readers can download the VyOS-1.2.6.iso image here. Next, use Rufus, a Windows tool, to write the image to a bootable USB stick; you can download Rufus from its official site or from the mirror link provided. When writing, choose the MBR partition scheme with support for BIOS or UEFI boot. The first time you write an image, Rufus asks whether to upgrade to the latest Syslinux boot module; confirm the upgrade and the write begins.
After booting, the display shows a command-line interface; log in with vyos as both the username and the password. Once logged in, we need to install the system to the local hard drive: enter the command "install image" to start the installer.
```
vyos@vyos:~$ install image
Welcome to the VyOS install program. This script
will walk you through the process of installing the
VyOS image to a local hard drive.
Would you like to continue? (Yes/No) [Yes]:
Probing drives: OK
Looking for pre-existing RAID groups...none found.
The VyOS image will require a minimum 2000MB root.
Would you like me to try to partition a drive automatically
or would you rather partition it manually with parted? If
you have already setup your partitions, you may skip this step

Partition (Auto/Parted/Skip) [Auto]:

I found the following drives on your system:
 sda    4294MB

Install the image on? [sda]:

This will destroy all data on /dev/sda.
Continue? (Yes/No) [No]: Yes

Looking for config files from previous installations on sda1...

How big of a root partition should I create? (2000MB - 4294MB) [4294]MB:

Creating filesystem on /dev/sda1: | OK
Done!

Mounting /dev/sda1...
What would you like to name this image? [1.2.5]:
OK. This image will be named: 1.2.5
Copying squashfs image...
Copying kernel and initrd images...
Done!

I found the following configuration files:
    /opt/vyatta/etc/config/config.boot
    /opt/vyatta/etc/config.boot.default
Which one should I copy to sda? [/opt/vyatta/etc/config/config.boot]:

Copying /opt/vyatta/etc/config/config.boot to sda.
Enter password for administrator account
Enter password for user 'vyos':
Retype password for user 'vyos':
I need to install the GRUB boot loader.
I found the following drives on your system:
 sda    4294MB
Which drive should GRUB modify the boot partition on? [sda]:

Setting up grub: OK
Done!
vyos@vyos:~$
```
Answer Yes to each prompt and finally enter the new password you chose for VyOS. After the installation completes, be sure to enter the "reboot" command to restart; otherwise your settings will not be saved to the newly created disk partition.
First-time configuration
After the reboot, we log in to perform the initial configuration. We need to complete the following tasks:
- Configure the WAN interface and add a default route
- Set the system DNS servers
- Enable SSH
- Set the WAN firewall policy
- Configure the local LAN
Configuring the WAN interface
DHCP
When obtaining an IP address via DHCP, the system automatically receives the default route and DNS server settings, so we only need to enable DHCP mode.
```
configure
set interfaces ethernet eth0 address dhcp
```
Static address
With a static address, the default route and the system DNS server must be set as well:
```
configure
set interfaces ethernet eth0 address 192.168.1.100/24
set system name-server '8.8.8.8'
set protocols static route 0.0.0.0/0 next-hop 192.168.1.254 distance 1
```
PPPoE
In PPPoE mode, the MTU of the corresponding interface must be set, usually to 1492 bytes.
```
configure
set interfaces pppoe pppoe0 authentication password '123456'
set interfaces pppoe pppoe0 authentication user '051212345678'
set interfaces pppoe pppoe0 description 'China Unioncom'
set interfaces pppoe pppoe0 mtu '1492'
set interfaces pppoe pppoe0 source-interface 'eth0'
```
Enabling SSH
```
set service ssh port '22'
```
Configuring the WAN firewall policy
Apart from locally originated outbound traffic, we only allow the router to be reached from the internet via ping and SSH.
```
set firewall all-ping 'enable'
set firewall name WAN_IN default-action 'drop'
set firewall name WAN_IN rule 10 action 'accept'
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established 'enable'
set firewall name WAN_IN rule 10 state related 'enable'
set firewall name WAN_IN rule 20 action 'drop'
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid 'enable'
set firewall name WAN_LOCAL default-action 'drop'
set firewall name WAN_LOCAL rule 10 action 'accept'
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established 'enable'
set firewall name WAN_LOCAL rule 10 state related 'enable'
set firewall name WAN_LOCAL rule 20 action 'drop'
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid 'enable'
set firewall name WAN_LOCAL rule 30 action 'accept'
set firewall name WAN_LOCAL rule 30 description 'Ping from internet'
set firewall name WAN_LOCAL rule 30 icmp type-name 'echo-request'
set firewall name WAN_LOCAL rule 30 log 'disable'
set firewall name WAN_LOCAL rule 30 protocol 'icmp'
set firewall name WAN_LOCAL rule 40 action 'accept'
set firewall name WAN_LOCAL rule 40 description 'allow remote management'
set firewall name WAN_LOCAL rule 40 destination port '22'
set firewall name WAN_LOCAL rule 40 protocol 'tcp'
```
Then we bind the firewall policies to the WAN interface.
```
set interfaces ethernet eth0 firewall in name 'WAN_IN'
set interfaces ethernet eth0 firewall local name 'WAN_LOCAL'
```
Configuring the local LAN
Besides assigning a static address to the LAN interface, we also enable a DHCP server on it.
```
set interfaces ethernet eth1 address 192.168.3.254/24
set service dhcp-server shared-network-name LAN subnet 192.168.3.0/24 default-route 192.168.3.254
set service dhcp-server shared-network-name LAN subnet 192.168.3.0/24 range 0 start 192.168.3.5
set service dhcp-server shared-network-name LAN subnet 192.168.3.0/24 range 0 stop 192.168.3.200
set service dhcp-server shared-network-name LAN subnet 192.168.3.0/24 dns-server 192.168.3.254
```
DNS forwarding service
Set the system's upstream DNS servers.
```
set system name-server 1.1.1.1
set system name-server 8.8.4.4
```
Configure DNS forwarding to use the system's upstream DNS servers and to listen on the LAN interface address.
```
set service dns forwarding system
set service dns forwarding listen-address 192.168.3.254
set service dns forwarding allow-from 192.168.3.0/24
```
Outbound NAT
```
set nat source rule 1000 outbound-interface eth0
set nat source rule 1000 translation address 'masquerade'
commit
save
exit
```
Tips
Sometimes you want to refer to the existing configuration; the following command converts the running configuration into the equivalent set commands.
```
show configuration commands
```
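A small audit script, added here as an example (it is not from the original post or from VyOS), that reads the output of `show configuration commands` and checks the WAN policy built above: both policies must be bound to eth0 with default-action drop, and any WAN_LOCAL accept rule for the SSH port is flagged when it names no source address, as rule 40 above does. The sample input is constructed from this guide's own commands; the interface name eth0 and the SSH port default are assumptions that match it.

```python
import shlex

# Constructed sample: the WAN firewall, binding and SSH lines from this guide,
# in the form 'show configuration commands' prints them.
SAMPLE_CONFIG = """\
set firewall name WAN_IN default-action 'drop'
set firewall name WAN_IN rule 10 action 'accept'
set firewall name WAN_LOCAL default-action 'drop'
set firewall name WAN_LOCAL rule 40 action 'accept'
set firewall name WAN_LOCAL rule 40 destination port '22'
set firewall name WAN_LOCAL rule 40 protocol 'tcp'
set interfaces ethernet eth0 firewall in name 'WAN_IN'
set interfaces ethernet eth0 firewall local name 'WAN_LOCAL'
set service ssh port '22'
"""

def parse_commands(text):
    """Return one path tuple per 'set ...' line, value quotes stripped by shlex."""
    return [tuple(shlex.split(line)[1:]) for line in text.splitlines()
            if line.startswith("set ")]

def lookup(paths, *prefix):
    """Return the token following `prefix` in the first matching path, else None."""
    n = len(prefix)
    for p in paths:
        if len(p) > n and p[:n] == prefix:
            return p[n]
    return None

def audit_wan(paths, wan_if="eth0"):
    """Check the WAN policy this guide builds; return a list of findings (empty = OK)."""
    findings, bound = [], {}
    for direction in ("in", "local"):
        name = lookup(paths, "interfaces", "ethernet", wan_if, "firewall", direction, "name")
        bound[direction] = name
        if name is None:
            findings.append(f"{wan_if}: no firewall bound in direction '{direction}'")
        elif lookup(paths, "firewall", "name", name, "default-action") != "drop":
            findings.append(f"{name}: default-action is not 'drop'")
    # An accept rule for the SSH port in the 'local' policy should name a source address.
    local, ssh_port = bound["local"], lookup(paths, "service", "ssh", "port") or "22"
    rules = sorted({p[4] for p in paths
                    if len(p) > 4 and p[:4] == ("firewall", "name", local, "rule")})
    for r in rules:
        base = ("firewall", "name", local, "rule", r)
        if (lookup(paths, *base, "action") == "accept"
                and lookup(paths, *base, "destination", "port") == ssh_port
                and lookup(paths, *base, "source", "address") is None):
            findings.append(f"{local} rule {r}: accepts SSH port {ssh_port} from any source")
    return findings
```

Paste the real `show configuration commands` output in place of the sample to audit a live router; an empty list means the three checks passed.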
Upgrade the system:
```
add system image <url>
```
Show the current list of DHCP leases on the LAN:
```
show dhcp server leases
```
Configuration editing commands
- edit: enter a sub-node for editing, e.g. edit interfaces ethernet eth1
- copy: copy a sub-node, e.g. copy rule 10 to rule 100
- rename: rename a sub-node, e.g. rename rule 10 to rule 100