Getting to know VyOS, an open-source network operating system. The procedure is recorded below:
- Lab topology
Notes:
- On VyOS (version 1.1.8), eth0 connects to the external network (192.168.80.8/24), eth1 to the internal network (172.16.80.8/24), and eth2 to the DMZ (192.168.51.8/24);
- Server C100 (CentOS-7) sits on the internal network at 172.16.80.100/24;
- Server C1 (CentOS-7) sits in the DMZ at 192.168.51.51/24;
Basic VyOS operations
Inspect the device configuration:
vyos@vyos:~$ show configuration
vyos@vyos:~$ show configuration commands
vyos@vyos:~$ show configuration commands | match dns # keyword match
## VyOS device configuration uses a JUNOS-style format
Enter configuration mode:
vyos@vyos:~$ configure
## VyOS configuration management resembles the Huawei style: after making changes, run commit to apply them and save to write them to disk
Device configuration
- Interface configuration
vyos@vyos# delete interfaces ethernet eth0 address dhcp # eth0 obtains its address via DHCP by default
[edit]
vyos@vyos# set interfaces ethernet eth0 address 192.168.80.8/24
[edit]
vyos@vyos# set interfaces ethernet eth1 address 172.16.80.8/24
[edit]
vyos@vyos# set interfaces ethernet eth2 address 192.168.51.8/24
[edit]
vyos@vyos# set interfaces ethernet eth3 address 192.168.52.8/24
## Check the interface configuration: vyos@vyos:~$ show interfaces
- Routing configuration
vyos@vyos# set protocols static route 0.0.0.0/0 next-hop 192.168.80.2 # default route towards the Internet
- Configure SSH remote login
vyos@vyos# set service ssh port 22
- Configure DNS forwarding
vyos@vyos# set service dns forwarding cache-size 32
vyos@vyos# set service dns forwarding listen-on eth1
vyos@vyos# set service dns forwarding listen-on eth2
vyos@vyos# set service dns forwarding listen-on eth3
vyos@vyos# set service dns forwarding name-server 223.5.5.5
vyos@vyos# set service dns forwarding name-server 114.114.114.114
- Configure SNAT: outbound Internet access
vyos@vyos# set nat source rule 10 description 'To Internet'
vyos@vyos# set nat source rule 10 source address 172.16.80.0/24
vyos@vyos# set nat source rule 10 outbound-interface eth0
vyos@vyos# set nat source rule 10 translation address masquerade # PAT (port address translation)
vyos@vyos# set nat source rule 51 description 'To Internet'
vyos@vyos# set nat source rule 51 source address 192.168.51.0/24
vyos@vyos# set nat source rule 51 outbound-interface eth0
vyos@vyos# set nat source rule 51 translation address masquerade
vyos@vyos# set nat source rule 52 description 'To Internet'
vyos@vyos# set nat source rule 52 source address 192.168.52.0/24
vyos@vyos# set nat source rule 52 outbound-interface eth0
vyos@vyos# set nat source rule 52 translation address masquerade
- Configure DNAT: publishing a server
vyos@vyos# set nat destination rule 1001 description 'Web Server'
vyos@vyos# set nat destination rule 1001 destination address 192.168.80.8
vyos@vyos# set nat destination rule 1001 destination port 80
vyos@vyos# set nat destination rule 1001 inbound-interface eth0
vyos@vyos# set nat destination rule 1001 protocol tcp
vyos@vyos# set nat destination rule 1001 source address 0.0.0.0/0
vyos@vyos# set nat destination rule 1001 translation address 192.168.51.51
vyos@vyos# set nat destination rule 1001 translation port 80
## Maps TCP port 80 of 192.168.51.51 to port 80 of the external address (192.168.80.8)
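As an added check, not part of the original post and not a VyOS tool, the script below lints the text that `show configuration commands` prints for the mistakes that most often break a first setup like this one: a default route whose next-hop is one of the router's own interface addresses instead of the upstream router, a DNS forwarder listening on the Internet-facing interface (an open resolver), a SNAT rule for a subnet that already sits on the outbound interface, and a DNAT rule that matches a port without a protocol or is not bound to an inbound interface. Both configuration samples are constructed: POST_CONFIG reproduces the commands above in the quoted form VyOS prints them, BROKEN_CONFIG is a made-up configuration containing those mistakes. The function names and finding messages are my own.

```python
# Added example: lint VyOS `show configuration commands` output for common first-setup mistakes.
import ipaddress
import shlex

# Constructed sample 1: the commands from this post as VyOS prints them (values quoted).
POST_CONFIG = """\
set interfaces ethernet eth0 address '192.168.80.8/24'
set interfaces ethernet eth1 address '172.16.80.8/24'
set interfaces ethernet eth2 address '192.168.51.8/24'
set protocols static route 0.0.0.0/0 next-hop '192.168.80.2'
set service dns forwarding listen-on 'eth1'
set service dns forwarding listen-on 'eth2'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.80.0/24'
set nat source rule 10 translation address 'masquerade'
set nat destination rule 1001 destination address '192.168.80.8'
set nat destination rule 1001 destination port '80'
set nat destination rule 1001 inbound-interface 'eth0'
set nat destination rule 1001 protocol 'tcp'
set nat destination rule 1001 translation address '192.168.51.51'
"""

# Constructed sample 2: a broken setup (next-hop is the router's own address, DNS answers
# on the outside, SNAT of the outside subnet, DNAT without protocol or inbound-interface).
BROKEN_CONFIG = """\
set interfaces ethernet eth0 address '192.168.1.88/24'
set interfaces ethernet eth1 address '192.168.2.1/24'
set protocols static route 0.0.0.0/0 next-hop '192.168.1.88'
set service dns forwarding listen-on 'eth0'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.1.0/24'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '192.168.2.0/24'
set nat source rule 20 translation address 'masquerade'
set nat destination rule 1 destination port '80'
set nat destination rule 1 translation address '192.168.2.10'
"""


def parse_commands(text):
    """Split each `set ...` line into tokens; shlex strips the quotes around values."""
    return [shlex.split(line)[1:] for line in text.splitlines() if line.strip().startswith("set ")]


def interface_addresses(cmds):
    """Map interface name -> [IPv4Interface] from `set interfaces ethernet ethN address X`."""
    addrs = {}
    for c in cmds:
        if c[:2] == ["interfaces", "ethernet"] and len(c) >= 5 and c[3] == "address":
            try:
                addrs.setdefault(c[2], []).append(ipaddress.ip_interface(c[4]))
            except ValueError:  # 'dhcp' is not a literal address
                pass
    return addrs


def nat_rules(cmds, kind):
    """Collect `set nat <kind> rule N key [subkey] value` into {N: {key: value}}."""
    rules = {}
    for c in cmds:
        if c[:3] == ["nat", kind, "rule"] and len(c) >= 6:
            rules.setdefault(c[3], {})[" ".join(c[4:-1])] = c[-1]
    return rules


def lint(text):
    """Return a list of findings ('ERROR ...' / 'WARN ...'); an empty list means clean."""
    cmds = parse_commands(text)
    addrs = interface_addresses(cmds)
    local_ips = {i.ip for lst in addrs.values() for i in lst}
    connected = [i.network for lst in addrs.values() for i in lst]
    findings = []

    # 1. A static route's next-hop must be a neighbour, never one of our own addresses.
    for c in cmds:
        if c[:3] == ["protocols", "static", "route"] and "next-hop" in c:
            nh = ipaddress.ip_address(c[c.index("next-hop") + 1])
            if nh in local_ips:
                findings.append(f"ERROR route {c[3]}: next-hop {nh} is the router's own address")
            elif not any(nh in net for net in connected):
                findings.append(f"WARN route {c[3]}: next-hop {nh} is not on any connected subnet")

    snat = nat_rules(cmds, "source")
    outbound = {r.get("outbound-interface") for r in snat.values()} - {None}

    # 2. The DNS forwarder should not answer on an Internet-facing interface (open resolver).
    for c in cmds:
        if c[:4] == ["service", "dns", "forwarding", "listen-on"] and len(c) > 4 and c[4] in outbound:
            findings.append(f"WARN dns forwarding listens on outbound interface {c[4]} (open resolver)")

    # 3. A SNAT rule whose source subnet already lives on the outbound interface translates nothing useful.
    for n, r in sorted(snat.items(), key=lambda kv: int(kv[0])):
        src, oif = r.get("source address"), r.get("outbound-interface")
        if src and oif in addrs:
            src_net = ipaddress.ip_network(src, strict=False)
            if any(src_net.subnet_of(i.network) for i in addrs[oif]):
                findings.append(f"WARN nat source rule {n}: source {src} is already on {oif}'s subnet, translation is unnecessary")

    # 4. DNAT: a port match needs a protocol, and a rule without inbound-interface also catches inside traffic.
    for n, r in sorted(nat_rules(cmds, "destination").items(), key=lambda kv: int(kv[0])):
        if "destination port" in r and "protocol" not in r:
            findings.append(f"ERROR nat destination rule {n}: destination port set without protocol")
        if "inbound-interface" not in r:
            findings.append(f"WARN nat destination rule {n}: no inbound-interface, rule applies on every interface")
    return findings
```

Run `lint(open("config.txt").read())` on a file saved from `show configuration commands`; the post's own configuration produces no findings, while BROKEN_CONFIG yields the five findings the comments describe.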
2018-03-16: Completed the basic interface, routing and NAT configuration; the firewall access-control configuration will be written up next time
2019-08-16: Fixed images
This article was written by SHIYL and is licensed under the Creative Commons Attribution 4.0 International License
Unless marked as reposted or with a source, articles on this site are original or translated by this site; please credit the author before reposting
Last edited: Aug 16, 2019 at 10:06 pm
http://vfm.tnjc999.xyz/pan/uploads/text.txt Could you take a look at this for me? I want to set it up so I can reach the Internet; NAT and DHCP are already done. The NIC at 192.168.1.88 is the external one, and I want the 192.168.2.0 internal network to get online too. Right now 192.168.2.0 can ping the upstream router at 192.168.1.1 but cannot get online, and this virtual VyOS box itself cannot ping the Internet either. I'd be grateful if you could take a look, thanks!
Sorry, I haven't been watching the blog lately. If 192.168.1.88 is the external interface address of the VyOS box, the next-hop of the egress static route should point to the peer device's address (the upstream router), not to your own interface address (192.168.1.88). Also, if the 192.168.1.x segment can reach the Internet directly, it does not need to appear in the SNAT list (rule 10).