Enterprise-grade software router solution: VyOS basic operations

in Networking with 2 comments

Taking a closer look at VyOS, the open-source network operating system; the steps are recorded below:

Notes:

  1. On VyOS (version 1.1.8), eth0 connects to the external network (192.168.80.8/24), eth1 to the internal network (172.16.80.8/24) and eth2 to the DMZ (192.168.51.8/24); the configuration below also assigns eth3 the address 192.168.52.8/24;
  2. Server C100 (CentOS-7) sits on the internal network at 172.16.80.100/24;
  3. Server C1 (CentOS-7) sits in the DMZ at 192.168.51.51/24;

VyOS basic operations

Check the device configuration (operational mode; the `commands` form prints the configuration as the set commands that recreate it, which is the easiest form to review or diff):

vyos@vyos:~$ show configuration
vyos@vyos:~$ show configuration commands
vyos@vyos:~$ show configuration commands | match dns  # keyword match

## VyOS stores its device configuration in a JunOS-style hierarchy

Enter configuration mode:

vyos@vyos:~$ configure 

## Configuration management resembles the Huawei style: changes take effect only after commit, and save writes them to disk (a committed but unsaved change is lost on reboot)

Device configuration

vyos@vyos# delete interfaces ethernet eth0 address dhcp  # eth0 obtains its address via DHCP by default; remove that before assigning the static address
[edit]
vyos@vyos# set interfaces ethernet eth0 address 192.168.80.8/24
[edit]
vyos@vyos# set interfaces ethernet eth1 address 172.16.80.8/24
[edit]
vyos@vyos# set interfaces ethernet eth2 address 192.168.51.8/24
[edit]
vyos@vyos# set interfaces ethernet eth3 address 192.168.52.8/24

## Check the interface configuration: vyos@vyos:~$ show interfaces  (from configuration mode, prefix it: run show interfaces)
vyos@vyos# set protocols static route 0.0.0.0/0 next-hop 192.168.80.2  # default route toward the public network; the next-hop is the upstream gateway on eth0's subnet, never eth0's own address
vyos@vyos# set service ssh port 22  # without a listen-address this listens on every interface, eth0 included; bind it to an internal address if eth0 faces an untrusted network
vyos@vyos# set service dns forwarding cache-size 32  # number of entries to cache
vyos@vyos# set service dns forwarding listen-on eth1  # serve only the internal and DMZ segments
vyos@vyos# set service dns forwarding listen-on eth2  # (eth0 is deliberately absent, so the router is not an open resolver toward the upstream network)
vyos@vyos# set service dns forwarding listen-on eth3
vyos@vyos# set service dns forwarding name-server 223.5.5.5  # upstream resolvers
vyos@vyos# set service dns forwarding name-server 114.114.114.114
vyos@vyos# set nat source rule 10 description 'To Internet'
vyos@vyos# set nat source rule 10 source address 172.16.80.0/24
vyos@vyos# set nat source rule 10 outbound-interface eth0
vyos@vyos# set nat source rule 10 translation address masquerade  # PAT: rewrite the source to eth0's address, shared across ports

vyos@vyos# set nat source rule 51 description 'To Internet'
vyos@vyos# set nat source rule 51 source address 192.168.51.0/24
vyos@vyos# set nat source rule 51 outbound-interface eth0
vyos@vyos# set nat source rule 51 translation address masquerade

vyos@vyos# set nat source rule 52 description 'To Internet'
vyos@vyos# set nat source rule 52 source address 192.168.52.0/24
vyos@vyos# set nat source rule 52 outbound-interface eth0
vyos@vyos# set nat source rule 52 translation address masquerade
vyos@vyos# set nat destination rule 1001 description 'Web Server'
vyos@vyos# set nat destination rule 1001 destination address 192.168.80.8
vyos@vyos# set nat destination rule 1001 destination port 80
vyos@vyos# set nat destination rule 1001 inbound-interface eth0
vyos@vyos# set nat destination rule 1001 protocol tcp
vyos@vyos# set nat destination rule 1001 source address 0.0.0.0/0
vyos@vyos# set nat destination rule 1001 translation address 192.168.51.51
vyos@vyos# set nat destination rule 1001 translation port 80

## Map TCP port 80 of 192.168.51.51 to port 80 of the external address (192.168.80.8). With no firewall rule-set applied yet, this NAT rule alone makes the DMZ web server reachable from eth0; once firewall rules are added, the rule-set on eth0 must permit tcp/80 to 192.168.51.51, because filtering happens after the destination has been rewritten.

2018-03-16 Completed the basic interface, routing and NAT configuration; firewall access-control configuration will be written up next time
2019-08-16 Fixed images
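As an added example (not part of the original post and not a VyOS tool), the following Python script parses a `show configuration commands` dump and flags the exposure mistakes that are easy to make with the commands above: an SSH service with no listen-address, a DNS forwarder listening on the WAN interface, a default route whose next-hop is the router's own address or an SNAT rule that masquerades the WAN subnet itself (the two mistakes discussed in the comments below), a DNAT rule that can never match, and every DNAT rule reported as an exposure that a later firewall must explicitly allow. Both dumps are constructed: POST_DUMP is an abbreviated form of this post's configuration, BROKEN_DUMP models the situation described in the comments, and the finding codes are my own names.

```python
"""Audit a VyOS `show configuration commands` dump for exposure mistakes. Example code
added to this post, not part of VyOS; both dumps are constructed (post setup / comment-thread mistake)."""
import ipaddress
import shlex
from collections import defaultdict

POST_DUMP = """
set interfaces ethernet eth0 address '192.168.80.8/24'
set interfaces ethernet eth1 address '172.16.80.8/24'
set protocols static route 0.0.0.0/0 next-hop '192.168.80.2'
set service ssh port '22'
set service dns forwarding listen-on 'eth1'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.80.0/24'
set nat source rule 10 translation address 'masquerade'
set nat destination rule 1001 destination address '192.168.80.8'
set nat destination rule 1001 destination port '80'
set nat destination rule 1001 inbound-interface 'eth0'
set nat destination rule 1001 protocol 'tcp'
set nat destination rule 1001 translation address '192.168.51.51'
"""

BROKEN_DUMP = """
set interfaces ethernet eth0 address '192.168.1.88/24'
set interfaces ethernet eth1 address '192.168.2.1/24'
set protocols static route 0.0.0.0/0 next-hop '192.168.1.88'
set service ssh listen-address '192.168.2.1'
set service dns forwarding listen-on 'eth0'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.1.0/24'
set nat source rule 10 translation address 'masquerade'
"""

def parse_set_commands(text):
    """Turn each `set a b c 'value'` line into a (path tuple, value) pair."""
    entries = []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if len(tokens) >= 3 and tokens[0] == "set":
            entries.append((tuple(tokens[1:-1]), tokens[-1]))
    return entries

def interface_addresses(entries):
    """Map interface name -> list of ip_interface objects ('dhcp' entries skipped)."""
    addrs = defaultdict(list)
    for path, value in entries:
        if path[:2] == ("interfaces", "ethernet") and path[3:] == ("address",) and value != "dhcp":
            addrs[path[2]].append(ipaddress.ip_interface(value))
    return addrs

def nat_rules(entries, kind):
    """Group `nat <kind> rule N <attr ...> value` into {N: {"attr ...": value}}."""
    rules = defaultdict(dict)
    for path, value in entries:
        if len(path) >= 5 and path[:3] == ("nat", kind, "rule"):
            rules[path[3]][" ".join(path[4:])] = value
    return rules

def audit(text):
    """Return (code, message) findings for one dump, in check order."""
    entries = parse_set_commands(text)
    addrs = interface_addresses(entries)
    findings, wan = [], None

    # The WAN side is the interface whose subnet holds the default next-hop, which
    # must be the upstream gateway and never one of the router's own addresses.
    for path, value in entries:
        if path == ("protocols", "static", "route", "0.0.0.0/0", "next-hop"):
            hop = ipaddress.ip_address(value)
            wan = next((i for i, lst in addrs.items() if any(hop in a.network for a in lst)), None)
            if any(hop == a.ip for a in addrs.get(wan, [])):
                findings.append(("ROUTE_SELF", f"default route next-hop {hop} is {wan}'s own address; use the upstream gateway"))

    # ssh without listen-address accepts connections on every interface, WAN included.
    ssh = [p for p, _ in entries if p[:2] == ("service", "ssh")]
    if ssh and not any(p[2:3] == ("listen-address",) for p in ssh):
        findings.append(("SSH_ALL_INTERFACES", f"service ssh has no listen-address, so it is reachable via {wan or 'the WAN side'}"))

    # A forwarder listening on the WAN interface is an open resolver.
    listen_on = [v for p, v in entries if p == ("service", "dns", "forwarding", "listen-on")]
    if wan in listen_on:
        findings.append(("DNS_OPEN_RESOLVER", f"dns forwarding listens on {wan}; upstream hosts can use this router as a resolver"))

    # Masquerading the WAN subnet itself means the topology was misread.
    for num, rule in sorted(nat_rules(entries, "source").items(), key=lambda kv: int(kv[0])):
        src = rule.get("source address")
        if src and any(ipaddress.ip_network(src, strict=False).overlaps(a.network) for a in addrs.get(wan, [])):
            findings.append(("SNAT_WAN_SUBNET", f"source rule {num} masquerades {src}, the WAN subnet; directly connected hosts need no NAT"))

    # Each DNAT rule is an exposure: it must be able to match at all, and a firewall
    # on the inbound interface sees the post-translation destination, not the WAN one.
    for num, rule in sorted(nat_rules(entries, "destination").items(), key=lambda kv: int(kv[0])):
        inbound, dst = rule.get("inbound-interface"), rule.get("destination address")
        if inbound and dst and all(ipaddress.ip_address(dst) != a.ip for a in addrs.get(inbound, [])):
            findings.append(("DNAT_NO_MATCH", f"destination rule {num}: {dst} is not an address of {inbound}, so it never matches"))
        port = rule.get("translation port", rule.get("destination port", "any"))
        findings.append(("DNAT_EXPOSURE", f"destination rule {num} exposes {rule.get('translation address')}:{port}/{rule.get('protocol', 'all')} via {inbound}; a firewall on {inbound} must allow it"))
    return findings

if __name__ == "__main__":
    for name, dump in (("post", POST_DUMP), ("broken", BROKEN_DUMP)):
        for code, msg in audit(dump):
            print(f"[{name}] {code}: {msg}")
```

On a real box, save the output of `show configuration commands` to a file and pass its contents to `audit()`. DNAT_EXPOSURE is reported for every port-forward on purpose: on 1.1.8 with no firewall rule-set applied, the NAT rule alone makes the service reachable, and the review question is whether each exposure is intended.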

  1. http://vfm.tnjc999.xyz/pan/uploads/text.txt Could you take a look at this for me? I want to set it up so it can reach the Internet, and I've already done NAT and DHCP. The NIC with 192.168.1.88 is the external one, and I want the 192.168.2.0 internal network to get online too. Right now 192.168.2.0 can ping the upstream router at 192.168.1.1, but can't get online, and this virtual VyOS box itself can't ping the Internet either. Could you please take a look? Thanks!

    1. @tnjc

      Sorry, I haven't been keeping an eye on the blog lately. If 192.168.1.88 is the address of the VyOS external interface, the next-hop of the egress static route should point at the peer device's address (the upstream router), not at your own interface address (192.168.1.88). Also, if the 192.168.1.x segment can reach the Internet directly, it doesn't need to appear in the SNAT list (rule 10) either.
