How to configure VyOS as a home router

Because i’m a networking guy, i don’t like the default view of vyos configuration and I want to see clear cisco like configuration. For this i’m using “show configuration commands”. It works better I would say.

We have here:

  • free tunnel to https://tunsafe.com/vpn using wireguard
  • i have a free hotspot configured that is using wireguard to tunsafe. This hotspot have only 443 and 80 enabled. DNS works as well. This means free wifi for my neighbors.
  • ppooe connection
  • dhcp for both internal and hotspot network
  • some port forwarding
  • I’ve deleted: pppoe username and password, vyos encrypted password, some wireguard private tunnels, some bgp sessions.
  • this router is behind a esxi workstation where i have also other VM. I’ll do another post to explain all VM’s i have.
vyos esxi hardware configuration and resource consumption
vyos@CORE-Timisoara:~$ show configuration commands
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group network-group PRIVATE_NETS network '192.168.0.0/16'
set firewall group network-group PRIVATE_NETS network '172.16.0.0/12'
set firewall group network-group PRIVATE_NETS network '10.0.0.0/8'
set firewall ip-src-route 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall log-martians 'disable'
set firewall name LAN-LOCAL-TUNSAFE default-action 'drop'
set firewall name LAN-LOCAL-TUNSAFE rule 1000 action 'accept'
set firewall name LAN-LOCAL-TUNSAFE rule 1000 state established 'enable'
set firewall name LAN-LOCAL-TUNSAFE rule 1000 state related 'enable'
set firewall name LAN-LOCAL-TUNSAFE rule 1001 action 'drop'
set firewall name LAN-LOCAL-TUNSAFE rule 1001 state invalid 'enable'
set firewall name LAN-LOCAL-TUNSAFE rule 1002 action 'accept'
set firewall name LAN-LOCAL-TUNSAFE rule 1002 icmp type-name 'echo-request'
set firewall name LAN-LOCAL-TUNSAFE rule 1002 protocol 'icmp'
set firewall name LAN-LOCAL-TUNSAFE rule 1002 state new 'enable'
set firewall name LAN-LOCAL-TUNSAFE rule 1003 action 'accept'
set firewall name LAN-LOCAL-TUNSAFE rule 1003 destination port '67'
set firewall name LAN-LOCAL-TUNSAFE rule 1003 protocol 'udp'
set firewall name LAN-LOCAL-TUNSAFE rule 1003 state new 'enable'
set firewall name LAN-LOCAL-TUNSAFE rule 1004 action 'accept'
set firewall name LAN-LOCAL-TUNSAFE rule 1004 destination port '53'
set firewall name LAN-LOCAL-TUNSAFE rule 1004 protocol 'tcp_udp'
set firewall name LAN-LOCAL-TUNSAFE rule 1004 state new 'enable'
set firewall name LAN-LOCAL-TUNSAFE rule 1005 action 'drop'
set firewall name LAN-LOCAL-TUNSAFE rule 1005 destination address '192.168.5.0/24'
set firewall name LAN-LOCAL-TUNSAFE rule 1005 protocol 'icmp'
set firewall name LAN-LOCAL-TUNSAFE rule 1005 state new 'enable'
set firewall name LAN-WAN default-action 'drop'
set firewall name LAN-WAN rule 1 action 'accept'
set firewall name LAN-WAN rule 1 state established 'enable'
set firewall name LAN-WAN rule 1 state related 'enable'
set firewall name LAN-WAN rule 2 action 'drop'
set firewall name LAN-WAN rule 2 log 'enable'
set firewall name LAN-WAN rule 2 state invalid 'enable'
set firewall name LAN-WAN rule 900 action 'accept'
set firewall name LAN-WAN rule 900 description 'allow icmp'
set firewall name LAN-WAN rule 900 protocol 'icmp'
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
set firewall name PUBLIC-IN-TUNSAFE default-action 'drop'
set firewall name PUBLIC-IN-TUNSAFE rule 1000 action 'accept'
set firewall name PUBLIC-IN-TUNSAFE rule 1000 description 'Tunsafe to internet only 80/443'
set firewall name PUBLIC-IN-TUNSAFE rule 1000 destination port 'http,443'
set firewall name PUBLIC-IN-TUNSAFE rule 1000 protocol 'tcp'
set firewall name PUBLIC-IN-TUNSAFE rule 1000 source address '192.168.196.0/24'
set firewall name PUBLIC-IN-TUNSAFE rule 1001 action 'accept'
set firewall name PUBLIC-IN-TUNSAFE rule 1001 icmp type-name 'echo-request'
set firewall name PUBLIC-IN-TUNSAFE rule 1001 protocol 'icmp'
set firewall name PUBLIC-IN-TUNSAFE rule 1001 state new 'enable'
set firewall name PUBLIC-IN-TUNSAFE rule 1002 action 'accept'
set firewall name PUBLIC-IN-TUNSAFE rule 1002 destination port '67'
set firewall name PUBLIC-IN-TUNSAFE rule 1002 protocol 'udp'
set firewall name PUBLIC-IN-TUNSAFE rule 1002 state new 'enable'
set firewall name PUBLIC-IN-TUNSAFE rule 1003 action 'accept'
set firewall name PUBLIC-IN-TUNSAFE rule 1003 destination port '53'
set firewall name PUBLIC-IN-TUNSAFE rule 1003 protocol 'tcp_udp'
set firewall name PUBLIC-IN-TUNSAFE rule 1003 state new 'enable'
set firewall name WAN-LAN default-action 'drop'
set firewall name WAN-LAN rule 1 action 'accept'
set firewall name WAN-LAN rule 1 state established 'enable'
set firewall name WAN-LAN rule 1 state related 'enable'
set firewall name WAN-LAN rule 10 action 'accept'
set firewall name WAN-LAN rule 10 destination address '192.168.5.11'
set firewall name WAN-LAN rule 10 destination port '30000'
set firewall name WAN-LAN rule 10 protocol 'tcp_udp'
set firewall name WAN-LAN rule 10 source port '443'
set firewall name WAN-LAN rule 10 state new 'enable'
set firewall name WAN-LAN rule 11 action 'accept'
set firewall name WAN-LAN rule 11 destination address '192.168.5.11'
set firewall name WAN-LAN rule 11 destination port '5000'
set firewall name WAN-LAN rule 11 protocol 'tcp_udp'
set firewall name WAN-LAN rule 11 state new 'enable'
set firewall name WAN-LAN rule 12 action 'accept'
set firewall name WAN-LAN rule 12 destination address '192.168.5.118'
set firewall name WAN-LAN rule 12 destination port '80'
set firewall name WAN-LAN rule 12 protocol 'tcp_udp'
set firewall name WAN-LAN rule 12 state new 'enable'
set firewall name WAN-LAN rule 13 action 'accept'
set firewall name WAN-LAN rule 13 destination address '192.168.5.118'
set firewall name WAN-LAN rule 13 destination port '80'
set firewall name WAN-LAN rule 13 protocol 'tcp_udp'
set firewall name WAN-LAN rule 13 state new 'enable'
set firewall name WAN-LAN rule 9999 action 'drop'
set firewall name WAN-LAN rule 9999 log 'enable'
set firewall options interface wg02 adjust-mss '1380'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall state-policy established action 'accept'
set firewall state-policy invalid action 'drop'
set firewall state-policy related action 'accept'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:6b:f8:9e'
set interfaces ethernet eth0 policy
set interfaces ethernet eth0 pppoe 0 default-route 'auto'
set interfaces ethernet eth0 pppoe 0 mtu '1492'
set interfaces ethernet eth0 pppoe 0 name-server 'none'
set interfaces ethernet eth0 pppoe 0 password ''
set interfaces ethernet eth0 pppoe 0 user-id ''
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '192.168.5.1/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:0c:29:6b:f8:a8'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 address '192.168.196.1/24'
set interfaces ethernet eth2 description 'tunsafe'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 firewall in
set interfaces ethernet eth2 firewall local name 'LAN-LOCAL-TUNSAFE'
set interfaces ethernet eth2 hw-id '00:0c:29:6b:f8:b2'
set interfaces ethernet eth2 policy route 'tunsafe'
set interfaces ethernet eth2 smp-affinity 'auto'
set interfaces ethernet eth2 speed 'auto'
set interfaces loopback lo
set interfaces wireguard wg02 address '10.180.182.189/8'
set interfaces wireguard wg02 description 'Tunsafe-Free'
set interfaces wireguard wg02 firewall out name 'PUBLIC-IN-TUNSAFE'
set interfaces wireguard wg02 peer ams01 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg02 peer ams01 endpoint '190.2.141.162:51840'
set interfaces wireguard wg02 peer ams01 persistent-keepalive '15'
set interfaces wireguard wg02 peer ams01 pubkey 'FO1Hc6UeM0lG8fSxSZYm/ED/4hfTsJ3VcnM09uDtjzM='
set nat destination rule 10 description 'ssh to syno'
set nat destination rule 10 destination port '443'
set nat destination rule 10 inbound-interface 'pppoe0'
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 source
set nat destination rule 10 translation address '192.168.5.11'
set nat destination rule 10 translation port '30000'
set nat destination rule 11 description 'syno_web'
set nat destination rule 11 destination port '5000'
set nat destination rule 11 inbound-interface 'pppoe0'
set nat destination rule 11 protocol 'tcp_udp'
set nat destination rule 11 source port '5000'
set nat destination rule 11 translation address '192.168.5.11'
set nat destination rule 12 description 'wg2'
set nat destination rule 12 destination port '51821'
set nat destination rule 12 inbound-interface 'pppoe0'
set nat destination rule 12 protocol 'tcp_udp'
set nat destination rule 12 source port '51821'
set nat destination rule 12 translation address '192.168.5.118'
set nat destination rule 13 description 'wg2'
set nat destination rule 13 destination port '80'
set nat destination rule 13 inbound-interface 'pppoe0'
set nat destination rule 13 protocol 'tcp_udp'
set nat destination rule 13 source port '80'
set nat destination rule 13 translation address '192.168.5.118'
set nat source rule 10 outbound-interface 'pppoe0'
set nat source rule 10 protocol 'all'
set nat source rule 10 source address '192.168.5.0/24'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 destination address '192.168.195.140'
set nat source rule 20 outbound-interface 'ztyqb3p3ce'
set nat source rule 20 protocol 'all'
set nat source rule 20 source address '192.168.5.0/24'
set nat source rule 20 translation address 'masquerade'
set nat source rule 21 outbound-interface 'wg02'
set nat source rule 21 protocol 'all'
set nat source rule 21 source address '192.168.196.0/24'
set nat source rule 21 translation address 'masquerade'
set policy route pppoe-out description 'PPPoE TCPMSS clamping'
set policy route pppoe-out rule 100 protocol 'tcp'
set policy route pppoe-out rule 100 set tcp-mss 'pmtu'
set policy route pppoe-out rule 100 tcp flags 'SYN'
set policy route tunsafe rule 1000 destination address '0.0.0.0/0'
set policy route tunsafe rule 1000 protocol 'all'
set policy route tunsafe rule 1000 set table '5'
set policy route tunsafe rule 1000 source address '192.168.196.0/24'
set protocols static table 5 route 0.0.0.0/0 next-hop 10.180.182.189
set service dhcp-server shared-network-name LAN authoritative
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 default-router '192.168.5.1'
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 dns-server '192.168.5.200'
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 dns-server '192.168.4.200'
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 range 0 start '192.168.5.70'
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 range 0 stop '192.168.5.120'
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 static-mapping broadlink ip-address '192.168.5.110'
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 static-mapping broadlink mac-address '34:ea:34:c7:cb:ca'
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 static-mapping fibaro ip-address '192.168.5.20'
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 static-mapping fibaro mac-address '00:22:4d:b7:20:88'
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 static-mapping purificator ip-address '192.168.5.87'
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 static-mapping purificator mac-address '04:cf:8c:94:c7:ae'
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 static-mapping umidificator ip-address '192.168.5.83'
set service dhcp-server shared-network-name LAN subnet 192.168.5.0/24 static-mapping umidificator mac-address '04:cf:8c:97:cb:98'
set service dhcp-server shared-network-name tunsafe authoritative
set service dhcp-server shared-network-name tunsafe subnet 192.168.196.0/24 default-router '192.168.196.1'
set service dhcp-server shared-network-name tunsafe subnet 192.168.196.0/24 dns-server '1.1.1.1'
set service dhcp-server shared-network-name tunsafe subnet 192.168.196.0/24 dns-server '8.8.8.8'
set service dhcp-server shared-network-name tunsafe subnet 192.168.196.0/24 lease '86400'
set service dhcp-server shared-network-name tunsafe subnet 192.168.196.0/24 range 0 start '192.168.196.10'
set service dhcp-server shared-network-name tunsafe subnet 192.168.196.0/24 range 0 stop '192.168.196.210'
set service dns forwarding listen-on 'eth1'
set service dns forwarding listen-on 'pppoe0'
set service dns forwarding name-server '192.168.5.200'
set service dns forwarding name-server '192.168.4.200'
set service dns forwarding system
set service snmp community secret authorization 'ro'
set service snmp contact 'Paul Iercosan'
set service snmp location 'Timisoara'
set service ssh port '822'
set system config-management commit-revisions '100'
set system host-name 'CORE-Timisoara'
set system login user vyos authentication encrypted-password '<encrypted-password>'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '192.168.5.200'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system syslog host 192.168.0.241 facility all level 'debug'
set system time-zone 'Europe/Bucharest'
vyos@CORE-Timisoara:~$

Leave a reply:

Your email address will not be published.

Site Footer