VyOS


Foreword

As VyOS is Debian-based, the Linux router notes are also highly related.

Resources

Installation

See Installation (VyOS).

  1. (Recommended) Disable Intel Hyper-Threading.
  2. Download the latest rolling release (free) or LTS release (paid) ISO.
  3. Burn and boot from it (it's a live image).
  4. Log in using user vyos and password vyos.
  5. Run install image to run the permanent installation wizard.
    • Keep the suggested image name.
    • Use the /opt/vyatta/etc/config.boot.default default config file.
  6. Remove the live image and reboot.

Initial Configuration

An example of a full initial configuration; intuitive steps are omitted.

  1. Log in as user vyos and password as set in the installation (or vyos if using the live media).
    • It'll drop you directly into operational mode.
  2. Fix the keyboard layout:
    • Run config TUI: set console keymap
    • FIXME: This doesn't seem to work. Relogging or restarting doesn't help either.
  3. Enter configuration mode: configure
    • This changes the prompt from $ to #.
  4. Set hostname:
    1. Note: <host-name>.<domain-name> should be an FQDN.
    2. Hostname: set system host-name <hostname>
    3. Domain name: set system domain-name <domain-name>
  5. Set the DNS servers: set system name-server <ip-address> (for each server)
  6. Set the time zone: set system time-zone Europe/Oslo (Norway)
  7. Set NTP servers:
    1. Remove default NTP servers: delete system ntp <server> (for each server)
    2. Add new NTP servers: set system ntp server ntp.justervesenet.no (example)
  8. Enable Ctrl+Alt+Del reboot: set system options ctrl-alt-del-action reboot (or ignore)
  9. Replace default user:
    1. Add new user with password: set system login user <username> authentication plaintext-password "<password>" (remember quotation marks if it contains spaces)
    2. Commit and log into the new user.
    3. Delete the default user: delete system login user vyos
  10. Set up a WAN-facing interface with an IP address (steps not included).
  11. Set default routes: set protocols static route[6] <0.0.0.0/0|::/0> next-hop <next-hop> (for IPv4 and IPv6)
  12. (Optional) Set black hole route: set protocols static route[6] <prefix> blackhole (for IPv4 and IPv6)
  13. Enable LLDP: set service lldp interface all
  14. Enable SSHD:
    1. Enable: set service ssh
    2. More options: VyOS SSH
  15. Enable unicast reverse path forwarding (uRPF) globally: set firewall source-validation strict
  16. Set firewall options:
    1. Enter the firewall section: edit firewall (the following set commands are relative to it).
    2. set all-ping enable
    3. set broadcast-ping disable
    4. set receive-redirects disable
    5. set ipv6-receive-redirects disable
    6. set ip-src-route disable
    7. set ipv6-src-route disable
    8. set log-martians disable
    9. set send-redirects disable
  17. Set up the firewall:
    1. Set default policies:
      • set firewall state-policy established action accept
      • set firewall state-policy related action accept
      • set firewall state-policy invalid action drop
    2. Create IPv4 and IPv6 rule sets. Note that IPv4 and IPv6 rule sets can't share names, so you can suffix the names with -4 and -6 to avoid conflict.
    3. Attach rule sets to interfaces (typically "local" and "out").
  18. Tuning:
    • TODO This can be done in the interface ethernet configs instead.
    • See the Linux router notes.
    • Enable GRO (example): ethtool -K <if> gro on
    • Increase RX/TX ring buffer sizes (example): ethtool -G <if> rx <size> tx <size>
    • Enable scatter/gather aka vectored I/O (example): ethtool -K <if> sg on
    • Make ethtool commands (and similar) permanent by adding them to /config/scripts/vyos-postconfig-bootup.script.
  19. Commit and save: commit and save.
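As an added example that is not part of these notes or of VyOS itself, the script below packages steps 4 to 18 above into one reviewable "set" batch, checks the FQDN rule from step 4, writes the ethtool tuning from step 18 into the post-config bootup script, and applies the batch through the VyOS scripting template when run on the router (elsewhere it only prints the batch). Every value in it is an assumed placeholder (rtr1.example.net, the 192.0.2.0/24 and 2001:db8::/64 addresses, eth0, user ops, the management prefix allowed to reach SSH), and the 1.3-style firewall syntax (firewall name / ipv6-name, interface ... firewall local) is assumed to match the release these notes target.

```shell
#!/bin/bash
# Added example (not from the original notes): builds the VyOS 1.3-style "set"
# batch for the initial configuration and applies it via the VyOS scripting
# template on the router (use vbash there); elsewhere it prints the batch.
set -eu

# Constructed placeholders; override via the environment.
VY_HOST="${VY_HOST:-rtr1}"
VY_DOMAIN="${VY_DOMAIN:-example.net}"
VY_WAN_IF="${VY_WAN_IF:-eth0}"
VY_WAN_V4="${VY_WAN_V4:-192.0.2.2/24}"
VY_WAN_V6="${VY_WAN_V6:-2001:db8::2/64}"
VY_GW_V4="${VY_GW_V4:-192.0.2.1}"
VY_GW_V6="${VY_GW_V6:-2001:db8::1}"
VY_MGMT_NET="${VY_MGMT_NET:-192.0.2.0/24}"   # only this prefix may reach SSH
VY_ADMIN_USER="${VY_ADMIN_USER:-ops}"
VY_ADMIN_PASS="${VY_ADMIN_PASS:-change-me}"  # from the environment, never argv (visible in ps)

# host-name must be a bare label and domain-name must contain a dot (FQDN rule).
check_names() {
  case "$1" in ''|*.*|*' '*) return 1 ;; esac
  case "$2" in *.*) return 0 ;; *) return 1 ;; esac
}

# One "set ..." line per call; the batch is plain text, reviewable before use.
vyos_set() { printf 'set %s\n' "$*"; }

# Steps 4 to 17 of the notes as one command batch (written to stdout).
vyos_initial_config() {
  check_names "$VY_HOST" "$VY_DOMAIN" || { echo "host/domain do not form an FQDN" >&2; return 1; }
  vyos_set system host-name "$VY_HOST"
  vyos_set system domain-name "$VY_DOMAIN"
  vyos_set system name-server 192.0.2.53          # constructed resolver address
  vyos_set system time-zone Europe/Oslo
  vyos_set system ntp server ntp.justervesenet.no
  vyos_set system options ctrl-alt-del-action ignore
  # VyOS keeps only a hash of plaintext-password once committed. The default
  # "vyos" user is deleted in a later session, after logging in as the new user.
  vyos_set system login user "$VY_ADMIN_USER" authentication plaintext-password "\"$VY_ADMIN_PASS\""
  vyos_set interfaces ethernet "$VY_WAN_IF" address "$VY_WAN_V4"
  vyos_set interfaces ethernet "$VY_WAN_IF" address "$VY_WAN_V6"
  vyos_set protocols static route 0.0.0.0/0 next-hop "$VY_GW_V4"
  vyos_set protocols static route6 ::/0 next-hop "$VY_GW_V6"
  vyos_set service lldp interface all
  vyos_set service ssh port 22
  vyos_set firewall source-validation strict      # uRPF
  vyos_set firewall all-ping enable
  for opt in broadcast-ping receive-redirects ipv6-receive-redirects \
             ip-src-route ipv6-src-route send-redirects log-martians; do
    vyos_set firewall "$opt" disable               # log-martians: disabled as in the notes
  done
  vyos_set firewall state-policy established action accept
  vyos_set firewall state-policy related action accept
  vyos_set firewall state-policy invalid action drop
  # Rule sets for traffic to the router itself; -4/-6 suffixes avoid the name clash.
  vyos_set firewall name LOCAL-4 default-action drop
  vyos_set firewall name LOCAL-4 rule 10 action accept
  vyos_set firewall name LOCAL-4 rule 10 protocol tcp
  vyos_set firewall name LOCAL-4 rule 10 destination port 22
  vyos_set firewall name LOCAL-4 rule 10 source address "$VY_MGMT_NET"
  vyos_set firewall name LOCAL-4 rule 20 action accept
  vyos_set firewall name LOCAL-4 rule 20 protocol icmp
  vyos_set firewall ipv6-name LOCAL-6 default-action drop
  vyos_set firewall ipv6-name LOCAL-6 rule 10 action accept
  vyos_set firewall ipv6-name LOCAL-6 rule 10 protocol icmpv6   # NDP and PMTUD need it
  vyos_set interfaces ethernet "$VY_WAN_IF" firewall local name LOCAL-4
  vyos_set interfaces ethernet "$VY_WAN_IF" firewall local ipv6-name LOCAL-6
}

# Step 18: offloads and ring sizes, persisted in the post-config bootup script.
# Writes to $1 (default: the VyOS path) so the content can be previewed elsewhere.
write_tuning_script() {
  printf '%s\n' '#!/bin/sh' \
    "ethtool -K $VY_WAN_IF gro on" \
    "ethtool -K $VY_WAN_IF sg on" \
    "ethtool -G $VY_WAN_IF rx 4096 tx 4096  # check 'ethtool -g' for the NIC maximum" \
    > "${1:-/config/scripts/vyos-postconfig-bootup.script}"
}

# On VyOS: apply inside a configuration session (the template defines configure,
# set, commit and save). Anywhere else: print the batch for review.
apply_or_print() {
  if [ -r /opt/vyatta/etc/functions/script-template ]; then
    . /opt/vyatta/etc/functions/script-template
    batch=$(vyos_initial_config)
    configure
    while read -r line; do eval "$line"; done <<EOF
$batch
EOF
    commit
    save
  else
    vyos_initial_config
  fi
}

apply_or_print
```

Run it on the router with vbash after exporting VY_ADMIN_PASS; off the router it prints the batch, which can be pasted into a configure session or kept as a change record. Deleting the default vyos user is deliberately left out: do that in a second session after logging in as the new user, as the notes say.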

General Configuration

CLI

  • The system is in "operational mode" ($) after logging in. Enter "configuration mode" (#) using the configure command.
  • Use ? to show alternatives and tab to auto-complete.
  • Use run to run operational mode commands in configuration mode.

Basics

  • System information:
    • Show log: show log [tail]
  • Interface and routing information:
    • L2/L3 interfaces overview: show interfaces
    • Routes: show ip route and show ipv6 route
  • Configuration changes:
    • Show configuration: show
    • Apply changes: commit
    • Apply changes with confirmation: commit-confirm [comment <comment>] [minutes], then run confirm within the given number of minutes once you've verified that the changes work as intended. Not confirming in time causes the system to reboot.
    • Save changes: save

Tasks

Reset Admin Password

Reboot the device and wait for the boot screen. In the boot screen, select the "lost password change (KVM)" option. It will boot into a prompt asking you to set a new password. After setting a new password, the device will automatically reboot.

Random Notes

  • The DHCPv4 relay requires the interface towards the upstream DHCP server to be included in the relay interfaces. Otherwise the responses from the upstream server will be dropped.
