---
title: VyOS
breadcrumbs:
  - title: Configuration
  - title: Network
---

{% include header.md %}

Foreword

As VyOS is Debian-based, the Linux router notes are also highly relevant.

Resources

Installation

See Installation (VyOS).

  1. (Recommended) Disable Intel Hyper-Threading.
  2. Download the latest rolling release (free) or LTS release (paid) ISO.
  3. Burn and boot from it (it's a live image).
  4. Log in using user vyos and password vyos.
  5. Run install image to run the permanent installation wizard.
    • Keep the suggested image name to keep track of versions.
    • If asked about which config to copy, any one is fine.
  6. Remove the live image and reboot.

Initial Configuration

An example of a full configuration, minus the intuitive parts I didn't bother to note.

  1. Log in as user vyos and password as set in the installation (or vyos if using the live media).
    • It'll drop you directly into operational mode.
  2. Fix the keyboard layout:
    • Run config TUI: set console keymap
    • FIXME: This doesn't seem to work. Relogging or restarting doesn't help either.
  3. Enter configuration mode: configure
    • This changes the prompt from $ to #.
  4. Set hostname:
    1. Note: <host-name>.<domain-name> should be an FQDN.
    2. Hostname: set system host-name <hostname>
    3. Domain name: set system domain-name <domain-name>
  5. Set the DNS servers: set system name-server <ip-address> (for each server)
  6. Set the time zone: set system time-zone Europe/Oslo (Norway)
  7. (Optional) Replace the NTP servers:
    1. Remove default NTP servers: delete system ntp server <server> (for each server)
    2. Add new NTP servers: set system ntp server ntp.justervesenet.no (example)
  8. (Optional) Enable Ctrl+Alt+Del reboot: set system options ctrl-alt-del-action reboot (or ignore)
  9. Replace default user:
    1. Add new user with password: set system login user <username> authentication plaintext-password "<password>" (remember quotation marks if it contains spaces)
    2. Commit and log into the new user.
    3. Delete the default user: delete system login user vyos
  10. Set up a plain WAN-facing interface with an IP address (without LAG or VLAN):
    1. Show all Ethernet interfaces: run show interfaces ethernet
    2. Enter interface config: edit interfaces ethernet <if>
    3. Set description: set description <description>
    4. (Alternative) Set static address (IPv4 + IPv6): set address <addr>/<prefix-length>
    5. (Alternative) Set to get IPv4 address from DHCPv4: set address dhcp
    6. (Alternative) Set to get IPv6 address from DHCPv6: set address dhcpv6
    7. (Alternative) Set to get IPv6 address from SLAAC: set ipv6 address autoconf
    8. (Optional) Set firewall policies: set firewall {local | in | out} <...>
  11. (Optional) Set up a LAG interface:
    1. Enter interface config: edit interfaces bonding bond<n>
    2. Set member interfaces: set member interface <if>
    3. Enable LACP: set mode 802.3ad
    4. Set hashing policy: set hash-policy layer2+3
    5. Configure as a normal interface.
  12. (Optional) Set up a VLAN interface:
    1. Enter the parent/physical interface config.
    2. Enter the VLAN subinterface config: edit vif <VID>
    3. Configure as a normal interface.
  13. Set default routes: set protocols static route[6] <0.0.0.0/0|::/0> next-hop <next-hop> (for IPv4 and IPv6)
  14. (Optional) Set black hole route: set protocols static route[6] <prefix> blackhole (for IPv4 and IPv6)
  15. Enable LLDP: set service lldp interface all
  16. Set up SSHD:
    1. Enable server: set service ssh
    2. (Optional) Commit and log in through SSH instead of the console.
    3. (Optional) Add your personal pubkey by entering it:
      1. Enter section: edit system login user <user> authentication public-keys <some-key-id>
      2. Set key type: set type ssh-rsa
      3. Set key (only the Base64-encoded part): set key <key>
    4. (Optional) Add your personal pubkey by downloading it: loadkey <username> <URI>
    5. Disable password login (pubkeys only): set service ssh disable-password-authentication
  17. Enable unicast reverse path forwarding (uRPF) globally: set firewall source-validation strict
  18. Set firewall options:
    1. Enter firewall section.
    2. set all-ping enable
    3. set broadcast-ping disable
    4. set receive-redirects disable
    5. set ipv6-receive-redirects disable
    6. set ip-src-route disable
    7. set ipv6-src-route disable
    8. set log-martians disable
    9. set send-redirects disable
  19. Set up the firewall:
    1. Set default policies:
      • set firewall state-policy established action accept
      • set firewall state-policy related action accept
      • set firewall state-policy invalid action drop
    2. Create IPv4 and IPv6 rule sets. Note that IPv4 and IPv6 rule sets can't share names, so suffix the names with -4 and -6 to avoid conflicts.
    3. Attach rule sets to interfaces (typically "local" and "out").
  20. Tuning:
    • TODO: This can be done in the interface ethernet configs instead.
    • See the Linux router notes.
    • Enable GRO (example): ethtool -K <if> gro on
    • Increase RX/TX buffer sizes (example): ethtool -G <if> tx 4096 rx 4096
    • Enable scatter/gather aka vectored I/O (example): ethtool -K <if> sg on
    • Make commands like these ethtool ones permanent by adding them to /config/scripts/vyos-postconfig-bootup.script.
  21. Commit and save the configuration: commit, then save.
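A worked version of steps 17 to 19, as an added example that is not part of the original notes: a bash function that renders the set commands for a strict WAN-facing local firewall (SSH only from a management prefix, ICMP allowed, everything else dropped) so they can be pasted into configure. The interface name and the management prefixes are assumed placeholder values.

```shell
#!/bin/bash
# Renders VyOS 1.3-style "set" commands for a WAN-facing "local" firewall.
# The script only generates text, so it runs anywhere; paste the output into
# "configure" on the router and follow it with "commit" and "save".
# Assumed placeholders: wan_if (eth0), mgmt4 (203.0.113.0/24), mgmt6 (2001:db8::/32).

wan_firewall_cmds() {
  local wan_if="$1" mgmt4="$2" mgmt6="$3"
  [ -n "$wan_if" ] && [ -n "$mgmt4" ] && [ -n "$mgmt6" ] || return 1
  cat <<EOF
set firewall source-validation strict
set firewall state-policy established action accept
set firewall state-policy related action accept
set firewall state-policy invalid action drop
set firewall name WAN-LOCAL-4 default-action drop
set firewall name WAN-LOCAL-4 rule 10 action accept
set firewall name WAN-LOCAL-4 rule 10 protocol tcp
set firewall name WAN-LOCAL-4 rule 10 destination port 22
set firewall name WAN-LOCAL-4 rule 10 source address ${mgmt4}
set firewall name WAN-LOCAL-4 rule 20 action accept
set firewall name WAN-LOCAL-4 rule 20 protocol icmp
set firewall ipv6-name WAN-LOCAL-6 default-action drop
set firewall ipv6-name WAN-LOCAL-6 rule 10 action accept
set firewall ipv6-name WAN-LOCAL-6 rule 10 protocol tcp
set firewall ipv6-name WAN-LOCAL-6 rule 10 destination port 22
set firewall ipv6-name WAN-LOCAL-6 rule 10 source address ${mgmt6}
set firewall ipv6-name WAN-LOCAL-6 rule 20 action accept
set firewall ipv6-name WAN-LOCAL-6 rule 20 protocol ipv6-icmp
set interfaces ethernet ${wan_if} firewall local name WAN-LOCAL-4
set interfaces ethernet ${wan_if} firewall local ipv6-name WAN-LOCAL-6
EOF
}

# Rule 20 in the IPv6 set is not optional: dropping all ICMPv6 breaks NDP and
# path MTU discovery, so the router stops talking to its own upstream.
wan_firewall_cmds "${1:-eth0}" "${2:-203.0.113.0/24}" "${3:-2001:db8::/32}"
```

The IPv4 and IPv6 sets carry the -4 and -6 suffixes because the two namespaces cannot share a name, as noted in step 19.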

General Configuration

CLI

  • The system is in "operational mode" ($) after logging in. Enter "configuration mode" (#) using the configure command.
  • Use ? to show alternatives and tab to auto-complete.
  • Use run to run operational mode commands in configuration mode.

Basics

  • System information:
    • Show log: show log [tail]
  • Interface and routing information:
    • L2/L3 interfaces overview: show interfaces
    • Routes: show ip route and show ipv6 route
  • Configuration changes:
    • Show configuration: show
      • Running this in configuration mode also marks any uncommitted changes.
      • Run it in operational mode if you intend to copy it from the terminal, to avoid the change-marker indentation.
    • Apply changes: commit
    • Apply changes with confirmation: commit-confirm [comment <comment>] [minutes]
      • Run confirm within N minutes when you've verified that the changes are working as intended.
      • Not confirming in time will cause the system to reboot.
    • Save changes: save

Tasks

Reset Admin Password

Reboot the device and wait for the boot screen. In the boot screen, select the "lost password change (KVM)" option. It will boot into a prompt asking you to set a new password. After setting a new password, the device will automatically reboot.

Random Notes

  • The DHCPv4 relay requires the interface towards the upstream DHCP server to be included in the relay interfaces. Otherwise the responses from the upstream server will be dropped. The relay is also very buggy at the moment, so I'd recommend not using it until it gets fixed. See T377 and T1276.

{% include footer.md %}