VyOS セットアップ
無料のソフトウェアルーターです。KVM仮想環境にインストールします。
KVM にてインストール (超簡単)
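apt install qemu-kvm libvirt-daemon-system virtinst libvirt-clients qemu-utils bridge-utils
# Domain name and installer ISO. `name` is reused by `virsh console` below,
# so keep these in the same shell session.
export name=VyOS6.cpunk
export cdrom='vyos-1.5-rolling-202402230022-amd64.iso'
# Pre-creating the image is unnecessary: `--disk ... size=8` below makes
# virt-install create /vm/$name.img itself (8 GiB).
# NOTE(review): this 2G raw image and size=8 disagree; the later conversion
# step assumes a raw file, so add `format=raw` to --disk if that is intended.
# qemu-img create -f raw $name.img 2G
# Guest NICs are created in the order the --network options are given, so
# br0/br1/br2 presumably become eth0/eth1/eth2 inside VyOS.
# --os-variant only tunes device defaults; VyOS is Debian-based, so confirm
# the chosen variant is what you want.
virt-install -n "$name" \
  --ram 4096 \
  --vcpus 4 \
  --cdrom "$cdrom" \
  --os-variant ubuntu22.04 \
  --network bridge=br0 \
  --network bridge=br1 \
  --network bridge=br2 \
  --nographics \
  --hvm \
  --virt-type kvm \
  --disk path=/vm/"$name".img,bus=virtio,size=8 \
  --noautoconsole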
Login ID/PW : vyos (初期アカウントの既定パスワードなので、ログイン後に `set system login user vyos authentication plaintext-password <新しいパスワード>` で変更してから commit / save する)
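# Attach to the guest's serial console (quoted: SC2086). Detach with Ctrl-].
virsh console "$name"
# The next two commands are typed inside the VyOS console after logging in
# with the credentials above: write the live ISO to the disk, then reboot
# into the installed image.
install image
reboot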
raw ファイルなのでqcow2 に変換
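# Shrink the raw disk into a qcow2 image. The guest must be shut off first
# (check with `virsh domstate <domain>`), otherwise the copy is inconsistent.
# NOTE(review): the domain above was created as "$name" (VyOS6.cpunk); the
# VyOS.neo names used here appear to come from a different VM — adjust to match.
# The XML below references /vm/VyOS.neo.qcow2, so run this in /vm or give the
# full output path.
qemu-img convert -O qcow2 VyOS.neo.img VyOS.neo.qcow2
# File size: 2GB -> 484MB
# Point the domain at the new image with `virsh edit` instead of editing
# /etc/libvirt/qemu/VyOS.neo.xml by hand: libvirt marks those files as
# auto-generated and may overwrite manual edits, and `virsh edit` re-defines
# the domain itself, so a separate `virsh define` is not needed.
# Change the disk element to:
#   <driver name='qemu' type='qcow2'/>
#   <source file='/vm/VyOS.neo.qcow2'/>
virsh edit VyOS.neo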
設定
configure で設定モードに入り、commit で変更を適用し、save で /config/config.boot に恒久的に保存する
Interface (Ethernet)
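# LAN-side addresses: the router is .9 on each of the three bridged segments
# (presumably eth0..eth2 follow the br0..br2 order given to virt-install).
# VyOS addresses Ethernet ports as `interfaces ethernet ethN`; the bare
# `interfaces ethN` form is not a valid configuration path.
set interfaces ethernet eth0 address 192.168.8.9/24
set interfaces ethernet eth1 address 192.168.9.9/24
set interfaces ethernet eth2 address 192.168.23.9/24
# NOTE(review): the DHCP default-router and DNS forwarding listen-address
# entries below use .10 on these subnets, not .9 — confirm which address the
# router is meant to own.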
Interface (PPPOE)
# Upstream PPPoE session carried over eth0. The credentials are masked on this
# page; in the running system they end up in plain text in /config/config.boot,
# so keep access to that file restricted.
set interfaces pppoe pppoe0 authentication user *****
set interfaces pppoe pppoe0 authentication password *****
# 1454-byte MTU; the tcp-mss 1414 in the policy section below is this value
# minus 40 bytes of IPv4 + TCP headers.
set interfaces pppoe pppoe0 mtu 1454
# Presumably kept disabled until the firewall, policy and NAT below are
# committed, so the link never comes up unfiltered. Enable later with
# `delete interfaces pppoe pppoe0 disabled`.
set interfaces pppoe pppoe0 disabled # Not yet!
set interfaces pppoe pppoe0 source-interface eth0
Firewall (In)
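# Inbound ruleset for pppoe0: drop everything that is not a reply to a
# connection initiated from inside (stateful allow of established/related).
set firewall name PPPOE0_IN default-action drop
set firewall name PPPOE0_IN rule 8 action accept
set firewall name PPPOE0_IN rule 8 state established enable
set firewall name PPPOE0_IN rule 8 state related enable
# Attach a firewall to pppoe0. (`#` is the comment character in the VyOS
# config shell; a `//` line is not accepted there.)
set interfaces pppoe pppoe0 firewall in name PPPOE0_IN
# Only the `in` (forwarded) direction is attached here; packets addressed to the
# router itself fall under `local`, which is not filtered. That is why the SSH
# and DNS services below must stay bound to LAN addresses only.
# NOTE(review): VyOS 1.4+ moved to `set firewall ipv4 name ...` with rulesets
# attached via `set firewall ipv4 forward filter ...` rather than per interface;
# the DHCP section below already uses 1.4+ syntax, so confirm this older form
# loads on the 1.5 rolling image used above.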
Firewall (Out)
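# Outbound ruleset for pppoe0: stop traffic for private and link-local
# destinations from leaking onto the WAN link, where it is unroutable anyway.
# (100.64.0.0/10, the shared CGNAT range, is a common further addition.)
set firewall group network-group Private network 10.0.0.0/8
set firewall group network-group Private network 172.16.0.0/12
set firewall group network-group Private network 192.168.0.0/16
set firewall group network-group Private network 169.254.0.0/16
set firewall name PPPOE0_OUT default-action accept
set firewall name PPPOE0_OUT rule 9 action reject
set firewall name PPPOE0_OUT rule 9 destination group network-group Private
# Attach a firewall to pppoe0. (`#`, not `//`, is the comment character in the
# VyOS config shell.)
set interfaces pppoe pppoe0 firewall out name PPPOE0_OUT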
Policy
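# MSS clamping: rewrite the MSS of connection-opening TCP segments to 1414
# (the 1454 PPPoE MTU minus 40 bytes of IPv4 + TCP headers) so oversized
# segments do not black-hole on the PPPoE path.
set policy route wan rule 10 destination address 0.0.0.0/0
set policy route wan rule 10 protocol tcp
set policy route wan rule 10 set tcp-mss 1414
# Match only SYN segments that are not ACK/FIN/RST, i.e. the first packet of
# a new connection.
set policy route wan rule 10 tcp flags SYN,!ACK,!FIN,!RST
# Attach a policy to pppoe0. (`#`, not `//`, is the comment character in the
# VyOS config shell.)
set interfaces pppoe pppoe0 policy route wan
# NOTE(review): an interface policy applies to packets received on that
# interface, so this clamps SYNs arriving from the WAN; for connections opened
# from the LAN the policy would also need to be attached to the LAN
# interfaces — confirm the intended direction.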
Protocol (routing)
# Default route out of the PPPoE session (an interface route: pppoe0 has no
# fixed next-hop).
set protocols static route 0.0.0.0/0 interface pppoe0
# The three LAN prefixes below are already connected networks of eth0..eth2
# (see the interface addresses above), so these static entries presumably
# duplicate the connected routes — harmless, but likely redundant.
set protocols static route 192.168.8.0/24 interface eth0
set protocols static route 192.168.9.0/24 interface eth1
set protocols static route 192.168.23.0/24 interface eth2
SNAT (Source NAT, IP masquerade)
# Masquerade LAN traffic leaving via pppoe0 behind the session's public address.
set nat source rule 99 outbound-interface pppoe0
# NOTE(review): only 192.168.23.0/24 is translated; hosts on 192.168.8.0/24
# and 192.168.9.0/24 would leave pppoe0 with private source addresses (and the
# PPPOE0_OUT rule only rejects private *destinations*) — confirm this is intended.
set nat source rule 99 source address 192.168.23.0/24
set nat source rule 99 translation address masquerade
DHCP-server
# Two DHCP scopes, one per LAN segment (192.168.9.0/24 on eth1 gets none).
# This `option ...` / `subnet-id` form is the VyOS 1.4+ (Kea) syntax.
# NOTE(review): default-router is .10 on both subnets while the interfaces
# above are configured as .9 — confirm which host is the gateway.
# Clients are handed 8.8.8.8 directly rather than the router's DNS forwarder
# configured below; that bypasses the forwarder entirely.
set service dhcp-server shared-network-name NTT_NETWORK subnet 192.168.8.0/24 option default-router 192.168.8.10
set service dhcp-server shared-network-name NTT_NETWORK subnet 192.168.8.0/24 option name-server 8.8.8.8
set service dhcp-server shared-network-name NTT_NETWORK subnet 192.168.8.0/24 range 0 start 192.168.8.150
set service dhcp-server shared-network-name NTT_NETWORK subnet 192.168.8.0/24 range 0 stop 192.168.8.240
set service dhcp-server shared-network-name NTT_NETWORK subnet 192.168.8.0/24 subnet-id 8
set service dhcp-server shared-network-name MYNETWORK subnet 192.168.23.0/24 option default-router 192.168.23.10
set service dhcp-server shared-network-name MYNETWORK subnet 192.168.23.0/24 option name-server 8.8.8.8
set service dhcp-server shared-network-name MYNETWORK subnet 192.168.23.0/24 range 0 start 192.168.23.150
set service dhcp-server shared-network-name MYNETWORK subnet 192.168.23.0/24 range 0 stop 192.168.23.240
set service dhcp-server shared-network-name MYNETWORK subnet 192.168.23.0/24 subnet-id 23
SSH
# Management access: bind sshd to the eth2 address only, so it is not reachable
# via pppoe0 (no `local` firewall ruleset is attached above — this binding is
# the only thing keeping sshd off the WAN).
set service ssh listen-address 192.168.23.9
set service ssh port 22
# NOTE(review): once SSH keys are deployed, consider
# `set service ssh disable-password-authentication`.
DNS forwarding
# DNS forwarder for the LAN segments; `system` makes it forward to the
# system name-servers configured below.
# NOTE(review): these listen-addresses are .10 but eth0..eth2 are configured as
# .9 above — a listen-address must belong to the router, so confirm.
# NOTE(review): recent VyOS also expects `set service dns forwarding allow-from
# <prefix>` for each LAN prefix; without it the forwarder either fails to
# commit or answers any source that can reach it — confirm for this image.
set service dns forwarding listen-address 192.168.8.10
set service dns forwarding listen-address 192.168.9.10
set service dns forwarding listen-address 192.168.23.10
set service dns forwarding system
# Upstream resolvers (Google public DNS, IPv4 and IPv6).
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system name-server 2001:4860:4860::8888
set system name-server 2001:4860:4860::8844