# Setting up VyOS as a Home Router
Notes on my configuration to use VyOS on a Cisco ASA5525-X as a home router with multiple VLANs and IPv6 prefix delegation support.
## Basic Settings
Set the hostname, timezone, and NTP. Disable the NTP server (clients can get time directly from the internet).
```
set system host-name 'shasta'
set service ntp server time.nist.gov
delete service ntp allow-client
set system time-zone 'America/Los_Angeles'
```
Set the serial console parameters to allow backup serial access with a Cisco serial cable so we don't need video out.
```
set system console device ttyS0 speed '115200'
```
Create a new user instead of the default vyos user. The command specifies a plaintext password, but that is only for entry on the CLI; it will be saved as an encrypted password.
```
set system login user admin authentication plaintext-password admin
```
After verifying that the new user works (log out and back in), you can delete the default vyos user.
```
delete system login user vyos
```
Create a LAN bridge for the multiple ethernet ports on the ASA that are VLAN-aware (repeat the allowed-vlan lines for each port that is in the bridge).
```
set interfaces bridge br0 description 'LAN Bridge'
set interfaces bridge br0 enable-vlan
set interfaces bridge br0 member interface eth0 allowed-vlan '20'
set interfaces bridge br0 member interface eth0 allowed-vlan '10'
set interfaces bridge br0 member interface eth0 allowed-vlan '30'
set interfaces bridge br0 member interface eth0 allowed-vlan '40'
set interfaces bridge br0 member interface eth0 allowed-vlan '50'
set interfaces bridge br0 vif 10 address '10.95.10.1/24'
set interfaces bridge br0 vif 10 description 'MGMT-10'
set interfaces bridge br0 vif 20 address '10.95.20.1/24'
set interfaces bridge br0 vif 20 description 'TRUST-20'
set interfaces bridge br0 vif 30 address '10.95.30.1/24'
set interfaces bridge br0 vif 30 description 'IOT-30'
set interfaces bridge br0 vif 40 address '10.95.40.1/24'
set interfaces bridge br0 vif 40 description 'GUEST-40'
set interfaces bridge br0 vif 50 address '10.95.50.1/24'
set interfaces bridge br0 vif 50 description 'LAB-50'
```
Set the interface configuration for the WAN interface. Enable DHCP on the WAN interface to get an IPv4 address, and DHCPv6 to request a /60 prefix from the ISP.
```
set interfaces ethernet eth3 description 'WAN (port 0)'
set interfaces ethernet eth3 address 'dhcp'
set interfaces ethernet eth3 address 'dhcpv6'
set interfaces ethernet eth3 hw-id '00:fd:22:b7:c8:8b'
set interfaces ethernet eth3 dhcpv6-options pd 0 length '60'
```
Serve specific address ranges from the /60 prefix to each of the bridge VLAN interfaces (the sla-id selects which range each interface gets). Set the address of the VLAN interface to be the first address in each range.
```
set interfaces ethernet eth3 dhcpv6-options pd 0 interface br0.10 address '1'
set interfaces ethernet eth3 dhcpv6-options pd 0 interface br0.10 sla-id '1'
set interfaces ethernet eth3 dhcpv6-options pd 0 interface br0.20 address '1'
set interfaces ethernet eth3 dhcpv6-options pd 0 interface br0.20 sla-id '2'
set interfaces ethernet eth3 dhcpv6-options pd 0 interface br0.30 address '1'
set interfaces ethernet eth3 dhcpv6-options pd 0 interface br0.30 sla-id '3'
set interfaces ethernet eth3 dhcpv6-options pd 0 interface br0.40 address '1'
set interfaces ethernet eth3 dhcpv6-options pd 0 interface br0.40 sla-id '4'
set interfaces ethernet eth3 dhcpv6-options pd 0 interface br0.50 address '1'
set interfaces ethernet eth3 dhcpv6-options pd 0 interface br0.50 sla-id '5'
```
Extra settings to make sure PD works with my ISP (Comcast/Xfinity).
```
set interfaces ethernet eth3 dhcpv6-options rapid-commit
set interfaces ethernet eth3 ipv6 address autoconf
```
Set the NAT rule for IPv4 so that all internal addresses are masqueraded out of the WAN interface.
```
set nat source rule 5010 description 'Masquerade for WAN'
set nat source rule 5010 outbound-interface name 'eth3'
set nat source rule 5010 protocol 'all'
set nat source rule 5010 source address '10.95.0.0/16'
set nat source rule 5010 translation address 'masquerade'
```
Enable the SSH server and set it to listen only on the management VLAN interface, so that access can later be restricted further with firewall rules.
```
set service ssh listen-address '10.95.10.1'
set service ssh port '22'
```
## DHCP
Set the hostfile to update based on DHCP address allocations.
```
set service dhcp-server hostfile-update
```
Set up a DHCP server for one of the VLAN address ranges.
```
set service dhcp-server shared-network-name vlan10 authoritative
set service dhcp-server shared-network-name vlan10 subnet 10.95.10.0/24 lease '86400'
set service dhcp-server shared-network-name vlan10 subnet 10.95.10.0/24 option default-router '10.95.10.1'
set service dhcp-server shared-network-name vlan10 subnet 10.95.10.0/24 option name-server '10.95.10.1'
set service dhcp-server shared-network-name vlan10 subnet 10.95.10.0/24 range vlan10range start '10.95.10.100'
set service dhcp-server shared-network-name vlan10 subnet 10.95.10.0/24 range vlan10range stop '10.95.10.254'
set service dhcp-server shared-network-name vlan10 subnet 10.95.10.0/24 subnet-id '1'
```
Add an option to advertise a TFTP server to phones, etc.
```
set service dhcp-server shared-network-name vlan10 option tftp-server-name '10.95.10.12'
```
Set a DHCP static mapping for a host.
```
set service dhcp-server shared-network-name vlan10 subnet 10.95.10.0/24 static-mapping denali ip-address '10.95.10.11'
set service dhcp-server shared-network-name vlan10 subnet 10.95.10.0/24 static-mapping denali mac 'a8:a1:59:46:4c:51'
```
Set a system domain name to append to DNS entries in the hostfile. For example, the above mapping will resolve to denali.local.lan.
```
set system domain-name 'local.lan'
```
Set static hostname mappings for devices that may not be using DHCP.
```
set system static-host-mapping host-name srv1.local.lan inet '10.95.10.15'
```
## DNS
Allow DNS forwarding from the LAN and listen on each VLAN interface. Increase the cache size to reduce the number of outbound DNS requests.
```
set service dns forwarding allow-from '10.95.0.0/16'
set service dns forwarding cache-size '100004'
set service dns forwarding listen-address '10.95.10.1'
set service dns forwarding listen-address '10.95.20.1'
set service dns forwarding listen-address '10.95.30.1'
set service dns forwarding listen-address '10.95.40.1'
set service dns forwarding listen-address '10.95.50.1'
set service dns forwarding system
```
Set the system nameservers (Cloudflare).
```
set system name-server '1.1.1.1'
set system name-server '1.0.0.1'
set system name-server '2606:4700:4700::1111'
set system name-server '2606:4700:4700::1001'
```
## IPv6 Router Advertisement
Set up IPv6 router advertisements so that clients can get addresses via SLAAC. Repeat for each VLAN interface.
```
set service router-advert interface br0.10 default-lifetime '300'
set service router-advert interface br0.10 default-preference 'high'
set service router-advert interface br0.10 hop-limit '64'
set service router-advert interface br0.10 interval max '30'
set service router-advert interface br0.10 name-server '2606:4700:4700::1111'
set service router-advert interface br0.10 name-server '2606:4700:4700::1001'
set service router-advert interface br0.10 other-config-flag
set service router-advert interface br0.10 prefix ::/64 preferred-lifetime '300'
set service router-advert interface br0.10 prefix ::/64 valid-lifetime '900'
set service router-advert interface br0.10 reachable-time '900000'
set service router-advert interface br0.10 retrans-timer '0'
```
## Firewall Rules
Set interface and address group names to use in firewall rules.
```
set firewall group interface-group LANv6 interface 'br0.10'
set firewall group interface-group LANv6 interface 'br0.20'
set firewall group interface-group LANv6 interface 'br0.30'
set firewall group interface-group LANv6 interface 'br0.40'
set firewall group interface-group LANv6 interface 'br0.50'
set firewall group interface-group WAN interface 'eth3'
set firewall group network-group LAN network '10.95.0.0/16'
```
Filter types:
- Input: packets into the router (from WAN or LAN)
- Output: packets out of the router (to LAN or WAN)
- Forward: packets routing through the router (WAN to LAN, LAN to WAN, or LAN to LAN routing)
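To check how the IPv4 input filter in this section resolves a given packet, here is an added Python example (not part of these notes and not VyOS code) that parses the group definitions and input-filter rules configured below (descriptions and the rule 30 `invalid` drop left out for brevity) and walks them the way the router does: lowest rule number first, first match wins, otherwise the default-action. The packets and their addresses are constructed for the test.

```python
import ipaddress, shlex
# Groups and the IPv4 input filter from this page (descriptions and rule 30 omitted).
VYOS_CONFIG = """
set firewall group interface-group WAN interface 'eth3'
set firewall group network-group LAN network '10.95.0.0/16'
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 inbound-interface group 'WAN'
set firewall ipv4 input filter rule 20 state 'established'
set firewall ipv4 input filter rule 20 state 'related'
set firewall ipv4 input filter rule 1000 action 'accept'
set firewall ipv4 input filter rule 1000 source group network-group 'LAN'
"""

def parse(config):
    groups, rules, default = {}, {}, "drop"
    for line in config.strip().splitlines():
        t = shlex.split(line)[1:]                    # drop the leading 'set'
        if t[1] == "group":                          # group <type> <name> <kind> <member>
            groups.setdefault(t[3], set()).add(t[5])
        elif t[4] == "default-action":
            default = t[5]
        else:                                        # rule <n> <key> ... <value>
            r = rules.setdefault(int(t[5]), {"state": set()})
            if t[6] == "state":
                r["state"].add(t[7])                 # several state lines OR together
            else:
                r[t[6]] = t[-1]                      # e.g. 'inbound-interface': 'WAN'
    return groups, rules, default

def evaluate(config, packet):
    """Apply the input filter to one packet: lowest-numbered match wins, else default-action."""
    groups, rules, default = parse(config)
    src = ipaddress.ip_address(packet["src"])
    for num, r in sorted(rules.items()):
        if "inbound-interface" in r and packet["iface"] not in groups[r["inbound-interface"]]:
            continue
        if r["state"] and packet["state"] not in r["state"]:
            continue
        if "source" in r and not any(src in ipaddress.ip_network(n) for n in groups[r["source"]]):
            continue
        return num, r["action"]
    return None, default
# Constructed packets: a new SSH attempt from the internet, a LAN client reaching the
# router, and a reply to a flow the router itself opened (conntrack state 'established').
SAMPLES = {
    "wan_new_ssh": {"iface": "eth3", "state": "new", "src": "198.51.100.7"},
    "lan_client": {"iface": "br0.20", "state": "new", "src": "10.95.20.50"},
    "wan_reply": {"iface": "eth3", "state": "established", "src": "1.1.1.1"},
}
```

The unsolicited connection from the WAN falls through every rule and hits the default drop, which is the behaviour to confirm whenever a rule is added or renumbered.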
IPv4 Input Filter: allow established/related from the WAN and input packets from the LAN (this can be more restrictive to control the management interface and only allow DNS, DHCP, etc.).
```
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 description 'Allow established/related input traffic'
set firewall ipv4 input filter rule 20 inbound-interface group 'WAN'
set firewall ipv4 input filter rule 20 state 'established'
set firewall ipv4 input filter rule 20 state 'related'
set firewall ipv4 input filter rule 30 action 'drop'
set firewall ipv4 input filter rule 30 description 'Drop invalid'
set firewall ipv4 input filter rule 30 inbound-interface group 'WAN'
set firewall ipv4 input filter rule 30 state 'invalid'
set firewall ipv4 input filter rule 1000 action 'accept'
set firewall ipv4 input filter rule 1000 description 'Allow packets from LAN to router'
set firewall ipv4 input filter rule 1000 source group network-group 'LAN'
```
IPv4 Forward Filter: allow established/related from the outside and allow outbound from the LAN.
```
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 description 'Allow established/related forwarding traffic'
set firewall ipv4 forward filter rule 20 inbound-interface group 'WAN'
set firewall ipv4 forward filter rule 20 state 'established'
set firewall ipv4 forward filter rule 20 state 'related'
set firewall ipv4 forward filter rule 30 action 'drop'
set firewall ipv4 forward filter rule 30 description 'Drop invalid'
set firewall ipv4 forward filter rule 30 inbound-interface group 'WAN'
set firewall ipv4 forward filter rule 30 state 'invalid'
set firewall ipv4 forward filter rule 1000 action 'accept'
set firewall ipv4 forward filter rule 1000 description 'Allow outbound from LAN'
set firewall ipv4 forward filter rule 1000 source group network-group 'LAN'
```
IPv4 Output Filter: allow all (we trust our router).
```
set firewall ipv4 output filter default-action 'accept'
```
IPv6 Input Filter: allow established/related from the WAN, allow ICMPv6 and DHCPv6 (required for proper IPv6 function), and allow input packets from the LAN (this can be more restrictive to control the management interface and only allow DNS, DHCP, etc.).
```
set firewall ipv6 input filter default-action 'drop'
set firewall ipv6 input filter rule 20 action 'accept'
set firewall ipv6 input filter rule 20 description 'Allow IPv6 established/related input traffic'
set firewall ipv6 input filter rule 20 inbound-interface group 'WAN'
set firewall ipv6 input filter rule 20 state 'established'
set firewall ipv6 input filter rule 20 state 'related'
set firewall ipv6 input filter rule 30 action 'accept'
set firewall ipv6 input filter rule 30 description 'Allow ICMPv6 input'
set firewall ipv6 input filter rule 30 inbound-interface group 'WAN'
set firewall ipv6 input filter rule 30 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 40 action 'accept'
set firewall ipv6 input filter rule 40 description 'Allow DHCPv6 input traffic'
set firewall ipv6 input filter rule 40 destination port '546'
set firewall ipv6 input filter rule 40 inbound-interface group 'WAN'
set firewall ipv6 input filter rule 40 protocol 'udp'
set firewall ipv6 input filter rule 40 source port '547'
set firewall ipv6 input filter rule 1000 action 'accept'
set firewall ipv6 input filter rule 1000 description 'Allow inbound from LAN'
set firewall ipv6 input filter rule 1000 inbound-interface group 'LANv6'
```
IPv6 Forward Filter: allow established/related from the outside, allow ICMPv6 (required for proper IPv6 function), and allow outbound from the LAN.
```
set firewall ipv6 forward filter default-action 'drop'
set firewall ipv6 forward filter rule 20 action 'accept'
set firewall ipv6 forward filter rule 20 description 'Allow IPv6 established/related forwarding traffic'
set firewall ipv6 forward filter rule 20 inbound-interface group 'WAN'
set firewall ipv6 forward filter rule 20 state 'established'
set firewall ipv6 forward filter rule 20 state 'related'
set firewall ipv6 forward filter rule 30 action 'accept'
set firewall ipv6 forward filter rule 30 description 'Allow IPv6 ICMP forwarding'
set firewall ipv6 forward filter rule 30 inbound-interface group 'WAN'
set firewall ipv6 forward filter rule 30 protocol 'ipv6-icmp'
set firewall ipv6 forward filter rule 1000 action 'accept'
set firewall ipv6 forward filter rule 1000 description 'Allow outbound from LAN'
set firewall ipv6 forward filter rule 1000 inbound-interface group 'LANv6'
```
IPv6 Output Filter: allow all (we trust our router).
```
set firewall ipv6 output filter default-action 'accept'
```
## Cloudflared Container
Set up a container to run cloudflared, providing a Cloudflare Tunnel into the network to expose some internal LAN services without port forwarding or opening firewall rules.
```
set container name cloudflared allow-host-networks
set container name cloudflared command 'tunnel --no-autoupdate run'
set container name cloudflared description 'Cloudflared container for shasta tunnel'
set container name cloudflared environment TUNNEL_TOKEN value '<TUNNEL TOKEN HERE>'
set container name cloudflared image 'cloudflare/cloudflared:latest'
set container name cloudflared restart 'on-failure'
```
## Tailscale Container
This sets up a container to run Tailscale on the router. This works, but it needs additional firewall rules to handle the address space that Tailnet devices use, so that their packets can be forwarded out to the WAN as well as to local LAN devices.
The container advertises itself as an exit node and advertises subnet routes for specific LAN interfaces.
```
set container name tailscale allow-host-networks
set container name tailscale capability 'net-admin'
set container name tailscale capability 'net-raw'
set container name tailscale device tun destination '/dev/net/tun'
set container name tailscale device tun source '/dev/net/tun'
set container name tailscale environment TS_AUTHKEY value '<TAILSCALE AUTH KEY HERE>'
set container name tailscale environment TS_EXTRA_ARGS value '--advertise-exit-node'
set container name tailscale environment TS_HOSTNAME value 'shasta'
set container name tailscale environment TS_ROUTES value '10.95.10.0/24,10.95.20.0/24'
set container name tailscale environment TS_STATE_DIR value '/var/lib/tailscale'
set container name tailscale environment TS_USERSPACE value 'false'
set container name tailscale image 'tailscale/tailscale:latest'
set container name tailscale restart 'on-failure'
set container name tailscale volume modules destination '/lib/modules'
set container name tailscale volume modules source '/lib/modules'
set container name tailscale volume state destination '/var/lib/tailscale'
set container name tailscale volume state source '/config/tailscale/state'
```