VyOS sites Paris, Lyon, Marseille

Introduction

VyOS is an open-source routing and firewall platform that offers a wide range of network management features.

VyOS is particularly valued for its flexibility, its customisation capabilities and its cost compared with proprietary solutions. On the sites we will use:

  • Static routing: manual configuration of routes to control the path taken by network traffic. This is useful for simple networks or for specific paths that do not change often.

  • NAT (Network Address Translation): masking of internal IP addresses for Internet access and management of network communications.

  • VRRP (Virtual Router Redundancy Protocol): lets several routers share the same virtual IP address for the default gateway, providing redundancy if one router fails.

  • DHCP high availability: active-passive configuration of the DHCP service, guaranteeing that clients keep receiving IP addresses even if one DHCP server fails.

VyOS 1

Configuration

By default the keyboard layout is QWERTY. To change it, run this command:

sudo loadkeys fr

First, we put our VyOS in DHCP mode so that it obtains an IP address:

conf
set interfaces ethernet eth0 address dhcp
commit
save
exit

To check the interface configuration:

sh int

We also enable the SSH service so that commands can be copy-pasted:

conf
set service ssh port 22
commit
save
exit

We now add our configuration:

vi config-vyos-1-lyon.sh
#!/bin/vbash

source /opt/vyatta/etc/functions/script-template

configure
# System identity, DNS resolver and default route towards the WAN gateway
set system host-name RFW-VYOS-LYON-1
set system name-server 192.168.245.2
set protocols static route 0.0.0.0/0 next-hop 192.168.245.2
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'WAN'

# Source NAT: internal traffic leaves eth0 with this router's own WAN-side address
set nat source rule 20 outbound-interface name eth0
set nat source rule 20 translation address 192.168.245.165

# LAN interfaces: .253 is this router's real address, .254 is the VRRP virtual address
set interfaces ethernet eth1 address 10.0.9.253/23
set interfaces ethernet eth1 description 'VPRODUCTIONL'
set interfaces ethernet eth2 address 10.0.11.253/23
set interfaces ethernet eth2 description 'VSERVERL'
set interfaces ethernet eth3 address 10.0.13.253/23
set interfaces ethernet eth3 description 'LMGMTL'

set service ssh port '22'

# DHCP scopes: the default-router handed out is the VRRP virtual address, not this router's own
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 option default-router '10.0.13.254'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 option name-server '10.0.10.1'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 option ntp-server '10.0.20.17'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 option domain-name 'innovalia.xyz'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 lease '86400'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 range 0 start '10.0.12.40'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 range 0 stop '10.0.13.200'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 subnet-id '160'

set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 option default-router '10.0.11.254'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 option name-server '10.0.10.1'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 option ntp-server '10.0.20.17'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 option domain-name 'innovalia.xyz'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 lease '86400'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 range 0 start '10.0.10.40'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 range 0 stop '10.0.11.200'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 subnet-id '150'

set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 option default-router '10.0.9.254'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 option name-server '10.0.10.1'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 option ntp-server '10.0.20.17'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 option domain-name 'innovalia.xyz'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 lease '86400'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 range 0 start '10.0.8.40'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 range 0 stop '10.0.9.200'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 subnet-id '140'

# DHCP failover over the management LAN: this router is the primary peer, 10.0.13.252 the secondary
set service dhcp-server high-availability mode active-passive
set service dhcp-server high-availability source-address 10.0.13.253
set service dhcp-server high-availability remote 10.0.13.252
set service dhcp-server high-availability name HADHCP
set service dhcp-server high-availability status primary

# VRRP: one group per LAN. Both routers use priority 150, so the tie is broken by the
# higher interface address (.253 here); preempt-delay 60 delays preemption by 60 s after start-up
set high-availability vrrp group VLAN140 address 10.0.9.254/23 interface eth1
set high-availability vrrp group VLAN140 interface eth1
set high-availability vrrp group VLAN140 priority 150
set high-availability vrrp group VLAN140 track interface eth1
set high-availability vrrp group VLAN140 vrid 140
set high-availability vrrp group VLAN140 preempt-delay 60

set high-availability vrrp group VLAN150 address 10.0.11.254/23 interface eth2
set high-availability vrrp group VLAN150 interface eth2
set high-availability vrrp group VLAN150 priority 150
set high-availability vrrp group VLAN150 track interface eth2
set high-availability vrrp group VLAN150 vrid 150
set high-availability vrrp group VLAN150 preempt-delay 60

set high-availability vrrp group VLAN160 address 10.0.13.254/23 interface eth3
set high-availability vrrp group VLAN160 interface eth3
set high-availability vrrp group VLAN160 priority 150
set high-availability vrrp group VLAN160 track interface eth3
set high-availability vrrp group VLAN160 vrid 160
set high-availability vrrp group VLAN160 preempt-delay 60

# Sync group: the three VIPs fail over together, so a client never ends up with a gateway on the other router
set high-availability vrrp sync-group MAIN member VLAN140
set high-availability vrrp sync-group MAIN member VLAN150
set high-availability vrrp sync-group MAIN member VLAN160

commit
save
exit

We make our file executable:

chmod +x config-vyos-1-lyon.sh

Then we apply our configuration:

sg vyattacfg -c ./config-vyos-1-lyon.sh

We can use the sh int command (short for show interfaces) to check that our configuration has been applied correctly:

sh int

Adding to Netbird

We add our VyOS to Netbird to manage access to the rest of the network:

curl -fsSL https://pkgs.netbird.io/install.sh | bash && netbird up -m https://netbird.innovalia.xyz/ -k 7282BFB4-6D53-4C67-ADAD-86D0C0AD04F4

VyOS 2

Configuration

We carry out the same configuration as for our first VyOS, except for the configuration file:

vi config-vyos-2-lyon.sh
#!/bin/vbash

source /opt/vyatta/etc/functions/script-template

configure
# System identity, DNS resolver and default route towards the WAN gateway
set system host-name RFW-VYOS-LYON-2
set system name-server 192.168.245.2
set protocols static route 0.0.0.0/0 next-hop 192.168.245.2
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'WAN'

# Source NAT: internal traffic leaves eth0 with this router's own WAN-side address
set nat source rule 20 outbound-interface name eth0
set nat source rule 20 translation address 192.168.245.166

# LAN interfaces: .252 is this router's real address, .254 is the VRRP virtual address
set interfaces ethernet eth1 address 10.0.9.252/23
set interfaces ethernet eth1 description 'VPRODUCTIONL'
set interfaces ethernet eth2 address 10.0.11.252/23
set interfaces ethernet eth2 description 'VSERVERL'
set interfaces ethernet eth3 address 10.0.13.252/23
set interfaces ethernet eth3 description 'LMGMTL'

set service ssh port '22'

# DHCP scopes: identical to VyOS 1, the default-router handed out is the VRRP virtual address
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 option default-router '10.0.13.254'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 option name-server '10.0.10.1'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 option ntp-server '10.0.20.17'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 option domain-name 'innovalia.xyz'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 lease '86400'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 range 0 start '10.0.12.40'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 range 0 stop '10.0.13.200'
set service dhcp-server shared-network-name LMGMTL subnet 10.0.12.0/23 subnet-id '160'

set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 option default-router '10.0.11.254'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 option name-server '10.0.10.1'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 option ntp-server '10.0.20.17'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 option domain-name 'innovalia.xyz'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 lease '86400'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 range 0 start '10.0.10.40'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 range 0 stop '10.0.11.200'
set service dhcp-server shared-network-name VSERVERL subnet 10.0.10.0/23 subnet-id '150'

set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 option default-router '10.0.9.254'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 option name-server '10.0.10.1'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 option ntp-server '10.0.20.17'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 option domain-name 'innovalia.xyz'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 lease '86400'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 range 0 start '10.0.8.40'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 range 0 stop '10.0.9.200'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 subnet-id '140'

# DHCP failover over the management LAN: this router is the secondary peer, 10.0.13.253 the primary
set service dhcp-server high-availability mode active-passive
set service dhcp-server high-availability source-address 10.0.13.252
set service dhcp-server high-availability remote 10.0.13.253
set service dhcp-server high-availability name HADHCP
set service dhcp-server high-availability status secondary

# VRRP: same groups, VIPs and vrids as VyOS 1 so that both routers take part in the same election
set high-availability vrrp group VLAN140 address 10.0.9.254/23 interface eth1
set high-availability vrrp group VLAN140 interface eth1
set high-availability vrrp group VLAN140 priority 150
set high-availability vrrp group VLAN140 track interface eth1
set high-availability vrrp group VLAN140 vrid 140
set high-availability vrrp group VLAN140 preempt-delay 60

set high-availability vrrp group VLAN150 address 10.0.11.254/23 interface eth2
set high-availability vrrp group VLAN150 interface eth2
set high-availability vrrp group VLAN150 priority 150
set high-availability vrrp group VLAN150 track interface eth2
set high-availability vrrp group VLAN150 vrid 150
set high-availability vrrp group VLAN150 preempt-delay 60

set high-availability vrrp group VLAN160 address 10.0.13.254/23 interface eth3
set high-availability vrrp group VLAN160 interface eth3
set high-availability vrrp group VLAN160 priority 150
set high-availability vrrp group VLAN160 track interface eth3
set high-availability vrrp group VLAN160 vrid 160
set high-availability vrrp group VLAN160 preempt-delay 60

# Sync group: the three VIPs fail over together
set high-availability vrrp sync-group MAIN member VLAN140
set high-availability vrrp sync-group MAIN member VLAN150
set high-availability vrrp sync-group MAIN member VLAN160

commit
save
exit

We make our file executable:

chmod +x config-vyos-2-lyon.sh

Then we apply our configuration:

sg vyattacfg -c ./config-vyos-2-lyon.sh

We can use the sh int command (short for show interfaces) to check that our configuration has been applied correctly:

sh int
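The two scripts must agree on three things that are easy to break when one file is copied into the other: every VRRP virtual IP must be the DHCP default-router of a subnet, the VRRP vrid must equal that subnet's subnet-id, and the DHCP-HA source-address/remote pair must be mirrored with exactly one primary. The bash script below is an added example, not part of the original runbook: it checks those invariants on constructed excerpts of both files, and the function names and the reduced excerpts are assumptions.

```shell
#!/bin/bash
# Added consistency check for the Lyon VyOS pair (not part of the original runbook).
# It reads the "set" lines of both config scripts and verifies the invariants the design
# relies on: every VRRP virtual IP is a DHCP default-router, the VRRP vrid equals that
# subnet's subnet-id, and the DHCP-HA peers mirror each other with one primary.
# Constructed excerpts of the two scripts, reduced to the lines the checks use.
VYOS1_CFG=$(cat <<'EOF'
set interfaces ethernet eth1 address 10.0.9.253/23
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 option default-router '10.0.9.254'
set service dhcp-server shared-network-name VPRODUCTIONL subnet 10.0.8.0/23 subnet-id '140'
set service dhcp-server high-availability source-address 10.0.13.253
set service dhcp-server high-availability remote 10.0.13.252
set service dhcp-server high-availability status primary
set high-availability vrrp group VLAN140 address 10.0.9.254/23 interface eth1
set high-availability vrrp group VLAN140 vrid 140
EOF
)
# Router 2 differs only in its own address, the HA peer addresses and the HA role.
VYOS2_CFG=$(printf '%s\n' "$VYOS1_CFG" | sed -e 's/10\.0\.9\.253/10.0.9.252/' \
  -e 's/source-address 10\.0\.13\.253/source-address 10.0.13.252/' \
  -e 's/remote 10\.0\.13\.252/remote 10.0.13.253/' -e 's/status primary/status secondary/')
# Deliberately broken copy: the vrid no longer matches the subnet-id.
BAD_CFG=$(printf '%s\n' "$VYOS1_CFG" | sed 's/vrid 140/vrid 150/')
# Last field of every line containing the key, with quotes stripped.
cfg_values() { printf '%s\n' "$1" | grep -F -- "$2" | awk '{print $NF}' | tr -d "'"; }
# Each VRRP VIP must be a DHCP default-router, and its vrid must equal that subnet's subnet-id.
check_vrrp_dhcp() {
  cfg=$1
  printf '%s\n' "$cfg" | grep -F 'vrrp group' | grep -F ' address ' |
  while read -r _s _h _v _g grp _a vip _rest; do
    vip=${vip%/*}
    vrid=$(cfg_values "$cfg" "vrrp group $grp vrid")
    subnet=$(printf '%s\n' "$cfg" | grep -F "default-router '$vip'" | awk '{print $7}')
    [ -n "$subnet" ] || { echo "$grp: VIP $vip is not a DHCP default-router"; return 1; }
    sid=$(cfg_values "$cfg" "subnet $subnet subnet-id")
    [ "$vrid" = "$sid" ] || { echo "$grp: vrid $vrid != subnet-id $sid of $subnet"; return 1; }
  done
}
# DHCP-HA: each router's source-address is the other's remote, and exactly one is primary.
check_ha_peers() {
  s1=$(cfg_values "$1" 'high-availability source-address'); r1=$(cfg_values "$1" 'high-availability remote')
  s2=$(cfg_values "$2" 'high-availability source-address'); r2=$(cfg_values "$2" 'high-availability remote')
  st=$(cfg_values "$1" 'high-availability status')-$(cfg_values "$2" 'high-availability status')
  [ "$s1" = "$r2" ] && [ "$s2" = "$r1" ] && [ "$s1" != "$s2" ] &&
    { [ "$st" = primary-secondary ] || [ "$st" = secondary-primary ]; }
}

check_vrrp_dhcp "$VYOS1_CFG" && check_vrrp_dhcp "$VYOS2_CFG" &&
  check_ha_peers "$VYOS1_CFG" "$VYOS2_CFG" && echo "Lyon pair: VRRP and DHCP-HA are consistent"
```

To run it against the real files, replace the constructed excerpts with `$(cat config-vyos-1-lyon.sh)` and `$(cat config-vyos-2-lyon.sh)`.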

Adding to Netbird

We add our VyOS to Netbird to manage access to the rest of the network:

curl -fsSL https://pkgs.netbird.io/install.sh | bash && netbird up -m https://netbird.innovalia.xyz/ -k 7282BFB4-6D53-4C67-ADAD-86D0C0AD04F4