VyOS是Vyatta系统的社区fork版本,只能说是相当牛逼的开源路由系统。Vyatta是博通的企业级的产品,企业路由的所有功能基本都支持,还支持虚拟机。
基本配置第一部分
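# Install the system to disk (partition, copy files, configure GRUB), then reboot into it
install image
reboot
#========
# Inventory the NICs before assigning roles
show interfaces
# Planned assignment: eth0 = WAN line 1, eth1 = wired LAN, eth2 = wireless LAN, eth3 = WAN line 2
# (eth3 / the second WAN line is planned here but not configured in this part)
# Assumed WAN     ip/mask 10.10.0.3/29  gw 10.10.0.2
# Assumed LAN     ip/mask 192.168.0.1/24
# Assumed WIFI    ip/mask 172.28.0.1/24
# Assumed WAN(2)  ip/mask 10.11.0.1/29  gw 10.11.0.2
# Enter configuration mode
configure
# Configure the LAN NIC first, then connect over SSH and paste the rest (or load a config file)
#---- eth1 (wired LAN) ----
set interfaces ethernet eth1 description "LAN interface"
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces ethernet eth1 smp_affinity auto
set interfaces ethernet eth1 mtu 1500
set interfaces ethernet eth1 address 192.168.0.1/24
# Enable SSH management. As written the daemon listens on every interface, including the
# WAN address configured below. To keep management on the LAN only and avoid password
# guessing from the internet, add:
#   set service ssh listen-address 192.168.0.1
#   set service ssh disable-password-authentication
# (the original used typographic quotes ‘22‘, which the CLI does not treat as quoting)
set service ssh port '22'
# Loopback interface
set interfaces loopback lo description "LOCAL-NET"
#---- eth0 (WAN) ----
set interfaces ethernet eth0 description "WAN interface"
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 smp_affinity auto
set interfaces ethernet eth0 mtu 1500
# Fixed: the original assigned the WAN address to eth1 (which already holds 192.168.0.1/24)
set interfaces ethernet eth0 address 10.10.0.3/29
# Default gateway
set system gateway-address 10.10.0.2
# Pin the upstream gateway's MAC with a static ARP entry so a spoofed ARP reply on the
# WAN segment cannot redirect outbound traffic (MAC is the page's example value)
set protocols static arp 10.10.0.2 hwaddr 00:16:4d:40:2e:02
#---- system ----
set system host-name VyOS-R1
set system domain-name r1.domain.com
# PASSWORD is a placeholder: encrypted-password expects the password hash, never the plaintext
set system login user vyos level 'admin'
set system login user vyos authentication encrypted-password PASSWORD
set system time-zone Asia/Shanghai
set system ntp server "time.asia.apple.com"
# Login banners: pre-login is written to /etc/issue, post-login to /etc/motd
# (typo fixed in the original text: "NIS PROHIBITED" -> "IS PROHIBITED")
set system login banner pre-login "\n\tUNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED!\n"
set system login banner post-login "\n\tWelcome to Vyatta!\n"
#---- DNS forwarder ----
# Listens on the LAN and WIFI interfaces only, so the WAN side is not exposed as an open resolver
set service dns forwarding cache-size '0'
set service dns forwarding listen-on 'eth1'
set service dns forwarding listen-on 'eth2'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'
#---- LAN DHCP ----
set service dhcp-server disabled 'false'
set service dhcp-server shared-network-name LAN description "LAN DHCP"
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router 192.168.0.1
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 start 192.168.0.60 stop 192.168.0.254
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server 192.168.0.1
# Static IP/MAC bindings for fixed devices: a DHCP reservation plus a static ARP entry,
# so the address is both handed out to and only answered for that MAC
set protocols static arp 192.168.0.60 hwaddr 00:01:02:03:04:05
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping USER1 ip-address 192.168.0.60
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping USER1 mac-address 00:01:02:03:04:05
set protocols static arp 192.168.0.61 hwaddr 00:01:02:03:04:06
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping USER2 ip-address 192.168.0.61
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 static-mapping USER2 mac-address 00:01:02:03:04:06
# ... further LAN static mappings in the same pattern ...
#---- WIFI DHCP ----
set service dhcp-server shared-network-name WIFI description "WIFI DHCP"
set service dhcp-server shared-network-name WIFI subnet 172.28.0.0/24 default-router 172.28.0.1
set service dhcp-server shared-network-name WIFI subnet 172.28.0.0/24 start 172.28.0.60 stop 172.28.0.254
set service dhcp-server shared-network-name WIFI subnet 172.28.0.0/24 lease '86400'
set service dhcp-server shared-network-name WIFI subnet 172.28.0.0/24 dns-server 172.28.0.1
# Static IP/MAC bindings for mobile devices
set protocols static arp 172.28.0.60 hwaddr 0a:0b:0c:0d:0e:0f
# Fixed: the original placed the 172.28.0.0/24 mappings under shared-network LAN instead of WIFI
set service dhcp-server shared-network-name WIFI subnet 172.28.0.0/24 static-mapping PHONE1 ip-address 172.28.0.60
set service dhcp-server shared-network-name WIFI subnet 172.28.0.0/24 static-mapping PHONE1 mac-address 0a:0b:0c:0d:0e:0f
# ... further WIFI static mappings in the same pattern ...
# Source NAT so the internal networks reach the internet through eth0
# Rule numbering: fixed devices 1000-1999; mobile devices 2000-2999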
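#---- Source NAT: one masquerade rule per known host, out of eth0 ----
# Only hosts listed here get source NAT; an unlisted device has no translated path to the
# internet, so this list effectively doubles as an outbound allow-list.
set nat source rule 1001 description "USER1 SNAT"
set nat source rule 1001 source address 192.168.0.60
set nat source rule 1001 outbound-interface eth0
set nat source rule 1001 translation address masquerade
set nat source rule 1002 description "USER2 SNAT"
set nat source rule 1002 source address 192.168.0.61
set nat source rule 1002 outbound-interface eth0
set nat source rule 1002 translation address masquerade
# ... further fixed-device rules 1003-1999 ...
set nat source rule 2001 description "PHONE1 SNAT"
set nat source rule 2001 source address 172.28.0.60
set nat source rule 2001 outbound-interface eth0
set nat source rule 2001 translation address masquerade
# ... further mobile-device rules 2002-2999 ...
#---- Destination NAT (port forwarding) ----
# Rule numbers 100-999 are available, five per published service:
#   100-104: web1, 10.10.0.3(eth0):80   -> 192.168.0.50:80
#   105-109: web2, 10.10.0.3(eth0):8080 -> 192.168.0.51:80
#   110-114: ftp,  10.10.0.3(eth0):21   -> 192.168.0.53:21
# Per service: one DNAT rule per inbound interface (eth0 for the internet, eth1 and eth2 for
# hairpin access from inside), plus hairpin source NAT on eth1 so the server's replies go
# back through the router instead of directly to a client on its own subnet.
# "source address 0.0.0.0/0" means any source; nothing in this section filters the forwarded
# ports, so the firewall in part 2 is what limits who can reach these services.
#==================================
set nat destination rule 100 description "WEB SERVER1"
set nat destination rule 100 inbound-interface eth0
set nat destination rule 100 destination address 10.10.0.3
set nat destination rule 100 protocol tcp
set nat destination rule 100 source address 0.0.0.0/0
set nat destination rule 100 destination port 80
set nat destination rule 100 translation address 192.168.0.50
set nat destination rule 100 translation port 80
# Hairpin from the wired LAN
set nat destination rule 101 description "WEB SERVER1"
set nat destination rule 101 inbound-interface eth1
set nat destination rule 101 destination address 10.10.0.3
set nat destination rule 101 protocol tcp
set nat destination rule 101 source address 0.0.0.0/0
set nat destination rule 101 destination port 80
set nat destination rule 101 translation address 192.168.0.50
set nat destination rule 101 translation port 80
# Hairpin from the wireless LAN. Added: the original had no DNAT rule for eth2, so WIFI
# clients connecting to 10.10.0.3:80 reached the router itself rather than the server.
set nat destination rule 102 description "WEB SERVER1"
set nat destination rule 102 inbound-interface eth2
set nat destination rule 102 destination address 10.10.0.3
set nat destination rule 102 protocol tcp
set nat destination rule 102 source address 0.0.0.0/0
set nat destination rule 102 destination port 80
set nat destination rule 102 translation address 192.168.0.50
set nat destination rule 102 translation port 80
# Hairpin source NAT (NAT loopback)
set nat source rule 100 description "WEB SERVER1"
set nat source rule 100 outbound-interface eth1
set nat source rule 100 destination address 192.168.0.50
set nat source rule 100 protocol tcp
set nat source rule 100 source address 192.168.0.0/24
set nat source rule 100 destination port 80
set nat source rule 100 translation address masquerade
# Fixed: the original used outbound-interface eth2, which never matches traffic routed to
# 192.168.0.50 (that subnet lives on eth1). With eth1 this also masquerades direct WIFI
# access to the server, so the server sees 192.168.0.1 instead of the client address.
set nat source rule 101 description "WEB SERVER1"
set nat source rule 101 outbound-interface eth1
set nat source rule 101 destination address 192.168.0.50
set nat source rule 101 protocol tcp
set nat source rule 101 source address 172.28.0.0/24
set nat source rule 101 destination port 80
set nat source rule 101 translation address masquerade
#==================================
set nat destination rule 105 description "WEB SERVER2"
set nat destination rule 105 inbound-interface eth0
set nat destination rule 105 destination address 10.10.0.3
set nat destination rule 105 protocol tcp
set nat destination rule 105 source address 0.0.0.0/0
set nat destination rule 105 destination port 8080
set nat destination rule 105 translation address 192.168.0.51
set nat destination rule 105 translation port 80
# Hairpin from the wired LAN
set nat destination rule 106 description "WEB SERVER2"
set nat destination rule 106 inbound-interface eth1
set nat destination rule 106 destination address 10.10.0.3
set nat destination rule 106 protocol tcp
set nat destination rule 106 source address 0.0.0.0/0
set nat destination rule 106 destination port 8080
set nat destination rule 106 translation address 192.168.0.51
set nat destination rule 106 translation port 80
# Hairpin from the wireless LAN (added, see rule 102)
set nat destination rule 107 description "WEB SERVER2"
set nat destination rule 107 inbound-interface eth2
set nat destination rule 107 destination address 10.10.0.3
set nat destination rule 107 protocol tcp
set nat destination rule 107 source address 0.0.0.0/0
set nat destination rule 107 destination port 8080
set nat destination rule 107 translation address 192.168.0.51
set nat destination rule 107 translation port 80
# Hairpin source NAT (NAT loopback)
set nat source rule 105 description "WEB SERVER2"
set nat source rule 105 outbound-interface eth1
set nat source rule 105 destination address 192.168.0.51
set nat source rule 105 protocol tcp
set nat source rule 105 source address 192.168.0.0/24
set nat source rule 105 destination port 80
set nat source rule 105 translation address masquerade
# Fixed: outbound-interface eth2 -> eth1 (see rule 101)
set nat source rule 106 description "WEB SERVER2"
set nat source rule 106 outbound-interface eth1
set nat source rule 106 destination address 192.168.0.51
set nat source rule 106 protocol tcp
set nat source rule 106 source address 172.28.0.0/24
set nat source rule 106 destination port 80
set nat source rule 106 translation address masquerade
#==================================
# Only the FTP control channel (21) is forwarded; passive-mode data connections rely on the
# FTP connection-tracking helper being active on this VyOS version — verify before relying
# on it. FTP also carries credentials in cleartext; SFTP over the existing SSH service
# avoids both problems.
set nat destination rule 110 description "FTP SERVER"
set nat destination rule 110 inbound-interface eth0
set nat destination rule 110 destination address 10.10.0.3
set nat destination rule 110 protocol tcp
set nat destination rule 110 source address 0.0.0.0/0
set nat destination rule 110 destination port 21
set nat destination rule 110 translation address 192.168.0.53
set nat destination rule 110 translation port 21
# Hairpin from the wired LAN
set nat destination rule 111 description "FTP SERVER"
set nat destination rule 111 inbound-interface eth1
set nat destination rule 111 destination address 10.10.0.3
set nat destination rule 111 protocol tcp
set nat destination rule 111 source address 0.0.0.0/0
set nat destination rule 111 destination port 21
set nat destination rule 111 translation address 192.168.0.53
set nat destination rule 111 translation port 21
# Hairpin from the wireless LAN (added, see rule 102)
set nat destination rule 112 description "FTP SERVER"
set nat destination rule 112 inbound-interface eth2
set nat destination rule 112 destination address 10.10.0.3
set nat destination rule 112 protocol tcp
set nat destination rule 112 source address 0.0.0.0/0
set nat destination rule 112 destination port 21
set nat destination rule 112 translation address 192.168.0.53
set nat destination rule 112 translation port 21
# Hairpin source NAT (NAT loopback)
set nat source rule 110 description "FTP SERVER"
set nat source rule 110 outbound-interface eth1
set nat source rule 110 destination address 192.168.0.53
set nat source rule 110 protocol tcp
set nat source rule 110 source address 192.168.0.0/24
set nat source rule 110 destination port 21
set nat source rule 110 translation address masquerade
# Fixed: outbound-interface eth2 -> eth1 (see rule 101)
set nat source rule 111 description "FTP SERVER"
set nat source rule 111 outbound-interface eth1
set nat source rule 111 destination address 192.168.0.53
set nat source rule 111 protocol tcp
set nat source rule 111 source address 172.28.0.0/24
set nat source rule 111 destination port 21
set nat source rule 111 translation address masquerade
# ... further published services in blocks of five rule numbers ...
# Firewall configuration follows in part 2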
原文地址:http://caidui.blog.51cto.com/8574756/1660762