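--- a/howto/vyos.md
+++ b/howto/vyos.md
@@ -92,8 +92,156 @@ set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-
 set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA
 ```
 
-####Coming Soon
- - Recommended firewall configuration.
+###Example Firewall
+In this example our VyOS router has one upstream uplink on **eth0**, and two tunnels/peers on **wg1** and **wg2**.
+
+####Interfaces
+````
+ ethernet eth0 {
+ address 192.168.1.2/30
+ description "Upstream/ISP"
+ firewall {
+ out {
+ name To_Internal_Network
+ }
+ }
+ hw-id 00:00:00:00:00:00
+ }
+ wireguard wg1 {
+ address 172.x.x.x/32
+ description "Tunnel 1"
+ firewall {
+ in {
+ name Tunnels_Inbound
+ }
+ local {
+ name Peer_Local_Connections
+ }
+ }
+ peer us-east01 {
+ address x.x.x.x
+ allowed-ips 0.0.0.0/0
+ port 1100
+ pubkey ***
+ }
+ port 1101
+ }
+ wireguard wg99 {
+ address 172.x.x.x/32
+ description "Tunnel 2"
+ firewall {
+ in {
+ name Tunnels_Inbound
+ }
+ local {
+ name Peer_Local_Connections
+ }
+ }
+ peer us-east02 {
+ address x.x.x.x
+ allowed-ips 0.0.0.0/0
+ port 1102
+ pubkey ***
+ }
+ port 1103
+ }
+````
+####Firewall Rules
+````
+
+ group {
+ network-group Allowed-Transit {
+ network 10.0.0.0/8
+ network 172.20.0.0/14
+ }
+ }
+ name Peer_Local_Connections {
+ default-action drop
+ rule 1 {
+ action accept
+ description "Enable Stateful"
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 10 {
+ action accept
+ description "Allow BGP"
+ destination {
+ port 179
+ }
+ protocol tcp
+ source {
+ address x.x.x.x **Peer 1 IP
+ }
+ }
+ rule 11 {
+ action accept
+ description "Allow BGP"
+ destination {
+ port 179
+ }
+ protocol tcp
+ source {
+ address x.x.x.x **Peer 2 IP
+ }
+ }
+ rule 98 {
+ action drop
+ description "Black Hole"
+ log enable
+ source {
+ address 0.0.0.0/0
+ }
+ }
+ rule 99 {
+ action drop
+ description "Black Hole"
+ log enable
+ state {
+ invalid enable
+ }
+ }
+ }
+ name Tunnels_Inbound {
+ default-action drop
+ rule 1 {
+ action accept
+ description "Enable Stateful"
+ state {
+ established enable
+ related enable
+ }
+ }
+ rule 50 {
+ action accept
+ description "Allow Peer Transit (DN42 Only)"
+ destination {
+ group {
+ network-group Allowed-Transit
+ }
+ }
+ log enable
+ source {
+ group {
+ network-group Allowed-Transit
+ }
+ }
+ }
+ rule 99 {
+ action drop
+ description "Black Hole"
+ log enable
+ source {
+ address 0.0.0.0/0
+ }
+ }
+ }
+````
+
+
+
 
 This page is a work in progress from Owens Research. Feel free to contact for suggestions or questions.
 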
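Review bot: In `Peer_Local_Connections`, rule 98 drops everything matching `source address 0.0.0.0/0`, so rule 99 (`state invalid enable`) beneath it can never match, and rule 98 itself only duplicates `default-action drop` apart from its log line; either remove rule 98 or renumber the invalid-state rule ahead of it. The `eth0` block references `firewall out name To_Internal_Network`, but no ruleset of that name appears under "Firewall Rules", so the example is not self-contained (VyOS is expected to reject the undefined reference at commit time — worth confirming), and `eth0` carries no `in` or `local` ruleset at all, so as written the router's own services on the upstream side are left unfiltered by this example. The introduction names the tunnels `wg1` and `wg2` while the interface listing defines `wg1` and `wg99`; one of the two should be corrected. Finally, `log enable` on the accepting rule 50 in `Tunnels_Inbound` logs every permitted transit packet, which is noisy on a busy peer; a comment such as `# logging on accept is for initial validation only — disable once peering is confirmed` would set expectations for readers copying the config.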