
Router Configuration


As I’ve mentioned before, I’m using VyOS for my router. If you’re not familiar with VyOS, go check it out. Its community version is open source, extremely flexible, command line only, has a great community, reasonably good documentation, and people have strong opinions about it… both good and bad. What’s not to love? Is it the greatest thing since sliced bread? No, but I’m familiar with it and that is important to me.

Installing VyOS is similar to installing any number of Linux ISOs; follow the instructions here. I’m using Stream 2025.11. By the time you read this I’m sure there will be updated versions of Stream, and there are always the nightly builds if that’s how you roll. The install is done locally with an attached monitor and keyboard, and since I don’t have a permanent video out I replaced the network card with a GPU for the install and then put the network card back in when done. The setup I’m showing is not all inclusive, nor is this the only way to set VyOS up. 1

For me, the first thing to do after the install is to configure the management interface so that I can remove the attached video card and install the network card. To keep the interface names from moving around between reboots we need to pin each interface to a MAC address. So start with

ip a

And copy down the MAC addresses for the motherboard interfaces. Then enter configuration mode, set the host name, add a user, and delete the default admin account: 2

configure
set system host-name 'vyos'
commit; save

set system login user mark authentication plaintext-password <<< TEMP PASSWORD >>>
commit; save

Log out and back in with the new user.

delete system login user vyos

We’ll delete password-based access after we set up the interfaces and SSH.

I’m setting up the onboard 1GbE port to use as a console port and I want it to be eth0; this is where the MAC address association (hw-id) comes in. 3

set interfaces ethernet eth0 address '192.168.2.1/24'
set interfaces ethernet eth0 description 'Console'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:xx'
set interfaces ethernet eth0 mtu '1500'

commit-confirm 10

At this point I connected to the Eth0 console port and SSH’d into VyOS, and once I verified that I could still communicate:

confirm
save

Time to power down the router, remove the GPU, install the network card and power it back up. And again, once logged in:

ip a

Note the MAC Addresses for the network card.

If you need to, refer back to the previous post for how I’m configuring my network. This is how to set up the rest of the interfaces:

set interfaces ethernet eth1 description 'Not Used'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:xx'      # This is the motherboard 2.5GbE port

set interfaces ethernet eth2 description 'To Switch'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:xx'      # Port 1 on the network card

set interfaces ethernet eth2 vif 10 address '10.1.10.1/24'
set interfaces ethernet eth2 vif 10 description 'LAN'
set interfaces ethernet eth2 vif 10 mtu '9000'

set interfaces ethernet eth2 vif 20 address '10.1.20.1/24'
set interfaces ethernet eth2 vif 20 description 'Media'
set interfaces ethernet eth2 vif 20 mtu '1500'

set interfaces ethernet eth2 vif 30 address '10.1.30.1/24'
set interfaces ethernet eth2 vif 30 description 'Guest'
set interfaces ethernet eth2 vif 30 mtu '1500'

set interfaces ethernet eth2 vif 40 address '10.1.40.1/24'
set interfaces ethernet eth2 vif 40 description 'Management'
set interfaces ethernet eth2 vif 40 mtu '1500'

set interfaces ethernet eth2 vif 50 address '10.1.50.1/24'
set interfaces ethernet eth2 vif 50 description 'Cameras'
set interfaces ethernet eth2 vif 50 mtu '1500'

set interfaces ethernet eth2 vif 100 address '192.168.1.1/24'
set interfaces ethernet eth2 vif 100 description 'External'
set interfaces ethernet eth2 vif 100 mtu '9000'

set interfaces ethernet eth3 address 'dhcp'
set interfaces ethernet eth3 description 'WAN'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:xx'      # Port 0 on the network card
set interfaces ethernet eth3 mtu '9000'

set interfaces loopback lo

Next let’s set up SSH with public-key-only access, listening on two addresses: the console port on eth0 and the Management zone, which will be on VLAN 40. 4

set service ssh access-control allow user 'mark'
set service ssh disable-password-authentication
set service ssh listen-address '192.168.2.1'
set service ssh listen-address '10.1.40.1'
set service ssh port '22'

set system login user mark authentication public-keys mark@waywardlabs.com key '< < < MY KEY HERE > > >'
set system login user mark authentication public-keys mark@waywardlabs.com type '< < < ENCRYPTION TYPE > > >'
delete system login user mark authentication plaintext-password
delete system login user mark authentication encrypted-password

commit-confirm 5

Point NTP towards the right servers.

delete service ntp
set service ntp server 0.us.pool.ntp.org
set service ntp server 1.us.pool.ntp.org
set service ntp server 2.us.pool.ntp.org
set service ntp server 3.us.pool.ntp.org

Add a DNS server. For the time being I’m using 1.1.1.1 for everything; once everything is working I’ll switch over to an internal DNS server. One step at a time.

set system name-server '1.1.1.1'

Add in DHCP servers: 5

set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 option default-router '10.1.10.1'
set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 option name-server '1.1.1.1'
set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 range 0 start '10.1.10.50'
set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 range 0 stop '10.1.10.79'
set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 subnet-id '10'

set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 option default-router '10.1.20.1'
set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 option name-server '1.1.1.1'
set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 range 0 start '10.1.20.50'
set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 range 0 stop '10.1.20.79'
set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 subnet-id '20'

set service dhcp-server shared-network-name Guest subnet 10.1.30.0/24 option default-router '10.1.30.1'
set service dhcp-server shared-network-name Guest subnet 10.1.30.0/24 option name-server '1.1.1.1'
set service dhcp-server shared-network-name Guest subnet 10.1.30.0/24 range 0 start '10.1.30.50'
set service dhcp-server shared-network-name Guest subnet 10.1.30.0/24 range 0 stop '10.1.30.79'
set service dhcp-server shared-network-name Guest subnet 10.1.30.0/24 subnet-id '30'

set service dhcp-server shared-network-name Management subnet 10.1.40.0/24 option default-router '10.1.40.1'
set service dhcp-server shared-network-name Management subnet 10.1.40.0/24 option name-server '1.1.1.1'
set service dhcp-server shared-network-name Management subnet 10.1.40.0/24 range 0 start '10.1.40.50'
set service dhcp-server shared-network-name Management subnet 10.1.40.0/24 range 0 stop '10.1.40.79'
set service dhcp-server shared-network-name Management subnet 10.1.40.0/24 subnet-id '40'

Now set up any NAT. 6

set nat destination rule 510 description 'Port Forwarding for Server1'
set nat destination rule 510 destination port '40000-40099'
set nat destination rule 510 inbound-interface name 'eth3'
set nat destination rule 510 protocol 'tcp_udp'
set nat destination rule 510 translation address '192.168.1.10'

set nat destination rule 520 description 'Port Forwarding for Server2'
set nat destination rule 520 destination port '40100-40199'
set nat destination rule 520 inbound-interface name 'eth3'
set nat destination rule 520 protocol 'tcp_udp'
set nat destination rule 520 translation address '192.168.1.11'

set nat destination rule 530 description 'Port Forwarding for Server3'
set nat destination rule 530 destination port '40200-40299'
set nat destination rule 530 inbound-interface name 'eth3'
set nat destination rule 530 protocol 'tcp_udp'
set nat destination rule 530 translation address '192.168.1.12'

set nat source rule 100 description 'NAT source address for all traffic leaving eth3'
set nat source rule 100 outbound-interface name 'eth3'
set nat source rule 100 translation address 'masquerade'
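Before committing the addressing, DHCP and NAT sections above, it helps to cross-check them against each other: every DHCP pool’s default-router should be a router address inside that subnet, the lease range should stay inside the subnet, subnet-ids should be unique, and each port forward should land on a host in a directly connected subnet without overlapping another rule on the same inbound interface. The Python script below is an added example and not part of this post or of VyOS itself. It parses set lines from a constructed excerpt of the configuration above (GOOD_CONFIG) and from a copy with three deliberately introduced mistakes (BAD_CONFIG); both strings are assumed inputs, not the full config.

```python
import ipaddress
import shlex

# Constructed excerpt of the interface, DHCP and NAT lines from this post.
GOOD_CONFIG = """
set interfaces ethernet eth2 vif 10 address '10.1.10.1/24'
set interfaces ethernet eth2 vif 20 address '10.1.20.1/24'
set interfaces ethernet eth2 vif 100 address '192.168.1.1/24'
set interfaces ethernet eth3 address 'dhcp'
set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 option default-router '10.1.10.1'
set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 range 0 start '10.1.10.50'
set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 range 0 stop '10.1.10.79'
set service dhcp-server shared-network-name LAN subnet 10.1.10.0/24 subnet-id '10'
set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 option default-router '10.1.20.1'
set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 range 0 start '10.1.20.50'
set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 range 0 stop '10.1.20.79'
set service dhcp-server shared-network-name Media subnet 10.1.20.0/24 subnet-id '20'
set nat destination rule 510 destination port '40000-40099'
set nat destination rule 510 inbound-interface name 'eth3'
set nat destination rule 510 translation address '192.168.1.10'
set nat destination rule 520 destination port '40100-40199'
set nat destination rule 520 inbound-interface name 'eth3'
set nat destination rule 520 translation address '192.168.1.11'
"""

# Constructed mistakes: a lease range that leaves its subnet, a port range that
# overlaps rule 510, and a forward to an address on no connected subnet.
BAD_CONFIG = (GOOD_CONFIG
              .replace("range 0 stop '10.1.20.79'", "range 0 stop '10.1.21.79'")
              .replace("rule 520 destination port '40100-40199'", "rule 520 destination port '40050-40199'")
              .replace("translation address '192.168.1.11'", "translation address '10.1.11.11'"))


def parse(text):
    """Tokenize 'set ...' lines into path lists; trailing # comments are dropped."""
    return [shlex.split(line.split('#', 1)[0])[1:]
            for line in text.splitlines() if line.strip().startswith('set ')]


def connected(cmds):
    """Statically addressed interfaces as ip_interface objects (DHCP-addressed ones are skipped)."""
    return [ipaddress.ip_interface(c[-1]) for c in cmds
            if c[0] == 'interfaces' and c[-2] == 'address' and c[-1] != 'dhcp']


def check_dhcp(cmds, ifaces):
    """Gateway, lease range and subnet-id sanity for every DHCP subnet."""
    findings, pools, seen_ids = [], {}, {}
    for c in cmds:
        if c[:3] == ['service', 'dhcp-server', 'shared-network-name']:
            pools.setdefault(c[5], {})[' '.join(c[6:-1])] = c[-1]   # subnet -> {option path: value}
    for subnet, opts in pools.items():
        net = ipaddress.ip_network(subnet)
        gw = opts.get('option default-router')
        if not any(str(i.ip) == gw and i.network == net for i in ifaces):
            findings.append(f'{subnet}: default-router {gw} is not a router address inside the subnet')
        start = ipaddress.ip_address(opts['range 0 start'])
        stop = ipaddress.ip_address(opts['range 0 stop'])
        if not (start in net and stop in net and start <= stop):
            findings.append(f'{subnet}: lease range {start}-{stop} is not inside the subnet')
        sid = opts.get('subnet-id')
        if sid in seen_ids:
            findings.append(f'{subnet}: subnet-id {sid} already used by {seen_ids[sid]}')
        seen_ids[sid] = subnet
    return findings


def check_nat(cmds, ifaces):
    """Forward targets must be reachable and port ranges must not collide per inbound interface."""
    findings, rules, seen = [], {}, []
    for c in cmds:
        if c[:3] == ['nat', 'destination', 'rule']:
            rules.setdefault(c[3], {})[' '.join(c[4:-1])] = c[-1]   # rule id -> {option path: value}
    for rid, opts in sorted(rules.items()):
        target = ipaddress.ip_address(opts['translation address'])
        if not any(target in i.network for i in ifaces):
            findings.append(f'rule {rid}: forward target {target} is on no connected subnet')
        lo, _, hi = opts['destination port'].partition('-')
        lo, hi = int(lo), int(hi or lo)
        iface = opts['inbound-interface name']
        for o_iface, o_lo, o_hi, o_rid in seen:
            if iface == o_iface and lo <= o_hi and o_lo <= hi:
                findings.append(f'rule {rid}: ports {lo}-{hi} overlap rule {o_rid} on {iface}')
        seen.append((iface, lo, hi, rid))
    return findings


def audit(text):
    """Return a list of human-readable findings; an empty list means the excerpt is consistent."""
    cmds = parse(text)
    ifaces = connected(cmds)
    return check_dhcp(cmds, ifaces) + check_nat(cmds, ifaces)


if __name__ == '__main__':
    for label, cfg in (('good', GOOD_CONFIG), ('bad', BAD_CONFIG)):
        print(label, audit(cfg) or 'no findings')
```

To run it against a live box, paste the output of "show configuration commands" into the GOOD_CONFIG string or read it from a file; the parser only looks at set lines, so the rest of the config is ignored.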

At this point all the routing is configured. Time to set up the firewall. I’m using a zone-based firewall, so we have to set up the rulesets first and then the zones. Default rules first.

set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy related action 'accept'

set firewall ipv4 name fw_ACCEPT default-action 'accept'

set firewall ipv4 name fw_REJECT rule 10 action 'drop'

set firewall ipv4 name fw_EST_REL rule 10 description 'Established-Related'
set firewall ipv4 name fw_EST_REL rule 10 state 'established'
set firewall ipv4 name fw_EST_REL rule 10 state 'related'
set firewall ipv4 name fw_EST_REL rule 10 action 'accept'
set firewall ipv4 name fw_EST_REL default-action 'drop'

I know… there is a global option for established/related. But I like doing both. It’s more of a bookkeeping method to make sure nothing falls through the cracks. Continuing…

set firewall ipv4 name fw_MGMNT_OUT default-action 'accept'

set firewall ipv4 name fw_LAN_OUT rule 10 description 'Drop Invalid'
set firewall ipv4 name fw_LAN_OUT rule 10 state 'invalid'
set firewall ipv4 name fw_LAN_OUT rule 10 action 'drop'
set firewall ipv4 name fw_LAN_OUT rule 10 log
set firewall ipv4 name fw_LAN_OUT default-action 'accept'

set firewall ipv4 name fw_EXT_OUT rule 10 description 'Drop Invalid'
set firewall ipv4 name fw_EXT_OUT rule 10 state 'invalid'
set firewall ipv4 name fw_EXT_OUT rule 10 action 'drop'
set firewall ipv4 name fw_EXT_OUT rule 10 log
set firewall ipv4 name fw_EXT_OUT default-action 'accept'

set firewall ipv4 name fw_WAN_EXT rule 10 description 'Established-Related'
set firewall ipv4 name fw_WAN_EXT rule 10 state 'established'
set firewall ipv4 name fw_WAN_EXT rule 10 state 'related'
set firewall ipv4 name fw_WAN_EXT rule 10 action 'accept'
set firewall ipv4 name fw_WAN_EXT rule 20 connection-status nat 'destination'
set firewall ipv4 name fw_WAN_EXT rule 20 action 'accept'
set firewall ipv4 name fw_WAN_EXT rule 20 state 'new'
set firewall ipv4 name fw_WAN_EXT default-action 'drop'

set firewall ipv4 name fw_LOCAL rule 10 action 'accept'
set firewall ipv4 name fw_LOCAL rule 10 description 'Established-Related'
set firewall ipv4 name fw_LOCAL rule 10 protocol 'all'
set firewall ipv4 name fw_LOCAL rule 10 state 'established'
set firewall ipv4 name fw_LOCAL rule 10 state 'related'
set firewall ipv4 name fw_LOCAL rule 20 description 'Drop Invalid'
set firewall ipv4 name fw_LOCAL rule 20 state 'invalid'
set firewall ipv4 name fw_LOCAL rule 20 action 'drop'
set firewall ipv4 name fw_LOCAL rule 20 log
set firewall ipv4 name fw_LOCAL rule 30 description 'Allow ICMP'
set firewall ipv4 name fw_LOCAL rule 30 protocol 'icmp'
set firewall ipv4 name fw_LOCAL rule 30 action 'accept'
set firewall ipv4 name fw_LOCAL rule 30 log
set firewall ipv4 name fw_LOCAL rule 50 description 'Allow DHCP'
set firewall ipv4 name fw_LOCAL rule 50 destination port '67'
set firewall ipv4 name fw_LOCAL rule 50 action 'accept'
set firewall ipv4 name fw_LOCAL rule 50 protocol 'udp'
set firewall ipv4 name fw_LOCAL rule 50 log
set firewall ipv4 name fw_LOCAL default-action 'drop'

At this point, if you are familiar with zone-based firewall configurations, I’m guessing that you are scratching your head wondering why I’m doing it this way. Sometimes I wonder myself. I’m trying to add the structure that I’ll need later when I add an internal DNS server for all but the External subnet. Hopefully this looks more useful later.

And now the zones.

set firewall zone LAN default-action 'drop'
set firewall zone LAN from Cameras firewall name 'fw_REJECT'
set firewall zone LAN from External firewall name 'fw_REJECT'
set firewall zone LAN from Guest firewall name 'fw_REJECT'
set firewall zone LAN from Local firewall name 'fw_ACCEPT'
set firewall zone LAN from Management firewall name 'fw_ACCEPT'
set firewall zone LAN from Media firewall name 'fw_REJECT'
set firewall zone LAN from WAN firewall name 'fw_EST_REL'
set firewall zone LAN member interface 'eth2.10'

set firewall zone Guest default-action 'drop'
set firewall zone Guest from Cameras firewall name 'fw_REJECT'
set firewall zone Guest from External firewall name 'fw_REJECT'
set firewall zone Guest from LAN firewall name 'fw_REJECT'
set firewall zone Guest from Local firewall name 'fw_ACCEPT'
set firewall zone Guest from Management firewall name 'fw_ACCEPT'
set firewall zone Guest from Media firewall name 'fw_REJECT'
set firewall zone Guest from WAN firewall name 'fw_EST_REL'
set firewall zone Guest member interface 'eth2.30'

set firewall zone Media default-action 'drop'
set firewall zone Media from Cameras firewall name 'fw_REJECT'
set firewall zone Media from External firewall name 'fw_REJECT'
set firewall zone Media from Guest firewall name 'fw_REJECT'
set firewall zone Media from LAN firewall name 'fw_REJECT'
set firewall zone Media from Local firewall name 'fw_ACCEPT'
set firewall zone Media from Management firewall name 'fw_ACCEPT'
set firewall zone Media from WAN firewall name 'fw_EST_REL'
set firewall zone Media member interface 'eth2.20'

set firewall zone Management default-action 'drop'
set firewall zone Management from Cameras firewall name 'fw_EST_REL'
set firewall zone Management from External firewall name 'fw_EST_REL'
set firewall zone Management from Guest firewall name 'fw_EST_REL'
set firewall zone Management from LAN firewall name 'fw_EST_REL'
set firewall zone Management from Local firewall name 'fw_ACCEPT'
set firewall zone Management from Media firewall name 'fw_EST_REL'
set firewall zone Management from WAN firewall name 'fw_EST_REL'
set firewall zone Management member interface 'eth2.40'
set firewall zone Management member interface 'eth0'

set firewall zone Cameras default-action 'drop'
set firewall zone Cameras from External firewall name 'fw_REJECT'
set firewall zone Cameras from Guest firewall name 'fw_REJECT'
set firewall zone Cameras from LAN firewall name 'fw_REJECT'
set firewall zone Cameras from Local firewall name 'fw_REJECT'
set firewall zone Cameras from Management firewall name 'fw_REJECT'
set firewall zone Cameras from Media firewall name 'fw_REJECT'
set firewall zone Cameras from WAN firewall name 'fw_REJECT'
set firewall zone Cameras member interface 'eth2.50'

set firewall zone External default-action 'drop'
set firewall zone External from Cameras firewall name 'fw_REJECT'
set firewall zone External from Guest firewall name 'fw_REJECT'
set firewall zone External from LAN firewall name 'fw_REJECT'
set firewall zone External from Local firewall name 'fw_ACCEPT'
set firewall zone External from Management firewall name 'fw_ACCEPT'
set firewall zone External from Media firewall name 'fw_REJECT'
set firewall zone External from WAN firewall name 'fw_WAN_EXT'
set firewall zone External member interface 'eth2.100'

set firewall zone Local default-action 'drop'
set firewall zone Local from Cameras firewall name 'fw_LOCAL'
set firewall zone Local from External firewall name 'fw_LOCAL'
set firewall zone Local from Guest firewall name 'fw_LOCAL'
set firewall zone Local from LAN firewall name 'fw_LOCAL'
set firewall zone Local from Management firewall name 'fw_ACCEPT'
set firewall zone Local from Media firewall name 'fw_LOCAL'
set firewall zone Local from WAN firewall name 'fw_EST_REL'
set firewall zone Local local-zone

set firewall zone WAN default-action 'drop'
set firewall zone WAN from Cameras firewall name 'fw_REJECT'
set firewall zone WAN from External firewall name 'fw_EXT_OUT'
set firewall zone WAN from Guest firewall name 'fw_EXT_OUT'
set firewall zone WAN from LAN firewall name 'fw_EXT_OUT'
set firewall zone WAN from Local firewall name 'fw_ACCEPT'
set firewall zone WAN from Management firewall name 'fw_MGMNT_OUT'
set firewall zone WAN from Media firewall name 'fw_EXT_OUT'
set firewall zone WAN member interface 'eth3'
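A zone-based policy is a matrix: every ordered pair of zones needs an explicit from policy, otherwise traffic between that pair silently falls to the destination zone’s default-action, and every interface should belong to exactly one zone. The script below is an added example, not the post’s own tooling or anything shipped with VyOS. It loads a constructed four-zone excerpt of the zone configuration above (GOOD_CONFIG, assumed input; the real config has eight zones but the checks are identical), plus a copy with three deliberate mistakes (BAD_CONFIG), and reports missing pairs, references to undefined rulesets or zones, interfaces claimed by more than one zone, and a missing or duplicated local-zone. policy() answers the question a reviewer asks first: which ruleset does a given source-to-destination pair actually hit?

```python
import shlex

# Constructed four-zone excerpt of the zone policy from this post.
GOOD_CONFIG = """
set firewall ipv4 name fw_ACCEPT default-action 'accept'
set firewall ipv4 name fw_REJECT rule 10 action 'drop'
set firewall ipv4 name fw_EST_REL default-action 'drop'
set firewall ipv4 name fw_EXT_OUT default-action 'accept'
set firewall ipv4 name fw_LOCAL default-action 'drop'
set firewall zone LAN default-action 'drop'
set firewall zone LAN from Guest firewall name 'fw_REJECT'
set firewall zone LAN from Local firewall name 'fw_ACCEPT'
set firewall zone LAN from WAN firewall name 'fw_EST_REL'
set firewall zone LAN member interface 'eth2.10'
set firewall zone Guest default-action 'drop'
set firewall zone Guest from LAN firewall name 'fw_REJECT'
set firewall zone Guest from Local firewall name 'fw_ACCEPT'
set firewall zone Guest from WAN firewall name 'fw_EST_REL'
set firewall zone Guest member interface 'eth2.30'
set firewall zone Local default-action 'drop'
set firewall zone Local from Guest firewall name 'fw_LOCAL'
set firewall zone Local from LAN firewall name 'fw_LOCAL'
set firewall zone Local from WAN firewall name 'fw_EST_REL'
set firewall zone Local local-zone
set firewall zone WAN default-action 'drop'
set firewall zone WAN from Guest firewall name 'fw_EXT_OUT'
set firewall zone WAN from LAN firewall name 'fw_EXT_OUT'
set firewall zone WAN from Local firewall name 'fw_ACCEPT'
set firewall zone WAN member interface 'eth3'
"""

# Constructed mistakes: the LAN -> Guest pair is missing, one ruleset name is
# misspelled, and eth2.10 is placed in two zones.
BAD_CONFIG = (GOOD_CONFIG
              .replace("set firewall zone Guest from LAN firewall name 'fw_REJECT'\n", "")
              .replace("zone LAN from WAN firewall name 'fw_EST_REL'",
                       "zone LAN from WAN firewall name 'fw_ESTREL'")
              + "set firewall zone Guest member interface 'eth2.10'\n")


def parse(text):
    """Tokenize 'set ...' lines into path lists; trailing # comments are dropped."""
    return [shlex.split(line.split('#', 1)[0])[1:]
            for line in text.splitlines() if line.strip().startswith('set ')]


def load_zones(cmds):
    """Collect zones and the set of defined ipv4 rulesets from parsed set paths."""
    zones, rulesets = {}, set()
    for c in cmds:
        if c[:3] == ['firewall', 'ipv4', 'name']:
            rulesets.add(c[3])
        elif c[:2] == ['firewall', 'zone']:
            z = zones.setdefault(c[2], {'from': {}, 'members': [], 'local': False, 'default': None})
            if c[3] == 'from':
                z['from'][c[4]] = c[-1]          # source zone -> ruleset name
            elif c[3] == 'member':
                z['members'].append(c[-1])
            elif c[3] == 'local-zone':
                z['local'] = True
            elif c[3] == 'default-action':
                z['default'] = c[-1]
    return zones, rulesets


def policy(zones, src, dst):
    """Ruleset hit by traffic from zone src to zone dst, or dst's default-action when the pair is undefined."""
    return zones[dst]['from'].get(src, f"default-action {zones[dst]['default']}")


def audit(text):
    """Return a list of findings about the zone matrix; empty means every pair is explicit and consistent."""
    zones, rulesets = load_zones(parse(text))
    findings = []
    for dst, z in zones.items():
        for src in zones:
            if src != dst and src not in z['from']:
                findings.append(f'{src} -> {dst}: no policy, falls to default-action {z["default"]}')
        for src, rs in z['from'].items():
            if src not in zones:
                findings.append(f'{src} -> {dst}: source zone {src} is not defined')
            if rs not in rulesets:
                findings.append(f'{src} -> {dst}: ruleset {rs} is not defined')
    owners = {}
    for name, z in zones.items():
        for member in z['members']:
            owners.setdefault(member, []).append(name)
    findings += [f'{m}: member of more than one zone ({", ".join(o)})'
                 for m, o in owners.items() if len(o) > 1]
    if sum(z['local'] for z in zones.values()) != 1:
        findings.append('exactly one zone must be marked local-zone')
    return findings


if __name__ == '__main__':
    zones, _ = load_zones(parse(GOOD_CONFIG))
    print('Guest -> LAN hits', policy(zones, 'Guest', 'LAN'))
    for label, cfg in (('good', GOOD_CONFIG), ('bad', BAD_CONFIG)):
        print(label, audit(cfg) or 'no findings')
```

The missing-pair check is the one worth keeping around: VyOS happily commits a zone that has no policy for one of its neighbours, and the only symptom is traffic quietly hitting the zone’s default-action drop, which looks exactly like a deliberate block until somebody reads the matrix.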

That completes the basic firewall setup minus the DNS server and its rules. I can also imagine that there will be some necessary modifications as the network grows or changes, but this framework should allow for those changes or additions to be included relatively easily.

One more thing I want to add before I’m done with this portion is to add in the offloading. If I understand correctly this should allow for some transactions to pass between the Mellanox NIC ports (WAN and the switch) without any involvement of the processor. I need to come up with a way to test this.

set interfaces ethernet eth2 mtu '9000'
set interfaces ethernet eth2 offload gro
set interfaces ethernet eth2 offload gso
set interfaces ethernet eth2 offload sg
set interfaces ethernet eth2 offload tso

set interfaces ethernet eth3 offload gro
set interfaces ethernet eth3 offload gso
set interfaces ethernet eth3 offload sg
set interfaces ethernet eth3 offload tso

Thanks for reading, and as always comments and questions are welcome.
