VyOS - Configuration Blueprints и архитектура
Готовые к развертыванию шаблоны конфигурации VyOS для типичных сценариев использования. Каждый шаблон представляет собой полную рабочую конфигурацию, которую можно адаптировать под конкретные требования. Все пароли, PSK и ключи в шаблонах — плейсхолдеры: замените их перед применением и не храните реальные секреты в файлах шаблонов. Синтаксис firewall приведён в виде VyOS 1.2/1.3 (`firewall name ...`); в VyOS 1.4+ дерево firewall изменилось, сверяйтесь с документацией своей версии.
Как использовать шаблоны
Метод 1: Через CLI
# Enter configuration mode
configure
# Paste the template's "set" commands into the CLI
# (on a remote box prefer "commit-confirm <minutes>": a firewall mistake rolls back by itself)
# Apply the candidate configuration
commit
# Persist it to /config/config.boot
save
Метод 2: Через config.boot файл
# Save the template to a file on the router
sudo vi /config/config.boot.template
# Load it. NOTE: "load" REPLACES the whole candidate configuration with the file's
# content (it does not merge) — anything missing from the template, e.g. your current
# management access, disappears on commit. Review with "compare" and use commit-confirm.
configure
load /config/config.boot.template
commit
save
Метод 3: Через API
# Использовать VyOS API для применения конфигурации
# См. раздел "Автоматизация VyOS" для деталей
# (HTTP API: только по HTTPS, с отдельным API-ключом и доступом лишь из сети управления)
Шаблон 1: SOHO Router (Малый офис / Домашний офис)
Описание
Базовый роутер для малого офиса (до 50 устройств):
- WAN интерфейс с DHCP от провайдера
- LAN с DHCP сервером
- NAT для выхода в интернет
- Базовый firewall
- DNS forwarding
- NTP
- SSH доступ
Топология
Internet (ISP DHCP)
|
[eth0] WAN
VyOS Router
[eth1] LAN
|
192.168.1.0/24
(Client devices)
Полная конфигурация
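configure
# NOTE: firewall syntax below is the VyOS 1.2/1.3 form ("firewall name", interface
# "firewall local/in name"); VyOS 1.4+ moved to "firewall ipv4 ..." — adapt before commit.
# All secrets in this template are placeholders. Replace them before use and never
# commit real passwords or keys into template files or version control.
# System settings
set system host-name soho-router
set system time-zone Europe/Moscow
set system name-server 8.8.8.8
set system name-server 8.8.4.4
# Admin account. VyOS hashes the password on commit (stored as encrypted-password), but
# the template file itself keeps it in clear — keep it a placeholder. Because SSH
# password authentication is disabled below, this password is console-only.
set system login user admin authentication plaintext-password '<console-password>'
set system login user admin level admin
# SSH public key for admin. REQUIRED: with password authentication disabled and no key
# configured, the template locks you out of remote access.
set system login user admin authentication public-keys admin@workstation type ssh-ed25519
set system login user admin authentication public-keys admin@workstation key '<base64-public-key>'
# SSH: key-only, bound to the LAN address so it is never reachable from the WAN even if
# the WAN_LOCAL ruleset is relaxed later.
set service ssh port 22
set service ssh disable-password-authentication
set service ssh listen-address 192.168.1.1
# NTP
set service ntp server 0.ru.pool.ntp.org
set service ntp server 1.ru.pool.ntp.org
# WAN interface (address via DHCP from the ISP)
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'WAN'
# LAN interface
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 description 'LAN'
# DHCP server for the LAN
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 name-server 192.168.1.1
# ".local" is reserved for mDNS (RFC 6762); "home.arpa" (RFC 8375) avoids resolver conflicts
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 domain-name internal.local
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 start 192.168.1.100
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 stop 192.168.1.200
# DNS forwarding. allow-from restricts which clients may query the resolver (required on
# 1.3 and later); without it the forwarder answers anyone who can reach it — an
# open-resolver / amplification risk.
set service dns forwarding listen-address 192.168.1.1
set service dns forwarding allow-from 192.168.1.0/24
set service dns forwarding cache-size 10000
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
# Source NAT for internet access
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.1.0/24
set nat source rule 100 translation address masquerade
# Firewall - WAN_LOCAL (traffic from the WAN to the router itself): default drop; only
# replies to router-initiated sessions and ICMP are accepted.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
# ICMP is accepted for path-MTU discovery and reachability tests; restrict it to the
# types you need (e.g. echo-request) if you want the router invisible to scans.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol icmp
# Firewall - WAN_IN (traffic from the WAN forwarded into the LAN): default drop; only
# return traffic of LAN-initiated sessions. Port forwards need explicit rules here.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable
# Attach the rulesets to the WAN interface
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 firewall in name WAN_IN
# On a remote box use "commit-confirm 10" instead, so a mistake rolls back automatically
commit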
save
Кастомизация
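# All examples below assume the template's default LAN subnet 192.168.1.0/24.
# Static DHCP lease for a server
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping server1 mac '00:11:22:33:44:55'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping server1 ip-address '192.168.1.10'
# Publish an internal service (example: web server). The DNAT rule alone is not enough:
# WAN_IN default-drops, so the forwarded traffic must be explicitly accepted below.
# The exposed host is reachable from the whole internet — keep it patched and, ideally,
# place it in its own segment.
set nat destination rule 100 inbound-interface eth0
set nat destination rule 100 protocol tcp
set nat destination rule 100 destination port 80
set nat destination rule 100 translation address 192.168.1.10
set nat destination rule 100 translation port 80
# Allow the forwarded traffic only to that host and port
set firewall name WAN_IN rule 100 action accept
set firewall name WAN_IN rule 100 protocol tcp
set firewall name WAN_IN rule 100 destination address 192.168.1.10
# Re-address the LAN. The old subnet must be removed first: a DHCP subnet with no matching
# interface address makes the commit fail, and the DNS listen-address / NAT source must
# follow the new addressing (also update ssh listen-address and dns allow-from if you set them).
delete interfaces ethernet eth1 address 192.168.1.1/24
delete service dhcp-server shared-network-name LAN subnet 192.168.1.0/24
delete service dns forwarding listen-address 192.168.1.1
set interfaces ethernet eth1 address 10.0.0.1/24
set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 default-router 10.0.0.1
set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 name-server 10.0.0.1
set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 range 0 start 10.0.0.100
set service dhcp-server shared-network-name LAN subnet 10.0.0.0/24 range 0 stop 10.0.0.200
set service dns forwarding listen-address 10.0.0.1
set service dns forwarding allow-from 10.0.0.0/24
set nat source rule 100 source address 10.0.0.0/24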
set firewall name WAN_IN rule 100 destination port 80
Шаблон 2: Branch Office Router (Филиал с VPN)
Описание
Роутер для филиала компании с VPN подключением к головному офису:
- WAN интерфейс со статическим IP
- LAN с несколькими VLAN (офис, гости, принтеры)
- IPsec Site-to-Site VPN до головного офиса
- QoS для приоритизации VoIP
- DHCP с резервированием для оборудования
- Syslog на центральный сервер
Топология
Internet
|
[eth0] WAN (203.0.113.10/24)
VyOS Router
|
[eth1] LAN Trunk
|
Switch
|
+--- VLAN 10 (192.168.10.0/24) Office
+--- VLAN 20 (192.168.20.0/24) Guests
+--- VLAN 30 (192.168.30.0/24) Printers
IPsec Tunnel to HQ
192.168.0.0/24 (HQ LAN), публичный адрес HQ: 198.51.100.1
Полная конфигурация
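configure
# NOTE: legacy (1.2/1.3) firewall syntax; VyOS 1.4+ uses the "firewall ipv4" tree.
# All secrets below are placeholders — replace them and keep real values out of templates.
# System settings
set system host-name branch-office
set system time-zone Europe/Moscow
set system domain-name company.local
# Admin account (console-only password; SSH is key-only below)
set system login user admin authentication plaintext-password '<console-password>'
set system login user admin level admin
set system login user admin authentication public-keys admin@workstation type ssh-ed25519
set system login user admin authentication public-keys admin@workstation key '<base64-public-key>'
# SSH: key-only and bound to the office VLAN address (not reachable from the WAN or guests)
set service ssh port 22
set service ssh disable-password-authentication
set service ssh listen-address 192.168.10.1
# NTP
set service ntp server ntp1.company.local
set service ntp server 0.ru.pool.ntp.org
# Syslog to the central server at HQ. Plain syslog is unencrypted UDP; this is only
# acceptable because the path to 192.168.0.10 runs inside the IPsec tunnel.
set system syslog host 192.168.0.10 facility all level info
set system syslog global facility all level info
# WAN interface (static ISP address)
set interfaces ethernet eth0 address 203.0.113.10/24
set interfaces ethernet eth0 description 'WAN'
# LAN trunk and VLAN sub-interfaces
set interfaces ethernet eth1 description 'LAN-TRUNK'
set interfaces ethernet eth1 vif 10 address 192.168.10.1/24
set interfaces ethernet eth1 vif 10 description 'Office-VLAN'
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24
set interfaces ethernet eth1 vif 20 description 'Guest-VLAN'
set interfaces ethernet eth1 vif 30 address 192.168.30.1/24
set interfaces ethernet eth1 vif 30 description 'Printer-VLAN'
# DHCP - Office VLAN
set service dhcp-server shared-network-name OFFICE subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name OFFICE subnet 192.168.10.0/24 name-server 192.168.0.10
set service dhcp-server shared-network-name OFFICE subnet 192.168.10.0/24 domain-name company.local
set service dhcp-server shared-network-name OFFICE subnet 192.168.10.0/24 lease 86400
set service dhcp-server shared-network-name OFFICE subnet 192.168.10.0/24 range 0 start 192.168.10.100
set service dhcp-server shared-network-name OFFICE subnet 192.168.10.0/24 range 0 stop 192.168.10.200
# Static leases for equipment
set service dhcp-server shared-network-name OFFICE subnet 192.168.10.0/24 static-mapping voip-phone1 mac '00:11:22:33:44:01'
set service dhcp-server shared-network-name OFFICE subnet 192.168.10.0/24 static-mapping voip-phone1 ip-address '192.168.10.11'
set service dhcp-server shared-network-name OFFICE subnet 192.168.10.0/24 static-mapping voip-phone2 mac '00:11:22:33:44:02'
set service dhcp-server shared-network-name OFFICE subnet 192.168.10.0/24 static-mapping voip-phone2 ip-address '192.168.10.12'
# DHCP - Guest VLAN: short leases and public DNS (guests must not use the internal resolver)
set service dhcp-server shared-network-name GUESTS subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name GUESTS subnet 192.168.20.0/24 name-server 8.8.8.8
set service dhcp-server shared-network-name GUESTS subnet 192.168.20.0/24 lease 3600
set service dhcp-server shared-network-name GUESTS subnet 192.168.20.0/24 range 0 start 192.168.20.100
set service dhcp-server shared-network-name GUESTS subnet 192.168.20.0/24 range 0 stop 192.168.20.250
# DHCP - Printer VLAN
set service dhcp-server shared-network-name PRINTERS subnet 192.168.30.0/24 default-router 192.168.30.1
set service dhcp-server shared-network-name PRINTERS subnet 192.168.30.0/24 name-server 192.168.0.10
set service dhcp-server shared-network-name PRINTERS subnet 192.168.30.0/24 lease 86400
set service dhcp-server shared-network-name PRINTERS subnet 192.168.30.0/24 range 0 start 192.168.30.100
set service dhcp-server shared-network-name PRINTERS subnet 192.168.30.0/24 range 0 stop 192.168.30.200
# DNS forwarding for office and printers only. The forwarder sends queries to the HQ DNS
# (192.168.0.10), so exposing it to the guest VLAN would leak internal names; allow-from
# is required on 1.3+ and prevents an open resolver.
set service dns forwarding listen-address 192.168.10.1
set service dns forwarding listen-address 192.168.30.1
set service dns forwarding allow-from 192.168.10.0/24
set service dns forwarding allow-from 192.168.30.0/24
set service dns forwarding cache-size 10000
set service dns forwarding name-server 192.168.0.10
set service dns forwarding name-server 8.8.8.8
# Default route via the ISP gateway
set protocols static route 0.0.0.0/0 next-hop 203.0.113.1
# NAT exclusion for traffic that belongs in the tunnel. Rule 10 is evaluated before the
# masquerade rules (lower number first), so office->HQ traffic keeps its source address
# and matches the IPsec selectors.
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 192.168.10.0/24
set nat source rule 10 destination address 192.168.0.0/24
set nat source rule 10 exclude
# Source NAT for internet access
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.10.0/24
set nat source rule 100 translation address masquerade
set nat source rule 101 outbound-interface eth0
set nat source rule 101 source address 192.168.20.0/24
set nat source rule 101 translation address masquerade
set nat source rule 102 outbound-interface eth0
set nat source rule 102 source address 192.168.30.0/24
set nat source rule 102 translation address masquerade
# IPsec site-to-site to HQ. The HQ public address (198.51.100.1) is distinct from the ISP
# gateway (203.0.113.1) — the original template used the gateway address as the VPN peer.
# On VyOS 1.4 replace the next line with "set vpn ipsec interface eth0".
set vpn ipsec ipsec-interfaces interface eth0
# IKEv2 (IKEv1 is the default on older releases), AES-256/SHA-256/DH14, dead-peer
# detection so a stale SA is torn down and re-established
set vpn ipsec ike-group IKE-HQ key-exchange ikev2
set vpn ipsec ike-group IKE-HQ proposal 1 encryption aes256
set vpn ipsec ike-group IKE-HQ proposal 1 hash sha256
set vpn ipsec ike-group IKE-HQ proposal 1 dh-group 14
set vpn ipsec ike-group IKE-HQ lifetime 28800
set vpn ipsec ike-group IKE-HQ dead-peer-detection action restart
set vpn ipsec ike-group IKE-HQ dead-peer-detection interval 30
set vpn ipsec ike-group IKE-HQ dead-peer-detection timeout 120
set vpn ipsec esp-group ESP-HQ proposal 1 encryption aes256
set vpn ipsec esp-group ESP-HQ proposal 1 hash sha256
set vpn ipsec esp-group ESP-HQ lifetime 3600
set vpn ipsec esp-group ESP-HQ pfs dh-group14
# Pre-shared key: long random value, identical on both ends, never reused across sites.
# Certificates (authentication mode x509) are preferable for more than a handful of sites.
set vpn ipsec site-to-site peer 198.51.100.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.1 authentication pre-shared-secret '<random-psk>'
set vpn ipsec site-to-site peer 198.51.100.1 ike-group IKE-HQ
set vpn ipsec site-to-site peer 198.51.100.1 local-address 203.0.113.10
set vpn ipsec site-to-site peer 198.51.100.1 tunnel 1 esp-group ESP-HQ
set vpn ipsec site-to-site peer 198.51.100.1 tunnel 1 local prefix 192.168.10.0/24
set vpn ipsec site-to-site peer 198.51.100.1 tunnel 1 remote prefix 192.168.0.0/24
# Router-originated traffic to HQ (syslog, DNS to 192.168.0.10) only enters the tunnel
# when it is sourced from 192.168.10.1 — verify with "show vpn ipsec sa" counters after commit.
# QoS: prioritise VoIP on the WAN
set traffic-policy shaper WAN-OUT bandwidth 100mbit
set traffic-policy shaper WAN-OUT default bandwidth 80%
set traffic-policy shaper WAN-OUT default queue-type fq-codel
set traffic-policy shaper WAN-OUT class 10 bandwidth 15%
set traffic-policy shaper WAN-OUT class 10 priority 1
set traffic-policy shaper WAN-OUT class 10 match VOIP ip dscp ef
set traffic-policy shaper WAN-OUT class 10 match VOIP-SIP ip destination port 5060
set traffic-policy shaper WAN-OUT class 10 match VOIP-RTP ip destination port 10000-20000
set interfaces ethernet eth0 traffic-policy out WAN-OUT
# Firewall - WAN_LOCAL (WAN -> router): default drop
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol icmp
# IKE / NAT-T / ESP accepted only from the HQ peer, not from the whole internet
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol udp
set firewall name WAN_LOCAL rule 40 source address 198.51.100.1
set firewall name WAN_LOCAL rule 40 destination port 500
set firewall name WAN_LOCAL rule 41 action accept
set firewall name WAN_LOCAL rule 41 protocol udp
set firewall name WAN_LOCAL rule 41 source address 198.51.100.1
set firewall name WAN_LOCAL rule 41 destination port 4500
set firewall name WAN_LOCAL rule 42 action accept
set firewall name WAN_LOCAL rule 42 protocol esp
set firewall name WAN_LOCAL rule 42 source address 198.51.100.1
# Firewall - WAN_IN (WAN -> forwarded): default drop, return traffic only
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable
# Guest isolation. Applied as "in" on the guest VLAN, i.e. to packets arriving FROM guest
# devices. An "out" ruleset on vif 20 would only see packets going TO guests, whose
# destinations are 192.168.20.x, so the drop rules would never match and the isolation
# would be silently ineffective.
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 action drop
set firewall name GUEST_IN rule 10 destination address 192.168.10.0/24
set firewall name GUEST_IN rule 11 action drop
set firewall name GUEST_IN rule 11 destination address 192.168.30.0/24
set firewall name GUEST_IN rule 12 action drop
set firewall name GUEST_IN rule 12 destination address 192.168.0.0/24
# Guests may talk to the router itself only for DHCP and ICMP (no SSH, no DNS forwarder)
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 state established enable
set firewall name GUEST_LOCAL rule 10 state related enable
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 protocol udp
set firewall name GUEST_LOCAL rule 20 destination port 67
set firewall name GUEST_LOCAL rule 30 action accept
set firewall name GUEST_LOCAL rule 30 protocol icmp
# Attach rulesets
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth1 vif 20 firewall in name GUEST_IN
set interfaces ethernet eth1 vif 20 firewall local name GUEST_LOCAL
commit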
save
Шаблон 3: Datacenter Edge Router (ЦОД с BGP)
Описание
Граничный роутер для датацентра:
- Dual WAN с BGP к двум провайдерам
- Публичные IP адреса
- NAT для внутренних серверов
- Destination NAT для публичных сервисов
- High Availability (VRRP)
- OSPF для внутренней маршрутизации
- Строгий firewall
Топология
ISP1 (AS 65001) ISP2 (AS 65002)
| |
[eth0] 203.0.113.2/30 [eth1] 198.51.100.2/30
\ /
\ VyOS Router /
\ /
[eth2] Internal
|
172.16.0.1/24
(Server Network)
Полная конфигурация
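configure
# NOTE: legacy (1.2/1.3) firewall syntax; VyOS 1.4+ uses "firewall ipv4 ...". All
# secrets and keys below are placeholders.
# System settings
set system host-name dc-edge-router
set system time-zone Europe/Moscow
set system domain-name dc.company.local
# Admin account (console-only password; SSH key-only, bound to the internal address)
set system login user admin authentication plaintext-password '<console-password>'
set system login user admin level admin
set system login user admin authentication public-keys admin@workstation type ssh-ed25519
set system login user admin authentication public-keys admin@workstation key '<base64-public-key>'
set service ssh port 22
set service ssh disable-password-authentication
set service ssh listen-address 172.16.0.1
# NTP
set service ntp server ntp1.yandex.ru
set service ntp server ntp2.yandex.ru
# Syslog (internal collector; plain UDP syslog, keep it on the internal segment)
set system syslog global facility all level info
set system syslog host 172.16.0.10 facility all level warning
# WAN1 (ISP1)
set interfaces ethernet eth0 address 203.0.113.2/30
set interfaces ethernet eth0 description 'ISP1-WAN'
# WAN2 (ISP2)
set interfaces ethernet eth1 address 198.51.100.2/30
set interfaces ethernet eth1 description 'ISP2-WAN'
# Internal server network
set interfaces ethernet eth2 address 172.16.0.1/24
set interfaces ethernet eth2 description 'Internal-Servers'
# Public prefixes we originate (documentation ranges — replace with your allocation).
# "network" only announces a prefix that exists in the RIB, hence the blackhole
# aggregates; the /30 link routes are more specific and unaffected, and DNAT rewrites
# packets for the public service addresses before routing.
set protocols static route 203.0.113.0/28 blackhole
set protocols static route 198.51.100.0/28 blackhole
# BGP
set protocols bgp 64512 parameters router-id 172.16.0.1
# Neighbor ISP1. No default-originate: that would advertise 0.0.0.0/0 TO the provider;
# the default route is received FROM it. "password" is TCP-MD5 session protection agreed
# with the ISP; "ttl-security" is GTSM (drop the line if your release lacks it).
set protocols bgp 64512 neighbor 203.0.113.1 remote-as 65001
set protocols bgp 64512 neighbor 203.0.113.1 description 'ISP1'
set protocols bgp 64512 neighbor 203.0.113.1 password '<isp1-md5-key>'
set protocols bgp 64512 neighbor 203.0.113.1 ttl-security hops 1
set protocols bgp 64512 neighbor 203.0.113.1 address-family ipv4-unicast
# soft-reconfiguration keeps a copy of every received route: fine for a default-only
# feed, memory-hungry with a full table
set protocols bgp 64512 neighbor 203.0.113.1 address-family ipv4-unicast soft-reconfiguration inbound
# Neighbor ISP2
set protocols bgp 64512 neighbor 198.51.100.1 remote-as 65002
set protocols bgp 64512 neighbor 198.51.100.1 description 'ISP2'
set protocols bgp 64512 neighbor 198.51.100.1 password '<isp2-md5-key>'
set protocols bgp 64512 neighbor 198.51.100.1 ttl-security hops 1
set protocols bgp 64512 neighbor 198.51.100.1 address-family ipv4-unicast
set protocols bgp 64512 neighbor 198.51.100.1 address-family ipv4-unicast soft-reconfiguration inbound
# Originate our prefixes
set protocols bgp 64512 address-family ipv4-unicast network 203.0.113.0/28
set protocols bgp 64512 address-family ipv4-unicast network 198.51.100.0/28
# Import filter: never accept our own prefixes or RFC 1918 space from an ISP (hijack /
# leak protection), then anything up to /24
set policy prefix-list BGP-IN rule 1 action deny
set policy prefix-list BGP-IN rule 1 prefix 203.0.113.0/28
set policy prefix-list BGP-IN rule 1 le 32
set policy prefix-list BGP-IN rule 2 action deny
set policy prefix-list BGP-IN rule 2 prefix 198.51.100.0/28
set policy prefix-list BGP-IN rule 2 le 32
set policy prefix-list BGP-IN rule 3 action deny
set policy prefix-list BGP-IN rule 3 prefix 10.0.0.0/8
set policy prefix-list BGP-IN rule 3 le 32
set policy prefix-list BGP-IN rule 4 action deny
set policy prefix-list BGP-IN rule 4 prefix 172.16.0.0/12
set policy prefix-list BGP-IN rule 4 le 32
set policy prefix-list BGP-IN rule 5 action deny
set policy prefix-list BGP-IN rule 5 prefix 192.168.0.0/16
set policy prefix-list BGP-IN rule 5 le 32
set policy prefix-list BGP-IN rule 10 action permit
set policy prefix-list BGP-IN rule 10 prefix 0.0.0.0/0
set policy prefix-list BGP-IN rule 10 le 24
set policy route-map BGP-FILTER rule 10 action permit
set policy route-map BGP-FILTER rule 10 match ip address prefix-list BGP-IN
# Export filter: only our own prefixes. Without it, routes learned from ISP1 are
# re-advertised to ISP2 (and vice versa) and the DC becomes a transit AS — a route leak.
set policy prefix-list BGP-OUT rule 10 action permit
set policy prefix-list BGP-OUT rule 10 prefix 203.0.113.0/28
set policy prefix-list BGP-OUT rule 20 action permit
set policy prefix-list BGP-OUT rule 20 prefix 198.51.100.0/28
set policy route-map BGP-EXPORT rule 10 action permit
set policy route-map BGP-EXPORT rule 10 match ip address prefix-list BGP-OUT
set protocols bgp 64512 neighbor 203.0.113.1 address-family ipv4-unicast route-map import BGP-FILTER
set protocols bgp 64512 neighbor 203.0.113.1 address-family ipv4-unicast route-map export BGP-EXPORT
set protocols bgp 64512 neighbor 198.51.100.1 address-family ipv4-unicast route-map import BGP-FILTER
set protocols bgp 64512 neighbor 198.51.100.1 address-family ipv4-unicast route-map export BGP-EXPORT
# OSPF for internal routers. Only a default route is injected (redistributing BGP would
# push the whole internet table into OSPF); the adjacency on the server segment is
# MD5-authenticated so a rogue host cannot inject routes.
set protocols ospf parameters router-id 172.16.0.1
set protocols ospf area 0 network 172.16.0.0/24
set protocols ospf interface eth2 authentication md5 key-id 1 md5-key '<ospf-key>'
set protocols ospf default-information originate
# Source NAT for internal servers (via WAN1, and via WAN2 when traffic leaves there)
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 172.16.0.0/24
set nat source rule 100 translation address masquerade
set nat source rule 101 outbound-interface eth1
set nat source rule 101 source address 172.16.0.0/24
set nat source rule 101 translation address masquerade
# Destination NAT for public services, ISP1 addresses
# Web server 172.16.0.20
set nat destination rule 100 inbound-interface eth0
set nat destination rule 100 protocol tcp
set nat destination rule 100 destination address 203.0.113.10
set nat destination rule 100 destination port 80
set nat destination rule 100 translation address 172.16.0.20
set nat destination rule 100 translation port 80
set nat destination rule 101 inbound-interface eth0
set nat destination rule 101 protocol tcp
set nat destination rule 101 destination address 203.0.113.10
set nat destination rule 101 destination port 443
set nat destination rule 101 translation address 172.16.0.20
set nat destination rule 101 translation port 443
# Mail server 172.16.0.21
set nat destination rule 110 inbound-interface eth0
set nat destination rule 110 protocol tcp
set nat destination rule 110 destination address 203.0.113.11
set nat destination rule 110 destination port 25
set nat destination rule 110 translation address 172.16.0.21
set nat destination rule 110 translation port 25
set nat destination rule 111 inbound-interface eth0
set nat destination rule 111 protocol tcp
set nat destination rule 111 destination address 203.0.113.11
set nat destination rule 111 destination port 587
set nat destination rule 111 translation address 172.16.0.21
set nat destination rule 111 translation port 587
# Same services on the ISP2 addresses so they stay reachable during an ISP1 outage
# (publish both addresses in DNS). Reply packets may leave via either ISP; that is fine
# because both prefixes are announced to both providers.
set nat destination rule 200 inbound-interface eth1
set nat destination rule 200 protocol tcp
set nat destination rule 200 destination address 198.51.100.10
set nat destination rule 200 destination port 80
set nat destination rule 200 translation address 172.16.0.20
set nat destination rule 200 translation port 80
set nat destination rule 201 inbound-interface eth1
set nat destination rule 201 protocol tcp
set nat destination rule 201 destination address 198.51.100.10
set nat destination rule 201 destination port 443
set nat destination rule 201 translation address 172.16.0.20
set nat destination rule 201 translation port 443
set nat destination rule 210 inbound-interface eth1
set nat destination rule 210 protocol tcp
set nat destination rule 210 destination address 198.51.100.11
set nat destination rule 210 destination port 25
set nat destination rule 210 translation address 172.16.0.21
set nat destination rule 210 translation port 25
set nat destination rule 211 inbound-interface eth1
set nat destination rule 211 protocol tcp
set nat destination rule 211 destination address 198.51.100.11
set nat destination rule 211 destination port 587
set nat destination rule 211 translation address 172.16.0.21
set nat destination rule 211 translation port 587
# Firewall - WAN1_LOCAL (ISP1 -> router): default drop, BGP only from the ISP1 peer
set firewall name WAN1_LOCAL default-action drop
set firewall name WAN1_LOCAL rule 10 action accept
set firewall name WAN1_LOCAL rule 10 state established enable
set firewall name WAN1_LOCAL rule 10 state related enable
set firewall name WAN1_LOCAL rule 20 action drop
set firewall name WAN1_LOCAL rule 20 state invalid enable
set firewall name WAN1_LOCAL rule 30 action accept
set firewall name WAN1_LOCAL rule 30 protocol icmp
set firewall name WAN1_LOCAL rule 40 action accept
set firewall name WAN1_LOCAL rule 40 protocol tcp
set firewall name WAN1_LOCAL rule 40 source address 203.0.113.1
set firewall name WAN1_LOCAL rule 40 destination port 179
# Firewall - WAN2_LOCAL (ISP2 -> router)
set firewall name WAN2_LOCAL default-action drop
set firewall name WAN2_LOCAL rule 10 action accept
set firewall name WAN2_LOCAL rule 10 state established enable
set firewall name WAN2_LOCAL rule 10 state related enable
set firewall name WAN2_LOCAL rule 20 action drop
set firewall name WAN2_LOCAL rule 20 state invalid enable
set firewall name WAN2_LOCAL rule 30 action accept
set firewall name WAN2_LOCAL rule 30 protocol icmp
set firewall name WAN2_LOCAL rule 40 action accept
set firewall name WAN2_LOCAL rule 40 protocol tcp
set firewall name WAN2_LOCAL rule 40 source address 198.51.100.1
set firewall name WAN2_LOCAL rule 40 destination port 179
# Firewall - WAN1_IN (ISP1 -> forwarded): only the DNAT'ed services are accepted.
# The rules match the post-DNAT (internal) destination addresses.
set firewall name WAN1_IN default-action drop
set firewall name WAN1_IN rule 10 action accept
set firewall name WAN1_IN rule 10 state established enable
set firewall name WAN1_IN rule 10 state related enable
set firewall name WAN1_IN rule 20 action drop
set firewall name WAN1_IN rule 20 state invalid enable
set firewall name WAN1_IN rule 100 action accept
set firewall name WAN1_IN rule 100 protocol tcp
set firewall name WAN1_IN rule 100 destination address 172.16.0.20
set firewall name WAN1_IN rule 100 destination port 80
set firewall name WAN1_IN rule 101 action accept
set firewall name WAN1_IN rule 101 protocol tcp
set firewall name WAN1_IN rule 101 destination address 172.16.0.20
set firewall name WAN1_IN rule 101 destination port 443
set firewall name WAN1_IN rule 110 action accept
set firewall name WAN1_IN rule 110 protocol tcp
set firewall name WAN1_IN rule 110 destination address 172.16.0.21
set firewall name WAN1_IN rule 110 destination port 25
set firewall name WAN1_IN rule 111 action accept
set firewall name WAN1_IN rule 111 protocol tcp
set firewall name WAN1_IN rule 111 destination address 172.16.0.21
set firewall name WAN1_IN rule 111 destination port 587
# Firewall - WAN2_IN: mirror of WAN1_IN (without these accepts the eth1 DNAT rules are
# dead: the forwarded traffic would hit the default drop)
set firewall name WAN2_IN default-action drop
set firewall name WAN2_IN rule 10 action accept
set firewall name WAN2_IN rule 10 state established enable
set firewall name WAN2_IN rule 10 state related enable
set firewall name WAN2_IN rule 20 action drop
set firewall name WAN2_IN rule 20 state invalid enable
set firewall name WAN2_IN rule 100 action accept
set firewall name WAN2_IN rule 100 protocol tcp
set firewall name WAN2_IN rule 100 destination address 172.16.0.20
set firewall name WAN2_IN rule 100 destination port 80
set firewall name WAN2_IN rule 101 action accept
set firewall name WAN2_IN rule 101 protocol tcp
set firewall name WAN2_IN rule 101 destination address 172.16.0.20
set firewall name WAN2_IN rule 101 destination port 443
set firewall name WAN2_IN rule 110 action accept
set firewall name WAN2_IN rule 110 protocol tcp
set firewall name WAN2_IN rule 110 destination address 172.16.0.21
set firewall name WAN2_IN rule 110 destination port 25
set firewall name WAN2_IN rule 111 action accept
set firewall name WAN2_IN rule 111 protocol tcp
set firewall name WAN2_IN rule 111 destination address 172.16.0.21
set firewall name WAN2_IN rule 111 destination port 587
# Attach rulesets
set interfaces ethernet eth0 firewall local name WAN1_LOCAL
set interfaces ethernet eth0 firewall in name WAN1_IN
set interfaces ethernet eth1 firewall local name WAN2_LOCAL
set interfaces ethernet eth1 firewall in name WAN2_IN
# Conntrack tuning for high session counts
set system conntrack table-size 262144
set system conntrack timeout tcp established 432000
set system conntrack timeout tcp close 10
commit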
save
Шаблон 4: Service Provider Edge Router (Провайдер)
Описание
Граничный роутер для провайдера (ISP):
- BGP с upstream провайдерами
- BGP с клиентами
- PPPoE сервер для клиентов
- RADIUS authentication
- Traffic shaping per-client
- IPv6 dual-stack
Топология
Upstream Provider (AS 65000)
|
[eth0] 203.0.113.2/30
|
VyOS Router (AS 64600)
|
[eth1] PPPoE Server
|
10.0.0.0/8 (PPPoE pool)
|
DSL Clients
Основная конфигурация (упрощенная)
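configure
# NOTE: legacy (1.2/1.3) firewall syntax; all secrets below are placeholders.
# System settings
set system host-name isp-edge-router
set system time-zone Europe/Moscow
# Admin account (console-only password; SSH key-only). Bind SSH to your management
# address ("set service ssh listen-address ...") once the management interface is defined.
set system login user admin authentication plaintext-password '<console-password>'
set system login user admin level admin
set system login user admin authentication public-keys admin@workstation type ssh-ed25519
set system login user admin authentication public-keys admin@workstation key '<base64-public-key>'
set service ssh port 22
set service ssh disable-password-authentication
# NTP
set service ntp server ntp1.yandex.ru
set service ntp server ntp2.yandex.ru
# Upstream interface
set interfaces ethernet eth0 address 203.0.113.2/30
set interfaces ethernet eth0 description 'Upstream-Provider'
# PPPoE subscriber interface
set interfaces ethernet eth1 description 'PPPoE-Clients'
# PPPoE server with RADIUS authentication. RADIUS is only protected by the shared
# secret, so keep the server on an isolated management network that is never reachable
# from subscriber-facing interfaces.
set service pppoe-server interface eth1
set service pppoe-server authentication mode radius
set service pppoe-server authentication radius server 192.168.100.10 key '<radius-secret>'
set service pppoe-server gateway-address 10.0.0.1
set service pppoe-server client-ip-pool start 10.0.0.10
set service pppoe-server client-ip-pool stop 10.255.255.254
# The subscriber pool is RFC 1918 space: it must NEVER be announced upstream and needs
# source NAT (CGNAT) to public addresses — masquerade here uses the upstream link
# address; for production use a pool from your public prefix ("translation address
# <range>") or assign public addresses to subscribers directly.
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 10.0.0.0/8
set nat source rule 100 translation address masquerade
# Anti-spoofing (BCP 38): drop subscriber packets whose source address is not routed
# back through the session (strict uRPF). VyOS 1.4 syntax:
# "set firewall global-options source-validation strict".
set firewall source-validation strict
# BGP with the upstream
set protocols bgp 64600 parameters router-id 203.0.113.2
set protocols bgp 64600 neighbor 203.0.113.1 remote-as 65000
set protocols bgp 64600 neighbor 203.0.113.1 description 'Upstream-Provider'
set protocols bgp 64600 neighbor 203.0.113.1 address-family ipv4-unicast
# Session protection: TCP-MD5 key agreed with the upstream and GTSM (drop the
# ttl-security line if your release lacks it)
set protocols bgp 64600 neighbor 203.0.113.1 password '<tcp-md5-key>'
set protocols bgp 64600 neighbor 203.0.113.1 ttl-security hops 1
# No default-originate towards the upstream: it would advertise 0.0.0.0/0 TO the
# provider. The default route (or full table) is received FROM the upstream; filter what
# we accept (never our own prefix or RFC 1918) and export only our own prefix.
set policy prefix-list BGP-IN rule 5 action deny
set policy prefix-list BGP-IN rule 5 prefix 10.0.0.0/8
set policy prefix-list BGP-IN rule 5 le 32
set policy prefix-list BGP-IN rule 6 action deny
set policy prefix-list BGP-IN rule 6 prefix 198.51.100.0/24
set policy prefix-list BGP-IN rule 6 le 32
set policy prefix-list BGP-IN rule 10 action permit
set policy prefix-list BGP-IN rule 10 prefix 0.0.0.0/0
set policy prefix-list BGP-IN rule 10 le 24
set policy route-map BGP-IMPORT rule 10 action permit
set policy route-map BGP-IMPORT rule 10 match ip address prefix-list BGP-IN
set policy prefix-list BGP-OUT rule 10 action permit
set policy prefix-list BGP-OUT rule 10 prefix 198.51.100.0/24
set policy route-map BGP-EXPORT rule 10 action permit
set policy route-map BGP-EXPORT rule 10 match ip address prefix-list BGP-OUT
set protocols bgp 64600 neighbor 203.0.113.1 address-family ipv4-unicast route-map import BGP-IMPORT
set protocols bgp 64600 neighbor 203.0.113.1 address-family ipv4-unicast route-map export BGP-EXPORT
# Announce only our allocated public prefix (documentation example — replace with yours).
# "network" needs a matching RIB entry, hence the blackhole aggregate.
set protocols static route 198.51.100.0/24 blackhole
set protocols bgp 64600 address-family ipv4-unicast network 198.51.100.0/24
# Per-subscriber shaping example (attach via RADIUS rate-limit attributes or per interface)
set traffic-policy shaper CLIENT-100M bandwidth 100mbit
set traffic-policy shaper CLIENT-100M default bandwidth 100%
set traffic-policy shaper CLIENT-100M default queue-type fq-codel
# Firewall protecting the router on the upstream side: BGP only from the configured peer
set firewall name UPSTREAM_LOCAL default-action drop
set firewall name UPSTREAM_LOCAL rule 10 action accept
set firewall name UPSTREAM_LOCAL rule 10 state established enable
set firewall name UPSTREAM_LOCAL rule 10 state related enable
set firewall name UPSTREAM_LOCAL rule 20 action drop
set firewall name UPSTREAM_LOCAL rule 20 state invalid enable
set firewall name UPSTREAM_LOCAL rule 30 action accept
set firewall name UPSTREAM_LOCAL rule 30 protocol icmp
set firewall name UPSTREAM_LOCAL rule 40 action accept
set firewall name UPSTREAM_LOCAL rule 40 protocol tcp
set firewall name UPSTREAM_LOCAL rule 40 source address 203.0.113.1
set firewall name UPSTREAM_LOCAL rule 40 destination port 179
set interfaces ethernet eth0 firewall local name UPSTREAM_LOCAL
# The subscriber-facing side has no "local" ruleset in this simplified template: add
# one that denies management ports (SSH, RADIUS, BGP) from ppp interfaces before production.
commit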
save
Шаблон 5: Multi-WAN Load Balancing
Описание
Роутер с балансировкой нагрузки между несколькими WAN каналами:
- 2-3 WAN интерфейса
- Load balancing с весами
- Failover при отказе канала
- Policy-based routing для критичного трафика
Топология
WAN1 (100 Mbps) WAN2 (50 Mbps)
| |
[eth0] [eth1]
\ /
\ VyOS /
\ Router /
[eth2]
|
LAN Network
192.168.1.0/24
Полная конфигурация
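configure
# NOTE: legacy (1.2/1.3) firewall syntax; all secrets below are placeholders.
# System settings
set system host-name multi-wan-router
set system time-zone Europe/Moscow
# Admin account (console-only password; SSH key-only, LAN-bound — consistent with the
# other templates, which the original version of this one was not)
set system login user admin authentication plaintext-password '<console-password>'
set system login user admin level admin
set system login user admin authentication public-keys admin@workstation type ssh-ed25519
set system login user admin authentication public-keys admin@workstation key '<base64-public-key>'
set service ssh port 22
set service ssh disable-password-authentication
set service ssh listen-address 192.168.1.1
# NTP
set service ntp server 0.pool.ntp.org
# WAN1 (primary, 100 Mbps)
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'WAN1-Primary'
# WAN2 (backup, 50 Mbps)
set interfaces ethernet eth1 address dhcp
set interfaces ethernet eth1 description 'WAN2-Backup'
# LAN
set interfaces ethernet eth2 address 192.168.1.1/24
set interfaces ethernet eth2 description 'LAN'
# DHCP server for the LAN
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 name-server 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 start 192.168.1.100
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 stop 192.168.1.200
# DNS forwarding (allow-from: required on 1.3+, prevents an open resolver)
set service dns forwarding listen-address 192.168.1.1
set service dns forwarding allow-from 192.168.1.0/24
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
# WAN health checks: an interface is marked down after 3 failed pings and up after 1
# success; nexthop is taken from the DHCP lease
set load-balancing wan interface-health eth0 failure-count 3
set load-balancing wan interface-health eth0 success-count 1
set load-balancing wan interface-health eth0 nexthop dhcp
set load-balancing wan interface-health eth0 test 10 type ping
set load-balancing wan interface-health eth0 test 10 target 8.8.8.8
set load-balancing wan interface-health eth1 failure-count 3
set load-balancing wan interface-health eth1 success-count 1
set load-balancing wan interface-health eth1 nexthop dhcp
set load-balancing wan interface-health eth1 test 10 type ping
set load-balancing wan interface-health eth1 test 10 target 8.8.4.4
# Keep LAN-internal traffic (including traffic to the router's LAN address) out of the
# balancer; rule 5 is evaluated before the balancing rule
set load-balancing wan rule 5 inbound-interface eth2
set load-balancing wan rule 5 destination address 192.168.1.0/24
set load-balancing wan rule 5 exclude
# Balancing rule, weight 2:1 for WAN1:WAN2
set load-balancing wan rule 10 inbound-interface eth2
set load-balancing wan rule 10 source address 192.168.1.0/24
set load-balancing wan rule 10 interface eth0 weight 2
set load-balancing wan rule 10 interface eth1 weight 1
# Keep established sessions on the WAN they started on
set load-balancing wan sticky-connections inbound
# Source NAT on both WANs
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.1.0/24
set nat source rule 100 translation address masquerade
set nat source rule 101 outbound-interface eth1
set nat source rule 101 source address 192.168.1.0/24
set nat source rule 101 translation address masquerade
# Firewall for both WAN interfaces: default drop, return traffic only
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol icmp
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth1 firewall local name WAN_LOCAL
set interfaces ethernet eth1 firewall in name WAN_IN
commit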
save
Мониторинг Load Balancing
# WAN interface status as seen by the balancer
show load-balancing wan
# Health-check results per interface (which WAN is currently considered up)
show load-balancing wan interface-health
# Per-rule statistics
show load-balancing wan rule
Шаблон 6: High Availability (VRRP) Пара
Описание
Пара роутеров в HA конфигурации для критичных сервисов:
- VRRP для failover
- Синхронизация conntrack
- Identical конфигурация (кроме VRRP priority)
Топология
Internet
|
[eth0 WAN]
|
VyOS Router 1 (MASTER)
VRRP Priority: 200
|
VyOS Router 2 (BACKUP)
VRRP Priority: 100
|
[eth1 LAN]
|
192.168.1.0/24
(Virtual IP: 192.168.1.1)
Конфигурация Router 1 (MASTER)
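configure
# NOTE: legacy (1.2/1.3) firewall syntax; all secrets below are placeholders.
# System settings
set system host-name ha-router-1
set system time-zone Europe/Moscow
# Admin account (console-only password; SSH key-only, bound to this node's real LAN
# address so each node stays individually reachable)
set system login user admin authentication plaintext-password '<console-password>'
set system login user admin level admin
set system login user admin authentication public-keys admin@workstation type ssh-ed25519
set system login user admin authentication public-keys admin@workstation key '<base64-public-key>'
set service ssh port 22
set service ssh disable-password-authentication
set service ssh listen-address 192.168.1.2
# WAN interface (this node's real address)
set interfaces ethernet eth0 address 203.0.113.10/24
set interfaces ethernet eth0 description 'WAN'
# LAN interface (this node's real address)
set interfaces ethernet eth1 address 192.168.1.2/24
set interfaces ethernet eth1 description 'LAN'
# VRRP - LAN virtual address. "simple" authentication sends the password in clear in
# every VRRPv2 advertisement: it prevents accidental VRID clashes, not a hostile host on
# the segment. Keep VRRP segments isolated (dedicated VLANs, no untrusted hosts).
set high-availability vrrp group LAN vrid 10
set high-availability vrrp group LAN interface eth1
set high-availability vrrp group LAN virtual-address 192.168.1.1/24
set high-availability vrrp group LAN priority 200
set high-availability vrrp group LAN preempt true
set high-availability vrrp group LAN authentication type simple
set high-availability vrrp group LAN authentication password '<vrrp-password>'
# VRRP - WAN virtual address
set high-availability vrrp group WAN vrid 20
set high-availability vrrp group WAN interface eth0
set high-availability vrrp group WAN virtual-address 203.0.113.1/24
set high-availability vrrp group WAN priority 200
set high-availability vrrp group WAN preempt true
set high-availability vrrp group WAN authentication type simple
set high-availability vrrp group WAN authentication password '<vrrp-password>'
# Sync group: both virtual addresses fail over together (otherwise LAN could be MASTER
# on this node while WAN is MASTER on the other)
set high-availability vrrp sync-group SYNC member LAN
set high-availability vrrp sync-group SYNC member WAN
# Conntrack synchronisation. The VRRP sync-group alone does NOT replicate NAT/firewall
# state — without conntrack-sync every established session is dropped on failover.
# The sync traffic is unauthenticated multicast: use a dedicated link where possible.
set service conntrack-sync accept-protocol 'tcp,udp,icmp'
set service conntrack-sync failover-mechanism vrrp sync-group SYNC
set service conntrack-sync interface eth1
set service conntrack-sync mcast-group 225.0.0.50
# DHCP server (hands out the virtual address as gateway/DNS). Both nodes serving the
# same range independently produces duplicate leases: use "service dhcp-server failover"
# between the two nodes, or run DHCP on one node only.
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 name-server 192.168.1.1
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 start 192.168.1.100
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 stop 192.168.1.200
# DNS forwarding on the virtual address (allow-from: required on 1.3+, no open resolver).
# If the forwarder fails to start on the BACKUP node because the VIP is absent, bind it
# to the real address instead.
set service dns forwarding listen-address 192.168.1.1
set service dns forwarding allow-from 192.168.1.0/24
set service dns forwarding name-server 8.8.8.8
# Default route
set protocols static route 0.0.0.0/0 next-hop 203.0.113.254
# Source NAT to the WAN virtual address. "masquerade" would use the interface's real
# address (203.0.113.10 here, .11 on the peer), so synchronised sessions would break on
# failover; translating to the VIP keeps them valid on both nodes.
set nat source rule 100 outbound-interface eth0
set nat source rule 100 source address 192.168.1.0/24
set nat source rule 100 translation address 203.0.113.1
# Firewall - WAN_LOCAL: default drop
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol icmp
# VRRP advertisements only from the WAN segment (the peer's real address lives there);
# anything else claiming the VRID is dropped
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol vrrp
set firewall name WAN_LOCAL rule 40 source address 203.0.113.0/24
set interfaces ethernet eth0 firewall local name WAN_LOCAL
commit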
save
Конфигурация Router 2 (BACKUP)
# Identical to Router 1 except for the node-specific values below. Any other setting that
# is bound to a real (non-virtual) address of the node — e.g. an SSH listen-address —
# must be changed here as well.
set system host-name ha-router-2
# Real LAN address of this node
set interfaces ethernet eth1 address 192.168.1.3/24
# Real WAN address of this node
set interfaces ethernet eth0 address 203.0.113.11/24
# Lower VRRP priority: this node is BACKUP and yields to Router 1 when it returns (preempt)
set high-availability vrrp group LAN priority 100
set high-availability vrrp group WAN priority 100
# Всё остальное идентично Router 1 (включая пароль VRRP и секреты conntrack/VPN, если есть)
Проверка HA статуса
# VRRP state of each group (MASTER/BACKUP)
show vrrp
# Detailed VRRP information
show vrrp detail
# Conntrack replication state: shown by "show conntrack-sync status" and only meaningful
# when "service conntrack-sync" is configured — the VRRP sync-group alone does not replicate sessions
show conntrack-sync status
Тестирование и валидация шаблонов
Базовые тесты после применения шаблона
# 1. Review the running configuration (check that no placeholder secrets are left)
show configuration
# 2. Interfaces and addresses
show interfaces
show interfaces addresses
# 3. Routing table
show ip route
# 4. NAT counters
show nat source statistics
# 5. Firewall rulesets and hit counters — also confirm from the WAN side that nothing
#    unintended answers (e.g. SSH must not be reachable)
show firewall
# 6. Connectivity
ping 8.8.8.8
ping -c 3 google.com
# 7. DNS resolution through the forwarder
nslookup google.com
# 8. Services
show service dhcp-server statistics
show service ssh
Тест производительности
# Throughput with iperf3
# On the server side (LAN)
iperf3 -s
# On the client side (through the router)
iperf3 -c <server-ip> -t 60
# Latency
ping <target> -c 100
# Look at avg/stddev in the summary
# Router load during the test
show system cpu
show system memory
Лучшие практики при использовании шаблонов
- Всегда backup перед применением
save /config/config.boot.before-template
- Применять поэтапно в тестовом окружении
# Сначала протестировать на staging роутере
- Документировать изменения
# Создать README с описанием специфики вашего deployment
- Использовать commit-confirm для критичных изменений (особенно при работе по SSH: ошибка в firewall откатится автоматически)
commit-confirm 10
# Тестируем
confirm # Если всё OK
- Адаптировать под свои требования
# Изменить IP адреса
# Изменить названия интерфейсов
# Добавить специфичные правила
- Мониторить после применения
# Использовать monitor log
# Проверять метрики
# Тестировать все функции
- Хранить шаблоны в version control — без секретов
# Перед коммитом удалите или замените плейсхолдерами все секреты: plaintext-password,
# IPsec pre-shared-secret, RADIUS key, VRRP authentication password, BGP password.
# После commit VyOS хранит пароли пользователей в виде хэшей, но PSK и ключи
# RADIUS/BGP/VRRP остаются в config.boot в открытом виде.
git init
git add config-templates/
git commit -m "Added SOHO template"
Заключение
Эти шаблоны предоставляют solid foundation для типичных сценариев развертывания VyOS:
- SOHO Router: Простой роутер для малого офиса
- Branch Office: Филиал с VPN и VLANs
- Datacenter Edge: ЦОД с BGP dual-homing
- Service Provider: ISP edge с PPPoE
- Multi-WAN: Балансировка нагрузки
- High Availability: VRRP failover
Адаптируйте эти шаблоны под свои требования, тестируйте тщательно, и документируйте все изменения для будущего reference.