Skip to main content

VyOS Cheatsheet

Changing user password

configure
set system login user vyos authentication plaintext-password PasswordGoesHere
commit
save
exit

from: https://support.vyos.io/support/solutions/articles/103000096301-set-change-the-password-of-a-user

Changing hostname

configure
set system host-name fw01-matt
commit
save
exit

Set system DNS server

configure
set system name-server IPHERE
commit ; save ; exit

Setting interfaces

configure
set interfaces ethernet eth0 description SEC350-WAN
set interfaces ethernet eth0 address IPADDRESS/MASK
commit
save
exit

Upstream gateway

configure
set protocols static route 0.0.0.0/0 next-hop GATEWAYIPHERE
commit ; save ; exit

NAT & DNS Forwarding

configure
set nat source rule 10 description "NAT FROM DMZ to WAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.50.0/29
set nat source rule 10 translation address masquerade
commit ; save ; exit

DNS Forwarding from subnets

configure
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29
set service dns forwarding system
commit ; save ; exit

End steps done in lab 1.1 (sec350)

Remote syslog for VyOS

configure
set system syslog host 172.16.50.5 facility authpriv level info
commit ; save ; exit

Setting up zone policy

configure

set zone-policy zone <NAME> interface ethX
set zone-policy zone <NAME> from <NAME> firewall name <SOME_FIREWALL>
# repeat if you have more than one inbound for this zone

# then you need to create the actual firewall configs that go with each zone:
set firewall name <FROM_ZONE>-to-<TO_ZONE> default-action drop
set firewall name <FROM_ZONE>-to-<TO_ZONE> enable-default-log

# allow return traffic:
set firewall name <FROM_ZONE>-to-<TO_ZONE> rule 1 action accept
set firewall name <FROM_ZONE>-to-<TO_ZONE> rule 1 state established enable
set firewall name <FROM_ZONE>-to-<TO_ZONE> rule 1 state related enable

# allow other services
set firewall name set firewall name <FROM_ZONE>-to-<TO_ZONE> rule 10 action accept
set firewall name <FROM_ZONE>-to-<TO_ZONE> rule 10 description "some service forwarding"
set firewall name <FROM_ZONE>-to-<TO_ZONE> rule 10 destination address <IP_HERE>
set firewall name <FROM_ZONE>-to-<TO_ZONE> rule 10 destination port <N>
set firewall name <FROM_ZONE>-to-<TO_ZONE> rule 10 protocol <TCP/UDP>

# repeat above block with a different rule ID (e.g. 11, etc) for other services that need to pass a given firewall

commit ; save ; exit

If you need to debug a given firewall, easiest way is to temporarily:

configure
set firewall name <BROKEN_FIREWALL_NAME> default-action accept
commit;save;exit

To see if that firewall is indeed the problem.

RIP

configure

set protocols rip interface ethX # which interface to talk to other routers
set protocols rip network <NETID>/<MASK> # advertise this network (it's directly connected to this router)

commit ; save ; exit