The most basic VyOS configuration possible
Here is the bare minimum configuration necessary to make VyOS a functional, minimally-secure router.
Strictly speaking, only a few settings are necessary to use VyOS as a home router:
- Set interface IP addresses
- Block traffic coming from the internet
- NAT outgoing traffic
- Give out IPs by DHCP
For the sake of this tutorial, I'll assume the interface connected to the internet is eth0 and the interface connected to the home network is eth1.
Interface IPs
The LAN interface absolutely needs a static IP that will not change.
Enter configuration mode
conf
Set the interface IP address (the IP can be changed to something else if wanted)
set interfaces ethernet eth1 address 192.168.10.1/24
The configuration of the WAN interface will depend on your ISP. If you have a static address, you can use the same command as for the LAN interface, applied to eth0. If the address is dynamic (not PPPoE), you can use this command:
set interfaces ethernet eth0 address dhcp
After making changes, make sure to apply and save the changes.
commit
save
Blocking traffic
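These three commands block traffic trying to come into your network from the internet. Because the rule only matches connections in the new state, replies to connections started from inside your network are still allowed.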
set firewall ipv4 forward filter rule 1000 inbound-interface name eth0
set firewall ipv4 forward filter rule 1000 action drop
set firewall ipv4 forward filter rule 1000 state new
These three commands block traffic from the internet that is destined to the router itself.
set firewall ipv4 input filter rule 1000 inbound-interface name eth0
set firewall ipv4 input filter rule 1000 action drop
set firewall ipv4 input filter rule 1000 state new
After making changes, make sure to apply and save the changes.
commit
save
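A quick way to confirm that both chains really carry the WAN drop rule, as an added example that is not part of the original tutorial: the function name missing_wan_drops and the sample configuration are constructed for illustration, and the input is assumed to be the "set" command form printed by show configuration commands.

```shell
#!/bin/sh
# Added example: audit VyOS "set" commands for the two WAN drop rules
# configured in this section (forward chain and input chain).

# missing_wan_drops WAN_IFACE   (reads set-commands on stdin)
# Prints each chain that has no single rule combining
# inbound-interface <WAN_IFACE>, action drop and state new.
missing_wan_drops() {
    awk -v wan="$1" -v q="'" '
        function unq(s) { gsub(q, "", s); return s }   # strip quoting
        $1 == "set" && $2 == "firewall" && $3 == "ipv4" &&
        $5 == "filter" && $6 == "rule" {
            key = $4 SUBSEP $7                         # chain + rule number
            if ($8 == "inbound-interface" && $9 == "name" && unq($10) == wan)
                ifc[key] = 1
            if ($8 == "action" && unq($9) == "drop") drop[key] = 1
            if ($8 == "state" && unq($9) == "new") st[key] = 1
        }
        END {
            # A chain passes only if one rule has all three properties.
            for (k in ifc) if (drop[k] && st[k]) { split(k, p, SUBSEP); ok[p[1]] = 1 }
            if (!ok["forward"]) print "forward"
            if (!ok["input"]) print "input"
        }'
}

# Constructed sample: the forward chain is protected, but the input rule
# was bound to eth1 by mistake, so the router itself is still reachable
# from eth0.
sample_forward_only() {
    cat <<'EOF'
set firewall ipv4 forward filter rule 1000 action 'drop'
set firewall ipv4 forward filter rule 1000 inbound-interface name 'eth0'
set firewall ipv4 forward filter rule 1000 state 'new'
set firewall ipv4 input filter rule 1000 action 'drop'
set firewall ipv4 input filter rule 1000 inbound-interface name 'eth1'
set firewall ipv4 input filter rule 1000 state 'new'
EOF
}

sample_forward_only | missing_wan_drops eth0    # prints: input
```

Empty output means both chains have a complete rule for the interface you named.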
NAT-ing traffic
The following two commands make traffic leaving your router towards the internet use the router's internet address as its source address.
set nat source rule 1000 outbound-interface name eth0
set nat source rule 1000 translation address masquerade
After making changes, make sure to apply and save the changes.
commit
save
DHCP Server
The following commands will configure your router to give out IP addresses to your clients in the range 192.168.10.100 to 192.168.10.200. If you chose a different subnet when addressing your LAN interface earlier, it is important that the IP values here reflect the same subnet.
set service dhcp-server listen-interface eth1
set service dhcp-server shared-network-name home authoritative
set service dhcp-server shared-network-name home subnet 192.168.10.0/24 subnet-id 10
set service dhcp-server shared-network-name home subnet 192.168.10.0/24 range 100-200 start 192.168.10.100
set service dhcp-server shared-network-name home subnet 192.168.10.0/24 range 100-200 stop 192.168.10.200
set service dhcp-server shared-network-name home subnet 192.168.10.0/24 range 100-200 option default-router 192.168.10.1
set service dhcp-server shared-network-name home subnet 192.168.10.0/24 range 100-200 option name-server 8.8.8.8
After making changes, make sure to apply and save the changes.
commit
save
You are now ready to start using your router.
Notes
If your ISP requires PPPoE, you can refer to this documentation: https://docs.vyos.io/en/latest/configuration/interfaces/pppoe.html