文章说明:简单介绍vyos软路由上网功能配置。
一、vyos安装
二、上网配置
2.1、DHCP上网
configure #进入配置模式
set interfaces ethernet eth0 address dhcp #配置eth0口dhcp自动获取IP地址
commit #应用配置
save #保存配置
2.2、静态IP上网
configure #进入配置模式
set interfaces ethernet eth0 address 192.168.1.2/24 #配置eth0口静态IP上网
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1 #配置默认路由
commit #应用配置
save #保存配置
2.3、PPPOE拨号上网
configure #进入配置模式
set interfaces pppoe pppoe1 authentication user 'your-user' #配置拨号用户
set interfaces pppoe pppoe1 authentication password 'your-password' #配置拨号密码
set interfaces pppoe pppoe1 default-route 'none' #不配置默认路由
set interfaces pppoe pppoe1 mtu '1500' #配置最大传输单元(注意:PPPoE 封装占 8 字节,在以太网口上拨号时通常应设为 1492,与 2.4 节的 mtu '1492' 保持一致)
set interfaces pppoe pppoe1 source-interface 'eth0' #绑定拨号接口
set firewall options interface pppoe1 adjust-mss 1200 #配置最大报文段大小
set protocols static interface-route 0.0.0.0/0 next-hop-interface pppoe1 #配置默认路由走pppoe1接口;需与上面的 default-route 'none' 配合使用:要么两条都配置,要么两条都不配置(此时由拨号自动下发默认路由)
commit #应用配置
save #保存配置
2.4、PPPOE拨号IPv6(含区域防火墙、桥接、NAT、DHCP、RA 的完整示例)
set firewall global-options all-ping 'enable'
set firewall ipv4 name LAN-LOCAL default-action 'accept'
set firewall ipv4 name LAN-WAN default-action 'accept'
set firewall ipv4 name LOCAL-LAN default-action 'accept'
set firewall ipv4 name LOCAL-WAN default-action 'accept'
set firewall ipv4 name WAN-LAN default-action 'drop'
set firewall ipv4 name WAN-LAN rule 1 action 'accept'
set firewall ipv4 name WAN-LAN rule 1 state 'established'
set firewall ipv4 name WAN-LAN rule 1 state 'related'
set firewall ipv4 name WAN-LAN rule 10 action 'accept'
set firewall ipv4 name WAN-LAN rule 10 destination address '10.10.0.0/24'
set firewall ipv4 name WAN-LAN rule 10 log
set firewall ipv4 name WAN-LAN rule 10 protocol 'tcp_udp' #注意:rule 10 放行了 WAN 到整个内网网段 10.10.0.0/24 的所有 TCP/UDP,使上面的默认 drop 对 TCP/UDP 失效;应只放行确需对外发布的目标地址和端口,否则应删除此规则
set firewall ipv4 name WAN-LOCAL default-action 'drop'
set firewall ipv4 name WAN-LOCAL rule 1 action 'accept'
set firewall ipv4 name WAN-LOCAL rule 1 state 'established'
set firewall ipv4 name WAN-LOCAL rule 1 state 'related'
set firewall ipv4 name WAN-LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN-LOCAL rule 10 protocol 'icmp'
set firewall ipv6 name LAN-LOCAL-6 default-action 'accept'
set firewall ipv6 name LAN-WAN-6 default-action 'accept'
set firewall ipv6 name LOCAL-LAN-6 default-action 'accept'
set firewall ipv6 name LOCAL-WAN-6 default-action 'accept'
set firewall ipv6 name WAN-LAN-6 default-action 'drop'
set firewall ipv6 name WAN-LAN-6 rule 1 action 'accept'
set firewall ipv6 name WAN-LAN-6 rule 1 state 'established'
set firewall ipv6 name WAN-LAN-6 rule 1 state 'related'
set firewall ipv6 name WAN-LOCAL-6 default-action 'drop'
set firewall ipv6 name WAN-LOCAL-6 rule 1 action 'accept'
set firewall ipv6 name WAN-LOCAL-6 rule 1 state 'related'
set firewall ipv6 name WAN-LOCAL-6 rule 1 state 'established'
set firewall ipv6 name WAN-LOCAL-6 rule 10 action 'accept'
set firewall ipv6 name WAN-LOCAL-6 rule 10 protocol 'ipv6-icmp'
set firewall ipv6 name WAN-LOCAL-6 rule 20 action 'accept'
set firewall ipv6 name WAN-LOCAL-6 rule 20 destination port '546'
set firewall ipv6 name WAN-LOCAL-6 rule 20 protocol 'udp'
set firewall ipv6 name WAN-LOCAL-6 rule 20 source port '547'
set firewall zone LAN from LOCAL firewall ipv6-name 'LOCAL-LAN-6'
set firewall zone LAN from LOCAL firewall name 'LOCAL-LAN'
set firewall zone LAN from WAN firewall ipv6-name 'WAN-LAN-6'
set firewall zone LAN from WAN firewall name 'WAN-LAN'
set firewall zone LAN member interface 'br0'
set firewall zone LOCAL from LAN firewall ipv6-name 'LAN-LOCAL-6'
set firewall zone LOCAL from LAN firewall name 'LAN-LOCAL'
set firewall zone LOCAL from WAN firewall ipv6-name 'WAN-LOCAL-6'
set firewall zone LOCAL from WAN firewall name 'WAN-LOCAL'
set firewall zone LOCAL local-zone
set firewall zone WAN from LAN firewall ipv6-name 'LAN-WAN-6'
set firewall zone WAN from LAN firewall name 'LAN-WAN'
set firewall zone WAN from LOCAL firewall ipv6-name 'LOCAL-WAN-6'
set firewall zone WAN from LOCAL firewall name 'LOCAL-WAN'
set firewall zone WAN member interface 'pppoe0'
set interfaces bridge br0 address '10.10.0.1/24'
set interfaces bridge br0 description 'LAN bridge'
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface eth2
set interfaces pppoe pppoe0 authentication password 'xxxxx'
set interfaces pppoe pppoe0 authentication username 'xxxxx'
set interfaces pppoe pppoe0 description 'China Unicom'
set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface br0 address '1'
set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface br0 sla-id '0'
set interfaces pppoe pppoe0 dhcpv6-options pd 0 length '56'
set interfaces pppoe pppoe0 ip adjust-mss 'clamp-mss-to-pmtu'
set interfaces pppoe pppoe0 ipv6 address autoconf
set interfaces pppoe pppoe0 ipv6 adjust-mss 'clamp-mss-to-pmtu'
set interfaces pppoe pppoe0 mtu '1492'
set interfaces pppoe pppoe0 source-interface 'eth0'
set nat source rule 100 outbound-interface name 'pppoe0'
set nat source rule 100 source address '10.10.0.0/24'
set nat source rule 100 translation address 'masquerade'
set service dhcp-server dynamic-dns-update
set service dhcp-server hostfile-update
set service dhcp-server listen-interface 'br0'
set service dhcp-server shared-network-name br0 authoritative
set service dhcp-server shared-network-name br0 option ntp-server '10.10.0.1'
set service dhcp-server shared-network-name br0 option time-zone 'Asia/Shanghai'
set service dhcp-server shared-network-name br0 subnet 10.10.0.0/24 lease '86400'
set service dhcp-server shared-network-name br0 subnet 10.10.0.0/24 option default-router '10.10.0.1'
set service dhcp-server shared-network-name br0 subnet 10.10.0.0/24 option name-server '116.116.116.116'
set service dhcp-server shared-network-name br0 subnet 10.10.0.0/24 option name-server '223.5.5.5'
set service dhcp-server shared-network-name br0 subnet 10.10.0.0/24 range 100 start '10.10.0.100'
set service dhcp-server shared-network-name br0 subnet 10.10.0.0/24 range 100 stop '10.10.0.200'
set service dhcp-server shared-network-name br0 subnet 10.10.0.0/24 subnet-id '1'
set service router-advert interface br0 link-mtu '1490'
set service router-advert interface br0 prefix ::/64 valid-lifetime '172800'
set service router-advert interface pppoe0
三、DNS配置
3.1、系统DNS
set service dns forwarding allow-from '0.0.0.0/0' #允许任意源地址查询;建议只放行内网网段(如 10.10.0.0/24),否则在 WAN 侧没有防火墙拦截时会成为开放解析器
set service dns forwarding cache-size '10000'
set service dns forwarding dnssec 'off'
set service dns forwarding listen-address '0.0.0.0' #监听所有地址(包括 WAN 口地址);建议只填写内网接口地址(如 10.10.0.1)
set service dns forwarding name-server 114.114.114.114
set service dns forwarding name-server 223.5.5.5
set service dns forwarding no-serve-rfc1918
set service dns forwarding system
3.2、DHCP获取DNS
configure #进入配置
set system name-server eth0 #使用eth0口通过DHCP获取到的DNS
commit #应用配置
save #保存配置
3.3、自定义DNS
configure #进入配置
set system name-server 223.5.5.5 #设置阿里DNS
set system name-server 114.114.114.114 #设置114DNS
commit #应用配置
save #保存配置
四、NAT配置
4.1、SNAT配置
configure #进入配置
set nat source rule 100 outbound-interface name eth0 #设置eth0口出向nat
set nat source rule 100 source address 192.168.2.0/24 #设置内网源网段
set nat source rule 100 translation address masquerade #nat成出接口IP上网
commit #应用配置
save #保存配置
4.2、DNAT配置
configure #进入配置
set nat destination rule 100 inbound-interface name eth0 #入接口eth0口
set nat destination rule 100 destination address 192.168.1.2 #从eth0入站访问192.168.1.2
set nat destination rule 100 destination port 80 #从eth0入站访问192.168.1.2的80端口
set nat destination rule 100 protocol tcp #从eth0入站访问192.168.1.2的tcp80端口
set nat destination rule 100 translation address 192.168.2.2 #映射给内网192.168.2.2
set nat destination rule 100 translation port 8080 #映射给内网192.168.2.2的8080端口(该映射会把此服务暴露给eth0所在网络的所有主机;若启用了区域防火墙,还需在 WAN→LAN 策略中放行该目标地址和端口)
commit #应用配置
save #保存配置
五、DHCPServer配置
configure #进入配置
set service dhcp-server shared-network-name eth1 authoritative #将该共享网络的DHCP服务器设为权威(authoritative):对不属于本服务器的租约请求直接回复NAK,避免客户端保留旧地址造成冲突和混乱
set service dhcp-server shared-network-name eth1 subnet 192.168.2.0/24 option default-router 192.168.2.1 #配置终端获取的网关IP,默认为eth1的接口IP地址
set service dhcp-server shared-network-name eth1 subnet 192.168.2.0/24 lease 86400 #设置dhcp过期时间86400秒
set service dhcp-server shared-network-name eth1 subnet 192.168.2.0/24 option name-server 223.5.5.5 #下发DNS 223.5.5.5
set service dhcp-server shared-network-name eth1 subnet 192.168.2.0/24 option name-server 114.114.114.114 #下发DNS 114.114.114.114
set service dhcp-server shared-network-name eth1 subnet 192.168.2.0/24 range 0 start 192.168.2.2 #设置dhcp下发范围0,开始192.168.2.2
set service dhcp-server shared-network-name eth1 subnet 192.168.2.0/24 range 0 stop 192.168.2.10 #设置dhcp下发范围0,结束192.168.2.10
commit #应用配置
save #保存配置
六、路由配置
6.1、静态路由
configure #进入配置
set protocols static route 10.0.0.0/24 next-hop 192.168.1.1 #去10.0.0.0/24下一跳192.168.1.1
commit #应用配置
save #保存配置
6.2、静态优先级
configure #进入配置
set protocols static route 10.0.0.0/24 next-hop 192.168.1.254 distance 2 #静态路由的默认 distance 为 1;设置为 2 后,该路由优先级低于未设置 distance(即 distance 为 1)的同目的静态路由,只有在后者失效时才会生效,可作为备份路由
commit #应用配置
save #保存配置
6.3、策略路由
configure #进入配置
set policy route lan-map interface eth0 #在eth0口调用lan-map策略路由(策略路由在接口入方向生效,应绑定在源地址 192.168.2.2 的流量进入的接口上;按本文第五节的规划,内网在 eth1,绑定到 eth0 将不会匹配到该流量)
set policy route lan-map rule 10 source address 192.168.2.2 #配置名称lan-map匹配源地址192.168.2.2
set policy route lan-map rule 10 set table 10 #配置名称lan-map打上table10的标签
set protocols static table 10 route 10.0.0.0/24 next-hop 192.168.1.100 #匹配table10标签的源地址192.168.2.2去10.0.0.0/24下一跳192.168.1.100
commit #应用配置
save #保存配置
七、配置SSH登录
configure #进入配置
set service ssh port 22 #配置ssh端口号为22(建议同时配置公钥登录并执行 set service ssh disable-password-authentication 关闭口令认证,且在 WAN→LOCAL 防火墙中不放行该端口)
set service ssh acl permit '10.0.0.0/8' #仅允许 10.0.0.0/8 私网网段登录
set service ssh acl permit '172.16.0.0/12' #仅允许 172.16.0.0/12 私网网段登录
set service ssh acl permit '192.168.0.0/16' #仅允许 192.168.0.0/16 私网网段登录
commit #应用配置
save #保存配置