(Work in progress) Router redundancy with VyOS on Sakura Cloud

Posted at 2020-12-08

While using Sakura Cloud, I was seized by a sense of duty that the VPC router we use for VPN connections and the like had to be made redundant...

But the company balks at anything that costs money, so let's try building it with VyOS :poop::poop::poop:


Mental image of the finished design (image)


Creating the resources in Sakura Cloud

Create a switch in Sakura Cloud.

Create two servers in Sakura Cloud.
Add a NIC to each and connect it to the switch created above.

Download the VyOS ISO and install it.
(If I remember correctly, VyOS used to be in the official archive, but it has disappeared...)
VyOS 1.3

Initial user: vyos
Password: vyos

Install with

```
install image
```

Basically you just answer the prompts and you're done.

For a VPS, see:
http://komo-jp.hatenablog.com/entry/2018/07/02/224950

Reboot:

```
reboot
```

VyOS configuration

`configure` enters configuration mode.
After making changes, run `commit`,
then `save`.
`exit` leaves configuration mode.

```
configure
```

First, configure eth0. Replace グローバルIP with the server's public address in CIDR notation and ゲートウェイ with its gateway; name server 1 is 133.242.0.3 and name server 2 is 133.242.0.4.

```
set interfaces ethernet eth0 address グローバルIP
set interfaces ethernet eth0 description 'OUT eth0'
set protocols static route 0.0.0.0/0 next-hop ゲートウェイ
# name server 1
set system name-server 133.242.0.3
# name server 2
set system name-server 133.242.0.4
```

Set a password (ユーザ名 is the user name, パスワード the password):

```
set system login user ユーザ名 authentication plaintext-password パスワード
```

And since I want to connect over SSH for now:

```
set service ssh port '8929'
```

```
commit
save
exit
```

Host name

```
# --- vyos01
set system host-name vyos01
# --- vyos02
set system host-name vyos02
```

Time zone

```
set system time-zone Asia/Tokyo
```

Network interfaces

```
# --- vyos01
set interfaces ethernet eth1 address 192.168.20.2/24
# --- vyos02
set interfaces ethernet eth1 address 192.168.20.3/24

# both nodes
set interfaces ethernet eth1 description 'IN eth1'
```
SSH port change

```
set service ssh port '8929'
```

Firewall

```
# traffic forwarded through eth0: only return traffic of existing sessions
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'

# traffic addressed to the router itself
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'

set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'

set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '8929'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'

set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
```
NAT

```
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.20.0/24'
set nat source rule 100 translation address masquerade
```
DHCP

```
# --- vyos01
set service dhcp-server shared-network-name dhcp01 authoritative
set service dhcp-server shared-network-name dhcp01 subnet 192.168.20.0/24 default-router 192.168.20.2
set service dhcp-server shared-network-name dhcp01 subnet 192.168.20.0/24 dns-server 192.168.20.2
set service dhcp-server shared-network-name dhcp01 subnet 192.168.20.0/24 range 0 start 192.168.20.4
set service dhcp-server shared-network-name dhcp01 subnet 192.168.20.0/24 range 0 stop 192.168.20.9
# --- vyos02
set service dhcp-server shared-network-name dhcp01 authoritative
set service dhcp-server shared-network-name dhcp01 subnet 192.168.20.0/24 default-router 192.168.20.3
set service dhcp-server shared-network-name dhcp01 subnet 192.168.20.0/24 dns-server 192.168.20.3
set service dhcp-server shared-network-name dhcp01 subnet 192.168.20.0/24 range 0 start 192.168.20.4
set service dhcp-server shared-network-name dhcp01 subnet 192.168.20.0/24 range 0 stop 192.168.20.9
```

Static MAC-to-IP mapping (sample):

```
set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 static-mapping static-mapping-01 ip-address 172.16.17.10
set service dhcp-server shared-network-name dhcpexample subnet 172.16.17.0/24 static-mapping static-mapping-01 mac-address ff:ff:ff:ff:ff:ff
```
VRRP

router1 192.168.20.2
router2 192.168.20.3
virtual IP 192.168.20.1

```
# --- vyos01
set high-availability vrrp group nbs vrid 10
set high-availability vrrp group nbs interface eth1
set high-availability vrrp group nbs virtual-address 192.168.20.1/24
set high-availability vrrp group nbs hello-source-address '192.168.20.2'
set high-availability vrrp group nbs peer-address '192.168.20.3'
set high-availability vrrp group nbs priority '200'

# --- vyos02
set high-availability vrrp group nbs vrid 10
set high-availability vrrp group nbs interface eth1
set high-availability vrrp group nbs virtual-address 192.168.20.1/24
set high-availability vrrp group nbs hello-source-address '192.168.20.3'
set high-availability vrrp group nbs peer-address '192.168.20.2'
set high-availability vrrp group nbs priority '200'
```
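As an added example (not part of the article), a small Python linter that parses both nodes' `set` lines and checks what has to line up for VRRP failover to actually work; the group name `nbs`, the addresses and the `default-router` key are taken from the configuration above, and the sample input is constructed from it. Run against the article's values as written, it flags two points worth revisiting: both nodes carry priority 200, so the master is picked by highest IP rather than by design, and each DHCP server hands out its own address rather than the VIP 192.168.20.1 as default-router, so clients served by a failed node would lose their gateway.

```python
"""Consistency linter for a two-node VyOS VRRP pair (added example, not from the article).
Checks: same vrid and VIP on both nodes, mirrored hello-source/peer addresses, distinct
priorities, and DHCP handing clients the VIP (not one node's own address) as default-router."""
from typing import Dict, List

def parse_set_lines(text: str) -> Dict[str, str]:
    """Map ``set a b c 'v'`` to {"a b c": "v"}; blank and comment lines are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0] != "set":
            continue
        conf[" ".join(parts[1:-1])] = parts[-1].strip("'")
    return conf

def check_vrrp_pair(a: Dict[str, str], b: Dict[str, str], group: str) -> List[str]:
    """Return findings for VRRP group `group`; an empty list means the pair is consistent."""
    p = f"high-availability vrrp group {group} "
    findings: List[str] = []
    for leaf in ("vrid", "virtual-address"):
        if a.get(p + leaf) != b.get(p + leaf):
            findings.append(f"{leaf} differs between the two nodes")
    if (a.get(p + "peer-address") != b.get(p + "hello-source-address")
            or b.get(p + "peer-address") != a.get(p + "hello-source-address")):
        findings.append("peer-address and hello-source-address are not mirrored")
    if a.get(p + "priority") == b.get(p + "priority"):
        findings.append("equal priorities: master chosen by highest IP, not by design")
    vip = a.get(p + "virtual-address", "").split("/")[0]
    for node, conf in (("node A", a), ("node B", b)):
        for key, val in conf.items():
            if key.endswith("default-router") and val != vip:
                findings.append(f"{node}: DHCP default-router {val} is not the VIP {vip}")
    return findings

def node_conf(own: str, peer: str) -> str:
    """Constructed sample reproducing the article's two nodes (own/peer addresses swapped)."""
    return f"""
set high-availability vrrp group nbs vrid 10
set high-availability vrrp group nbs virtual-address 192.168.20.1/24
set high-availability vrrp group nbs hello-source-address '{own}'
set high-availability vrrp group nbs peer-address '{peer}'
set high-availability vrrp group nbs priority '200'
set service dhcp-server shared-network-name dhcp01 subnet 192.168.20.0/24 default-router {own}
"""

if __name__ == "__main__":
    vyos01 = parse_set_lines(node_conf("192.168.20.2", "192.168.20.3"))
    vyos02 = parse_set_lines(node_conf("192.168.20.3", "192.168.20.2"))
    for finding in check_vrrp_pair(vyos01, vyos02, "nbs"):
        print("WARN:", finding)
```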