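# VyOS configuration cheat sheet (set/delete/show commands and a few
# interactive `edit`/`up`/`top`/`commit` sequences).
#
# The sections below are independent snippets that were collected over time;
# several of them re-use eth0 with different addresses, and the "disable IPv6"
# line contradicts the IPv6 section further down.  Apply one section at a time
# and adjust addresses before use.  Values such as '111', 'xx' and 'ethX' are
# placeholders left by the author, not working settings.

# Hostname
set system host-name 'vrouter-xx'

# SSH service
# The second listen-address is a WAN-side address (compare the eth0 vif 3
# addresses below).  No firewall ruleset in this file restricts who may reach
# it, so SSH is reachable from the Internet on port 50022; restrict it with a
# firewall ruleset or drop the WAN listen-address.
# NOTE(review): '11.213.12.250' does not match any address configured on an
# interface in this file (vif 3 uses 111.213.12.250/29) — probably a typo.
set service ssh listen-address '192.168.20.1'
set service ssh listen-address '11.213.12.250'
set service ssh port '50022'

# Static routes
# NOTE(review): the default next-hop 69.213.12.249 is not inside the WAN /29
# configured on eth0 vif 3 (111.213.12.250/29); likely a redaction artefact —
# confirm against the real WAN subnet.
set protocols static route 0.0.0.0/0 next-hop '69.213.12.249'
set protocols static route 10.0.0.0/8 next-hop '192.168.20.2'
set protocols static route 172.16.0.0/16 next-hop '192.168.20.2'

# DNS forwarding (listens only on the inside VLAN interface eth0.2)
set service dns forwarding cache-size '150'
set service dns forwarding listen-on 'eth0.2'
set service dns forwarding name-server '223.5.5.5'
set service dns forwarding name-server '223.6.6.6'
set service dns forwarding 'system'

# Local resolver for the router itself
set system name-server '223.5.5.5'
set system name-server '223.6.6.6'

# Local users
# '111' is a placeholder, not a password hash.  Set only plaintext-password
# (VyOS hashes it into encrypted-password on commit) and never commit these
# lines as shown.  Both accounts get level 'admin' (full privileges); keep the
# number of admin-level accounts to the minimum needed.
set system login user root authentication encrypted-password '111'
set system login user root authentication plaintext-password ''
set system login user root level 'admin'
set system login user vyos authentication encrypted-password '111'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'

# NTP servers
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'

# Interface, variant A: untagged (no VLAN)
# Variants A and B are alternatives for the same eth0; apply one of them.
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:9a:b3:a6'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth0 address '192.168.20.1/29'
set interfaces ethernet eth0 description 'connect to sw-core'

# Interface, variant B: 802.1Q tagged sub-interfaces (vif)
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:9a:b3:a6'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth0 vif 2 address '192.168.20.1/29'
set interfaces ethernet eth0 vif 2 description 'connect to sw-core'
set interfaces ethernet eth0 vif 3 address '111.213.12.250/29'
set interfaces ethernet eth0 vif 3 address '111.213.12.251/29'
set interfaces ethernet eth0 vif 3 description 'connect to wan'
set interfaces ethernet eth0 vif '10'
set interfaces ethernet eth0 vif 20 address '172.16.20.250/24'

# NAT: destination NAT (port forward)
# This publishes TCP/80 of 192.168.0.100 on every address of eth0; pair it with
# a firewall rule that limits what else can reach the translated host.
set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.0.100'

# NAT: hairpin NAT / NAT reflection (inside clients reaching an inside
# server through its public address)
set nat destination rule 110 description 'NAT Reflection: INSIDE'
set nat destination rule 110 destination port '3389'
set nat destination rule 110 inbound-interface 'eth0.10'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address '192.0.2.40'
set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address '192.0.2.0/24'
set nat source rule 110 outbound-interface 'eth0.10'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/24'
set nat source rule 110 translation address 'masquerade'

# NAT: 1-to-1 NAT
# Standalone example: it re-addresses eth0 (192.168.1.1/24) and uses eth1 as
# the outside interface, which conflicts with the addressing above.
set interfaces ethernet eth0 address '192.168.1.1/24'
set interfaces ethernet eth0 description 'Inside interface'
set interfaces ethernet eth1 address '192.0.2.30/24'
set interfaces ethernet eth1 description 'Outside interface'
set nat destination rule 2000 description '1-to-1 NAT example'
set nat destination rule 2000 destination address '192.0.2.30'
set nat destination rule 2000 inbound-interface 'eth1'
set nat destination rule 2000 translation address '192.168.1.10'
set nat source rule 2000 description '1-to-1 NAT example'
set nat source rule 2000 outbound-interface 'eth1'
set nat source rule 2000 source address '192.168.1.10'
set nat source rule 2000 translation address '192.0.2.30'

# NAT: source NAT (masquerade)
# source address 0.0.0.0/0 masquerades anything leaving these interfaces;
# prefer listing the internal prefixes that are actually allowed out.
set nat source rule 100 outbound-interface 'eth0.3'
set nat source rule 100 source address '0.0.0.0/0'
set nat source rule 100 translation address 'masquerade'
set nat source rule 101 outbound-interface 'eth0.20'
set nat source rule 101 source address '0.0.0.0/0'
set nat source rule 101 translation address 'masquerade'

# Disable IPv6 (do not combine with the IPv6 section below)
set system ipv6 'disable'

# Policy-based routing (PBR)
## Interesting traffic: entered in configure mode with edit/up
edit policy route LAN-1 rule 10
set destination address 0.0.0.0/0
set source address 10.5.0.0/24
set set table 1
up
edit rule 20
set destination address 0.0.0.0/0
set source address 10.5.1.0/24
set set table 2
up
edit rule 30
set destination address 0.0.0.0/0
set source address 0.0.0.0/0
set set table main
commit
## Routing tables, i.e. the next-hop per table
set protocols static table 1 route 0.0.0.0/0 next-hop 198.51.100.1
set protocols static table 2 route 0.0.0.0/0 next-hop 203.0.113.1
## Interface on which the interesting traffic is matched
set interfaces ethernet eth1 vif 101 policy route LAN-1
commit

# Proxy ARP ('ethX' is a placeholder)
set interfaces ethernet ethX vif 1 ip enable-proxy-arp

# Show routing table
show ip route

# Show interface summary
show interface brief

# DHCP server
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 start '192.168.1.100' stop '192.168.1.200'

# IPv6
# Interface IPv6 address
set interfaces ethernet eth0 address '2001:db8::1/64'
# IPv6 default route
set protocols static route6 ::/0 next-hop '2001:db8::2'
# IPv6 router advertisement (if needed)
set interfaces ethernet eth0 ipv6 router-advert prefix '2001:db8::/64' send-advert true
# IPv6 firewall ruleset
# Defining the ruleset alone does nothing: nothing in this file attaches
# OUTSIDE-IN to an interface, so it must still be bound to the WAN interface
# (inbound direction) to take effect.
set firewall ipv6-name OUTSIDE-IN default-action 'drop'
set firewall ipv6-name OUTSIDE-IN rule 10 action 'accept'
set firewall ipv6-name OUTSIDE-IN rule 10 state established 'enable'
set firewall ipv6-name OUTSIDE-IN rule 10 state related 'enable'
set firewall ipv6-name OUTSIDE-IN rule 20 action 'accept'
set firewall ipv6-name OUTSIDE-IN rule 20 destination port '80'
# DHCPv6 server (if needed)
set service dhcpv6-server shared-network-name LAN subnet 2001:db8::/64 start '2001:db8::100' stop '2001:db8::200'

# L2TP/IPsec remote-access VPN
# All usernames, passwords and the pre-shared secret are the placeholder '111'
# here; the PSK is shared by every client, so use a long random value and
# rotate it when a client is retired.  outside-address '111' is also a
# placeholder for the public address.
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username 111 password '111'
set vpn l2tp remote-access authentication local-users username 112 password '111'
set vpn l2tp remote-access authentication local-users username 113 password '111'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '192.168.12.100'
set vpn l2tp remote-access client-ip-pool stop '192.168.12.200'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret '111'
set vpn l2tp remote-access outside-address '111'
set vpn l2tp remote-access dns-servers server-1 '223.5.5.5'

# PPTP remote-access VPN
# PPTP is an obsolete protocol with well-known authentication and encryption
# weaknesses; keep it only for legacy clients and prefer the IPsec-based
# options in this file.  The delete block afterwards tears the service down.
set vpn pptp remote-access authentication local-users username 111 password '111@123'
set vpn pptp remote-access authentication local-users username 112 password '111@123'
set vpn pptp remote-access authentication local-users username 113 password '111@123'
set vpn pptp remote-access authentication mode 'local'
set vpn pptp remote-access client-ip-pool start '192.168.14.1'
set vpn pptp remote-access client-ip-pool stop '192.168.14.200'
set vpn pptp remote-access dns-servers server-1 '223.5.5.5'
set vpn pptp remote-access mtu '1360'
set vpn pptp remote-access outside-address '111'
# Teardown of the PPTP section above.
# NOTE(review): user 113 is not deleted here, so its credentials stay in the
# configuration; add the matching delete (or delete the whole
# `vpn pptp remote-access` node) if the intent is a full removal.
delete vpn pptp remote-access authentication local-users username 111 password '111@123'
delete vpn pptp remote-access authentication local-users username 112 password '111@123'
delete vpn pptp remote-access authentication mode 'local'
delete vpn pptp remote-access client-ip-pool start '192.168.14.1'
delete vpn pptp remote-access client-ip-pool stop '192.168.14.200'
delete vpn pptp remote-access dns-servers server-1 '223.5.5.5'
delete vpn pptp remote-access mtu '1360'
delete vpn pptp remote-access outside-address '111'

# IPsec site-to-site VPN
# The proposals below (3des / sha1 / dh-group 2) are legacy settings kept for
# compatibility with old peers.  For a new tunnel use aes256 / sha256 and
# dh-group 14 or higher in both the IKE and ESP groups; both ends of the
# tunnel must be changed together.
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-1W proposal 1
set vpn ipsec ike-group IKE-1W proposal 1 encryption 3des
set vpn ipsec ike-group IKE-1W proposal 1 hash sha1
set vpn ipsec ike-group IKE-1W proposal 1 dh-group 2
set vpn ipsec ike-group IKE-1W lifetime 3600
show vpn ipsec ike-group IKE-1W
set vpn ipsec esp-group ESP-1W proposal 1
show vpn ipsec esp-group
set vpn ipsec esp-group ESP-1W proposal 1 encryption 3des
set vpn ipsec esp-group ESP-1W proposal 1 hash sha1
set vpn ipsec esp-group ESP-1W lifetime 1800
show vpn ipsec esp-group ESP-1W
# Peer definition, entered in configure mode ('111' is a placeholder for the
# peer address and for the pre-shared secret).
edit vpn ipsec site-to-site peer 111
set authentication mode pre-shared-secret
set authentication pre-shared-secret 111
set default-esp-group ESP-1W
set ike-group IKE-1W
set local-address 69.211.159.138
set tunnel 1 local prefix 10.255.187.0/24
set tunnel 1 remote prefix 192.168.0.0/16
top
commit
show vpn ipsec sa
show vpn ipsec status
# Exclude tunnel traffic from masquerading (rule 5 must come before rule 10)
set nat source rule 5 destination address '192.168.0.0/16'
set nat source rule 5 'exclude'
set nat source rule 5 outbound-interface 'eth0'
set nat source rule 5 source address '10.255.187.0/24'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.255.187.0/24'
set nat source rule 10 translation address 'masquerade'
commit

# NAT: publish SSH of an internal host
# inbound-interface 'any' applies the forward on every interface, including
# internal ones; restrict it to the WAN interface and limit the permitted
# source addresses with a firewall rule.  destination address '111' is a
# placeholder for the public address.
set nat destination rule 600 description 'dahua-15-tcp22'
set nat destination rule 600 destination address '111'
set nat destination rule 600 destination port '60022'
set nat destination rule 600 inbound-interface 'any'
set nat destination rule 600 protocol 'tcp'
set nat destination rule 600 translation address '10.2.5.15'
set nat destination rule 600 translation port '22'

# L2TP/IPsec, variant bound to the loopback interface
# The original line read `set interface ethernet lo`, which is not a valid
# configuration path; the loopback node is `interfaces loopback lo`.
# Credentials and PSK ('test') are placeholders — replace before use.
set interfaces loopback lo
set vpn ipsec ipsec-interfaces interface 'lo'
set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username test password 'test'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '192.168.12.100'
set vpn l2tp remote-access client-ip-pool stop '192.168.12.200'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'test'
set vpn l2tp remote-access outside-address '111'
set vpn l2tp remote-access dns-servers server-1 '223.5.5.5'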