Problemas ao migrar do Vyatta 6.3 para o VyOS


Finalmente estou migrando um roteador antigo do Vyatta 6.3 para o VyOS e estou tendo alguns problemas.

Devido à incompatibilidade com o 6.3, a configuração do VyOS foi reescrita tomando como referência o antigo config.boot do VC e o exemplo do VyOS.

A configuração do IPv6 provavelmente não é bem o que deveria ser, mas esse não é o principal problema que estou tendo. Quando o novo servidor VyOS está em execução, a rede interna não consegue acessar nenhum dos endereços do bloco CIDR. Além disso, os endereços do bloco CIDR, exceto o gateway (.17), que eram acessíveis pela Internet, tornaram-se inacessíveis após cerca de 8 horas. Ao reiniciar com a configuração antiga do VC, nenhum desses sintomas apareceu.

Agradeceria se alguém pudesse revisar a configuração e apontar algum problema óbvio que eu tenha deixado passar.

Algumas configurações básicas:
Rede interna 10.2.0.0/24
IP estático externo: 123.234.234.207/27
Gateway estático externo: 123.234.234.193
Bloco CIDR (sub-rede roteada): 123.123.123.16-31 (/28)
Gateway CIDR: 123.123.123.17
Rede remota: 192.168.0.0/24

E a configuração real ...

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    /* NOTE(review): WANFW is defined here but no interface in this config references it
       (tun0 in the interfaces section carries no firewall node), so IPv6 traffic arriving
       over the tunnel is not filtered by this rule set. */
    ipv6-name WANFW {
        default-action drop
        description "Firewall to block incoming connections from IPv6 Tunnel"
        rule 5 {
            action accept
            description "Must be allowed or MTU discovery will break"
            icmpv6 {
                type packet-too-big
            }
            protocol icmpv6
        }
        rule 10 {
            action accept
            description "Allow ping replies"
            icmpv6 {
                type pong
            }
            protocol icmpv6
        }
        rule 15 {
            action accept
            description "May cause fragmentation issues otherwise"
            icmpv6 {
                type time-exceeded
            }
            protocol icmpv6
        }
        rule 20 {
            action accept
            description "Allow incoming IPSec"
            ipsec {
                match-ipsec
            }
        }
        /* Matches on the ACK flag only, not on connection-tracking state: any TCP
           segment with ACK set is accepted, whether or not it belongs to a known flow. */
        rule 30 {
            action accept
            description "Allow established TCP connections"
            protocol tcp
            tcp {
                flags ACK
            }
        }
        /* Accepts every inbound UDP datagram; there is no state or port restriction. */
        rule 35 {
            action accept
            description "Allow stateless UDP"
            protocol udp
        }
        rule 40 {
            action accept
            description "Allow http calls"
            destination {
                port http,https
            }
            protocol tcp
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Applied as "in" on eth0 and eth1 (see interfaces): transit traffic toward the LAN
       and toward the routed /28 hosts. Default drop; only reply traffic and the Murmur
       forward below get through. */
    name OUTSIDE-IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* Post-DNAT destination: pairs with nat destination rule 150, which rewrites
           eth0:64738 to 10.2.0.70:64738 before this chain sees the packet. */
        rule 20 {
            action accept
            description Murmur
            destination {
                address 10.2.0.70
                port 64738
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
    }
    /* Applied as "local" on eth0 and eth1 (see interfaces): traffic addressed to the
       router itself. Default drop. */
    name OUTSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        /* SSH rate limit. Rule 30 must stay ahead of rule 31: a source that has already
           hit the count/time threshold is dropped here before the accept in 31 applies. */
        rule 30 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
        rule 31 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            state {
                new enable
            }
        }
        /* Rules 40-43: IPsec (ESP, IKE, NAT-T) and IPsec-protected L2TP to the router.
           Note that vpn ipsec below sets nat-traversal disable, so udp/4500 is opened
           without anything in this config using it. */
        rule 40 {
            action accept
            protocol esp
        }
        rule 41 {
            action accept
            destination {
                port 500
            }
            protocol udp
        }
        rule 42 {
            action accept
            destination {
                port 4500
            }
            protocol udp
        }
        rule 43 {
            action accept
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            protocol udp
        }
    }
    receive-redirects disable
    /* Hardening knobs: the router will emit ICMP redirects, and source-validation
       (reverse-path checking of the source address) is off. Both are looser than the
       other settings in this block; worth a deliberate decision rather than a carry-over. */
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    /* WAN: public /27 from the upstream; default route points at 123.234.234.193 (protocols). */
    ethernet eth0 {
        address 123.234.234.207/27
        description WAN
        duplex auto
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
        }
        hw-id 0a:2d:35:b5:4a:25
        smp_affinity auto
        speed auto
    }
    /* Routed /28. The same OUTSIDE-IN / OUTSIDE-LOCAL sets as the WAN are applied here,
       so hosts on 123.123.123.16/28 are treated as untrusted toward the LAN and the router.
       Also used as the local endpoint of tun0 below. */
    ethernet eth1 {
        address 123.123.123.17/28
        description CIDR-Gateway
        dhcpv6-options {
            parameters-only
        }
        duplex auto
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
        }
        hw-id 4e:ca:69:29:f4:ce
        smp_affinity auto
        speed auto
    }
    /* LAN. No firewall node, so LAN-originated traffic to the router and outward is unfiltered. */
    ethernet eth2 {
        address 10.2.0.11/24
        /* NOTE: "::::" is not valid IPv6 syntax (a single "::" is the only allowed
           compression); this looks redacted. The live config needs the full prefix here,
           in the router-advert prefix, in tun0 and in the dhcpv6-server subnet. */
        address 2001:470::::11/64
        description LAN
        duplex auto
        hw-id ae:61:af:ca:71:59
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                default-preference high
                link-mtu 0
                managed-flag false
                max-interval 600
                /* other-config-flag true with managed-flag false: hosts self-configure
                   addresses from the prefix and fetch only DNS/domain via DHCPv6
                   (matches the stateless dhcpv6-server subnet in service). */
                other-config-flag true
                prefix 2001:470::::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
    smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    /* HE.net 6in4 tunnel, terminated on eth1's address. NOTE(review): there is no firewall
       node on this interface, so the WANFW ipv6-name set defined in firewall is not applied
       to traffic arriving from the tunnel. */
    tunnel tun0 {
        address 2001:470::::2/64
        description "HE.NET IPv6 Tunnel"
        encapsulation sit
        local-ip 123.123.123.17
        multicast disable
        remote-ip 66.220.18.42
    }
}
nat {
    destination {
        /* Port-forward for Murmur. Source 0.0.0.0/0 means any Internet host; the matching
           accept is OUTSIDE-IN rule 20, which only allows tcp_udp/64738 to 10.2.0.70. */
        rule 150 {
            description "Murmur Server"
            destination {
                port 64738
            }
            inbound-interface eth0
            protocol tcp_udp
            source {
                address 0.0.0.0/0
            }
            translation {
                address 10.2.0.70
                port 64738
            }
        }
    }
    source {
        /* Masquerades the LAN only when leaving via eth0, and excludes the IPsec remote
           prefix 192.168.0.0/24 so VPN traffic keeps its real source.
           NOTE(review): traffic from 10.2.0.0/24 to the routed /28 leaves via eth1 and is
           therefore NOT translated; hosts on 123.123.123.16/28 see 10.2.0.x sources. If those
           hosts drop or cannot route RFC 1918 sources, that would explain the LAN being
           unable to reach them — worth confirming against the old VC config. */
        rule 100 {
            destination {
                address !192.168.0.0/24
            }
            outbound-interface eth0
            source {
                address 10.2.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        /* IPv6 default route is an interface route out the HE.net tunnel (no next-hop address). */
        interface-route6 ::/0 {
            next-hop-interface tun0 {
            }
        }
        /* IPv4 default via the upstream gateway on eth0; duplicates system gateway-address. */
        route 0.0.0.0/0 {
            next-hop 123.234.234.193 {
            }
        }
    }
}
service {
    /* Stateless DHCPv6 (no address pool): hands out DNS and domain-search only, matching
       other-config-flag true on eth2. Prefix "::::" is presumably redacted, see interfaces. */
    dhcpv6-server {
        shared-network-name workipv6 {
            subnet 2001:470::::/64 {
                domain-search work.local
                name-server 2001:4860:4860::8888
            }
        }
    }
    /* Forwarder listens on eth2 only, so it is not reachable as an open resolver from
       eth0/eth1. cache-size 0 disables local caching. */
    dns {
        forwarding {
            cache-size 0
            listen-on eth2
            name-server 8.8.8.8
            name-server 8.8.4.4
        }
    }
    /* Web service enabled. OUTSIDE-LOCAL has no rule for tcp/443, so it is dropped by
       default-action from eth0/eth1; eth2 has no local firewall, so the LAN can reach it. */
    https {
        http-redirect disable
    }
    /* SSH on the default port; exposure from eth0/eth1 is governed by OUTSIDE-LOCAL rules 30/31. */
    ssh {
        port 22
    }
}
system {
    /* Same next-hop as the static 0.0.0.0/0 route in protocols. */
    gateway-address 123.234.234.193
    host-name miyuki
    /* Resolvers used by the router itself and forwarded to by service dns. */
    name-server 8.8.8.8
    name-server 8.8.4.4
}
vpn {
    ipsec {
        /* NOTE(review): both ESP groups use 3DES/SHA-1 with PFS disabled, and both IKE
           groups use IKEv1 with DH group 2 — legacy settings, presumably kept for
           interoperability with the peer that the 6.3 box talked to. When the peer allows
           it, moving to AES, SHA-2, a DH group of 14 or higher and enabling pfs is the usual
           hardening step. */
        esp-group work_esp {
            compression disable
            lifetime 28800
            mode tunnel
            pfs disable
            proposal 2 {
                encryption 3des
                hash sha1
            }
        }
        /* Not referenced by any site-to-site peer in this config (only work_esp is). */
        esp-group transmitter_esp {
            compression disable
            lifetime 28800
            mode tunnel
            pfs disable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group work_ike {
            /* action clear: on DPD timeout the SA is torn down and not re-established
               automatically by DPD; the peer below is connection-type initiate, so check
               that the tunnel actually comes back after a clear — TODO confirm in practice. */
            dead-peer-detection {
                action clear
                interval 20
                timeout 60
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 2 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        /* Not referenced by any site-to-site peer in this config (only work_ike is). */
        ike-group transmitter_ike {
            dead-peer-detection {
                action clear
                interval 20
                timeout 60
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        /* IKE/ESP terminate on the WAN interface; OUTSIDE-LOCAL rules 40-42 admit them there. */
        ipsec-interfaces {
            interface eth0
        }
        /* Consistent with local-address being the public eth0 address (no NAT in front
           of this router), but note OUTSIDE-LOCAL rule 42 still opens udp/4500. */
        nat-traversal disable
        site-to-site {
            peer 210.210.210.128 {
                authentication {
                    mode pre-shared-secret
                    /* Placeholder value in the post; the real secret was redacted. */
                    pre-shared-secret Nope
                }
                connection-type initiate
                ike-group work_ike
                ikev2-reauth inherit
                local-address 123.234.234.207
                /* Selectors 10.2.0.0/24 <-> 192.168.0.0/24; nat source rule 100 excludes
                   192.168.0.0/24 so this traffic is not masqueraded before encryption. */
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group work_esp
                    local {
                        prefix 10.2.0.0/24
                    }
                    remote {
                        prefix 192.168.0.0/24
                    }
                }
            }
        }
    }
}
    
por Brad 06.07.2015 / 23:23

0 respostas