Finalmente, migrar um roteador antigo do Vyatta 6.3 para o VyOS e estou tendo alguns problemas.
Devido à incompatibilidade do 6.3, a configuração do VyOS foi reescrita ao fazer referência ao antigo config.boot do VC e ao exemplo do VyOS.
A configuração do IPv6 provavelmente não é bem o que deveria ser, mas esse não é o principal problema que estou tendo. Quando o novo servidor VyOS está em execução, a rede interna não pode acessar nenhum dos endereços no bloco CIDR. Além disso, os endereços no bloco CIDR, além do gateway (.17), que eram acessíveis pela Internet, ficaram inacessíveis após cerca de 8 horas. A reinicialização na configuração antiga do VC não exibiu nenhum desses sintomas.
Aprecie se alguém puder verificar a configuração e verificar se há alguns problemas óbvios em falta.
Algumas configurações básicas:
Rede interna 10.2.0.0/24
IP estático externo: 123.234.234.207/27
Gateway estático externo: 123.234.234.193
Bloco CIDR (sub-rede roteada): 123.123.123.16-31 / 28
Gateway CIDR: 123.123.123.17
Rede remota: 192.168.0.0/24
E a configuração real ...
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-name WANFW {
default-action drop
description "Firewall to block incoming connections from IPv6 Tunnel"
rule 5 {
action accept
description "Must be allowed or MTU discovery will break"
icmpv6 {
type packet-too-big
}
protocol icmpv6
}
rule 10 {
action accept
description "Allow ping replies"
icmpv6 {
type pong
}
protocol icmpv6
}
rule 15 {
action accept
description "May cause fragmentation issues otherwise"
icmpv6 {
type time-exceeded
}
protocol icmpv6
}
rule 20 {
action accept
description "Allow incoming IPSec"
ipsec {
match-ipsec
}
}
rule 30 {
action accept
description "Allow established TCP connections"
protocol tcp
tcp {
flags ACK
}
}
rule 35 {
action accept
description "Allow stateless UDP"
protocol udp
}
rule 40 {
action accept
description "Allow http calls"
destination {
port http,https
}
protocol tcp
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name OUTSIDE-IN {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 20 {
action accept
description Murmur
destination {
address 10.2.0.70
port 64738
}
protocol tcp_udp
state {
new enable
}
}
}
name OUTSIDE-LOCAL {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 20 {
action accept
icmp {
type-name echo-request
}
protocol icmp
state {
new enable
}
}
rule 30 {
action drop
destination {
port 22
}
protocol tcp
recent {
count 4
time 60
}
state {
new enable
}
}
rule 31 {
action accept
destination {
port 22
}
protocol tcp
state {
new enable
}
}
rule 40 {
action accept
protocol esp
}
rule 41 {
action accept
destination {
port 500
}
protocol udp
}
rule 42 {
action accept
destination {
port 4500
}
protocol udp
}
rule 43 {
action accept
destination {
port 1701
}
ipsec {
match-ipsec
}
protocol udp
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
interfaces {
ethernet eth0 {
address 123.234.234.207/27
description WAN
duplex auto
firewall {
in {
name OUTSIDE-IN
}
local {
name OUTSIDE-LOCAL
}
}
hw-id 0a:2d:35:b5:4a:25
smp_affinity auto
speed auto
}
ethernet eth1 {
address 123.123.123.17/28
description CIDR-Gateway
dhcpv6-options {
parameters-only
}
duplex auto
firewall {
in {
name OUTSIDE-IN
}
local {
name OUTSIDE-LOCAL
}
}
hw-id 4e:ca:69:29:f4:ce
smp_affinity auto
speed auto
}
ethernet eth2 {
address 10.2.0.11/24
address 2001:470::::11/64
description LAN
duplex auto
hw-id ae:61:af:ca:71:59
ipv6 {
dup-addr-detect-transmits 1
router-advert {
cur-hop-limit 64
default-preference high
link-mtu 0
managed-flag false
max-interval 600
other-config-flag true
prefix 2001:470::::/64 {
autonomous-flag true
on-link-flag true
valid-lifetime 2592000
}
reachable-time 0
retrans-timer 0
send-advert true
}
}
smp_affinity auto
speed auto
}
loopback lo {
}
tunnel tun0 {
address 2001:470::::2/64
description "HE.NET IPv6 Tunnel"
encapsulation sit
local-ip 123.123.123.17
multicast disable
remote-ip 66.220.18.42
}
}
nat {
destination {
rule 150 {
description "Murmur Server"
destination {
port 64738
}
inbound-interface eth0
protocol tcp_udp
source {
address 0.0.0.0/0
}
translation {
address 10.2.0.70
port 64738
}
}
}
source {
rule 100 {
destination {
address !192.168.0.0/24
}
outbound-interface eth0
source {
address 10.2.0.0/24
}
translation {
address masquerade
}
}
}
}
protocols {
static {
interface-route6 ::/0 {
next-hop-interface tun0 {
}
}
route 0.0.0.0/0 {
next-hop 123.234.234.193 {
}
}
}
}
service {
dhcpv6-server {
shared-network-name workipv6 {
subnet 2001:470::::/64 {
domain-search work.local
name-server 2001:4860:4860::8888
}
}
}
dns {
forwarding {
cache-size 0
listen-on eth2
name-server 8.8.8.8
name-server 8.8.4.4
}
}
https {
http-redirect disable
}
ssh {
port 22
}
}
system {
gateway-address 123.234.234.193
host-name miyuki
name-server 8.8.8.8
name-server 8.8.4.4
}
vpn {
ipsec {
esp-group work_esp {
compression disable
lifetime 28800
mode tunnel
pfs disable
proposal 2 {
encryption 3des
hash sha1
}
}
esp-group transmitter_esp {
compression disable
lifetime 28800
mode tunnel
pfs disable
proposal 1 {
encryption 3des
hash sha1
}
}
ike-group work_ike {
dead-peer-detection {
action clear
interval 20
timeout 60
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 2 {
dh-group 2
encryption 3des
hash sha1
}
}
ike-group transmitter_ike {
dead-peer-detection {
action clear
interval 20
timeout 60
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 2
encryption 3des
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal disable
site-to-site {
peer 210.210.210.128 {
authentication {
mode pre-shared-secret
pre-shared-secret Nope
}
connection-type initiate
ike-group work_ike
ikev2-reauth inherit
local-address 123.234.234.207
tunnel 2 {
allow-nat-networks disable
allow-public-networks disable
esp-group work_esp
local {
prefix 10.2.0.0/24
}
remote {
prefix 192.168.0.0/24
}
}
}
}
}
}