FiOS “Three-Router” with VyOS and ESXi, Part 7: Define Internal Network

2 minute read

Now that our primary router is communicating with the outside world, and we have some reasonable security in place with our firewall, we can set up our private internal network.

Recall that our design is such that the primary router will access the Home Network (VLAN 1 on our switch and untagged elsewhere) via its second vNIC, which is assigned to the Home Network port group on the ESXi virtual switch. This vNIC will show up as eth1 inside the VyOS VM.

vyos@primary-router:~# run show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             108.0.0.123/24                    u/u  FiOS Public Internet 
eth1             10.0.0.1/24                       u/u  Home Network 
lo               127.0.0.1/8                       u/u  
                 ::1/128

To get started, we need to pick an IP address block for this network. Any private IP space other than 192.168.1.0/24 will work (we don’t want confusion between this network and the network behind the Verizon hardware router that the set-top boxes will sit on, which will come into play later).

Let’s use 10.0.0.0/24. We’ll have the router listen on the .1 address, auto-negotiate speed and duplex, and apply the LAN-TO-LAN firewall rule set to traffic arriving on that interface (the `in` direction). Remember that we configured the LAN-TO-LAN rule set to allow all traffic by default, so attaching it here changes nothing today but gives us a named place to add per-host or per-service restrictions on the Home Network later.

vyos@primary-router:~# set interfaces ethernet eth1 address 10.0.0.1/24
vyos@primary-router:~# set interfaces ethernet eth1 description Home-Network
vyos@primary-router:~# set interfaces ethernet eth1 duplex auto
vyos@primary-router:~# set interfaces ethernet eth1 speed auto
vyos@primary-router:~# set interfaces ethernet eth1 firewall in name LAN-TO-LAN
vyos@primary-router:~# compare

Review your configurations, and then commit and save them.

vyos@primary-router:~# commit
vyos@primary-router:~# save

If we want hosts on this network to dynamically receive addresses when they appear on the network, then we need to set up a DHCP server as well.

We’ll configure DHCP on this network to assign addresses between 10.0.0.100 and 10.0.0.199, with the default gateway and DNS both set to 10.0.0.1 (our primary router). Note that the router’s own .1 address sits outside the pool, so the DHCP server can never hand it out. We’re going to set the domain name for these hosts to home.local, although you can use anything you’d like. One caveat: `.local` is reserved for multicast DNS (RFC 6762), and macOS, iOS and many Linux hosts will try mDNS rather than your router for names under it; `home.arpa` is the name reserved for exactly this purpose (RFC 8375) and avoids that conflict.

vyos@primary-router:~# set service dhcp-server disabled false
vyos@primary-router:~# set service dhcp-server shared-network-name HomeNetworkPool
vyos@primary-router:~# set service dhcp-server shared-network-name HomeNetworkPool authoritative enable
vyos@primary-router:~# set service dhcp-server shared-network-name HomeNetworkPool subnet 10.0.0.0/24
vyos@primary-router:~# set service dhcp-server shared-network-name HomeNetworkPool subnet 10.0.0.0/24 default-router 10.0.0.1
vyos@primary-router:~# set service dhcp-server shared-network-name HomeNetworkPool subnet 10.0.0.0/24 dns-server 10.0.0.1
vyos@primary-router:~# set service dhcp-server shared-network-name HomeNetworkPool subnet 10.0.0.0/24 domain-name home.local
vyos@primary-router:~# set service dhcp-server shared-network-name HomeNetworkPool subnet 10.0.0.0/24 lease 86400
vyos@primary-router:~# set service dhcp-server shared-network-name HomeNetworkPool subnet 10.0.0.0/24 start 10.0.0.100 stop 10.0.0.199

Since we’re directing our DHCP clients to send their DNS requests to the router (10.0.0.1), we need to also set up a DNS server to listen for those requests and forward them on to an external DNS provider. You can use any upstream DNS server you’d like; 8.8.8.8 is Google’s public DNS service. Also note that we’re going to cache up to 2000 lookups locally (for faster response later) and listen for DNS requests only on eth1. Binding the forwarder to the LAN interface matters: a forwarder that also answers on eth0 would be an open resolver on the public Internet, which is both a privacy leak and an amplification source for reflection attacks.

vyos@primary-router:~# set service dns forwarding cache-size 2000
vyos@primary-router:~# set service dns forwarding listen-on eth1
vyos@primary-router:~# set service dns forwarding name-server 8.8.8.8

Let’s review our changes…

vyos@primary-router:~# compare

When you’re satisfied, commit and save.

vyos@primary-router:~# commit
vyos@primary-router:~# save

If you have your switch configured with extra access ports on VLAN 1, you can plug a test system into one of those ports. Your test system should receive a DHCP address in the 10.0.0.100–199 range, with 10.0.0.1 as its gateway and DNS server. You should be able to ping the gateway (10.0.0.1), but you will not have Internet access yet.