Writeup of Wasabi’s VyOS script for WRCCDC.
Writeup by Payton Erickson (UCI’s CCDC team)


The setup of the Script

#!/bin/vbash

# Return the interface with the lowest kernel ifindex that is not in the excluded list,
# so the script does not depend on udev having produced predictable eth0/eth1 names.
function get_next_if() {
    excluded_interfaces=("$@")
    lowest_ifindex=-1
    lowest_ifname=""
    for interface_path in /sys/class/net/*; do
        found=false
        interface=$(basename "$interface_path")
        # skip anything the caller already claimed (lo, the WAN interface, ...)
        for excluded_interface in "${excluded_interfaces[@]}"; do
            if [ "$excluded_interface" == "$interface" ]; then
                found=true
                break
            fi
        done
        if [ "$found" == true ]; then
            continue
        fi
        ifindex=$(udevadm info -q property "$interface_path" | grep -E '^IFINDEX=' | cut -d'=' -f2)
        if [[ "$ifindex" =~ ^[0-9]+$ ]]; then
            if [ "$lowest_ifindex" -eq -1 ] || [ "$ifindex" -lt "$lowest_ifindex" ]; then
                lowest_ifindex="$ifindex"
                lowest_ifname="$interface"
            fi
        fi
    done
    if [ "$lowest_ifindex" -eq -1 ]; then
        echo ""
    else
        echo "$lowest_ifname"
    fi
}

echo "Determining Interfaces"

# workaround for udevd, not ideal but workable: the two lowest-indexed
# non-loopback interfaces become WAN and LAN
WAN_INT=$(get_next_if "lo")
LAN_INT=$(get_next_if "lo" "${WAN_INT}")

if [[ -n "$WAN_INT" && -n "$LAN_INT" && "$WAN_INT" != "$LAN_INT" ]]; then
    echo "Interfaces are good: WAN:${WAN_INT}, LAN:${LAN_INT}"
else
    echo "Conditions not met. Interfaces not correct. WAN:${WAN_INT}, LAN:${LAN_INT}"
    exit 1
fi

This part just gets the interfaces, but normally eth0 is WAN and eth1 is LAN.

echo "Beginning Configuration of Router NAT rules"
# WAN address from DHCP with the last octet replaced by 0, i.e. the WAN /24 network
# (in sed, \10 is back-reference \1 followed by a literal 0)
export IPV4_ADDR=$(ip -4 addr show dev "$WAN_INT" | grep -oP 'inet\s+\K[^\s]+' | sed "s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.\)\([0-9]\+\)\/\([0-9]\+\)/\10\/\3/")
# third octet of the WAN network identifies the team
export TEAM_ROUTER=$(echo "${IPV4_ADDR}" | awk -F'.' '{print $3}')
export CURRENT_LAN_ADDR=$(ip -4 addr show dev "$LAN_INT" | grep -oP 'inet\s+\K[^\s]+')

export FINAL_LAN_ADDR="192.168.220.2/24"
# same last-octet-to-0 rewrite, giving the LAN network 192.168.220.0/24
export FINAL_LAN_SUBNET=$(echo "${FINAL_LAN_ADDR}" | sed "s/\([0-9]\+\.[0-9]\+\.[0-9]\+\.\)\([0-9]\+\)\/\([0-9]\+\)/\10\/\3/")
export TEMP_CONF=$(mktemp)

Now the script gets a few things needed for the configuration of the router.
IPV4_ADDR = The WAN network, derived from the address assigned to the router via DHCP on the WAN side (normally something like 10.100.1XX.2) by replacing the last octet with 0.
TEAM_ROUTER = Uses the IP address to get the team number (01, 02, etc.)
CURRENT_LAN_ADDR = The LAN IP as it is now. By default it should be something like 192.168.0.1

FINAL_LAN_SUBNET = WRCCDC uses 192.168.220.0/24 for the LAN.
FINAL_LAN_ADDR = The router IP is set to 192.168.220.2.
TEMP_CONF = Temporary conf file

if [ -f "/configured.runonce" -o -f "/boot/configured.runonce" ]; then
    echo "Configuration already set. "
    exit 0
fi

if [ -z "$IPV4_ADDR" ]; then
        echo "Error: Could not configure IPv4 Address Automatically"
        exit 1
fi

if [ -n "${CURRENT_LAN_ADDR}" ] && [ "${CURRENT_LAN_ADDR}" = "${FINAL_LAN_ADDR}" ]; then
    echo "Configuration already appears set. Stopping"
    exit 1
fi

echo "Got IPv4 Address: ${IPV4_ADDR}, will be storing configuration in ${TEMP_CONF}"

If the script has already been run (the run-once marker file exists, or the LAN address is already set), it won't run again.


Configuring the router for the comp

Now we get into the important parts of the script. This is where changes are made to the configuration of the router.

# VyOS helper functions (configure, set, delete, commit, save) for use in scripts
source /opt/vyatta/etc/functions/script-template
configure

These lines allow the script to use VyOS specific functions and aliases, then switch to configure mode.

delete system login banner

This did not work on my version of VyOS, but I could change the post-login banner by running the following command: set system login banner post-login "Login Banner/Message Here"

delete nat
delete interfaces ethernet $LAN_INT
delete service lldp
delete service ntp
delete service dns forwarding
commit

Clears the existing settings for NAT, the LAN interface, LLDP, NTP, and DNS forwarding, then commits.

set interfaces ethernet $LAN_INT address '192.168.220.2/24'
commit

Sets the IP of the router on the LAN side to 192.168.220.2, then applies the changes.

# double quotes so the shell expands the variables before VyOS sees them
set nat destination rule 10 destination address "$FINAL_LAN_SUBNET"
set nat destination rule 10 inbound-interface "$LAN_INT"
set nat destination rule 10 translation address "$IPV4_ADDR"

Creates a new destination NAT rule (rule 10) matching destination addresses in 192.168.220.0/24, sets LAN (eth1) as the inbound interface, and sets the translation address to 10.100.1XX.0/24. If you want to run the command manually with eth1, replace $LAN_INT with the interface name, eth1.

What this is actually doing is telling VyOS that rule 10 will translate addresses from 10.100.1XX.YYY into 192.168.220.YYY addresses on the LAN interface.

set nat destination rule 20 destination address "$IPV4_ADDR"
set nat destination rule 20 inbound-interface "$WAN_INT"
set nat destination rule 20 translation address "$FINAL_LAN_SUBNET"

This part adds a second destination NAT rule (rule 20) matching destination addresses in the WAN network, 10.100.1XX.0/24. It sets WAN (eth0) as the inbound interface, and the translation address to 192.168.220.0/24.

This is the same thing as the previous set of rules, except now in reverse. It tells the router that rule 20 translates addresses from 192.168.220.YYY into 10.100.1XX.YYY on the WAN interface.

set nat source rule 10 outbound-interface "$WAN_INT"
set nat source rule 10 source address "$IPV4_ADDR"
set nat source rule 10 translation address "$FINAL_LAN_SUBNET"

Back to rule 10, this time under nat source: these commands tell the router to do the same translation as before, 10.100.1XX.YYY into 192.168.220.YYY. The difference is that instead of matching where the packets are going, we are telling the router to match where the packets come from.

After this set of rules, rule 10 tells the router to take source packets on the WAN interface (eth0) that have an IP like 10.100.1XX.YYY and translate them to 192.168.220.YYY packets. Then the destination of those packets is on the LAN interface (eth1).

set nat source rule 20 outbound-interface "$LAN_INT"
set nat source rule 20 source address "$FINAL_LAN_SUBNET"
set nat source rule 20 translation address "$IPV4_ADDR"

Back to rule 20, again under nat source: these commands are the reverse of the commands above. They tell the router to look for packets with source addresses 192.168.220.YYY and translate them to 10.100.1XX.YYY addresses. The router will look for these packets leaving on the LAN interface.

After this set of rules, rule 20 tells the router to take source packets on the LAN interface (eth1) that have an IP like 192.168.220.YYY and translate them to 10.100.1XX.YYY packets. Then the destination of those packets is on the WAN interface (eth0).

set nat source rule 30 outbound-interface "$WAN_INT"
set nat source rule 30 translation address 'masquerade'

This rule lets the router hide the private IPs (192.168.220.0/24) behind the new public IPs we made (10.100.1XX.YYY). This page explains the concept well:

https://www.ibm.com/docs/en/i/7.2?topic=translation-masquerade-hide-nat
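As an added example (not part of Wasabi's script or of VyOS), this bash dry-run helper derives the same WAN network and team number the script computes, prints the NAT rules with the values filled in so they can be reviewed before they are committed, and works out the 1:1 address a host gets on the other side of the router, which is what rules 10 and 20 do between 10.100.1XX.YYY and 192.168.220.YYY. Every interface name and address in it is a constructed sample, and it is meant to run off the router (it redefines nothing from script-template).

```bash
#!/bin/bash
# Added example, not Wasabi's script: derives the script's IPV4_ADDR / TEAM_ROUTER
# values, renders the 'set nat' lines with values filled in (for review before
# 'commit'), and shows the 1:1 address a host gets on the other network, which is
# what rules 10/20 do when both addresses are whole subnets. Samples are constructed.

ip2int() {   # dotted quad -> 32-bit integer
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}
int2ip() {   # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
wan_subnet() {   # ADDR/PFX -> network with the last octet zeroed (the script's IPV4_ADDR)
    local net="${1%/*}" pfx="${1#*/}"
    echo "${net%.*}.0/$pfx"
}
team_number() {  # ADDR/PFX -> third octet (the script's TEAM_ROUTER)
    echo "$1" | cut -d. -f3
}
netmap_addr() {  # FROM_NET/PFX TO_NET/PFX HOST -> HOST's host bits placed on TO_NET
    local pfx="${1#*/}" to="${2%/*}" host="$3"
    local mask=$(( (0xFFFFFFFF << (32 - pfx)) & 0xFFFFFFFF ))
    local hostbits=$(( $(ip2int "$host") & ~mask & 0xFFFFFFFF ))
    int2ip $(( ($(ip2int "$to") & mask) | hostbits ))
}
render_nat_rules() {  # WAN_INT LAN_INT WAN_SUBNET LAN_SUBNET -> the rules the script sets
    local wan_int="$1" lan_int="$2" wan_net="$3" lan_net="$4"
    cat <<EOF
set nat destination rule 10 destination address '$lan_net'
set nat destination rule 10 inbound-interface '$lan_int'
set nat destination rule 10 translation address '$wan_net'
set nat destination rule 20 destination address '$wan_net'
set nat destination rule 20 inbound-interface '$wan_int'
set nat destination rule 20 translation address '$lan_net'
set nat source rule 10 outbound-interface '$wan_int'
set nat source rule 10 source address '$wan_net'
set nat source rule 10 translation address '$lan_net'
set nat source rule 20 outbound-interface '$lan_int'
set nat source rule 20 source address '$lan_net'
set nat source rule 20 translation address '$wan_net'
set nat source rule 30 outbound-interface '$wan_int'
set nat source rule 30 translation address 'masquerade'
EOF
}

# Constructed sample: WAN side got 10.100.105.2/24 from DHCP, LAN is 192.168.220.0/24
WAN=$(wan_subnet 10.100.105.2/24)
render_nat_rules eth0 eth1 "$WAN" 192.168.220.0/24
echo "team $(team_number "$WAN"): LAN host 192.168.220.37 is reached from the WAN as $(netmap_addr 192.168.220.0/24 "$WAN" 192.168.220.37)"
```

The printed lines use the same single-quoted form as `show configuration commands`, so they can be compared line by line against the router after the script has committed.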

commit
set system host-name "team-router$TEAM_ROUTER"

This commits the previous changes and changes the hostname of the router to ‘team-routerXX’

set system time-zone America/Los_Angeles
set firewall all-ping enable

Tells the router to respond to pings, but this is outdated syntax. VyOS now uses set firewall global-options all-ping enable.

set service lldp interface all
set service lldp legacy-protocols cdp

Enables LLDP on all interfaces, and also enables Cisco's version, CDP, as a legacy protocol. LLDP is a way of letting neighbouring devices learn information about the router. Read more about it here: https://www.geeksforgeeks.org/link-layer-discovery-protocol-lldp/

set service dns forwarding allow-from 0.0.0.0/0
set service dns forwarding listen-address 0.0.0.0

These commands allow DNS forwarding for queries from any source (0.0.0.0/0) and make the forwarder listen on every IP. Since that includes the WAN address, anyone who can reach the router can use it as an open resolver; limiting allow-from to the LAN subnet avoids that.

set system ntp listen-address 0.0.0.0

This command makes the router answer NTP requests from any IP. It is an outdated command; VyOS now uses set service ntp listen-address 0.0.0.0.
This command may cause an error if no NTP server is set up before trying to commit.

delete service https
commit
save

Disables the HTTPS API, commits, then saves the changes so they persist across reboots.

General Notes:

If you have to type commands manually for some reason there are some shortcuts I know from Cisco
configure –> conf (switches between normal mode and configuring the router)
interface –> inter
destination –> dest
address –> addr
ethernet –> eth


If you want to practice setting up these networks and getting used to these commands, look into GNS3, or you could use another network lab called pnet. Either one is good practice for learning how to set up networks.
