-
Notifications
You must be signed in to change notification settings - Fork 5
/
vyos-cfme-ansible-launch-instance-and-configure-nat-gateway.yml
141 lines (126 loc) · 5.3 KB
/
vyos-cfme-ansible-launch-instance-and-configure-nat-gateway.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
- name: Create a VyOS instance
hosts: localhost
gather_facts: True
connection: local
vars:
keypair: id_rsa_os1_rcalvaga
instance_type: t2.micro
security_group: ssh-sec-group
#image: ami-7ee7bc05
image: ami-92e86ae8
region: us-east-1
vpc_subnet_id: subnet-0264793e
instance_name: vyos-instance
private_ip1: 192.168.122.10
private_ip2: 192.168.0.10
tasks:
- name: Launch VyOS instance
ec2:
assign_public_ip: yes
key_name: "{{ keypair }}"
group: "{{ security_group }}"
instance_type: "{{ instance_type }}"
image: "{{ image }}"
wait: true
region: "{{ region }}"
instance_tags:
Name: "{{ instance_name }}"
exact_count: 1
count_tag:
Name: "{{ instance_name }}"
vpc_subnet_id: "{{ vpc_subnet_id }}"
private_ip: "{{ private_ip1 }}"
register: ec2
# - debug: var=ec2
- set_fact: ec2_id={{ ec2.instance_ids[0] }}
- name: Add secondary private IP
ec2_eni:
instance_id: "{{ ec2_id }}"
attached: True
device_index: 1
security_groups: "{{ security_group }}"
region: "{{ region }}"
private_ip_address: "{{ private_ip2 }}"
subnet_id: subnet-2b1c0117
delete_on_termination: true
state: present
- name: Add new instance to host group
add_host: hostname={{ ec2.instances[0].public_ip }} groupname=vyos_launched
- name: Wait for SSH to come up
wait_for: host={{ ec2.instances[0].public_dns_name }} port=22 delay=60 timeout=320 state=started
- name: Configuring VyOS Host as a NAT Gateway
hosts: vyos_launched
gather_facts: True
connection: local
tasks:
- name: Configure network interfaces
vyos_config:
timeout: 120
lines:
- set interfaces ethernet eth0 address dhcp
- set interfaces ethernet eth0 description 'OUTSIDE'
- set interfaces ethernet eth1 address '192.168.0.1/24'
- set interfaces ethernet eth1 description 'INSIDE'
save: yes
ignore_errors: yes
- name: Configure Source NAT for our "Inside" network
vyos_config:
lines:
- set nat source rule 100 outbound-interface 'eth0'
- set nat source rule 100 source address '192.168.0.0/24'
- set nat source rule 100 translation address masquerade
save: yes
- name: Configure a DHCP Server
vyos_config:
lines:
- set service dhcp-server disabled 'false'
- set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
- set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1'
- set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'internal-network'
- set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
- set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 start '192.168.0.9' stop '192.168.0.254'
save: yes
- name: And a DNS forwarder
vyos_config:
lines:
- set service dns forwarding cache-size '0'
- set service dns forwarding listen-on 'eth1'
- set service dns forwarding name-server '8.8.8.8'
- set service dns forwarding name-server '8.8.4.4'
save: yes
- name: Add a set of firewall policies for our "Outside" interface
vyos_config:
lines:
- set firewall name OUTSIDE-IN default-action 'drop'
- set firewall name OUTSIDE-IN rule 10 action 'accept'
- set firewall name OUTSIDE-IN rule 10 state established 'enable'
- set firewall name OUTSIDE-IN rule 10 state related 'enable'
- set firewall name OUTSIDE-LOCAL default-action 'drop'
- set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
- set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
- set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
- set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
- set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
- set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
- set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
- set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
- set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
- set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
- set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
- set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
- set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
- set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
save: yes
- name: Apply the firewall policies
vyos_config:
lines:
- set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
- set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
save: yes
- name: Show the Configuration
vyos_command:
commands:
- show configuration