VyOS is a versatile open source router forked from Brocade's previously open source Vyatta project. Here I'll outline a basic install which will function as a single NAT router. This configuration is great for virtual lab environments.

Pre-requisites: This assumes you've already created a blank VM and mounted the VyOS image.

Default Login:
Username: VyOS
Password: VyOS

Install VyOS image to local disk:

[email protected]~$ install image

Follow the prompts...

Enter 'Configuration' mode

[email protected]~$ configure

This changes the environment so you can make changes to the settings.

Set the WAN to listen for DHCP

[email protected]# set interface ethernet eth0 address dhcp

Note: Depending on the environment you may want to consider a static IP or bridging this with a PPPoE interface.

Set a Static IP on the internal interface

[email protected]# set interface ethernet eth1 address '192.168.0.1/24'

Note: This will set the ip address of the internal interface used by clients as the default gateway.

Add a description to the interfaces

[email protected]# set interface ethernet eth0 description 'WAN Interface'
[email protected]# set interface ethernet eth1 description 'LAN Interface'

Configure NAT on WAN

[email protected]# set nat source rule 100 outbound-interface 'eth0'
[email protected]# set nat source rule 100 source address '192.168.0.0/24'
[email protected]# set nat source rule 100 translation address masquerade


Line 1: This creates a NAT rule (number 100) and sets the external interface for the rule to 'eth0'
Line 2: This identifies the clients for which the router will process NAT so they can communicate via the WAN using the same external/public IP.
Line 3: This enables masquerading for the NAT rule so all clients appear to be communicating from the one WAN IP.


Configure Stateful Firewall from WAN to internal network

[email protected]# set firewall name OUTSIDE-IN default-action 'drop'
[email protected]# set firewall name OUTSIDE-IN rule 10 action 'allow'
[email protected]# set firewall name OUTSIDE-IN rule 10 state established 'enable'
[email protected]# set firewall name OUTSIDE-IN rule 10 state related 'enable'


Line 1: Creates a firewall policy named 'OUTSIDE-IN' and sets it to drop traffic by default.
Line 2: Creates a firewall rule (number 10) which allows traffic that matches the rule.
Line 3: Specifies that the rule is applicable when there is an established session for the traffic.
Line 4:  Specifies that the rule is applicable when there <confirmbeforeposting>


Configure firewall to drop traffic sent directly to router

[email protected]# set firewall name OUTSIDE-LOCAL default-action 'drop'

Note: Drop all traffic by default
[email protected]# set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
[email protected]# set interfaces ethernet eth1 firewall local name 'OUTSIDE-LOCAL'


Line 1: Link the 'OUTSIDE-IN' firewall policy to the eth0 interface for traffic directed inbound to other devices.
Line 2: Link the 'OUTSIDE-LOCAL' firewall policy to the eth0 interface for traffic directed inbound to the router itself.