arian/vyos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2 Commits 1 Branch 0 Tags
main
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
arian cf14953e23 docs update
2026-03-25 06:56:24 -04:00
README.md
docs update
2026-03-25 06:56:24 -04:00

README.md

VyOS Hypervisor Configuration Guide w/ SR-IOV on Mellanox ConnectX-3

Arian Nasr
March 19, 2026

1. Configure Hypervisor

Edit mlx4 configuration

Add the following to /etc/modprobe.d/mlx4.conf:

options mlx4_core port_type_array=2 num_vfs=8 probe_vf=0 log_num_mgm_entry_size=-1

Rebuild initramfs

update-initramfs -u -k all

Reboot the system

reboot

Tag virtual function

ip link set dev enp4s0 vf 0 vlan 40

2. Add PCI Devices to VyOS VM

Configure the network interfaces:

set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 address '192.168.0.1/24'

3. Enable SSH

set service ssh port '22'

4. Configure PPPoE Interface

set interfaces pppoe pppoe0 description 'Distributel'
set interfaces pppoe pppoe0 source-interface eth0
set interfaces pppoe pppoe0 authentication username <PPPoE username>
set interfaces pppoe pppoe0 authentication password <PPPoE password>

5. Firewall Configuration

Define groups

set firewall group interface-group WAN interface pppoe0
set firewall group interface-group LAN interface eth1
set firewall group network-group NET-INSIDE-v4 network '192.168.0.0/24'

Global options

set firewall global-options state-policy established action accept
set firewall global-options state-policy related action accept
set firewall global-options state-policy invalid action drop

6. IPv4 Firewall Rules

Outside-In rules

set firewall ipv4 name OUTSIDE-IN default-action 'drop'
set firewall ipv4 forward filter rule 100 action jump
set firewall ipv4 forward filter rule 100 jump-target OUTSIDE-IN
set firewall ipv4 forward filter rule 100 inbound-interface group WAN
set firewall ipv4 forward filter rule 100 destination group network-group NET-INSIDE-v4

Default input policy

set firewall ipv4 input filter default-action 'drop'

7. Allow LAN SSH

set firewall ipv4 name VyOS_MANAGEMENT default-action 'return'
set firewall ipv4 input filter rule 20 action jump
set firewall ipv4 input filter rule 20 jump-target VyOS_MANAGEMENT
set firewall ipv4 input filter rule 20 destination port 22
set firewall ipv4 input filter rule 20 protocol tcp

set firewall ipv4 name VyOS_MANAGEMENT rule 15 action 'accept'
set firewall ipv4 name VyOS_MANAGEMENT rule 15 inbound-interface group 'LAN'

8. Allow LAN Ping

set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 icmp type-name 'echo-request'
set firewall ipv4 input filter rule 30 protocol 'icmp'
set firewall ipv4 input filter rule 30 state new
set firewall ipv4 input filter rule 30 source group network-group NET-INSIDE-v4

9. Allow Localhost Traffic

set firewall ipv4 input filter rule 50 action 'accept'
set firewall ipv4 input filter rule 50 source address 127.0.0.0/8

10. Apply Configuration

commit
save
exit
Reference in New Issue View Git Blame Copy Permalink
S
Description
No description provided
Readme 32 KiB