Finally, VyOS Stream was released in the first quarter of this year!
Unlike the rolling release, the stream branch only receives features that are truly ready to go into a future LTS release.

I used it for some testing in my home lab; here are the results.
Preparation
I use two VM nodes for this home lab project, each with 1 CPU core, 1 GB of memory, and a 10 GB root disk, running VyOS 1.5 Stream 2025 Q1.
| Node Hostname | Node Role | vCPU | Memory | RootDisk | privateNet |
|---|---|---|---|---|---|
| btnlab01rtr01 | Master Router | 1 Core | 1 GB | 10 GB | 10.78.78.251 |
| btnlab01rtr02 | Secondary Router | 1 Core | 1 GB | 10 GB | 10.78.78.252 |
Interface and network mapping:
- eth0: 198.51.100.253/24, gateway 198.51.100.254, for the public network virtual IP
- eth1: 10.78.78.0/24, gateway 10.78.78.254, for the private network
Installation
Unfortunately, VyOS Stream only provides a generic ISO image; there are no additional variants. For now, the only option is to boot the ISO from the virtual machine's CD-ROM drive. Once it has booted, log in to the live ISO with the default user vyos and password vyos and follow the instructions as shown in the image below,

then reboot and eject the ISO from the CD-ROM drive.
Initial Setup
Run on all nodes.
Enter configuration mode with the `configure` command.
In this section we configure the general, global settings for each router.
set service ssh port 22
set system name-server 1.1.1.1
set system name-server 1.0.0.1
set system time-zone Asia/Jakarta
set system option reboot-on-panic
set system option time-format 24-hour
set system option performance throughput
del service ntp
set service ntp server time.cloudflare.com
Additionally, add a banner that is shown before and after login.
set system login banner post-login "=============================================================================================================\nATTENTION!! UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.\nYou must have explicit, authorized permission to access or configure this device.\nUnauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.\nAll activities performed on this device are logged and monitored.\n============================================================================================================="
set system login banner pre-login "=============================================================================================================\nATTENTION!! UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.\nYou must have explicit, authorized permission to access or configure this device.\nUnauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.\nAll activities performed on this device are logged and monitored.\n============================================================================================================="
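Additionally, replace the default vyos user: create the user vikiadm and add its SSH public key. The commands below only create vikiadm; the default vyos account stays in place until it is removed.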
set system login user vikiadm authentication encrypted-password '$6$rounds=4096$Fp08IS0HCcUvA0ln$3h.4UN9EXy4Pevt8McdNqajmpDxax2cvg6k01lnxCdZgI8d4AS833fSdnHH70dDFf2zkhmJT3fnGc0ZQLV1Eh1'
set system login user vikiadm authentication public-keys [email protected] type ssh-ed25519
set system login user vikiadm authentication public-keys [email protected] key AAAAC3NzaC1lZDI1NTE5AAAAIHgl+ZYCgd4eq+aMMO4uD9sjFv+tjFKFfAk+cvaYxzcq
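Configure the firewall and general NAT rules. For now, all incoming protocols are allowed on interface eth1 for sources in the privateNet network group, which rule 99 references and which therefore has to be defined first; rule 100 accepts SSH on every interface, including the public-facing eth0.
set firewall group network-group privateNet network 10.78.78.0/24
set firewall ipv4 input filter default-action drop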
set firewall ipv4 input filter rule 10 action accept
set firewall ipv4 input filter rule 10 protocol icmp
set firewall ipv4 input filter rule 10 state established
set firewall ipv4 input filter rule 10 state related
set firewall ipv4 input filter rule 10 state new
set firewall ipv4 input filter rule 99 action accept
set firewall ipv4 input filter rule 99 protocol all
set firewall ipv4 input filter rule 99 inbound-interface name eth1
set firewall ipv4 input filter rule 99 source group network-group privateNet
set firewall ipv4 input filter rule 99 description allow-privateNet
set firewall ipv4 input filter rule 100 action accept
set firewall ipv4 input filter rule 100 protocol tcp
set firewall ipv4 input filter rule 100 destination port 22
set firewall ipv4 input filter rule 100 description allow-ssh
set nat source rule 100 description privateNet
set nat source rule 100 source address 10.78.78.0/24
set nat source rule 100 outbound-interface name eth0
set nat source rule 100 translation address masquerade
Don't forget to `commit` the current configuration changes and `save` the configuration.
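A quick way to see which accept rules in the input filter above are reachable from the public side. This is an added example, not part of the original post or of VyOS; the function names and the choice of eth1 as the only trusted interface are assumptions, and the sample is constructed from this page's rules.

```python
import shlex
from collections import defaultdict

# Constructed sample: this page's input-filter rules as "set" commands.
SAMPLE = """\
set firewall ipv4 input filter default-action drop
set firewall ipv4 input filter rule 10 action accept
set firewall ipv4 input filter rule 10 protocol icmp
set firewall ipv4 input filter rule 99 action accept
set firewall ipv4 input filter rule 99 protocol all
set firewall ipv4 input filter rule 99 inbound-interface name eth1
set firewall ipv4 input filter rule 99 source group network-group privateNet
set firewall ipv4 input filter rule 100 action accept
set firewall ipv4 input filter rule 100 protocol tcp
set firewall ipv4 input filter rule 100 destination port 22
"""
PREFIX = ["set", "firewall", "ipv4", "input", "filter"]

def parse_input_filter(text):
    """Return (default_action, {rule_number: {option path: value}})."""
    default, rules = None, defaultdict(dict)
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:5] != PREFIX or len(tok) < 7:
            continue
        rest = tok[5:]
        if rest[0] == "default-action":
            default = rest[1]
        elif rest[0] == "rule" and len(rest) >= 4:
            # "destination port 22" -> path "destination port", value "22"
            rules[int(rest[1])][" ".join(rest[2:-1])] = rest[-1]
    return default, dict(rules)

def exposed_rules(text, trusted_ifaces=("eth1",)):
    """Accept rules not limited to a trusted interface or a source match."""
    default, rules = parse_input_filter(text)
    findings = []
    for num, rule in sorted(rules.items()):
        if rule.get("action") != "accept":
            continue
        scoped = (rule.get("inbound-interface name") in trusted_ifaces
                  or any(path.startswith("source ") for path in rule))
        if not scoped:
            proto = rule.get("protocol", "all")
            findings.append((num, f"{proto}/{rule.get('destination port', 'any')}"))
    return default, findings

if __name__ == "__main__":
    print(exposed_rules(SAMPLE))
```

On a router, the same functions can be fed the output of `show configuration commands` saved to a file.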
High Availability Transition Scripts
Create transition scripts for the VRRP service so that it can handle the public IP and the default gateway for the private network.
Transition script for becoming master:
cat <<EOF | tee /config/scripts/vrrp-master.sh
#!/bin/vbash
# Re-run under the vyattacfg group so the configuration commands are permitted
if [ "\$(id -g -n)" != 'vyattacfg' ] ; then
exec sg vyattacfg -c "/bin/vbash \$(readlink -f \$0) \$@"
fi
source /opt/vyatta/etc/functions/script-template
configure
# As master, move the default route from the private gateway to the public gateway
del protocols static route 0.0.0.0/0 next-hop 10.78.78.254
set protocols static route 0.0.0.0/0 next-hop 198.51.100.254
commit
save
exit
EOF
chmod +x /config/scripts/vrrp-master.sh
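Transition script for becoming backup and for the fault state:
cat <<EOF | tee /config/scripts/vrrp-backup.sh
#!/bin/vbash
# Re-run under the vyattacfg group so the configuration commands are permitted
if [ "\$(id -g -n)" != 'vyattacfg' ] ; then
exec sg vyattacfg -c "/bin/vbash \$(readlink -f \$0) \$@"
fi
source /opt/vyatta/etc/functions/script-template
configure
# As backup, move the default route from the public gateway to the private virtual gateway
del protocols static route 0.0.0.0/0 next-hop 198.51.100.254
set protocols static route 0.0.0.0/0 next-hop 10.78.78.254
commit
save
exit
EOF
chmod +x /config/scripts/vrrp-backup.sh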
Master Router
Run only on the master.
Enter configuration mode with the `configure` command.
Set the hostname, interfaces, and IP addresses.
set system host-name btnlab01vrtr01
set interface ethernet eth0 description publicNet
set interface ethernet eth1 description privateNet
set interface ethernet eth1 address 10.78.78.251/24
Set up config-sync for the secondary router; at this stage only a few configuration sections need to be synchronized.
set service config-sync mode load
set service config-sync secondary address 10.78.78.252
set service config-sync secondary port 22940
set service config-sync secondary key config-sync-key
set service config-sync section firewall
set service config-sync section nat
set service config-sync section pki
set service config-sync section policy
set service config-sync section vpn
set service config-sync section service ntp
set service config-sync section qos interfaces
set service config-sync section qos policy
set service config-sync section interfaces wireguard
set service config-sync section system time-zone
set service config-sync section system option
set service config-sync section system static-host-mapping
Set up VRRP high availability with the secondary router; it is essentially similar to a keepalived configuration. A higher priority value increases the router's chance of becoming master.
set high-availability vrrp group defaultHA interface eth1
set high-availability vrrp group defaultHA hello-source-address 10.78.78.251
set high-availability vrrp group defaultHA peer-address 10.78.78.252
set high-availability vrrp group defaultHA address 10.78.78.254/24 interface eth1
set high-availability vrrp group defaultHA address 198.51.100.253/24 interface eth0
set high-availability vrrp group defaultHA no-preempt
set high-availability vrrp group defaultHA priority 101
set high-availability vrrp group defaultHA track interface eth1
set high-availability vrrp group defaultHA vrid 96
set high-availability vrrp sync-group sync member defaultHA
set high-availability vrrp sync-group sync health-check ping 10.78.78.252
set high-availability vrrp sync-group sync health-check interval 10
set high-availability vrrp sync-group sync health-check failure-count 3
set high-availability vrrp sync-group sync transition-script master '/config/scripts/vrrp-master.sh defaultHA'
set high-availability vrrp sync-group sync transition-script fault '/config/scripts/vrrp-backup.sh defaultHA'
set high-availability vrrp sync-group sync transition-script backup '/config/scripts/vrrp-backup.sh defaultHA'
Configure conntrack-sync and enable helpers.
set service conntrack-sync accept-protocol tcp
set service conntrack-sync accept-protocol udp
set service conntrack-sync accept-protocol icmp
set service conntrack-sync event-listen-queue-size 8
set service conntrack-sync failover-mechanism vrrp sync-group sync
set service conntrack-sync interface eth1
set service conntrack-sync mcast-group 224.0.0.50
set service conntrack-sync sync-queue-size 8
This is used for stateful failover: without conntrack synchronization, the backup firewall sees active connections as "new" at failover, so sessions (for example VPN or banking) can be dropped.
Don't forget to `commit` the current configuration changes and `save` the configuration.
Secondary Router
Run only on the secondary.
Enter configuration mode with the `configure` command.
Set the hostname, interfaces, and IP addresses.
set system host-name btnlab01vrtr02
set interface ethernet eth0 description publicNet
set interface ethernet eth1 description privateNet
set interface ethernet eth1 address 10.78.78.252/24
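Set up the HTTPS service that provides config-sync via the API. It listens on this router's own private address and accepts only the master as a client; the key set as the config-sync secondary key on the master must also exist as an API key on this router.
set service https port 22940
set service https listen-address 10.78.78.252
set service https allow-client address 10.78.78.251
Set up VRRP high availability with the master router; it is essentially similar to a keepalived configuration. A higher priority value increases the router's chance of becoming master.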
set high-availability vrrp group defaultHA interface eth1
set high-availability vrrp group defaultHA hello-source-address 10.78.78.252
set high-availability vrrp group defaultHA peer-address 10.78.78.251
set high-availability vrrp group defaultHA address 10.78.78.254/24 interface eth1
set high-availability vrrp group defaultHA address 198.51.100.253/24 interface eth0
set high-availability vrrp group defaultHA no-preempt
set high-availability vrrp group defaultHA priority 100
set high-availability vrrp group defaultHA track interface eth1
set high-availability vrrp group defaultHA vrid 96
set high-availability vrrp sync-group sync member defaultHA
set high-availability vrrp sync-group sync health-check ping 10.78.78.251
set high-availability vrrp sync-group sync health-check interval 10
set high-availability vrrp sync-group sync health-check failure-count 3
set high-availability vrrp sync-group sync transition-script master '/config/scripts/vrrp-master.sh defaultHA'
set high-availability vrrp sync-group sync transition-script fault '/config/scripts/vrrp-backup.sh defaultHA'
set high-availability vrrp sync-group sync transition-script backup '/config/scripts/vrrp-backup.sh defaultHA'
Don't forget to `commit` the current configuration changes and `save` the configuration.
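The two VRRP group blocks above have to agree on some values and mirror each other on others. The following check compares them before commit; it is an added example, not part of the original post or of VyOS, its function names are assumptions, and the sample commands are constructed from this page's values.

```python
import shlex

def router_cmds(me, peer, priority):
    """Constructed sample: this page's VRRP group lines for one router."""
    g = "set high-availability vrrp group defaultHA "
    return "\n".join(g + opt for opt in (
        "interface eth1", f"hello-source-address {me}", f"peer-address {peer}",
        "address 10.78.78.254/24 interface eth1", "no-preempt",
        f"priority {priority}", "vrid 96"))

MASTER = router_cmds("10.78.78.251", "10.78.78.252", 101)
SECONDARY = router_cmds("10.78.78.252", "10.78.78.251", 100)

def vrrp_group(text, group):
    """Return (single-valued options, set of virtual addresses) for one group."""
    head = ["set", "high-availability", "vrrp", "group", group]
    opts, vips = {}, set()
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:5] != head or len(tok) < 6:
            continue
        if tok[5] == "address":
            vips.add(" ".join(tok[6:]))
        else:
            # valueless flags such as no-preempt are stored as True
            opts[tok[5]] = tok[6] if len(tok) == 7 else True
    return opts, vips

def pair_problems(a_text, b_text, group="defaultHA"):
    """List mismatches between the two routers' VRRP group settings."""
    (a, a_vips), (b, b_vips) = vrrp_group(a_text, group), vrrp_group(b_text, group)
    problems = []
    for key in ("vrid", "interface", "no-preempt"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    if a_vips != b_vips:
        problems.append("virtual addresses differ: " + ", ".join(sorted(a_vips ^ b_vips)))
    if (a.get("hello-source-address"), a.get("peer-address")) != (
            b.get("peer-address"), b.get("hello-source-address")):
        problems.append("hello-source-address and peer-address are not mirrored")
    if a.get("priority") == b.get("priority"):
        problems.append("both routers have the same priority")
    return problems

if __name__ == "__main__":
    print(pair_problems(MASTER, SECONDARY))
```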
Operational Commands
If you run these commands in configuration mode, prefix them with `run`.
To view the firewall rules, run `show firewall` and `show firewall statistics`.

To view the NAT masquerade rules, run `show nat source rules` and `show nat source statistics`.

To view the high availability status, run `show vrrp` and `show vrrp statistics`, and if you want to test the Virtual IP transition, you can run the `restart vrrp` command.
In my experience, testing this VyOS Stream release was very comfortable, and its performance is better than the rolling release, which has to be tested periodically. I think this is enough for a PoC in a staging environment before implementing it directly in production. Going forward, I may use it as a reverse proxy server and VPN server in combination with ready-made automation systems such as the API, Ansible, Terraform, Cloud-init, and others.