Vyatta Internet Gateway Router Howto - DHCP
 

Sonora Communications, Inc.

This document will show one way of configuring the Vyatta router as an Internet firewall/gateway and will demonstrate the configuration for use with a cable modem. Furthermore, the LAN interfaces are (optionally) firewalled off from each other.

Reference

Vyatta Open Source Router

Vyatta Forums

Application

Installation

Connect the new Vyatta router to your existing (test/configuration/shop) network using the first network port on the router (eth0)...usually the one on the left closest to the keyboard/mouse connectors. If your Ethernet ports are arranged vertically, eth0 is probably on the top. We'll use the DHCP server already on our network to give the new Vyatta router temporary access to the Internet for its updates.

Download the latest Vyatta Live CD ISO image, burn it to a CD and boot it on the router hardware, possibly using a USB external CD-ROM drive.

Login as 'vyatta' with password 'vyatta'.

There are two methods of installation: disk-based and image-based.  I think image-based is probably the newer, better method, but until I'm comfortable with it I'll stick to the old way.

Install to the hard drive/CF card/USB key. You'll need a minimum 1GB storage device, but 2GB or more is recommended for production use.

sudo install-system

Disconnect the USB CDROM, if you used one, during the first reboot.

Initial Console Configuration

Configure an Internet connection to use for upgrading/updating the Vyatta installation:

configure
set interfaces ethernet eth0 address dhcp
commit
save

Next, we perform the update/upgrade:

sudo full-upgrade
sudo full-upgrade -k
reboot

This leaves the router in an updated, but mostly unconfigured state. At this point, you can simply enter configuration commands at the console, or you could configure SSH access to the router and use cut n' paste.

Initial SSH Access (Optional)

If you want to finish the configuration via SSH instead of standing at the router console, choose a network interface to connect to for configuration purposes. It is best to choose an interface that will be one of the internal LAN interfaces in your final configuration. We'll use 'eth1' here because that will work in most configurations where we use eth0 as the WAN port.

The configuration below assumes the use of eth1 and the IP address 192.168.1.1 on that port.

configure
set interfaces ethernet eth1 address 192.168.1.1/24
set service ssh
commit
save
exit

Connect Your Configuration PC

Now connect your workstation/notebook to eth1 on the Vyatta router...probably the second Ethernet port from the left (or top). Configure your workstation IP address to 192.168.1.22 (or any other valid 192.168.1.0/24 address) and SSH into the router to continue your configuration. Make sure you get a link light when both devices are turned on. You may need a crossover cable if you don't get a link light.

Here are sample Linux commands to configure your workstation/notebook and to connect to the router. If you use Microsoft Windows, use Network Properties. The first command simply adds a second IP address to your workstation's eth0 interface so as not to interrupt your existing connections. Adjust as necessary:

sudo ifconfig eth0:0 192.168.1.22
ssh -l vyatta 192.168.1.1

Program the Router

You can cut and paste from the following script, once you edit it for your application. I have found it's not always possible to paste the whole configuration in one go. You may have to paste a section at a time.

I have commented out a few lines (such as "#configure") that are optional or that might give you an error and ruin your configuration. Use your own judgement as to whether you need to run any of the commented lines.

You can always 'discard' any uncommitted changes and redo. You can also just reboot the router to discard any committed, but unsaved changes.  Don't 'save' until you are sure the commands worked properly.

You must issue a 'commit' command to actuate any changes and you must issue a 'save' command for your committed changes to survive a reboot.

#### Generic 3-Port Internet Gateway

### configure System options

#configure
set system host-name your-router-name
set system domain-name your.domain
# use tab key for time zone choices
set system time-zone America/Phoenix
# these are free OpenDNS servers
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system login user vyatta authentication plaintext-password your-vyatta-password
set system login user root authentication plaintext-password your-root-password
# optionally enable logging to the console
#set system syslog console

### configure Interface options

## Internet (WAN) interface uses DHCP to get its IP address
# the next line is commented out as it was previously configured
#set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
set interfaces ethernet eth0 firewall local name TO-ROUTER
#show interfaces

## Internal LAN #1 router interface
# the next line is commented out as it was previously configured
#set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 firewall in name LAN-TO-LAN

## Internal LAN #2 router interface
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 firewall in name LAN-TO-LAN
#show interfaces

### configure Services options

## enable web browser configuration via HTTPS (optional)
set service https

## enable SSH access on the non-standard port 222 (optional)
#set service ssh port 222

## configure DHCP server (optional)
# DHCP serving internal LAN #1 on eth1 (optional)
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 start 192.168.1.65 stop 192.168.1.199
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 default-router 192.168.1.1
# the caching DNS section below makes the router a local DNS server; remove this next line if you skip that section:
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 208.67.220.220
set service dhcp-server shared-network-name ETH1_POOL authoritative enable
# DHCP serving internal LAN #2 on eth2 (optional)
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 start 192.168.2.65 stop 192.168.2.199
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 default-router 192.168.2.1
# the caching DNS section below makes the router a local DNS server; remove this next line if you skip that section:
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 dns-server 208.67.220.220
set service dhcp-server shared-network-name ETH2_POOL authoritative enable
#show service dhcp-server

## configure Caching DNS (Optional but speeds up client DNS queries)
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2

## configure NAT (Optional but needed for private (RFC 1918) internal address ranges)
# here we configure NAT from all private (RFC 1918) internal address ranges
set service nat rule 10 source address 192.168.0.0/16
set service nat rule 10 outbound-interface eth0
set service nat rule 10 type masquerade
set service nat rule 20 source address 172.16.0.0/12
set service nat rule 20 outbound-interface eth0
set service nat rule 20 type masquerade
set service nat rule 30 source address 10.0.0.0/8
set service nat rule 30 outbound-interface eth0
set service nat rule 30 type masquerade
#show service nat

### configure Firewall options

## FROM-EXTERNAL
set firewall name FROM-EXTERNAL description "Block Unwanted Internet Traffic"
# rule 10
set firewall name FROM-EXTERNAL rule 10 description "Accept Established-Related Connections"
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable
set firewall name FROM-EXTERNAL rule 10 log disable

## TO-ROUTER
set firewall name TO-ROUTER description "Traffic Destined for Router Itself"
# rule 10
set firewall name TO-ROUTER rule 10 description "Accept Established-Related Connections"
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable
set firewall name TO-ROUTER rule 10 log disable
# rule 20
set firewall name TO-ROUTER rule 20 description "SSH Access"
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol tcp
# adjust the source address for permitted SSH access to your needs
set firewall name TO-ROUTER rule 20 source address 209.193.64.248/29
# adjust the port you want to run SSH on here (ex. 222 instead of ssh)
set firewall name TO-ROUTER rule 20 destination port ssh
set firewall name TO-ROUTER rule 20 log disable
# rule 30
set firewall name TO-ROUTER rule 30 description "Accept ICMP Unreachable"
set firewall name TO-ROUTER rule 30 action accept
set firewall name TO-ROUTER rule 30 protocol icmp
set firewall name TO-ROUTER rule 30 icmp type 3
set firewall name TO-ROUTER rule 30 log disable
# rule 32
set firewall name TO-ROUTER rule 32 description "Accept ICMP Echo Request"
set firewall name TO-ROUTER rule 32 action accept
set firewall name TO-ROUTER rule 32 protocol icmp
set firewall name TO-ROUTER rule 32 icmp type 8
set firewall name TO-ROUTER rule 32 log disable
# rule 34
set firewall name TO-ROUTER rule 34 description "Accept ICMP Time-Exceeded"
set firewall name TO-ROUTER rule 34 action accept
set firewall name TO-ROUTER rule 34 protocol icmp
set firewall name TO-ROUTER rule 34 icmp type 11
set firewall name TO-ROUTER rule 34 log disable

## LAN-TO-LAN
# this firewall is fairly loose and the default accept policy
# makes it easy to allow interaction between internal subnets
set firewall name LAN-TO-LAN description "Block Internal LAN Interaction"
set firewall name LAN-TO-LAN default-action accept
# rule 10 - Blocks internal LAN #1 from LAN #2
set firewall name LAN-TO-LAN rule 10 description "Block 192.168.2.x From 192.168.1.x"
set firewall name LAN-TO-LAN rule 10 action reject
set firewall name LAN-TO-LAN rule 10 source address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 10 destination address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 10 log disable
# rule 20 - Blocks internal LAN #2 from LAN #1
set firewall name LAN-TO-LAN rule 20 description "Block 192.168.1.x From 192.168.2.x"
set firewall name LAN-TO-LAN rule 20 action reject
set firewall name LAN-TO-LAN rule 20 source address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 20 destination address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 20 log disable
# rule 30
set firewall name LAN-TO-LAN rule 30 description "Block 192.168.x.x From 172.16.x.x"
set firewall name LAN-TO-LAN rule 30 action reject
set firewall name LAN-TO-LAN rule 30 source address 172.16.0.0/12
set firewall name LAN-TO-LAN rule 30 destination address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 30 log disable
# rule 40
set firewall name LAN-TO-LAN rule 40 description "Block 172.16.x.x From 192.168.x.x"
set firewall name LAN-TO-LAN rule 40 action reject
set firewall name LAN-TO-LAN rule 40 source address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 40 destination address 172.16.0.0/12
set firewall name LAN-TO-LAN rule 40 log disable
# rule 50
set firewall name LAN-TO-LAN rule 50 description "Block 192.168.x.x From 10.x.x.x"
set firewall name LAN-TO-LAN rule 50 action reject
set firewall name LAN-TO-LAN rule 50 source address 10.0.0.0/8
set firewall name LAN-TO-LAN rule 50 destination address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 50 log disable
# rule 60
set firewall name LAN-TO-LAN rule 60 description "Block 10.x.x.x From 192.168.x.x"
set firewall name LAN-TO-LAN rule 60 action reject
set firewall name LAN-TO-LAN rule 60 source address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 60 destination address 10.0.0.0/8
set firewall name LAN-TO-LAN rule 60 log disable

#commit
#save

WAN Static IP Address

If you have a static IP address for your WAN (Internet) interface, you would use these two commands in configure mode:

set system gateway-address your.wan.gw.ip
set interfaces ethernet eth0 address your.exter.nal.ip/mask

Port Forwarding (Destination NAT)

Please note that destination NAT is applied before the inbound firewall, so the firewall rule has to accept traffic to the server's internal (post-NAT) address, not to the public address.

You can use service names from /etc/services or you can use port numbers, or you can even mix names and numbers.

set service nat rule 2 description "Ports Forwarded to the Mail Server"
set service nat rule 2 destination address your.exter.nal.ip
set service nat rule 2 destination port smtp,ssmtp,http,https,pop3s,imaps
set service nat rule 2 inside-address address mail.svr.internal.ip
set service nat rule 2 protocol tcp
set service nat rule 2 type destination

set firewall name FROM-EXTERNAL rule 20 action accept
set firewall name FROM-EXTERNAL rule 20 description "Accept Authorized Services for Mail Server"
set firewall name FROM-EXTERNAL rule 20 destination address mail.svr.internal.ip
set firewall name FROM-EXTERNAL rule 20 destination port smtp,ssmtp,http,https,pop3s,imaps
set firewall name FROM-EXTERNAL rule 20 log disable
set firewall name FROM-EXTERNAL rule 20 protocol tcp
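Before pasting a long script like the one above, it pays to lint it for the slips that commit happily accepts but that break the intent: a prefix with host bits set (172.16.0.0/8 where /12 was meant), a DHCP pool that swallows its own default-router, and a forwarded port that the FROM-EXTERNAL firewall never accepts for the internal server address, which is exactly the NAT-before-firewall ordering just described. The Python below is an added example, not part of the original howto or of Vyatta; it parses a constructed excerpt in the same `set`-command shape as the script and runs those three checks over it. `SAMPLE_CONFIG`, the function names and the addresses in it are assumptions made for the example.

```python
"""Consistency checks over a Vyatta-style 'set' command script (added example)."""
import ipaddress
import shlex

# Constructed excerpt in the shape of the howto's script, seeded with the slips checked below.
SAMPLE_CONFIG = """
set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 start 192.168.2.1 stop 192.168.2.199
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 default-router 192.168.2.1
set service nat rule 2 destination port smtp,http
set service nat rule 2 inside-address address 192.168.1.10
set service nat rule 2 type destination
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 20 action accept
set firewall name FROM-EXTERNAL rule 20 destination address 192.168.1.10
set firewall name FROM-EXTERNAL rule 20 destination port smtp
set firewall name LAN-TO-LAN rule 40 action reject
set firewall name LAN-TO-LAN rule 40 destination address 172.16.0.0/8
"""
VALUES = "_values"  # leaf values of a node live under this key

def parse(script):
    """Fold 'set a b ... value' lines into a nested dict; the last word is a value."""
    tree = {}
    for line in script.splitlines():
        words = shlex.split(line)  # keeps a quoted description as one word
        if len(words) < 3 or words[0] != "set":
            continue
        node = tree
        for word in words[1:-1]:
            node = node.setdefault(word, {})
        node.setdefault(VALUES, []).append(words[-1])
    return tree

def values(node, *path):
    """Leaf values at path below node, or [] when the path does not exist."""
    for key in path:
        node = node.get(key, {})
    return node.get(VALUES, [])

def children(node):
    """Child nodes (tag values such as rule numbers), skipping the leaf slot."""
    return [(k, v) for k, v in node.items() if k != VALUES]

def bad_cidrs(node, path=()):
    """Source/destination/subnet prefixes with host bits set, e.g. 172.16.0.0/8 for /12."""
    tokens = list(node.get(VALUES, [])) if path[-2:] in (("source", "address"), ("destination", "address")) else []
    found = []
    for key, child in children(node):
        if path[-1:] == ("subnet",):
            tokens.append(key)  # DHCP subnets are tag values, not leaf values
        found += bad_cidrs(child, path + (key,))
    for token in tokens:
        try:
            ipaddress.ip_network(token, strict=True)
        except ValueError:
            found.append(token)
    return found

def dhcp_pool_problems(tree):
    """Pool ranges that leave their subnet, run backwards, or swallow the default router."""
    problems = []
    pools = tree.get("service", {}).get("dhcp-server", {}).get("shared-network-name", {})
    for pool, pnode in children(pools):
        for cidr, snode in children(pnode.get("subnet", {})):
            net = ipaddress.ip_network(cidr, strict=False)
            routers = [ipaddress.ip_address(r) for r in values(snode, "default-router")]
            for start, sub in children(snode.get("start", {})):
                lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(values(sub, "stop")[0])
                if not (lo in net and hi in net and lo <= hi):
                    problems.append(f"{pool}: range {lo}-{hi} does not fit {net}")
                problems += [f"{pool}: default-router {r} inside pool {lo}-{hi}"
                             for r in routers if lo <= r <= hi]
    return problems

def uncovered_dnat_ports(tree, wan_iface="eth0"):
    """Forwarded ports the WAN 'in' firewall never accepts for the inside (post-NAT) address."""
    fw = values(tree, "interfaces", "ethernet", wan_iface, "firewall", "in", "name")
    rules = tree.get("firewall", {}).get("name", {}).get(fw[0], {}).get("rule", {}) if fw else {}
    result = {}
    for rid, nat in children(tree.get("service", {}).get("nat", {}).get("rule", {})):
        if values(nat, "type") != ["destination"]:
            continue
        inside = ipaddress.ip_address(values(nat, "inside-address", "address")[0])
        ports = values(nat, "destination", "port")
        wanted = set(ports[0].split(",")) if ports else {"any"}
        for _, fr in children(rules):
            dst = values(fr, "destination", "address")
            if values(fr, "action") != ["accept"] or ("state" in fr and "new" not in fr["state"]):
                continue  # stateful rules only match flows already established
            if dst and inside not in ipaddress.ip_network(dst[0], strict=False):
                continue
            if values(fr, "protocol") not in ([], values(nat, "protocol")):
                continue
            fports = values(fr, "destination", "port")
            wanted -= set(fports[0].split(",")) if fports else set(wanted)
        if wanted:
            result[rid] = sorted(wanted)
    return result
```

Run against the sample, `bad_cidrs` reports `172.16.0.0/8`, `dhcp_pool_problems` reports the ETH2_POOL default-router sitting inside its own lease range, and `uncovered_dnat_ports` reports that `http` is forwarded to 192.168.1.10 but only `smtp` is accepted for that address. The NAT check deliberately ignores the established/related rule: it never admits a new inbound connection, so it cannot stand in for the per-service accept rule.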

Troubleshooting

This command will report what Linux sees on the PCI bus. Check that it correctly identifies any add-in cards. Here is an example showing a Sangoma ADSL card:

lspci

00:08.0 Network controller: Globespan Semiconductor Inc. Pulsar [PCI ADSL Card] (rev 01)

This command will show you which kernel modules (drivers) are loaded. If the proper modules (drivers) aren't loaded, Vyatta didn't find your hardware device. Try removing and reapplying power (not just a reboot) and/or reseating any PCI cards. Maybe even try a different slot or IRQ. This is an example showing Wanpipe drivers for an ADSL card:

lsmod

wanec 326456 0
wanpipe_lip 103300 0
af_wanpipe 34496 0
wanpipe 435356 0
wanpipe_syncppp 27864 1 wanpipe
wanrouter 39528 5 wanec,wanpipe_lip,af_wanpipe,wanpipe,wanpipe_syncppp
sdladrv 65152 2 wanpipe,wanrouter

Caching DNS

Using a caching DNS server on the Vyatta router will improve the performance of just one aspect of Internet access: DNS lookups. It can result in a snappier browsing experience.

Do not bother with this if you already have a DNS server on your internal network(s)...for example a domain-based windows network.

You may edit the /etc/dnsmasq.conf file and specify which interface to listen on. Since the firewall in the example above blocks outside access, I'll skip this.

You may also want to increase the cache size from the default of 150. It may improve the performance at the cost of some memory.

cache-size=2000

The integrated dnsmasq DHCP server is disabled by default...good. We already use the Vyatta DHCP server function.

Beep When Fully Booted

wget http://http.us.debian.org/debian/pool/main/b/beep/beep_1.2.2-24_i386.deb
sudo dpkg -i beep_1.2.2-24_i386.deb
rm beep_1.2.2-24_i386.deb
echo "beep -l 200 -f 750 -n -l 200 -f 1000" | sudo tee -a /etc/init.d/rc.local

Last Updated on Monday, 31 January 2011 12:53