This document will show one way of configuring the Vyatta router as an Internet firewall/gateway and will demonstrate the configuration for use with a cable modem. Furthermore, the LAN interfaces are (optionally) firewalled off from each other.
Installation
Connect the new Vyatta router to your existing (test/configuration/shop) network using the first network port on the router (eth0), usually the one on the left, closest to the keyboard/mouse connectors. If your Ethernet ports are arranged vertically, eth0 is probably on the top. We'll use the DHCP server already on our network to give the new Vyatta router temporary access to the Internet for its updates.
Download the latest Vyatta Live CD ISO image, burn it to a CD and boot it on the router hardware, possibly using a USB external CD-ROM drive.
Login as 'root' with password 'vyatta'.
Install to the hard drive/CF/USB key with 'install-system'. You'll need a minimum 512MB storage device, but 2GB or more is recommended for production use. A storage device larger than 512MB is needed to perform some upgrades such as VC4 to VC4.1.
Disconnect the USB CDROM, if you used one, during the reboot.
Initial Console Configuration
Configure an Internet connection to use for upgrading/updating the Vyatta installation:
configure
set interfaces ethernet eth0 address dhcp
commit
save
Next, we perform the update/upgrade:
full-upgrade
full-upgrade -k
exit
reboot
This leaves the router in an updated, but mostly unconfigured state. At this point, you can simply enter configuration commands at the console, or you could configure SSH access to the router and use cut n' paste.
Configure SSH Access (Optional)
Choose a LAN interface to connect to. It is best to choose an interface that will be one of the internal LAN interfaces in your final configuration. We'll use 'eth1' here because that will work in most configurations where we use eth0 as the WAN port.
The DSL configuration below assumes the use of eth1 and the IP address 192.168.1.1 on that port.
set interfaces ethernet eth1 address 192.168.1.1/24
set service ssh
commit
save
Connect Your Configuration PC
Now connect your workstation/notebook to eth1 on the Vyatta router, probably the second Ethernet port from the left (or top). Configure your workstation IP address to 192.168.1.22 (or any other valid 192.168.1.0/24 address).
Here are sample Linux commands to configure your workstation/notebook and to connect to the router. (If you use Windows, use Network Properties.) The first command simply adds a second IP address to your workstation's eth0 interface so as not to interrupt your existing connections. Adjust as necessary:
sudo ifconfig eth0:0 192.168.1.22
ssh -l vyatta 192.168.1.1
Program the Router
You can cut and paste the following script, once you edit it for your application. I have commented out a few lines (such as "#configure") that are optional or that might give you an error and ruin your configuration. You can always 'discard' any uncommitted changes and redo. You can also reboot the router to discard any committed, but unsaved changes.
You must issue a 'commit' command to activate any changes, and you must issue a 'save' command for your committed changes to survive a reboot.
#### Generic 3-Port Internet Gateway
### configure System options
#configure
set system host-name your-router-name
# the next line is commented out as it was previously configured
#set system domain-name your.domain
# use tab key for time zone choices
set system time-zone America/Phoenix
# these are free OpenDNS servers
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system login user vyatta authentication plaintext-password your-vyatta-password
set system login user root authentication plaintext-password your-root-password
# optionally enable logging to the console
#set system syslog console
### configure Interface options
## Internet (WAN) interface uses DHCP to get its IP address
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
set interfaces ethernet eth0 firewall local name TO-ROUTER
#show interfaces
## Internal LAN #1 router interface
# the next line is commented out as it was previously configured
#set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 firewall in name LAN-TO-LAN
## Internal LAN #2 router interface
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 firewall in name LAN-TO-LAN
#show interfaces
### configure Services options
## enable web browser configuration via HTTPS (optional)
set service https
## configure DHCP server (optional)
# DHCP serving internal LAN #1 on eth1 (optional)
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 start 192.168.1.65 stop 192.168.1.199
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 default-router 192.168.1.1
# if using router as local caching DNS server uncomment this next line:
#set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 208.67.220.220
set service dhcp-server shared-network-name ETH1_POOL authoritative enable
# DHCP serving internal LAN #2 on eth2 (optional)
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 start 192.168.2.65 stop 192.168.2.199
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 default-router 192.168.2.1
# if using router as local caching DNS server uncomment this next line:
#set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 dns-server 208.67.220.220
set service dhcp-server shared-network-name ETH2_POOL authoritative enable
#show service dhcp-server
## configure NAT (Optional but needed for private (RFC 1918) internal address ranges)
# here we configure NAT from all private (RFC 1918) internal address ranges
set service nat rule 10 source address 192.168.0.0/16
set service nat rule 10 outbound-interface eth0
set service nat rule 10 type masquerade
set service nat rule 20 source address 172.16.0.0/12
set service nat rule 20 outbound-interface eth0
set service nat rule 20 type masquerade
set service nat rule 30 source address 10.0.0.0/8
set service nat rule 30 outbound-interface eth0
set service nat rule 30 type masquerade
#show service nat
### configure Firewall options
## FROM-EXTERNAL
set firewall name FROM-EXTERNAL description "Block Unwanted Internet Traffic"
# rule 10
set firewall name FROM-EXTERNAL rule 10 description "Accept Established-Related Connections"
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable
set firewall name FROM-EXTERNAL rule 10 log disable
## TO-ROUTER
set firewall name TO-ROUTER description "Traffic Destined for Router Itself"
# rule 10
set firewall name TO-ROUTER rule 10 description "Accept Established-Related Connections"
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable
set firewall name TO-ROUTER rule 10 log disable
# rule 20
set firewall name TO-ROUTER rule 20 description "SSH Access"
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol tcp
# adjust the source address for permitted SSH access to your needs
set firewall name TO-ROUTER rule 20 source address 209.193.64.248/29
set firewall name TO-ROUTER rule 20 destination port ssh
set firewall name TO-ROUTER rule 20 log disable
# rule 30
set firewall name TO-ROUTER rule 30 description "Accept ICMP Unreachable"
set firewall name TO-ROUTER rule 30 action accept
set firewall name TO-ROUTER rule 30 protocol icmp
set firewall name TO-ROUTER rule 30 icmp type 3
set firewall name TO-ROUTER rule 30 log disable
# rule 32
set firewall name TO-ROUTER rule 32 description "Accept ICMP Echo Request"
set firewall name TO-ROUTER rule 32 action accept
set firewall name TO-ROUTER rule 32 protocol icmp
set firewall name TO-ROUTER rule 32 icmp type 8
set firewall name TO-ROUTER rule 32 log disable
# rule 34
set firewall name TO-ROUTER rule 34 description "Accept ICMP Time-Exceeded"
set firewall name TO-ROUTER rule 34 action accept
set firewall name TO-ROUTER rule 34 protocol icmp
set firewall name TO-ROUTER rule 34 icmp type 11
set firewall name TO-ROUTER rule 34 log disable
## LAN-TO-LAN
set firewall name LAN-TO-LAN description "Block Internal LAN Interaction"
# rule 10 - Blocks internal LAN #1 from LAN #2
set firewall name LAN-TO-LAN rule 10 description "Block 192.168.2.x From 192.168.1.x"
set firewall name LAN-TO-LAN rule 10 action reject
set firewall name LAN-TO-LAN rule 10 source address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 10 destination address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 10 log disable
# rule 20 - Blocks internal LAN #2 from LAN #1
set firewall name LAN-TO-LAN rule 20 description "Block 192.168.1.x From 192.168.2.x"
set firewall name LAN-TO-LAN rule 20 action reject
set firewall name LAN-TO-LAN rule 20 source address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 20 destination address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 20 log disable
# rule 30
set firewall name LAN-TO-LAN rule 30 description "Block 192.168.x.x From 172.16.x.x"
set firewall name LAN-TO-LAN rule 30 action reject
set firewall name LAN-TO-LAN rule 30 source address 172.16.0.0/12
set firewall name LAN-TO-LAN rule 30 destination address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 30 log disable
# rule 40
set firewall name LAN-TO-LAN rule 40 description "Block 172.16.x.x From 192.168.x.x"
set firewall name LAN-TO-LAN rule 40 action reject
set firewall name LAN-TO-LAN rule 40 source address 192.168.0.0/16
# 172.16.0.0/12 is the RFC 1918 range (matches rule 30 and NAT rule 20); /8 would cover all of 172.x.x.x
set firewall name LAN-TO-LAN rule 40 destination address 172.16.0.0/12
set firewall name LAN-TO-LAN rule 40 log disable
# rule 50
set firewall name LAN-TO-LAN rule 50 description "Block 192.168.x.x From 10.x.x.x"
set firewall name LAN-TO-LAN rule 50 action reject
set firewall name LAN-TO-LAN rule 50 source address 10.0.0.0/8
set firewall name LAN-TO-LAN rule 50 destination address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 50 log disable
# rule 60
set firewall name LAN-TO-LAN rule 60 description "Block 10.x.x.x From 192.168.x.x"
set firewall name LAN-TO-LAN rule 60 action reject
set firewall name LAN-TO-LAN rule 60 source address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 60 destination address 10.0.0.0/8
set firewall name LAN-TO-LAN rule 60 log disable
# rule 999
set firewall name LAN-TO-LAN rule 999 description "Allow All Traffic Not Previously Blocked"
set firewall name LAN-TO-LAN rule 999 action accept
set firewall name LAN-TO-LAN rule 999 source address 0.0.0.0/0
set firewall name LAN-TO-LAN rule 999 destination address 0.0.0.0/0
set firewall name LAN-TO-LAN rule 999 log disable
#commit
#save
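As an added illustration (not the page's script and not Vyatta's own code), the following Python evaluates a packet against an excerpt of the three rule sets above using the same first-match order and the implicit drop that a Vyatta named rule set applies when no rule matches. It assumes the simplified rule excerpt embedded in it and that a rule listing several states matches a packet in any of them.

```python
import ipaddress
# Constructed excerpt of the page's three rule sets (description/log lines omitted).
CONFIG = """\
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol tcp
set firewall name TO-ROUTER rule 20 source address 209.193.64.248/29
set firewall name TO-ROUTER rule 20 destination port ssh
set firewall name LAN-TO-LAN rule 10 action reject
set firewall name LAN-TO-LAN rule 10 source address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 10 destination address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 999 action accept"""
PORTS = {"ssh": 22}  # service names the page uses in 'destination port'

def parse(text):
    """Return {ruleset: [(number, {field: value}), ...]} ordered by rule number."""
    sets = {}
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["set", "firewall", "name"]:
            rule = sets.setdefault(w[3], {}).setdefault(int(w[5]), {})
            if w[6] == "state":                # 'state established enable' etc.
                rule.setdefault("state", set()).add(w[7])
            else:                              # 'action X', 'source address X', ...
                rule[" ".join(w[6:-1])] = w[-1]
    return {name: sorted(rules.items()) for name, rules in sets.items()}

def matches(rule, pkt):
    """pkt: dict with src, dst, proto, optional dport, and state (default 'new')."""
    if "state" in rule and pkt.get("state", "new") not in rule["state"]:
        return False
    if "protocol" in rule and rule["protocol"] != pkt["proto"]:
        return False
    for side, key in (("source", "src"), ("destination", "dst")):
        net = rule.get(side + " address")
        if net and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(net):
            return False
    port = rule.get("destination port")
    return not port or int(PORTS.get(port, port)) == pkt.get("dport")

def evaluate(rulesets, name, pkt):
    """First matching rule wins; no match falls through to Vyatta's default drop."""
    for _, rule in rulesets[name]:
        if matches(rule, pkt):
            return rule["action"]
    return "drop"

RULES = parse(CONFIG)
```

Feeding it the cases that matter (an unsolicited SSH attempt from outside the permitted /29, a LAN #2 host reaching for LAN #1, a reply packet to an established flow) shows which rule set verdict each one gets before the configuration is committed.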
Troubleshooting
This command will report what Linux sees on the PCI bus. Check that it correctly identifies any add-in cards. Here is an example showing a Sangoma ADSL card:
lspci
00:08.0 Network controller: Globespan Semiconductor Inc. Pulsar [PCI ADSL Card] (rev 01)
This command will show you which kernel modules (drivers) are loaded. If the proper modules (drivers) aren't loaded, Vyatta didn't find your hardware device. Try removing and reapplying power (not just a reboot) and/or reseating any PCI cards. Maybe even try a different slot or IRQ. This is an example showing Wanpipe drivers for an ADSL card:
lsmod
wanec 326456 0
wanpipe_lip 103300 0
af_wanpipe 34496 0
wanpipe 435356 0
wanpipe_syncppp 27864 1 wanpipe
wanrouter 39528 5 wanec,wanpipe_lip,af_wanpipe,wanpipe,wanpipe_syncppp
sdladrv 65152 2 wanpipe,wanrouter
Caching DNS
Using a caching DNS server on the Vyatta router will improve the performance of just one aspect of Internet access: DNS lookups. It can result in a snappier browsing experience.
Do not bother with this if you already have a DNS server on your internal network(s), for example a domain-based Windows network.
You may edit the /etc/dnsmasq.conf file and specify which interface to listen on. Since the firewall in the example above blocks outside access, I'll skip this.
You may also want to increase the cache size from the default of 150. It may improve the performance at the cost of some memory.
cache-size=2000
The integrated dnsmasq DHCP server is disabled by default...good. We already use the Vyatta DHCP server function.
Beep When Fully Booted
wget http://http.us.debian.org/debian/pool/main/b/beep/beep_1.2.2-22_i386.deb
dpkg -i beep_1.2.2-22_i386.deb
echo "beep -l 200 -f 750 -n -l 200 -f 1000" >> /etc/init.d/rc.local