Tuesday, August 14, 2012

Another Vyatta config guide

I find myself using the Vyatta virtual router (http://www.vyatta.org) almost every time I need a router. It hasn't yet replaced my core enterprise routers, but it fits in nicely for smaller environments. This example is going to be a basic home configuration: the internet-facing interface receives its address via DHCP, while the internal interface is static at 10.0.0.1/24 and provides DHCP, DNS, and proxy services. Additionally, an internal web server is published via HTTPS.
NOTE: I am using Vyatta version 6.4, which changed some of the configuration commands. Confirm the version you are running to ensure the commands are appropriate.


1. Deploy the router

Deploying the router is probably the easiest step to perform, especially if you are running VMware. If you're running VMware, simply go to http://www.vyatta.com/downloads/vmware_ovf.php to get the link for the latest OVF available. Import this into VMware and you're good to go.

If you're running some other virtualization stack (Hyper-V, Xen, etc.), you will need to install from ISO. The latest stable version can be found at http://packages.vyatta.com/vyatta/iso/stable/; just download the LiveCD, create a VM with 512MB RAM, a 4GB disk, and 2 NICs, and boot from the ISO. NOTE: Be careful which type of NIC you choose, as not all adapters are supported by Vyatta. For Hyper-V, you have to use the Legacy Network Adapter; the default adapter type will not work.
Once booted, log into the console with the username/password of vyatta/vyatta. At the prompt type install system, accept the default options, allow the install to overwrite the disk, and set the password. When installed, type poweroff and remove the ISO. Power back up and you're up and running.

NOTE: I find it a good step to write down the MAC addresses of the interfaces so I can easily determine which is internal and which is external.

2. Configure the interfaces

Log into the console as the vyatta user and enter configuration mode by typing configure.

Identify the interfaces
The first step is to determine which interface is which. We know that we will have one interface on the open internet and the other on the trusted network; we obviously don't want to get these backwards.
While in configuration mode, type show interfaces and you will see something similar to the output below.
vyatta@vyatta# show interfaces
 ethernet eth0 {
     hw-id 00:15:5d:14:ed:2e
 }
 ethernet eth1 {
     hw-id 00:15:5d:14:ed:2f
 }
 loopback lo {
 }

The router sees the interfaces as eth0 and eth1 and shows the associated MAC addresses. Using the MAC addresses of the interfaces, I can determine which interface is which, and even move them based on need. In my case, eth0 is the external interface.

Configure DHCP
Since our external interface will be receiving its IP address from our ISP, we configure it to use DHCP. To configure eth0 for DHCP, simply type set interfaces ethernet eth0 address dhcp

Configure Static Address
Our internal network is owned/managed by us, so we can choose to use a private addressing scheme for our systems. To configure eth1 for a static address, simply type set interfaces ethernet eth1 address 10.0.0.1/24

Commit the Changes
Whenever you make a change to the Vyatta configuration, it doesn't take effect until you commit it. Additionally, the changes aren't persistent (they don't survive a reboot) until you save them.
To commit the changes, type commit
To save the changes, type save

3. Configure the services

System Names
We want to give our router a descriptive name as well as create an internal domain name. In this case I am naming it intRtr for internet router, and giving it a domain of goad.local. This gives me a unique name and domain to identify the router and other systems.
set system host-name intRtr
set system domain-name goad.local

DHCP
Next we configure the DHCP server on the router. This involves creating a pool of addresses for DHCP to use, configuring the default gateway, DNS server and domain name.

set service dhcp-server shared-network-name ETH1_POOL subnet 10.0.0.0/24 start 10.0.0.65 stop 10.0.0.199
set service dhcp-server shared-network-name ETH1_POOL subnet 10.0.0.0/24 default-router 10.0.0.1
set service dhcp-server shared-network-name ETH1_POOL subnet 10.0.0.0/24 dns-server 10.0.0.1
set service dhcp-server shared-network-name ETH1_POOL subnet 10.0.0.0/24 domain-name goad.local
set service dhcp-server shared-network-name ETH1_POOL authoritative enable 


DNS
Now that clients have DHCP addresses, it is time to configure the DNS server. In this case we are creating a caching DNS server that receives requests, forwards them to the external DNS server, and caches the answers for future reference. This speeds up recurring requests and keeps the DNS configuration in one place for easy management.

set service dns forwarding dhcp eth0
set service dns forwarding listen-on eth1


PROXY
Now we set up the outbound proxy.
set service webproxy listen-address 10.0.0.1
set service webproxy listen-address 10.0.0.1 disable-transparent
NOTE: This means that clients will have to configure their browsers to use http://10.0.0.1:3128 as the proxy in order to utilize it.

4. Configure outbound NAT for all traffic

For anything other than web traffic (or web traffic we don't want to proxy), we enable Network Address Translation.

set nat source rule 10 source address 10.0.0.0/24
set nat source rule 10 outbound-interface eth0
set nat source rule 10 translation address masquerade

5. Configure web publishing

Finally, we want to publish the web server so that when someone browses to port 443 on the external interface, the connection is forwarded to the internal server.

set nat destination rule 200 destination port https
set nat destination rule 200 inbound-interface eth0
set nat destination rule 200 translation address 10.0.0.2
set nat destination rule 200 translation port https
set nat destination rule 200 protocol tcp
set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
set firewall name FROM-EXTERNAL description "Block Unwanted Internet Traffic"
set firewall name FROM-EXTERNAL rule 10 description "Accept Established-Related Connections"
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable
set firewall name FROM-EXTERNAL rule 20 description "Allow https"
set firewall name FROM-EXTERNAL rule 20 action accept
set firewall name FROM-EXTERNAL rule 20 destination address 10.0.0.2
set firewall name FROM-EXTERNAL rule 20 destination port https
set firewall name FROM-EXTERNAL rule 20 protocol tcp


That's it. Commit and save and you're golden.
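As an added example (not part of the original post, and not Vyatta code), here is a small Python script that does the two things I would want checked before trusting a config like the one above: it parses the show interfaces output, matches each hw-id against the MAC addresses written down at deploy time (the MAC-to-role table below is an assumed value), and then runs the set commands from this guide through a handful of sanity checks: the DHCP lease must sit on the external interface and the static address on the internal one, the external interface must carry an inbound firewall ruleset, the DNS forwarder and web proxy must listen only on the internal side, source NAT must go out the external interface, and every destination NAT rule must have a matching accept in the ruleset guarding its inbound interface. The command list is copied from the guide with the description lines and a couple of cosmetic lines left out.

```python
import ipaddress
import re
import shlex

# Constructed sample: the guide's "show interfaces" output plus the MAC-to-role
# notes an admin wrote down at deploy time (assumed values, not from the post).
SHOW_INTERFACES = """\
 ethernet eth0 {
     hw-id 00:15:5d:14:ed:2e
 }
 ethernet eth1 {
     hw-id 00:15:5d:14:ed:2f
 }
"""
RECORDED_MACS = {"00:15:5d:14:ed:2e": "external", "00:15:5d:14:ed:2f": "internal"}

# The guide's set commands (descriptions and a few cosmetic lines left out).
SET_COMMANDS = """\
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 address 10.0.0.1/24
set service dhcp-server shared-network-name ETH1_POOL subnet 10.0.0.0/24 start 10.0.0.65 stop 10.0.0.199
set service dns forwarding listen-on eth1
set service webproxy listen-address 10.0.0.1
set nat source rule 10 source address 10.0.0.0/24
set nat source rule 10 outbound-interface eth0
set nat source rule 10 translation address masquerade
set nat destination rule 200 destination port https
set nat destination rule 200 inbound-interface eth0
set nat destination rule 200 translation address 10.0.0.2
set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
set firewall name FROM-EXTERNAL rule 20 action accept
set firewall name FROM-EXTERNAL rule 20 destination address 10.0.0.2
set firewall name FROM-EXTERNAL rule 20 destination port https
"""

def parse_show_interfaces(text):
    """Map each 'ethernet ethN { hw-id MAC }' block to {ethN: MAC}."""
    return dict(re.findall(r"ethernet\s+(\S+)\s*\{\s*hw-id\s+([0-9a-fA-F:]+)", text))

def assign_roles(iface_macs, recorded):
    """Return {ethN: 'external'|'internal'}; refuse to guess an unrecorded MAC."""
    roles = {}
    for iface, mac in iface_macs.items():
        if mac.lower() not in recorded:
            raise ValueError(f"{iface} has an unrecorded MAC {mac}")
        roles[iface] = recorded[mac.lower()]
    return roles

def _tails(lines, *prefix):
    """Yield the tokens that follow `prefix` in every command starting with it."""
    for toks in lines:
        if tuple(toks[:len(prefix)]) == prefix:
            yield toks[len(prefix):]

def _rules(lines, *prefix):
    """Group 'PREFIX N key... value' commands into {N: {'key...': value}}."""
    out = {}
    for t in _tails(lines, *prefix):
        out.setdefault(t[0], {})[" ".join(t[1:-1])] = t[-1]
    return out

def check_config(commands, roles):
    """Return a list of findings; an empty list means every check passed."""
    findings, attached, inside = [], {}, []  # ruleset per iface; internal subnets
    lines = [shlex.split(l) for l in commands.strip().splitlines()]
    for t in _tails(lines, "set", "interfaces", "ethernet"):
        iface, role = t[0], roles.get(t[0])
        if t[1:2] == ["address"]:  # DHCP lease belongs on the ISP side, statics inside
            want = "external" if t[2] == "dhcp" else "internal"
            if role != want:
                findings.append(f"{iface} has address {t[2]} but is not the {want} interface")
            if t[2] != "dhcp":
                inside.append(ipaddress.ip_interface(t[2]).network)
        elif t[1:4] == ["firewall", "in", "name"]:
            attached[iface] = t[4]
    for iface, role in roles.items():
        if role == "external" and iface not in attached:
            findings.append(f"no inbound firewall ruleset on external interface {iface}")
    for t in _tails(lines, "set", "service", "dns", "forwarding", "listen-on"):
        if roles.get(t[0]) != "internal":
            findings.append(f"DNS forwarder listens on non-internal interface {t[0]}")
    for t in _tails(lines, "set", "service", "webproxy", "listen-address"):
        if not any(ipaddress.ip_address(t[0]) in n for n in inside):
            findings.append(f"web proxy listens on {t[0]}, which is not an internal address")
    for rid, r in _rules(lines, "set", "nat", "source", "rule").items():
        if roles.get(r.get("outbound-interface")) != "external":
            findings.append(f"source NAT rule {rid} is not bound to the external interface")
    for rid, r in _rules(lines, "set", "nat", "destination", "rule").items():
        name = attached.get(r.get("inbound-interface"))  # ruleset guarding that interface
        port, target = r.get("destination port"), r.get("translation address")
        accepts = _rules(lines, "set", "firewall", "name", name, "rule").values()
        if not any(a.get("action") == "accept" and a.get("destination port") == port
                   and a.get("destination address") == target for a in accepts):
            findings.append(f"destination NAT rule {rid} ({port} -> {target}) has no matching accept rule")
    return findings

def audit(show_interfaces, commands, recorded=RECORDED_MACS):
    """Identify interfaces by MAC, then check the set commands against those roles."""
    return check_config(commands, assign_roles(parse_show_interfaces(show_interfaces), recorded))
```

Calling audit(SHOW_INTERFACES, SET_COMMANDS) returns an empty list for the config in this guide; delete the line attaching FROM-EXTERNAL to eth0, or swap the two roles in the MAC table, and you get findings naming the interface or rule that is wrong. The script deliberately refuses to guess the role of an interface whose MAC you never recorded, which is the whole reason for the note about writing the MACs down in step 1.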

1 comment:

Anonymous said...

What about hairpin nat or reflection nat for the https server?