Vyatta Internet Gateway Router Sample Configuration
 

Sonora Communications, Inc.


THIS IS A WORK IN PROGRESS and was written for Vyatta VC3.

Vyatta OFR Highlights

The Vyatta Linux-based router provides a flexible, high-performance alternative to Cisco routers.  It is free, professional, open-source software.

Vyatta OFR runs on standard x86 hardware and supports many types of interfaces.  It has a comprehensive command line interface (CLI) implemented as a Linux shell.  The Vyatta OFR also has a comprehensive graphical user interface (GUI) accessed via a web browser.

Support

One of the best things about the Vyatta OFR is professional support.  Purchasing support from Vyatta helps you and the Vyatta community.

There is also a mailing list and a wiki for free support.  Don't expect professional support on the mailing list, but it is fairly active and Vyatta representatives do participate.

Searching List Archives

The mailing list archives themselves are not searchable; on Google, however, you can use the "site:" operator to search them:

<search terms> site:mailman.vyatta.com

Other Resources

IP Subnet Calculator

Internet Access Application

Fix a Bug First (VC3)

There is a bug in VC3 that prevents configuring state match rules on protocols other than TCP, which complicates building a stateful NAT firewall.

Here is a workaround for the VC3 release that removes the error checking that only allows state rules to be configured in conjunction with TCP:

Log in as root, edit /opt/vyatta/share/perl5/VyattaIpTablesRule.pm, and change the following line from:

if (($self->{_protocol} eq "tcp") || ($self->{_protocol} eq "6")) {

to:

if (1) {

Sample Internet Access Configuration

[Image: diagram of the example network]

The diagram shows our example network.  Your application will no doubt be different.  Hopefully, you can use this example to save some time in designing your own application.  Note that in this subnetted example the Internet access router needs a route to the subnetted network pointing to the Vyatta router.

We'll be implementing the following features:

  • 4-Port Ethernet Router
    • Internet
    • Two Private Internal Networks
    • Another Internal Router with Its Own Static IP Address
  • Internet Access
  • NAT
    • Private Networks Using 192.168.x.x Addresses
  • Firewall
    • Stateful - Allows Only Established Related Traffic In
    • Private Networks Protected From Each Other
    • Allows Forwarded Port Traffic
  • Port Forwarding (Destination NAT)
    • SMTP, HTTP, HTTPS and RDP
    • Forwarded to Internal Servers on Private Network
  • DHCP Server
    • Private Networks
  • NTP Time Synchronization
    • Using Free Public Time Servers (ntp.org)
  • Remote Management
    • SSH, HTTP and HTTPS
    • Using Non-Standard Ports for HTTP and HTTPS
    • Allows Standard HTTP and HTTPS to Be Forwarded to Internal Servers 
  • Subnetting
    • Optional
    • For Certain Applications

The NTP time server and the DNS servers in the configuration are free public servers; you can leave them as they are if you wish.

The following configuration file can be copied and then edited in place for your configuration.

/opt/vyatta/etc/config/config.boot

/*XORP Configuration File, v1.0*/
protocols {
    static {
        disable: false
        route 0.0.0.0/0 {
            next-hop: 123.123.123.1
            metric: 1
        }
    }
}
policy {
}
interfaces {
    restore: false
    loopback lo {
        description: "Loopback"
    }
    ethernet eth0 {
        disable: false
        discard: false
        description: "Internet"
        duplex: "auto"
        speed: "auto"
        address 123.123.123.2 {
            prefix-length: 30
            disable: false
        }
        firewall {
            in {
                name: "from-external"
            }
            local {
                name: "to-router"
            }
        }
    }
    ethernet eth1 {
        disable: false
        discard: false
        description: "Internal Network #1"
        duplex: "auto"
        speed: "auto"
        address 192.168.1.1 {
            prefix-length: 24
            disable: false
        }
        firewall {
            in {
                name: "lan-to-lan"
            }
        }
    }
    ethernet eth2 {
        disable: false
        discard: false
        description: "Internal Network #2"
        duplex: "auto"
        speed: "auto"
        address 192.168.2.1 {
            prefix-length: 24
            disable: false
        }
        firewall {
            in {
                name: "lan-to-lan"
            }
        }
    }
    ethernet eth3 {
        disable: false
        discard: false
        description: "Internal Subnetted Network"
        duplex: "auto"
        speed: "auto"
        address 123.123.123.5 {
            prefix-length: 30
            disable: false
        }
        firewall {
            in {
                name: "lan-to-lan"
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name "eth1_pool" {
            subnet 192.168.1.0/24 {
                start 192.168.1.65 {
                    stop: 192.168.1.199
                }
                client-prefix-length: 24
                dns-server 209.218.76.2
                dns-server 208.67.220.220
                default-router: 192.168.1.1
                lease: 86400
                authoritative: "disable"
            }
        }
        shared-network-name "eth2_pool" {
            subnet 192.168.2.0/24 {
                start 192.168.2.65 {
                    stop: 192.168.2.199
                }
                client-prefix-length: 24
                dns-server 209.218.76.2
                dns-server 208.67.220.220
                default-router: 192.168.2.1
                lease: 86400
                authoritative: "disable"
            }
        }
    }
    nat {
        rule 2 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-name smtp
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 4 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-name http
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 6 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-name https
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 8 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-number 3389
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 10 {
            type: "masquerade"
            outbound-interface: "eth0"
            source {
                network: "192.168.1.0/24"
            }
        }
        rule 20 {
            type: "masquerade"
            outbound-interface: "eth0"
            source {
                network: "192.168.2.0/24"
            }
        }
    }
    ssh {
        port: 22
        protocol-version: "v2"
    }
    webgui {
        http-port: 81
        https-port: 444
    }
}
firewall {
    log-martians: "enable"
    send-redirects: "disable"
    receive-redirects: "disable"
    ip-src-route: "disable"
    broadcast-ping: "disable"
    syn-cookies: "enable"
    name "lan-to-lan" {
        description: "Block Internal LAN Interaction"
        rule 10 {
            description: "Block 192.168.x.x Networks"
            protocol: "all"
            action: "reject"
            log: "disable"
            source {
                network: "192.168.0.0/16"
            }
            destination {
                network: "192.168.0.0/16"
            }
        }
        rule 20 {
            description: "Block 172.16.x.x Networks"
            protocol: "all"
            action: "reject"
            log: "disable"
            source {
                network: "192.168.0.0/16"
            }
            destination {
                network: "172.16.0.0/12"
            }
        }
        rule 30 {
            description: "Block 10.x.x.x Networks"
            protocol: "all"
            action: "reject"
            log: "disable"
            source {
                network: "192.168.0.0/16"
            }
            destination {
                network: "10.0.0.0/8"
            }
        }
        rule 40 {
            description: "Allow All Traffic Not Previously Blocked"
            protocol: "all"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                network: "0.0.0.0/0"
            }
        }
    }
    name "from-external" {
        description: "Block Unwanted Internet Traffic"
        rule 10 {
            description: "Accept Established-Related Connections"
            protocol: "all"
            state {
                established: "enable"
                new: "disable"
                related: "enable"
                invalid: "disable"
            }
            action: "accept"
            log: "disable"
        }
        rule 20 {
            description: "Pass Subnet Traffic"
            protocol: "all"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                network: "123.123.123.4/30"
            }
        }
        rule 30 {
            description: "Pass SMTP"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                address: "0.0.0.0/0"
            }
            destination {
                address: "123.123.123.2"
                port-name smtp
            }
        }
        rule 40 {
            description: "Pass HTTP"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "123.123.123.2"
                port-name http
            }
        }
        rule 50 {
            description: "Pass HTTPS"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "123.123.123.2"
                port-name https
            }
        }
        rule 60 {
            description: "Pass RDP"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                address: "123.123.123.2"
                port-number 3389
            }
        }
    }
    name "to-router" {
        description: "Traffic Destined for Router"
        rule 10 {
            description: "Accept Established-Related Connections"
            protocol: "all"
            state {
                established: "enable"
                new: "disable"
                related: "enable"
                invalid: "disable"
            }
            action: "accept"
            log: "disable"
        }
        rule 20 {
            description: "SSH Access"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "200.200.200.0/29"
            }
            destination {
                port-name ssh
            }
        }
        rule 30 {
            description: "WebGUI Access"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "200.200.200.0/29"
            }
            destination {
                port-number 81
            }
        }
        rule 40 {
            description: "Secure WebGUI Access"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "200.200.200.0/29"
            }
            destination {
                port-number 444
            }
        }
        rule 60 {
            description: "Accept ICMP Unreachable"
            protocol: "icmp"
            icmp {
                type: "3"
            }
            action: "accept"
            log: "disable"
        }
        rule 70 {
            description: "Accept ICMP Echo Request"
            protocol: "icmp"
            icmp {
                type: "8"
            }
            action: "accept"
            log: "disable"
        }
        rule 80 {
            description: "Accept ICMP Time-Exceeded"
            protocol: "icmp"
            icmp {
                type: "11"
            }
            action: "accept"
            log: "disable"
        }
    }
}
system {
    host-name: "router"
    domain-name: "yourdomain.com"
    name-server 208.67.222.222
    name-server 208.67.220.220
    time-zone: "GMT"
    ntp-server "pool.ntp.org"
    login {
        user root {
            full-name: ""
            authentication {
                plaintext-password: "vyatta"
            }
        }
        user vyatta {
            full-name: ""
            authentication {
                plaintext-password: "vyatta"
            }
        }
    }
    package {
        auto-sync: 1
        repository community {
            component: "main"
            url: "http://archive.vyatta.com/vyatta"
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "firewall@1:webgui@1:serial@1:nat@2:dhcp-server@2:dhcp-relay@1:cluster@1" === */
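The following is an added example, not code from the Sonora page or from Vyatta: a small first-match simulator for the three firewall rule sets in the sample config.boot above ("lan-to-lan", "from-external" and "to-router"). It transcribes the rules into Python and evaluates constructed sample flows against them the way Vyatta does: rules run in ascending number order, the first match decides, and a packet matching no rule is dropped. It deliberately ignores NAT ordering and compares addresses exactly as written in the rules; the sample Internet hosts use the 203.0.113.0/24 documentation range and are constructed for this example.

```python
"""Added example (not part of the Sonora page or of Vyatta): a first-match
evaluator for the sample config.boot firewall rule sets.

Rules are evaluated in ascending number order; the first match wins and a
packet matching nothing is dropped (the implicit default). NAT ordering is
ignored and addresses are compared exactly as written in the rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                         # "accept" | "reject" | "drop"
    protocol: str = "all"               # "all" | "tcp" | "udp" | "icmp"
    src: str = "0.0.0.0/0"              # source network
    dst: str = "0.0.0.0/0"              # destination network
    dport: Optional[int] = None         # destination port (tcp/udp only)
    icmp_type: Optional[int] = None     # ICMP type (icmp only)
    states: Optional[set] = None        # conntrack states matched; None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    state: str = "new"                  # "new" | "established" | "related" | "invalid"


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every criterion the rule specifies is satisfied by the packet."""
    if rule.protocol != "all" and rule.protocol != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def evaluate(ruleset, pkt: Packet):
    """Return (action, rule number) of the first matching rule, or ("drop", None)."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return "drop", None


# --- the three rule sets, transcribed from the sample config.boot -------------
ESTABLISHED = {"established", "related"}
ROUTER = "123.123.123.2/32"            # the eth0 address
MGMT = "200.200.200.0/29"              # the management network in "to-router"

LAN_TO_LAN = [
    Rule(10, "reject", src="192.168.0.0/16", dst="192.168.0.0/16"),
    Rule(20, "reject", src="192.168.0.0/16", dst="172.16.0.0/12"),
    Rule(30, "reject", src="192.168.0.0/16", dst="10.0.0.0/8"),
    Rule(40, "accept"),
]
FROM_EXTERNAL = [
    Rule(10, "accept", states=ESTABLISHED),
    Rule(20, "accept", dst="123.123.123.4/30"),
    Rule(30, "accept", protocol="tcp", dst=ROUTER, dport=25),    # smtp
    Rule(40, "accept", protocol="tcp", dst=ROUTER, dport=80),    # http
    Rule(50, "accept", protocol="tcp", dst=ROUTER, dport=443),   # https
    Rule(60, "accept", protocol="tcp", dst=ROUTER, dport=3389),  # rdp
]
TO_ROUTER = [
    Rule(10, "accept", states=ESTABLISHED),
    Rule(20, "accept", protocol="tcp", src=MGMT, dport=22),
    Rule(30, "accept", protocol="tcp", src=MGMT, dport=81),
    Rule(40, "accept", protocol="tcp", src=MGMT, dport=444),
    Rule(60, "accept", protocol="icmp", icmp_type=3),
    Rule(70, "accept", protocol="icmp", icmp_type=8),
    Rule(80, "accept", protocol="icmp", icmp_type=11),
]

# Constructed sample flows; 203.0.113.0/24 stands in for arbitrary Internet hosts.
SAMPLES = [
    ("LAN1 -> LAN2 SMB",        LAN_TO_LAN,    Packet("tcp", "192.168.1.10", "192.168.2.10", 445)),
    ("LAN1 -> Internet HTTPS",  LAN_TO_LAN,    Packet("tcp", "192.168.1.10", "203.0.113.9", 443)),
    ("Internet -> SMTP",        FROM_EXTERNAL, Packet("tcp", "203.0.113.7", "123.123.123.2", 25)),
    ("Internet -> telnet",      FROM_EXTERNAL, Packet("tcp", "203.0.113.7", "123.123.123.2", 23)),
    ("Internet -> subnet host", FROM_EXTERNAL, Packet("udp", "203.0.113.7", "123.123.123.6", 53)),
    ("Mgmt -> SSH",             TO_ROUTER,     Packet("tcp", "200.200.200.3", "123.123.123.2", 22)),
    ("Internet -> SSH",         TO_ROUTER,     Packet("tcp", "203.0.113.7", "123.123.123.2", 22)),
    ("Internet -> ping",        TO_ROUTER,     Packet("icmp", "203.0.113.7", "123.123.123.2", icmp_type=8)),
]

if __name__ == "__main__":
    for label, ruleset, pkt in SAMPLES:
        action, num = evaluate(ruleset, pkt)
        print(f"{label:24s} -> {action:6s} (rule {num})")
```

Running it shows the policy intent of the sample: LAN1 to LAN2 is rejected by "lan-to-lan" rule 10 while LAN1 to the Internet falls through to rule 40, unsolicited Internet traffic reaches only the forwarded ports and the 123.123.123.4/30 subnet, and SSH and WebGUI access to the router itself succeeds only from 200.200.200.0/29. Two things the simulator does not check but the config shows: the `login` section still carries the stock "vyatta" passwords in `plaintext-password` fields, so change them before the router goes on line, and the "from-external" rules match the public address 123.123.123.2, so confirm on the running system that they match forwarded traffic as you expect given the order in which NAT and the firewall are applied.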
Last Updated on Tuesday, 15 December 2009 18:11