Vyatta Internet Gateway Router Howto - Sangoma DSL

Sonora Communications, Inc.

This document will show one way of configuring the Vyatta router as an Internet firewall/gateway and will demonstrate the configuration of the Sangoma S518 ADSL interface card.  Furthermore, the LAN interfaces are (optionally) firewalled off from each other.

Reference

Vyatta Open Source Router

Vyatta Forums

Sangoma

Application

Installation

Connect the new Vyatta router to your existing (test/configuration/shop) network using the first network port on the router (eth0)...usually the one on the left.  We'll use the dhcp server already on our network to give the new Vyatta router access to the Internet for its updates.

Download the Vyatta 4.1.4 Live CD ISO image, burn it to a CD and boot it on the router hardware, possibly using a USB CD-ROM drive.

Log in as 'root' with password 'vyatta'.

Install to the hard drive/CF/USB key with 'install-system'.   You'll need a minimum 512MB storage device, but 1GB or more is recommended.  A storage device larger than 512MB is needed to perform some upgrades such as VC4 to VC4.1.

Disconnect the USB CDROM, if you used one, during the reboot.

Initial Console Configuration

Configure an Internet connection to use for upgrading/updating the Vyatta installation:

configure
set interfaces ethernet eth0 address dhcp
commit

Next, we perform the update/upgrade:

full-upgrade
full-upgrade -k
exit
reboot

This leaves the router in an updated, but unconfigured state.   Note that we did not 'save' the previous configuration.

At this point, you can simply enter configuration commands at the console, or you could configure SSH access to the router and use cut n' paste.

Configure SSH Access (Optional)

Choose a LAN interface to connect to.  It is best to choose an interface that will be one of the internal LAN interfaces in your final configuration.  We'll use 'eth1' here because that will work in most configurations.

The DSL configuration below assumes the use of eth1 and the IP address 192.168.2.1 on that port.  Note that 'allow-root true' permits root logins over SSH.  That is convenient while you set the router up, but once the 'vyatta' user has a password (set below) you can log in as that user instead and turn root SSH access back off with 'set service ssh allow-root false'.

set interfaces ethernet eth1 address 192.168.2.1/24
set service ssh allow-root true
set service ssh protocol-version v2
commit
save

Now connect your workstation/notebook to eth1 on the Vyatta router...probably the second ethernet from the left (or top).  Configure your workstation IP address to 192.168.2.<something> and SSH into the router and continue your configuration.  Make sure you get a link light when both devices are turned on.  You may need a crossover cable.

Here are sample Linux commands to configure your workstation/notebook and to connect to the router.  The first command simply adds a second IP address to your eth0 interface so as not to interrupt your existing connections.  Adjust as necessary:

sudo ifconfig eth0:0 192.168.2.22
ssh -l root 192.168.2.1

Program the Router

You can cut and paste the following script, once you edit it for your application.  I have commented out a few lines (such as "#configure") that are optional or that might give you an error and ruin your configuration.  You can always 'discard' any uncommitted changes and redo.  You can also reboot the router to discard any committed, but unsaved changes.

You must issue a 'commit' command to actuate any changes and you must issue a 'save' command for your committed changes to survive a reboot.

### configure System options

#configure
set system host-name <your-router-name>
set system domain-name <your.domain.name>
# use tab key for time zone choices
set system time-zone <your-time-zone>
# these are free OpenDNS servers
set system name-server 208.67.222.222
set system name-server 208.67.220.220
# Vyatta hashes these on commit and stores them as encrypted-password entries in the saved configuration
set system login user vyatta authentication plaintext-password <your-password>
set system login user root authentication plaintext-password <your-root-password>
#
# optionally enable logging to the console
#set system syslog console

### configure Interface options

## Sangoma S518 DSL WAN interface supports PPPOE and PPPOA
set interfaces adsl adsl0 pvc auto pppoe 0 default-route auto
set interfaces adsl adsl0 pvc auto pppoe 0 user-id <your-pppoe-username>
set interfaces adsl adsl0 pvc auto pppoe 0 password <your-pppoe-password>
set interfaces adsl adsl0 pvc auto pppoe 0 firewall in name FROM-EXTERNAL
set interfaces adsl adsl0 pvc auto pppoe 0 firewall local name TO-ROUTER
#show interfaces adsl

## LAN 1 interface
set interfaces ethernet eth0 address 192.168.1.1/24
set interfaces ethernet eth0 firewall in name LAN-TO-LAN

## LAN 2 interface
# the next line is commented out as it was previously configured above
#set interfaces ethernet eth1 address 192.168.2.1/24
set interfaces ethernet eth1 firewall in name LAN-TO-LAN

#show interfaces

### configure Services options

## configure DHCP server (optional)

# DHCP serving LAN 1 on eth0 (optional)
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 start 192.168.1.65 stop 192.168.1.199
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 default-router 192.168.1.1
# if using caching DNS server use this instead of the OpenDNS servers:
#set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 dns-server 208.67.220.220
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 authoritative enable

# DHCP serving LAN 2 on eth1 (optional)
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 start 192.168.2.65 stop 192.168.2.199
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 default-router 192.168.2.1
# if using caching DNS server use this instead of the OpenDNS servers:
#set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 dns-server 208.67.220.220
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 authoritative enable

#show service dhcp-server

## configure NAT

# here we NAT from all 192.168.x.x addresses and from all 10.x.x.x internal addresses by widening the netmasks
set service nat rule 10 source address 192.168.0.0/16
set service nat rule 10 outbound-interface pppoe0
set service nat rule 10 type masquerade

set service nat rule 20 source address 10.0.0.0/8
set service nat rule 20 outbound-interface pppoe0
set service nat rule 20 type masquerade

#show service nat

### configure Firewall options

## FROM-EXTERNAL
set firewall name FROM-EXTERNAL description "Block Unwanted Internet Traffic"
# rule 10
set firewall name FROM-EXTERNAL rule 10 description "Accept Established-Related Connections"
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable
set firewall name FROM-EXTERNAL rule 10 log disable
# no further rules: anything arriving from the Internet that is not part of an established or
# related connection falls through to the rule set's implicit default action, which is drop

## TO-ROUTER
set firewall name TO-ROUTER description "Traffic Destined for Router"
# rule 10
set firewall name TO-ROUTER rule 10 description "Accept Established-Related Connections"
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable
set firewall name TO-ROUTER rule 10 log disable
# rule 20
set firewall name TO-ROUTER rule 20 description "SSH Access"
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol tcp
# adjust the source address to your needs
set firewall name TO-ROUTER rule 20 source address 209.193.64.248/29
set firewall name TO-ROUTER rule 20 destination port ssh
set firewall name TO-ROUTER rule 20 log disable
# rule 30
set firewall name TO-ROUTER rule 30 description "Accept ICMP Unreachable"
set firewall name TO-ROUTER rule 30 action accept
set firewall name TO-ROUTER rule 30 protocol icmp
set firewall name TO-ROUTER rule 30 icmp type 3
set firewall name TO-ROUTER rule 30 log disable
# rule 32
set firewall name TO-ROUTER rule 32 description "Accept ICMP Echo Request"
set firewall name TO-ROUTER rule 32 action accept
set firewall name TO-ROUTER rule 32 protocol icmp
set firewall name TO-ROUTER rule 32 icmp type 8
set firewall name TO-ROUTER rule 32 log disable
# rule 34
set firewall name TO-ROUTER rule 34 description "Accept ICMP Time-Exceeded"
set firewall name TO-ROUTER rule 34 action accept
set firewall name TO-ROUTER rule 34 protocol icmp
set firewall name TO-ROUTER rule 34 icmp type 11
set firewall name TO-ROUTER rule 34 log disable
# anything else destined for the router itself (DNS on port 53 included) hits the implicit drop

## LAN-TO-LAN
set firewall name LAN-TO-LAN description "Block Internal LAN Interaction"
# rule 10
set firewall name LAN-TO-LAN rule 10 description "Block 192.168.2.x From 192.168.1.x"
set firewall name LAN-TO-LAN rule 10 action reject
set firewall name LAN-TO-LAN rule 10 source address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 10 destination address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 10 log disable
# rule 20
set firewall name LAN-TO-LAN rule 20 description "Block 192.168.1.x From 192.168.2.x"
set firewall name LAN-TO-LAN rule 20 action reject
set firewall name LAN-TO-LAN rule 20 source address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 20 destination address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 20 log disable
# rule 30
set firewall name LAN-TO-LAN rule 30 description "Block 10.x.x.x From 192.168.x.x"
set firewall name LAN-TO-LAN rule 30 action reject
set firewall name LAN-TO-LAN rule 30 source address 10.0.0.0/8
set firewall name LAN-TO-LAN rule 30 destination address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 30 log disable
# rule 40
set firewall name LAN-TO-LAN rule 40 description "Block 192.168.x.x From 10.x.x.x"
set firewall name LAN-TO-LAN rule 40 action reject
set firewall name LAN-TO-LAN rule 40 source address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 40 destination address 10.0.0.0/8
set firewall name LAN-TO-LAN rule 40 log disable
# rule 999
set firewall name LAN-TO-LAN rule 999 description "Allow All Traffic Not Previously Blocked"
set firewall name LAN-TO-LAN rule 999 action accept
set firewall name LAN-TO-LAN rule 999 source address 0.0.0.0/0
set firewall name LAN-TO-LAN rule 999 destination address 0.0.0.0/0
set firewall name LAN-TO-LAN rule 999 log disable

#commit

#save
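Before pasting a script like the one above into a live router it is worth checking it offline.  The following Python script is an added example (it is not part of this page and not a Vyatta tool): it parses the 'set firewall name ...' and 'set interfaces ... firewall ... name ...' lines, lists rule sets that are attached to an interface but never defined (a commit fails on those), and evaluates constructed sample packets against a rule set using first-match order and Vyatta's implicit default action of drop.  The embedded configuration is a constructed subset of the script above with one deliberately undefined reference (LAN-TO-WAN on eth2) added so the check has something to report; the port-name table and the packet fields it understands are assumptions that cover only what this page uses.

```python
"""Offline consistency check for a Vyatta 'set' script (added example, not a Vyatta tool)."""
import ipaddress

# Service names used on this page; assumption: nothing else is needed here.
PORT_NAMES = {"ssh": 22}

# Constructed sample: a subset of the page's script.  The eth2 line is a
# deliberate mistake (no LAN-TO-WAN rule set exists) so the check reports it.
SAMPLE_CONFIG = """
set interfaces adsl adsl0 pvc auto pppoe 0 firewall in name FROM-EXTERNAL
set interfaces adsl adsl0 pvc auto pppoe 0 firewall local name TO-ROUTER
set interfaces ethernet eth0 firewall in name LAN-TO-LAN
set interfaces ethernet eth1 firewall in name LAN-TO-LAN
set interfaces ethernet eth2 firewall in name LAN-TO-WAN
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable
set firewall name TO-ROUTER rule 20 description "SSH Access"
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol tcp
set firewall name TO-ROUTER rule 20 source address 209.193.64.248/29
set firewall name TO-ROUTER rule 20 destination port ssh
set firewall name LAN-TO-LAN rule 10 action reject
set firewall name LAN-TO-LAN rule 10 source address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 10 destination address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 20 action reject
set firewall name LAN-TO-LAN rule 20 source address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 20 destination address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 999 action accept
set firewall name LAN-TO-LAN rule 999 source address 0.0.0.0/0
set firewall name LAN-TO-LAN rule 999 destination address 0.0.0.0/0
"""

def parse(script):
    """Return ({rule set: {rule number: {field: value}}}, [(interface, direction, rule set)])."""
    rulesets, refs = {}, []
    for line in script.splitlines():
        w = line.split()
        if len(w) < 4 or w[0] != "set":
            continue
        if w[1:3] == ["firewall", "name"]:
            rs = rulesets.setdefault(w[3], {})
            # "rule N <field words> <value>"; descriptions are free text, so skip them
            if len(w) > 7 and w[4] == "rule" and w[6] != "description":
                rs.setdefault(int(w[5]), {})[" ".join(w[6:-1])] = w[-1]
        elif w[1] == "interfaces" and "firewall" in w:
            i = w.index("firewall")
            refs.append((" ".join(w[2:i]), w[i + 1], w[i + 3]))
    return rulesets, refs

def undefined_references(rulesets, refs):
    """Rule sets attached to an interface but never defined; commit would fail on these."""
    return sorted({name for _, _, name in refs if name not in rulesets})

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def _port(value):
    return int(value) if value.isdigit() else PORT_NAMES[value]

def matches(rule, pkt):
    """True if every match field of the rule fits the packet; enabled states are ORed."""
    states = {f.split()[1] for f, v in rule.items()
              if f.startswith("state ") and v == "enable"}
    if states and pkt.get("state", "new") not in states:
        return False
    for field, value in rule.items():
        if field.startswith("state ") or field in ("action", "log"):
            continue
        if field == "protocol" and pkt["proto"] != value:
            return False
        if field == "source address" and not _in(pkt["src"], value):
            return False
        if field == "destination address" and not _in(pkt["dst"], value):
            return False
        if field == "destination port" and pkt.get("dport") != _port(value):
            return False
        if field == "icmp type" and pkt.get("icmp_type") != int(value):
            return False
    return True

def evaluate(ruleset, pkt):
    """First matching rule wins; with no match, Vyatta's implicit default is drop."""
    for num in sorted(ruleset):
        if matches(ruleset[num], pkt):
            return ruleset[num].get("action", "drop"), num
    return "drop", None

if __name__ == "__main__":
    rulesets, refs = parse(SAMPLE_CONFIG)
    print("attached but undefined:", undefined_references(rulesets, refs))
    lan1_to_lan2 = {"src": "192.168.1.10", "dst": "192.168.2.10", "proto": "tcp", "dport": 445}
    print("LAN1 -> LAN2:", evaluate(rulesets["LAN-TO-LAN"], lan1_to_lan2))
    dns_query = {"src": "203.0.113.5", "dst": "198.51.100.9", "proto": "udp", "dport": 53}
    print("Internet -> router DNS:", evaluate(rulesets["TO-ROUTER"], dns_query))
```

Run it with python3: it reports LAN-TO-WAN as attached but undefined, shows the LAN1-to-LAN2 packet rejected by LAN-TO-LAN rule 20, and shows a DNS query arriving from the Internet landing on the implicit drop of TO-ROUTER.  That last result is what the caching DNS section below relies on when it leaves dnsmasq listening on every interface.  To check your own script, replace SAMPLE_CONFIG with the text you are about to paste.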

Troubleshooting

This command will report what Linux sees on the PCI bus.  Check that it correctly identifies the ADSL board.

lspci

00:08.0 Network controller: Globespan Semiconductor Inc. Pulsar [PCI ADSL Card] (rev 01)

This command will show you which kernel modules (drivers) are loaded.  If the wanpipe modules aren't loaded, Vyatta didn't find your ADSL card.  Try removing and reapplying power (not just a reboot) and/or reseating the ADSL card.  Maybe even try a different slot.

lsmod

wanec                 326456  0
wanpipe_lip           103300  0
af_wanpipe             34496  0
wanpipe               435356  0
wanpipe_syncppp        27864  1 wanpipe
wanrouter              39528  5 wanec,wanpipe_lip,af_wanpipe,wanpipe,wanpipe_syncppp
sdladrv                65152  2 wanpipe,wanrouter

Caching DNS

Using a caching DNS server on the Vyatta router will improve the performance of just one aspect of Internet access: DNS lookups.  It can result in a snappier browsing experience.

Do not bother with this if you already have a DNS server on your internal network(s)...for example a domain-based Windows network.

wget http://packages.vyatta.com/vyatta-dev/pool/islavista/main/dnsmasq_2.45-1_all.deb
wget http://packages.vyatta.com/vyatta-dev/pool/islavista/main/dnsmasq-base_2.45-1_i386.deb
wget http://packages.vyatta.com/vyatta-dev/pool/islavista/main/libdbus-1-3_1.2.1-3_i386.deb
dpkg -i dnsmasq_2.45-1_all.deb dnsmasq-base_2.45-1_i386.deb libdbus-1-3_1.2.1-3_i386.deb

You may edit the /etc/dnsmasq.conf file and specify which interface to listen on.  Since the firewall in the example above blocks outside access (the TO-ROUTER rule set accepts nothing on port 53, so queries arriving on pppoe0 fall through to the implicit drop), I'll skip this.

You may also want to increase the cache size from the default of 150.  It may improve the performance at the cost of some memory.

cache-size=2000

The integrated dnsmasq DHCP server is disabled by default...good.  We already use the Vyatta DHCP server function.

Beep When Fully Booted

wget http://http.us.debian.org/debian/pool/main/b/beep/beep_1.2.2-22_i386.deb
dpkg -i beep_1.2.2-22_i386.deb

echo "beep -l 200 -f 750 -n  -l 200 -f 1000" >> /etc/init.d/rc.local

Last Updated on Monday, 31 January 2011 12:53