The greatest challenge to any thinker is stating the problem in a way that will allow a solution

Bertrand Russell

On 8 Nov 2011

Networking


While not a daily requirement, every so often I find myself needing to set up a virtual router. The first time I came across Vyatta was when setting up a VMware lab-in-a-box, and more recently to replicate the functionality provided by the Virtual Router in a VMware Lab Manager unfenced lab (I’ll explain later if you don’t know what that is).

The best part of a Vyatta router is, like most things in life, that it’s free (the Core version, which provides all the routing functions you’d normally expect from a router).

This post will take you through the basic set-up of a router, and then some configuration examples for a few useful set-ups.

The one vaguely irritating thing about Vyatta is that you have to register to download the manuals, which is an inconvenience; on the other hand, the manuals are very good.

I’ll assume in this post that you’re setting up your router in a virtual (VMware) environment, but you can of course use physical hardware if that fits your needs.

Basic Set-Up

This section will get your router onto the network so it can be configured further via SSH.

  1. Download the latest version, in OVF format if you’re going virtual or ISO if you’re going physical
  2. Once you’ve created a VM from the OVF or installed onto a physical machine, boot it up
  3. Log in via the local (VI Client) console, using the default user/pass vyatta / vyatta
  4. Enter the following to get your router onto the network (edit router name, IP address and default gateway as appropriate)…
configure
set system host-name my-router
set interfaces ethernet eth0 address 192.168.10.10/24
set system gateway-address 192.168.10.1
set service ssh
commit
save

You should now be able to SSH (using PuTTY etc.) to your router.

Initial Set-Up

A basic appreciation of security suggests that you should change the default admin user/pass. Even if you don’t expect your router to be publicly accessible it is good practice to get rid of default logins; vyatta / vyatta is the first thing anyone who finds the SSH port will try.

The following example creates a new admin user (administrator / mypassword – have more imagination for your own set-up..!!) and then deletes the default vyatta user. Commit after creating the new user and check that you can log in with it in a second SSH session before you delete vyatta, otherwise you can lock yourself out of the router. The password is typed in plaintext but is hashed on commit; the saved configuration will show it as an encrypted-password…

set system login user administrator
set system login user administrator authentication plaintext-password mypassword
set system login user administrator level admin
commit
delete system login user vyatta
commit
save

Next on the to-do list, to my mind, is to configure your interfaces. Label/describe them all, and add IP addresses where appropriate. For example, to add a description to the main interface, and add an additional interface, do something like…

set interfaces ethernet eth0 description "Main / Outside network"
set interfaces ethernet eth1 address 10.0.0.1/24
set interfaces ethernet eth1 description "Internal network"

Once committed, devices on the two networks will be able to pass traffic between them via the router (provided each side uses the router as its gateway, or has a route for the other network). Note that nothing is filtered at this point: with no firewall configured, Vyatta forwards everything.

Network Address Translation (NAT)

NAT allows devices on one network to appear as though they are on another network. It is most commonly used to let devices on a private address range (e.g. 10.0.0.0/8) communicate with devices in the public address space, though there are many other applications.

This is achieved by the router rewriting the header of each IP packet as it passes through, replacing the source or destination IP address and/or port as required, and remembering the translation so that the reply can be mapped back to the original device.

Masquerade

This is synonymous with the NAT commonly performed by household broadband routers for outgoing internet connections, whereby numerous internal devices (PCs, laptops, smartphones, etc.) all communicate out onto the internet through the single public address assigned to your broadband router. It allows all internal devices to behave/hide/masquerade behind a single address.

The following example allows all internal devices in the 10.0.0.0/24 range to be dynamically NAT’ed out through the eth0 interface. To the outside world it will appear as if all connections are coming from the router itself (rather than the devices behind it)…

set service nat rule 10 type masquerade
set service nat rule 10 description OUTGOING_DYNAMIC_NAT
set service nat rule 10 source address 10.0.0.0/24
set service nat rule 10 outbound-interface eth0

…the rule number (10) is user defined and can be any number from 1 to 9999. Rules are evaluated in ascending order and the first matching rule is applied, so give specific rules (a single host) lower numbers than catch-all rules (a whole subnet), otherwise the catch-all swallows the traffic before the specific rule is reached.

Outgoing / Source Translation

This is a more controlled version of the above, whereby each internal device (or range) is explicitly mapped to an outgoing IP address. The outgoing address can either be that of the router itself, or additional addresses can be configured on the outside interface for use by internal devices.

The following example creates a new address on the outside eth0 interface (192.168.10.11), and allows the internal device on 10.0.0.28 to communicate with the outside network using 192.168.10.11. If you combine this with the masquerade rule 10 above, number it below 10: 10.0.0.28 is inside 10.0.0.0/24, so rule 10 would otherwise match it first.

set interfaces ethernet eth0 address 192.168.10.11/24
set service nat rule 20 description OUTGOING_FOR_28
set service nat rule 20 type source
set service nat rule 20 outbound-interface eth0
set service nat rule 20 source address 10.0.0.28
set service nat rule 20 outside-address address 192.168.10.11
set service nat rule 20 protocol all

Note that devices in the outside network still cannot initiate connections in to 10.0.0.28 (only replies to connections it opened are translated back); for that you need incoming destination translation.
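To make the mechanism concrete, here is an added example (not Vyatta code, and not part of the original post) that models how a NAT rule set rewrites address/port tuples: rules are tried in ascending number order, the first match wins, and a translation table lets replies find their way back. It replays this page's rules 10, 20 and 30 (rule 30, the destination translation, is configured in the next section) against constructed hosts and ports, and shows both why an unsolicited packet to 192.168.10.11 goes nowhere and why rule 20 needs a lower number than rule 10.

```python
"""Toy model of how a Vyatta NAT rule set rewrites address/port tuples.

Added example, not Vyatta code: it models rule evaluation (ascending rule
number, first match wins) and the connection tracking that lets replies find
their way back, for the masquerade, source and destination rules on this page.
All hosts and ports below are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    number: int                          # rules are evaluated in ascending order
    kind: str                            # "masquerade", "source" or "destination"
    match: str                           # 'source address' (outbound) or 'destination address' (inbound)
    translate_to: Optional[str] = None   # 'outside-address' / 'inside-address'; None = router's own


class NatRouter:
    def __init__(self, outside_ip: str, rules: List[NatRule]):
        self.outside_ip = outside_ip
        self.rules = sorted(rules, key=lambda r: r.number)
        self.next_port = 1024
        self.snat_table: Dict[Flow, Tuple[str, int]] = {}  # translated outbound flow -> (inside ip, port)
        self.dnat_table: Dict[Flow, str] = {}               # inside host's reply flow -> public address

    @staticmethod
    def _matches(ip: str, prefix: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)

    def outbound(self, p: Packet) -> Packet:
        """Packet leaving via eth0 (inside -> outside)."""
        public = self.dnat_table.get((p.src, p.sport, p.dst, p.dport))
        if public is not None:  # reply to a connection that came in through a destination rule
            return Packet(public, p.sport, p.dst, p.dport)
        for rule in self.rules:
            if rule.kind in ("masquerade", "source") and self._matches(p.src, rule.match):
                new_src = rule.translate_to or self.outside_ip
                new_sport, self.next_port = self.next_port, self.next_port + 1  # unique per flow
                self.snat_table[(new_src, new_sport, p.dst, p.dport)] = (p.src, p.sport)
                return Packet(new_src, new_sport, p.dst, p.dport)
        return p  # no rule matched: forwarded with its private source address intact

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Packet arriving on eth0 (outside -> inside); None means it is dropped."""
        original = self.snat_table.get((p.dst, p.dport, p.src, p.sport))
        if original is not None:  # reply to a flow we translated on the way out
            return Packet(p.src, p.sport, original[0], original[1])
        for rule in self.rules:
            if rule.kind == "destination" and self._matches(p.dst, rule.match):
                inside = rule.translate_to
                self.dnat_table[(inside, p.dport, p.src, p.sport)] = p.dst
                return Packet(p.src, p.sport, inside, p.dport)
        return None  # unsolicited and no destination rule covers it: nothing inside is reachable


def demo() -> dict:
    """Replays the page's rules 10, 20 and 30 against constructed traffic."""
    page_rules = [
        NatRule(10, "masquerade", "10.0.0.0/24"),                  # OUTGOING_DYNAMIC_NAT
        NatRule(20, "source", "10.0.0.28", "192.168.10.11"),       # OUTGOING_FOR_28
        NatRule(30, "destination", "192.168.10.12", "10.0.0.35"),  # INCOMING_FOR_35
    ]
    r, out = NatRouter("192.168.10.10", page_rules), {}
    # masquerade: 10.0.0.5 talks to an outside web server; the reply is mapped back to it
    o = r.outbound(Packet("10.0.0.5", 40000, "192.168.10.50", 80))
    back = r.inbound(Packet("192.168.10.50", 80, o.src, o.sport))
    out["masq_src"], out["masq_reply_dst"] = o.src, (back.dst, back.dport)
    # ordering pitfall: rule 10 already covers 10.0.0.28, so rule 20 is never reached
    out["host28_page_order"] = r.outbound(Packet("10.0.0.28", 40001, "192.168.10.50", 443)).src
    # give the specific rule a lower number and 10.0.0.28 leaves as 192.168.10.11
    fixed = NatRouter("192.168.10.10", [NatRule(5, "source", "10.0.0.28", "192.168.10.11")] + page_rules)
    out["host28_specific_first"] = fixed.outbound(Packet("10.0.0.28", 40001, "192.168.10.50", 443)).src
    # unsolicited inbound to 192.168.10.11 is dropped: source NAT alone does not open anything
    out["unsolicited_to_11"] = r.inbound(Packet("192.168.10.50", 50000, "192.168.10.11", 22))
    # destination rule 30: connection reaches 10.0.0.35 and its reply leaves as 192.168.10.12
    i = r.inbound(Packet("192.168.10.50", 50001, "192.168.10.12", 22))
    out["dnat_inside_dst"] = i.dst
    out["dnat_reply_src"] = r.outbound(Packet(i.dst, i.dport, i.src, i.sport)).src
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and `host28_page_order` comes out as 192.168.10.10, not 192.168.10.11: with the page's numbering the masquerade rule catches 10.0.0.28 before the dedicated source rule is considered. The model also drops the unsolicited packet to 192.168.10.11, which is the behaviour the paragraph above describes.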

Incoming / Destination Translation

Destination NAT allows internal devices to be accessible to the outside world, so that they can be connected into.

The following example creates a new address on the outside eth0 interface (192.168.10.12), and allows the internal device on 10.0.0.35 to be connected to from the outside network using 192.168.10.12. With protocol all, every port on 10.0.0.35 becomes reachable from the outside network; for a real service, restrict the rule (protocol tcp plus a destination port) and put a firewall rule set on eth0 in the in direction so that only the intended service is allowed through.

set interfaces ethernet eth0 address 192.168.10.12/24
set service nat rule 30 description INCOMING_FOR_35
set service nat rule 30 type destination
set service nat rule 30 inbound-interface eth0
set service nat rule 30 destination address 192.168.10.12
set service nat rule 30 inside-address address 10.0.0.35
set service nat rule 30 protocol all
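Before committing a configuration like the ones in this post, it is worth checking it for the things a security review would raise. The following is an added example (not part of Vyatta or of the original post) that parses Vyatta-style set/delete commands into a nested dict and audits them: a default account still present, a destination NAT rule that exposes an inside host on every protocol and port, and no firewall at all. SAMPLE_CONFIG is constructed from this page's own commands (with a stand-in line for the default vyatta account); HARDENED_CONFIG narrows rule 30 and adds a firewall using standard Vyatta firewall syntax that is not shown on this page.

```python
"""Audit a Vyatta-style list of 'set' / 'delete' commands before committing it.

Added example, not part of Vyatta: it parses the commands into a nested dict
and flags what a security review of this page's configuration would raise.
SAMPLE_CONFIG is constructed from the page's own commands; the firewall
commands in HARDENED_CONFIG are standard Vyatta syntax not shown on the page."""
import shlex
from typing import Dict, List, Optional

# constructed input; the first line stands in for the default account present on a fresh install
SAMPLE_CONFIG = """
set system login user vyatta level admin
set system host-name my-router
set interfaces ethernet eth0 address 192.168.10.10/24
set system gateway-address 192.168.10.1
set service ssh
set system login user administrator authentication plaintext-password mypassword
set system login user administrator level admin
set interfaces ethernet eth1 address 10.0.0.1/24
set service nat rule 10 type masquerade
set service nat rule 10 source address 10.0.0.0/24
set service nat rule 10 outbound-interface eth0
set interfaces ethernet eth0 address 192.168.10.12/24
set service nat rule 30 type destination
set service nat rule 30 inbound-interface eth0
set service nat rule 30 destination address 192.168.10.12
set service nat rule 30 inside-address address 10.0.0.35
set service nat rule 30 protocol all
"""

# same router with the default account removed, rule 30 narrowed to one service, and a
# stateful firewall on eth0 in; the inbound firewall is evaluated after destination NAT,
# which is why the accept rule matches the inside address rather than 192.168.10.12
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "set service nat rule 30 protocol all",
    "set service nat rule 30 protocol tcp\nset service nat rule 30 destination port 443",
) + """
delete system login user vyatta
set firewall name OUTSIDE-IN default-action drop
set firewall name OUTSIDE-IN rule 5 action accept
set firewall name OUTSIDE-IN rule 5 state established enable
set firewall name OUTSIDE-IN rule 5 state related enable
set firewall name OUTSIDE-IN rule 10 action accept
set firewall name OUTSIDE-IN rule 10 protocol tcp
set firewall name OUTSIDE-IN rule 10 destination address 10.0.0.35
set firewall name OUTSIDE-IN rule 10 destination port 443
set interfaces ethernet eth0 firewall in name OUTSIDE-IN
"""


def parse_commands(text: str) -> Dict:
    """Build a nested dict: each word of a 'set' path becomes a key, so
    'set service nat rule 30 type destination' -> tree['service']['nat']['rule']['30']['type']['destination'].
    'delete <path>' removes the node at that path."""
    tree: Dict = {}
    for line in text.splitlines():
        words = shlex.split(line)  # keeps quoted descriptions such as "Internal network" together
        if not words:
            continue
        verb, path = words[0], words[1:]
        node = tree
        if verb == "set":
            for word in path:
                node = node.setdefault(word, {})
        elif verb == "delete":
            for word in path[:-1]:
                node = node.get(word, {})
            node.pop(path[-1], None)
    return tree


def leaf(node: Dict, key: str) -> Optional[str]:
    """Value of a single-valued node: leaf({'type': {'destination': {}}}, 'type') -> 'destination'."""
    return next(iter(node.get(key, {})), None)


def audit(tree: Dict) -> List[str]:
    """Return the findings a reviewer would raise; an empty list means none."""
    findings: List[str] = []
    users = tree.get("system", {}).get("login", {}).get("user", {})
    if "vyatta" in users:
        findings.append("default account 'vyatta' is still present; delete it once your own admin user works")
    for num, rule in tree.get("service", {}).get("nat", {}).get("rule", {}).items():
        if leaf(rule, "type") != "destination":
            continue
        proto = leaf(rule, "protocol") or "all"
        port = leaf(rule.get("destination", {}), "port")
        if proto == "all" or port is None:
            target = leaf(rule.get("inside-address", {}), "address")
            findings.append(f"nat rule {num}: protocol {proto}, port {port or 'any'} exposes {target} "
                            "far more widely than one service needs")
    if "firewall" not in tree:
        findings.append("no firewall rule set is defined; everything that routes or translates is allowed through")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_commands(cfg)) or ["no findings"])
```

Against the page's configuration the audit reports three findings; against the hardened version it reports none. The firewall's rule 5 (established/related) matters in practice: with default-action drop and no state rule, the replies to your masqueraded outbound connections would be dropped on their way back in through eth0.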
