Vyatta Internet Gateway Router Howto - DHCP Written by Gene Cooper Friday, 24 October 2008 11:02 - Last Updated Monday, 31 January 2011 12:53

This document will show one way of configuring the Vyatta router as an Internet firewall/gateway and will demonstrate the configuration for use with a cable modem. Furthermore, the LAN interfaces are (optionally) firewalled off from each other.

Reference

Vyatta Open Source Router

Vyatta Forums

Application

Installation

Connect the new Vyatta router to your existing (test/configuration/shop) network using the first network port on the router (eth0)...usually the one on the left closest to the keyboard/mouse connectors. If your Ethernet ports are arranged vertically, eth0 is probably on the top. We'll use the DHCP server already on our network to give the new Vyatta router temporary access to the Internet for its updates.

Download the latest Vyatta Live CD ISO image, burn it to a CD and boot it on the router hardware, possibly using a USB external CD-ROM drive.

Login as 'vyatta' with password 'vyatta'. These are the published defaults for every Vyatta install; the configuration script below replaces them, and the router should not be put in front of the cable modem until it has.

There are two methods of installation: disk-based and image-based.  I think image-based is probably the newer, better method, but until I'm comfortable with it I'll stick to the old way.

Install to the hard drive/CF card/USB key. You'll need a minimum 1GB storage device, but 2GB or more is recommended for production use.

sudo install-system

Disconnect the USB CDROM, if you used one, during the first reboot.

Initial Console Configuration

Configure an Internet connection to use for upgrading/updating the Vyatta installation:

configure
set interfaces ethernet eth0 address dhcp
commit
save
exit

Next, we perform the update/upgrade:

sudo full-upgrade
sudo full-upgrade -k
reboot

This leaves the router in an updated, but mostly unconfigured state. At this point, you can simply enter configuration commands at the console, or you could configure SSH access to the router and use cut n' paste.

Initial SSH Access (Optional) If you want to finish the configuration via SSH instead of standing at the router console, choose a network interface to connect to for configuration purposes. It is best to choose an interface that will be one of the internal LAN interfaces in your final configuration. We'll use 'eth1' here because that will work in most configurations where we use eth0 as the WAN port.

The configuration below assumes the use of eth1 and the IP address 192.168.1.1 on that port.

configure
set interfaces ethernet eth1 address 192.168.1.1/24
set service ssh
commit
save
exit

Until the TO-ROUTER firewall is attached to eth0 later in the script, SSH is reachable on every interface, including eth0, so keep the router on the shop network rather than on the live modem while you configure it.

Connect Your Configuration PC

Now connect your workstation/notebook to eth1 on the Vyatta router...probably the second ethernet from the left (or top). Configure your workstation IP address to 192.168.1.22 (or any other unused 192.168.1.0/24 address) and SSH into the router to continue your configuration. Make sure you get a link light when both devices are turned on. You may need a crossover cable if you don't get a link light.

Here are sample Linux commands to configure your workstation/notebook and to connect to the router. If you use Microsoft Windows, use Network Properties. The first command simply adds a second IP address to your workstation's eth0 interface so as not to interrupt your existing connections. Adjust as necessary:

sudo ifconfig eth0:0 192.168.1.22
ssh -l vyatta 192.168.1.1

Program the Router

You can cut and paste from the following script, once you edit it for your application. I have found it's not always possible to paste the whole configuration in one go. You may have to paste a section at a time.

I have commented out a few lines (such as "#configure") that are optional or that might give you an error and ruin your configuration. Use your own judgement as to whether you need to run any of the commented lines.

You can always 'discard' any uncommitted changes and redo. You can also just reboot the router to discard any committed, but unsaved changes.  Don't 'save' until you are sure the commands worked properly.

You must issue a 'commit' command to actuate any changes and you must issue a 'save' command for your committed changes to survive a reboot.

#### Generic 3-Port Internet Gateway ###

### configure System options
#configure
set system host-name your-router-name
set system domain-name your.domain
# use tab key for time zone choices
set system time-zone America/Phoenix
# these are free OpenDNS servers
set system name-server 208.67.222.222
set system name-server 208.67.220.220
# replace the default vyatta/vyatta credentials; both accounts can reach the console and SSH
set system login user vyatta authentication plaintext-password your-vyatta-password
set system login user root authentication plaintext-password your-root-password
# optionally enable logging to the console
#set system syslog console

### configure Interface options
## Internet (WAN) interface uses DHCP to get its IP address
# the next line is commented out as it was previously configured
#set interfaces ethernet eth0 address dhcp
# 'in' filters traffic forwarded through eth0, 'local' filters traffic for the router itself
set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
set interfaces ethernet eth0 firewall local name TO-ROUTER
#show interfaces
## Internal LAN #1 router interface
# the next line is commented out as it was previously configured
#set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 firewall in name LAN-TO-LAN
## Internal LAN #2 router interface
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 firewall in name LAN-TO-LAN
#show interfaces

### configure Services options
## enable web browser configuration via HTTPS (optional)
# TO-ROUTER does not open port 443, so the web GUI is reachable only from the LAN interfaces
set service https
## enable SSH access on the non-standard port 222 (optional)
#set service ssh port 222
## configure DHCP server (optional)
# DHCP serving internal LAN #1 on eth1 (optional)
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 start 192.168.1.65 stop 192.168.1.199
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 default-router 192.168.1.1
# the next line hands clients the router's caching DNS (configured below); remove it if you skip DNS forwarding
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 208.67.220.220
set service dhcp-server shared-network-name ETH1_POOL authoritative enable
# DHCP serving internal LAN #2 on eth2 (optional)
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 start 192.168.2.65 stop 192.168.2.199
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 default-router 192.168.2.1
# the next line hands clients the router's caching DNS (configured below); remove it if you skip DNS forwarding
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name ETH2_POOL subnet 192.168.2.0/24 dns-server 208.67.220.220
set service dhcp-server shared-network-name ETH2_POOL authoritative enable
#show service dhcp-server
## configure Caching DNS (Optional but speeds up client DNS queries)
# listen only on the LAN interfaces so the router is not an open resolver on the WAN side
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2

## configure NAT (Optional but needed for private (RFC 1918) internal address ranges)
# here we configure NAT from all private (RFC 1918) internal address ranges
set service nat rule 10 source address 192.168.0.0/16
set service nat rule 10 outbound-interface eth0
set service nat rule 10 type masquerade
set service nat rule 20 source address 172.16.0.0/12
set service nat rule 20 outbound-interface eth0
set service nat rule 20 type masquerade
set service nat rule 30 source address 10.0.0.0/8
set service nat rule 30 outbound-interface eth0
set service nat rule 30 type masquerade
#show service nat

### configure Firewall options
# a named ruleset with no default-action drops whatever no rule accepts;
# FROM-EXTERNAL and TO-ROUTER below rely on that implicit drop
## FROM-EXTERNAL
set firewall name FROM-EXTERNAL description "Block Unwanted Internet Traffic"
# rule 10
set firewall name FROM-EXTERNAL rule 10 description "Accept Established-Related Connections"
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable
set firewall name FROM-EXTERNAL rule 10 log disable

## TO-ROUTER
set firewall name TO-ROUTER description "Traffic Destined for Router Itself"
# rule 10
set firewall name TO-ROUTER rule 10 description "Accept Established-Related Connections"
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable
set firewall name TO-ROUTER rule 10 log disable
# rule 20
set firewall name TO-ROUTER rule 20 description "SSH Access"
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol tcp
# adjust the source address for permitted SSH access to your needs; without a source
# restriction every host on the Internet can reach the SSH login prompt
set firewall name TO-ROUTER rule 20 source address 209.193.64.248/29
# adjust the port you want to run SSH on here (ex. 222 instead of ssh)
set firewall name TO-ROUTER rule 20 destination port ssh
set firewall name TO-ROUTER rule 20 log disable
# rule 30
set firewall name TO-ROUTER rule 30 description "Accept ICMP Unreachable"
set firewall name TO-ROUTER rule 30 action accept
set firewall name TO-ROUTER rule 30 protocol icmp
set firewall name TO-ROUTER rule 30 icmp type 3
set firewall name TO-ROUTER rule 30 log disable
# rule 32
set firewall name TO-ROUTER rule 32 description "Accept ICMP Echo Request"
set firewall name TO-ROUTER rule 32 action accept
set firewall name TO-ROUTER rule 32 protocol icmp
set firewall name TO-ROUTER rule 32 icmp type 8
set firewall name TO-ROUTER rule 32 log disable
# rule 34
set firewall name TO-ROUTER rule 34 description "Accept ICMP Time-Exceeded"
set firewall name TO-ROUTER rule 34 action accept
set firewall name TO-ROUTER rule 34 protocol icmp
set firewall name TO-ROUTER rule 34 icmp type 11
set firewall name TO-ROUTER rule 34 log disable

## LAN-TO-LAN
# this firewall is fairly loose and the default accept policy
# makes it easy to allow interaction between internal subnets.
# It is attached 'in' on eth1 and eth2, so it sees traffic forwarded between
# the LANs and out to the Internet, not traffic to the router itself.
set firewall name LAN-TO-LAN description "Block Internal LAN Interaction"
set firewall name LAN-TO-LAN default-action accept
# rule 10 - blocks LAN #2 hosts from reaching LAN #1
set firewall name LAN-TO-LAN rule 10 description "Block 192.168.1.x From 192.168.2.x"
set firewall name LAN-TO-LAN rule 10 action reject
set firewall name LAN-TO-LAN rule 10 source address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 10 destination address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 10 log disable
# rule 20 - blocks LAN #1 hosts from reaching LAN #2
set firewall name LAN-TO-LAN rule 20 description "Block 192.168.2.x From 192.168.1.x"
set firewall name LAN-TO-LAN rule 20 action reject
set firewall name LAN-TO-LAN rule 20 source address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 20 destination address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 20 log disable
# rule 30
set firewall name LAN-TO-LAN rule 30 description "Block 192.168.x.x From 172.16.x.x"
set firewall name LAN-TO-LAN rule 30 action reject
set firewall name LAN-TO-LAN rule 30 source address 172.16.0.0/12
set firewall name LAN-TO-LAN rule 30 destination address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 30 log disable
# rule 40
set firewall name LAN-TO-LAN rule 40 description "Block 172.16.x.x From 192.168.x.x"
set firewall name LAN-TO-LAN rule 40 action reject
set firewall name LAN-TO-LAN rule 40 source address 192.168.0.0/16
# RFC 1918 space is 172.16.0.0/12; the /8 in the original would have blocked all of 172.0.0.0/8,
# including public addresses, because the kernel ignores host bits in a prefix
set firewall name LAN-TO-LAN rule 40 destination address 172.16.0.0/12
set firewall name LAN-TO-LAN rule 40 log disable
# rule 50
set firewall name LAN-TO-LAN rule 50 description "Block 192.168.x.x From 10.x.x.x"
set firewall name LAN-TO-LAN rule 50 action reject
set firewall name LAN-TO-LAN rule 50 source address 10.0.0.0/8
set firewall name LAN-TO-LAN rule 50 destination address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 50 log disable
# rule 60
set firewall name LAN-TO-LAN rule 60 description "Block 10.x.x.x From 192.168.x.x"
set firewall name LAN-TO-LAN rule 60 action reject
set firewall name LAN-TO-LAN rule 60 source address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 60 destination address 10.0.0.0/8
set firewall name LAN-TO-LAN rule 60 log disable
#commit
#save

WAN Static IP Address

If you have a static IP address for your WAN (Internet) interface, you would use these two commands in configure mode:

set system gateway-address your.wan.gw.ip
set interfaces ethernet eth0 address your.exter.nal.ip/mask
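Before pasting a script like the one above into a router, it is worth running it through a small sanity check. The following is an added example, not part of the original howto or of Vyatta: it tokenises 'set' lines the way the CLI does and flags three classes of cut-and-paste mistake (a prefix with host bits set, which the firewall silently widens to its network; a firewall ruleset referenced on an interface but never defined, or left without an explicit default-action; and a DHCP pool whose lease range lies outside its subnet or swallows the default-router). The embedded excerpt is constructed from the page's script and keeps the rule 40 prefix as it was originally printed, 172.16.0.0/8, so the check has something to find.

```python
"""Sanity-check a Vyatta 'set' script before committing it.

Added illustration, not Vyatta code. It understands only the handful of
statement shapes used on this page.
"""
from ipaddress import ip_address, ip_network

# Constructed excerpt of the page's script; rule 40 carries the /8 as originally printed.
PAGE_EXCERPT = """\
set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
set interfaces ethernet eth0 firewall local name TO-ROUTER
set interfaces ethernet eth1 firewall in name LAN-TO-LAN
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 firewall in name LAN-TO-LAN
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 start 192.168.1.65 stop 192.168.1.199
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 default-router 192.168.1.1
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name TO-ROUTER rule 20 source address 209.193.64.248/29
set firewall name LAN-TO-LAN default-action accept
set firewall name LAN-TO-LAN rule 30 source address 172.16.0.0/12
set firewall name LAN-TO-LAN rule 40 destination address 172.16.0.0/8
"""


def lint(script: str) -> list:
    """Return a list of human-readable findings for the 'set' lines in script."""
    findings = []
    defined, with_default, referenced, pools = set(), set(), {}, {}
    for line in script.splitlines():
        tok = line.split()
        if not tok or tok[0] != "set":
            continue
        # 1. Prefixes with host bits set are accepted by the CLI but widened by the
        #    kernel; interface addresses are host/prefix by design, so skip those.
        if tok[1] != "interfaces":
            for t in tok:
                if "/" in t and t[0].isdigit():
                    try:
                        ip_network(t)
                    except ValueError:
                        findings.append(f"{t}: host bits set, kernel will use "
                                        f"{ip_network(t, strict=False)}")
        # 2. Ruleset definitions versus references from interfaces.
        if tok[1:3] == ["firewall", "name"]:
            defined.add(tok[3])
            if "default-action" in tok:
                with_default.add(tok[3])
        elif tok[1:3] == ["interfaces", "ethernet"] and "firewall" in tok:
            referenced[tok[-1]] = tok[3]
        # 3. DHCP pool parameters, keyed by (pool name, subnet).
        elif tok[1:3] == ["service", "dhcp-server"] and "subnet" in tok:
            i = tok.index("subnet")
            pool = pools.setdefault((tok[4], tok[i + 1]), {})
            for key in ("start", "stop", "default-router"):
                if key in tok:
                    pool[key] = tok[tok.index(key) + 1]
    for name, iface in referenced.items():
        if name not in defined:
            findings.append(f"{iface} references firewall {name}, which is never defined")
    for name in sorted(defined - with_default):
        findings.append(f"firewall {name}: no default-action set, unmatched traffic is dropped")
    for (pool, subnet), p in pools.items():
        net = ip_network(subnet)
        if "start" in p and "stop" in p:
            start, stop = ip_address(p["start"]), ip_address(p["stop"])
            if start not in net or stop not in net or start > stop:
                findings.append(f"{pool}: range {start}-{stop} is not inside {subnet}")
            elif "default-router" in p and start <= ip_address(p["default-router"]) <= stop:
                findings.append(f"{pool}: default-router {p['default-router']} lies inside the lease range")
    return findings


if __name__ == "__main__":
    for finding in lint(PAGE_EXCERPT):
        print(finding)
```

Run against the excerpt it reports the widened 172.16.0.0/8 and notes that FROM-EXTERNAL and TO-ROUTER rely on the implicit drop; the DHCP pool passes because the router address .1 sits below the .65-.199 lease range. Paste your own edited script in place of the excerpt before you commit it.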

Port Forwarding (Destination NAT)

Please note that destination NAT happens before the firewall, so the FROM-EXTERNAL rule that opens the forwarded ports must match the translated destination, i.e. the internal server's address, not your external IP. Every port in the list becomes reachable from the whole Internet, so trim it to what the server actually serves.

You can use service names from /etc/services or you can use port numbers, or you can even mix names and numbers.

set service nat rule 2 description "Ports Forwarded to the Mail Server"
set service nat rule 2 type destination
# required for destination rules on Vyatta 6.x
set service nat rule 2 inbound-interface eth0
set service nat rule 2 protocol tcp
set service nat rule 2 destination address your.exter.nal.ip
set service nat rule 2 destination port smtp,ssmtp,http,https,pop3s,imaps
set service nat rule 2 inside-address address mail.svr.internal.ip
set firewall name FROM-EXTERNAL rule 20 description "Accept Authorized Services for Mail Server"
set firewall name FROM-EXTERNAL rule 20 action accept
set firewall name FROM-EXTERNAL rule 20 protocol tcp
set firewall name FROM-EXTERNAL rule 20 destination address mail.svr.internal.ip
set firewall name FROM-EXTERNAL rule 20 destination port smtp,ssmtp,http,https,pop3s,imaps
set firewall name FROM-EXTERNAL rule 20 log disable
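The two firewall points made above, first-match evaluation with a per-ruleset default in LAN-TO-LAN and destination NAT running ahead of FROM-EXTERNAL, are easy to get wrong without a way to ask "what happens to this packet?". The following added example (not Vyatta's code and not part of the original howto) models both: a Vyatta-style ruleset evaluator fed the page's LAN-TO-LAN and FROM-EXTERNAL rules, plus a DNAT step for NAT rule 2. The external and mail-server addresses are placeholders for your.exter.nal.ip and mail.svr.internal.ip, and the 172.217.14.99 destination is simply a public address inside 172.0.0.0/8.

```python
"""Model how the page's rulesets decide a packet.

Added illustration, not Vyatta's own code or the howto's. First matching
rule wins, then the ruleset default; DNAT rewrites the destination before
the forward firewall sees the packet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "new"            # conntrack state: new, established or related


@dataclass
class Rule:
    number: int
    action: str                   # accept, drop or reject
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = ""               # empty matches any protocol
    dports: frozenset = frozenset()
    states: frozenset = frozenset()

    def matches(self, p: Packet) -> bool:
        # strict=False widens a prefix with host bits set (172.16.0.0/8 becomes
        # 172.0.0.0/8), which is also what the kernel does with such a rule.
        return (ip_address(p.src) in ip_network(self.src, strict=False)
                and ip_address(p.dst) in ip_network(self.dst, strict=False)
                and (not self.proto or self.proto == p.proto)
                and (not self.dports or p.dport in self.dports)
                and (not self.states or p.state in self.states))


def evaluate(rules, default_action, p):
    """Lowest-numbered matching rule decides; otherwise the ruleset default."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.action, r.number
    return default_action, None


def lan_to_lan(rule40_dst="172.16.0.0/8"):
    """LAN-TO-LAN as originally printed; pass "172.16.0.0/12" for the corrected rule 40."""
    return [
        Rule(10, "reject", "192.168.2.0/24", "192.168.1.0/24"),
        Rule(20, "reject", "192.168.1.0/24", "192.168.2.0/24"),
        Rule(30, "reject", "172.16.0.0/12", "192.168.0.0/16"),
        Rule(40, "reject", "192.168.0.0/16", rule40_dst),
        Rule(50, "reject", "10.0.0.0/8", "192.168.0.0/16"),
        Rule(60, "reject", "192.168.0.0/16", "10.0.0.0/8"),
    ]


EXTERNAL_IP = "203.0.113.10"      # placeholder (TEST-NET-3) for your.exter.nal.ip
MAIL_SERVER = "192.168.1.25"      # placeholder for mail.svr.internal.ip
MAIL_PORTS = frozenset({25, 465, 80, 443, 995, 993})   # smtp,ssmtp,http,https,pop3s,imaps


def from_external(rule20_dst=MAIL_SERVER):
    """FROM-EXTERNAL with port-forward rule 20; the ruleset default is drop."""
    return [
        Rule(10, "accept", states=frozenset({"established", "related"})),
        Rule(20, "accept", dst=rule20_dst, proto="tcp", dports=MAIL_PORTS),
    ]


def dnat(p: Packet) -> Packet:
    """NAT rule 2: rewrite the destination before the firewall looks at the packet."""
    if p.dst == EXTERNAL_IP and p.proto == "tcp" and p.dport in MAIL_PORTS:
        return Packet(p.src, MAIL_SERVER, p.proto, p.dport, p.state)
    return p


def wan_forward(p: Packet, rules=None):
    """A forwarded packet arriving on eth0: DNAT first, then FROM-EXTERNAL."""
    return evaluate(rules if rules is not None else from_external(), "drop", dnat(p))


if __name__ == "__main__":
    lan_pkt = Packet("192.168.1.5", "192.168.2.7", "tcp", 445)
    print("LAN1 -> LAN2:", evaluate(lan_to_lan(), "accept", lan_pkt))
    public = Packet("192.168.1.5", "172.217.14.99", "tcp", 443)
    print("LAN1 -> 172.217.14.99, rule 40 /8: ", evaluate(lan_to_lan(), "accept", public))
    print("LAN1 -> 172.217.14.99, rule 40 /12:", evaluate(lan_to_lan("172.16.0.0/12"), "accept", public))
    smtp = Packet("198.51.100.7", EXTERNAL_IP, "tcp", 25)
    print("Internet -> ext:25, rule 20 on internal IP:", wan_forward(smtp))
    print("Internet -> ext:25, rule 20 on external IP:", wan_forward(smtp, from_external(EXTERNAL_IP)))
```

The last two lines of output are the point of the port-forwarding note: with rule 20 written against the internal address the SMTP packet is accepted by rule 20, but written against the external address it never matches, because by the time FROM-EXTERNAL runs the destination has already been rewritten, and the packet falls through to the implicit drop. The 172.217.14.99 case shows why the /8 in rule 40 mattered: it rejects LAN traffic to any 172.x address, not just the private block.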

Troubleshooting

This command will report what Linux sees on the PCI bus. Check that it correctly identifies any add-in cards. Here is an example showing a Sangoma ADSL card:

lspci
00:08.0 Network controller: Globespan Semiconductor Inc. Pulsar [PCI ADSL Card] (rev 01)

This command will show you which kernel modules (drivers) are loaded. If the proper modules (drivers) aren't loaded, Vyatta didn't find your hardware device. Try removing and reapplying power (not just a reboot) and/or reseating any PCI cards. Maybe even try a different slot or IRQ. This is an example showing Wanpipe drivers for an ADSL card:

lsmod
wanec 326456 0
wanpipe_lip 103300 0
af_wanpipe 34496 0
wanpipe 435356 0
wanpipe_syncppp 27864 1 wanpipe
wanrouter 39528 5 wanec,wanpipe_lip,af_wanpipe,wanpipe,wanpipe_syncppp
sdladrv 65152 2 wanpipe,wanrouter

Caching DNS

Using a caching DNS server on the Vyatta router will improve the performance of just one aspect of Internet access: DNS lookups. It can result in a snappier browsing experience.

Do not bother with this if you already have a DNS server on your internal network(s)...for example a domain-based Windows network.

You may edit the /etc/dnsmasq.conf file and specify which interface to listen on. Be aware that Vyatta generates that file from the 'service dns forwarding' configuration, so a hand edit can be overwritten by a later commit; the 'listen-on' lines in the script above are the supported way to keep the resolver off the WAN interface. Since the firewall in the example above blocks outside access, I'll skip this.

You may also want to increase the cache size from the default of 150. It may improve the performance at the cost of some memory.

cache-size=2000

The same setting is available in configure mode as 'set service dns forwarding cache-size 2000', which survives regeneration of the file. The integrated dnsmasq DHCP server is disabled by default...good. We already use the Vyatta DHCP server function.

Beep When Fully Booted

wget http://http.us.debian.org/debian/pool/main/b/beep/beep_1.2.2-24_i386.deb
sudo dpkg -i beep_1.2.2-24_i386.deb
rm beep_1.2.2-24_i386.deb
echo "beep -l 200 -f 750 -n -l 200 -f 1000" | sudo tee -a /etc/init.d/rc.local

Note that 'dpkg -i' installs whatever was fetched over plain HTTP without any signature check, unlike apt, which verifies packages against the archive keys. Compare the file's checksum with the one published in the Debian archive before installing it on a gateway, and pick the package matching your Vyatta build's architecture: the i386 package will not install on a 64-bit image.