Open Informatics
An Information Technology Company
Visit us on the web at www.openinformatics.net

Tutorial Author: Zlatan Klebic
Send Feedback: zklebic@openinformatics.net

Configuring a Vyatta 4.0 release as a DSL internet connection router/gateway with basic port forwarding to an internal web server

Tutorial Introduction

  - Configure the Vyatta router for DSL internet connection sharing
  - Configure the Vyatta router to share the internet connection across other subnets in the LAN
  - Configure the Vyatta router with a NAT service for exposing a web server to the outside world

This tutorial introduces the configuration of Vyatta routers for sharing an available DSL connection using PPPoE (Point-to-Point Protocol over Ethernet), and for sharing that DSL connection with other subnets in the LAN. Internet connection sharing with Vyatta routers provides good flexibility and scalability for small and medium-sized business or branch-office environments, since it cost-effectively allows the creation of additional subnets within the LAN that can access the internet.

Tutorial Requirements

This tutorial requires the following material for its successful completion:

  - Four available physical or virtual machines (one per router in the sample topology), each containing at least two Ethernet network interfaces. Each machine should have a clean installation of Vyatta with all of its Ethernet network interfaces detected.
  - An available DSL internet connection for testing purposes.

Tutorial Notes

This tutorial assumes the reader is familiar with the concepts of TCP/IP networking, network routing protocols and basic Vyatta commands. The tutorial has been written to demonstrate the ability of Vyatta to replace proprietary DSL routers, and to demonstrate a more flexible and reliable solution for implementing internet connection sharing in large LANs that consist of a greater number of subnets. In most cases larger LANs require.
The given configuration and LAN topology have been tested within a virtual machine environment using VMware Server 2.0.

Tutorial

For reference, take a look at the simple network diagram below. The network consists of four routers, the first being used as the internet connection sharing router / internet gateway. The routers behind the gateway have no function other than routing traffic between the subnets. The sample network topology consists of four subnets:

  Subnet 1: 192.168.0.0/24
  Subnet 2: 192.168.5.0/24
  Subnet 3: 192.168.10.0/24
  Subnet 4: 192.168.15.0/24

All of the LAN subnets will be able to communicate with one another, and will have full access to the internet.
Network diagram (the original is a figure; its contents are listed here):

  Internet --- DSL Internet Link --- DSL Modem
      |
  gateway.mynetwork.net
      eth0: PPPoE (to the DSL modem)
      eth1: 192.168.0.1/24    LAN Subnet 1: 192.168.0.0/24
      |
  router2.mynetwork.net
      eth0: 192.168.0.2/24
      eth1: 192.168.5.1/24    LAN Subnet 2: 192.168.5.0/24
      |
  router3.mynetwork.net
      eth0: 192.168.5.2/24
      eth1: 192.168.10.1/24   LAN Subnet 3: 192.168.10.0/24
      |
  router4.mynetwork.net
      eth0: 192.168.10.2/24
      eth1: 192.168.15.1/24   LAN Subnet 4: 192.168.15.0/24
          Workstation A  192.168.15.44/24
          Web Server     192.168.15.10/24
          Workstation B  192.168.15.47/24
Configuring the 1st router as the internet gateway (gateway.mynetwork.net)

Configure the router host name, domain name and the name servers. No static gateway-address is set on this router: its default route is installed by the PPPoE session when the DSL link comes up, and pointing the default route at its own LAN address (192.168.0.1) would be wrong.

  set system host-name gateway
  set system domain-name mynetwork.net
  set system name-server 4.2.2.1
  set system name-server 4.2.2.2

Configure the Ethernet interfaces, using eth0 as the WAN interface (it carries the PPPoE session, which appears as the interface pppoe1) and eth1 as the LAN interface:

  set interfaces ethernet eth1 address 192.168.0.1/24
  set interfaces ethernet eth0 pppoe 1
  set interfaces ethernet eth0 pppoe 1 user-id <dsl_service_username>
  set interfaces ethernet eth0 pppoe 1 password <dsl_service_password>
  set interfaces ethernet eth0 pppoe 1 connect-on-demand
  show interfaces ethernet eth0 pppoe 1

Allow root logins over SSH. This is a convenience for the lab only: no firewall is configured in this tutorial, so the SSH service is reachable from the internet on pppoe1 as well as from the LAN. In a real deployment leave root SSH disabled and restrict SSH to the LAN interface.

  set service ssh allow-root true

Configure the NAT service rules to translate internal source addresses to the public address of the PPPoE interface (masquerade):

  set service nat rule 1 source address 192.168.0.0/24
  set service nat rule 1 outbound-interface pppoe1
  set service nat rule 1 type masquerade
  show service nat

Configure RIP (Routing Information Protocol) on the LAN Ethernet interface eth1. The RIP table is distributed every 60 seconds to the participating interfaces on which RIP is also enabled. Note that RIP as configured here is unauthenticated, so any host on a LAN segment where RIP is enabled can advertise routes to these routers; keep RIP confined to trusted segments.

  set protocols rip interface eth1
  set protocols rip redistribute connected
  set protocols rip timers update 60

Show the IP routing table to ensure RIP is functioning correctly:

  run show ip route

Configure NAT rules for the remaining LAN subnets that will be allowed internet access through the gateway router. One masquerade rule is needed per LAN subnet; a subnet without one can reach the other subnets but not the internet.

Configure NAT rule 2 for subnet 192.168.10.0/24:

  set service nat rule 2
  set service nat rule 2 outbound-interface pppoe1
  set service nat rule 2 source address 192.168.10.0/24
  set service nat rule 2 type masquerade
  show service nat rule 2
Configure NAT rule 3 for subnet 192.168.15.0/24:

  set service nat rule 3
  set service nat rule 3 outbound-interface pppoe1
  set service nat rule 3 source address 192.168.15.0/24
  set service nat rule 3 type masquerade
  show service nat rule 3

Configure NAT rule 4 for subnet 192.168.5.0/24 (subnet 2, the one LAN subnet not yet covered by a masquerade rule; the sample topology has no 192.168.20.0/24):

  set service nat rule 4
  set service nat rule 4 outbound-interface pppoe1
  set service nat rule 4 source address 192.168.5.0/24
  set service nat rule 4 type masquerade
  show service nat rule 4
Configuring the 2nd router (router2.mynetwork.net)

Configure the router host name, domain name, gateway address and the name servers. The gateway address is a static default route pointing at the upstream router; it is needed because the gateway redistributes only its connected subnets into RIP, not a default route:

  set system host-name router2
  set system domain-name mynetwork.net
  set system name-server 4.2.2.1
  set system name-server 4.2.2.2
  set system gateway-address 192.168.0.1

Configure the LAN Ethernet interfaces as follows:

  set interfaces ethernet eth0 address 192.168.0.2/24
  set interfaces ethernet eth1 address 192.168.5.1/24

Configure the SSH server to allow root logins (a convenience for this lab; leave it disabled in production):

  set service ssh allow-root true

Configure RIP (Routing Information Protocol) on both LAN Ethernet interfaces, eth0 and eth1. The RIP table is distributed every 60 seconds to the participating interfaces on which RIP is also enabled:

  set protocols rip interface eth0
  set protocols rip interface eth1
  set protocols rip redistribute connected
  set protocols rip timers update 60

Display the routing table to ensure RIP is functioning correctly:

  run show ip route
Configuring the 3rd router (router3.mynetwork.net)

Configure the router host name, domain name, gateway address (a static default route towards the upstream router) and the name servers:

  set system host-name router3
  set system domain-name mynetwork.net
  set system name-server 4.2.2.1
  set system name-server 4.2.2.2
  set system gateway-address 192.168.5.1

Configure the LAN Ethernet interfaces as follows:

  set interfaces ethernet eth0 address 192.168.5.2/24
  set interfaces ethernet eth1 address 192.168.10.1/24

Configure the SSH server to allow root logins (a convenience for this lab; leave it disabled in production):

  set service ssh allow-root true

Configure RIP (Routing Information Protocol) on both LAN Ethernet interfaces, eth0 and eth1. The RIP table is distributed every 60 seconds to the participating interfaces on which RIP is also enabled:

  set protocols rip interface eth0
  set protocols rip interface eth1
  set protocols rip redistribute connected
  set protocols rip timers update 60

Display the routing table to ensure RIP is functioning correctly:

  run show ip route
Configuring the 4th router (router4.mynetwork.net)

Configure the router host name, domain name, gateway address (a static default route towards the upstream router) and the name servers:

  set system host-name router4
  set system domain-name mynetwork.net
  set system gateway-address 192.168.10.1
  set system name-server 4.2.2.1
  set system name-server 4.2.2.2

Configure the LAN Ethernet interfaces as follows:

  set interfaces ethernet eth0 address 192.168.10.2/24
  set interfaces ethernet eth1 address 192.168.15.1/24

Configure RIP (Routing Information Protocol) on both LAN Ethernet interfaces, eth0 and eth1. The RIP table is distributed every 60 seconds to the participating interfaces on which RIP is also enabled:

  set protocols rip interface eth0
  set protocols rip interface eth1
  set protocols rip redistribute connected
  set protocols rip timers update 60

Display the routing table to ensure RIP is functioning correctly:

  run show ip route
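The following Python script is an added example, not part of the tutorial or of Vyatta; it models the four routers above with RIP and "redistribute connected" as a distance-vector exchange and iterates until the tables converge. It shows what "run show ip route" should report on each router once RIP is working (every router learns all four LAN subnets), and it confirms that no router learns a default route this way, which is why the routers behind the gateway carry a static gateway-address. The router and interface table is taken from the network diagram; the PPPoE link on the gateway is deliberately left out of the model, since it is not a RIP interface and its default route is not a connected network.

```python
"""Distance-vector (RIP-style) convergence for the tutorial's router chain.

Added example, not from the tutorial or Vyatta. Each router starts with its
connected subnets ("redistribute connected") and repeatedly takes the best
metric offered by a neighbour, the way RIP updates do, until nothing changes.
"""
import ipaddress

RIP_INFINITY = 16  # RIP hop-count limit

# Router -> {interface: address/prefix}, from the tutorial's network diagram.
# The gateway's pppoe1 link is omitted: it is not a RIP interface, and its
# default route is a static/kernel route, not a connected network.
ROUTERS = {
    "gateway": {"eth1": "192.168.0.1/24"},
    "router2": {"eth0": "192.168.0.2/24", "eth1": "192.168.5.1/24"},
    "router3": {"eth0": "192.168.5.2/24", "eth1": "192.168.10.1/24"},
    "router4": {"eth0": "192.168.10.2/24", "eth1": "192.168.15.1/24"},
}


def connected_networks(ifaces):
    """Subnets a router advertises with 'redistribute connected'."""
    return {ipaddress.ip_interface(a).network for a in ifaces.values()}


def neighbours(routers):
    """Two routers are RIP neighbours when they share a subnet on a RIP interface."""
    nets = {name: connected_networks(ifs) for name, ifs in routers.items()}
    return {a: [b for b in routers if b != a and nets[a] & nets[b]] for a in routers}


def converge(routers, max_rounds=20):
    """Return {router: {network: (metric, next_hop)}} after the tables stop changing."""
    tables = {name: {net: (0, "connected") for net in connected_networks(ifs)}
              for name, ifs in routers.items()}
    nbrs = neighbours(routers)
    for _ in range(max_rounds):
        changed = False
        for name in routers:
            for n in nbrs[name]:
                # Each neighbour advertises its whole table; accept strictly better metrics.
                for net, (metric, _) in tables[n].items():
                    cand = metric + 1
                    if cand >= RIP_INFINITY:
                        continue
                    if net not in tables[name] or cand < tables[name][net][0]:
                        tables[name][net] = (cand, n)
                        changed = True
        if not changed:
            break
    return tables


def lookup(tables, router, cidr):
    """Route entry (metric, next_hop) for a network given as a string, or None."""
    return tables[router].get(ipaddress.ip_network(cidr))


def has_default_route(table):
    """True if RIP delivered 0.0.0.0/0 to this router (it never does here)."""
    return ipaddress.ip_network("0.0.0.0/0") in table


if __name__ == "__main__":
    for router, table in converge(ROUTERS).items():
        rows = sorted(table.items(), key=lambda kv: int(kv[0].network_address))
        print(router, [(str(net), m, via) for net, (m, via) in rows])
```

Each converged table contains exactly the four LAN subnets; the gateway reaches 192.168.15.0/24 three hops away via router2 and router4 reaches 192.168.0.0/24 two hops away via router3. Because 0.0.0.0/0 never appears, a router behind the gateway with no static gateway-address would have internet-bound packets dropped even though every LAN subnet is reachable.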
Configuring the NAT service as port forwarding to an internal web server

To simplify the terms used in exposing the internal web server behind the internet gateway router to the outside world, we will refer to this NAT configuration as 'port forwarding'. This term is commonly used in the configuration of most Small-Office-Home-Office internet router devices. Refer to the network diagram for the location of the internal web server (192.168.15.10 on subnet 4), which will be exposed to the outside world on HTTP port 80.

Log in to the gateway router (192.168.0.1, gateway.mynetwork.net) and enter configuration mode:

  configure

Create a new NAT service rule with an ID of 300:

  set service nat rule 300

Configure the NAT rule destination port:

  set service nat rule 300 destination port 80

Configure the PPPoE interface as the inbound interface through which all outside requests arrive. Because the DSL connection uses a single, dynamically assigned public IP address, the rule matches on the inbound interface rather than on a fixed public destination address:

  set service nat rule 300 inbound-interface pppoe1

Configure the address of the actual web server as the inside address:

  set service nat rule 300 inside-address address 192.168.15.10

Configure TCP as the protocol for port 80 in NAT rule 300:

  set service nat rule 300 protocol tcp

Configure the source address as 0.0.0.0/0 so that clients from any outside address are accepted. Where the web server is not meant to be public, narrow this to the address ranges that actually need access:

  set service nat rule 300 source address 0.0.0.0/0

Configure rule 300 as a destination NAT rule:

  set service nat rule 300 type destination

Commit the new configuration, and save it so that it survives a reboot:

  commit
  save

Test the configuration to ensure the web server can be accessed from outside. Only TCP port 80 is forwarded to the web server; the gateway's own services (such as SSH) remain reachable on pppoe1 unless a firewall is added.

This concludes the tutorial. Open Informatics hopes IT professionals working in the area of computer networking will find this tutorial useful in their research and final deployment of Vyatta routers in IT environments. Any feedback on material published by Open Informatics is greatly appreciated.
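The following Python script is an added example, not part of the tutorial or of Vyatta's own tooling, covering both the masquerade rules configured on the gateway earlier and the destination (port forwarding) rule 300 above. It parses "set service nat rule ..." lines into rule objects and audits them against the LAN subnets of the network diagram: every LAN subnet must have exactly one masquerade rule bound to pppoe1, no masquerade rule may cover a subnet outside the LAN, and each destination rule must forward only an intended port to a host on a known LAN subnet. The sample configuration embedded in the script is constructed for the example; it contains the kind of transcription slips a hand-typed rule set can carry (one LAN subnet without a masquerade rule, one rule for a subnet that does not exist), so the audit has something to report.

```python
"""Audit Vyatta 'set service nat rule ...' lines against the LAN topology.

Added example, not part of the Open Informatics tutorial. It reports LAN
subnets with no internet access (missing masquerade), masquerade rules for
unknown subnets, and port-forwarding rules that expose the wrong port or
point outside the LAN.
"""
import ipaddress
import re
from collections import defaultdict

# LAN subnets from the tutorial's network diagram.
LAN_SUBNETS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.5.0/24"),
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("192.168.15.0/24"),
]
WAN_INTERFACE = "pppoe1"

# Constructed sample of the gateway's NAT rules, with two deliberate slips:
# 192.168.5.0/24 has no masquerade rule and rule 4 covers a non-existent subnet.
SAMPLE_CONFIG = """
set service nat rule 1 source address 192.168.0.0/24
set service nat rule 1 outbound-interface pppoe1
set service nat rule 1 type masquerade
set service nat rule 2
set service nat rule 2 outbound-interface pppoe1
set service nat rule 2 source address 192.168.10.0/24
set service nat rule 2 type masquerade
set service nat rule 3 outbound-interface pppoe1
set service nat rule 3 source address 192.168.15.0/24
set service nat rule 3 type masquerade
set service nat rule 4 outbound-interface pppoe1
set service nat rule 4 source address 192.168.20.0/24
set service nat rule 4 type masquerade
set service nat rule 300 destination port 80
set service nat rule 300 inbound-interface pppoe1
set service nat rule 300 inside-address address 192.168.15.10
set service nat rule 300 protocol tcp
set service nat rule 300 source address 0.0.0.0/0
set service nat rule 300 type destination
"""

RULE_RE = re.compile(r"^set service nat rule (\d+)(?: (.*))?$")


def parse_nat_rules(config_text):
    """Group 'set service nat rule N <key words> <value>' lines into {N: {key: value}}."""
    rules = defaultdict(dict)
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rule_id, rest = int(m.group(1)), m.group(2)
        rules.setdefault(rule_id, {})  # a bare 'set service nat rule N' creates the rule
        if rest:
            tokens = rest.split()
            # The last token is the value; everything before it is the (multi-word) key.
            rules[rule_id][" ".join(tokens[:-1])] = tokens[-1]
    return dict(rules)


def audit_nat(rules, lan_subnets=LAN_SUBNETS, wan=WAN_INTERFACE, allowed_ports=(80,)):
    """Return a list of findings; an empty list means the rule set is consistent."""
    findings = []
    masqueraded = {}  # subnet -> rule id that already masquerades it
    for rid, attrs in sorted(rules.items()):
        rtype = attrs.get("type")
        if rtype == "masquerade":
            if attrs.get("outbound-interface") != wan:
                findings.append(f"rule {rid}: masquerade not bound to {wan}")
            src = attrs.get("source address")
            if src is None:
                findings.append(f"rule {rid}: masquerade without a source address")
                continue
            net = ipaddress.ip_network(src, strict=False)
            if net not in lan_subnets:
                findings.append(f"rule {rid}: masquerades {net}, which is not a LAN subnet")
            elif net in masqueraded:
                findings.append(f"rule {rid}: duplicates masquerade of {net} (rule {masqueraded[net]})")
            else:
                masqueraded[net] = rid
        elif rtype == "destination":
            if attrs.get("inbound-interface") != wan:
                findings.append(f"rule {rid}: destination NAT not bound to {wan}")
            port = attrs.get("destination port")
            if port is None or int(port) not in allowed_ports:
                findings.append(f"rule {rid}: forwards port {port}, not in the allowed set {allowed_ports}")
            inside = attrs.get("inside-address address")
            if inside is None or not any(ipaddress.ip_address(inside) in n for n in lan_subnets):
                findings.append(f"rule {rid}: inside address {inside} is not on a LAN subnet")
        else:
            findings.append(f"rule {rid}: unknown or missing type {rtype!r}")
    for net in lan_subnets:
        if net not in masqueraded:
            findings.append(f"no masquerade rule for LAN subnet {net}: its hosts get no internet access")
    return findings


if __name__ == "__main__":
    for finding in audit_nat(parse_nat_rules(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the audit reports exactly two findings: rule 4 masquerades 192.168.20.0/24, which is not a LAN subnet, and 192.168.5.0/24 has no masquerade rule. Pointing rule 4 at 192.168.5.0/24 clears both, and rule 300 passes as written because it is bound to pppoe1, forwards only port 80 and targets a host inside 192.168.15.0/24.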