2,187
edits
Difference between revisions of "Vyatta"
Jump to navigation
Jump to search
Added Google Ad
(→Configuration: Added "User Accounts") |
(Added Google Ad) |
||
| (16 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{#widget:Widget:GoogleAdSenseSkyscraper}} | |||
Unix based Open Source firewall router that sees itself in competition with Cisco. The firewall module is not on by default, so once interfaces are defined it will pass traffic freely. All configuration is done via the CLI <ref>There was a web interface available with the free version (which was just a pretty version of the CLI anyway), but this now only available via the paid-for version due to its use of the [[Acronyms#R|REST]] [[Acronyms#A|API]] (which is a premium feature).</ref>. | |||
== Set-up == | |||
[http://www.vyatta.com/downloads/index.php Vyatta Download] | [http://www.vyatta.com/downloads/index.php Vyatta Download] | ||
=== Installation (ISO Install) === | === Installation (ISO Install) === | ||
# Download the LiveOS ISO | # Download the LiveOS ISO | ||
| Line 32: | Line 33: | ||
# Enable remote ssh access | # Enable remote ssh access | ||
#* <code> set service ssh </code> | #* <code> set service ssh </code> | ||
# Enable/config NTP | # Enable/config NTP (optional, out of the box the router will sync to Vyatta's NTP server pool) | ||
#* <code> set system time-zone Europe/London </code> | #* <code> set system time-zone Europe/London </code> | ||
#* <code> set system ntp server 192.168.1.50 </code> | #* <code> set system ntp server 192.168.1.50 </code> | ||
#* <code> delete system ntp server 0.vyatta.pool.ntp.org </code> | |||
#* <code> delete system ntp server 1.vyatta.pool.ntp.org </code> | |||
#* <code> delete system ntp server 2.vyatta.pool.ntp.org </code> | |||
# Commit changes and save | # Commit changes and save | ||
#* <code> commit </code> | #* <code> commit </code> | ||
| Line 48: | Line 52: | ||
#* <code> show system name-server </code> | #* <code> show system name-server </code> | ||
#* <code> show system domain-search </code> | #* <code> show system domain-search </code> | ||
=== SNMP Server === | |||
To set up the SNMP service and allow a polling server to interact with (for example perform SNMP Gets, etc) with the router | |||
# Go into configuration mode | |||
#* <code> configure </code> | |||
# Create a SNMP community (don't use public!) | |||
#* <code> set service snmp community public </code> | |||
# Create a SNMP client that's allowed to make SNMP requests | |||
#* <code> set service snmp community public client 192.168.1.25 </code> | |||
# Apply changes and move back up to top-level part of config | |||
#* <code> commit </code> | |||
To set up SNMP trapping (assumes you're already in config mode) | |||
# Configure a trap destination (repeat for further destinations) | |||
#* <code> set service snmp trap‐target 192.168.10.199 </code> | |||
# Apply changes | |||
#* <code> commit </code> | |||
If you have the firewall enabled, you'll need to allow SNMP traffic in, eg | |||
<pre> | |||
set firewall name eth0-local rule 70 description 'VYATTA SNMP' | |||
set firewall name eth0-local rule 70 action 'accept' | |||
set firewall name eth0-local rule 70 destination port '161' | |||
set firewall name eth0-local rule 70 protocol 'udp' | |||
set firewall name eth0-local rule 70 source address '192.168.1.25' | |||
</pre> | |||
== Configuration == | == Configuration == | ||
| Line 53: | Line 83: | ||
In similar fashion to Cisco IOS, configuration has to be entered in config mode, and the configuration can only be viewed in Operator mode. | In similar fashion to Cisco IOS, configuration has to be entered in config mode, and the configuration can only be viewed in Operator mode. | ||
{| | {| class="vwikitable" | ||
|- | |- | ||
! Command !! Description | ! Command !! Description | ||
| Line 67: | Line 97: | ||
=== User Accounts === | === User Accounts === | ||
{| | {| class="vwikitable" | ||
|- | |- | ||
! Command !! Description | ! Command !! Description | ||
| Line 76: | Line 106: | ||
|- | |- | ||
| <code> set system login user <user> level admin </code> || Change users authorisation level | | <code> set system login user <user> level admin </code> || Change users authorisation level | ||
|- | |||
| <code> delete system login user <user> </code> || Delete user | |||
|} | |} | ||
=== Firewall === | === Firewall === | ||
If an interface has no firewall config, then it passes all traffic. Once any firewall config is applied then that interface acts as a firewall. | If an interface has no firewall config, then it passes all traffic. Once any firewall config is applied then that interface acts as a firewall. | ||
* http://www.carbonwind.net/VyattaOFR/Firewall/Firewall.htm - | * http://www.carbonwind.net/VyattaOFR/Firewall/Firewall.htm - A bit old, but a useful page to learn from | ||
{| | {| class="vwikitable" | ||
|- | |- | ||
! Command !! Description | ! Command !! Description | ||
| Line 148: | Line 179: | ||
=== NAT === | === NAT === | ||
To allow masquerade NAT, out through eth0, from multiple inside addresses out through the router's outside interface address | For full details see http://www.vyatta.com/sites/vyatta.com/files/pdfs/Vyatta_NATRef_R6.2_v01.pdf | ||
To allow '''masquerade NAT''', out through eth0, from multiple inside addresses out through the router's outside interface address | |||
<pre> | <pre> | ||
set service nat rule 10 type masquerade | set service nat rule 10 type masquerade | ||
| Line 156: | Line 189: | ||
</pre> | </pre> | ||
To allow destination NAT, into the router, presenting machines on the inside, to the outside world | To allow '''destination NAT''', into the router, presenting machines on the inside, to the outside world | ||
<pre> | <pre> | ||
set interfaces ethernet eth0 address 192.168.1.20/24 | set interfaces ethernet eth0 address 192.168.1.20/24 | ||
| Line 168: | Line 201: | ||
</pre> | </pre> | ||
== Troubleshooting == | To allow '''source NAT''', going out from the router, so that machines on the inside, pick up external addresses as they communicate to the outside world | ||
{| | <pre> | ||
|- | set service nat | ||
! Command !! Comments | set service nat rule 1020 description InsideServerName | ||
set service nat rule 1020 type source | |||
set service nat rule 1020 inbound-interface eth0 | |||
set service nat rule 1020 source address 10.1.1.20 | |||
set service nat rule 1020 outside-address address 192.168.1.20 | |||
set service nat rule 1020 protocol all | |||
</pre> | |||
To configure '''bidirectional NAT''', whereby machines on the inside appear to the outside world by the same address for traffic initiated from either outside or inside the router just combine both source and destination NAT configuration. | |||
To '''delete''' a NAT rule, use syntax similar to the following... | |||
delete service nat rule 42 | |||
== Troubleshooting and General Commands == | |||
{|class="vwikitable" | |||
|- | |||
! Command !! Comments | |||
|- | |||
|<code> reboot </code> || | |||
|- | |||
|<code> shutdown </code> || | |||
|- | |- | ||
|<code> show arp </code> || | |<code> show arp </code> || | ||
| Line 184: | Line 237: | ||
|- | |- | ||
|<code> set system flow-accounting interface eth0 </code> || Enable flow accounting | |<code> set system flow-accounting interface eth0 </code> || Enable flow accounting | ||
|- | |||
|<code> delete system flow-accounting </code> || Disable flow accounting | |||
|- | |- | ||
|<code> show flow-accounting interface eth0 </code> || Show flow accounting for <code> eth0 </code> | |<code> show flow-accounting interface eth0 </code> || Show flow accounting for <code> eth0 </code> | ||
| Line 189: | Line 244: | ||
|<code> show flow-accounting interface eth0 host 10.1.1.1 </code> || Show flow accounting for specific IP through <code> eth0 </code> | |<code> show flow-accounting interface eth0 host 10.1.1.1 </code> || Show flow accounting for specific IP through <code> eth0 </code> | ||
|} | |} | ||
=== Unable to Commit Interface Change (RTNETLINK) === | |||
When trying to commit interface changes you receive an error like... | |||
<pre>admin@router# commit | |||
[ interfaces ethernet eth1 address ] | |||
RTNETLINK answers: File exists | |||
Commit failed</pre> | |||
A <code> show interfaces </code> shows the config to be correct, but a <code> show configuration </code> shows that the config hasn't been saved properly. | |||
To resolve - restart the router (<code>reboot</code>). | |||
On restart the conflicted part of the configuration is lost (so can no longer be seen via <code> show interfaces </code>). However it can be reapplied, and shouldn't generate an error this time around. | |||
=== TCPdump === | |||
TCPdump can only be run as root, therefore you may need to set the root password first... | |||
sudo passwd root | |||
...then you'll be elevate to be the super user, from where you can run TCPdump... | |||
su - | |||
Some basic TCPdump examples... | |||
{|class="vwikitable" | |||
|- | |||
! Command !! Comments | |||
|- | |||
|<code> tcpdump -i eth0 port 80 </code> || Anything on port 80 through eth0 | |||
|- | |||
|<code> tcpdump -i eth0 dst 10.10.0.10 and port 80 </code> || Anything going to 10.10.0.10:80 through eth0 | |||
|- | |||
|<code> tcpdump -w capture.pcap -i eth0 port 80 </code> || Write capture to capture.pcap | |||
|} | |||
For more info see the TCPdump man page - http://www.tcpdump.org/tcpdump_man.html | |||
== Notes == | |||
<references /> | |||
[[Category:Vyatta]] | |||