

Vyatta OFR, like other router distributions, is best understood as a stand-alone server operating system. It is first started from a live boot CD on a PC and can later be installed permanently, for example to a hard disk, from the console interface. After a few basic settings the installation begins; it partitions the disk and copies the files. Initially only a relatively lean console version is available and the network is not configured. To run the router headless (that is, without keyboard and monitor) at least one network interface must be configured.
The main task of Vyatta OFR is to provide the essential features of a router. Because Debian serves as the operating-system base, almost all features of the x86 architecture can be used.
The routing engine is configured mainly in the configure/edit mode, in which all changes are written to a configuration file. The special feature is that changes do not take effect immediately: the new configuration is only activated with a dedicated "commit" command, so the configuration to be committed can be reviewed before it goes live. Afterwards, as with Cisco, the configuration must additionally be written to permanent storage (for example the hard disk) so that it survives a reboot. Besides the configuration mode, the underlying Debian Linux is fully accessible. Access to the system is via a serial console, the console screen or, among other means, the (configurable) SSH service; the web GUI that was still available in version 3.x is expected for late summer 2008.
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
kernel.printk = 4 4 1 7
###################################################################
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1
# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts
#net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
#net.ipv4.icmp_ignore_bogus_error_responses = 1
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
# answer ARP requests only on the interface the kernel would route the reply through (arp_filter)
net.ipv4.conf.default.arp_filter = 1
# promote secondaries with removal of primary address
net.ipv4.conf.all.promote_secondaries = 1
# maximize netlink buffers
net.core.rmem_max = 223232
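The file above is Debian's stock sysctl.conf with the router's own additions at the bottom; note that its "we are not a router" comments are the stock text and that every hardening line in the middle section is still commented out, so none of them is active on the router. The following audit script is an added example, not part of the original page or of Vyatta: it parses the `key = value` syntax of such a file, compares it with a router baseline of this example's own choosing, and prints the lines needed to close the gaps. The baseline assumes strict reverse-path filtering (rp_filter=1) is acceptable; on a router with asymmetric routes use loose mode (2) instead. send_redirects is deliberately not in the baseline, because a router may legitimately send redirects on its LANs.

```python
"""Audit a Debian-style /etc/sysctl.conf against a router hardening baseline.

Added example (not part of the original page or of Vyatta): parses the
`key = value` syntax used in the file above, ignoring comments, and reports
baseline keys that are still commented out or set to an unexpected value.
"""

# Constructed sample: the active and commented lines of the file shown above.
SAMPLE_SYSCTL_CONF = """\
#kernel.domainname = example.com
kernel.printk = 4 4 1 7
###################################################################
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
#net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward = 1
#net.ipv6.conf.all.forwarding=1
#net.ipv4.icmp_echo_ignore_broadcasts = 1
#net.ipv4.icmp_ignore_bogus_error_responses = 1
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.arp_filter = 1
net.ipv4.conf.all.promote_secondaries = 1
net.core.rmem_max = 223232
"""

# Baseline for a forwarding router (this example's choice, not a Vyatta default).
# Assumption: strict rp_filter=1 is acceptable; use 2 (loose) for asymmetric routing.
ROUTER_BASELINE = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv6.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv6.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.log_martians": "1",
}


def parse_sysctl_conf(text):
    """Return {key: value} for every active (uncommented) assignment.

    Accepts both `key = value` and `key=value`; a `#` starts a comment anywhere
    on the line, so commented-out settings are simply absent from the result.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(text, baseline=ROUTER_BASELINE):
    """List (key, problem, wanted) for baseline keys that are missing or differ."""
    settings = parse_sysctl_conf(text)
    findings = []
    for key, wanted in baseline.items():
        have = settings.get(key)
        if have is None:
            findings.append((key, "not set (commented out?)", wanted))
        elif have != wanted:
            findings.append((key, f"set to {have}", wanted))
    return findings


def remediation(findings):
    """Lines to append to sysctl.conf (or pass to `sysctl -w`) to fix the findings."""
    return [f"{key} = {wanted}" for key, _, wanted in sorted(findings)]


if __name__ == "__main__":
    found = audit(SAMPLE_SYSCTL_CONF)
    for key, problem, wanted in found:
        print(f"{key}: {problem}, want {wanted}")
    print("--- append to /etc/sysctl.conf, then run: sysctl -p ---")
    print("\n".join(remediation(found)))
```

Run against the file above it reports ten findings: everything in the baseline except ip_forward, which the router already enables. Whether the reverse-path filter should be strict or loose is the one judgement call the script cannot make for you.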
Configuring advanced features
To start configuring Vyatta Community Edition 4, you must first download it from the developer's site, either as an ISO image or as a VMware appliance. I chose the ISO format and burned it to a CD.
You can run Vyatta as a live CD, install it on a hard drive, or make a bootable USB stick. I installed Vyatta to disk in a VMware virtual machine with 1024MB of disk space, 512MB of RAM and two virtual NICs bridged to two physical NICs; the physical host is an Intel Core 2 Duo with 2GB of RAM. To install the software, boot the live CD, log in, and run the command install-system. In most cases you can choose the default Auto option, then restart the machine after the installation.
After logging in following the reboot, enter the command configure to enter configuration mode. If you need help with a command, type ? or press Tab for auto-completion, as in Cisco IOS. I first check whether Vyatta detects my network interfaces with the command show interfaces. With the interfaces detected properly, I configure the basic setup: the IP addresses of the interfaces, NAT and a simple static route. Below is a brief list of the basic settings I used. Those familiar with the Juniper JUNOS CLI will find that Vyatta CLI commands follow almost the same pattern. All changes you make in Vyatta take effect only after the command commit. Once the settings are committed, use the command save to store the configuration permanently, or they are lost at the next reboot.
vyatta@vyatta# edit interfaces ethernet eth0
vyatta@vyatta# set description outside
vyatta@vyatta# set address 10.10.10.2/24 - IP address of eth0
vyatta@vyatta# top - back to the top of the configuration tree before changing branch
vyatta@vyatta# edit interfaces ethernet eth1
vyatta@vyatta# set description internal
vyatta@vyatta# set address 192.168.30.1/24 - IP address of eth1
vyatta@vyatta# top
vyatta@vyatta# set protocols static route 0.0.0.0/0 next-hop 10.10.10.1 - default route to the outside
vyatta@vyatta# set service nat rule 1
vyatta@vyatta# edit service nat rule 1
vyatta@vyatta# set type masquerade
vyatta@vyatta# set outbound-interface eth0 - all outbound traffic is rewritten to the eth0 address
vyatta@vyatta# set protocols all
vyatta@vyatta# set source network 192.168.30.0/24
vyatta@vyatta# set destination address 0.0.0.0/0
vyatta@vyatta# commit
With the basic configuration in place, we can proceed to Vyatta's more advanced configuration. Since we're concerned with security, we must set some firewall policies. First create the firewall node with set firewall, then create a rule set named "test" and add rules to it.
vyatta@vyatta# top - leave the NAT rule we were editing
vyatta@vyatta# set firewall name test
vyatta@vyatta# edit firewall name test
vyatta@vyatta# set rule 1
vyatta@vyatta# edit rule 1
vyatta@vyatta# set source address 192.168.30.0/24
vyatta@vyatta# set protocol tcp
vyatta@vyatta# set destination address 0.0.0.0/0
vyatta@vyatta# set destination port ftp
vyatta@vyatta# set action reject
vyatta@vyatta# commit
vyatta@vyatta# top
vyatta@vyatta# edit firewall name test
vyatta@vyatta# set rule 2
vyatta@vyatta# edit rule 2
vyatta@vyatta# set source address 192.168.30.0/24
vyatta@vyatta# set destination address 0.0.0.0/0
vyatta@vyatta# set action accept
The commands above build a simple firewall policy: TCP traffic from our internal network 192.168.30.0/24 to the FTP port (21) on any destination is rejected, and all other traffic from that network to any destination (0.0.0.0/0) is accepted. Rules are evaluated in numeric order and the first match decides, so the reject rule must carry the lower number; traffic that no rule matches, for example packets from a source outside 192.168.30.0/24, falls through to the rule set's implicit default of drop. A rule set does nothing until it is bound to a network interface. Since the traffic flows from the internal network out to the Internet, the policy is applied in the outbound direction of eth0.
vyatta@vyatta# top
vyatta@vyatta# edit interfaces ethernet eth0
vyatta@vyatta# set firewall out name test
vyatta@vyatta# commit
When testing the configuration, I tried accessing FTP sites using port 21 on the Internet -- to no avail. This means that the firewall is working properly.
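The following model is an added example, not code from the article or from Vyatta. It mirrors the rule set "test" above in plain Python, evaluates constructed packets against it with the same first-match semantics, and shows the two things that bite in practice: a packet no rule matches hits the implicit default drop, and a rule placed after a broader one can never fire. The field names are this example's own (chosen to echo the CLI keywords), stateful matching is not modelled, and the implicit default drop is assumed.

```python
"""First-match model of a Vyatta named firewall rule set.

Added example, not code from the original article or from Vyatta. It models
the rule set "test" configured above: the first matching rule decides, and
anything no rule matches falls through to the implicit default drop.
"""
import ipaddress

DEFAULT_ACTION = "drop"  # assumed: the implicit default of a Vyatta named rule set

# Constructed model of the page's rule set "test". Keys mirror the CLI keywords.
TEST_RULESET = [
    {"rule": 1, "action": "reject", "protocol": "tcp", "dport": 21,  # ftp
     "source": "192.168.30.0/24", "destination": "0.0.0.0/0"},
    {"rule": 2, "action": "accept",
     "source": "192.168.30.0/24", "destination": "0.0.0.0/0"},
]


def _matches(rule, pkt):
    """A rule matches when every field it specifies agrees with the packet."""
    for field, addr in (("source", pkt["src"]), ("destination", pkt["dst"])):
        if field in rule and ipaddress.ip_address(addr) not in ipaddress.ip_network(rule[field]):
            return False
    if "protocol" in rule and rule["protocol"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate(ruleset, pkt):
    """Return (rule number, action) of the first matching rule, or (None, default)."""
    for rule in sorted(ruleset, key=lambda r: r["rule"]):
        if _matches(rule, pkt):
            return rule["rule"], rule["action"]
    return None, DEFAULT_ACTION


def _covers(outer, inner):
    """True if every packet matching `inner` would already have matched `outer`."""
    for field in ("source", "destination"):
        o = ipaddress.ip_network(outer.get(field, "0.0.0.0/0"))
        i = ipaddress.ip_network(inner.get(field, "0.0.0.0/0"))
        if not i.subnet_of(o):
            return False
    for field in ("protocol", "dport"):
        if field in outer and outer[field] != inner.get(field):
            return False
    return True


def shadowed_rules(ruleset):
    """Rule numbers that can never fire because an earlier rule covers them."""
    ordered = sorted(ruleset, key=lambda r: r["rule"])
    return [r["rule"] for i, r in enumerate(ordered)
            if any(_covers(earlier, r) for earlier in ordered[:i])]


if __name__ == "__main__":
    # Constructed packets: LAN host to an Internet address.
    for pkt in ({"src": "192.168.30.10", "dst": "203.0.113.5", "proto": "tcp", "dport": 21},
                {"src": "192.168.30.10", "dst": "203.0.113.5", "proto": "tcp", "dport": 443},
                {"src": "10.0.0.5", "dst": "203.0.113.5", "proto": "tcp", "dport": 443}):
        print(pkt, "->", evaluate(TEST_RULESET, pkt))
    swapped = [dict(TEST_RULESET[1], rule=1), dict(TEST_RULESET[0], rule=2)]
    print("shadowed if the accept rule came first:", shadowed_rules(swapped))
```

Swapping the two rule numbers is the classic mistake: the accept-all becomes rule 1, the FTP reject is shadowed and the "test" at the end of this section would have succeeded in reaching FTP sites.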
Now we can set up a simple site-to-site IPsec VPN. The connection is negotiated in two phases. Phase 1 (IKE) authenticates the two peers and agrees the security parameters of the IKE security association; Phase 2 uses that protected channel to negotiate the IPsec (ESP) security associations that carry the tunnel traffic. The Phase 1 and Phase 2 parameters must be identical at both ends of the connection; a single differing parameter makes the negotiation, and hence the VPN connection, fail.
vyatta@vyatta# top
vyatta@vyatta# set vpn ipsec
vyatta@vyatta# edit vpn ipsec
vyatta@vyatta# set ipsec-interfaces interface eth0 - run IPsec on the public interface
vyatta@vyatta# set ike-group p1
vyatta@vyatta# edit ike-group p1
vyatta@vyatta# set lifetime 7200
vyatta@vyatta# set proposal 1
vyatta@vyatta# edit proposal 1
vyatta@vyatta# set encryption 3des
vyatta@vyatta# set hash md5
vyatta@vyatta# set dh-group 2
vyatta@vyatta# top
vyatta@vyatta# edit vpn ipsec
vyatta@vyatta# set esp-group p2
vyatta@vyatta# edit esp-group p2
vyatta@vyatta# set lifetime 1800
vyatta@vyatta# set proposal 1
vyatta@vyatta# edit proposal 1
vyatta@vyatta# set encryption 3des
vyatta@vyatta# set hash md5
vyatta@vyatta# top
vyatta@vyatta# edit vpn ipsec
vyatta@vyatta# set site-to-site
vyatta@vyatta# edit site-to-site
vyatta@vyatta# set peer 10.10.10.1 - public address of the remote network
vyatta@vyatta# edit peer 10.10.10.1
vyatta@vyatta# set authentication pre-shared-secret myvpn - pre-shared key authentication (use a long random secret in production)
vyatta@vyatta# set ike-group p1
vyatta@vyatta# set local-ip 10.10.10.2 - public address of Vyatta
vyatta@vyatta# set tunnel 1
vyatta@vyatta# edit tunnel 1
vyatta@vyatta# set local-subnet 192.168.30.0/24 - internal network behind Vyatta
vyatta@vyatta# set remote-subnet 192.168.40.0/24 - internal network behind the remote peer
vyatta@vyatta# set esp-group p2
vyatta@vyatta# top
vyatta@vyatta# commit
Looking at the commands that establish the IPsec VPN, the first thing to do is to configure the Phase 1 and Phase 2 parameters. Phase 1 needs an encryption algorithm (3des) for confidentiality, a hash algorithm (md5) for integrity, and a Diffie-Hellman group (group 2) for the secure derivation of the shared session key. In this Vyatta release, encryption may be AES, DES or 3DES, the hash may be MD5 or SHA-1, and Diffie-Hellman groups 2 and 5 are the ones commonly used. I used 3des-md5 with dh-group 2 as my Phase 1 parameters; aes-md5 with dh-group 2 would work as well. Be aware that DES, 3DES, MD5 and the 1024-bit group 2 are all considered inadequate by today's standards: where the peer supports it, prefer AES with SHA and the largest Diffie-Hellman group both ends offer. For more information on the whole VPN process in detail, read the National Institute of Standards and Technology's Special Publication 800-77. Stronger algorithms and longer keys cost CPU time on both routers rather than bandwidth: the per-packet ESP overhead is determined by the cipher's block size, the IV and the length of the integrity check value, not by the key length.
In Phase 2 we use the ESP protocol. Authentication Header (AH) is the other IPsec protocol, but Vyatta does not support it. AH provides only data integrity and authentication, whereas ESP provides integrity, authentication and encryption, and therefore confidentiality as well; AH also cannot pass through NAT, because it authenticates the outer IP header that NAT rewrites. Although the references do not state outright that ESP is better, the added encryption is a real benefit. For more on the decline of AH, read pages 30-36 of NIST Special Publication 800-77 and "Securing Data in Transit with IPSec" on WindowsSecurity.com.
Returning to Phase 2, we use 3des-md5 here as well. You can choose different algorithms, but be sure the same parameters are applied at the other end of the VPN. After the parameters are set, we bind IPsec to a network interface, in most cases the public one. Next we enter the peer address, that is, the public address of the other side, and configure its authentication. I chose pre-shared-key authentication with the passphrase "myvpn"; a real deployment needs a long random secret, since a short word like this one can be guessed. Lastly we specify the local and remote private networks that will be carried through the tunnel. Enter commit, and we have a working VPN.
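Because the negotiation fails on a single differing parameter, it pays to compare the two ends before touching the CLI. The following checker is an added example, not part of the article or of Vyatta: it encodes the ike-group p1 and esp-group p2 proposals configured above, compares them with constructed remote peers (one identical, one offering two proposals, one with a single differing hash), and rates every proposal against a deprecation policy of this example's own choosing. Peers may offer several proposals per phase, as Vyatta's proposal 1, 2, ... allow; the tunnel comes up if any pair agrees. Lifetimes are left out of the comparison; the check is about the algorithm proposals. The "stronger" target at the end is an assumption about what the peers should aim for, not a statement of what this Vyatta release offers.

```python
"""Compare the two ends of a site-to-site IPsec tunnel and rate the proposals.

Added example, not part of the original article or of Vyatta. LOCAL encodes
the ike-group p1 / esp-group p2 proposals configured above; the remote peers
are constructed for the demonstration.
"""

LOCAL = {
    "ike": {"proposals": [{"encryption": "3des", "hash": "md5", "dh-group": 2}]},
    "esp": {"proposals": [{"encryption": "3des", "hash": "md5"}]},
}
REMOTE_OK = {  # constructed: identical configuration on the far side
    "ike": {"proposals": [{"encryption": "3des", "hash": "md5", "dh-group": 2}]},
    "esp": {"proposals": [{"encryption": "3des", "hash": "md5"}]},
}
REMOTE_TWO = {  # constructed: prefers something stronger, still offers ours
    "ike": {"proposals": [{"encryption": "aes256", "hash": "sha1", "dh-group": 5},
                          {"encryption": "3des", "hash": "md5", "dh-group": 2}]},
    "esp": {"proposals": [{"encryption": "3des", "hash": "md5"}]},
}
REMOTE_MISMATCH = {  # constructed: one Phase 1 value differs, nothing will come up
    "ike": {"proposals": [{"encryption": "3des", "hash": "sha1", "dh-group": 2}]},
    "esp": {"proposals": [{"encryption": "3des", "hash": "md5"}]},
}
STRONGER = {  # assumed target policy; check what your release actually offers
    "ike": {"proposals": [{"encryption": "aes256", "hash": "sha1", "dh-group": 14}]},
    "esp": {"proposals": [{"encryption": "aes256", "hash": "sha1"}]},
}

# Deprecation policy (this example's own): values to refuse in new deployments.
WEAK = {
    "encryption": {"des": "56-bit key", "3des": "64-bit block size; deprecated"},
    "hash": {"md5": "collision-broken; use SHA-1 or stronger"},
    "dh-group": {1: "768-bit MODP", 2: "1024-bit MODP; use group 14 or larger"},
}


def common_proposals(local, remote, phase):
    """Proposals both peers offer for the phase; the tunnel needs at least one."""
    return [p for p in local[phase]["proposals"] if p in remote[phase]["proposals"]]


def diagnose(local, remote):
    """Per phase: ("ok", agreed proposals) or ("no common proposal", closest diff)."""
    report = {}
    for phase in ("ike", "esp"):
        agreed = common_proposals(local, remote, phase)
        if agreed:
            report[phase] = ("ok", agreed)
            continue
        # No agreement: show the smallest set of differences across all pairs,
        # which is usually the one typo or the one side that was not updated.
        best = None
        for lp in local[phase]["proposals"]:
            for rp in remote[phase]["proposals"]:
                diffs = [f"{k}: local={lp.get(k)} remote={rp.get(k)}"
                         for k in sorted(set(lp) | set(rp)) if lp.get(k) != rp.get(k)]
                if best is None or len(diffs) < len(best):
                    best = diffs
        report[phase] = ("no common proposal", best)
    return report


def weaknesses(side):
    """(phase, proposal index, key, reason) for every value the WEAK policy rejects."""
    out = []
    for phase in ("ike", "esp"):
        for idx, prop in enumerate(side[phase]["proposals"], 1):
            for key, value in prop.items():
                reason = WEAK.get(key, {}).get(value)
                if reason:
                    out.append((phase, idx, key, reason))
    return out


if __name__ == "__main__":
    for name, remote in (("identical", REMOTE_OK), ("two proposals", REMOTE_TWO),
                         ("hash differs", REMOTE_MISMATCH)):
        print(name, "->", diagnose(LOCAL, remote))
    for finding in weaknesses(LOCAL):
        print("weak:", finding)
```

Against the page's own configuration the policy reports five findings (3DES and MD5 in both phases, group 2 in Phase 1); against the mismatched peer it pinpoints the single differing field, which is exactly what the router's IKE log will not tell you in so many words.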
The configurations discussed in this article are fairly simple. If you want a more comprehensive configuration, Vyatta's documentation site offers a complete command reference for registered users.
Installation
Connect the new Vyatta router to your existing (test/configuration/shop) network using the first network port on the router (eth0)...usually the one on the left. We'll use the dhcp server already on our network to give the new Vyatta router access to the Internet for its updates.
Download the Vyatta 4.1.4 Live CD ISO image, burn it to a CD and boot it on the router hardware, possibly using a USB CD-ROM drive.
Log in as 'root' with password 'vyatta'. This is the well-known default; the configuration script below sets new passwords for both accounts, so do not expose the router before that step.
Install to the hard drive/CF/USB key with 'install-system'. You'll need a storage device of at least 512MB, but 1GB or more is recommended; a device larger than 512MB is needed for some upgrades, such as VC4 to VC4.1.
Disconnect the USB CDROM, if you used one, during the reboot.
Initial Console Configuration
Configure an Internet connection to use for upgrading/updating the Vyatta installation:
configure
set interfaces ethernet eth0 address dhcp
commit
Next, we perform the update/upgrade:
full-upgrade
full-upgrade -k
exit
reboot
This leaves the router in an updated, but unconfigured state. Note that we did not 'save' the previous configuration.
At this point you can simply enter configuration commands at the console, or you can configure SSH access to the router and cut and paste them.
Configure SSH Access (Optional)
Choose a LAN interface to connect to. It is best to choose an interface that will be one of the internal LAN interfaces in your final configuration. We'll use 'eth1' here because that will work in most configurations.
The DSL configuration below assumes the use of eth1 and the IP address 192.168.2.1 on that port.
set interfaces ethernet eth1 address 192.168.2.1/24
set service ssh allow-root true
set service ssh protocol-version v2
commit
save
Now connect your workstation/notebook to eth1 on the Vyatta router, probably the second Ethernet port from the left (or top). Give your workstation an address in 192.168.2.0/24 (192.168.2.22 in the commands below).
Here are sample Linux commands to configure your workstation/notebook and connect to the router. The first command adds a second IP address to your eth0 interface so as not to interrupt your existing connections. Adjust as necessary:
sudo ifconfig eth0:0 192.168.2.22
ssh -l root 192.168.2.1
Program the Router
You can cut and paste the following script once you have edited it for your application. I have commented out a few lines (such as "#configure") that are optional or that might give you an error and ruin your configuration. You can always 'discard' any uncommitted changes and redo them, and a reboot discards committed but unsaved changes. Two things to keep in mind: the script contains credentials (the PPPoE password and both login passwords), so store your edited copy accordingly; and a named rule set ends in an implicit drop, so FROM-EXTERNAL and TO-ROUTER admit only what their rules accept (for TO-ROUTER that is SSH from one /29 plus three ICMP types), while LAN-TO-LAN ends with an explicit accept-all.
You must issue a 'commit' command to apply any changes and a 'save' command for your committed changes to survive a reboot.
### configure System options
#configure
set system host-name
set system domain-name
# use tab key for time zone choices
set system time-zone
# these are free OpenDNS servers
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system login user vyatta authentication plaintext-password
set system login user root authentication plaintext-password
#
# optionally enable logging to the console
#set system syslog console
### configure Interface options
## Sangoma S518 DSL WAN interface supports PPPOE and PPPOA
set interfaces adsl adsl0 pvc auto pppoe 0 default-route auto
set interfaces adsl adsl0 pvc auto pppoe 0 user-id
set interfaces adsl adsl0 pvc auto pppoe 0 password
set interfaces adsl adsl0 pvc auto pppoe 0 firewall in name FROM-EXTERNAL
set interfaces adsl adsl0 pvc auto pppoe 0 firewall local name TO-ROUTER
#show interfaces adsl
## LAN 1 interface
set interfaces ethernet eth0 address 192.168.1.1/24
set interfaces ethernet eth0 firewall in name LAN-TO-LAN
## LAN 2 interface
# the next line is commented out as it was previously configured above
#set interfaces ethernet eth1 address 192.168.2.1/24
set interfaces ethernet eth1 firewall in name LAN-TO-LAN
#show interfaces
### configure Services options
## configure DHCP server (optional)
# DHCP serving LAN 1 on eth0 (optional)
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 start 192.168.1.65 stop 192.168.1.199
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 default-router 192.168.1.1
# if using caching DNS server use this instead of the OpenDNS servers:
#set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 dns-server 208.67.220.220
set service dhcp-server shared-network-name ETH0_POOL subnet 192.168.1.0/24 authoritative enable
# DHCP serving LAN 2 on eth1 (optional)
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 start 192.168.2.65 stop 192.168.2.199
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 default-router 192.168.2.1
# if using caching DNS server use this instead of the OpenDNS servers:
#set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 dns-server 192.168.2.1
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 dns-server 208.67.222.222
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 dns-server 208.67.220.220
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.2.0/24 authoritative enable
#show service dhcp-server
## configure NAT
# here we NAT all 192.168.x.x and all 10.x.x.x internal addresses by widening the netmasks
set service nat rule 10 source address 192.168.0.0/16
set service nat rule 10 outbound-interface pppoe0
set service nat rule 10 type masquerade
set service nat rule 20 source address 10.0.0.0/8
set service nat rule 20 outbound-interface pppoe0
set service nat rule 20 type masquerade
#show service nat
### configure Firewall options
## FROM-EXTERNAL
set firewall name FROM-EXTERNAL description "Block Unwanted Internet Traffic"
# rule 10
set firewall name FROM-EXTERNAL rule 10 description "Accept Established-Related Connections"
set firewall name FROM-EXTERNAL rule 10 action accept
set firewall name FROM-EXTERNAL rule 10 state established enable
set firewall name FROM-EXTERNAL rule 10 state related enable
set firewall name FROM-EXTERNAL rule 10 log disable
## TO-ROUTER
set firewall name TO-ROUTER description "Traffic Destined for Router"
# rule 10
set firewall name TO-ROUTER rule 10 description "Accept Established-Related Connections"
set firewall name TO-ROUTER rule 10 action accept
set firewall name TO-ROUTER rule 10 state established enable
set firewall name TO-ROUTER rule 10 state related enable
set firewall name TO-ROUTER rule 10 log disable
# rule 20
set firewall name TO-ROUTER rule 20 description "SSH Access"
set firewall name TO-ROUTER rule 20 action accept
set firewall name TO-ROUTER rule 20 protocol tcp
# adjust the source address to your needs
set firewall name TO-ROUTER rule 20 source address 209.193.64.248/29
set firewall name TO-ROUTER rule 20 destination port ssh
set firewall name TO-ROUTER rule 20 log disable
# rule 30
set firewall name TO-ROUTER rule 30 description "Accept ICMP Unreachable"
set firewall name TO-ROUTER rule 30 action accept
set firewall name TO-ROUTER rule 30 protocol icmp
set firewall name TO-ROUTER rule 30 icmp type 3
set firewall name TO-ROUTER rule 30 log disable
# rule 32
set firewall name TO-ROUTER rule 32 description "Accept ICMP Echo Request"
set firewall name TO-ROUTER rule 32 action accept
set firewall name TO-ROUTER rule 32 protocol icmp
set firewall name TO-ROUTER rule 32 icmp type 8
set firewall name TO-ROUTER rule 32 log disable
# rule 34
set firewall name TO-ROUTER rule 34 description "Accept ICMP Time-Exceeded"
set firewall name TO-ROUTER rule 34 action accept
set firewall name TO-ROUTER rule 34 protocol icmp
set firewall name TO-ROUTER rule 34 icmp type 11
set firewall name TO-ROUTER rule 34 log disable
## LAN-TO-LAN
set firewall name LAN-TO-LAN description "Block Internal LAN Interaction"
# rule 10
set firewall name LAN-TO-LAN rule 10 description "Block 192.168.2.x to 192.168.1.x"
set firewall name LAN-TO-LAN rule 10 action reject
set firewall name LAN-TO-LAN rule 10 source address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 10 destination address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 10 log disable
# rule 20
set firewall name LAN-TO-LAN rule 20 description "Block 192.168.1.x to 192.168.2.x"
set firewall name LAN-TO-LAN rule 20 action reject
set firewall name LAN-TO-LAN rule 20 source address 192.168.1.0/24
set firewall name LAN-TO-LAN rule 20 destination address 192.168.2.0/24
set firewall name LAN-TO-LAN rule 20 log disable
# rule 30
set firewall name LAN-TO-LAN rule 30 description "Block 10.x.x.x to 192.168.x.x"
set firewall name LAN-TO-LAN rule 30 action reject
set firewall name LAN-TO-LAN rule 30 source address 10.0.0.0/8
set firewall name LAN-TO-LAN rule 30 destination address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 30 log disable
# rule 40
set firewall name LAN-TO-LAN rule 40 description "Block 192.168.x.x to 10.x.x.x"
set firewall name LAN-TO-LAN rule 40 action reject
set firewall name LAN-TO-LAN rule 40 source address 192.168.0.0/16
set firewall name LAN-TO-LAN rule 40 destination address 10.0.0.0/8
set firewall name LAN-TO-LAN rule 40 log disable
# rule 999
set firewall name LAN-TO-LAN rule 999 description "Allow All Traffic Not Previously Blocked"
set firewall name LAN-TO-LAN rule 999 action accept
set firewall name LAN-TO-LAN rule 999 source address 0.0.0.0/0
set firewall name LAN-TO-LAN rule 999 destination address 0.0.0.0/0
set firewall name LAN-TO-LAN rule 999 log disable
#commit
#save
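The LAN-TO-LAN rule set above is four hand-written reject rules followed by an accept-all; with more LANs the number of pairwise rules grows as n*(n-1) and hand-writing them invites exactly the kind of copy-and-paste slip fixed in the DHCP section. The generator below is an added example, not part of the how-to or of Vyatta: given the LAN prefixes it emits the same five-line `set firewall name ...` pattern in the VC4.1 syntax used on this page, refuses overlapping prefixes (for which "between LANs" is ambiguous), keeps every reject rule numbered below the final accept, and also emits the interface bindings without which the rule set does nothing. The rule numbering, the step of 10 and the final rule number 999 are choices taken from the page's own script.

```python
"""Generate a Vyatta LAN-isolation rule set like LAN-TO-LAN above.

Added example, not part of the original how-to or of Vyatta. Emits the
`set firewall name ...` lines in the VC4.1 syntax used on the page: one
reject rule per ordered pair of LANs, then the final accept that lets
everything else (including LAN-to-Internet traffic, since the rule set is
applied `in` on the LAN interfaces) through.
"""
import ipaddress
from itertools import permutations


def rule_lines(name, num, action, src, dst, description):
    """The five `set` lines the page uses for one rule."""
    p = f"set firewall name {name} rule {num}"
    return [
        f'{p} description "{description}"',
        f"{p} action {action}",
        f"{p} source address {src}",
        f"{p} destination address {dst}",
        f"{p} log disable",
    ]


def isolation_ruleset(name, lans, step=10, final_rule=999):
    """Reject traffic between every ordered pair of LANs, then accept the rest."""
    nets = [ipaddress.ip_network(lan, strict=True) for lan in lans]
    for a, b in permutations(nets, 2):
        if a.overlaps(b):
            # Overlapping prefixes make the isolation depend on rule order;
            # refuse rather than emit rules that silently do the wrong thing.
            raise ValueError(f"{a} overlaps {b}")
    lines = [f'set firewall name {name} description "Block Internal LAN Interaction"']
    num = step
    for a, b in permutations(nets, 2):
        lines += rule_lines(name, num, "reject", str(a), str(b), f"Block {a} to {b}")
        num += step
    if num > final_rule:
        raise ValueError("too many LAN pairs for the chosen rule numbering")
    # The accept must come last: the reject rules above it are what make it safe.
    lines += rule_lines(name, final_rule, "accept", "0.0.0.0/0", "0.0.0.0/0",
                        "Allow All Traffic Not Previously Blocked")
    return lines


def bind_lines(name, interfaces):
    """Attach the rule set inbound on each LAN interface; unbound it does nothing."""
    return [f"set interfaces ethernet {ifname} firewall in name {name}" for ifname in interfaces]


def reject_rule_count(lines):
    """How many reject rules a generated rule set contains."""
    return sum(1 for line in lines if line.endswith(" action reject"))


if __name__ == "__main__":
    # The page's three internal ranges; the page merges the two 192.168 LANs
    # into 192.168.0.0/16 for the 10/8 rules, this generator keeps them apart.
    out = isolation_ruleset("LAN-TO-LAN", ["192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/8"])
    out += bind_lines("LAN-TO-LAN", ["eth0", "eth1"])
    print("\n".join(out))
```

For the page's three ranges this yields six reject rules instead of the page's four, because the generator does not merge the two 192.168 LANs; the result is longer but each rule states exactly one pair, which is what you want when reading `show firewall` output during an incident.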
Troubleshooting
This command will report what Linux sees on the PCI bus. Check that it correctly identifies the ADSL board.
lspci
00:08.0 Network controller: Globespan Semiconductor Inc. Pulsar [PCI ADSL Card] (rev 01)
This command will show you which kernel modules (drivers) are loaded. If the wanpipe modules aren't loaded, Vyatta didn't find your ADSL card. Try removing and reapplying power (not just a reboot) and/or reseating the ADSL card. Maybe even try a different slot.
lsmod
wanec 326456 0
wanpipe_lip 103300 0
af_wanpipe 34496 0
wanpipe 435356 0
wanpipe_syncppp 27864 1 wanpipe
wanrouter 39528 5 wanec,wanpipe_lip,af_wanpipe,wanpipe,wanpipe_syncppp
sdladrv 65152 2 wanpipe,wanrouter
Caching DNS
Using a caching DNS server on the Vyatta router will improve the performance of just one aspect of Internet access: DNS lookups. It can result in a snappier browsing experience.
Do not bother with this if you already have a DNS server on your internal network(s)...for example a domain-based windows network.
wget http://packages.vyatta.com/vyatta-dev/pool/islavista/main/dnsmasq_2.45-1_all.deb
wget http://packages.vyatta.com/vyatta-dev/pool/islavista/main/dnsmasq-base_2.45-1_i386.deb
wget http://packages.vyatta.com/vyatta-dev/pool/islavista/main/libdbus-1-3_1.2.1-3_i386.deb
dpkg -i dnsmasq_2.45-1_all.deb dnsmasq-base_2.45-1_i386.deb libdbus-1-3_1.2.1-3_i386.deb
You may edit /etc/dnsmasq.conf and specify which interface to listen on (the interface= or listen-address= directives). Since the firewall in the example above has no TO-ROUTER rule admitting DNS from the Internet, outside access is already blocked and I'll skip this; on a router with a more permissive firewall this binding is what keeps it from becoming an open resolver.
You may also want to increase the cache size from the default of 150. It may improve the performance at the cost of some memory.
cache-size=2000
The integrated dnsmasq DHCP server is disabled by default...good. We already use the Vyatta DHCP server function.
Beep When Fully Booted
wget http://http.us.debian.org/debian/pool/main/b/beep/beep_1.2.2-22_i386.deb
dpkg -i beep_1.2.2-22_i386.deb
echo "beep -l 200 -f 750 -n -l 200 -f 1000" >> /etc/init.d/rc.local