
Vyatta (http://www.vyatta.com) is an open source software project enabling administrators to build firewall, VPN and routing appliances on x86-based hardware of their choice.
Vyatta also develops its own hardware appliances, which are available for purchase.
Features
IP and Routing Protocols
IPv6
IP Address Management
Encapsulations
Firewall
VPN
Additional Security
Performance Optimisation
QoS Policies
Logging and Monitoring
High Availability
Administration
Diagnostics & Packet Sniffing
Virtualisation Readiness
The Vyatta software can be run from a LiveCD, hard drive, USB drive, CompactFlash drive or can be downloaded as a pre-compiled Virtual Machine from the Vyatta web site.
The appliance can be administered at the command line via SSH (or Telnet, which sends credentials and session content in cleartext and should not be enabled on an Internet-facing interface), or from a web browser via a Graphical User Interface which can optionally be served over HTTPS.
The entire configuration of the appliance is stored in a single text-based configuration file that can be backed up and restored quickly and easily.
Multiple administrative user accounts can be configured as well as administrative roles. Support for RADIUS authentication is also included.
Installation and Configuration
The Vyatta software can be used to fulfil a number of roles, but as a low-cost Internet Gateway and Firewall appliance, the installation and configuration process takes only a few minutes.
To install the software to a physical host, boot from the LiveCD and log in at the prompt with the default username and password of 'vyatta'. The same default credentials apply to the installed system until you change them, so treat changing the password as part of the installation. Then simply type
install-system
and follow the on-screen instructions. You will need to have created a hard drive partition and know its device name, e.g. /dev/sda1.
The required system files will then be copied to the hard drive automatically. All present network interfaces will be detected automatically.
To configure the appliance's networking, run the following commands:
configure
Enters configuration mode
set system host-name FW1
commit
Sets the appliance's hostname
set system domain-name mydomain.com
commit
Completes the appliance's fully qualified DNS name (FW1.mydomain.com)
set interfaces ethernet eth0 address 192.0.2.2/24
commit
Assigns the first network interface to the external network provided by your ISP (here the external address assigned to you by the ISP is 192.0.2.2 with a mask of 255.255.255.0)
set interfaces ethernet eth1 address 192.168.1.254/24
commit
Assigns the second network interface to the internal LAN, with an internal address of 192.168.1.254/255.255.255.0
set system gateway-address 192.0.2.1
commit
Sets the unit's default gateway to the external address of your ISP's router or broadband modem
set system name-server 8.8.8.8
commit
Sets the DNS server the appliance itself uses for name resolution. 8.8.8.8 is Google Public DNS; substitute the resolver supplied by your ISP if you prefer. The command can be repeated to define secondary and tertiary servers
set service https
commit
Enables HTTPS access to the Vyatta web GUI. A self-signed certificate is generated automatically, so browsers will warn on first connection; check the certificate presented before accepting it rather than simply clicking through
set service ssh
commit
Enables SSH access to the Vyatta command line interface. An SSH host key pair is generated automatically; verify its fingerprint on the console before trusting it from a client for the first time
set system login user vyatta authentication plaintext-password PASSWORD
commit
Changes the password of the default 'vyatta' account to whatever you specify in place of PASSWORD. Do this before the appliance is reachable over SSH or HTTPS. The password is stored in the configuration as a hash, not in the clear
set date MMDDhhmmCCYY
Sets the date and time on the unit. This is an operational-mode command: run it after leaving configuration mode with 'exit', or prefix it with 'run' while in configuration mode; it does not require a commit. For a one-off synchronisation from a time server use 'set date ntp' followed by the server's address; for ongoing synchronisation configure an NTP server under 'system ntp' in configuration mode.
The 'commit' command can be run after each 'set' command, or you can enter all the 'set' commands and run 'commit' once you have finished. Committing activates the configuration but does not persist it: run 'save' as well to write it to config.boot, otherwise the changes are lost at the next reboot.
You will now be able to connect to the Vyatta appliance from a host on the internal LAN via the web interface at https://192.168.1.254/:

Should you want to use the Vyatta appliance as a DHCP server on the local interface, this is also easily configurable:
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.199
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 default-router 192.168.1.254
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 8.8.8.8
commit
This configures a DHCP pool of 100 client addresses (192.168.1.100 to 192.168.1.199) and defines the gateway and DNS server that will be pushed to clients. NOTE: on a LAN an internal DNS server would usually be specified here instead, such as a Microsoft Active Directory Domain Controller.
To configure Network Address Translation, so that requests to the Internet from hosts on the LAN appear to come from the 'masquerade' or 'hide' address of the appliance's external interface, run the following commands:
set service nat rule 1 source address 192.168.1.0/24
set service nat rule 1 outbound-interface eth0
set service nat rule 1 type masquerade
commit
You have now configured Vyatta as an Internet Gateway. By default Vyatta does not restrict any traffic on any of its network interfaces, so at this point every service you enabled (SSH, HTTPS) is reachable from the Internet on eth0. Firewall rules are grouped into named rule sets that can be configured either at the command line or via the web interface. For each interface, a rule set can be attached in three directions:
in - traffic arriving on the interface and forwarded through the appliance
out - forwarded traffic leaving via the interface
local - traffic arriving on the interface and addressed to the appliance itself
The normal approach is to block all traffic initiated from the Internet. Once a rule set is attached to an interface, any packet that matches none of its rules is dropped by the rule set's default action, so an otherwise empty rule set amounts to "deny all". Doing only that, however, prevents outbound connections from completing, because the response packets to requests initiated from the LAN are blocked too. To rectify this we must explicitly accept response packets belonging to "established" connections. The commands to accomplish this are as follows:
set firewall name ALLOW_ESTABLISHED
set firewall name ALLOW_ESTABLISHED rule 10
set firewall name ALLOW_ESTABLISHED rule 10 action accept
set firewall name ALLOW_ESTABLISHED rule 10 state established enable
commit
This creates a rule set named ALLOW_ESTABLISHED containing rule 10, which accepts incoming packets that belong to connections already established from the inside. Most deployments also enable the 'related' state on the same rule so that ICMP error messages and helper-tracked connections such as FTP data channels are accepted as well.
To apply this rule set to a specific interface, use the commands:
set interfaces ethernet eth0 firewall in name ALLOW_ESTABLISHED
set interfaces ethernet eth0 firewall local name ALLOW_ESTABLISHED
commit
The 'in' attachment filters Internet traffic forwarded towards the LAN and the 'local' attachment filters Internet traffic addressed to the appliance itself, so SSH and the web GUI are no longer reachable from the WAN side. No rule set is attached to eth1, so hosts on the LAN can still manage the appliance.
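The complete configuration session below gathers the steps above into one transaction, as an added example; it is not taken from the original page or from Vyatta's own documentation. It assumes the WAN link is eth0 with the ISP-assigned address 192.0.2.2/24 and gateway 192.0.2.1, the LAN is 192.168.1.0/24 on eth1, and 'S3cureP4ss' is a placeholder for the new password. It goes slightly beyond the text in three places: the password is changed before any service is enabled, the firewall and the management services are committed together so SSH and HTTPS are never exposed on eth0 without the rule set, and the rule set makes the drop default explicit, accepts 'related' traffic and drops packets with invalid connection state.

```vyatta
# Added example: complete Internet gateway configuration in one commit.
# Assumed values (not from the page): eth0 = WAN 192.0.2.2/24 via 192.0.2.1,
# eth1 = LAN 192.168.1.0/24, 'S3cureP4ss' = placeholder password.
configure

# Identity and addressing
set system host-name FW1
set system domain-name mydomain.com
set interfaces ethernet eth0 description 'WAN (ISP)'
set interfaces ethernet eth0 address 192.0.2.2/24
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 address 192.168.1.254/24
set system gateway-address 192.0.2.1
set system name-server 8.8.8.8

# Replace the default vyatta/vyatta credentials before any service is reachable
set system login user vyatta authentication plaintext-password 'S3cureP4ss'

# Stateful rule set for the Internet-facing interface: accept only replies to
# connections initiated from inside (plus related traffic such as ICMP errors),
# drop packets with invalid state, and drop everything else by default
set firewall name ALLOW_ESTABLISHED description 'Return traffic only'
set firewall name ALLOW_ESTABLISHED default-action drop
set firewall name ALLOW_ESTABLISHED rule 10 action accept
set firewall name ALLOW_ESTABLISHED rule 10 state established enable
set firewall name ALLOW_ESTABLISHED rule 10 state related enable
set firewall name ALLOW_ESTABLISHED rule 20 action drop
set firewall name ALLOW_ESTABLISHED rule 20 state invalid enable
set interfaces ethernet eth0 firewall in name ALLOW_ESTABLISHED
set interfaces ethernet eth0 firewall local name ALLOW_ESTABLISHED

# Source NAT for the LAN behind the WAN address
set service nat rule 1 type masquerade
set service nat rule 1 source address 192.168.1.0/24
set service nat rule 1 outbound-interface eth0

# DHCP for LAN clients
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.199
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 default-router 192.168.1.254
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 8.8.8.8

# Management services, committed in the same transaction as the firewall
set service ssh
set service https

# Activate everything at once and persist it to config.boot
commit
save
exit

# Checks from operational mode
show interfaces
show firewall name ALLOW_ESTABLISHED
show configuration
```

After the commit, confirm the exposure from both sides: from a LAN host https://192.168.1.254/ and SSH to 192.168.1.254 should work, while a port scan of 192.0.2.2 from outside (for example nmap -Pn -p 22,443 192.0.2.2) should report the ports as filtered, and a LAN host should still be able to browse the Internet because its return traffic matches the established/related rule.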
You have now configured an Internet Gateway and Firewall appliance. Vyatta is capable of being used in much more complicated scenarios and of fulfilling a wide range of networking roles. For more information visit the Vyatta web site.