Vyatta

Vyatta (http://www.vyatta.com) is an open source software project enabling administrators to build firewall, VPN and routing appliances on x86-based hardware of their choice.
Vyatta also develop their own hardware appliances available for purchase.


Features

IP and Routing Protocols

  • BGPv4
  • OSPFv3
  • RIPv2
  • Static Routes

IPv6

  • BGP
  • OSPFv3
  • IPv6 Firewalling

IP Address Management

  • Static
  • DHCP Server
  • DHCP Client
  • DHCP Relay
  • Dynamic DNS
  • DNS Forwarding

Encapsulations

  • Ethernet
  • 802.1Q VLANs
  • PPP
  • PPPoE
  • IP in IP
  • Frame Relay
  • MLPPP
  • HDLC
  • GRE

Firewall

  • Stateful Inspection Firewall
  • Zone-based Firewall
  • P2P Filtering

VPN

  • SSL-based OpenVPN
  • Site-to-Site VPN (IPSec)
  • Remote VPN (PPTP, L2TP, IPSec)
  • DES, 3DES, AES Encryption

Additional Security

  • Network Address Translation
  • Intrusion Prevention
  • URL Filtering
  • MD5 and SHA-1 Authentication

Performance Optimisation

  • WAN Link Load Balancing
  • Ethernet Link Bonding
  • MLPPP
  • ECMP
  • Bandwidth Management
  • Web Caching

QoS Policies

  • Policy Queuing
  • Classful Queuing
  • Round Robin
  • Weighted Random
  • Network Emulator

Logging and Monitoring

  • Syslog
  • SNMPv2c

High Availability

  • VRRP
  • IPSec VPN Clustering
  • Protocol Fault Isolation

Administration

  • Integrated CLI
  • Web GUI
  • Single Configuration File
  • Telnet
  • SSHv2

Diagnostics & Packet Sniffing

  • tcpdump
  • Wireshark Packet Capture
  • BGP MD5 Support
  • Serial Loopback Commands

Virtualisation Readiness

  • Integrated XenServer Tools
  • Integrated VM Tools
  • Xen Para-virtualisation

The Vyatta software can be run from a LiveCD, hard drive, USB drive, CompactFlash drive or can be downloaded as a pre-compiled Virtual Machine from the Vyatta web site.

The solution can be administered at the command line via either Telnet or SSH, or equally from a web browser via a Graphical User Interface which can be optionally secured by SSL.

The entire configuration of the appliance is stored in a single text-based configuration file that can be backed up and restored quickly and easily.
Multiple administrative user accounts can be configured as well as administrative roles. Support for RADIUS authentication is also included.


Installation and Configuration

The Vyatta software can be used to fulfil a number of roles, but as a low-cost Internet Gateway and Firewall appliance, the installation and configuration process takes only a few minutes.

To install the software to a physical host, boot from the LiveCD and log in at the prompt using a username and password of 'vyatta'. Then type

install-system

and follow the on-screen instructions. You will need to have created a hard drive partition and know its device name, for example /dev/sda1.

The required system files will then be copied to the hard drive automatically. All present network interfaces will be detected automatically.

To configure the appliance's networking, run the following commands:

configure

Sets the unit to configuration mode

set system host-name FW1
commit

Sets the appliance's hostname

set system domain-name mydomain.com
commit

Completes the appliance's full DNS name (FW1.mydomain.com)

set interfaces ethernet eth0 address 192.0.2.2/24
commit

Sets the first network interface to the external network provided by your ISP (where the external IP address assigned to you by the ISP is 192.0.2.2/255.255.255.0)

set interfaces ethernet eth1 address 192.168.1.254/24
commit

Sets the second network interface to the internal LAN, with an internal address of 192.168.1.254/255.255.255.0

set system gateway-address 192.0.2.1
commit

Sets the default gateway address of the unit to the external IP address of your ISP's router or broadband modem

set system name-server 8.8.8.8
commit

Sets the primary external DNS server to that provided by your ISP. This command can be repeated to define secondary and tertiary DNS servers

set service https
commit

Enables HTTPS access to the Vyatta web GUI. This step will automatically create a certificate to be used by the web GUI

set service ssh
commit

Enables SSH access to the Vyatta command line interface. This step will create an OpenSSL-based key for the appliance automatically

set system login user vyatta authentication plaintext-password PASSWORD
commit

This changes the default 'vyatta' user account password to whatever you specify in place of 'PASSWORD'

set date MMDDhhmmCCYY
commit

Sets the correct date and time on the unit. This can also be done by specifying the IP address of an NTP server.

The 'commit' command can be run after each command, or you can enter all the commands and run commit once when you have finished.

You will now be able to connect to the Vyatta appliance from a host on the same network via the web interface:

Vyatta Web GUI

Should you want to use the Vyatta appliance as a DHCP server on the local interface, this is also easily configurable:

set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 start 192.168.1.100 stop 192.168.1.199
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 default-router 192.168.1.254
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 8.8.8.8
commit

This configures a DHCP pool with 100 client addresses and defines the gateway and DNS server information that will be pushed to clients. NOTE - on the LAN an internal DNS server would probably be specified, such as a Microsoft Active Directory Domain Controller.

To configure Network Address Translation, so that requests to the Internet from hosts on the LAN appear as coming from the 'masquerade' or 'hide' address of the external interface of the Vyatta appliance, run the following commands:

set service nat rule 1 source address 192.168.1.0/24
set service nat rule 1 outbound-interface eth0
set service nat rule 1 type masquerade
commit

You have now configured Vyatta as an Internet Gateway. By default Vyatta will not restrict any traffic on any of the network interfaces. Firewall policy rules can be configured either at the command line or via the web interface. For each interface, three types of rules can be defined:

  • In - packets entering the interface
  • Out - packets leaving the interface
  • Local - packets destined for the system itself

A normal approach would be to block all incoming traffic from the Internet. This is accomplished by an implicit "deny all" rule. However, doing this will prevent outbound connections from completing properly, as response packets to outbound-initiated requests will also be blocked. To rectify this we must explicitly allow response packets from "established connections". The commands to accomplish this are as follows:

set firewall name ALLOW_ESTABLISHED
set firewall name ALLOW_ESTABLISHED rule 10
set firewall name ALLOW_ESTABLISHED rule 10 action accept
set firewall name ALLOW_ESTABLISHED rule 10 state established enable
commit

This has created a firewall rule set named ALLOW_ESTABLISHED containing rule number 10, which allows incoming packets that are responses to already established outbound connections.

To apply this rule to a specific interface, use the commands:

set interfaces ethernet eth0 firewall in name ALLOW_ESTABLISHED
set interfaces ethernet eth0 firewall local name ALLOW_ESTABLISHED
commit
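
The following Python script is an added example, not part of the original page or of the Vyatta project. It audits a listing of 'set' commands like those above and reports any NAT outbound interface that has no rule set applied to 'in' or 'local', or that references a rule set which was never defined. The sample listing is constructed, and treating the NAT outbound interface as the Internet-facing one is an assumption.

```python
import shlex

# Constructed sample: the page's commands, with the 'local' binding for eth0
# deliberately left out so the audit has something to report.
SAMPLE = """
set interfaces ethernet eth0 address 192.0.2.2/24
set service nat rule 1 source address 192.168.1.0/24
set service nat rule 1 outbound-interface eth0
set service nat rule 1 type masquerade
set firewall name ALLOW_ESTABLISHED rule 10 action accept
set firewall name ALLOW_ESTABLISHED rule 10 state established enable
set interfaces ethernet eth0 firewall in name ALLOW_ESTABLISHED
"""

def parse(text):
    """Return each 'set' command as the list of tokens after the word 'set'."""
    cmds = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens and tokens[0] == "set":
            cmds.append(tokens[1:])
    return cmds

def audit(text):
    """List Internet-facing interfaces lacking an 'in' or 'local' rule set."""
    cmds = parse(text)
    defined = {c[2] for c in cmds if len(c) > 2 and c[:2] == ["firewall", "name"]}
    # Assumption: the outbound interface of any NAT rule faces the Internet.
    wan = {c[5] for c in cmds if len(c) == 6
           and c[:3] == ["service", "nat", "rule"] and c[4] == "outbound-interface"}
    bound = {}  # (interface, direction) -> rule-set name
    for c in cmds:
        if (len(c) == 7 and c[:2] == ["interfaces", "ethernet"]
                and c[3] == "firewall" and c[5] == "name"):
            bound[(c[2], c[4])] = c[6]
    findings = []
    for iface in sorted(wan):
        for direction in ("in", "local"):
            name = bound.get((iface, direction))
            if name is None:
                findings.append(f"{iface}: no firewall rule set applied to '{direction}'")
            elif name not in defined:
                findings.append(f"{iface}: '{direction}' references undefined rule set {name}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A binding typed with a misspelt path, such as 'set interface' in place of 'set interfaces', is not counted, so the gap on that interface is still reported.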

You have configured an Internet Gateway and Firewall appliance. Vyatta is capable of being used in much more complicated scenarios and fulfilling a wide range of networking roles. For more information visit the Vyatta web site.