This document provides instructions for configuring basic networking and firewall rules on Vyatta, an open-source virtual router that can run on VMware Workstation. It explains how to download and install Vyatta, set up two network interfaces connected to different VMware networks, enable SSH access, and configure NAT, firewall zones, and firewall rules to allow traffic between the networks and outbound while blocking all other traffic. The document is intended as a tutorial for setting up a simple but functional virtual network with routing and basic firewall capabilities using Vyatta.
Vyatta Router running on VMware Workstation Part 1: basic networking
by Wojciech Marusiak | Jul 13, 2013 | VMware | 16 comments

Have you ever thought of using your own router in your virtual lab? I did, and previously I was using GNS with Cisco IOS images, but with the new lab I would like to use Vyatta as router and firewall. Configuration of GNS with VMware Workstation was not as easy as it is with Vyatta.

What is Vyatta?
Vyatta, as Wikipedia says, is a Debian-based software virtual router, firewall and VPN. I find it very powerful (although I will not use more than 1% of its capabilities) and people familiar with Cisco and Juniper will feel at home. One feature which might be useful (the Web GUI) was removed in version 6.3; shame on them. Ok, let's do it!

Basic Networking
1. In order to download the free version of Vyatta follow this link http://www.vyatta.org/downloads and simply download the ISO file.
2. After downloading the ISO create a Virtual Machine (I used 1 CPU, 512MB RAM and 3GB of storage) with Debian as the operating system. I used two network adapters: one will be connected to the LAN (OUTER network, we can call it public), network 192.168.255.0/24 (to access Vyatta via SSH), and the second one to VMnet1, which is the network for the virtual machines (INNER network). Vyatta will do routing and firewalling between the networks.
3. After the boot screen hit enter and log in to vyatta using the following credentials:
   Username: vyatta
   Password: vyatta
4. The next step is really simple: installation of Vyatta on the local disk. In order to do that simply execute the command install system and confirm it.
5. I went with the default settings for partitions but you can align them as you wish.
6. Set the vyatta user password.
7. Reboot Vyatta by executing the command reboot.
8. Log in again to vyatta and we will start with setting the hostname. Enter configuration mode by typing
configure and type set system host-name your hostname.
9. Now we will set up the network interfaces:
   set interfaces ethernet eth0 address 192.168.255.250/24 (192.168.121.0)
   set interfaces ethernet eth1 address 10.0.0.1/24 (192.168.240.0)
   Commit the changes by executing the command commit and save them with save.
10. Now that we have both interfaces up and running we will enable SSH. In order to do it execute the following command: set service ssh. Commit and save.
11. Before you will be able to connect to the INNER network you need to add a route on your PC or even on your physical router. In my case I added the following route using this command (I am running Windows):
   route add 10.0.0.0 (192.168.240.0) mask 255.255.255.0 192.168.255.250 (192.168.121.0) -p
12. Now you should be able to reach the VMs in the INNER network, in my case subnet 10.0.0.0/24 (192.168.240.0). This is my current network diagram.

Vyatta Router running on VMware Workstation Part 2: DNS, Firewall and NAT
by Wojciech Marusiak | Jul 17, 2013 | Security, VMware | 0 comments

In the previous post http://wojcieh.net/vyatta-router-running-on-vmware-workstation-part-1/ we configured basic network connectivity between two networks. Today we will enable NAT, Firewall and DNS.

NAT
Configuring NAT on Vyatta is quite simple. To do it type the following commands:
   set nat source rule 10 outbound-interface eth0
   set nat source rule 10 source address 10.0.0.0/24 (192.168.240.0)
   set nat source rule 10 translation address masquerade
   set nat source rule 10 description "LAN to WAN"

Firewall
In my case I decided to use simple firewall rules based on zones. At the beginning
it might be difficult to understand, but if you spend a while on it, it should be crystal clear. The first part is to create the firewall rule-sets; I used WAN_TO_LAN and LAN_TO_WAN.

WAN_TO_LAN
   set firewall name WAN_TO_LAN
   set firewall name WAN_TO_LAN default-action drop
   set firewall name WAN_TO_LAN rule 10 action accept
   set firewall name WAN_TO_LAN rule 10 protocol all
   set firewall name WAN_TO_LAN rule 10 state established enable
   set firewall name WAN_TO_LAN rule 10 state related enable
Here you see how the rule-set WAN_TO_LAN should look in the configuration:
   name WAN_TO_LAN {
       default-action drop
       rule 10 {
           action accept
           protocol all
       }
   }

LAN_TO_WAN
   set firewall name LAN_TO_WAN
   set firewall name LAN_TO_WAN default-action drop
   set firewall name LAN_TO_WAN rule 10 action accept
Here you see how the rule-set LAN_TO_WAN should look in the configuration:
   name LAN_TO_WAN {
       default-action drop
       rule 10 {
           action accept
       }
   }

Zone policies
Now we will create the zones, in my case WAN and LAN, and assign them to the appropriate ethernet interfaces.
   set zone-policy zone WAN
   set zone-policy zone WAN description WAN
   set zone-policy zone WAN default-action drop
   set zone-policy zone WAN interface eth0
   set zone-policy zone LAN
   set zone-policy zone LAN description LAN
   set zone-policy zone LAN default-action drop
   set zone-policy zone LAN interface eth1

Assign firewall to zones
This one is tricky; read the syntax of the commands carefully. The rule-set named in "zone X from Y" filters the traffic entering zone X from zone Y, so the WAN zone gets LAN_TO_WAN and the LAN zone gets WAN_TO_LAN.
   WAN firewall: set zone-policy zone WAN from LAN firewall name LAN_TO_WAN
   LAN firewall: set zone-policy zone LAN from WAN firewall name WAN_TO_LAN
Here you see how zone WAN should look:
   default-action drop
   description WAN
   from LAN {
       firewall {
           name LAN_TO_WAN
       }
   }
   interface eth0
Here you see how zone LAN should look:
   default-action drop
   description LAN
   from WAN {
       firewall {
           name WAN_TO_LAN
       }
   }
   interface eth1

DNS configuration
DNS configuration is quite simple. In order to make it work enter the following
commands:
   set service dns forwarding name-server IP (in my case it is 192.168.200.204 (192.168.121.0))
   set service dns forwarding listen-on eth1
In order to really test it, on the Domain Controller I set the forwarder to the Vyatta LAN IP, 10.0.0.1, and I deleted all root hints.

Wow, this was a really long post. I hope you will find it really useful and that it all works in your environment as well.

Vyatta Router running on VMware Workstation Part 3: Firewall Hardening
by Wojciech Marusiak | Jul 31, 2013 | Security, VMware | 0 comments

In part 2 of configuring Vyatta I implemented simple firewall rules which blocked all network traffic. The next step is to implement firewall rules which will allow us to connect to the ESXi hosts as well as to the vCenter server.

Firewall hardening
In my case I opened the following ports:
   22 - SSH
   53 - DNS
   80 - HTTP
   902 - vCenter Server / VMware Infrastructure Client, UDP for ESX/ESXi heartbeat
   903 - Remote Console
   443 - Web Access
   3389 - RDP
I didn't open any extra port so far, but opening a firewall port is relatively easy. In order to do it type on Vyatta:
   set firewall name WAN_TO_LAN rule 39
   set firewall name WAN_TO_LAN rule 39 action accept
   set firewall name WAN_TO_LAN rule 39 description "RDP to Domain Controller"
   set firewall name WAN_TO_LAN rule 39 destination address 10.0.0.11
   set firewall name WAN_TO_LAN rule 39 destination port 3389
   set firewall name WAN_TO_LAN rule 39 source address 192.168.255.101
   set firewall name WAN_TO_LAN rule 39 protocol tcp
   set firewall name WAN_TO_LAN rule 39 log enable
   set firewall name WAN_TO_LAN rule 39 state established enable
   set firewall name WAN_TO_LAN rule 39 state new enable
   set firewall name WAN_TO_LAN rule 39 state related enable
If you are following the
motto "work smart, not hard", then I suggest that you use the firewall generator from the website http://www.arkf.net/blog/. It will literally save you a lot of time putting all the firewall rules in place. You need to download the Excel file and put all the ports you need to open into the specific rule. As in my example you will see the rules. You can also download the generated firewall rules prepared by myself using this link: Vyatta_firewall.xls. In case you don't remember the ports to open to allow communication to the ESXi host and vCenter server you can find them in the VMware KB http://kb.vmware.com/kb/1001189. In the next post I will create a trunk and LACP; so much fun is coming!
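The Excel-based generator linked above is not reproduced here; as an added example (not the post's own code), the following Python emits the same "set firewall" commands as rule 39 for a whole list of allowed services, numbering them from 20 in steps of 10 so that rule 10 (the established/related rule from part 2) stays first. The hosts and descriptions in ALLOW are constructed for this lab layout, apart from the RDP entry taken from the post.

```python
# Added example, not the Excel-based generator the post links to: emit the
# "set firewall" commands for a list of allowed services in the shape of
# rule 39 above. Hosts and ports in ALLOW are constructed for this lab.
ALLOW = [  # (description, source host, destination host, port, protocol)
    ("RDP to Domain Controller", "192.168.255.101", "10.0.0.11", 3389, "tcp"),
    ("SSH to ESXi host", "192.168.255.101", "10.0.0.20", 22, "tcp"),
    ("vCenter heartbeat UDP 902", "192.168.255.101", "10.0.0.30", 902, "udp"),
]

def rule_commands(ruleset, number, desc, src, dst, port, proto):
    """One accept rule: stateful, logged, pinned to host, port and protocol."""
    if proto not in ("tcp", "udp") or not 1 <= port <= 65535:
        raise ValueError(f"bad port/protocol for rule {number}: {port}/{proto}")
    if '"' in desc:
        raise ValueError("description must not contain double quotes")
    p = f"set firewall name {ruleset} rule {number}"
    return [
        p,
        f"{p} action accept",
        f'{p} description "{desc}"',
        f"{p} destination address {dst}",
        f"{p} destination port {port}",
        f"{p} source address {src}",
        f"{p} protocol {proto}",
        f"{p} log enable",
        f"{p} state established enable",
        f"{p} state new enable",
        f"{p} state related enable",
    ]

def generate(ruleset, allow, first=20, step=10):
    """Number rules from `first` in steps of `step`, leaving gaps for later
    insertions, and reject duplicate (destination, port, protocol) entries."""
    seen, lines = set(), []
    for i, (desc, src, dst, port, proto) in enumerate(allow):
        key = (dst, port, proto)
        if key in seen:
            raise ValueError(f"duplicate rule for {dst}:{port}/{proto}")
        seen.add(key)
        lines += rule_commands(ruleset, first + i * step, desc, src, dst, port, proto)
    return lines
```

Paste the output of generate("WAN_TO_LAN", ALLOW) into configure mode, then commit and save as in part 2.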
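Also added here, and not the post's code: a small parser for the brace-style text that the "show" output in part 2 uses, with an audit that flags accept rules admitting new connections to any destination port. SAMPLE is constructed to mirror the WAN_TO_LAN and LAN_TO_WAN rule-sets from part 2 (including the state lines the set commands configure); LAN_TO_WAN is expected to be flagged, since it is the deliberately permissive outbound set.

```python
# Added example, not code from the original post: parse the brace-style text that
# Vyatta's "show firewall" prints and audit one rule-set. SAMPLE mirrors part 2.
SAMPLE = """\
name WAN_TO_LAN {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
}
name LAN_TO_WAN {
    default-action drop
    rule 10 {
        action accept
    }
}
"""

def parse_show(text):
    # 'key {' opens a child dict, '}' closes it, 'key value' is a leaf.
    stack = [{}]
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in show output")
    return stack[0]

def audit_ruleset(cfg, name):
    # Empty result: every accept rule matches only replies or names a port.
    rs = cfg["name " + name]
    findings = [] if rs.get("default-action") == "drop" else ["default-action is not drop"]
    for key, rule in rs.items():
        if not key.startswith("rule ") or rule.get("action") != "accept":
            continue
        # No 'state' node means the rule matches every state, NEW included.
        admits_new = "state" not in rule or rule["state"].get("new") == "enable"
        has_port = "port" in rule.get("destination", {})
        if admits_new and not has_port:
            findings.append(f"{key} admits new connections to any port")
    return findings
```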