Archive for July, 2010
This is a republish of my old blog … the old files are going away due to a change in hosts, so please update links if you have any.
I struggled quite a bit the first time around to find a source of information for configuring Vyatta's router solution, simply because examples are hard to find (not that there is any problem with the product itself). So here are the configuration and examples I had. I left IP addresses in as examples, but they may have to be changed depending on your home network setup.
Before entering the commands below you have to be in configure mode, and afterwards commit them (the commits are in there, but I will not put the configure command in, as you could do it all in one or multiple configure sessions).
Configure Outside interface for DHCP (eth0 is my outside interface)
Configure inside interface with static IP address (eth1 is my inside interface)
set interfaces ethernet eth1 address 192.168.11.1/24
Configure the DHCP server for the internal network (note: because of line wrap this looks funny, but each "set service" is the start of a new line that continues all the way to the next "set service"; one command per line)
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 start 192.168.11.10
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 start 192.168.11.10 stop 192.168.11.50
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 dns-server 184.108.40.206
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 default-router 192.168.11.1
This turns on the DHCP server for the 192.168.11.0/24 network; it starts handing out IP addresses at .10 and stops at .50. I also set my outside DNS server to be handed out by DHCP, along with the default router.
Set NAT (generic rule to enable NAT)
set service nat rule 1 outbound-interface eth0
set service nat rule 1 source address 192.168.11.0/24
set service nat rule 1 type masquerade
Forwarding SSH (this creates a rule to forward SSH from any source to any destination that arrives on the outside interface eth0; I do this because I have a dynamic IP address externally, so setting the destination is not useful, and I do not know the IP address I will be coming from). This acts like "port forwarding" in home routers.
set service nat rule 2
set service nat rule 2 type destination
set service nat rule 2 inbound-interface eth0
set service nat rule 2 protocol tcp
set service nat rule 2 destination address 0.0.0.0/0
set service nat rule 2 destination port ssh
set service nat rule 2 source address 0.0.0.0/0
set service nat rule 2 inside-address address 192.168.11.48
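As an added check (my own Python, not part of the original post and not a Vyatta feature), the script below parses a one-command-per-line "set" list like the one above and flags inconsistencies worth catching before commit: a DHCP range outside the subnet, a default-router that is not one of the router's own addresses, a masquerade rule that does not cover the LAN, and a destination rule whose source is 0.0.0.0/0, which is what makes the SSH forward reachable from any address. The embedded sample is a constructed copy of the commands above (DNS and protocol lines omitted for space).

```python
import ipaddress
from collections import defaultdict
# Constructed sample: the post's commands, one per line (DNS/protocol lines omitted for space).
SAMPLE = """\
set interfaces ethernet eth1 address 192.168.11.1/24
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 start 192.168.11.10 stop 192.168.11.50
set service dhcp-server shared-network-name LAN subnet 192.168.11.0/24 default-router 192.168.11.1
set service nat rule 1 outbound-interface eth0
set service nat rule 1 source address 192.168.11.0/24
set service nat rule 1 type masquerade
set service nat rule 2 type destination
set service nat rule 2 inbound-interface eth0
set service nat rule 2 destination port ssh
set service nat rule 2 source address 0.0.0.0/0
set service nat rule 2 inside-address address 192.168.11.48
"""

def parse(text):
    """Split 'set ...' lines into interface addresses, the DHCP subnet block and NAT rules."""
    ifaces, dhcp, nat = {}, {}, defaultdict(dict)
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[1:3] == ["interfaces", "ethernet"] and t[4] == "address":
            ifaces[t[3]] = t[5]
        elif t[1:3] == ["service", "dhcp-server"]:
            i = t.index("subnet")
            dhcp["subnet"] = t[i + 1]
            dhcp.update(zip(t[i + 2::2], t[i + 3::2]))  # start/stop, default-router, ...
        elif t[1:4] == ["service", "nat", "rule"]:
            nat[t[4]][" ".join(t[5:-1])] = t[-1]  # key = option path, value = last token
    return ifaces, dhcp, nat

def check(text):
    """Return findings (strings); an empty list means the commands are consistent."""
    ifaces, dhcp, nat = parse(text)
    out = []
    lan = ipaddress.ip_network(dhcp["subnet"])
    start, stop = (ipaddress.ip_address(dhcp[k]) for k in ("start", "stop"))
    if not (start in lan and stop in lan and start <= stop):
        out.append("DHCP range %s-%s is not inside %s" % (start, stop, lan))
    if dhcp.get("default-router") not in {a.split("/")[0] for a in ifaces.values()}:
        out.append("default-router %s is not an address of this router" % dhcp.get("default-router"))
    for num, r in nat.items():
        if r.get("type") == "masquerade" and r.get("source address") != str(lan):
            out.append("NAT rule %s masquerades %s, not the LAN %s" % (num, r.get("source address"), lan))
        if r.get("type") == "destination":
            if ipaddress.ip_address(r["inside-address address"]) not in lan:
                out.append("NAT rule %s forwards to an address outside the LAN" % num)
            if r.get("source address", "0.0.0.0/0") == "0.0.0.0/0":  # absent source = any source
                out.append("NAT rule %s exposes port %s to any source" % (num, r.get("destination port")))
    return out
```

Run check(SAMPLE) against the post's commands and the only finding is the SSH forward being open to any source, which is exactly the trade-off the post describes for a dynamic external address.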
After watching a recent episode of HAK5 I got renewed motivation to go back to using something other than a pre-purchased appliance as an external router/firewall. As many of you know if you followed my old blog, I have done this before with a variety of software, both on hardware and as a virtual device.
In this case I wanted to use smoothwall
For those not familiar, Smoothwall is a very nice pre-packaged Linux-based operating system designed to be your edge firewall. The twist I am adding is that I want to run this as a virtual device but keep it simple enough that you would not need specialized hardware to accomplish it (things like a VLAN-capable switch, which would be very doable if you wanted to reduce the NIC count).
A word of warning: this post really requires a working knowledge of the basics of VMware (setting up and configuring ESX itself, and a basic understanding of how to modify virtual hardware and deal with ISOs). If you are not at this level of knowledge there are plenty of blogs out there that will help you get started. I will also try to write some "basics", but if I miss anything please comment and let me know what I need to add to make it easy for you.
That being said, I am using my standard home tower (Dell SC440) as the host for this virtual device … I have 3 different NICs in the machine but I am only going to use 2 for this particular project.
As you can see from my networking diagram, I have 2 virtual switches with virtual machine port groups on them; the inside or green interface will be in the "VM Network" port group, and the outside or red interface will be the one in the "Outside" port group.
The next step is to create the virtual machine. I created a standard virtual machine with "Other Linux 32 bit" as the configuration and the name smoothwall. When creating it, leave the default HDD size; I will show you why in a little bit.
As you can see here, I created the virtual machine as "Other Linux" with 512 MB of RAM; this can be scaled up later if you wish.
Now comes the tricky part: Smoothwall does not detect SCSI hard drives, which are the standard for ESX.
Step 1 is to edit the settings of the Smoothwall virtual machine
Step 2 is to remove the existing hard disk
Step 3 is to add a new IDE virtual hard disk
This is the only major modification that you have to make to the virtual hardware. You will also need to add a network interface to the “inside” and “outside” port group.
After that is complete you are ready to start the installation.
At this point boot to the ISO/CD and follow the menus.
We are going to want to do a RED+GREEN configuration for this.
The last trick that makes a virtual environment different from a physical one is that the virtual network cards use the same driver set. There are several ways around this, but the easiest I found is that when you do the card assignment it states what MAC address is being used after you assign it.
This MAC address is visible in the settings of the NIC in VMware.
This should point you in the right direction to find which is which. If you assigned it to the wrong one, the nice thing is you can just flip the port assignment at any time.
At this point it is like any other Smoothwall deployment out there. I would recommend watching HAK5's Building a High Speed Router episode.
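To make the MAC-address matching above less error-prone, here is an added Python example (my own, not from the original post or from Smoothwall/VMware) that maps each guest interface to its VMware port group and Smoothwall colour. It assumes the standard .vmx keys ethernetN.networkName and ethernetN.generatedAddress and the output of "ip -o link" inside the guest; both samples below are constructed, and the colour-to-port-group table is the post's layout.

```python
import re

# Constructed: the two NICs of the Smoothwall VM as the .vmx file records them.
VMX = """\
ethernet0.networkName = "VM Network"
ethernet0.generatedAddress = "00:0c:29:aa:bb:01"
ethernet1.networkName = "Outside"
ethernet1.generatedAddress = "00:0c:29:aa:bb:02"
"""
# Constructed: 'ip -o link' as seen inside the guest; note the guest's eth0 is NOT ethernet0.
IP_LINK = """\
1: lo: <LOOPBACK,UP> mtu 65536 ... link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 ... link/ether 00:0c:29:aa:bb:02 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 ... link/ether 00:0c:29:aa:bb:01 brd ff:ff:ff:ff:ff:ff
"""
# Port group -> Smoothwall colour, as laid out in the post.
COLOUR = {"VM Network": "GREEN", "Outside": "RED"}

def vmx_nics(text):
    """Parse .vmx lines into {mac: port group} for every ethernetN device."""
    dev = {}
    for name, key, val in re.findall(r'^(ethernet\d+)\.(\w+)\s*=\s*"([^"]*)"', text, re.M):
        dev.setdefault(name, {})[key] = val
    return {d["generatedAddress"].lower(): d["networkName"]
            for d in dev.values() if "generatedAddress" in d and "networkName" in d}

def guest_macs(text):
    """Parse 'ip -o link' into {iface: mac}; loopback has no link/ether and is skipped."""
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r'^\d+: (\w+):.*link/ether ([0-9a-f:]{17})', text, re.M | re.I)}

def assign_colours(vmx_text, ip_link_text, colours=COLOUR):
    """Return ({guest iface: colour}, [guest ifaces whose MAC no VMware NIC claims])."""
    by_mac = vmx_nics(vmx_text)
    result, unmatched = {}, []
    for iface, mac in guest_macs(ip_link_text).items():
        group = by_mac.get(mac)
        if group is None:
            unmatched.append(iface)  # a MAC the hypervisor does not own: wrong VM or stale config
        else:
            result[iface] = colours.get(group, "UNKNOWN:" + group)
    return result, unmatched

if __name__ == "__main__":
    for iface, colour in assign_colours(VMX, IP_LINK)[0].items():
        print(iface, "->", colour)
```

With the constructed sample the guest's eth0 turns out to be RED and eth1 GREEN, the opposite of what the device numbering suggests, which is precisely the mix-up the MAC check is there to catch.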