I’ve been running multiple subnets in my lab, and have been dealing with the pain of having to VPN into each separate subnet whenever I need to make a change, test something, or deploy something. It’s been a learning experience: I’ve configured both OpenVPN and ISA Server 2006 VPNs and successfully bounced around the various networks as necessary, but it’s been a real pain to have to VPN into one network, grab files, and then VPN into a different network to test and deploy those files, as an example. So I began a hunt for an open source router that would give me more control than Untangle, which is an excellent open source routing and firewall tool. Simply put, I wanted finer-grained control than Untangle is designed to supply. As an example, I wanted to be able to filter network traffic based on MAC addresses instead of IP addresses.
In my search, I came across Vyatta, which is an open source networking package that likes to compare itself to Cisco in functionality and control. I decided to check out their site and found that they offer a free ‘Community Edition’. I looked at the features of the community edition, then checked the VMware Appliances site and found that Vyatta has a pre-built VMware appliance. NICE! I filled out a short registration form, downloaded the appliance and all the documentation, which is thick to say the least, and fired up the appliance in VMware Workstation.
After a little ado, reading some of the documentation, and watching some of the Vyatta videos, I began to experiment with Vyatta in workstation, doing an initial configuration which involved setting IP addresses on the NICs (3 come connected to the appliance), enabling SSH management for the router, and enabling https (the gui) management interface. Vyatta can be managed through a CLI similar to most managed switches, but also has a web management interface. I personally feel like the command line gives more control, but maybe that’s just a perception and comfort thing more than anything else.
After reviewing the documentation and experimenting with the software in VMware Workstation, I decided to convert the virtual machine (VM) into ESX Server. I noticed immediately that it appeared to have lost all of the settings that I configured while the system was running in Workstation. After a little digging, I discovered that during the import from Workstation to ESX, all the NICs had been changed from the Vyatta appliance’s perspective.
TIP: eth0 – eth2 had been replaced with eth3 – eth5. If you run into any trouble after migrating a configured Vyatta VM from Workstation into ESX, be aware that the way the import runs, the NICs will be replaced and you’ll end up having to reconfigure them. This is another reason why, in my opinion, doing things in the console is better: I kept track of all the commands that I had run and didn’t have to go bouncing through a GUI trying to figure out what I might have been forgetting. 😉
I was immediately able to browse from subnet to subnet, after figuring out which NIC was which and belonged on which vSwitch, of course. By default the interface firewalls (each NIC has a separate firewall for inbound, outbound, and local traffic) are set to ‘allow all’ traffic, which was great since it allowed me to confirm that everything was configured and working properly before undertaking the effort to start locking down the system. Be sure to keep this in mind if you’re going to be using Vyatta as a public-facing router. Your system will be wide open until you configure it, so it’s best to configure the system offline, and then put it into production after you’ve completed the setup.
So far the router has worked perfectly. It’s been a full week now of heavy testing, and I’ve not been able to ‘glitch’ it. ;) If you’re looking for an open source router that has VERY fine-grained control and state-of-the-art features, you MUST check out Vyatta. Start with the best, then check out the rest, if you have time. As I mentioned, the documentation is thick, but that’s to be expected for the level of control you get. If you’re looking for something that is highly functional and feature-rich, but do not want to get into the weeds of managing a router / switch that requires technical knowledge of networking, a product like Untangle and its beautiful GUI may be more to your liking. Untangle also has a virtual appliance.
Vyatta can run on off-brand hardware (see their site for details), run in a VM, and also boot from a ‘LiveCD’. The LiveCD option allows you to boot the router without ever installing it to a hard drive; keep in mind, however, that your configuration will exist in memory only and you will have to reconfigure if you reboot or have a power outage.
Commands for Initial Configuration:
Read the effin’ docs! OK, you’re here and still reading, and this IS ‘Read the Effin Blog’, so the quick and dirty on the initial configuration commands is:
>configure (enters configuration mode)
>set interfaces ethernet eth3 address [ip address]/[prefix length] (e.g. 192.168.1.0/24)
>set service ssh (enables the SSH service)
>set service https (enables the web GUI)
>show (displays configuration changes)
>commit (commits configuration changes)
>exit (exits configuration mode)
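The interface renumbering from the TIP above bites hardest when you try to replay your saved initial-configuration commands on the imported VM: every line still says eth0 – eth2 while the appliance now has eth3 – eth5. The following POSIX sh helper is an added example (not from the post or from Vyatta) that shifts the interface names in a saved command list by a chosen offset and lists the names the rewritten commands refer to, so you can compare them against what the appliance reports before committing; the saved commands and addresses are constructed placeholders, not the author’s lab addressing.

```shell
# Added example, not from the post: rewrite a saved list of Vyatta "set"
# commands so eth0-eth2 become eth3-eth5, the renumbering the post reports
# after importing a configured Workstation VM into ESX. Assumes the commands
# were saved one per line and that nothing else on a line looks like ethN.

# Constructed sample: the post's initial-configuration commands with
# placeholder addresses (not the author's real lab addressing).
SAVED_COMMANDS='set interfaces ethernet eth0 address 192.168.1.1/24
set interfaces ethernet eth1 address 192.168.2.1/24
set interfaces ethernet eth2 address 192.168.3.1/24
set service ssh
set service https'

# Read commands on stdin, shift every ethN name by $1, write to stdout.
# Indices are processed from highest to lowest so a name that has already
# been shifted is never shifted a second time (this matters for offsets
# smaller than the spread of the indices, e.g. offset 1: eth0 -> eth1).
remap_eth() {
    offset="$1"
    text=$(cat)
    i=9
    while [ "$i" -ge 0 ]; do
        j=$((i + offset))
        # Two portable patterns: ethN followed by a space, or ethN at end of line,
        # so eth1 never matches inside eth10.
        text=$(printf '%s\n' "$text" | sed -e "s/eth$i /eth$j /g" -e "s/eth$i\$/eth$j/")
        i=$((i - 1))
    done
    printf '%s\n' "$text"
}

# Print the distinct interface names the commands on stdin refer to, space
# separated, for comparison with the interfaces the imported appliance shows.
referenced_eth() {
    tr ' ' '\n' | grep '^eth[0-9][0-9]*$' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: the Workstation -> ESX case from the post (offset 3).
printf '%s\n' "$SAVED_COMMANDS" | remap_eth 3
printf '%s\n' "$SAVED_COMMANDS" | remap_eth 3 | referenced_eth
```

Paste the rewritten lines into configuration mode, then `show` and `commit` as in the list above; if `referenced_eth` prints a name the appliance does not have, fix the offset before committing.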
The default username and password for the appliance are both: vyatta. You can change your password using the standard Linux command ‘passwd’. Another thing to remember is that although it appears that you’re in a Linux environment, you are not. ifconfig and a few other Linux commands that I tried do not work.
Instead of running:
>ifconfig
try the command:
>show interfaces system enabled
It’s a great product and definitely worth a look. I’ll likely end up doing another post to discuss configuring the firewall, which is an effort in and of itself, but fun nonetheless. 😉