Vyatta Community Edition, Open Source Router

I’ve been running multiple subnets in my lab and dealing with the pain of having to VPN into each separate subnet whenever I need to make a change, test something, or deploy something.  It’s been a learning experience: I’ve configured both OpenVPN and ISA Server 2006 VPNs and successfully bounced around the various networks as necessary, but it’s a real pain to have to VPN into one network, grab files, and then VPN into a different network to test and deploy those files, as an example.  So I began a hunt for an open source router that would give me more control than Untangle, which is an excellent open source routing and firewall tool.  Simply put, I wanted finer-grained control than Untangle is designed to supply.  As an example, I wanted to be able to filter network traffic based on MAC addresses instead of IP addresses.

In my search, I came across Vyatta, which is an open source networking package that likes to compare itself to Cisco in functionality and control.  I decided to check out their site and found that they offer a free ‘Community Edition’.  I looked at the features of the community edition, then checked the VMware Appliances site and found that Vyatta has a pre-built VMware appliance.  NICE!  I filled out a short registration form, downloaded the appliance and all the documentation, which is thick to say the least, and fired up the appliance in VMware Workstation.


After a little ado, reading some of the documentation, and watching some of the Vyatta videos, I began to experiment with Vyatta in Workstation, doing an initial configuration which involved setting IP addresses on the NICs (the appliance comes with three attached), enabling SSH management for the router, and enabling the HTTPS (web GUI) management interface.  Vyatta can be managed through a CLI similar to most managed switches, but it also has a web management interface.  I personally feel like the command line gives more control, but maybe that’s just a perception and comfort thing more than anything else.

After reviewing the documentation and experimenting with the software in VMware Workstation, I decided to move the virtual machine (VM) to ESX Server.  I noticed immediately that it appeared to have lost all of the settings that I had configured while the system was running in Workstation.  After a little digging, I discovered that during the import from Workstation to ESX, all the NICs had been changed from the Vyatta appliance’s perspective.

TIP: eth0–eth2 had been replaced with eth3–eth5.  If you run into any trouble after migrating a configured Vyatta VM from Workstation into ESX, keep in mind that the way the import runs, the NICs get replaced and you’ll end up having to reconfigure them.  Another reason why doing things in the console is better, in my opinion: I kept track of all the commands that I had run and didn’t have to go bouncing through a GUI trying to figure out what I might have forgotten. 😉

I was immediately able to browse from subnet to subnet, after figuring out which NIC was which and which vSwitch each belonged on, of course.  By default the interface firewalls (each NIC has a separate firewall for inbound, outbound, and local traffic) are set to allow all traffic, which was great since it let me confirm that everything was configured and working properly before undertaking the effort of locking down the system.  Be sure to keep this in mind if you’re going to be using Vyatta as a public-facing router: your system will be wide open until you configure the firewall, so it’s best to configure the system offline and put it into production only after you’ve completed the setup.
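As an added example (not from the original post), here is a small check for the two pitfalls above: after a migration renames the NICs, or before a router goes public, it parses a saved Vyatta configuration and reports every Ethernet interface that still has no firewall bound for in, out, or local. The nested-brace layout is assumed to match what Vyatta’s `show` output and config.boot use, and the sample configuration is constructed for the demonstration.

```python
# Constructed sample in the nested-brace layout that Vyatta's `show` output
# and config.boot use (assumed format). eth3 has no firewall bound at all,
# i.e. the default allow-all state; eth4 is only missing the "out" binding.
SAMPLE_CONFIG = """
interfaces {
    ethernet eth3 {
        address 192.168.1.1/24
    }
    ethernet eth4 {
        address 10.0.0.1/24
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
}
"""

def parse_config(text):
    """Parse the brace layout into nested dicts; leaf lines become key -> value."""
    root, stack = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        node = stack[-1] if stack else root
        if line.endswith("{"):            # open a nested block
            child = {}
            node[line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":                 # close the current block
            stack.pop()
        else:                             # leaf: "key value" or bare "key"
            key, _, value = line.partition(" ")
            node[key] = value.strip('"')
    return root

def unprotected_interfaces(text):
    """Map each ethernet interface to the firewall directions (in/out/local) it lacks."""
    report = {}
    for name, body in parse_config(text).get("interfaces", {}).items():
        if not name.startswith("ethernet "):
            continue
        fw = body.get("firewall", {})
        missing = [d for d in ("in", "out", "local") if "name" not in fw.get(d, {})]
        if missing:
            report[name.split()[1]] = missing
    return report
```

Run it against the output of `show` (or a saved config.boot) and every interface it lists is still passing all traffic in the listed directions.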


So far the router has worked perfectly.  It’s been a full week now of heavy testing, and I’ve not been able to ‘glitch’ it. ;)  If you’re looking for an open source router that has VERY fine-grained control and state-of-the-art features, you MUST check out Vyatta.  Start with the best, then check out the rest, if you have time.  As I mentioned, the documentation is thick, but that’s to be expected for the level of control you get.  If you’re looking for something that is highly functional and feature-rich, but don’t want to get into the weeds of managing a router / switch that requires technical knowledge of networking, a product like Untangle and its beautiful GUI may be more to your liking.  Untangle also has a virtual appliance.

Quick Info:

Vyatta can run on off-brand hardware (see their site for details), run in a VM, and also boot from a ‘LiveCD’.  The LiveCD option allows you to boot the router without ever installing it to a hard drive, but keep in mind that your configuration will exist in memory only, and you will have to reconfigure after a reboot or a power outage.

Commands for Initial Configuration:

Read the effin’ docs!  Ok, you’re here and still reading, and this IS ‘Read the Effin Blog’, so the quick and dirty on the initial configuration commands is:

>configure (enters configuration mode)
>set interfaces ethernet eth3 address [host ip address]/[prefix length] (e.g. 192.168.1.1/24)
>set service ssh (enables the SSH service)
>set service https (enables the web GUI)
>show (displays configuration changes)
>commit (commits configuration changes)
>exit (exits configuration mode)

The default username and password for the appliance are both: vyatta.  You can change your password using the standard Linux command ‘passwd’.  Another thing to remember is that though it appears that you’re in a Linux environment, you are not.  ifconfig and a few other Linux commands that I tried do not work.

Instead of running:

>ifconfig

try the command:

>show interfaces system enabled

It’s a great product and definitely worth a look.  I’ll likely end up doing another post to discuss configuring the firewall, which is an effort in and of itself, but fun nonetheless. 😉

Happy Networking!


5 thoughts on “Vyatta Community Edition, Open Source Router”

  1. Great post. I really appreciate the initial config commands and the note about ifconfig. It does appear to use a Linux kernel, but I am not sure what distro it is based off of. Any ideas?
    I know it is not Red Hat based.
    Regards,
    Pippin

  2. @Pippin, thanks for the feedback! 🙂 I hope you checked out the other post on configuring the firewall: http://d3planet.com/rtfb/2009/11/02/vyatta-firewall-basics-and-configuration/.

    After playing with it, it may have a Linux kernel at the base, but the commands seem to be completely different. Kinda fun to learn how to communicate with something in a new language though. 😉 If it is based off of a regular distro, I have no idea which it is.

    If you do anything really cool with it, let me know.

  3. Hello, nice write up.

    I have a question and wondered if you may be able to help.

    Currently I am just learning Vyatta.

    I have a number of external IP addresses from my ISP. I am basically trying to get Vyatta to allow me to assign the external IP addresses to the actual servers in the LAN and just use a firewall rule set to control access, i.e. not use any NAT or internal IP addresses.

    What I have tried, and which did not work, was: assign the external subnet to the WAN interface eth0, then create a static interface route and point the subnet to eth1 where my servers would be located and configured with the external IP addresses, but this does not work.

    I think I am missing something here, not sure.

    Cheers for your time

    Richard

  4. @Richard: I’m not sure if you can do what you’re trying to do with Vyatta. The only way I can think of you assigning your public IPs to the servers is by putting them at the same level of Vyatta (eth0), basically sitting on the Internet with nothing in between that requires an IP address. Unless your ISP gives you control of a complete subnet or is willing to add your router into their routing table, I don’t see how to make it work in that configuration.

    Why do you want to assign the public IPs on each server and not use NAT? Is this for Microsoft Direct Access or something?

    Can your ISP add your router to their routing table?

    Also, in theory, if your ISP gave you control of a complete subnet, then your router could control all routes for that subnet, sending traffic to and fro; but with just a block of addresses you would need a public routing entry so that Internet servers know to go through Vyatta to get to your servers.

    I don’t know for sure but a managed switch may help you as well. A switch instead of a router could allow you to monitor traffic and firewall the network the switch sits on, so an uplink port would go to the Internet while other ports would plug into your servers.

    Hope this helps. Let me know if I can clarify anything or if something I wrote didn’t make sense.

    Good luck.
