The Advisers Group

This is a quick guide setup guide for the Vyatta open source router. This article assumes that you have already installed Vyatta either on physical hardware or in a virtual machine. For more information on creating a private network in ESXi Server see this article.

Vyatta can be downloaded from http://www.vyatta.com

Once Vyatta is installed you need to login to the Vyatta console and enter configuration mode, this is done by typing “configure” in the console.

#configure

 Next use the show interfaces command to see the network configuration of your Vyatta router.

By using the MAC address of your network card you should be able to match your network card to the correct Vyatta ethernet interface.

You must set the IP address range for the Private Network in Vyatta. Because my private network is on eth0 I will use the following command to give it a static IP address.

#set interfaces ethernet eth0 address 192.168.1.1/24

Then commit the IP address by using the commit command

#commit

If you have a PC with a statically assigned IP address on the private network, you can test if the IP address took by pinging the IP address of your router inside of a virtual machine on the private network, if not, just continue.

Give the router a hostname and domain name by entering the following commands

#set system host-name <your-router-name>
#set system domain-name <your.domain.name>

 Set up the Timzone by typing

#set system time-zone <your-time-zone>

Hit the tab key for timezone options.

#commit

Now we setup external interface to gets its address from a DHCP server. Please note, if you need PPPOE for your internet provider you will need to take other steps. My internet provider uses DHCP so I don't have the ability to test any other configuration

#set interfaces ethernet eth1 address dhcp

Now that the hostname, domain name, and IP information is set, its time to configure the private network to have a DHCP server.
The process below enables the DHCP server for the 192.168.1.0/24 network. It will distribute IP addresses at 50 and stop at 100. I also setup the outside DNS server and the default router for the DHCP server to give to clients.

This command names the network PRIVATE and sets the DHCP address range to start at 192.168.1.50

#set service dhcp-server shared-network-name PRIVATE subnet 192.168.1.0/24 start 192.168.1.50

Now we tell the DHCP server to stop handing out addresses at 100

#set service dhcp-server shared-network-name Home subnet 192.168.10.0/24 start 192.168.1.50 stop 192.168.1.100

Now setup the DNS and Default gateway. I use OpenDNS for my all of my DNS needs, it's free and allows for content filtering.

#set service dhcp-server shared-network-name PRIVATE subnet 192.168.1.0/24 dns-server 208.67.222.222
#set service dhcp-server shared-network-name PRIVATE subnet 192.168.1.0/24 dns-server 208.67.222.222
#set service dhcp-server shared-network-name PRIVATE subnet 192.168.1.0/24 default-router 192.168.1.1

The last step to setup connectivity for the private network is to setup NAT. NAT will allow you to connect to the internet from any device on the private network.

#Set service nat rule 10 type masquerade
#Set service nat rule 10 source address 192.168.1.0/24
#Set service nat rule 10 outbound-interface eth1
#commit
#save
#exit

Once you have added NAT, check to see if your private network PC can access the internet. At this point, there should be full access from the private network to anywhere on your network.

I needed a solution to create a private network for virtual machines in my ESXi server allowing only limited access to my home office network. I tried using m0n0wall and pfSense routers and although they are great gateways, they did not have the capability that I was looking for. Vyatta is an open source router that did exactly what I needed.

If you have never worked with a router before it can be a bit challenging to figure out. Fortunately, Vyatta does a good job documenting example configurations and there are plenty of other resources that can be Goggled. The main issue that I had is that many of the sites I found with examples had incorrect documentation and command syntax issues. Make sure you consult the Vyatta documentation for the version of Vyatta that you download and I suggest you write the steps down as you go. In my case, I also took snapshots as I made configuration changes. Creating the snapshots allowed me to quickly undo the mistakes I made while initially configuring the system.

The first step is to download Vyatta from http://www.vyatta.com

Once you have it downloaded and extracted to your hard drive, you will need to use VMware Converter to convert to ESXi. When using VMware Converter, make sure to select the appropriate number of network interfaces and map them appropriately. In the example in the write-up, I’m using two network interfaces: one for the private network and one for my VM Network.

Once the virtual machine is converted to your ESXi server, start the virtual machine and login to the Vyatta Console using the Virtual Infrastructure Client.

The default username and password is “vyatta”.

Once you are logged into the Vyatta console you need to enter configuration mode, this is done by typing “configure” in the console.

#configure

Next use the show interfaces command to see the network configuration of your Vyatta router.

You will see that eth0 in Vyatta should map to Network Adapter 1 and eth1 maps to Network Adapter 2 in ESXi.

Now it’s time to set the IP address for the Private Network in Vyatta. Because my private network is on eth0 I will use the following command to give it a static IP address.

#set interfaces ethernet eth0 address 192.168.10.1/24

Then commit the IP address by using the commit command

#commit

If you have a PC with a statically assigned IP address on the private network, you can test if the IP address took by pinging the IP address of your router inside of a virtual machine on the private network, if not, just continue.

Configure the hostname and domain name of the Vyatta router by using the following commands

#set system host-name <your-router-name>
#set system domain-name <your.domain.name>

Set up the Timzone by typing

#set system time-zone <your-time-zone>

Hit the tab key for timezone options.

#commit

Now we setup our VM Network card to gets its address from a DHCP server on the VM Network.

#set interfaces ethernet eth1 address dhcp

Now that the hostname, domain name, and IP information is set, its time to configure the private network to have a DHCP server.
The process below enables the DHCP server for the 192.168.10.0/24 network. It will distribute IP addresses at 50 and stops at 100. I also setup the outside DNS server and the default router for the DHCP server to give to clients.

This command names the network PRIVATE and sets the DHCP address range to start at 192.168.10.50

#set service dhcp-server shared-network-name PRIVATE subnet 192.168.10.0/24 start 192.168.10.50

Now we tell the DHCP server to stop handing out addresses at 100

#set service dhcp-server shared-network-name VTL subnet 192.168.10.0/24 start 192.168.10.50 stop 192.168.10.100

Now setup the DNS and Default gateway

#set service dhcp-server shared-network-name VLT subnet 192.168.10.0/24 dns-server <enter DNS Server here>

#set service dhcp-server shared-network-name VLT subnet 192.168.10.0/24 default-router 192.168.10.1

The last step to setup connectivity for the private network is to setup NAT. NAT will allow us to use the external IP address for all of the requests from the Private Network.

#Set service nat rule 10 type masquerade
#Set service nat rule 10 source address 192.168.1.0/24
#Set service nat rule 10 outbound-interface eth1
#commit

Once you have added NAT, check to see if your private network PC can access the internet. At this point, there should be full access from the private network to anywhere on your network. Once connectivity is verified, it will be time to set the firewall rules. If you can’t connect from your Private Network to the VM Network then you need to see if you did anything incorrectly.

Once connectivity is verified it’s time to create the firewall rules to give access only to the machines on the VM Network that you want. In my case, I want my private network to have access to DNS, a www server, and a file server. When creating firewall rules, I leave plenty of digits between rules. That way I can add rules in between if necessary. The rule name used below is PVToutFilter you can use any rule name that you would like. I use PVToutFilter for private out filter. That way I know why I created the rule.

Start by adding firewall rules to get to a DNS server (do this twice incrementing the rule number by 1 if you add a second DNS server)

#set firewall name PVToutFilter rule 10 action accept
#set firewall name PVToutFilter rule 10 source address 192.168.10.0/24
#set firewall name PVToutFilter rule 10 destination address <enter DNS IP here>
#set interfaces ethernet eth1 firewall out name PVToutFilter

Create the firewall rules to get to www server

#set firewall name PVToutFilter rule 15 action accept
#set firewall name PVToutFilter rule 15 source address 192.168.10.0/24
#set firewall name PVToutFilter rule 15 destination address <enter www server IP here>
#set interfaces ethernet eth1 firewall out name PVToutFilter

Create the firewall rules to get to file share

#set firewall name PVToutFilter rule 20 action accept
#set firewall name PVToutFilter rule 20 source address 192.168.1.0/24
#set firewall name PVToutFilter rule 20 destination address <enter share IP here>
#set interfaces ethernet eth1 firewall out name PVToutFilter

Now its time to set firewall rules to block other traffic to the VM Network

#set firewall name PVToutFilter rule 50 action drop
#set firewall name PVToutFilter rule 50 source address 192.168.1.0/24
#set firewall name PVToutFilter rule 50 destination address <enter net and mask here. example 192.168.5.0/24>
#set interfaces ethernet eth1 firewall out name PVToutFilter
#commit

Once the configuration is set you can exit configuration mode

#exit

Congratulations, you have just secured your Private Network from your VM Network. If you want to allow internet access from your Private Network, all you need to do is have a proxy server on the VM Network and create a Firewall rule for the Private Network to have access to the proxy IP address.