Thursday, 13 February 2014

Configure Vyatta Router with NAT

Network Address Translation (NAT) is an Internet standard that lets a LAN use one set of IP addresses for internal traffic and a second set of addresses for external traffic. The NAT device sits where the LAN meets the Internet and is responsible for making all the necessary IP address translations. There are basically two types of NAT: dynamic and static.

**NAT can protect the network by hiding internal IP addresses.

You can configure Vyatta with different types of NAT depending on your network's needs.

  • Source NAT (One-to-One) : forward packets from one inside address to one outside address
  • Source NAT (Many-to-One) : forward packets from many inside addresses to one outside address
  • Source NAT (Many-to-Many) : forward packets from many inside addresses to many outside addresses
  • Source NAT (One-to-Many) : forward packets from one inside address to many outside addresses
  • Destination NAT (One-to-One) : forward packets from one outside address to one inside address (this type of NAT is important if you want the source to receive the "reply packet")
  • Destination NAT (One-to-Many) : forward packets from one outside address to many inside addresses

1) Configuring NAT one-to-one.

Configurations

configure
set service nat rule 1 type source
set service nat rule 1 source address 192.168.0.2/32
set service nat rule 1 outbound-interface eth0
set service nat rule 1 outside-address address 141.45.85.10
commit
save

**For a one-to-one rule the source address must be a single host (a /32 prefix, or the bare address). Written as 192.168.0.2/24 the rule would match the whole 192.168.0.0/24 subnet and behave as many-to-one.

**If you want to check the NAT rules use the command :

show service nat rule 1


2) Configuring NAT many-to-one.

Configurations

configure
set service nat rule 1 type source
set service nat rule 1 source address 192.168.0.0/24
set service nat rule 1 outbound-interface eth0
set service nat rule 1 outside-address address 141.45.85.10
commit
save

**If you want to check the NAT rules use the command :

show service nat rule 1


3) Configuring NAT many-to-many.

Configurations

configure
set service nat rule 1 type source
set service nat rule 1 source address 192.168.0.0/24
set service nat rule 1 outbound-interface eth0
set service nat rule 1 outside-address address 141.45.85.10-141.45.85.20
commit
save

**The address range is written without spaces around the hyphen; the CLI splits the command on whitespace, so "141.45.85.10 - 141.45.85.20" is rejected.

**If you want to check the NAT rules use the command :

show service nat rule 1

4) Configuring NAT one-to-many.

Configurations

configure
set service nat rule 1 type source
set service nat rule 1 source address 192.168.0.2/32
set service nat rule 1 outbound-interface eth0
set service nat rule 1 outside-address address 141.45.85.10-141.45.85.20
commit
save

**As with one-to-one, the single inside host needs a /32 prefix, and the outside range is written without spaces around the hyphen.

**If you want to check the NAT rules use the command :

show service nat rule 1


5) Configuring destination NAT one-to-one.

Configurations

configure
set service nat rule 1 type destination
set service nat rule 1 inbound-interface eth0
set service nat rule 1 destination address 141.45.85.10
set service nat rule 1 protocols tcp
set service nat rule 1 destination port http
set service nat rule 1 inside-address 192.168.0.2
commit
save

**If you want to check the NAT rules use the command :

show service nat rule 1



6) Configuring destination NAT one-to-one.

Configurations

configure
set service nat rule 1 type destination
set service nat rule 1 inbound-interface eth0
set service nat rule 1 destination address 141.45.85.10
set service nat rule 1 protocols tcp
set service nat rule 1 destination port http
set service nat rule 1 inside-address 192.168.0.2
commit
save

**If you want to check the NAT rules use the command :

show service nat rule 1
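The six NAT variants above differ only in how many addresses the inside and outside specifications cover, which is also where mistakes hide: a "one-to-one" rule whose source address carries a /24 prefix silently matches the whole subnet. The following script is an added example, not code from the post or from Vyatta; it parses "set service nat rule ..." lines of the form shown above (the rule numbers and sample lines are constructed for the example), reports which variant each rule really implements, and flags address specifications with host bits set.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input (my own rule numbers, modelled on the post's syntax):
# rule 1 is a "one-to-one" rule as often typed with a /24, rule 2 the /32 form.
SAMPLE_RULES = """
set service nat rule 1 type source
set service nat rule 1 source address 192.168.0.2/24
set service nat rule 1 outbound-interface eth0
set service nat rule 1 outside-address address 141.45.85.10
set service nat rule 2 type source
set service nat rule 2 source address 192.168.0.2/32
set service nat rule 2 outbound-interface eth0
set service nat rule 2 outside-address address 141.45.85.10
set service nat rule 3 type source
set service nat rule 3 source address 192.168.0.0/24
set service nat rule 3 outbound-interface eth0
set service nat rule 3 outside-address address 141.45.85.10-141.45.85.20
set service nat rule 4 type destination
set service nat rule 4 inbound-interface eth0
set service nat rule 4 destination address 141.45.85.10
set service nat rule 4 protocols tcp
set service nat rule 4 destination port http
set service nat rule 4 inside-address 192.168.0.2
"""

RULE_RE = re.compile(r"^set service nat rule (\d+) (.+)$")


def parse_rules(text):
    """Group 'set service nat rule N <key words> <value>' lines into one dict per rule.

    The last token of a line is the value; the words before it form the key
    (for example "outside-address address")."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, tokens = int(m.group(1)), m.group(2).split()
        rules[num][" ".join(tokens[:-1])] = tokens[-1]
    return dict(rules)


def host_count(spec):
    """Number of addresses covered by a bare address, a CIDR prefix or an a-b range."""
    if "-" in spec:
        low, high = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return int(high) - int(low) + 1
    # strict=False: "192.168.0.2/24" is treated as 192.168.0.0/24, which is
    # exactly what the NAT rule matches
    return ipaddress.ip_network(spec, strict=False).num_addresses


def host_bits_set(spec):
    """True when a host address is combined with a prefix covering more than one
    host (the 192.168.0.2/24 mistake); ranges and bare addresses are fine."""
    if "-" in spec:
        return False
    try:
        ipaddress.ip_network(spec, strict=True)
        return False
    except ValueError:
        return True


def classify(rule):
    """Return the NAT variant the rule actually implements, derived from how many
    addresses its inside and outside specifications cover."""
    if rule.get("type") == "destination":
        kind = "destination"
        outside = host_count(rule["destination address"])
        inside = host_count(rule["inside-address"])
    else:
        kind = "source"
        inside = host_count(rule["source address"])
        outside = host_count(rule["outside-address address"])

    def side(n):
        return "one" if n == 1 else "many"

    return "{} {}-to-{}".format(kind, side(inside), side(outside))


def audit(text):
    """Map rule number -> (variant, warning or None) for every rule in the text."""
    report = {}
    for num, rule in sorted(parse_rules(text).items()):
        spec = rule.get("source address") or rule.get("inside-address", "")
        warning = None
        if spec and host_bits_set(spec):
            warning = "{} has host bits set; it matches {} addresses".format(
                spec, host_count(spec))
        report[num] = (classify(rule), warning)
    return report


if __name__ == "__main__":
    for num, (variant, warning) in audit(SAMPLE_RULES).items():
        print("rule {:>2}: {:<24} {}".format(num, variant, warning or ""))
```

Run against the sample, rule 1 is reported as "source many-to-one" with a warning that 192.168.0.2/24 matches 256 addresses, while rule 2 (the /32 form) is the intended "source one-to-one". Paste the output of "show configuration commands" style lines from your own router to check real rules the same way.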

Backup Vyatta Router Configuration's File

It is very important to know how to back up your configuration file, in case of emergency or in case you want to test something against your current configuration. Before you start doing any new configuration on your Vyatta router, keep a backup.

Procedure

1) You need to set up a tftp server on a client in your network. I suggest tftpd32 for Windows users, TftpServer for Mac OS X users and tftpd for Linux users.

  •  tftpd is a server for the Trivial File Transfer Protocol. TFTP is widely used to support remote booting of diskless devices or loading operating systems. Debian or Ubuntu can use HPA's tftp server. To download the hpa tftp server you need one of these commands :
     sudo apt-get install tftpd-hpa
         or, when already running as root,
         apt-get install tftpd-hpa



2) To back up the configuration (192.168.1.2 is the tftp server's IP address) :

   configure
   save tftp://192.168.1.2/R1-config.boot
   exit

**In case you want to open or edit your config.boot file you can use one of the following text editors.

   Windows
   Notepad++
   Notepad

  Linux
  gEdit
  Nano

  Mac OS X
  Brackets
  TextMate 2
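A backup is most useful when you can tell what changed between two copies of config.boot. The file is a nested brace tree, which plain diff tools handle poorly once a block moves or is re-indented. The script below is an added example, not code from the post or from Vyatta: it flattens a config.boot into one "set ..." command per leaf (the same path style the CLI uses) so two backups can be compared as sets of commands. The sample configuration embedded in it is constructed for the example.

```python
# Constructed sample in the nested-brace layout of a Vyatta config.boot.
# Addresses and interface names are illustrative, not from a real router.
SAMPLE_BOOT = """\
interfaces {
    ethernet eth0 {
        address dhcp
        description Outside
    }
    ethernet eth1 {
        address 192.168.1.1/24
    }
}
service {
    dhcp-relay {
        interface eth1
        interface eth2
        server 192.168.1.2
    }
    ssh {
        port 2222
    }
}
/* trailer comment of the kind found at the end of a config.boot (constructed) */
"""


def boot_to_set(text):
    """Flatten a config.boot brace tree into 'set <path> <leaf>' command lines.

    Every line ending in '{' opens a node and is pushed onto the current path;
    a lone '}' pops it; any other non-empty line is a leaf and becomes one
    command. Multi-valued leaves (two 'interface' lines) yield two commands,
    which is how the CLI represents them as well."""
    commands, path = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue  # blank line or a /* ... */ comment line
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        else:
            commands.append("set " + " ".join(path + [line]))
    if path:
        raise ValueError("unbalanced braces: still inside " + " ".join(path))
    return commands


def diff_configs(old_text, new_text):
    """Return (removed, added): commands only in the old backup and only in the new one."""
    old_cmds, new_cmds = set(boot_to_set(old_text)), set(boot_to_set(new_text))
    return sorted(old_cmds - new_cmds), sorted(new_cmds - old_cmds)


if __name__ == "__main__":
    # Compare the sample against a copy where the SSH port was changed back to 22
    changed = SAMPLE_BOOT.replace("port 2222", "port 22")
    removed, added = diff_configs(SAMPLE_BOOT, changed)
    for cmd in removed:
        print("- " + cmd)
    for cmd in added:
        print("+ " + cmd)
```

Point diff_configs at the two R1-config.boot files saved before and after a change and it prints only the commands that differ, which is a quick way to confirm that a change did what you intended (and nothing else) before you rely on the new backup.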



Network with Vyatta router and DHCP server.

As you can see from the diagram, the Vyatta router has 3 Ethernet ports: 1 external, which provides the network with Internet access, and 2 internal for the clients. On the network 192.168.1.0/24 there is a DHCP server which is going to provide IP addresses to the network 192.168.2.0/24. If you want to use less equipment you can use the Vyatta router itself as the DHCP server.

**Servers always use STATIC IP addresses, for several reasons:
  1. The server is easy to identify.
  2. You can reach the server at any time using the same IP address.
  3. You can apply firewall rules that refer to your server's IP address.
  4. You don't want your servers to change IP address all the time, because many configurations would have to change along with it.



External
1) eth0 : (DHCP's IP Address)

Internal
2) eth1 : IP address : 192.168.1.1/24
3) eth2 : IP address : 192.168.2.1/24

Configuring Vyatta

1) Now I will configure both the external and the internal ports: the external port will get its IP address from the DHCP server (the ISP modem), and the internal networks will be configured with the addresses 192.168.1.1/24 and 192.168.2.1/24 (these addresses are the default gateways). I am also going to allow the DHCP requests/responses between the clients and the server to pass through the Vyatta router, so the clients can get their IP addresses.

configure
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Outside
set nat source rule 10 outbound-interface eth0
set nat source rule 10 translation address masquerade
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 description Servers
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 description Clients
set service dhcp-relay server 192.168.1.2
set service dhcp-relay interface eth1
set service dhcp-relay interface eth2
commit
save
exit

**The description lines are optional. The masquerade rule translates the internal addresses to whatever address eth0 received from DHCP, so the clients can reach the Internet. This post uses the newer "set nat source" command syntax; on older Vyatta releases the same rules live under "set service nat", as in the NAT post above.

2) Now I will check that the Ethernet ports and the relay are configured correctly.

show interfaces
show configuration all


**In case you want to execute the operational mode show command(s) inside configuration mode, just add run in front of it.

run show interfaces

3) Assign the appropriate ranges of IP addresses on the DHCP server and check that your clients are getting IP addresses automatically. Check that the clients can ping each other and get access to the Internet.

4) If you want to configure or check your Vyatta router remotely you can enable SSH access.

Before you allow SSH access, you have to enable the SSH service on the router. It is also recommended to change SSH's default port from 22 to 2222 for security reasons.

set service ssh
set service ssh port 2222
commit
save 
show service ssh

5) To get access to the Vyatta router through SSH, use your root credentials.

Wednesday, 12 February 2014

Configure Vyatta Router With SSH/DHCP client



As you can see from the diagram, the Vyatta router has 3 Ethernet ports: 1 external, which provides the network with Internet access, and 2 internal for the clients.

External
1) eth0 : (DHCP's IP Address)

Internal
2) eth1 : IP address : 192.168.1.1/24
3) eth2 : IP address : 192.168.2.1/24

Configuring Vyatta

1) Now I will configure both the external and the internal ports: the external port will get its IP address from the DHCP server, and the internal networks will be configured with the addresses 192.168.1.1/24 and 192.168.2.1/24 (these addresses are the default gateways).

configure
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Outside
set nat source rule 10 outbound-interface eth0
set nat source rule 10 translation address masquerade
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth2 address 192.168.2.1/24
commit
save
exit

**The description line is optional. The masquerade rule translates the internal addresses to the address eth0 received from DHCP, so both internal networks can reach the Internet.

2) Now I will check that the Ethernet ports are configured correctly.

show interfaces

**In case you want to execute the operational mode show command(s) inside configuration mode, just add run in front of it.

run show interfaces

3) Assign the appropriate IP addresses on each client and check that both networks can ping each other and get access to the Internet.

4) If you want to configure or check your Vyatta router remotely you can enable SSH access.

Before you allow SSH access, you have to enable the SSH service on the router. It is also recommended to change SSH's default port from 22 to 2222 for security reasons.

set service ssh
set service ssh port 2222
commit
save 
show service ssh

5) To get access to the Vyatta router through SSH, use your root credentials.

Installing Vyatta

To run from hard disk, you must install to the hard disk from a LiveCD. The software image on the LiveCD includes an installation script for installing the Vyatta system software onto the persistent device.

You can download the Vyatta LiveCD from here : http://www.vyatta.org/downloads

1) To install the operating system and the Vyatta system software, you need a minimum of 450 MB of free space on your hard drive for a root partition.

2) After the startup messages complete, the login prompt appears:

vyatta login:

3) Log in to the system as root with the password : vyatta


4) At the system command prompt, enter the following to start the installation of the Vyatta router:

install-system

5) The installer launches.

6) After completing the previous steps of the installation you are ready to start configuring Vyatta.

Notes

  1. You have to assign the appropriate Ethernet ports that you want to use on your router before you start installing Vyatta.
  2. Make backups of Vyatta's configuration files.
  3. When you are running Vyatta in a virtual machine you can't transfer the image to a different computer. Vyatta is sensitive to the MAC addresses of the default Ethernet ports, and when you copy or transfer the image the configuration and the default ports are going to change.