[Vyatta-users] Network connections slow...was: Restricting access to default route
Hi,

Okay, maybe I should tell the reason I would like to get that default route (with those restrictions) in our Vyatta router. :)

As it says in the footer of my e-mail, we just moved to a new office. In the old situation we had the following:

Switch for the 192.168.1.0/24 network connected to the firewall (192.168.1.2 is the interface on the firewall)
Switches for the 192.168.10.0/24 network (internal network)

Servers that need a connection to the internet (i.e. mail servers, http proxy etc.) have an extra network card connected to the 192.168.1.0/24 switch. Servers that don't need a connection to the internet and all client PCs on the network are connected to the 192.168.10.0/24 switch.

Now that we are in the new office I used a Soekris machine with 3 network interfaces:

eth0 => 192.168.1.1 for the 192.168.1.0/24 network
eth1 => 192.168.10.1 for the 192.168.10.0/24 network
eth2 => 192.168.254.2 for the 192.168.254.0/24 network

The switches are still there for the 192.168.1.0/24 network, so the servers that need a direct internet connection are on that switch.

Some connections in our network are very slow at the moment and the only new factor is the Vyatta router. An ssh session to a server takes a long time; when I put in a default route that sets the next hop to the firewall interface 192.168.1.2, then everything is fast again, even the Windows servers seem to respond quicker. Take the default route out and everything slows down again. Even starting a VMware console on my PC is quicker with that default. Without that route, starting the VMware console manager takes ages to even start up, let alone starting a virtual machine on my PC.

Problem with that default route is that any PC on the 192.168.10.0/24 network can get to the firewall and that is not something we like. Hence the idea to put restrictions on which machines can use that default route.
Maybe someone has been in this situation before and could point me to a thread about this subject so I can study it more.

Thnx in advance.

SeeYa,
Michel

We moved to a new office. Our visiting address changed from Jacques Veltmanstraat 463 to SURINAMEPLEIN 122, 1058 GV Amsterdam, the Netherlands. All our other contact details such as phone and fax numbers and mail address will remain the same.

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
Re: [Vyatta-users] Restricting access to default route
Hi Robert,

Thnx for the answers.

On Sat, 2008-02-02 at 18:01 -0800, Robert Bays wrote:
> No. Policy routing is not included in the CLI right now. You must use
> the ip command in the linux shell.

Okay, so what's in the docs is not usable yet?

> You will have to break that range into smaller ranges for your ip rule
> statements. For example, the first range of 10.10 to 10.50 would be
> something like this...
>
> ip rule add from 192.168.10.10/31 tab 1
> ip rule add from 192.168.10.12/30 tab 1
> ip rule add from 192.168.10.16/28 tab 1
> ip rule add from 192.168.10.32/28 tab 1
> ip rule add from 192.168.10.48/31 tab 1
> ip rule add from 192.168.10.50/32 tab 1

Okay, I'll give that a try.

> Cheers,
> Robert.

SeeYa,
Michel
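The range-to-prefix split Robert shows, generalised to any inclusive range plus single hosts, as an added example that is not code from the thread or from Vyatta: it uses Python's ipaddress module to emit the `ip route` / `ip rule` commands for table 1 on the eth0 / 192.168.1.2 setup described in the thread. The allowed ranges are constructed sample input taken from Michel's question.

```python
"""Generate the ip(8) policy-routing commands from non-CIDR-aligned ranges.

Added example, not code from the original thread. Interface name, table
number and next hop are the ones named in the thread; ALLOWED_SOURCES is
constructed sample input matching Michel's question.
"""
import ipaddress
from typing import Iterable

ROUTE_TABLE = 1             # "tab 1" in Robert's examples
NEXT_HOP = "192.168.1.2"    # firewall interface on the 192.168.1.0/24 side
EGRESS_DEV = "eth0"         # Soekris interface facing that firewall


def range_to_prefixes(first: str, last: str) -> list[str]:
    """Split an inclusive IPv4 range into the minimal set of CIDR prefixes.

    `ip rule from` only matches address/prefix, so a range such as
    192.168.10.10-192.168.10.50 has to become several rules.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range start {first} is after end {last}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def build_commands(ranges: Iterable[tuple[str, str]]) -> list[str]:
    """Return the shell commands that install the restricted default route.

    Only sources listed in `ranges` are steered into table 1; every other
    host falls through to the main table, which carries no default route.
    """
    cmds = [f"ip route add default via {NEXT_HOP} dev {EGRESS_DEV} tab {ROUTE_TABLE}"]
    for first, last in ranges:
        for prefix in range_to_prefixes(first, last):
            cmds.append(f"ip rule add from {prefix} tab {ROUTE_TABLE}")
    return cmds


# Constructed sample: the range and the single host from Michel's message.
ALLOWED_SOURCES = [
    ("192.168.10.10", "192.168.10.50"),
    ("192.168.10.155", "192.168.10.155"),
]

if __name__ == "__main__":
    for cmd in build_commands(ALLOWED_SOURCES):
        print(cmd)
```

Hosts outside the listed sources never reach table 1, so with no default route in the main table they cannot use 192.168.1.2 through this router.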
Re: [Vyatta-users] Restricting access to default route
Hi,

Related to my question, I was looking at the policies you can set in VC3. The documentation speaks of a ":" operator but when I try to apply it to a rule it is not allowed, probably because I'm doing it wrong. For instance, when I try the following rule in the CLI:

set policy policy-statement FireWallTest term 1 from network4 10.0.0.10:10.0.0.30

I get an error telling me:

ERROR: node "network4": argument "10.0.0.10:10.0.0.30" is not a valid "IPv4Net": value must be an IPv4 subnet in address/prefix-length form.

Where in the policies can one apply the ":" operator? The documentation on page 87 says that "The following criteria allow operators" and then in the table, on criterion line 5: "network4 :, ==, !=, <, >, <=, >=, exact, not, shorter, longer, orshorter, orlonger"

I think that if I could make a policy stating something like "from x.x.x.y:x.x.x.z to 192.168.1.2 then action: accept" this would solve my problem of restricting the next hop 192.168.1.2 to only a few IP addresses. Probably I'm wrong.

Kind regards,
Michel
Re: [Vyatta-users] Restricting access to default route
On Thu, 2008-01-31 at 10:42 -0800, Robert Bays wrote:
> Michel,

Hi Robert,

> If you want to route differentially based on where the traffic is coming
> from you need policy routing. Check out this message posted to the list
> last month.
>
> http://mailman.vyatta.com/pipermail/vyatta-users/2008-January/002785.html

Okay, thnx for the info. Thing is, those messages talk about the ip command on the shell prompt; there are also policies possible in the CLI. Are those the same?

Our situation is as follows:

eth0: 192.168.1.0/24, interface address is 192.168.1.1
eth1: 192.168.10.0/24, interface address is 192.168.10.1
eth2: 192.168.254.0/24, interface address is 192.168.254.2 (router on the other end with 192.168.254.1)

The default next hop to the firewall would be 192.168.1.2; this should be restricted to a few computers in the 192.168.10.0/24 segment. What I've read so far is that the CLI can't handle it and I would have to do it on the root shell with the ip command. The first rule would be:

ip route add default via 192.168.1.2 dev eth0 tab 1

But then I'm stuck, because the servers and a few clients who would be allowed access to that default route aren't all in a nice string of addresses. What I would like is to tell it that the range from 192.168.10.10:192.168.10.50 and 192.168.10.155 etc. etc. would be allowed to go to that next hop. In the Vyatta CLI there is a way, but like I said, the messages in the link you showed me said that it can't be done in the CLI.

Could you or anyone else please advise me in this matter?

> Cheers,
> Robert.

SeeYa,
Michel
[Vyatta-users] Restricting access to default route
Hi,

First, thanks for the Vyatta router. I have a question about the following.

We have a Soekris box with Vyatta installed and 3 interfaces. In the network behind one of those interfaces lives a firewall. Now I want some clients and servers to be able to use the firewall if the IP address they call is outside of the range the router knows as static/dynamic routes. I created a default route 0.0.0.0/0 with next hop -> firewall, but the problem then is that any PC connected to the router can take that path. So I had to remove that static route.

Is it something I should do with firewall rules?

Thnx in advance.

Kind regards,
Michel