Dear Vyatta Users:

 

I thought I had a working system with my Vyatta router, with firewall rules
configured both inbound and outbound, but I noticed that my statically
configured hosts could access the internet for a period of time and then
drop their connection.  About 50% of the time a network repair would bring
the host back online, but after streaming binary content for a few minutes
via usenet, YouTube, or wherever, the connection would drop again.  I
removed all my firewall rules and the problem went away, so I gather that I
have not configured them correctly.

 

Now I have reconfigured inbound firewall rules only, and I can serve up port
80, 443, and 22 traffic from another subnet with no problems.  Unfortunately,
I am not certain how to configure outbound access without recreating the
instability I had before.

 

For starters, eth0 faces my LAN, while eth1 faces the WAN.  After NAT, my
inbound firewall rule set "wan2lan" is applied to the out direction of eth0.
My original thought was to create another rule set named "lan2wan", applied
to the in direction of eth0, with something like accept all from source
192.168.xxx.0/24 to destination 0.0.0.0/0.

 

Here is my current config (please excuse the length):

 

    protocols {

        static {

            route 0.0.0.0/0 {

                next-hop: 75.145.xxx.190

            }

        }

    }

    policy {

    }

    interfaces {

        loopback lo {

        }

        ethernet eth0 {

            description: "lan"

            hw-id: 00:40:63:ef:c3:1c

            address 192.168.xxx.10 {

                prefix-length: 24

            }

            firewall {

                out {

                    name: "wan2lan"

                }

            }

        }

        ethernet eth1 {

            description: "wan"

            hw-id: 00:40:63:ef:c3:19

            address 75.145.xxx.185 {

                prefix-length: 29

            }

            address 75.145.xxx.186 {

                prefix-length: 29

            }

            address 75.145.xxx.187 {

                prefix-length: 29

            }

            vrrp {

                vrrp-group: 99

                virtual-address: 192.168.xxx.1

                priority: 150

            }

        }

    }

    service {

        nat {

            rule 10 {

                type: "masquerade"

                outbound-interface: "eth1"

                protocols: "all"

                source {

                    network: "192.168.xxx.0/24"

                }

                destination {

                    network: "0.0.0.0/0"

                }

            }

            rule 20 {

                type: "destination"

                inbound-interface: "eth1"

                protocols: "tcp"

                source {

                    network: "0.0.0.0/0"

                }

                destination {

                    address: "75.145.xxx.185"

                }

                inside-address {

                    address: 192.168.xxx.185

                }

            }

            rule 21 {

                type: "destination"

                inbound-interface: "eth1"

                protocols: "tcp"

                source {

                    network: "0.0.0.0/0"

                }

                destination {

                    address: "75.145.xxx.186"

                }

                inside-address {

                    address: 192.168.xxx.186

                }

            }

            rule 22 {

                type: "destination"

                inbound-interface: "eth1"

                source {

                    network: "0.0.0.0/0"

                }

                destination {

                    address: "75.145.xxx.187"

                }

                inside-address {

                    address: 192.168.xxx.187

                }

            }

        }

        ssh {

        }

        webgui {

        }

    }

    firewall {

        name wan2lan {

            rule 10 {

                description: "accept http"

                protocol: "tcp"

                action: "accept"

                log: "enable"

                source {

                    network: "75.145.xxx.190/29"

                }

                destination {

                    address: "192.168.xxx.185"

                    port-number 80

                }

            }

            rule 11 {

                description: "accept https"

                protocol: "tcp"

                action: "accept"

                log: "enable"

                source {

                    network: "75.145.xxx.190/29"

                }

                destination {

                    address: "192.168.xxx.185"

                    port-number 443

                }

            }

            rule 12 {

                description: "accept ssh"

                protocol: "tcp"

                action: "accept"

                log: "enable"

                source {

                    network: "75.145.xxx.190/29"

                }

                destination {

                    address: "192.168.xxx.185"

                    port-number 22

                }

            }

            rule 20 {

                description: "accept http"

                protocol: "tcp"

                action: "accept"

                log: "enable"

                source {

                    network: "75.145.xxx.190/29"

                }

                destination {

                    address: "192.168.xxx.186"

                    port-number 80

                }

            }

            rule 21 {

                description: "accept https"

                protocol: "tcp"

                action: "accept"

                log: "enable"

                source {

                    network: "75.145.xxx.190/29"

                }

                destination {

                    address: "192.168.xxx.186"

                    port-number 443

                }

            }

            rule 22 {

                description: "accept ssh"

                protocol: "tcp"

                action: "accept"

                log: "enable"

                source {

                    network: "75.145.xxx.190/29"

                }

                destination {

                    address: "192.168.xxx.186"

                    port-number 443

                }

            }

            rule 30 {

                description: "accept http"

                protocol: "tcp"

                action: "accept"

                log: "enable"

                source {

                    network: "75.145.xxx.190/29"

                }

                destination {

                    address: "192.168.xxx.187"

                    port-number 80

                }

            }

            rule 31 {

                description: "accept https"

                protocol: "tcp"

                action: "accept"

                log: "enable"

                source {

                    network: "75.145.xxx.190/29"

                }

                destination {

                    address: "192.168.xxx.187"

                    port-number 443

                }

            }

        }

    }

    system {

        host-name: "isz-router01"

        domain-name: "web-wired.com"

        name-server 68.87.73.242

        name-server 68.87.71.226

        ntp-server "69.59.150.135"

        gateway-address: 75.145.xxx.190

        login {

            user root {

                authentication {

                    encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."

                }

            }

            user vyatta {

                authentication {

                    encrypted-password: "$1$$Ht7gBYnxI1xCdO/JOnodh."

                }

            }

        }

        package {

            repository community {

                component: "main"

                url: "http://archive.vyatta.com/vyatta";

            }

            repository debian {

                component: "main"

                url: "http://mirrors.kernel.org/debian/";

            }

        }

    }

 

Any tips on better routing would be appreciated!  Any thoughts on how to set
up the outbound traffic?

 

Thanks!

 

Todd Worden

Web-Wired, LLC

434.906.0420 

[EMAIL PROTECTED]

www.web-wired.com <http://www.web-wired.com/> 

 

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
