In the previous post (https://www.wojcieh.net/vyatta-router-running-on-vmware-workstation-part-1/) we configured basic network connectivity between two networks. Today we will enable NAT, a firewall and DNS.
NAT
Configuring NAT on Vyatta is quite simple. To do it, type the following commands:
- set nat source rule 10 outbound-interface eth0
- set nat source rule 10 source address 10.0.0.0/24
- set nat source rule 10 translation address masquerade
- set nat source rule 10 description "LAN to WAN"
Firewall
In my case I decided to use simple firewall rules based on zones. At the beginning it might be difficult to understand, but if you spend a while on it, it should become crystal clear.
The first part is to create the firewall rule sets; I used two, WAN-TO-LAN and LAN-TO-WAN.
WAN-TO-LAN
- set firewall name WAN-TO-LAN
- set firewall name WAN-TO-LAN default-action drop
- set firewall name WAN-TO-LAN rule 10 action accept
- set firewall name WAN-TO-LAN rule 10 protocol all
- set firewall name WAN-TO-LAN rule 10 state established enable
- set firewall name WAN-TO-LAN rule 10 state related enable
Here you see how the WAN-TO-LAN rule set should look in the configuration.
LAN-TO-WAN
- set firewall name LAN-TO-WAN
- set firewall name LAN-TO-WAN default-action drop
- set firewall name LAN-TO-WAN rule 10 action accept
Here you see how the LAN-TO-WAN rule set should look in the configuration.
Zone policies
Now we will create the zones, in my case WAN and LAN, and assign them to the appropriate Ethernet interfaces.
- set zone-policy zone WAN
- set zone-policy zone WAN description "WAN"
- set zone-policy zone WAN default-action drop
- set zone-policy zone WAN interface eth0
- set zone-policy zone LAN
- set zone-policy zone LAN description "LAN"
- set zone-policy zone LAN default-action drop
- set zone-policy zone LAN interface eth1
Assign firewall to zones
This one is tricky, so read the syntax of the commands carefully. The rule set is attached to the zone the traffic is entering and selected by the zone it comes from: zone WAN gets LAN-TO-WAN for traffic from LAN, and zone LAN gets WAN-TO-LAN for traffic from WAN.
- WAN firewall: set zone-policy zone WAN from LAN firewall name LAN-TO-WAN
- LAN firewall: set zone-policy zone LAN from WAN firewall name WAN-TO-LAN
Here you see how zone WAN should look.
[screenshot: zone WAN configuration, including "interface eth0"]
Here you see how zone LAN should look.
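As an added example (not from the original post and not a Vyatta tool), here is a small Python script that parses `set` commands like the ones above and flags the mistakes that are easiest to make with zone policies: a rule set or zone without `default-action drop`, and a `from` policy that references a rule set that was never defined. The sample input is constructed from this post's firewall and zone commands plus one deliberately broken DMZ line.

```python
import shlex
from collections import defaultdict

# Constructed sample: the zone and firewall commands from this post, plus one
# deliberately broken line (zone DMZ uses a rule set that is never defined).
SAMPLE_CONFIG = """
set firewall name WAN-TO-LAN default-action drop
set firewall name WAN-TO-LAN rule 10 action accept
set firewall name WAN-TO-LAN rule 10 state established enable
set firewall name WAN-TO-LAN rule 10 state related enable
set firewall name LAN-TO-WAN default-action drop
set firewall name LAN-TO-WAN rule 10 action accept
set zone-policy zone WAN description "WAN"
set zone-policy zone WAN default-action drop
set zone-policy zone WAN interface eth0
set zone-policy zone LAN default-action drop
set zone-policy zone LAN interface eth1
set zone-policy zone WAN from LAN firewall name LAN-TO-WAN
set zone-policy zone LAN from WAN firewall name WAN-TO-LAN
set zone-policy zone DMZ from WAN firewall name WAN-TO-DMZ
"""

def parse_set_commands(text):
    """Tokenise each `set ...` line; shlex keeps quoted values such as "WAN" whole."""
    return [shlex.split(line)[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]
def audit(text):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    firewalls = {}                                   # rule-set name -> default-action
    zones = defaultdict(lambda: {"default": None, "from": {}})
    for c in parse_set_commands(text):
        if c[:2] == ["firewall", "name"]:
            firewalls.setdefault(c[2], None)
            if c[3:4] == ["default-action"]:
                firewalls[c[2]] = c[4]
        elif c[:2] == ["zone-policy", "zone"]:
            zone = zones[c[2]]
            if c[3:4] == ["default-action"]:
                zone["default"] = c[4]
            elif c[3:4] == ["from"] and c[5:7] == ["firewall", "name"]:
                zone["from"][c[4]] = c[7]            # rule set filtering traffic from zone c[4]
    findings = [f"firewall {name}: default-action is not drop"
                for name, action in firewalls.items() if action != "drop"]
    for zname, zone in zones.items():
        if zone["default"] != "drop":
            findings.append(f"zone {zname}: default-action is not drop")
        for src, ruleset in zone["from"].items():
            if ruleset not in firewalls:
                findings.append(f"zone {zname}: from {src} uses undefined rule set {ruleset}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the two problems with the DMZ line; remove that line and the script returns an empty list for the configuration shown in this post.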
DNS configuration
DNS configuration is quite simple. To make it work, enter the following commands:
- set service dns forwarding name-server <IP> (in my case it is 192.168.255.254)
- set service dns forwarding listen-on eth1
To really test it from the Domain Controller, I set its forwarder to the Vyatta LAN IP, 10.0.0.1, and deleted all root hints.
EOT
Wow, this was a really long post. I hope you will find it really useful and that everything will work in your environment as well.