Brace Yourself - Firewall and NAT are coming

In the previous post https://wojcieh.net/vyatta-router-running-on-vmware-workstation-part-1/ we configured basic network connectivity between two networks. Today we will enable NAT, firewall and DNS.

NAT

Configuring NAT on Vyatta is quite simple. To do it, type the following commands:

  • set nat source rule 10 outbound-interface eth0
  • set nat source rule 10 source address 10.0.0.0/24
  • set nat source rule 10 translation address masquerade
  • set nat source rule 10 description "LAN to WAN"

Firewall

In my case I decided to use simple firewall rules based on zones. At the beginning it might be difficult to understand, but if you spend a while with it, it should be crystal clear.

The first part is to create the firewall rule sets. I used two: WAN_TO_LAN and LAN_TO_WAN.

WAN_TO_LAN

  • set firewall name WAN_TO_LAN
  • set firewall name WAN_TO_LAN default-action drop
  • set firewall name WAN_TO_LAN rule 10 action accept
  • set firewall name WAN_TO_LAN rule 10 protocol all
  • set firewall name WAN_TO_LAN rule 10 state established enable
  • set firewall name WAN_TO_LAN rule 10 state related enable

Here is how rule set WAN_TO_LAN should look in the configuration (note the state block created by the two state commands above; only established and related traffic is accepted, everything else hits the default drop):

name WAN_TO_LAN {
    default-action drop
    rule 10 {
        action accept
        protocol all
        state {
            established enable
            related enable
        }
    }
}

LAN_TO_WAN

  • set firewall name LAN_TO_WAN
  • set firewall name LAN_TO_WAN default-action drop
  • set firewall name LAN_TO_WAN rule 10 action accept

Here is how rule set LAN_TO_WAN should look in the configuration:

name LAN_TO_WAN {
    default-action drop
    rule 10 {
        action accept
    }
}

Zone policies

Now we will create the zones, in my case WAN and LAN, and assign them to the appropriate Ethernet interfaces.

  • set zone-policy zone WAN
  • set zone-policy zone WAN description "WAN"
  • set zone-policy zone WAN default-action drop
  • set zone-policy zone WAN interface eth0
  • set zone-policy zone LAN
  • set zone-policy zone LAN description "LAN"
  • set zone-policy zone LAN default-action drop
  • set zone-policy zone LAN interface eth1

Assign firewall to zones

This one is tricky, so read the command syntax carefully: the zone named right after "zone" is the destination of the traffic, and "from" names the source zone.

WAN zone (traffic coming from LAN) – set zone-policy zone WAN from LAN firewall name LAN_TO_WAN

LAN zone (traffic coming from WAN) – set zone-policy zone LAN from WAN firewall name WAN_TO_LAN

Here is how zone WAN should look:

default-action drop
description WAN
from LAN {
    firewall {
        name LAN_TO_WAN
    }
}
interface eth0

Here is how zone LAN should look:

default-action drop
description LAN
from WAN {
    firewall {
        name WAN_TO_LAN
    }
}
interface eth1
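To verify that the zone policy really does what this post intends (default drop on every zone and rule set, and only established/related traffic accepted from WAN), here is an added Python script, not part of the original post and not Vyatta code, that rebuilds the configuration tree from the same set commands and audits it. The command list is a constructed copy of this post's commands; the function names and the "untrusted" parameter (the zone whose unsolicited traffic must never be accepted) are my own.

```python
# Added example, not code from the post or from Vyatta: rebuild the zone-based firewall
# from this post's 'set' commands and audit it. SET_COMMANDS is a constructed copy of
# those commands (node-only lines like 'set firewall name WAN_TO_LAN' are omitted).
SET_COMMANDS = """\
set firewall name WAN_TO_LAN default-action drop
set firewall name WAN_TO_LAN rule 10 action accept
set firewall name WAN_TO_LAN rule 10 protocol all
set firewall name WAN_TO_LAN rule 10 state established enable
set firewall name WAN_TO_LAN rule 10 state related enable
set firewall name LAN_TO_WAN default-action drop
set firewall name LAN_TO_WAN rule 10 action accept
set zone-policy zone WAN default-action drop
set zone-policy zone WAN from LAN firewall name LAN_TO_WAN
set zone-policy zone LAN default-action drop
set zone-policy zone LAN from WAN firewall name WAN_TO_LAN
"""

def build_tree(commands: str) -> dict:
    """'set a b c value' -> tree[a][b][c] == value; every line must end in a key/value pair."""
    tree: dict = {}
    for tokens in (line.split() for line in commands.splitlines()):
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        node = tree
        for tok in tokens[1:-2]:  # all but the last two tokens are path elements
            node = node.setdefault(tok, {})
        node[tokens[-2]] = tokens[-1]  # last two tokens are the leaf key and its value
    return tree

def audit(tree: dict, untrusted: str) -> list:
    """Zones/firewalls must default to drop; accepts from the untrusted zone must be state-limited."""
    findings = []
    firewalls = tree.get("firewall", {}).get("name", {})
    for zname, zone in tree.get("zone-policy", {}).get("zone", {}).items():
        if zone.get("default-action") != "drop":
            findings.append(f"zone {zname}: default-action is not drop")
        for peer, policy in zone.get("from", {}).items():
            fw_name = policy.get("firewall", {}).get("name")
            fw = firewalls.get(fw_name)
            if fw is None:
                findings.append(f"zone {zname} from {peer}: firewall {fw_name} is undefined")
                continue
            if fw.get("default-action") != "drop":
                findings.append(f"firewall {fw_name}: default-action is not drop")
            for rno, rule in fw.get("rule", {}).items():
                enabled = {s for s, v in rule.get("state", {}).items() if v == "enable"}
                stateful = bool(enabled) and enabled <= {"established", "related"}
                if peer == untrusted and rule.get("action") == "accept" and not stateful:
                    findings.append(f"firewall {fw_name} rule {rno}: accepts unsolicited traffic from {peer}")
    return findings
```

Running audit(build_tree(SET_COMMANDS), "WAN") on the commands above returns no findings; drop the two state commands and it reports that WAN_TO_LAN rule 10 accepts unsolicited traffic from WAN.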

DNS configuration

DNS configuration is quite simple. In order to make it work, enter the following commands, replacing IP with the address of your upstream DNS server:

  • set service dns forwarding name-server IP (in my case it is 192.168.255.254)
  • set service dns forwarding listen-on eth1

In order to really test it from the Domain Controller, I set a forwarder to the Vyatta LAN IP – 10.0.0.1 – and I deleted all root hints.

EOT

Wow – this was a really long post. I hope you will find it really useful and that everything will work in your environment as well.

Vyatta – Router running on VMware Workstation – Part 2 DNS, Firewall and NAT
Wojciech Marusiak