I’ve got several computers lying around, and so I think its high time that I begin to make good use of them. More recently, I’ve been working with Vyatta’s operating system a lot more for my routing and security purposes. My previous project in getting Vyatta on the cloud has been successful. And so, this post will be about getting that same powerful enterprise network at the office… home.
In my Cisco days, we followed a certain model that is similar to the 3-tier architecture. I won’t go into too much detail here, but it divides up your network into three levels; Core, Distribution, and Access. You must be wondering how we’re going to apply this concept to the home? Below is a visual representation of what I’ve got in mind. We’ll break this down piece by piece and build each part as we go along.
Typically, the Access Layer can be either switches or routers, depending on your setup. Just so my home network doesn’t get overly complicated, I’m going to leave that later as switches. Also, because this is being implemented in a home, you will notice that there are no redundant links here, ie, dual wan connections, etc.
Setting up the Core Router
For the Core Router, I’m using a computer with two network interfaces. We’re going to
- configure the external interface
- configure the internal interface
- configure ssh access so we can connect to this router later
- configure dhcp (you can skip this and set the distribution router with a static external)
- configure name servers as well as dynamic dns
- configure network address translation
At this stage, I assume you would have already installed Vyatta. Once you’ve got it up and running, you should be able to logged in and see the main list of options. To begin configuring the router, type
Configuring the External Interface (eth0)
We’ll start by configuring the external address. Because most homes don’t have a static ip address assigned to them for their internet connection, we’re going to configure our external interface with a dhcp address.
set interfaces ethernet eth0 address dhcp commit
If you happen to have a static ip, and know your subnet mask, you can enter it as follows
set interfaces ethernet eth0 address 18.104.22.168/24 commit
Configuring the Internal Interface (eth1)
We can now configure the internal address in the same way. However, this time we’ll have to assign an address ourselves.
set interfaces ethernet eth1 address 10.0.0.1/29 commit
So, from here we’ve set our internal network to be 10.0.0.0 with a subnet address of 255.255.255.248. Our core router has the .1 address, and so our distribution router will more than likely get a .2 address. This really isn’t set in stone. But if you feel you want to make it .3 or .6, go right ahead. Basically, all we’re doing here is using a convention that will be easy to remember.
Configuring SSH access
Configuring SSH will allow us to have secure shell access to the router externally. I would set this up instead of Telnet for security purposes. It’s relatively simple. Basically, we want to change the port we connect to from the default (22) to something random, like 30000. Also, I’m going to deny root access to the system. If you wish to have root access, set it to true.
set service ssh set service ssh port 30000 set service ssh allow-root false set service ssh protocol-version all commit
Technically speaking, you want to skip this section all-together. For your core router, you want it to strictly stay on the ball when it comes to doing its job, and this is forwarding packets between the distribution layer to the external network. However, because this is my home network, I’m not overly concerned.
Here, we’ll setup the DHCP server, give it a name (like the pool in Cisco), and the other characteristics.
set service dhcp-server set service dhcp-server shared-network-name Pool1 set service dhcp-server shared-network-name Pool1 subnet 10.0.0.0 default-router 10.0.0.1 set service dhcp-server shared-network-name Pool1 subnet 10.0.0.0 start 10.0.0.2 end 10.0.0.6 set service dhcp-server shared-network-name Pool1 subnet 10.0.0.0 exclude 10.0.0.1 set service dhcp-server shared-network-name Pool1 subnet 10.0.0.0 dns-server 22.214.171.124 set service dhcp-server shared-network-name Pool1 subnet 10.0.0.0 dns-server 126.96.36.199 commit
For the DNS servers, I’ve set it up here to point to OpenDNS. I setup all my routers to use their DNS servers. You don’t have to specify it here, you can set it as your router and specify the name servers in your global configuration as we will be doing in the next step.
This is pretty straight forward. We’ll go ahead and plug in the OpenDNS servers in here. Vyatta supports several DDNS service providers right out of the box. I’m going to add the configurations to connect to DynDNS for our dynamic dns updates.
set system name-server 188.8.131.52 set system name-server 184.108.40.206 set service dns dynamic interface eth0 service dyndns set service dns dynamic interface eth0 service dyndns login your-login-name set service dns dynamic interface eth0 service dyndns password your-password set service dns dynamic interface eth0 service dyndns host-name your-hostname.domain.com commit
We’re using network address translation so that all our internal computers can talk to the outside world as though they are the router itself. Or, to break it down even further, we don’t have enough public ip address to pass around, but the private ip addresses are endless. You and your neighbor could have 10 or more computers and have the exact same private addresses, but you both have one unique public address. The outside world only talks to public addresses, and this is where NAT kicks in. Your router will basically facilitate that communication for you.
There are several types of NAT. We won’t get complicated here. So, we’ll just setup an SNAT (source nat).
set service nat rule 100 type masquerade set service nat rule 100 type source address 10.0.0.0/29 set service nat rule 100 type source outbound-interface eth0 commit
Wrapping things up
We’ve now finished configuring the core router. Save all your configurations by typing (save). In the next post, we’ll look at configuring the distribution router.