Vyatta small ISP Border router

Vyatta винаги ми е била слабост, признавам си. А и идеята да събереш различните инструменти в един функционален шел е повече от добра. Навсякъде, където може да се вземе мрежово решение с Линукс, мисля първо за нея. И не защото съм предал другите дистрибуции, а защото наистина се убедих в нейната функционалност и лекота на работа. Като се замисли човек, първо получаваш един добре оптимизиран рутер с шел а ла Juniper, а после можеш да ползваш всяко хранилище на Debian и да си инсталираш каквото пожелаеш от света на Линукс. Също мисля, че на много места я подценяват, но ако проектът върви така, в бъдеще може да се превърне и в нещо като стандарт при Линукс рутерите. В долната конфигурация имах нужда от граничен маршрутизатор, който замених от Debian към Vyatta, и въпреки че самата Vyatta е дериват на Debian, се държа доста различно, главно поради различния подход към конфигуриране на мрежата. Например всички маршрути в Vyatta се изпълняват от демона zebra, или пък мрежовите интерфейси се конфигурират с ip address, а не с ifconfig, и така нататък. Определено операцията, която извърших, имаше смисъл и усетих удовлетворение, когато видях колко малко ресурси харчи и с каква лекота работи новият маршрутизатор …

Commands CLI …………………………………………..

# Vyatta configure-mode commands for the border router described above.
# Review notes (risk / mitigation) are the '#' lines; the commands are unchanged.
# Consistency note: the "show" listing further down puts 93.155.130.1/28 on eth2,
# not eth1, and has the SNMP listen-address as 93.155.130.14, not .1 — one of the
# two listings is stale, so confirm against the running box before reusing either.

# 50 000 000 conntrack entries: the running config keeps conntrack-hash-size at
# 4096, which is tiny for a table this size, and the table must fit the RAM the
# box actually has. Raise the hash size together with the table, or lower the table.
set firewall conntrack-table-size 50000000
 
# vif 100 carries the customer-facing public prefixes. No firewall rule-set is
# attached to any interface in this configuration, so the services configured
# below (DNS forwarding, SNMP, SSH) are reachable from these subnets unless
# filtered elsewhere.
set interfaces ethernet eth0 vif 100 address 93.155.131.1/28
set interfaces ethernet eth0 vif 100 address 93.155.162.1/24
set interfaces ethernet eth0 vif 100 address 93.155.169.1/24
set interfaces ethernet eth0 vif 100 address 93.155.130.17/28
set interfaces ethernet eth0 vif 100 address 93.155.130.65/26
set interfaces ethernet eth0 vif 100 address 93.155.130.129/25
set interfaces ethernet eth0 vif 100 address 93.155.131.25/29
set interfaces ethernet eth0 vif 100 address 93.155.131.33/27
set interfaces ethernet eth0 vif 100 address 93.155.131.65/26
set interfaces ethernet eth0 vif 100 address 93.155.131.129/25
 
set interfaces ethernet eth0 vif 523 address 93.155.131.17/29
 
# Upstream point-to-point link; the BGP neighbor below is the other end (.89).
set interfaces ethernet eth1 vif 149 address 212.70.158.90/30
 
# The "show" output below has this address on eth2 — verify which is current.
set interfaces ethernet eth1 address 93.155.130.1/28
 
# Plain GRE: the tunnel payload is neither authenticated nor encrypted. remote-ip
# is an RFC 1918 address reached through the 10.18.9.0/24 static route below, and
# no GRE key is configured, so nothing distinguishes genuine tunnel traffic beyond
# the source address.
set interfaces tunnel tun1 address 93.155.130.33/30
set interfaces tunnel tun1 encapsulation gre
set interfaces tunnel tun1 local-ip 93.155.131.1
set interfaces tunnel tun1 multicast enable
set interfaces tunnel tun1 remote-ip 10.18.9.2
set interfaces tunnel tun1 ttl 255
 
# Same properties as tun1 (plain GRE, RFC 1918 remote endpoint).
set interfaces tunnel tun2 address 93.155.130.37/30
set interfaces tunnel tun2 encapsulation gre
set interfaces tunnel tun2 local-ip 93.155.131.1
set interfaces tunnel tun2 multicast enable
set interfaces tunnel tun2 remote-ip 10.18.9.3
set interfaces tunnel tun2 ttl 255
 
# Export filter toward the upstream: only the four public /24 aggregates. This is
# what keeps the "redistribute static" / "redistribute connected" routes below
# (including the 10/8 statics) from being announced — keep it as the single
# export filter and do not loosen it.
set policy prefix-list GCN rule 1 action permit
set policy prefix-list GCN rule 1 prefix 93.155.130.0/24
set policy prefix-list GCN rule 2 action permit
set policy prefix-list GCN rule 2 prefix 93.155.131.0/24
set policy prefix-list GCN rule 3 action permit
set policy prefix-list GCN rule 3 prefix 93.155.162.0/24
set policy prefix-list GCN rule 4 action permit
set policy prefix-list GCN rule 4 prefix 93.155.169.0/24
 
set protocols bgp 47453 aggregate-address 93.155.130.0/24
set protocols bgp 47453 aggregate-address 93.155.131.0/24
set protocols bgp 47453 aggregate-address 93.155.162.0/24
set protocols bgp 47453 aggregate-address 93.155.169.0/24
# Upstream eBGP session: no "password" (TCP MD5) is set and there is no inbound
# prefix-list or route-map, so everything the peer announces is accepted as-is.
set protocols bgp 47453 neighbor 212.70.158.89 nexthop-self
set protocols bgp 47453 neighbor 212.70.158.89 prefix-list export GCN
set protocols bgp 47453 neighbor 212.70.158.89 remote-as 12615
set protocols bgp 47453 neighbor 212.70.158.89 soft-reconfiguration inbound
set protocols bgp 47453 network 93.155.130.0/24
set protocols bgp 47453 network 93.155.131.0/24
set protocols bgp 47453 network 93.155.162.0/24
set protocols bgp 47453 network 93.155.169.0/24
# The router-id here is the NEIGHBOR's address; the local side of vif 149 is
# 212.70.158.90. Presumably a typo — verify, because a router-id that collides
# with the peer's own router-id keeps the session from establishing.
set protocols bgp 47453 parameters router-id 212.70.158.89
# Broad redistribution; only safe because prefix-list GCN filters the export.
set protocols bgp 47453 redistribute connected
set protocols bgp 47453 redistribute static
 
# Private (10/8) and 194.141.67-69.0/24 destinations via next-hops inside the
# eth0.100 subnets. 10.18.9.0/24 is the path to both GRE remote-ips above.
set protocols static route 10.18.1.0/24 next-hop 93.155.131.11
set protocols static route 10.18.7.0/24 next-hop 93.155.131.7
set protocols static route 10.18.8.0/24 next-hop 93.155.131.8
set protocols static route 10.18.9.0/24 next-hop 93.155.131.9
set protocols static route 10.122.0.0/16 next-hop 93.155.131.11
set protocols static route 10.123.0.0/16 next-hop 93.155.131.11
set protocols static route 10.124.0.0/16 next-hop 93.155.131.11
set protocols static route 10.125.0.0/16 next-hop 93.155.131.11
set protocols static route 10.126.0.0/16 next-hop 93.155.131.11
set protocols static route 10.127.0.0/16 next-hop 93.155.131.11
set protocols static route 194.141.67.0/24 next-hop 93.155.131.19
set protocols static route 194.141.68.0/24 next-hop 93.155.131.19
set protocols static route 194.141.69.0/24 next-hop 93.155.131.19
 
# DNS forwarding also listens on eth0.100, the public-facing VLAN above: with no
# interface filter this is an open resolver for anyone who can reach those
# addresses (amplification and cache-poisoning exposure). Limit listen-on to the
# management side (eth3) or filter port 53 on eth0.100.
set service dns forwarding cache-size 2000
set service dns forwarding listen-on eth3
set service dns forwarding listen-on eth0.100
set service dns forwarding name-server 208.67.222.222
set service dns forwarding name-server 208.67.220.220
set service dns forwarding system
 
# Default community name "public", read-only, bound to a globally routed address.
# Use a non-default community (or SNMPv3) and restrict the sources allowed to query.
set service snmp community public authorization ro
set service snmp contact support@itservice-bg.net
set service snmp listen-address 93.155.130.1 port 161
set service snmp location Bulgaria
 
# Default port, no listen-address restriction, and password authentication is not
# disabled, so password logins are accepted on every address — including the
# upstream and customer-facing ones. Restrict to eth3 and/or use key-only auth.
set service ssh port 22
 
set system time-zone Europe/Sofia

Show config file …………………………………………………..

/* Running configuration ("show" output) of the border router. Review notes
   (risk / mitigation) are the C-style comments; the configuration itself is
   reproduced unchanged. Differences from the "set" listing above: 93.155.130.1/28
   is on eth2 here, not eth1, and the SNMP listen-address is 93.155.130.14, not .1
   — confirm which of the two listings is current. */
firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    /* 4096 hash buckets for a 50 000 000-entry table means very long chains under
       load; raise the hash size together with the table, and bound the table by
       the RAM the box actually has. */
    conntrack-hash-size 4096
    conntrack-table-size 50000000
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    receive-redirects disable
    /* A border router normally has no reason to emit ICMP redirects; consider
       disabling. */
    send-redirects enable
    /* Reverse-path filtering is off, so packets with spoofed source addresses are
       not dropped on ingress. Presumably needed for asymmetric paths over the GRE
       tunnels — if not, enable it (at least "loose"). */
    source-validation disable
    syn-cookies enable
    /* Only kernel-level toggles are set here: no "name" rule-set exists and none
       is attached to any interface, so every service below is reachable from
       every interface. */
}
interfaces {
    ethernet eth0 {
        duplex auto
        hw-id 00:13:72:52:92:bf
        smp_affinity auto
        speed auto
        /* Customer-facing VLAN holding the public prefixes; the DNS forwarder
           below also listens on it (eth0.100). */
        vif 100 {
            address 93.155.131.1/28
            address 93.155.162.1/24
            address 93.155.169.1/24
            address 93.155.130.17/28
            address 93.155.130.65/26
            address 93.155.130.129/25
            address 93.155.131.25/29
            address 93.155.131.33/27
            address 93.155.131.65/26
            address 93.155.131.129/25
        }
        vif 523 {
            address 93.155.131.17/29
        }
    }
    ethernet eth1 {
        duplex auto
        hw-id 00:13:72:52:92:c0
        smp_affinity auto
        speed auto
        /* Upstream point-to-point link; the BGP neighbor is the other end (.89). */
        vif 149 {
            address 212.70.158.90/30
        }
    }
    ethernet eth2 {
        /* Globally routed /28; the SNMP agent listens on .14 of this subnet. */
        address 93.155.130.1/28
        duplex auto
        hw-id 00:04:23:ab:7d:7a
        smp_affinity auto
        speed auto
    }
    ethernet eth3 {
        /* Management side: the only non-public address on the box. */
        address 192.168.1.200/24
        duplex auto
        hw-id 00:04:23:ab:7d:7b
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    /* Plain GRE tunnels: the payload is neither authenticated nor encrypted, no
       GRE key is set, and the remote endpoints are RFC 1918 addresses reached via
       the 10.18.9.0/24 static route. With source-validation disabled above, GRE
       traffic that merely claims the remote-ip as its source is not filtered. */
    tunnel tun1 {
        address 93.155.130.33/30
        description IordanSpasov
        encapsulation gre
        local-ip 93.155.131.1
        multicast enable
        remote-ip 10.18.9.2
        ttl 255
    }
    tunnel tun2 {
        address 93.155.130.37/30
        description Filipov
        encapsulation gre
        local-ip 93.155.131.1
        multicast enable
        remote-ip 10.18.9.3
        ttl 255
    }
}
policy {
    /* Export filter toward the upstream: only the four public /24 aggregates.
       This is what keeps the "redistribute static/connected" routes below
       (including the 10/8 statics) from being announced — keep it in place. */
    prefix-list GCN {
        rule 1 {
            action permit
            prefix 93.155.130.0/24
        }
        rule 2 {
            action permit
            prefix 93.155.131.0/24
        }
        rule 3 {
            action permit
            prefix 93.155.162.0/24
        }
        rule 4 {
            action permit
            prefix 93.155.169.0/24
        }
    }
}
protocols {
    bgp 47453 {
        aggregate-address 93.155.130.0/24 {
        }
        aggregate-address 93.155.131.0/24 {
        }
        aggregate-address 93.155.162.0/24 {
        }
        aggregate-address 93.155.169.0/24 {
        }
        /* Upstream eBGP session. No "password" (TCP MD5) is set and there is no
           inbound prefix-list or route-map, so everything the peer announces is
           accepted as-is. */
        neighbor 212.70.158.89 {
            nexthop-self
            prefix-list {
                export GCN
            }
            remote-as 12615
            soft-reconfiguration {
                inbound
            }
        }
        network 93.155.130.0/24 {
        }
        network 93.155.131.0/24 {
        }
        network 93.155.162.0/24 {
        }
        network 93.155.169.0/24 {
        }
        parameters {
            /* This is the NEIGHBOR's address; the local side of vif 149 is
               212.70.158.90. Presumably a typo — verify, because a router-id that
               collides with the peer's own keeps the session from establishing. */
            router-id 212.70.158.89
        }
        /* Broad redistribution; only safe because prefix-list GCN filters the
           export. */
        redistribute {
            connected {
            }
            static {
            }
        }
    }
    static {
        /* Private (10/8) and 194.141.67-69.0/24 destinations via next-hops inside
           the eth0.100 subnets. 10.18.9.0/24 is the path to both GRE remote-ips. */
        route 10.18.1.0/24 {
            next-hop 93.155.131.11 {
            }
        }
        route 10.18.7.0/24 {
            next-hop 93.155.131.7 {
            }
        }
        route 10.18.8.0/24 {
            next-hop 93.155.131.8 {
            }
        }
        route 10.18.9.0/24 {
            next-hop 93.155.131.9 {
            }
        }
        route 10.122.0.0/16 {
            next-hop 93.155.131.11 {
            }
        }
        route 10.123.0.0/16 {
            next-hop 93.155.131.11 {
            }
        }
        route 10.124.0.0/16 {
            next-hop 93.155.131.11 {
            }
        }
        route 10.125.0.0/16 {
            next-hop 93.155.131.11 {
            }
        }
        route 10.126.0.0/16 {
            next-hop 93.155.131.11 {
            }
        }
        route 10.127.0.0/16 {
            next-hop 93.155.131.11 {
            }
        }
        route 194.141.67.0/24 {
            next-hop 93.155.131.19 {
            }
        }
        route 194.141.68.0/24 {
            next-hop 93.155.131.19 {
            }
        }
        route 194.141.69.0/24 {
            next-hop 93.155.131.19 {
            }
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 2000
            /* Listening on eth0.100 (public-facing VLAN) as well as eth3, with no
               interface filter, makes this an open resolver for anyone who can
               reach those addresses — amplification and cache-poisoning exposure.
               Limit listen-on to the management side (eth3) or filter port 53
               on eth0.100. */
            listen-on eth3
            listen-on eth0.100
            name-server 208.67.222.222
            name-server 208.67.220.220
            system
        }
    }
    snmp {
        /* Default community name, read-only, bound to a globally routed address.
           Use a non-default community (or SNMPv3) and restrict the sources
           allowed to query. */
        community public {
            authorization ro
        }
        contact support@itservice-bg.net
        listen-address 93.155.130.14 {
            port 161
        }
        location Bulgaria
    }
    ssh {
        /* Default port, no listen-address restriction, and password
           authentication is not disabled, so password logins are accepted on
           every address including the upstream and customer-facing ones.
           Restrict to eth3 and/or use key-only authentication. */
        port 22
        protocol-version v2
    }
}
system {
    host-name core2
    login {
        /* Single admin-level account under the default user name. The
           encrypted-password hash below was published together with this page
           (and "$1$" is MD5-crypt); treat that password as compromised and
           change it. */
        user vyatta {
            authentication {
                encrypted-password $1$ZohN7ZE.$2Ho4fiOy4AHpfhFS9/
            }
            level admin
        }
    }
    /* Single NTP source; BGP logs and any forensics depend on accurate time. */
    ntp-server 0.vyatta.pool.ntp.org
    package {
        /* Repository fetched over plain HTTP with auto-sync on; integrity then
           rests on the package signature checks of the underlying Debian tooling
           — presumably in place, verify. */
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
    }
    syslog {
        /* Logging is local only (no remote "host" target) and "protocols" at
           debug is verbose. Send a copy to a remote collector so the logs survive
           a compromise or loss of the router. */
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Sofia
}
 
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:system@3:dhcp-server@4:ipsec@2:webgui@1:wanloadbalance@2:dhcp-relay@1:quagga@2:qos@1:firewall@3:vrrp@1:nat@3:webproxy@1:conntrack-sync@1" === */
