Vyatta small ISP Border router

Vyatta винаги ми е била слабост, признавам си. А и идеята да събереш различните инструменти в един функционален шел е повече от добра. Навсякъде където може да се вземе мрежово решение с Линукс мисля първо за нея. И не защото съм предал другите дистрибуции а защото найстина се убедих в нейната функционалност и лекота на работа. Като се замисли човек първо получаваш един добре оптимизиран рутер с шел ала Juniper а после можеш да ползваш всяко хранилище на Debian и да си инсталираш каквото пожелаеш от света на Линукс. Също мисля, че на много места я подценяват но ако проекта върви така за бъдеще може да се превърне и в нещо като стандарт при Линукс рутерите. В долната конфигурация имах нужда от граничен маршрутизатор който замених от Debian към Vyatta и въпреки, че самата vyatta е дериват на Debian се държа доста различно главно поради различния подход към конфигуриране на мрежата. Например всички маршрути в Vyatta се изпълняват от демона зебра или пък мрежовите интерфейси се конфигурират с ip address а не с ifconfig и така нататък. Определено операцията която извърших имаше смисъл и усетих удовлетворение когато видях колко малко ресурси харчи и с каква лекота работи новият маршрутизатор …

Commands CLI …………………………………………..

set firewall conntrack-table-size 50000000
 
set interfaces ethernet eth0 vif 100 address 93.155.131.1/28
set interfaces ethernet eth0 vif 100 address 93.155.162.1/24
set interfaces ethernet eth0 vif 100 address 93.155.169.1/24
set interfaces ethernet eth0 vif 100 address 93.155.130.17/28
set interfaces ethernet eth0 vif 100 address 93.155.130.65/26
set interfaces ethernet eth0 vif 100 address 93.155.130.129/25
set interfaces ethernet eth0 vif 100 address 93.155.131.25/29
set interfaces ethernet eth0 vif 100 address 93.155.131.33/27
set interfaces ethernet eth0 vif 100 address 93.155.131.65/26
set interfaces ethernet eth0 vif 100 address 93.155.131.129/25
 
set interfaces ethernet eth0 vif 523 address 93.155.131.17/29
 
set interfaces ethernet eth1 vif 149 address 212.70.158.90/30
 
set interfaces ethernet eth1 address 93.155.130.1/28
 
set interfaces tunnel tun1 address 93.155.130.33/30
set interfaces tunnel tun1 encapsulation gre
set interfaces tunnel tun1 local-ip 93.155.131.1
set interfaces tunnel tun1 multicast enable
set interfaces tunnel tun1 remote-ip 10.18.9.2
set interfaces tunnel tun1 ttl 255
 
set interfaces tunnel tun2 address 93.155.130.37/30
set interfaces tunnel tun2 encapsulation gre
set interfaces tunnel tun2 local-ip 93.155.131.1
set interfaces tunnel tun2 multicast enable
set interfaces tunnel tun2 remote-ip 10.18.9.3
set interfaces tunnel tun2 ttl 255
 
set policy prefix-list GCN rule 1 action permit
set policy prefix-list GCN rule 1 prefix 93.155.130.0/24
set policy prefix-list GCN rule 2 action permit
set policy prefix-list GCN rule 2 prefix 93.155.131.0/24
set policy prefix-list GCN rule 3 action permit
set policy prefix-list GCN rule 3 prefix 93.155.162.0/24
set policy prefix-list GCN rule 4 action permit
set policy prefix-list GCN rule 4 prefix 93.155.169.0/24
 
set protocols bgp 47453 aggregate-address 93.155.130.0/24
set protocols bgp 47453 aggregate-address 93.155.131.0/24
set protocols bgp 47453 aggregate-address 93.155.162.0/24
set protocols bgp 47453 aggregate-address 93.155.169.0/24
set protocols bgp 47453 neighbor 212.70.158.89 nexthop-self
set protocols bgp 47453 neighbor 212.70.158.89 prefix-list export GCN
set protocols bgp 47453 neighbor 212.70.158.89 remote-as 12615
set protocols bgp 47453 neighbor 212.70.158.89 soft-reconfiguration inbound
set protocols bgp 47453 network 93.155.130.0/24
set protocols bgp 47453 network 93.155.131.0/24
set protocols bgp 47453 network 93.155.162.0/24
set protocols bgp 47453 network 93.155.169.0/24
set protocols bgp 47453 parameters router-id 212.70.158.89
set protocols bgp 47453 redistribute connected
set protocols bgp 47453 redistribute static
 
set protocols static route 10.18.1.0/24 next-hop 93.155.131.11
set protocols static route 10.18.7.0/24 next-hop 93.155.131.7
set protocols static route 10.18.8.0/24 next-hop 93.155.131.8
set protocols static route 10.18.9.0/24 next-hop 93.155.131.9
set protocols static route 10.122.0.0/16 next-hop 93.155.131.11
set protocols static route 10.123.0.0/16 next-hop 93.155.131.11
set protocols static route 10.124.0.0/16 next-hop 93.155.131.11
set protocols static route 10.125.0.0/16 next-hop 93.155.131.11
set protocols static route 10.126.0.0/16 next-hop 93.155.131.11
set protocols static route 10.127.0.0/16 next-hop 93.155.131.11
set protocols static route 194.141.67.0/24 next-hop 93.155.131.19
set protocols static route 194.141.68.0/24 next-hop 93.155.131.19
set protocols static route 194.141.69.0/24 next-hop 93.155.131.19
 
set service dns forwarding cache-size 2000
set service dns forwarding listen-on eth3
set service dns forwarding listen-on eth0.100
set service dns forwarding name-server 208.67.222.222
set service dns forwarding name-server 208.67.220.220
set service dns forwarding system
 
set service snmp community public authorization ro
set service snmp contact support@itservice-bg.net
set service snmp listen-address 93.155.130.1 port 161
set service snmp location Bulgaria
 
set service ssh port 22
 
set system time-zone Europe/Sofia

Show config file …………………………………………………..

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 50000000
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        duplex auto
        hw-id 00:13:72:52:92:bf
        smp_affinity auto
        speed auto
        vif 100 {
            address 93.155.131.1/28
            address 93.155.162.1/24
            address 93.155.169.1/24
            address 93.155.130.17/28
            address 93.155.130.65/26
            address 93.155.130.129/25
            address 93.155.131.25/29
            address 93.155.131.33/27
            address 93.155.131.65/26
            address 93.155.131.129/25
        }
        vif 523 {
            address 93.155.131.17/29
        }
    }
    ethernet eth1 {
        duplex auto
        hw-id 00:13:72:52:92:c0
        smp_affinity auto
        speed auto
        vif 149 {
            address 212.70.158.90/30
        }
    }
    ethernet eth2 {
        address 93.155.130.1/28
        duplex auto
        hw-id 00:04:23:ab:7d:7a
        smp_affinity auto
        speed auto
    }
    ethernet eth3 {
        address 192.168.1.200/24
        duplex auto
        hw-id 00:04:23:ab:7d:7b
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    tunnel tun1 {
        address 93.155.130.33/30
        description IordanSpasov
        encapsulation gre
        local-ip 93.155.131.1
        multicast enable
        remote-ip 10.18.9.2
        ttl 255
    }
    tunnel tun2 {
        address 93.155.130.37/30
        description Filipov
        encapsulation gre
        local-ip 93.155.131.1
        multicast enable
        remote-ip 10.18.9.3
        ttl 255
    }
}
policy {
    prefix-list GCN {
        rule 1 {
            action permit
            prefix 93.155.130.0/24
        }
        rule 2 {
            action permit
            prefix 93.155.131.0/24
        }
        rule 3 {
            action permit
            prefix 93.155.162.0/24
        }
        rule 4 {
            action permit
            prefix 93.155.169.0/24
        }
    }
}
protocols {
    bgp 47453 {
        aggregate-address 93.155.130.0/24 {
        }
        aggregate-address 93.155.131.0/24 {
        }
        aggregate-address 93.155.162.0/24 {
        }
        aggregate-address 93.155.169.0/24 {
        }
        neighbor 212.70.158.89 {
            nexthop-self
            prefix-list {
                export GCN
            }
            remote-as 12615
            soft-reconfiguration {
                inbound
            }
        }
        network 93.155.130.0/24 {
        }
        network 93.155.131.0/24 {
        }
        network 93.155.162.0/24 {
        }
        network 93.155.169.0/24 {
        }
        parameters {
            router-id 212.70.158.89
        }
        redistribute {
            connected {
            }
            static {
            }
        }
    }
    static {
        route 10.18.1.0/24 {
            next-hop 93.155.131.11 {
            }
        }
        route 10.18.7.0/24 {
            next-hop 93.155.131.7 {
            }
        }
        route 10.18.8.0/24 {
            next-hop 93.155.131.8 {
            }
        }
        route 10.18.9.0/24 {
            next-hop 93.155.131.9 {
            }
        }
        route 10.122.0.0/16 {
            next-hop 93.155.131.11 {
            }
        }
        route 10.123.0.0/16 {
            next-hop 93.155.131.11 {
            }
        }
        route 10.124.0.0/16 {
            next-hop 93.155.131.11 {
            }
        }
        route 10.125.0.0/16 {
            next-hop 93.155.131.11 {
            }
        }
        route 10.126.0.0/16 {
            next-hop 93.155.131.11 {
            }
        }
        route 10.127.0.0/16 {
            next-hop 93.155.131.11 {
            }
        }
        route 194.141.67.0/24 {
            next-hop 93.155.131.19 {
            }
        }
        route 194.141.68.0/24 {
            next-hop 93.155.131.19 {
            }
        }
        route 194.141.69.0/24 {
            next-hop 93.155.131.19 {
            }
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 2000
            listen-on eth3
            listen-on eth0.100
            name-server 208.67.222.222
            name-server 208.67.220.220
            system
        }
    }
    snmp {
        community public {
            authorization ro
        }
        contact support@itservice-bg.net
        listen-address 93.155.130.14 {
            port 161
        }
        location Bulgaria
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name core2
    login {
        user vyatta {
            authentication {
                encrypted-password $1$ZohN7ZE.$2Ho4fiOy4AHpfhFS9/
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Sofia
}
 
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:system@3:dhcp-server@4:ipsec@2:webgui@1:wanloadbalance@2:dhcp-relay@1:quagga@2:qos@1:firewall@3:vrrp@1:nat@3:webproxy@1:conntrack-sync@1" === */

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.