1. Open Source Networking
An introduction to using open source in the network.
John Southworth
February 26, 2009
2. Why would anyone want to use open source at the network layer?
Chances are, you already do!
- Vyatta is a replacement for enterprise-level routing and security platforms.
- It can be used easily almost anywhere.
- It's a software package (a Linux distribution) that runs on standard x86 hardware.
3. How does Vyatta benefit users?
Home users:
Stable
Secure
Powerful
Flexible
Runs on just about anything
Free and Open!
Good community support
Enterprise users:
Stable
Secure
Powerful
Flexible
Virtualizable
Subscription release available
Commercial support
Command line interface similar to Cisco or Juniper
4. So what does Vyatta do?
Routing (Static, RIP, OSPF, and BGP)
NAT
VPN ( IPSEC, PPTP, OpenVPN, and L2TP )
Firewall
IDS
Webproxy
Interfaces: DSL, T1, T3, Ethernet (up to 10Gb), wireless modem, tunnel
Its flexibility comes from the fact that Debian GNU/Linux is underneath it all:
if you need another service running on the router, just install it.
6. First, a set-up for a home user
Community edition is available at http://vyatta.org/downloads
Grab it, put it on an old pc, and play with it!
I use a single board computer as my routing platform:
ALIX 2D3
AMD Geode 500MHz
256MB RAM
3 10/100 Ethernet NICs
It is configured for NAT, Firewall, OpenVPN, and OSPF.
Works great, <$200 for a decent router.
These are similar specs to a Cisco ASA5505; with the same software capabilities that Vyatta has, it costs over $600.
7. Configuring an internet gateway with Vyatta: Demo
Services for standard home router:
DHCP Wan Interface
DHCP server for LAN
DNS Forwarding
Firewall
NAT
8.
firewall {
    broadcast-ping disable
    conntrack-tcp-loose enable
    ip-src-route disable
    log-martians enable
    name wanwall {
        rule 999 {
            action accept
            description "Allow all established connections"
            state {
                established enable
                invalid disable
                related enable
            }
        }
    }
    name wan-in {
        rule 999 {
            action accept
            description "Allow all established connections"
            state {
                established enable
                invalid disable
                related enable
            }
        }
    }
    receive-redirects disable
    send-redirects disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "WAN side NIC"
        duplex auto
        firewall {
            local {
                name wanwall
            }
            in {
                name wan-in
            }
        }
        hw-id 00:50:8b:a1:d5:e5
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description "LAN side NIC"
        duplex auto
        hw-id 00:04:5a:5b:a8:ac
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name my-net {
            authoritative disable
            subnet 192.168.1.0/24 {
                client-prefix-length 24
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.10 {
                    stop 192.168.1.45
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            dhcp eth0
            listen-on eth1
        }
    }
    nat {
        rule 10 {
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        allow-root false
        port 22
        protocol-version v2
    }
}
system {
    host-name roto-router5000
    login {
        user root {
            authentication {
                encrypted-password ***************
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password ***************
            }
            level admin
        }
    }
    ntp-server 69.59.150.135
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
    }
    time-zone GMT
}
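As an added example (not from the talk or from Vyatta itself), here is a small Python parser for this brace-style configuration format together with a few checks a reviewer would run on a gateway like the one above: SSH root login disabled, SYN cookies on, the DHCP (WAN) interface carrying an inbound ruleset, and every referenced ruleset actually defined. SAMPLE is a constructed subset of the slide's configuration.

```python
# Added example, not from the talk; SAMPLE is a constructed subset of the slide's config.
SAMPLE = """\
firewall {
    syn-cookies enable
    name wan-in {
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        firewall {
            in {
                name wan-in
            }
        }
    }
}
service {
    ssh {
        allow-root false
    }
}
"""

def parse(text):
    """'key value' lines become leaves; 'key [arg] {' lines open nested dicts."""
    stack = [{}]
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = node = {}
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"')
    return stack[0]

def audit(cfg):
    """Return findings; an empty list means the checks passed."""
    found, fw = [], cfg.get("firewall", {})
    if fw.get("syn-cookies") != "enable":
        found.append("syn-cookies not enabled")
    if cfg.get("service", {}).get("ssh", {}).get("allow-root") != "false":
        found.append("ssh allow-root is not false")
    for name, iface in cfg.get("interfaces", {}).items():
        bound = iface.get("firewall", {})  # rulesets bound to this interface
        if iface.get("address") == "dhcp" and "in" not in bound:
            found.append(f"{name}: WAN (dhcp) interface has no 'in' ruleset")
        for direction, ref in bound.items():  # cross-check against firewall names
            if "name " + ref.get("name", "") not in fw:
                found.append(f"{name} {direction}: undefined ruleset {ref.get('name')}")
    return found
```

Running `audit(parse(SAMPLE))` returns an empty list; pointing it at a config with `allow-root true` or a ruleset name that is bound but never defined returns one finding per problem.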
9. Now for something a little more fun! OpenVPN
For the home users:
Easy connections between friends:
share files and information with your friends and family.
OSPF does the route configuring work for you.
For the working guys:
OpenVPN tunnels for site-to-site VPNs,
running OSPF for dynamic updates.
I have 2 nodes setup for this, and we will configure the third link.
There are 4 OSPF areas, one backbone and one area behind each router.
10.
11. More functions, mainly for the enterprise guys.
Got a branch office that needs a lot of equipment?
Virtualize everything, even the router/firewall.
This is the so-called “Branch-in-a-Box”.
Perhaps you need a lot of routers for
point-to-point links or something similar.
That's virtualizable too.
Virtualizing routing is a very flexible idea: having your routing platform as software,
instead of being locked into a hardware solution, is what gives this flexibility.
12. There is so much more this platform can do.
There is a learning curve for the CLI for home users, but a web-ui is on the way.