Vyatta – Router running on VMware Workstation – Part 2 DNS, Firewall and NAT

Brace Yourself - Firewal and NAT is coming

In previous post https://www.wojcieh.net/vyatta-router-running-on-vmware-workstation-part-1/ we configured basic network connectivity between two networks. Today we will enable NAT, Firewall and DNS.

NAT

Configuring NAT on Vyatta is quite simple. To do it type following commands:

  • set nat source rule 10 outbound-interface eth0
  • set nat source rule 10 source address 10.0.0.0/24
  • set nat source rule 10 translation address masquerade
  • set nat source rule 10 description “LAN to WAN”

Firewall

In my case I decided to use simple firewall rules based on zones. At the beginning it might be difficult to understand but if you will spend a while it should be crystal clear.

First part is to create firewall rules - I used WAN-TO-LAN and LAN-TO-WAN rules.

 WAN-TO-LAN

  • set firewall name WAN-TO-LAN
    • set firewall name WAN-TO-LAN default-action drop
    • set firewall name WAN-TO-LAN rule 10 action accept
    • set firewall name WAN-TO-LAN rule 10 protocol all
    • set firewall name WAN-TO-LAN rule 10 state established enable
    • set firewall name WAN-TO-LAN rule 10 state related enable

Here you see how rule WAN-TO-LAN should look like in configuration.

name WAN-TO-LAN {
  default-action drop
    rule 10 {
            action accept  
            protocol all
            }
}

LAN-TO-WAN

  • set firewall name LAN-TO-WAN
  • set firewall name LAN-TO-WAN default-action drop
  • set firewall name LAN-TO-WAN rule 10 action accept

Here you see how rule LAN-TO-WAN should look like in configuration.

name LAN-TO-WAN
{
  default-action drop
    rule 10 {
            action accept
          }
}

Zone policies

Now we will create zones - in my case WAN and LAN and we will assign them to apriopriate ethernet interfaces.

  • set zone-policy zone WAN
  • set zone-policy zone WAN description “WAN”
  • set zone-policy zone WAN default-action drop
  • set zone-policy zone WAN interface eth0
  • set zone-policy zone LAN
  • set zone-policy zone LAN description “LAN”
  • set zone-policy zone LAN default-action drop
  • set zone-policy zone LAN interface eth1

Assign firewall to zones

This one is tricky - read carefully syntax of commands.

WAN firewall - set zone-policy zone WAN from LAN firewall name LAN-TO-WAN

LAN firewall - set zone-policy zone LAN from WAN firewall name WAN-TO-LAN

Here you see how zone WAN should look like.

default-action drop
description WAN
  from LAN {
firewall {
  name LAN-TO-WAN
  }
}

interface eth0

Here you see how zone LAN should look like.

default-action drop
description LAN
from WAN {
firewall {
name WAN-TO-LAN
}
} 
interface eth1

DNS configuration

DNS configuration is quite simple. In order to make it work enter following commands:

  • set service dns forwarding name-server **IP **(In my case it is 192.168.255.254)
  • set service dns forwarding listen-on eth1

In order to really test it from Domain Controller I set forwarded to Vyatta LAN IP - 10.0.0.1 and I deleted all root hints.

EOT

Wow - this was really long post. I hope you will find it really usefull and all will work in you environment as well.