
VYATTA Linux Router - Part 1

From Johns Hopkins Linux Users Group

Updated Mar 16, 2011: Vyatta 6.2 is the current release.
Verified that the links on this page still work and the procedure is still reasonably functional.
ajs

Introduction

Image:Vyatta_logo.gif

"The Dawn of Open Source Networking"
Quoted from an introduction to a Vyatta training presentation.


Let's get this straight up front: I'm not affiliated with Vyatta and I am not brown-nosing them for stuff. Also, I am not a Networking or Linux Expert. However, I am a Vyatta 514 customer that likes the engineering of the 514 appliance and the concepts they have implemented in the Vyatta Linux distribution. Because I like the product and it survived my abuse so far, I am writing this article. If I honestly didn't like the product or the company, you wouldn't be reading this.

Rather than try to write an introduction to Vyatta myself, I'll just quote their own introduction here:

"Vyatta is using open hardware and software technologies to revolutionize the network infrastructure market place, delivering incredible performance at unbelievable price points. Using the Vyatta system, you can create networking solutions for your business that can scale from the branch office to the service provider edge for a fraction of the cost of proprietary alternatives."

This article is a compilation of my entry level experience from initial review to final production deployment of a Vyatta 514 appliance. Vyatta also provides a free VYATTA Community Edition and a VYATTA Appliance for VMPlayer. Hopefully this article will help reduce the "barrier to entry" for using LINUX for routing and firewall applications in general and introduce people to a decent Open Source router implementation.

The Review Process

The first step of this project was a review of what we need in a routing and firewall solution, what we are already using, and what we want to do.

Starting Point

Our existing routing and firewall system is strange. It might even be like yours? B-)

 WAN
   T1 Internet Connection
   Netopia Router installed and supported by our ISP
   WAN IP space of 69.17.nnn.128/27, i.e. 30 usable public IP addresses
 DMZ
   PIX Firewall; our main LAN/WAN gateway
   Assorted consumer routers
 LAN
   192.168.xxx.nnn subnets

Desired Final Configuration

We want to replace our current DMZ devices with a single Vyatta 514 appliance. If we really get good at it, we will replace both the WAN and DMZ devices with the Vyatta 514 appliance.

Requirements and Options

I shopped until I dropped. I wanted a routing and firewall solution that would provide the following features:

 * Routing
 * Firewall, NAT, Port Forwarding, etc.
 * QoS - Quality of Service and Traffic Control
 * VLAN support
 * No product life cycle constraints (no "activation schemes", etc.)
 * Logging for diagnostics and snooping
 * Programmability (so I can automate certain changes)
 * Security would be nice too

I've been trying to solve the QoS and Traffic Control problem for a few years now in our organization. You can guess that with a T1 Internet connection and 50 employees, bandwidth is a constraint. I've been discouraged by the lack of good documentation for entry level "dummies" to get a decent QoS/TC solution. Of course, hiring an outside consultant (my former career) is out of the question! I did discover that a lot of telecom companies that regularly ping me would be very happy to solve my QoS problem, as long as I have their VoIP service, etc.

LINUX FireRouting

Currently there are some inexpensive consumer routers that now include QoS settings and bandwidth control. I have implemented an assortment of them! However, this is not a cool solution. What would be a cool solution?

Debuntu! - My first attempts to build a Linux FireRouter were affectionately called "Debuntu" because it was a hybrid of Debian and Ubuntu Linux. I needed Debian because my target system was an available Dell PE2450. If anyone has tried installing Linux on a PE2450, you eventually come to the conclusion that the only distro compatible with the IDE/SCSI CDROM drive and the hard drive controller is Debian. Debian, however (especially at the time), sometimes lags significantly behind in updates. So after installing Debian, I would apt-get updates from Ubuntu, which fortunately did not destroy the system. Don't try this at home now! In later experiments, I used either Debian or Ubuntu Server (which I like better).

The results of my first Linux FireRouter experiments proved that the requirements I needed were conceptually possible. The efforts required proved that it is NOT EASY. See also: Debian Linux Router

VYATTA

Pronounced vee-AH-tah: ancient Sanskrit, meaning "open."
The definition above is quoted from the Vyatta.com website.

For me: VYATTA means "practical"

Supported and Community Editions

Vyatta is a Debian based Linux distribution. I don't think I've ever seen it in the top 100 of DistroWatch.com; however, when a new release comes out it does show on the main listing page.

My understanding of the Vyatta distribution is that it is a "fuse" command layer that simplifies iptables and the other Linux commands commonly used to configure Linux routing and firewall services. The nice thing about this approach is that after running a simple Vyatta command, you can run the standard Linux commands to review and verify the settings, and can still change them using the traditional Linux commands.

Vyatta has a "Community Edition" available for people like me who are financially challenged when it comes to funding R&D homework projects. To overcome the entry barrier, I downloaded the Vyatta Community Edition and installed it in a VMware VMServer virtual machine (see Linux On XP Using VMPlayer for the basics of doing this). I used the VMServer version instead of VMPlayer so I could easily configure multiple interfaces. I have also tested Vyatta in VMPlayer and it works. One quirk I noticed is that if I run the Vyatta Supported Edition under VMPlayer, I have to disable VMPlayer's serial port or the console will use that as the default (and not respond to the VMPlayer GUI).

Vyatta provides 4 training videos to get started with. These videos really reduce the learning curve to get a functional router and firewall up and running quickly. The documentation is relatively complete in listing all the commands and parameters, but although it provides some examples, I think it could really use a lot more practical examples.

My impression is that the Community Edition is probably better for R&D and fun projects than the Supported Edition for advanced features; but it may not be as secure and stable. I think the divergence is similar to Fedora Community and Red Hat Supported.

The Negotiation

Buying the 514 appliance was easy, except how do you negotiate when there are no competing vendors? I did my best William Shatner imitation and called Vyatta sales. The sales technician was friendly and definitely had more technical knowledge about Linux routing and their products than I do. I got a good core feeling about the product and negotiated a nice 20% discount off the web site price and the option to return the unit if not happy with it. I also got the cheapest one year software updates subscription. I'll post the price when I find the receipt.

OK, I'll confess; because the sales person actually just read this article and I better come clean... I didn't get a chance to negotiate. The Vyatta sales person was ahead of me and gave me the 20% incentive before I had a chance to ask for it! I think they had a promotion going on. My point is, don't be afraid to Negotiate!

Vyatta 514 Appliance

Image:Vyatta 514 Appliance.PNG

 1GHz VIA C7 CPU
 512MB RAM (upgradeable to 1GB)
 2GB Compact Flash
 4 Ethernet channels (eth0 to eth3)
 PCI-32 expansion slot for WAN card
 1 RS232 console port
 2 USB ports, for alternative boot devices
 1.97" (50mm) height
 8.86" (225mm) width
 8.07" (205mm) depth
Vyatta 514 Datasheet

Hardware First Impressions

The 514 appliance was sexy enough that I just had to get under the covers. It is a single board computer that boots and runs Vyatta Linux from compact flash.

Image:Vyatta 514 Top.JPG
Top View

Image:Vyatta 514 Bottom.JPG
Bottom View

This is a really nice piece of hardware! There is an on-board IDE controller and available mounting room for a 2-1/2" hard drive. There is room for a full height PCI card... hmm, I wonder if I could add a video card and hard disk and load other distros on it?

OK, so I shouldn't have read the documentation that came with it! I have now learned to ALWAYS download and read the LATEST documentation. When I was performing the entry level procedures for configuring the device, I ran across a friendly command: apt-get upgrade. DO NOT RUN THIS COMMAND ON THE 514 APPLIANCE! As you can guess, this is not the best command to run on a new embedded appliance, at least NOT by a Linux novice, late at night, and alone in the operations center... It seemed to work fine, until I rebooted the device and got a nice "B" displayed on the serial console and nothing else!

I went to the Vyatta support page and opened a case, explaining my foolish behavior. Since I didn't pay for Support (only the update subscription) and it was late at night, I wasn't expecting a response until the next business day, and then maybe just an automated reply at first. I was surprised that about 5 minutes after submitting the case, I got a call on my bat-phone from Vyatta technical support! The tech politely told me that he called quickly because he thought I definitely needed a "Life Line" (from "Who Wants to be a Millionaire"). He told me that it should be no problem to download the distro live CD, plug a USB CDROM drive into the device's USB port, boot the live CD and re-install the Vyatta distro, then download the latest documentation.

One problem: I didn't have a USB CDROM drive. So out I went to the nearest late night Staples... all they had were expensive, all-frills external DVD-RW burners with LightScribe and Blu-ray drives. OK, I was desperate, so I bought a Memorex DVD burner. What are the chances that a turnkey router appliance will boot and work with a fancy Windows [only] Certified DVD burner? I figured I could always use it to rebuild the PE2450s with non-Debian Linux if it would work with Linux at all.

Sure enough, I downloaded and burned the latest Vyatta distro version, then downloaded and read the latest documentation and was able to rebuild the appliance. COOL! If I can cook and rebuild a Vyatta router appliance, you can too! Now, I dare you to try THAT with a Cisco device!

What a way to get comfortable with my new router!

Getting Started

Vyatta has 4 great free training videos to get you started. The documentation is also easy to read. Between the training videos and the main documentation, it is easy to get started right away with the basics.

In Part 2, the documentation was very helpful and the examples were easy to modify for my purposes.

Although it is very easy to get started with Vyatta, intermediate and advanced implementation is not as easy. Although Vyatta provides comprehensive and clear documentation for their software, it is mostly reference material, not examples. It would really be great to have more "complete scenario" configuration examples for intermediate and advanced setups. I will of course submit this to their suggestion box B-)

In Part 3, I will push the boundaries of the documentation and video scenarios and try to implement the additional features I require in my own facility. Where I fall short or get stuck, I will ask Vyatta for support and use the Vyatta community resources. Hopefully my final scenarios and tests (and mistakes) in Part 3 will be of value to others configuring Linux routing. One thing I really like about Vyatta is that I can use the easy to understand and remember Vyatta commands and then review and modify the configuration using iptables and the other Linux commands.

In Part 4, if I survive Part 3, I want to try software development on the Vyatta platform for automating traffic control changes at scheduled intervals, dynamic firewall rule changes depending on monitored conditions, etc.

In Part 5 ...

Mar 16, 2011 Note: Part 1 above is verified to work with Vyatta 6.2, Community Edition.

Continued in VYATTA Linux Router - Part 2

Credits

The Vyatta logo and photos are included in this article with the consent of their publishers.
I actually asked and got their permission.

About the Author - Arnold

The author is an entry level Vyatta end user and Linux novice who thinks the product will be a viable component for his work place datacenter of 14 servers supporting 50 users.

Retrieved from "http://www.jhlug.org/wiki/index.php/VYATTA_Linux_Router_-_Part_1"

This page has been accessed 17,732 times. This page was last modified on 16 March 2011, at 17:52.