Open Source NetworkingAn introduction to using open source in the network.

John SouthworthFebruary 26, 2009

Why would anyone want to use open source at the network layer?

Chances are, you already do!

- Vyatta is a replacement for enterprise level routing and security platforms.

- It can be used easily almost anywhere.

- It's a software package (linux distribution) that runs on standard x86 hardware.

How does Vyatta benefit users?

Home users:StableSecurePowerfulFlexibleRuns on just about anythingFree and Open!Good community support

Enterprise users:StableSecurePowerfulFlexibleVirtualizable Subscription release availableCommercial supportCommand line interface similar to Cisco or Juniper

So what does Vyatta do?

Routing (Static, RIP, OSPF, and BGP)NATVPN ( IPSEC, PPTP, OpenVPN, and L2TP )FirewallIDSWebproxyInterfaces DSL, T1, T3, Ethernet (up to 10Gb),

wireless modem, tunnel

Its flexibility comes from the fact that Debian GNU/Linux is underneath it all:if you need another service running on the router, just install it.

Why Vyatta over standard Linux?

First, a set-up for a home userCommunity edition is available at http://vyatta.org/downloads

Grab it, put it on an old pc, and play with it!

I use a single board computer as my routing platform:ALIX 2D3AMD Geode 500MHz256MB RAM3 10/100 Ethernet NICS

It is configured for NAT, Firewall, OpenVPN, and OSPF.Works great, <$200 for a decent router.

These are similar specs to a Cisco ASA5505With the same software capabilities that Vyatta has, it costs over $600

Configuring an internet gateway with Vyatta: Demo

Services for standard home router:DHCP Wan InterfaceDHCP server for LANDNS ForwardingFirewallNAT

firewall { broadcast-ping disable conntrack-tcp-loose enable ip-src-route disable log-martians enable name wanwall { rule 999 { action accept description "Allow all established connections" state { established enable invalid disable related enable } } } name wan-in { rule 999 { action accept description "Allow all established connections" state { established enable invalid disable related enable } } } receive-redirects disable send-redirects disable syn-cookies enable}interfaces { ethernet eth0 { address dhcp description "WAN side NIC" duplex auto firewall { local { name wanwall } in { name wan-in } } hw-id 00:50:8b:a1:d5:e5 speed auto }

ethernet eth1 { address 192.168.1.1/24 description "LAN side NIC" duplex auto hw-id 00:04:5a:5b:a8:ac speed auto } loopback lo { }}service { dhcp-server { disabled false shared-network-name my-net { authoritative disable subnet 192.168.1.0/24 { client-prefix-length 24 default-router 192.168.1.1 dns-server 192.168.1.1 lease 86400 start 192.168.1.10 { stop 192.168.1.45 } } } } dns { forwarding { cache-size 150 dhcp eth0 listen-on eth1 } } nat { rule 10 { outbound-interface eth0 protocol all type masquerade } } ssh { allow-root false port 22 protocol-version v2 }}

system { host-name roto-router5000 login { user root { authentication { encrypted-password *************** level admin } user vyatta { authentication { encrypted-password *************** } level admin } } ntp-server 69.59.150.135 package { auto-sync 1 repository community { components main distribution stable password "" url http://packages.vyatta.com/vyatta username "" } } time-zone GMT}

Now for something a little more fun! OpenVPN

For the home users:Easy connection between friends, share files and information with your friends and family.OSPF does the route configuring work for you.

For the working guys: OpenVPN tunnels for site to site vpns, runs OSPF for dynamic updates.

I have 2 nodes setup for this, and we will configure the third link.

There are 4 OSPF areas, one backbone and one area behind each router.

More functions, mainly for the enterprise guys.

Got a branch office that needs a lot of equipment?Virtualize everything, even the router/firewall. This is the so called “Branch-in-a-Box”.

Perhaps you need a lot of routers for point-to-point links or something similar.

That's virtualizable too.

Virtualizing routing is a very flexible idea; having your routing platform as softwareinstead of being locked into a hardware solution gives this flexibility.

There is so much more this platform can do.

There is a learning curve for the CLI for home users, but a web-ui is on the way.