Web server behind Vyatta Browse Issue

[Joseph]

Hello,

Using Vyatta 5 Beta

I have a test web server and a laptop configured behind Vyatta.
I have opened Ports 80 and 21 for FTP on the server
I have configred a Source NAT for the Laptop to surf the Internet.

The issue that I have is I can access the target FTP and Web HTML test page from another network. But I cannot see the web page or the FTP from the laptop that is also behind Vyatta.


Thanks
Joseph

[conceptcoders]

At a stab at a guess, chances are your trying to access the server via the external IP.

If that's the case then you need to add an extra NAT rule.

e.g.
You've probably got something like:

rule 1 {
destination {
address 1.1.1.1
}
inbound-interface eth0
inside-address {
address 10.0.0.1
}
protocol all
type destination
}

However, I'm assuming your internal network is on a different interface from eth0. The above rule only works if inbound traffic originates from eth0.
Assuming your internal network is on eth1, you'd need to add

rule 2 {
destination {
address 1.1.1.1
}
inbound-interface eth1
inside-address {
address 10.0.0.1
}
protocol all
type destination
}

It would help if you could post a little more about your network layout though.

[conceptcoders]

In fact, we've got a bit of an issue with this ourselves. Currently Vyatta forces you to setup rules like this for each inbound interface.
We have around 50 vlans, and if we want all of them to be able to access a server, then we have to add 50 rules to our setup!
Which is a pain to say the least.
IMO, It would be much better to able to say inbound-interface any
Since there is a limit of 1024 rules for NAT, this is a problem if you have a sizeable number of interfaces virtual or otherwise.
The same goes for outbound rules!

rule 1 {
destination {
address 1.1.1.1
}
inbound-interface any
inside-address {
address 10.0.0.1
}
protocol all
type destination
}

[Joseph]

Thanks for the info,

I am going to post my config and then see what is going on. I am not in the office now just replying to your message. Good to hear that I am not the only one.

Thanks
Joseph

[robyn]

Regarding the 'inbound interface any' option, you can use "inbound-interface eth+". That should match any interface name that begins with eth (in other words, all VLANS). I have not tested this with VLANS but I know it works well with multiple Ethernet interfaces.

Thanks,

Robyn

[Joseph]

[Joseph]

I have tried this method posted and I am not having any luck at all.

I can browse the server via the internal ip just not the public IP

If the server is nated in 75.147.211.17 to 10.10.111.200

and the Laptop is nated to 75.147.211.20 to 10.10.111.10

How do these rule apply> Is the "inbound-interface any" for the laptop or the server? Or both?


Thanks
Joseph

[stig]

[Joseph]

Hey Stig thanks for jumping in

I can surf the net fine just can't hit the server that is on Vyatta network from the laptop on the external IP. Here is all my new configs

[Joseph]

[stig]

If the only thing not working is going from the private address of the laptop to the private address of the websever using the public network, then you'd need nat hairpinning. Can't you set up an internal dns to give you the private address for the webserver instead of trying to use the public?

[Joseph]

Hello Stig,

Yes I can do that But why? I don't need this with a firebox? Why with Vyatta....?

That makes little sense that you put a whole set of servers behind a network routed and protected by Vyatta and you cannot even login to the Cpanels on the web?

Strange


Thanks for the help I definitley needed it (Still do

[stig]

[Joseph]

Hello Stig,

Thanks very much I like Vyatta a lot I want to use it. I will vote
and thank you very much for your help!

[conceptcoders]

I struggled with this a lot when I first started configuring NAT rules, so I'll try and give an explaination as to how I worked the right rules out for me.

You first need understand what nat rules actually do, by the sounds of it you're 95% the way there already,

When you setup a destination NAT rule such as,

rule 10 {
description WEB208nat
destination {
address 75.147.211.17
port 21,80
}
inbound-interface eth0
inside-address {
address 10.10.111.200
}
protocol tcp
source {
address 0.0.0.0/0
}
type destination
}

There are actually three things being specified.
The first is essentially a packet matching statement.
i.e.
destination {
address 75.147.211.17
port 21,80
}
inbound-interface eth0 // the interface packets arrive on!
protocol tcp
source {
address 0.0.0.0/0
}

The second part
type destination

is the rule type (source or destination) - i.e. what do to when we find a match, are we going to change the destination address or change the source address


and finally the third part, (in the case of a destination rule, change the destination to 10.10.111.200)

inside-address {
address 10.10.111.200
}


So if a computer from the internet attempts to access your webserver on port 80,
You are saying in the above rule that your are expecting packets will arrive at your interface eth0 with destination address set as 75.147.211.17 port 80, and that Vyatta should change the packets destination address to 10.10.111.200 so it can access your webserver.
Your Vyatta box will then route the packet (assuming it won't get blocked by any firewall rules) and will pass the packet out of the interface that contains 10.10.111.200
(eth1) having modified the destination address to 10.10.111.200.


Hopefully you're with me so far...

Now, when you try and make a request from your laptop to the internet using the rule:

rule 200 {
description LAPTOP1:1
destination {
address 0.0.0.0/0
}
outbound-interface eth0
outside-address {
address 75.147.211.20
}
protocol all
source {
address 10.10.111.10
}
type source
}

The matching parts of the rule are:
destination {
address 0.0.0.0/0
}
outbound-interface eth0 // The interface packets will leave on
protocol all
source {
address 10.10.111.10
}

the rule type is
type source (change the source address of the packet)

and finally you're asking it to change the source address to 75.147.211.20

outside-address {
address 75.147.211.20
}


Tells Vyatta that if it sees any traffic from the IP address 10.10.111.10 that is to exit eth0 it should change the source address of the packet from 10.10.111.10 to 75.147.211.20

However, in the case of you wanting to access 75.147.211.17 from your laptop the traffic will enter eth1, and actually leave eth1!

But your web nat rule 10 specifies inbound-interface eth0

So your rule never gets matched and therefore the packet never gets modified.
That's why the laptop can't access your webserver using the public IP.

So, to get this working you just need to make sure that you have a rule that matches the packets coming from your laptop which changes the destination address.
From the earlier posting by robyn, he's saying that if you change
rule 10 from

inbound-interface eth0
to
inbound-interface eth+

it will match packets arriving from all ethernet interfaces, which should mean that packets arriving at eth1 from your laptop will match the rule, and will therefore have the destination address changed to 10.10.111.200

If you want your webserver to see the request from your laptop as coming from your internal IP address, then there's no further changes.
However, if you want your webserver to see the request coming from 75.147.211.20 (the IP address you specified for your laptop's public IP)
Then you can also use the eth+ change on your laptops source nat rule as well.

Hopefully the above makes sense to you.

Whilst products like the firebox hide some of above complexities from you, once you understand how NAT works, you'll realise that actually it's not that complicated after all and that Vyatta has actually been designed to be quite flexible to work in lots of different scenarios.