Enabling HTTP server behind Vyatta

 
Vyatta.org Forum Index -> Users
azrin.aris (Forum Newbie, joined 27 Mar 2008, 17 posts)
Posted: Wed Apr 16, 2008 5:35 pm    Post subject: Enabling HTTP server behind Vyatta

Hi,

I'm using VC4 Beta and trying to figure out how to do destination NAT for my HTTP server behind Vyatta. Here is my config:

Code:
 
firewall {
     name WAN_IN {
         description WAN_ACCESS
         rule 10 {
             action accept
             description HTTP_ACCESS
             destination {
                 port 80
             }
             protocol tcp
             source {
                 address 0.0.0.0/0
             }
         }
     }
 }
 interfaces {
     ethernet eth0 {
         address 10.10.10.254/24
         description "Local Port"
         hw-id xx:xx:xx:xx:xx:xx
     }
     ethernet eth1 {
         address 10.10.11.254/24
         description "DMZ Port"
         hw-id xx:xx:xx:xx:xx:xx
     }
     ethernet eth2 {
         address 172.16.6.253/16
         description "Intra Port"
         hw-id xx:xx:xx:xx:xx:xx
     }
     ethernet eth3 {
         description "WAN Port"
         firewall {
             in {
                 name WAN_IN
             }
         }
         hw-id xx:xx:xx:xx:xx:xx
         pppoe 0 {
             default-route auto
             password password
             user-id user@isp
         }
     }
     loopback lo {
         description ""
     }
 }
 protocols {
     static {
         route 10.1.0.0/16 {
             next-hop 172.16.6.1 {
             }
         }
         route 202.188.115.0/24 {
             next-hop 172.16.6.1 {
             }
         }
         route 63.51.92.0/24 {
             next-hop 172.16.6.1 {
             }
         }
         route 69.25.142.0/24 {
             next-hop 172.16.6.1 {
             }
         }
     }
 }
 service {
     dhcp-server {
         shared-network-name LOCAL_PC {
             subnet 10.10.10.0/24 {
                 default-router 10.10.10.254
                 dns-server 202.188.0.133
                 dns-server 202.188.1.5
                 start 10.10.10.101 {
                     stop 10.10.10.199
                 }
             }
         }
     }
     nat {
         rule 1 {
             destination {
                 address 172.16.0.0/16
             }
             outbound-interface eth2
             protocol all
             source {
                 address 10.10.0.0/16
             }
             type masquerade
         }
         rule 100 {
             destination {
                 address 0.0.0.0/0
             }
             outbound-interface pppoe0
             protocol all
             source {
                 address 10.10.0.0/16
             }
             type masquerade
         }
         rule 2 {
             destination {
                 address 202.188.115.0/24
             }
             outbound-interface eth2
             protocol all
             source {
                 address 10.10.0.0/16
             }
             type masquerade
         }
         rule 200 {
             destination {
                 port 80
             }
             inbound-interface eth3
             inside-address {
                 address 10.10.11.111
                 port 80
             }
             protocol tcp
             source {
                 address 0.0.0.0/0
             }
             type destination
         }
     }
 }


NAT rule 200 is supposed to forward requests from the Internet to the HTTP server, but I got access denied when testing using telnet <address> 80.
unicron (Active Member, joined 03 Apr 2008, 33 posts)
Posted: Thu Apr 17, 2008 12:03 am

Try:


set service nat rule 200 destination address <ip-address eth3>
set service nat rule 200 destination port 80
set service nat rule 200 inbound-interface eth3
set service nat rule 200 inside-address address 10.10.11.111
set service nat rule 200 protocol tcp
set service nat rule 200 source address 0.0.0.0/0
set service nat rule 200 type destination

This is mine:
Code:

 rule 23 {
            destination {
                address 81.65.134.243
                port 80
            }
            inbound-interface eth1
            inside-address {
                address 192.168.1.90
            }
            protocol tcp
            source {
                address 0.0.0.0/0
            }
            type destination
        }

I think you only have to set your destination address to the IP address of your eth3 interface.

Regards.
azrin.aris (Forum Newbie, joined 27 Mar 2008, 17 posts)
Posted: Thu Apr 17, 2008 1:12 am

That is the main problem. I have a dynamic WAN address through PPPoE. I read on this forum that VC4 supports dynamic WAN port forwarding, but there is no documentation on how to do it.
unicron (Active Member, joined 03 Apr 2008, 33 posts)
Posted: Thu Apr 17, 2008 2:01 am

http://www.vyatta.org/forum/viewtopic.php?t=257

This may help!
azrin.aris (Forum Newbie, joined 27 Mar 2008, 17 posts)
Posted: Thu Apr 17, 2008 2:05 am

Thanks! It seems that I need to do a little bit of hacking myself... ouch!
XTremdreamer (Forum Newbie, joined 29 Sep 2008, 16 posts)
Posted: Thu Oct 9, 2008 7:43 am

OK, I am new to this kind of interface, and I am having a hard time understanding the syntax of the commands.
So I will show the configuration I have and explain what I need, and I can only hope someone will be so kind as to step me through the actual configuration process.

Code:

interfaces {
    ethernet eth0 {
        address 64.217.130.73/29
        description outside
        hw-id 00:01:03:29:93:20
    }
    ethernet eth1 {
        address 68.93.197.89/29
        description outside
        hw-id 00:01:03:29:97:ea
    }
    ethernet eth2 {
        address 172.16.6.4/24
        description inside
        hw-id 00:01:02:c5:ff:cf
    }
    loopback lo {
    }
}
load-balancing {
    wan {
        interface-health eth0 {
            nexthop 64.217.130.78
            ping 64.217.130.78
        }
        interface-health eth1 {
            nexthop 68.93.197.94
            ping 68.93.197.94
        }
        rule 1 {
            inbound-interface eth2
            interface eth0 {
                weight 1
            }
            interface eth1 {
                weight 1
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 64.217.130.78 {
            }
            next-hop 68.93.197.94 {
            }
        }
    }
}
system {
    host-name vyatta
    login {
        user root {
            authentication {
                encrypted-password $1$$Ht7gBYnxI1xCd0/JOnodh
            }
        }
        user vyatta {
            authentication {
                encrypted-password $1$$Ht7gBYnxI1xCd0/JOnodh
            }
        }
    }
    name-server 68.94.156.1
    ntp-server 69.59.150.135
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            url http://packages.vyatta.com/vyatta
        }
    }
}
[edit]
root@vyatta#


OK, now here is what is going on.
I have a Windows router using Routing and Remote Access, and NAT is configured. I am building this router to enable me to use two DSL lines with load balancing. This will also replace the current simple firewall that sits between the DSL lines and the Windows router. There is a single interface on the Windows box for incoming Internet traffic. eth2 will only interface with the Windows box directly. I have an Apache server hosting a web page, and I will need access to this server from both inside and outside the firewall. I have a list of ports on the firewall that need to be open, both ways, but if I can figure out how to open one I will be able to open the rest on my own.
Thanks for the help.
XTremdreamer (Forum Newbie, joined 29 Sep 2008, 16 posts)
Posted: Thu Oct 9, 2008 7:47 am

Sorry, the Apache server is inside the Windows firewall, so external traffic will need to go through this router and the Windows router to get to the Apache server.
DaveRoberts (Vyatta Employee, joined 12 Feb 2008, 518 posts)
Posted: Thu Oct 9, 2008 9:07 am

XTremdreamer wrote:
I am building this router to enable me to use two DSL lines with load balanceing. ... I have a appachie server hosting a web page that I will need access to this server from both inside and outside the firewall.


I'll let somebody more qualified than myself answer the bigger question, but I just wanted to set your expectations on the load balancing. Currently, load balancing will only work with connections that are initiated from inside, out toward your DSL providers. To "load balance" access to the web server from outside, you'd need to set up some sort of round-robin DNS scheme for outside users where you alternately provide one IP address or the other of your DSL lines. If you simply publish a single IP address for your server, all connections will come through just one of your providers, and all packets for a single connection have to traverse the same link to correctly handle NAT and other issues.

So, I think you can do what you want to do, but just wanted to set your expectation on the combination of exposing a server to the outside world while using WAN LB at the same time.
XTremdreamer (Forum Newbie, joined 29 Sep 2008, 16 posts)
Posted: Thu Oct 9, 2008 9:21 am

This part I understand. The load balance is for outbound traffic only. I have a large crew who need Internet bandwidth, and that's what the load balance is for. Inbound traffic is small but still needs to have access to the server. One single inbound rule will work for what I need inbound. So the load balance is outbound only, and one interface (eth0) will be enough for inbound traffic.
XTremdreamer (Forum Newbie, joined 29 Sep 2008, 16 posts)
Posted: Fri Oct 10, 2008 8:20 am

OK, first question:
with LB set up and I want to NAT both interfaces, do I need a separate rule for each interface? Such as:

Code:


[edit]
root@vyatta# show service nat
+rule 9 {
+      destination {
+            address 0.0.0.0/0
+      }
+      outbound-interface eth0
+      outside-address {
+             address 64.217.130.73
+      }
+      source {
+            address 172.16.6.50
+      }
+      type source
+}
+rule 10 {
+      destination {
+             address 0.0.0.0/0
+      }
+      outbound-interface eth1
+      outside-address {
+             address 68.93.197.89
+      }
+      source {
+             address 172.16.6.50
+      }
+      type source
+}
[edit]
root@vyatta


I am just afraid that the rule weight will mess up the LB. So is this right?
slioch (Vyatta Employee, joined 27 Feb 2008, 317 posts)
Posted: Fri Oct 10, 2008 9:06 am

XTremdreamer,

In community edition v4.1 (the current version), source NAT rules are applied before WAN LB source NAT rules. So, yes, this might be a problem with your configuration.

We've since changed that behavior so that source NAT rules are applied after WAN LB source NAT rules. This is the correct behavior, as the WAN LB source NAT rules only apply to packets that are marked by the WAN LB rules. These code changes are not available in an updated WAN LB package yet (but are available now if you download and build the package).

mike
XTremdreamer (Forum Newbie, joined 29 Sep 2008, 16 posts)
Posted: Fri Oct 10, 2008 9:21 am

So there isn't a way to add multiple external interfaces to a single rule...
Compiling and building packages is not something I am good at.
slioch (Vyatta Employee, joined 27 Feb 2008, 317 posts)
Posted: Fri Oct 10, 2008 9:29 am

For NAT (and firewall), standard iptables wildcards are supported. For example, 'eth+' matches all your Ethernet interfaces (eth*).
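The two problems this thread turns on, as an added example that is not part of the thread or of Vyatta's own tooling: azrin.aris's DNAT rule 200 binds to eth3, but the IP packets of a PPPoE session enter the kernel on the pppoe0 interface (eth3 itself only ever carries PPPoE frames), so the underlying iptables rule has to be `-i pppoe0` rather than `-i eth3`, and the same applies to the WAN_IN firewall bound to eth3; and a dynamic WAN address means the rule can only match on interface and port, never on a fixed destination address, which is why unicron's `destination address <ip-address eth3>` fix does not apply there. The script below parses the brace-structured configuration format quoted in the posts, implements the iptables `+` interface wildcard from slioch's last reply, and lints the NAT rules for those cases, including the trap of combining `eth+` with a fixed outside-address (then each interface needs its own rule, as XTremdreamer wrote it, or the rule needs masquerade). The sample configuration and every function name are constructed for this example.

```python
"""Added example, not Vyatta's tooling: parse a Vyatta-style config and lint the NAT
rules for the pitfalls discussed in this thread. All names here are chosen for it."""

def parse(text):
    """Brace-structured 'show' output -> nested dicts; leaves become value lists."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip().lstrip("+").strip()  # tolerate '+' markers of an uncommitted 'show'
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            name, _, value = line.partition(" ")
            stack[-1].setdefault(name, []).append(value.strip().strip('"'))
    return stack[0]

def leaf(node, name, default=None):
    vals = node.get(name) if isinstance(node, dict) else None
    return vals[0] if isinstance(vals, list) and vals else default

def blocks(node, kind):
    """(header, child) pairs for sub-blocks whose header starts with `kind`."""
    return [(k, v) for k, v in node.items() if isinstance(v, dict) and k.split()[0] == kind]

def iface_matches(pattern, name):
    """iptables semantics: a trailing '+' is a prefix wildcard ('eth+' = eth0, eth1, ...)."""
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name

def interfaces(cfg):
    """Per ethernet interface: its addresses and the pppoe interfaces riding on it."""
    out = {}
    for key, eth in blocks(cfg.get("interfaces", {}), "ethernet"):
        out[key.split()[1]] = {
            "addresses": [a.split("/")[0] for a in eth.get("address", [])],
            "pppoe": ["pppoe" + k.split()[1] for k, _ in blocks(eth, "pppoe")],
        }
    return out

def lint(cfg):
    """Findings: DNAT bound to a PPPoE carrier (IP arrives on pppoeN, so '-i ethN' never
    matches), DNAT with no fixed destination address, and wildcard SNAT with a fixed address."""
    findings, ifaces = [], interfaces(cfg)
    for key, rule in blocks(cfg.get("service", {}).get("nat", {}), "rule"):
        kind = leaf(rule, "type")
        if kind == "destination":
            inb = leaf(rule, "inbound-interface", "")
            for n, i in ifaces.items():
                if i["pppoe"] and iface_matches(inb, n):
                    findings.append(f"{key}: inbound-interface {inb} is a PPPoE carrier; IP arrives on {i['pppoe'][0]}")
            if leaf(rule.get("destination", {}), "address") is None:
                findings.append(f"{key}: no destination address; matches inbound-interface and port only")
        elif kind == "source":
            outb = leaf(rule, "outbound-interface", "")
            outside = leaf(rule.get("outside-address", {}), "address")
            for n, i in ifaces.items():
                if outside and i["addresses"] and iface_matches(outb, n) and outside not in i["addresses"]:
                    findings.append(f"{key}: outside-address {outside} is not on {n}, which {outb} also matches")
    return findings

# Constructed sample, not a copy of either posted config: a PPPoE uplink on eth3,
# two static DSL uplinks, and an 'eth+' wildcard SNAT rule with a fixed outside-address.
SAMPLE = """
interfaces {
    ethernet eth0 {
        address 64.217.130.73/29
    }
    ethernet eth1 {
        address 68.93.197.89/29
    }
    ethernet eth3 {
        pppoe 0 {
        }
    }
}
service {
    nat {
        rule 11 {
            outbound-interface eth+
            outside-address {
                address 64.217.130.73
            }
            type source
        }
        rule 200 {
            destination {
                port 80
            }
            inbound-interface eth3
            type destination
        }
    }
}
"""
if __name__ == "__main__":
    print("\n".join(lint(parse(SAMPLE))))
```

Run as-is it prints three findings for the sample; feed `parse` the output of `show configuration` to lint a real box. Nothing here touches iptables, so it is safe to run anywhere.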