-rw-r--r-- | docs/nat.rst | 154
-rw-r--r-- | docs/services/pppoe-server.rst | 39
-rw-r--r-- | docs/system/system-users.rst | 15
3 files changed, 196 insertions, 12 deletions
diff --git a/docs/nat.rst b/docs/nat.rst index 6951a6b1..33e1efc4 100644 --- a/docs/nat.rst +++ b/docs/nat.rst @@ -55,8 +55,8 @@ reserving an average of 200-300 sessions per host system. Example: For an ~8,000 host network a source NAT pool of 32 IP addresses is recommended. -A pool of addresses can be defined by using a **-** in the `set nat source -rule [n] translation address` statement. +A pool of addresses can be defined by using a **-** in the +`set nat source rule [n] translation address` statement. .. code-block:: sh @@ -182,8 +182,8 @@ Which would generate the following NAT destination configuration: } .. note:: If forwarding traffic to a different port than it is arriving on, - you may also configure the translation port using `set nat destination rule - [n] translation port`. + you may also configure the translation port using + `set nat destination rule [n] translation port`. This establishes our Port Forward rule, but if we created a firewall policy it will likely block the traffic. @@ -270,7 +270,7 @@ NPTv6 stands for Network Prefix Translation. It's a form of NAT for IPv6. It's described in RFC6296_. NPTv6 is supported in linux kernel since version 3.13. Usage ------ +^^^^^ NPTv6 is very useful for IPv6 multihoming. Let's assume the following network configuration: @@ -295,7 +295,7 @@ their address to the right subnet when going through your router. * eth2 addr : 2001:db8:e2::1/48 VyOS Support ------------- +^^^^^^^^^^^^ NPTv6 support has been added in VyOS 1.2 (Crux) and is available through `nat nptv6` configuration nodes. 
@@ -324,5 +324,147 @@ Resulting in the following ip6tables rules: 0 0 SNPT all any eth2 fc00:dead:beef::/48 anywhere src-pfx fc00:dead:beef::/48 dst-pfx 2001:db8:e2::/48 0 0 RETURN all any any anywhere anywhere + +NAT before VPN +-------------- + +Some application service providers (ASPs) operate a VPN gateway to provide access to their internal resources, +and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP. + +Example Network +^^^^^^^^^^^^^^^ + +Here's one example of a network environment for an ASP. +The ASP requests that all connections from this company should come from 172.29.41.89 - an address that is assigned by the ASP and not in use at the customer site. + +.. figure:: _static/images/nat_befor_vpn_topology.png + :scale: 100 % + :alt: NAT before VPN Topology + + NAT before VPN Topology + + +Configuration +^^^^^^^^^^^^^ + +The required configuration can be broken down into 4 major pieces: + +* A dummy interface for the provider-assigned IP; +* NAT (specifically, Source NAT); +* IPSec IKE and ESP Groups; +* IPSec VPN tunnels. + + +Dummy interface +*************** + +The dummy interface allows us to have an equivalent of the Cisco IOS Loopback interface - a router-internal interface we can use for IP addresses the router must know about, +but which are not actually assigned to a real network. + +We only need a single step for this interface: + +.. code-block:: sh + + set interfaces dummy dum0 address '172.29.41.89/32' + +NAT Configuration +***************** + +.. 
code-block:: sh + + set nat source rule 110 description 'Internal to ASP' + set nat source rule 110 destination address '172.27.1.0/24' + set nat source rule 110 outbound-interface 'any' + set nat source rule 110 source address '192.168.43.0/24' + set nat source rule 110 translation address '172.29.41.89' + set nat source rule 120 description 'Internal to ASP' + set nat source rule 120 destination address '10.125.0.0/16' + set nat source rule 120 outbound-interface 'any' + set nat source rule 120 source address '192.168.43.0/24' + set nat source rule 120 translation address '172.29.41.89' + +IPSec IKE and ESP +***************** + + +The ASP has documented their IPSec requirements: + +* IKE Phase: + + * aes256 Encryption + * sha256 Hashes + +* ESP Phase: + + * aes256 Encryption + * sha256 Hashes + * DH Group 14 + + +Additionally, we want to use VPNs only on our eth1 interface (the external interface in the image above) + +.. code-block:: sh + + set vpn ipsec ike-group my-ike ikev2-reauth 'no' + set vpn ipsec ike-group my-ike key-exchange 'ikev1' + set vpn ipsec ike-group my-ike lifetime '7800' + set vpn ipsec ike-group my-ike proposal 1 dh-group '14' + set vpn ipsec ike-group my-ike proposal 1 encryption 'aes256' + set vpn ipsec ike-group my-ike proposal 1 hash 'sha256' + + set vpn ipsec esp-group my-esp compression 'disable' + set vpn ipsec esp-group my-esp lifetime '3600' + set vpn ipsec esp-group my-esp mode 'tunnel' + set vpn ipsec esp-group my-esp pfs 'disable' + set vpn ipsec esp-group my-esp proposal 1 encryption 'aes256' + set vpn ipsec esp-group my-esp proposal 1 hash 'sha256' + + set vpn ipsec ipsec-interfaces interface 'eth1' + +IPSec VPN Tunnels +***************** + +We'll use the IKE and ESP groups created above for this VPN. +Because we need access to 2 different subnets on the far side, we will need two different tunnels. +If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too. + +.. 
code-block:: sh + + set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret 'PASSWORD IS HERE' + set vpn ipsec site-to-site peer 198.51.100.243 connection-type 'initiate' + set vpn ipsec site-to-site peer 198.51.100.243 default-esp-group 'my-esp' + set vpn ipsec site-to-site peer 198.51.100.243 ike-group 'my-ike' + set vpn ipsec site-to-site peer 198.51.100.243 ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer 198.51.100.243 local-address '203.0.113.46' + set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 local prefix '172.29.41.89/32' + set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 remote prefix '172.27.1.0/24' + set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 local prefix '172.29.41.89/32' + set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 remote prefix '10.125.0.0/16' + +Testing and Validation +^^^^^^^^^^^^^^^^^^^^^^ + +If you've completed all the above steps you no doubt want to see if it's all working. + +Start by checking for IPSec SAs (Security Associations) with: + +.. code-block:: sh + + $ show vpn ipsec sa + + Peer ID / IP Local ID / IP + ------------ ------------- + 198.51.100.243 203.0.113.46 + + Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto + ------ ----- ------------- ------- ---- ----- ------ ------ ----- + 0 up 0.0/0.0 aes256 sha256 no 1647 3600 all + 1 up 0.0/0.0 aes256 sha256 no 865 3600 all + +That looks good - we defined 2 tunnels and they're both up and running. + + + .. _RFC6296: https://tools.ietf.org/html/rfc6296 .. _ULAs: http://en.wikipedia.org/wiki/Unique_local_address diff --git a/docs/services/pppoe-server.rst b/docs/services/pppoe-server.rst index fa61eb14..f34d5fef 100644 --- a/docs/services/pppoe-server.rst +++ b/docs/services/pppoe-server.rst 
@@ -4,7 +4,7 @@ PPPoE server VyOS utilizes `accel-ppp`_ to provide PPPoE server functionality. It can be used with local authentication or a connected RADIUS server. -.. note:: Please be aware, due to an upstream bug, config changes/commits +.. note:: **Please be aware, due to an upstream bug, config changes/commits will restart the ppp daemon and will reset existing PPPoE connections from connected users, in order to become effective.** @@ -38,6 +38,33 @@ Connections can be locally checked via the command ppp0 | foo | 10.1.1.100 | 08:00:27:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B +Client IP address pools +======================= + +To automatically assign the client an IP address as tunnel endpoint, a client IP pool is needed. The source can be either RADIUS or a local suhbnet or IP range defintion. + +Once the local tunnel endpoint ``set service pppoe-server local-ip '10.1.1.2'`` has been defined, the client IP pool can be either defined as a range or as subnet using CIDR notation. +If the CIDR notation is used, multiple subnets can be setup which are used sequentially. + +**Client IP address via IP range defintion** + +.. code-block:: sh + + set service pppoe-server client-ip-pool start '10.1.1.100' + set service pppoe-server client-ip-pool stop '10.1.1.111' + + +**Client IP subnets via CIDR notation** + +.. code-block:: sh + + set service pppoe-server client-ip-pool subnet '10.1.1.0/24' + set service pppoe-server client-ip-pool subnet '10.1.2.0/24' + set service pppoe-server client-ip-pool subnet '10.1.3.0/24' + + + +**RADIUS based IP pools (Framed-IP-Address)** To use a radius server, you need to switch to authentication mode radius and of course need to specify an IP for the server. You can have multiple RADIUS 
@@ -54,12 +81,12 @@ server configured, if you wish to achieve redundancy. RADIUS provides the IP addresses in the example above via Framed-IP-Address. Bandwidth Shaping -================= +^^^^^^^^^^^^^^^^^ Bandwidth rate limits can be set for local users or RADIUS based attributes. -Local user setup -================ +Bandwidth Shaping for local users +================================= The rate-limit is set in kbit/sec. @@ -88,8 +115,8 @@ Once the user is connected, the user session is using the set limits and can be ppp0 | foo | 10.1.1.100 | 08:00:27:ba:db:15 | 20480/10240 | active | 00:00:11 | 214 B | 76 B -RADIUS shaper setup -=================== +RADIUS based shaper setup +========================= The current attribute 'Filter-Id' is being used as default and can be setup within RADIUS: diff --git a/docs/system/system-users.rst b/docs/system/system-users.rst index acffb974..a2e62024 100644 --- a/docs/system/system-users.rst +++ b/docs/system/system-users.rst @@ -108,3 +108,18 @@ networks when a link fails. .. code-block:: sh set system login radius-source-address 192.168.1.254 + +Login Banner +^^^^^^^^^^^^ + +You are able to set post-login or pre-login messages with the following lines: + +.. code-block:: sh + + set system login banner pre-login "UNAUTHORIZED USE OF THIS SYSTEM IS PROHIBITED\n" + set system login banner post-login "Welcome to VyOS" + +the **\\n** create a newline. + + + |
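Review bot: In docs/nat.rst at @@ -55,8 +55,8 @@, the rewrapped "set nat source rule [n] translation address" statement is still wrapped in single backticks, which reStructuredText treats as interpreted text rather than an inline literal. Since the line is being touched anyway, switch it to double backticks, as the pppoe-server.rst change in this same patch does for "set service pppoe-server local-ip '10.1.1.2'". The same applies to the "set nat destination rule [n] translation port" line in the @@ -182,8 +182,8 @@ hunk.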
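Review bot: In docs/nat.rst at @@ -324,5 +324,147 @@, under "IPSec IKE and ESP", the requirements list places "DH Group 14" under the ESP phase, but the configuration sets dh-group '14' on the my-ike proposal and sets my-esp pfs 'disable', so the example does not match the requirements it quotes. Either move the DH group bullet to the IKE phase or enable PFS on the ESP group, and add a sentence on why key-exchange is 'ikev1', since the listed requirements do not mention the IKE version. Separately, the validation output shows Bytes Out/In of 0.0/0.0 on both tunnels, which confirms the SAs are up but not that rules 110 and 120 translate traffic to 172.29.41.89; a check that passes traffic through the tunnel would close that gap. The new prose lines also run well past the width that the first two hunks of this patch rewrap to.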
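Review bot: In docs/services/pppoe-server.rst at @@ -38,6 +38,33 @@, the added "Client IP address pools" text has spelling errors that will ship in the rendered docs: "suhbnet" should be "subnet", and "defintion" should be "definition" both in the first paragraph and in the bold caption "Client IP address via IP range defintion". "can be setup" should also read "can be set up".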
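Review bot: In docs/services/pppoe-server.rst at @@ -54,12 +81,12 @@, "Bandwidth Shaping" is moved to a ^^^^ underline while the sections it introduces, "Bandwidth Shaping for local users" and "RADIUS based shaper setup" (the latter in the @@ -88,8 +115,8 @@ hunk), keep the ==== underline that this patch also uses for the new "Client IP address pools" section. The parent heading therefore ends up with a different adornment from its own subsections, which sit at the same level as "Client IP address pools". Keeping "Bandwidth Shaping" on ==== and moving the two shaper subsections to the lower-level underline would give the nesting the titles imply.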
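Review bot: In docs/system/system-users.rst at @@ -108,3 +108,18 @@, the closing sentence "the **\\n** create a newline." starts in lowercase and has a subject-verb mismatch. Suggest "The \n sequence creates a newline.", with \n marked up as an inline literal in double backticks rather than bold so the backslash does not need escaping. The example only ends the pre-login banner with \n; either add it to the post-login string as well or say why it is needed in one and not the other.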