So I have a lot of hardware lying around in my home office and on occasions I have to take some of it with me to trade-shows. Now the last time I had to do this it meant some of the services on my home-network would stop working since I had the 2 setups intertwined to an extend that everything always had to be up an running. Now since this something I wanted to resolve I decided to design my own home-lab which would be separated from our “production” network. The challenge I faced that both needed to be completely isolated from each-other. So I decided to start integrating some of the OpenStack components right from the start. Below you see a little overview of the components that play a role in this part of the configuration.

I am making use of the Vyatta VM for XenServer (version 6.2-2011.02.09_i386) as well as version 5 of the Access Gateway VPX in combination with a XD5 environment hosting several desktops. Now I am not going to be explaining you how to import all of this into your XenServer environment but what I will be showing you is how to configure the Vyatta router so we are able to open a VDI desktop from the external network leveraging the Access Gateway while fully separating the external network from the lab network (i.o.w. only allowing HTTPS traffic to traverse the firewall). Now to be able to achieve this we need a few “basic” features to be configured on the Vyatta Router:

  • Firewall
  • NAT
  • DNS Forwarding
  • Webproxy

In all honesty the Webproxy part might not be mandatory but I read about it and thought I might as well include this since it gives us an easy opportunity to block out certain unwanted web content. If you don’t want to do this feel free to skip that part of the guide.

As you can see from my diagram I opted to only have 2 ports connected to my firewall

Eth0 – External

Eth1 – Internal

if you would like to add more ports do so during the deployment of your router but I thought I would keep it as simple as possible this time. After the VM has been created and you have configured your 2 NIC’s make sure you enable SSH as well.

configure
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description Outside
set interfaces ethernet eth1 address 192.168.17.254/24
set interfaces ethernet eth1 description Inside
commit

 

This will configure both NIC’s in which the external network will get it’s IP-address from the DHCP server and your internal network will be configured with the address 192.168.17.254 (this will be the default gateway for all servers on the LAB environment which will require internet access).

Next we will configure SSH so we can stop fiddling in the XenServer console view (I keep getting the error message: “INIT: Id “T0″ respawning too fast: disabled for 5 minutes” which kept interfering with my typing).

So to configure SSH we type the following:

configure
set service ssh listen-address 192.168.17.254
commit

This way we enable the ssh deamon to only listen on the internal network so if you would like to use an SSH client from now on make sure you are connected to the Internal/LAB network. Next we need to make sure we configure network-address-translation (or NAT) so all machines on the internal network can share the 1 external network address. to do so we type in

configure

set service nat rule 10 outbound-interface eth0
set service nat rule 10 source address 192.168.17.0/24
set service nat rule 10 type masquerade
commit

 

Now we are able to connect to the internet from any machine connected on the internal network as long as we have our own DNS running inside this network (which I already had as part of my XD5 deployment). If you don’t yet or you would like your router to forward all DNS queries to an external DNS provider just enable the DNS forwarding feature within Vyatta by typing the following:

set service dns forwarding listen-on eth1
set service dns forwarding name-server <ip-address of external DNS server>
commit

 

So we now have basic internet connectivity from the inside of our LAB to the outside now it’s time to achieve it the other way round. This will be a 2 way process, 1 is configuring the firewall part of Vyatta the other is to configure the port-forwarding. So first let’s create the firewall rules:

set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 destination address 192.168.17.253
set firewall name WAN_IN rule 10 destination port 443
set firewall name WAN_IN rule 10 destination protocol tcp
set firewall name WAN_IN rule 10 description Allow-Access-To-Access-Gateway
set firewall name WAN_IN rule 10 log enable
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 destination address 192.168.17.0/24
set firewall name WAN_IN rule 20 description NAT-For-LAN

 

We have now configured the firewall next up is the NAT rules. The IP-address 192.168.16.136 is the IP address of the external NIC (so the one we configured with DHCP)

set service nat rule 20 destination address 192.168.16.136
set service nat rule 20 destination port 443
set service nat rule 20 inbound-interface eth0
set service nat rule 20 inside-address address 192.168.17.253
set service nat rule 20 inside-address port 443
set service nat rule 20 type destination
set service nat rule 20 protocol tcp
commit

 

The router is now configured in a way that whenever a connection is requested on port 443 the router will forward the traffic to the Access Gateway’s port 443. The only thing left to do is to assign the firewall rule we created earlier to the NIC, we do so by typing in:

set interfaces ethernet eth0 firewall in name WAN_IN
commit

 

If all is well you should now be able to take a client on the external network, point it at the https://<router external IP> and the Access Gateway should answer by showing you the logon page of the Web Interface. However since the Access Gateway in itself forwarding your request over to the Web Interface server I found I needed to add a few more overall rules to the firewall configuration:

set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable
commit

 

Honesty dictates me to say I have not yet tried to track down which rule is the actual one which allows my scenario to work but I found these commands as a default setting somewhere so I incorporated them into my overall config. Now make sure that if you have tested your config and found it working to type enter the following

save

 

The CLI should give you the feedback where the currently running config was saved. If you do not next time your router reboots you will have to do this all over again.

 

One more thing

If you would like to block access to certain websites from your machines on the LAB network and/or would like to leverage a small proxy server enter the following commands to enable this feature from the Vyatta router as well:

set service webproxy listen-address 192.168.17.254
run update webproxy
set service webproxy url-filtering squidguard auto-update
set service webproxy url-filtering squidguard block-category malware
set service webproxy url-filtering squidguard block-category proxy
set service webproxy url-filtering squidguard block-category ads
set service webproxy url-filtering squidguard block-category <press tab to find more categories you can block>
commit

 

Anytime a user from the LAB network will try to access any of the resources blocked they will get re-directed by default to google.com. The proxy line make sure that any user trying to leverage a known proxy server to circumvent your blocking rules all there calls will get intercepted asll .

If you would like to change the default block site type the following:

set service webproxy url-filtering squidguard redirect-url <insert the page you want to use instead>

 

If you would like to add specific URL’s which might not be captured within any of the categories type:

set service webproxy url-filtering squidguard local-block <insert domain you would like to block>
set service webproxy url-filtering squidguard local-block-url <insert URL you would like to block>

 

Now if the blocking is a bit to extensive you can always open up specific domains and/or websites by making use of the following:

set service web proxy url-filtering squidguard local-ok <insert domain to allow>
set service web proxy url-filtering squidguard local-ok-url <insert URL to allow>

 

Now that was all for this time, I hope you can benefit from this post and if you have any feedback you can always contact me