Thursday, December 30, 2010

limit traffic Vyatta

การ limit traffic การใช้งานของ Vyatta

shaper = outbound
limiter = inbound

ตัวอย่าง

set traffic-policy limiter 15m default bandwidth '15mbit'
set traffic-policy shaper 20m default bandwidth '20mbit'

commit

set interfaces ethernet eth0 traffic-policy in '15m'
set interfaces ethernet eth0 traffic-policy out '20m'

commit

ตรวจสอบ config

ruamit@core-bkk01# show traffic-policy limiter
15m {
default {
bandwidth 15mbit
}
}
[edit]
ruamit@core-bkk01# show traffic-policy shaper
20m {
default {
bandwidth 20mbit
}
}
[edit]
ruamit@core-bkk01# show interfaces ethernet eth0
address 192.168.1.100/24
address 172.16.0.1/24
hw-id 00:1c:23:00:69:4b
traffic-policy {
in 15m
out 20m
}


การตรวจสอบว่าตรงหรือไม่ อาจจะต้องใช้ program STG เพื่อจับ traffic หรือลง iptraf เพื่อ monitor traffic อีกที เนื่องจากกรณี show interface จะไม่บอก bitrate ที่วิ่งอยู่ จะแสดงเฉพาะจำนวน packet เนื่องจากเป็น Linux base

Wednesday, December 29, 2010

port forward on Juniper SRX with ADSL

ตัวอย่างการ set port forward สำหรับ ADSL เช่น remote เข้ามาที่ WAN pp0.0 port 23 ให้ forward ไปที่ 172.16.0.99 port 23



set security nat destination pool telnet-host address 172.16.0.99/32
set security nat destination pool telnet-host address port 23
set security nat destination rule-set nat-static from interface pp0.0
set security nat destination rule-set nat-static rule port-forword match destination-address 0.0.0.0/0
set security nat destination rule-set nat-static rule port-forword match destination-port 23
set security nat destination rule-set nat-static rule port-forword then destination-nat pool telnet-host


หมายเหตุ
destination-address 0.0.0.0/0 เนื่องจาก ADSL เป็น dynamic IP จึงไม่สามารถระบุ IP ที่แน่นอนได้ จึงระบุเป็นช่วงกว้าง 0.0.0.0/0 แทน

อย่าลืม allow ใน zone policy ด้วยนะครับ

set security policies from-zone untrust to-zone trust policy port-fwd match source-address any
set security policies from-zone untrust to-zone trust policy port-fwd match destination-address ip_172.16.0.99
set security policies from-zone untrust to-zone trust policy port-fwd match application junos-telnet
set security policies from-zone untrust to-zone trust policy port-fwd then permit




Tuesday, December 28, 2010

Juniper and TACACS+

config บน Juniper เพื่อคุยกับ tacacs+ server

set system authentication-order tacplus
set system authentication-order password

set system tacplus-server 192.168.26.4 port 49
set system tacplus-server 192.168.26.4 secret "$9$G-Uqf3nC0BEz3A0O1rlxNds4ZjHmQ39"
set system tacplus-server 192.168.26.4 single-connection

set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus



account บน router สำหรับให้ tacacs+ map เข้ามาใช้ (ตรงกับ local-user-name ฝั่ง server)

set system login user view full-name TACACS_ACCOUNT_OPERATOR
set system login user view uid 2002
set system login user view class operator

set system login user admin full-name TACACS_ACCOUNT_ADMIN
set system login user admin uid 2001
set system login user admin class super-user



ตัวอย่าง config บน tacacs+ server เพื่อคุยกับ Juniper (หมายเหตุ: version tacacs+ F4.0.4.19 บน Linux)

# Group Account
# Group "admin": every service permitted. local-user-name presumably maps the
# TACACS+ login onto the router-side local account "admin" (the
# "set system login user admin" lines above define it).
group = admin {
default service = permit
service = junos-exec {
local-user-name = admin
allow-commands = "all"
}
# NOTE(review): no closing "}" for group admin appears before "group = viewer",
# so as written the viewer group sits inside the admin block - verify the
# original file has a "}" here.
group = viewer {
default service = deny
service = junos-exec {
local-user-name = view
# NOTE(review): "rquest" looks like a typo for the Junos "request" keyword,
# and the trailing "|" leaves an empty alternative that may match every
# command - confirm the intended pattern before relying on this deny list.
deny-commands = "clear|rquest|restart|"
}
}


#user admin
# login = cleartext stores the literal password in this file; member selects
# the group defined above.
user = nmc {
login = cleartext "nmc1234"
member = admin
}

#user operator
user = test01 {
login = cleartext "test1234"
member = viewer
}

PPPOE on Juniper SRX

การ set PPPoE บน juniper SRX

interface ge-0/0/1 ผมเลือกเป็น uplink เชื่อมกับ modem โดยให้ modem เป็น bridge

set interfaces ge-0/0/1 description PPPOE_INTERFACE
set interfaces ge-0/0/1 unit 0 encapsulation ppp-over-ether

กำหนด access profile ppp และ interface pp0 เพื่อเชื่อมต่อกับ DSLAM

set access profile ppp authentication-order password

set interfaces pp0 unit 0 description PPP_TO_TRUE_ADSL
set interfaces pp0 unit 0 ppp-options pap access-profile ppp
set interfaces pp0 unit 0 ppp-options pap local-name "adslaccout@truehisp"
set interfaces pp0 unit 0 ppp-options pap local-password "$9$P5T3CA0EclFnEy"
set interfaces pp0 unit 0 ppp-options pap passive

set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/1.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 30
set interfaces pp0 unit 0 pppoe-options client

set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet no-redirects
set interfaces pp0 unit 0 family inet negotiate-address

เปิด ping กับ telnet สำหรับทดสอบและ remote หรือจะเปิด service ssh ก็ได้ตามสะดวก แต่อย่าลืมว่า WAN อยู่ใน zone untrust นะครับ

set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ping


หลัง config เสร็จ interface pp0.0 ได้รับ IP แล้ว แต่ default route ไม่ถูกสร้างให้ แก้ไขโดยกำหนด default route เอง

set routing-options static route 0.0.0.0/0 next-hop pp0.0

หลังจากปรับเสร็จ พบว่าเปิดเว็บบางเว็บไม่ได้ งงสิหล่ะงานนี้ แก้ไขโดยปรับ TCP MSS ตามสูตร MTU ลบ header 40 byte (1492 - 40 = 1452)

set security flow tcp-mss all-tcp mss 1452


ตัวอย่าง show config บางส่วนจากที่ตั้งค่าข้างต้น


test@srx# show interface ge-0/0/1
description PPPOE_INTERFACE;
unit 0 {
encapsulation ppp-over-ether;
}
}

test@srx# show interface pp0
unit 0 {
description PPP_TO_TRUE_ADSL;
ppp-options {
pap {
access-profile ppp;
local-name "adslaccout@truehisp";
local-password "$9$P5T3CA0EclFnEy"; ## SECRET-DATA
passive;
}
}
pppoe-options {
underlying-interface ge-0/0/1.0;
auto-reconnect 30;
client;
}
family inet {
mtu 1492;
no-redirects;
negotiate-address;
}
}
}


test@srx# show security-zone untrust
screen untrust-screen;
interfaces {
pp0.0 {
host-inbound-traffic {
system-services {
ssh;
ping;
}
}
}
}
}


test@srx# show routing-options
static {
route 0.0.0.0/0 {
next-hop pp0.0;
}
}
}


test@srx# show security flow
tcp-mss {
all-tcp {
mss 1452;
}
}

Zone policy Vyatta

zone policy ของ Vyatta คล้ายๆ กับของ juniper SRX แฮะ 555


ruamit@vyatta# show zone-policy
zone DMZ {
interface eth3
}
zone local {
default-action drop
from trust {
firewall {
name from_internal
}
}
from untrust {
firewall {
name to-router
}
}
local-zone
}
zone trust {
default-action drop
description LAN_interface
interface eth2
}
zone untrust {
default-action drop
description WAN
from trust {
firewall {
name tcp-out
}
}
interface eth0
}
[edit]

Sunday, December 26, 2010

Vyatta PPPoE, VPN and NAT with firewall protecting WAN

PPPoE interface: WAN to internet


set interfaces ethernet eth0 address '192.168.1.100/24'

set interfaces ethernet eth0 duplex 'auto'

set interfaces ethernet eth0 hw-id '00:1c:23:00:69:4b'

set interfaces ethernet eth0 pppoe 0 default-route 'auto'

set interfaces ethernet eth0 pppoe 0 mtu '1492'

set interfaces ethernet eth0 pppoe 0 name-server 'auto'

set interfaces ethernet eth0 pppoe 0 password 'admintest'

set interfaces ethernet eth0 pppoe 0 user-id 'testpppoe@truehisp'




ruamit@vyatta# show interfaces

ethernet eth0 {

address 192.168.1.100/24

hw-id 00:1c:23:00:69:4b

pppoe 0 {

default-route auto

password admintest

user-id testpppoe@truehisp

}



NAT


set service nat rule 2 outbound-interface 'pppoe0'

set service nat rule 2 source address '172.16.0.0/24'

set service nat rule 2 type 'masquerade'

set service nat rule 20 description 'Port-Forword-PPTP_1723'

set service nat rule 20 destination port '1723'

set service nat rule 20 inbound-interface 'pppoe0'

set service nat rule 20 inside-address address '172.16.0.1'

set service nat rule 20 inside-address port '1723'

set service nat rule 20 protocol 'tcp_udp'

set service nat rule 20 type 'destination'


ruamit@vyatta# show service nat

nat {

rule 2 {

description NAT_POOL

outbound-interface pppoe0

source {

address 172.16.0.0/24

}

type masquerade

}

rule 20 {

description Port-Forword-PPTP_1723

destination {

port 1723

}

inbound-interface pppoe0

inside-address {

address 172.16.0.1

port 1723

}

protocol tcp_udp

type destination

}

}




Limit Bandwidth

set traffic-policy shaper 10m default bandwidth 10mbit

set traffic-policy limiter 5m default bandwidth 5mbit

set interfaces ethernet eth1 traffic-policy out 10m

set interfaces ethernet eth1 traffic-policy in 5m

ruamit@vyatta# show traffic-policy

limiter 5m {

default {

bandwidth 5mbit

}

}

shaper 10m {

default {

bandwidth 10mbit

}

}

[edit]


ruamit@vyatta# show interfaces ethernet eth1

address 172.16.0.1/24

description internal_network

hw-id 00:0c:29:00:9e:07

traffic-policy {

in 5m

out 10m

}

[edit]

ruamit@vyatta#





VPN PPTP


set vpn pptp remote-access authentication local-users username vyattaadmin password 'cisco123'

set vpn pptp remote-access authentication mode 'local'

set vpn pptp remote-access client-ip-pool start '172.16.0.100'

set vpn pptp remote-access client-ip-pool stop '172.16.0.110'

set vpn pptp remote-access dns-servers server-1 '203.144.207.49'

set vpn pptp remote-access outside-address '172.16.0.1'


ruamit@vyatta# show vpn

pptp {

remote-access {

authentication {

local-users {

username vyattaadmin {

password cisco123

}

}

mode local

}

client-ip-pool {

start 172.16.0.100

stop 172.16.0.110

}

dns-servers {

server-1 203.144.207.49

}

outside-address 172.16.0.1

}

}

}



set snmp


set service snmp community public authorization 'ro'

set service snmp community public client 172.16.0.100


ruamit@vyatta# show service snmp

snmp {

community public {

authorization ro

client 172.16.0.100

}




telnet ssh

ruamit@vyatta# set service telnet

ruamit@vyatta# set service ssh



login


set system login user nmc authentication plaintext-password nmc1234

set system login user nmc level 'operator'

set system login user ruamit authentication plaintext-password admin1234

set system login user ruamit level 'admin'



ruamit@vyatta# show system login

user nmc {

authentication {

encrypted-password $1$uaLO3jod$Dnzwb7CeYPvviNnjZTNgV0

plaintext-password ""

}

level operator

}

user ruamit {

authentication {

encrypted-password $1$KeWhiX1f$s2bnIdWba6bYDT8X8eVEa0

plaintext-password ""

}

}




NTP & timezone


set system time-zone 'Asia/Bangkok'

set system ntp-server 'time.navy.mi.th'

set system name-server '8.8.8.8'

set system name-server '8.8.4.4'



webproxy (cache only, no filtering)


set service webproxy cache-size '200'

set service webproxy default-port '8080'

set service webproxy 'disable-access-log'

set service webproxy listen-address '172.16.0.1'


ruamit@vyatta# show service webproxy

cache-size 200

default-port 8080

disable-access-log

listen-address 172.16.0.1 {

}




dynamic dns

set service dns dynamic interface pppoe0 service dyndns host-name 'ssl-vpn.dyndns-ip.com'

set service dns dynamic interface pppoe0 service dyndns login 'abcsd'

set service dns dynamic interface pppoe0 service dyndns password 'xxxxxx'


ruamit@vyatta# show service dns

dynamic {

interface pppoe0 {

service dyndns {

host-name ssl-vpn.dyndns-ip.com

login adscd

password xxxxx

}

}

}




firewall filter on WAN PPPoE


set firewall name to-external default-action 'accept'

set firewall name to-external rule 1 action 'drop'

set firewall name to-external rule 1 destination port '600-65535'

set firewall name to-external rule 1 protocol 'udp'

set firewall name to-external rule 1 source address '0.0.0.0/0'

set firewall name to-external rule 2 action 'drop'

set firewall name to-external rule 2 destination port '135,137-139,445'

set firewall name to-external rule 2 protocol 'tcp_udp'

set firewall name to-router default-action 'drop'

set firewall name to-router rule 1 action 'accept'

set firewall name to-router rule 1 destination port '22'

set firewall name to-router rule 1 protocol 'tcp'

set firewall name to-router rule 1 source address '117.121.208.0/24'

set firewall name to-router rule 2 action 'accept'

set firewall name to-router rule 2 description 'SSH'

set firewall name to-router rule 2 destination address '0.0.0.0/0'

set firewall name to-router rule 2 protocol 'icmp'

set firewall name to-router rule 2 source address '0.0.0.0/0'

set firewall name to-router rule 3 action 'accept'

set firewall name to-router rule 3 log 'disable'

set firewall name to-router rule 3 protocol 'all'

set firewall name to-router rule 3 state established 'enable'

set firewall name to-router rule 3 state invalid 'disable'

set firewall name to-router rule 3 state new 'disable'

set firewall name to-router rule 3 state related 'enable'

set firewall name to-router rule 4 action 'accept'

set firewall name to-router rule 4 description 'SNMP'

set firewall name to-router rule 4 destination port '161-162'

set firewall name to-router rule 4 protocol 'udp'

set firewall name to-router rule 4 source address '0.0.0.0/0'

set firewall name to-router rule 5 action 'accept'

set firewall name to-router rule 5 description 'PPTP'

set firewall name to-router rule 5 destination port '1723'

set firewall name to-router rule 5 protocol 'tcp_udp'

set interfaces ethernet eth0 pppoe 0 firewall local name 'to-router'

set interfaces ethernet eth0 pppoe 0 firewall out name 'to-external'


ruamit@vyatta# show firewall

name to-external {

default-action accept

rule 1 {

action drop

destination {

port 600-65535

}

protocol udp

source {

address 0.0.0.0/0

}

}

rule 2 {

action drop

destination {

port 135,137-139,445

}

protocol tcp_udp

}

}

name to-router {

rule 1 {

action accept

destination {

port 22

}

protocol tcp

source {

address 117.121.208.0/24

}

}

rule 2 {

action accept

description SSH

destination {

address 0.0.0.0/0

}

protocol icmp

source {

address 0.0.0.0/0

}

}

rule 3 {

action accept

log disable

protocol all

state {

established enable

invalid disable

new disable

related enable

}

}

rule 4 {

action accept

description SNMP

destination {

port 161-162

}

protocol udp

source {

address 0.0.0.0/0

}

}

rule 5 {

action accept

description PPTP

destination {

port 1723

}

protocol tcp_udp

}

}

send-redirects disable

syn-cookies disable

}


ruamit@vyatta# show interfaces ethernet eth0

address 192.168.1.100/24

hw-id 00:1c:23:00:69:4b

pppoe 0 {

default-route auto

firewall {

local {

name to-router

}

out {

name to-external

}

}

password admintest

user-id testpppoe@truehisp

}