Vyatta CLI commands reference guide…

Below I list a CLI Command reference for the Vyatta Router.

# Configure Interfaces

configure
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description "Internet-Connection"
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 description "LAN-Connection"
commit
save

# Configure DHCP

configure
set service dhcp-server
set service dhcp-server shared-network-name LAN-01
set service dhcp-server shared-network-name LAN-01 subnet 192.168.1.0/24
set service dhcp-server shared-network-name LAN-01 subnet 192.168.1.0/24 start 192.168.1.10
set service dhcp-server shared-network-name LAN-01 subnet 192.168.1.0/24 start 192.168.1.10 stop 192.168.1.20
set service dhcp-server shared-network-name LAN-01 subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name LAN-01 subnet 192.168.1.0/24 domain-name test.local
set service dhcp-server shared-network-name LAN-01 subnet 192.168.1.0/24 dns-server 192.168.1.1
set service dhcp-server shared-network-name LAN-01 subnet 192.168.1.0/24 dns-server 8.8.8.8
set service dhcp-server shared-network-name LAN-01 subnet 192.168.1.0/24 dns-server 8.8.4.4
commit
save

Adding Static Mappings for IP to MAC/PC

set service dhcp-server shared-network-name LAN-01 subnet 192.168.1.0/24 static-mapping <PCNAME/HOSTNAME> ip-address 192.168.1.10

# Configure system DNS

configure
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system name-server 208.67.222.222
set system name-server 208.67.220.220
commit
save

# Conigure LAN DNS Forwarding

configure
set service dns forwarding listen-on eth1
set service dns forwarding name-server 8.8.8.8
set service dns forwarding name-server 8.8.4.4
set service dns forwarding name-server 208.67.222.222
set service dns forwarding name-server 208.67.220.220
commit
save

# Configure Wifi
First Create Bridge between eth1 and wlan0 called br0

set interfaces bridge br0 address 192.168.88.1 / 24 
set interfaces bridge br0 LAN Description

Add eth1 to the bridge

set eth1 Ethernet interfaces bridge br0 bridge-Group
set eth1 interfaces Ethernet LAN Description

Configure the Wifi Settings

set interfaces wireless wlan0 bridge-group bridge br0
set interfaces wireless wlan0 channel 2
set interfaces wireless wlan0 description LAN
set interfaces wireless wlan0 mode g
set interfaces wireless wlan0 security wpa mode wpa2
set interfaces wireless wlan0 security wpa passphrase 12345678
set interfaces wireless wlan0 ssid vyatta
set interfaces wireless wlan0 type access-point

# Configure default routes

configure
set protocol static route 0.0.0.0/0 next-hop 192.168.1.1 <IP Of Next Hop Router> 
commit
save

You could also use this option to route different IP Addresses to different routers etc…

# Configure NAT

configure
set nat source rule 1
set nat source rule 1 translation address masquerade
set nat source rule 1 outbound-interface eth0
set nat source rule 1 protocol all
set nat source rule 1 source address 192.168.1.0/24
set nat source rule 1 destination address 0.0.0.0/0
commit
save

# Configuring a sample NAT Rule

configure
set nat destination rule 10
set nat destination rule 10 inbound-interface eth0 
set nat destination rule 10 destination port 1723 
set nat destination rule 10 translation address 192.168.1.3 
set nat destination rule 10 translation port 1723 
set nat destination rule 10 protocol tcp
commit
save

Some Simple commands to check NAT

show nat rules
show nat translations

# Configure SSH

configure
set service ssh
set service ssh listen-address 192.168.1.1
set service ssh port 22 <Can be set to another port number>
set service ssh protocol-version v2
commit
save

# Configure IPSEC Site-to-Site

set vpn ipsec 
set vpn ipsec ipsec-interfaces interface eth0 <Interface connected to Internet>
set vpn ipsec ike-group IKE
set vpn ipsec ike-group IKE proposal 1 encryption 3des 
set vpn ipsec ike-group IKE proposal 1 hash md5 
set vpn ipsec ike-group IKE proposal 1 dh-group 2
set vpn ipsec esp-group ESP proposal 1 encryption 3des 
set vpn ipsec esp-group ESP proposal 1 hash md5 
set vpn ipsec site-to-site peer <IP OF REMOTE WAN END> ike-group IKE
set vpn ipsec site-to-site peer <IP OF REMOTE WAN END> local-ip <Local WAN Address>
set vpn ipsec site-to-site peer <IP OF REMOTE WAN END> tunnel 1 local subnet 192.168.1.0/24
set vpn ipsec site-to-site peer <IP OF REMOTE WAN END> tunnel 1 remote subnet 192.168.2.0/24
set vpn ipsec site-to-site peer <IP OF REMOTE WAN END> tunnel 1 esp-group ESP

# Conigure system user envoroments

configure
set system host-name router
set system domain-name test.local
set system time-zone europe/London
commit
save

# Rip Configuration

configure
set protocols rip interface ethX
set interfaces ethernet ethX ip rip authentication md5 23
set interfaces ethernet ethX ip rip authentication md5 23 password <<PASSWORD>>
commit
save
run show ip route
run show ip route rip

# OSPF Configuration

set protocols ospf parameters router-id 192.168.1.1 <IP OF Router>
set protocols ospf area 0.0.0.0 network 192.168.1.0/24 <Subnet of connected networks>
set protocols ospf area 0.0.0.0 network 192.168.2.0/24 <Subnet of connected networks>
set protocols ospf area 0.0.0.0 authentication md5
set protocols ospf redistribute connected
set interfaces ethernet eth0 ip ospf authentication md5
set interfaces ethernet eth0 ip ospf authentication md5 key-id 25
set interfaces ethernet eth0 ip ospf authentication md5 key-id 25 md5-key PASSWORD
commit
save

# BGP Configuration

configure
set protocols bgp <AS Number>
set protocols bgp <AS Number> neighbor <IP of Other router>
set protocols bgp <AS Number> neighbor <IP of Other router> remote-as <AS Number>
set protocols bgp <AS Number> network <Local networks>
set protocols bgp <AS Number> redistribute connected
set protocols bgp <AS Number> neighbor <IP of Other router> password <password>
set protocols bgp <AS Number> parameters router-id <IP of local router>
commit
save

# Configure GRE <No Encryption>

configure
set interfaces tunnel tun0 address 172.14.1.1/30 <Simple 2 IP Addresses used>
set interfaces tunnel tun0 local-ip <Local WAN IP>
set interfaces tunnel tun0 remote-ip <Remote WAN IP>
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 description "GRE Tunnel To Remote site"
commit
save

Local Lan Address 192.168.1.0/24
Remote Lan Address 192.168.2.0/24

set protocols static route 192.168.2.0/24 next-hop 172.14.1.2

# Firewall Configuration

configure
set zone-policy zone private description "Private zone inside firewall"
set zone-policy zone public description "Public zone outside firewall"
set zone-policy zone public interface eth0
set zone-policy zone private interface eth1
set firewall name to-public description "Allow authorized traffic to Public Zone"
set firewall name to-public rule 1 action accept
set firewall name to-public rule 1 state established enable
set firewall name to-public rule 1 state related enable
set firewall name to-public rule 10 action accept
set firewall name to-public rule 10 destination port 80,443
set firewall name to-public rule 10 protocol tcp
set firewall name to-private description "Allow established to Private zone"
set firewall name to-private rule 1 action accept
set firewall name to-private rule 1 state established enable
set firewall name to-private rule 1 state related enable
set zone-policy zone private from public firewall name to-private
set zone-policy zone public from private firewall name to-public
commit
save

# VRRP Virtual Router Redundancy Protocol Configuration

set interfaces ethernet eth2 vrrp vrrp-group 10 priority 150
set interfaces ethernet eth2 vrrp vrrp-group 10 virtual-address 192.168.1.254
set interfaces ethernet eth2 vrrp vrrp-group 10 description "LAN VRRP"
set interfaces ethernet eth2 vrrp vrrp-group 10 advertise-interval 1
set interfaces ethernet eth2 vrrp vrrp-group 10 authentication type ah
set interfaces ethernet eth2 vrrp vrrp-group 10 authentication password PASSWORD
commit
save

OpenVPN on Vyatta
OpenVPN Server Setup

configure
su
cd /var/share/doc/openvpn/examples/easy-rsa
cp -r 2.0/ /etc/openvpn/easy-rsa
source ~/vars
./clean-all
./build-ca
./build-key-server server
./build-key <KEY>
./build-dh

For additional Routers

cd /etc/openvpn/
source ./vars
./build-key <Site Name>

Vyatta Config

set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 192.168.1.0/24
set interfaces openvpn vtun0 tls ca-cert-file /root/OpenVPN_CA.crt
set interfaces openvpn vtun0 tls cert-file /root/openvpnsrv_cert.crt
set interfaces openvpn vtun0 tls key-file /root/openvpnsrv_key.key
set interfaces openvpn vtun0 tls dh-file /root/dh2048.pem
set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 server push-route 192.168.2.0/24
commit
save

# Factory Reset Vyatta

configure
load /opt/vyatta/etc/config.boot.default 
save

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS
This entry was posted in Little Guides, Usefully Found Stuff and tagged , , , , . Bookmark the permalink.

Comments are closed.