Vyatta 6.0: Firewall, NAT, VLAN, WebProxy, WebFilter, QoS

A short tutorial on a network built for Internet access (NAT, VLAN, WebProxy, WebFilter, QoS) using Vyatta Core 6.0.

The scenario is shown in the diagram below:

[Network diagram: vyatta]

Interfaces: fa0/0 = 118.98.176.209/29 (upstream gateway); eth0 = 118.98.176.210/29; eth1 = 192.168.1.1/24;

eth1.201 = 192.168.201.1/24; eth1.202 = 192.168.202.1/24; eth1.203 = 192.168.203.1/24; eth1.204 = 192.168.204.1/24;

eth2 = 192.168.3.1/24; eth2.101 = 192.168.101.1/24; eth2.102 = 192.168.102.1/24; eth2.103 = 192.168.103.1/24;

DNS: 118.98.176.211

Vyatta configuration:

Configure the interface facing the Internet (eth0):

vyatta@vyatta$ configure
vyatta@vyatta# set interfaces ethernet eth0 address 118.98.176.210/29

Configure the LAN-facing interfaces (eth1, eth2):

vyatta@vyatta# set interfaces ethernet eth1 address 192.168.1.1/24
vyatta@vyatta# set interfaces ethernet eth2 address 192.168.3.1/24

Configure the VLAN sub-interfaces (VLANs 101, 102, 103 on eth2 and VLANs 201, 202, 203, 204 on eth1):

vyatta@vyatta# set interfaces ethernet eth1 vif 201 address 192.168.201.1/24
vyatta@vyatta# set interfaces ethernet eth1 vif 202 address 192.168.202.1/24
vyatta@vyatta# set interfaces ethernet eth1 vif 203 address 192.168.203.1/24
vyatta@vyatta# set interfaces ethernet eth1 vif 204 address 192.168.204.1/24

vyatta@vyatta# set interfaces ethernet eth2 vif 101 address 192.168.101.1/24
vyatta@vyatta# set interfaces ethernet eth2 vif 102 address 192.168.102.1/24
vyatta@vyatta# set interfaces ethernet eth2 vif 103 address 192.168.103.1/24

Configure the system gateway and DNS:

vyatta@vyatta# set system gateway-address 118.98.176.209
vyatta@vyatta# set system name-server 118.98.176.211

vyatta@vyatta# commit

Configure DNS forwarding for the LAN:

vyatta@vyatta# set service dns forwarding system
vyatta@vyatta# set service dns forwarding listen-on eth1.201
vyatta@vyatta# set service dns forwarding listen-on eth1.202
vyatta@vyatta# set service dns forwarding listen-on eth1.203
vyatta@vyatta# set service dns forwarding listen-on eth1.204
vyatta@vyatta# set service dns forwarding listen-on eth2
vyatta@vyatta# set service dns forwarding listen-on eth2.101
vyatta@vyatta# set service dns forwarding listen-on eth2.102
vyatta@vyatta# set service dns forwarding listen-on eth2.103

vyatta@vyatta# commit

Configure DHCP for the LAN:

vyatta@vyatta# set service dhcp-server shared-network-name net3
vyatta@vyatta# set service dhcp-server shared-network-name net3 subnet 192.168.3.0/24
vyatta@vyatta# set service dhcp-server shared-network-name net3 subnet 192.168.3.0/24 start 192.168.3.50 stop 192.168.3.200
vyatta@vyatta# set service dhcp-server shared-network-name net3 subnet 192.168.3.0/24 default-router 192.168.3.1
vyatta@vyatta# set service dhcp-server shared-network-name net3 subnet 192.168.3.0/24 dns-server 192.168.3.1
vyatta@vyatta# set service dhcp-server shared-network-name net3 subnet 192.168.3.0/24 lease 14400

vyatta@vyatta# set service dhcp-server shared-network-name vlan101
vyatta@vyatta# set service dhcp-server shared-network-name vlan101 subnet 192.168.101.0/24
vyatta@vyatta# set service dhcp-server shared-network-name vlan101 subnet 192.168.101.0/24 start 192.168.101.50 stop 192.168.101.200
vyatta@vyatta# set service dhcp-server shared-network-name vlan101 subnet 192.168.101.0/24 default-router 192.168.101.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan101 subnet 192.168.101.0/24 dns-server 192.168.101.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan101 subnet 192.168.101.0/24 lease 14400

vyatta@vyatta# set service dhcp-server shared-network-name vlan102
vyatta@vyatta# set service dhcp-server shared-network-name vlan102 subnet 192.168.102.0/24
vyatta@vyatta# set service dhcp-server shared-network-name vlan102 subnet 192.168.102.0/24 start 192.168.102.50 stop 192.168.102.200
vyatta@vyatta# set service dhcp-server shared-network-name vlan102 subnet 192.168.102.0/24 default-router 192.168.102.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan102 subnet 192.168.102.0/24 dns-server 192.168.102.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan102 subnet 192.168.102.0/24 lease 14400

vyatta@vyatta# set service dhcp-server shared-network-name vlan103
vyatta@vyatta# set service dhcp-server shared-network-name vlan103 subnet 192.168.103.0/24
vyatta@vyatta# set service dhcp-server shared-network-name vlan103 subnet 192.168.103.0/24 start 192.168.103.50 stop 192.168.103.200
vyatta@vyatta# set service dhcp-server shared-network-name vlan103 subnet 192.168.103.0/24 default-router 192.168.103.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan103 subnet 192.168.103.0/24 dns-server 192.168.103.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan103 subnet 192.168.103.0/24 lease 14400

vyatta@vyatta# set service dhcp-server shared-network-name vlan201
vyatta@vyatta# set service dhcp-server shared-network-name vlan201 subnet 192.168.201.0/24
vyatta@vyatta# set service dhcp-server shared-network-name vlan201 subnet 192.168.201.0/24 start 192.168.201.50 stop 192.168.201.200
vyatta@vyatta# set service dhcp-server shared-network-name vlan201 subnet 192.168.201.0/24 default-router 192.168.201.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan201 subnet 192.168.201.0/24 dns-server 192.168.201.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan201 subnet 192.168.201.0/24 lease 14400

vyatta@vyatta# set service dhcp-server shared-network-name vlan202
vyatta@vyatta# set service dhcp-server shared-network-name vlan202 subnet 192.168.202.0/24
vyatta@vyatta# set service dhcp-server shared-network-name vlan202 subnet 192.168.202.0/24 start 192.168.202.50 stop 192.168.202.200
vyatta@vyatta# set service dhcp-server shared-network-name vlan202 subnet 192.168.202.0/24 default-router 192.168.202.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan202 subnet 192.168.202.0/24 dns-server 192.168.202.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan202 subnet 192.168.202.0/24 lease 14400

vyatta@vyatta# set service dhcp-server shared-network-name vlan203
vyatta@vyatta# set service dhcp-server shared-network-name vlan203 subnet 192.168.203.0/24
vyatta@vyatta# set service dhcp-server shared-network-name vlan203 subnet 192.168.203.0/24 start 192.168.203.50 stop 192.168.203.200
vyatta@vyatta# set service dhcp-server shared-network-name vlan203 subnet 192.168.203.0/24 default-router 192.168.203.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan203 subnet 192.168.203.0/24 dns-server 192.168.203.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan203 subnet 192.168.203.0/24 lease 14400

vyatta@vyatta# set service dhcp-server shared-network-name vlan204
vyatta@vyatta# set service dhcp-server shared-network-name vlan204 subnet 192.168.204.0/24
vyatta@vyatta# set service dhcp-server shared-network-name vlan204 subnet 192.168.204.0/24 start 192.168.204.50 stop 192.168.204.200
vyatta@vyatta# set service dhcp-server shared-network-name vlan204 subnet 192.168.204.0/24 default-router 192.168.204.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan204 subnet 192.168.204.0/24 dns-server 192.168.204.1
vyatta@vyatta# set service dhcp-server shared-network-name vlan204 subnet 192.168.204.0/24 lease 14400

vyatta@vyatta# commit

Configure masquerade NAT for the network on each interface:

vyatta@vyatta# set service nat rule 10
vyatta@vyatta# set service nat rule 10 outbound-interface eth0
vyatta@vyatta# set service nat rule 10 protocol all
vyatta@vyatta# set service nat rule 10 source address 192.168.3.0/24
vyatta@vyatta# set service nat rule 10 type masquerade

vyatta@vyatta# set service nat rule 11
vyatta@vyatta# set service nat rule 11 outbound-interface eth0
vyatta@vyatta# set service nat rule 11 protocol all
vyatta@vyatta# set service nat rule 11 source address 192.168.101.0/24
vyatta@vyatta# set service nat rule 11 type masquerade

vyatta@vyatta# set service nat rule 12
vyatta@vyatta# set service nat rule 12 outbound-interface eth0
vyatta@vyatta# set service nat rule 12 protocol all
vyatta@vyatta# set service nat rule 12 source address 192.168.102.0/24
vyatta@vyatta# set service nat rule 12 type masquerade

vyatta@vyatta# set service nat rule 13
vyatta@vyatta# set service nat rule 13 outbound-interface eth0
vyatta@vyatta# set service nat rule 13 protocol all
vyatta@vyatta# set service nat rule 13 source address 192.168.103.0/24
vyatta@vyatta# set service nat rule 13 type masquerade

vyatta@vyatta# set service nat rule 14
vyatta@vyatta# set service nat rule 14 outbound-interface eth0
vyatta@vyatta# set service nat rule 14 protocol all
vyatta@vyatta# set service nat rule 14 source address 192.168.201.0/24
vyatta@vyatta# set service nat rule 14 type masquerade

vyatta@vyatta# set service nat rule 15
vyatta@vyatta# set service nat rule 15 outbound-interface eth0
vyatta@vyatta# set service nat rule 15 protocol all
vyatta@vyatta# set service nat rule 15 source address 192.168.202.0/24
vyatta@vyatta# set service nat rule 15 type masquerade

vyatta@vyatta# set service nat rule 16
vyatta@vyatta# set service nat rule 16 outbound-interface eth0
vyatta@vyatta# set service nat rule 16 protocol all
vyatta@vyatta# set service nat rule 16 source address 192.168.203.0/24
vyatta@vyatta# set service nat rule 16 type masquerade

vyatta@vyatta# set service nat rule 17
vyatta@vyatta# set service nat rule 17 outbound-interface eth0
vyatta@vyatta# set service nat rule 17 protocol all
vyatta@vyatta# set service nat rule 17 source address 192.168.204.0/24
vyatta@vyatta# set service nat rule 17 type masquerade

vyatta@vyatta# commit

Configure the web proxy:

vyatta@vyatta# set service webproxy cache-size 5120
vyatta@vyatta# set service webproxy listen-address 192.168.3.1
vyatta@vyatta# set service webproxy listen-address 192.168.101.1
vyatta@vyatta# set service webproxy listen-address 192.168.102.1
vyatta@vyatta# set service webproxy listen-address 192.168.103.1
vyatta@vyatta# set service webproxy listen-address 192.168.201.1
vyatta@vyatta# set service webproxy listen-address 192.168.202.1
vyatta@vyatta# set service webproxy listen-address 192.168.203.1
vyatta@vyatta# set service webproxy listen-address 192.168.204.1

vyatta@vyatta# commit

Configure web filtering (the blacklists must be downloaded once before the categories can be referenced):

vyatta@vyatta# save
vyatta@vyatta# exit
vyatta@vyatta$ update webproxy blacklists
vyatta@vyatta$ configure
vyatta@vyatta# set service webproxy url-filtering squidguard allow-ipaddr-url
vyatta@vyatta# set service webproxy url-filtering squidguard block-category adult
vyatta@vyatta# set service webproxy url-filtering squidguard block-category proxy
vyatta@vyatta# set service webproxy url-filtering squidguard block-category malware
vyatta@vyatta# set service webproxy url-filtering squidguard block-category violence
vyatta@vyatta# set service webproxy url-filtering squidguard block-category warez
vyatta@vyatta# set service webproxy url-filtering squidguard enable-safe-search

vyatta@vyatta# commit

Configure the firewall:

vyatta@vyatta# set firewall name allow_established
vyatta@vyatta# set firewall name allow_established rule 10
vyatta@vyatta# set firewall name allow_established rule 10 action accept
vyatta@vyatta# set firewall name allow_established rule 10 state established enable

vyatta@vyatta# commit

Next, apply this firewall to the interface connected to the Internet (eth0). A named rule set drops whatever it does not explicitly accept, so with only rule 10 in place eth0 accepts replies to connections initiated from the LAN or from the router itself and drops all unsolicited inbound traffic; adding "state related enable" to rule 10 also admits related traffic such as ICMP error messages.

vyatta@vyatta# set interfaces ethernet eth0 firewall in name allow_established
vyatta@vyatta# set interfaces ethernet eth0 firewall local name allow_established

vyatta@vyatta# commit

Configure QoS (traffic shaper):
Assume the ISP provides 8 Mbps of bandwidth, of which the 192.168.3.0/24 network (eth2) is given 70% and the rest goes to everyone else.

vyatta@vyatta# set qos-policy traffic-shaper Campus
vyatta@vyatta# set qos-policy traffic-shaper Campus bandwidth 8mbit
vyatta@vyatta# set qos-policy traffic-shaper Campus class 10
vyatta@vyatta# set qos-policy traffic-shaper Campus class 10 bandwidth 70%
vyatta@vyatta# set qos-policy traffic-shaper Campus class 10 ceiling 100%
vyatta@vyatta# set qos-policy traffic-shaper Campus class 10 match net3 interface eth2
vyatta@vyatta# set qos-policy traffic-shaper Campus default bandwidth 30%
vyatta@vyatta# set qos-policy traffic-shaper Campus default ceiling 100%

Next, apply this qos-policy to the interface connected to the Internet (eth0). Note that a traffic shaper applied in the out direction on eth0 only shapes traffic leaving toward the Internet (the LAN's upload); to shape download traffic, apply a policy in the out direction on the LAN interfaces as well.

vyatta@vyatta# set interfaces ethernet eth0 qos-policy out Campus
vyatta@vyatta# commit
vyatta@vyatta# save


2 thoughts on “Vyatta 6.0: Firewall, NAT, VLAN, WebProxy, WebFilter, QoS”

  1. Nice article.....
    But could you give a simple example, for instance how to manage bandwidth for an Internet café (say 10 clients, 1 Mb link) using Vyatta in a virtual machine (e.g. Oracle VM VirtualBox / VMware).
    Thanks in advance .......
    Keep open source....

    ferry0606@gmail.com

  2. Same as Ferry, the article is very good,,
    Now how about implementing it with a managed switch? I have created the VLANs as in the tutorial above, and also created the VLANs on the switch, but why don't the VLANs work? They can't get DHCP or Internet access.
    But eth1 (LAN) does get DHCP and Internet access.

    Thanks in advance for your response...
