Note: This is part one of two; the second part will be posted next week.
No matter what your position in IT might be, you're probably pretty darn familiar with IPv4. You can't configure the first thing on a network today without at least having some basic idea how subnet masks, default gateways, and DNS allow the network to function. If you're tasked with day-to-day management of a larger network, you may be very familiar with a whole slew of deeper info, such as how to set up DHCP to autonumber workstations, perform more complex subnetting, and configure dynamic routing protocols.
For better or for worse, everything you've learned about IP throughout your career is about to change.
The IANA issued its last /8 block of IPv4 addresses earlier this month. The Regional Internet Registries are on pace to run out of smaller blocks to assign to ISPs and corporations within a year or so. Many ISPs have done a good job planning ahead and have a lot of space on hand, but it can't last forever. It's not an issue of whether IPv4 address space exhaustion will force you to get on the IPv6 bandwagon, but when.
Getting Vyatta installed
In my case, getting Vyatta installed was a bit more complicated than it might be for most. Vyatta is distributed in a few different formats, including a Live CD image that you can burn to a disc and a ready-made VMware appliance. Unfortunately, I'm not using VMware, and the box I wanted to install Vyatta on doesn't have a CD-ROM.
However, it's fairly easy to slap together an installer that will run off a USB thumb drive. If you're in that boat, there are some old but still accurate instructions on the Vyatta forums (a great resource if you get stuck).
Once you have your boot media -- either a CD-ROM or a flash drive -- ready to go, you can boot up your machine and get started. It's important to realize that what you're actually booting isn't strictly an installer -- it's a fully functional Vyatta environment. To burn that environment onto permanent storage, such as a hard drive or a CompactFlash card, so that you can save your configuration easily, you'll need to log in (both the username and password are "vyatta") and run the
That will run you through a few basic options about whether to enable software RAID (if you have more than one hard drive you want to mirror) and what disk configuration to use. If you're not sure, you can generally accept the defaults on just about everything. Once the installer has done its job, you can shut down the machine, remove the media, and turn it back on. If all went well, you should be presented with another login prompt.
I also wanted to enable SSH access to the console and access to the HTTPS Web interface:
set service 'https'
set service ssh port '22'
set service ssh protocol-version 'v2'
And set a hostname for the system:
set system host-name 'ipv6-test-router'
set system domain-name '<your domain name>'
As I was attaching this router to its own switch, I also needed to configure a DHCP server so that I'd be able to get an IP when I plugged a laptop in. This block will turn on the IPv4 DHCP service on the inside interface and configure it to advertise itself as the default router and DNS server:
If you choose this route, make sure you understand what every command I use here does so that you know the implications of setting them. Vyatta is tremendously flexible, allowing you to set firewall rules that only trigger at certain times of day, perform traffic shaping, and support fairly complex zone-based firewalling configurations. This config reflects the simplest of the simple. If you want to learn more about what you can do, check out the Vyatta documentation.
First is a rule set that will allow return traffic initiated from the router itself to return to it. It will also allow ICMP ping requests to come into the router's outside interface (you'll need that ability later when you configure an IPv6 tunnel):
set firewall name out-local default-action 'drop'
set firewall name out-local description 'IPv4 Traffic To Router'
set firewall name out-local rule 10 action 'accept'
set firewall name out-local rule 10 description 'Accept Established-Related'
set firewall name out-local rule 10 state established 'enable'
set firewall name out-local rule 10 state related 'enable'
set firewall name out-local rule 15 action 'accept'
set firewall name out-local rule 15 description 'Accept ICMP Echo'
set firewall name out-local rule 15 icmp type '8'
set firewall name out-local rule 15 protocol 'icmp'
Next, pretty much the same rule that will apply to return traffic that originated from the inside network:
set firewall name out-in default-action 'drop'
set firewall name out-in description 'IPv4 Traffic To Internal'
set firewall name out-in rule 10 action 'accept'
set firewall name out-in rule 10 description 'Accept Established-Related'
set firewall name out-in rule 10 state established 'enable'
set firewall name out-in rule 10 state related 'enable'
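As an added example (not from the article and not Vyatta's own tooling), here is a small Python audit that parses `set firewall name ...` lines like the two rule sets above into a tree and flags any rule set that is not default-deny or that accepts traffic without a state or protocol restriction. The sample configuration is constructed from the article's rule sets plus a hypothetical `weak-example` set included only to show what gets flagged.

```python
import shlex
from collections import defaultdict

# Constructed sample: the article's out-local and out-in rule sets plus a
# hypothetical 'weak-example' set that the audit should report.
SAMPLE_CONFIG = """
set firewall name out-local default-action 'drop'
set firewall name out-local description 'IPv4 Traffic To Router'
set firewall name out-local rule 10 action 'accept'
set firewall name out-local rule 10 state established 'enable'
set firewall name out-local rule 10 state related 'enable'
set firewall name out-local rule 15 action 'accept'
set firewall name out-local rule 15 icmp type '8'
set firewall name out-local rule 15 protocol 'icmp'
set firewall name out-in default-action 'drop'
set firewall name out-in rule 10 action 'accept'
set firewall name out-in rule 10 state established 'enable'
set firewall name out-in rule 10 state related 'enable'
set firewall name weak-example default-action 'accept'
set firewall name weak-example rule 10 action 'accept'
"""

def parse_firewall(text):
    """Map 'set firewall name <set> ...' lines to {set: {'default-action': ..., 'rules': {num: {key: val}}}}."""
    sets = defaultdict(lambda: {"default-action": None, "rules": defaultdict(dict)})
    for line in text.splitlines():
        tok = shlex.split(line)  # shlex drops the quotes Vyatta puts around values
        if tok[:3] != ["set", "firewall", "name"] or len(tok) < 5:
            continue
        name, rest = tok[3], tok[4:]
        if rest[0] == "rule":
            # 'rule 10 state established enable' -> rules['10']['state established'] = 'enable'
            num, key, val = rest[1], " ".join(rest[2:-1]), rest[-1]
            sets[name]["rules"][num][key] = val
        else:
            sets[name][rest[0]] = rest[-1]  # e.g. default-action, description
    return sets

def audit(sets):
    """Return (set, finding) pairs for sets that are not default-drop or that accept unconditionally."""
    findings = []
    for name, fw in sets.items():
        if fw["default-action"] != "drop":
            findings.append((name, "default-action is not drop"))
        for num, rule in fw["rules"].items():
            if rule.get("action") != "accept":
                continue
            stateful = "enable" in (rule.get("state established"), rule.get("state related"))
            scoped = any(k in rule for k in ("protocol", "source address", "destination port"))
            if not (stateful or scoped):
                findings.append((name, f"rule {num} accepts all traffic"))
    return findings
```

Running `audit(parse_firewall(SAMPLE_CONFIG))` reports only the `weak-example` set; the article's two rule sets pass because they drop by default and only accept established/related traffic or ICMP echo.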
Then configure NAT to translate the inside addresses (the 192.168.1.0/24 network behind eth1) to the address of the outside interface, eth0:
set service nat rule 10 outbound-interface 'eth0'
set service nat rule 10 source address '192.168.1.0/24'
set service nat rule 10 type 'masquerade'
Next up, configure the router to proxy DNS requests to an Internet-based DNS server. In this case I've used Google Public DNS because my ISP fiddles with its DNS servers to deliver ads more than I like, but you can use any public DNS service, such as OpenDNS, if you're not a fan of Google:
set service dns forwarding cache-size '150'
set service dns forwarding listen-on 'eth1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'
Configure DNS for the router itself (so that you can ping things by name):