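1. Download the appropriate VC release from www.vyatta.org; I used VC6.1 for the ESX platform.
2. Import the downloaded template directly in ESX. It has two NICs by default, and the username and password are both vyatta.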
3. Use eth0 as the ADSL dial-up NIC. Only the PPPoE username and password need to be set; leave everything else at the defaults:
    set interfaces ethernet eth0 pppoe 1 user-id ad12345678
    set interfaces ethernet eth0 pppoe 1 password xxxxxx
4. Use eth1 as the LAN gateway. Only the IP address needs to be set; leave everything else at the defaults:
    set interfaces ethernet eth1 address 192.168.1.1/24
5. In ESX, add another NIC to the virtual machine to serve as the management interface, and add a static route:
    set interfaces ethernet eth2 address 10.x.x.99/25
    set protocols static route 10.x.x.x/24 next-hop 10.x.x.xx
6. Configure NAT:
    set service nat rule 1 outbound-interface pppoe1
    set service nat rule 1 protocol all
    set service nat rule 1 type masquerade

7. Configure DHCP:
    set service dhcp-server
    set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 start 192.168.1.101 stop 192.168.1.150
    set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 default-router 192.168.1.1
    set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 202.96.209.133
    set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 208.67.222.222
    set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 lease 86400

8. Scheduled reboot. Add the root user (root can only log in on the console), then edit /etc/crontab. The following entry reboots the system at 01:00 every day:
    0 1  * * *   root    /sbin/reboot

9. Redial the PPPoE connection:
    disconnect interface pppoe1
    connect interface pppoe1
10. Enable flow accounting and view the results with show:
    set system flow-accounting interface eth1
    show flow-accounting

11. Configure SNMP:
    set service snmp community public authorization ro

12. Disable/enable an interface:
    set interfaces ethernet eth1 disable
    delete interfaces ethernet eth1 disable

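13. Firewall: allow only specific IPs to access Vyatta's PPPoE interface. Traffic from any other source matches no rule and falls through to the rule set's implicit drop.
    set firewall name FWTEST rule 1 action accept
    set firewall name FWTEST rule 1 source address 210.xxx.xxx.x/25
    set firewall name FWTEST rule 1 protocol all
    set interfaces ethernet eth0 pppoe 1 firewall local name FWTEST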

14. Deny high-traffic IPs

Vyatta implements ACLs with the firewall. The following denies 192.168.1.101 access to the Internet: rule 1 accepts every source except 192.168.1.101, which then hits the rule set's implicit drop.

    set firewall name DENY_BigTraffic
    set firewall name DENY_BigTraffic rule 1 action accept
    set firewall name DENY_BigTraffic rule 1 source address !192.168.1.101
    set interfaces ethernet eth1 firewall in name DENY_BigTraffic

Remove the denied IP:
    delete firewall name DENY_BigTraffic rule 1 source address !192.168.1.101
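
The rule evaluation behind steps 13 and 14, as an added Python model (not part of the original notes and not Vyatta code): the first matching rule wins, and a packet that matches no rule is dropped. It assumes no default-action is configured on the rule set; the function names and the AFTER_DELETE sample are constructed for illustration.

```python
import ipaddress

# Constructed input: the DENY_BigTraffic commands from step 14.
STEP14 = """
set firewall name DENY_BigTraffic
set firewall name DENY_BigTraffic rule 1 action accept
set firewall name DENY_BigTraffic rule 1 source address !192.168.1.101
"""
# Constructed input: the same rule set after the "delete ... source address" command.
AFTER_DELETE = """
set firewall name DENY_BigTraffic rule 1 action accept
"""

def parse_rules(commands, name):
    """Collect 'set firewall name <name> rule N <key...> <value>' lines into {N: {key: value}}."""
    rules = {}
    for line in commands.strip().splitlines():
        tok = line.split()
        if tok[:4] != ["set", "firewall", "name", name] or len(tok) < 7 or tok[4] != "rule":
            continue  # not a rule attribute of this rule set
        rules.setdefault(int(tok[5]), {})[" ".join(tok[6:-1])] = tok[-1]
    return rules

def source_matches(spec, ip):
    """Match an address or CIDR; a leading '!' negates the match."""
    negate = spec.startswith("!")
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != negate

def decide(rules, src_ip):
    """Evaluate rules in numeric order; no match means the implicit drop."""
    for num in sorted(rules):
        rule = rules[num]
        spec = rule.get("source address")
        if spec is None or source_matches(spec, src_ip):
            return rule["action"]
    return "drop"

if __name__ == "__main__":
    for label, cfg in (("step 14", STEP14), ("after delete", AFTER_DELETE)):
        rules = parse_rules(cfg, "DENY_BigTraffic")
        for ip in ("192.168.1.101", "192.168.1.102"):
            print(label, ip, decide(rules, ip))
```

After the delete command, rule 1 has no source match left, so it accepts every LAN host, including 192.168.1.101.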