The diagram shows our example network. Your application will no doubt be different. Hopefully, you can use this example to save some time in designing your own application. Note that in this subnetted example the Internet access router needs a route to the subnetted network pointing to the Vyatta router. We'll be implementing the following features:

* 4-Port Ethernet Router
  * Internet
  * Two Private Internal Networks
  * Another Internal Router with Its Own Static IP Address
* Internet Access
* NAT
  * Private Networks Using 192.168.x.x Addresses
* Firewall
  * Stateful - Allows Only Established/Related Traffic In
  * Private Networks Protected From Each Other
  * Allows Forwarded Port Traffic
* Port Forwarding (Destination NAT)
  * SMTP, HTTP, HTTPS and RDP
  * Forwarded to Internal Servers on Private Network
* DHCP Server
  * Private Networks
* NTP Time Synchronization
  * Using Free Public Time Servers (ntp.org)
* Remote Management
  * SSH, HTTP and HTTPS
  * Using Non-Standard Ports for HTTP and HTTPS
  * Allows Standard HTTP and HTTPS to Be Forwarded to Internal Servers
* Subnetting
  * Optional
  * For Certain Applications

The NTP time server and the DNS servers are free public servers and you can leave them as they are if you wish. There is no need to change them. The following configuration file can be copied and then edited in place for your configuration.
/opt/vyatta/etc/config/config.boot
/*XORP Configuration File, v1.0*/
/* Example 4-port router: eth0 = Internet (123.123.123.2/30), eth1/eth2 = private LANs
   (192.168.1.0/24, 192.168.2.0/24), eth3 = routed /30 subnet (123.123.123.4/30).
   The /* ... */ form is the only comment syntax this file shows; keep comments in that form. */
protocols {
    static {
        disable: false
        /* Default route: everything not locally connected goes to the upstream router. */
        route 0.0.0.0/0 {
            next-hop: 123.123.123.1
            metric: 1
        }
    }
}
policy {
}
interfaces {
    restore: false
    loopback lo {
        description: "Loopback"
    }
    ethernet eth0 {
        disable: false
        discard: false
        description: "Internet"
        duplex: "auto"
        speed: "auto"
        address 123.123.123.2 {
            prefix-length: 30
            disable: false
        }
        firewall {
            /* "from-external" (defined below) filters traffic arriving on eth0. */
            in {
                name: "from-external"
            }
            /* NOTE(review): "to-router" is referenced here but no firewall ruleset of that
               name is defined anywhere in this file. Traffic addressed to the router itself
               (SSH port 22, WebGUI ports 81/444 under service below) therefore appears to be
               unfiltered by this configuration as shown - confirm, and either define the
               ruleset or remove the reference before deploying. */
            local {
                name: "to-router"
            }
        }
    }
    ethernet eth1 {
        disable: false
        discard: false
        description: "Internal Network #1"
        duplex: "auto"
        speed: "auto"
        address 192.168.1.1 {
            prefix-length: 24
            disable: false
        }
        firewall {
            /* "lan-to-lan" rejects traffic between the RFC 1918 ranges and accepts the rest. */
            in {
                name: "lan-to-lan"
            }
        }
    }
    ethernet eth2 {
        disable: false
        discard: false
        description: "Internal Network #2"
        duplex: "auto"
        speed: "auto"
        address 192.168.2.1 {
            prefix-length: 24
            disable: false
        }
        firewall {
            in {
                name: "lan-to-lan"
            }
        }
    }
    ethernet eth3 {
        disable: false
        discard: false
        description: "Internal Subnetted Network"
        duplex: "auto"
        speed: "auto"
        address 123.123.123.5 {
            prefix-length: 30
            disable: false
        }
        firewall {
            /* NOTE(review): every reject rule in "lan-to-lan" matches only a 192.168.0.0/16
               source. Hosts on this subnet use 123.123.123.4/30 addresses, so as written they
               fall through to the accept-all rule and can reach the private LANs. */
            in {
                name: "lan-to-lan"
            }
        }
    }
}
service {
    dhcp-server {
        /* One pool per private LAN; .65-.199 leaves room for static hosts at both ends. */
        shared-network-name "eth1_pool" {
            subnet 192.168.1.0/24 {
                start 192.168.1.65 {
                    stop: 192.168.1.199
                }
                client-prefix-length: 24
                dns-server 209.218.76.2
                dns-server 208.67.220.220
                default-router: 192.168.1.1
                lease: 86400
                authoritative: "disable"
            }
        }
        shared-network-name "eth2_pool" {
            subnet 192.168.2.0/24 {
                start 192.168.2.65 {
                    stop: 192.168.2.199
                }
                client-prefix-length: 24
                dns-server 209.218.76.2
                dns-server 208.67.220.220
                default-router: 192.168.2.1
                lease: 86400
                authoritative: "disable"
            }
        }
    }
    nat {
        /* Rules 2-8: destination NAT (port forwarding) from the public address to the
           internal server 192.168.1.2. Rule 8 publishes RDP (3389) to any Internet source;
           consider limiting the source network on that rule, as is done for the WebGUI
           rules in "from-external" below. */
        rule 2 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-name smtp
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 4 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-name http
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 6 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-name https
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        rule 8 {
            type: "destination"
            protocols: "tcp"
            destination {
                address: "123.123.123.2"
                port-number 3389
            }
            inside-address {
                address: 192.168.1.2
            }
        }
        /* Rules 10/20: source NAT (masquerade) for the two private LANs leaving via eth0. */
        rule 10 {
            type: "masquerade"
            outbound-interface: "eth0"
            source {
                network: "192.168.1.0/24"
            }
        }
        rule 20 {
            type: "masquerade"
            outbound-interface: "eth0"
            source {
                network: "192.168.2.0/24"
            }
        }
    }
    /* Remote management. SSH stays on 22; the WebGUI moves to 81/444 so that 80/443
       remain free for the port-forwarding rules above. */
    ssh {
        port: 22
        protocol-version: "v2"
    }
    webgui {
        http-port: 81
        https-port: 444
    }
}
firewall {
    /* Kernel hardening knobs: log spoofed/martian sources, ignore ICMP redirects and
       source-routed packets, drop broadcast pings, enable SYN cookies. */
    log-martians: "enable"
    send-redirects: "disable"
    receive-redirects: "disable"
    ip-src-route: "disable"
    broadcast-ping: "disable"
    syn-cookies: "enable"
    name "lan-to-lan" {
        description: "Block Internal LAN Interaction"
        /* Rules 10-30 reject traffic from 192.168.0.0/16 toward each RFC 1918 range
           (this also isolates eth1 from eth2); rule 40 then accepts everything else. */
        rule 10 {
            description: "Block 192.168.x.x Networks"
            protocol: "all"
            action: "reject"
            log: "disable"
            source {
                network: "192.168.0.0/16"
            }
            destination {
                network: "192.168.0.0/16"
            }
        }
        rule 20 {
            description: "Block 172.16.x.x Networks"
            protocol: "all"
            action: "reject"
            log: "disable"
            source {
                network: "192.168.0.0/16"
            }
            destination {
                network: "172.16.0.0/12"
            }
        }
        rule 30 {
            description: "Block 10.x.x.x Networks"
            protocol: "all"
            action: "reject"
            log: "disable"
            source {
                network: "192.168.0.0/16"
            }
            destination {
                network: "10.0.0.0/8"
            }
        }
        rule 40 {
            description: "Allow All Traffic Not Previously Blocked"
            protocol: "all"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                network: "0.0.0.0/0"
            }
        }
    }
    name "from-external" {
        description: "Block Unwanted Internet Traffic"
        /* Rule 10: stateful entry - only replies to connections opened from inside are
           accepted here; new and invalid states are excluded. */
        rule 10 {
            description: "Accept Established-Related Connections"
            protocol: "all"
            state {
                established: "enable"
                new: "disable"
                related: "enable"
                invalid: "disable"
            }
            action: "accept"
            log: "disable"
        }
        /* Rule 20: any source may reach the routed /30 subnet on eth3. Hosts there get no
           protection from this router and must be hardened on their own. */
        rule 20 {
            description: "Pass Subnet Traffic"
            protocol: "all"
            action: "accept"
            log: "disable"
            source {
                network: "0.0.0.0/0"
            }
            destination {
                network: "123.123.123.4/30"
            }
            /* NOTE(review): the page text is truncated at this point. The fragment that
               follows (ending in `pt"`, then log/source/destination on port 81) looks like
               the tail of a rule 30 restricting WebGUI HTTP access to 200.200.200.0/29,
               matching rule 40 below for HTTPS - recover the missing lines from the
               original before using this file. */
            pt" log: "disable" source { network: "200.200.200.0/29" } destination { port-number 81 } }
        rule 40 {
            description: "Secure WebGUI Access"
            protocol: "tcp"
            action: "accept"
            log: "disable"
            source {
                network: "200.200.200.0/29"
            }
            destination {
                port-number 444
            }
        }
        /* NOTE(review): the feature list promises "Allows Forwarded Port Traffic", but no
           rule in this ruleset accepts new connections to the forwarded ports (smtp, http,
           https, 3389). Rule numbering jumps from 40 to 60, so a rule 50 may have been lost
           in extraction - confirm that the forwarded services are actually reachable. */
        /* Rules 60-80: the ICMP types needed for path MTU discovery, ping and traceroute. */
        rule 60 {
            description: "Accept ICMP Unreachable"
            protocol: "icmp"
            icmp {
                type: "3"
            }
            action: "accept"
            log: "disable"
        }
        rule 70 {
            description: "Accept ICMP Echo Request"
            protocol: "icmp"
            icmp {
                type: "8"
            }
            action: "accept"
            log: "disable"
        }
        rule 80 {
            description: "Accept ICMP Time-Exceeded"
            protocol: "icmp"
            icmp {
                type: "11"
            }
            action: "accept"
            log: "disable"
        }
    }
}
system {
    host-name: "router"
    domain-name: "yourdomain.com"
    /* Public resolvers and NTP pool; the text above says these can stay as they are. */
    name-server 208.67.222.222
    name-server 208.67.220.220
    time-zone: "GMT"
    ntp-server "pool.ntp.org"
    login {
        /* Both accounts ship with the well-known default password "vyatta", stored in
           clear text, while SSH and the WebGUI are enabled above. Set unique passwords
           here before eth0 is connected. */
        user root {
            full-name: ""
            authentication {
                plaintext-password: "vyatta"
            }
        }
        user vyatta {
            full-name: ""
            authentication {
                plaintext-password: "vyatta"
            }
        }
    }
    package {
        /* Package updates are fetched from the community repository over plain http. */
        auto-sync: 1
        repository community {
            component: "main"
            url: "http://archive.vyatta.com/vyatta"
        }
    }
}