Oct 24
Ben King. Categories: Business, Internet, Networks, Vyatta, Systems, Web/Tech
If you are using Vyatta and want to transparently forward traffic at the router level to a separate Squid proxy you will find that the standard firewall configuration in Vyatta just isn't up to the job (yet!).
The workaround is to use the /etc/rc.local file to make iptables do the job for you. Here's how we did it:
#!/bin/sh -e
#
# rc.local
#
# Modified to forward to squid cache
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
SQUID="10.1.1.1" # Internal address of our squid box
# Webcache jump to cache
echo Setting up jump to webcache
# clear any existing entries
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
# Don't mark webcache traffic (ACCEPT in mangle PREROUTING ends traversal of this chain,
# so none of the MARK rules below are reached for a packet that hits it)
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s $SQUID
# Internal subnets to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 10.0.0.0/8 # Don't cache internal
# External sites to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 1.2.3.4 # IP address of a site you want to exclude from going to the cache
# Now mark our traffic. We have a number of subnets on virtual interfaces we want to grab;
# if you aren't using vifs simply use eth1 or whatever interface you are using.
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.102 -p tcp --dport 80
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.103 -p tcp --dport 80
# Send the marked traffic to table 2 (you can actually use whatever table you want;
# I used 2 because we are using eth2 for the subnet squid is on).
# Note: these two ip commands are not idempotent. They are fine at boot, but if you re-run the
# script by hand the existing rule and route must be removed first or "ip route add" fails.
$IP rule add fwmark 3 table 2
# set the default route for table 2, change eth2 for the interface you are on
$IP route add default via $SQUID dev eth2 table 2
# Make sure we exit
exit 0
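As an added illustration (not part of the post and not the author's script), the Python below models how the mangle PREROUTING chain above is evaluated: iptables tries rules in order and the first match wins, an ACCEPT in mangle ends traversal of that chain with no mark set, and the fwmark then selects table 2, whose only route is the default via the Squid box. The addresses, interfaces and mark value are the script's; the packets are constructed. It also shows why the exclusion rules must precede the MARK rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Values taken from the post's rc.local.
SQUID = "10.1.1.1"
EXCLUDED_SITE = "1.2.3.4/32"
INTERNAL = "10.0.0.0/8"
SQUID_IFACE = "eth2"

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str

# The mangle PREROUTING chain in the order rc.local appends it.
PREROUTING = [
    {"target": "ACCEPT", "dport": 80, "src": SQUID},        # Squid's own fetches: never re-mark
    {"target": "ACCEPT", "dport": 80, "dst": INTERNAL},      # internal subnets go direct
    {"target": "ACCEPT", "dport": 80, "dst": EXCLUDED_SITE}, # one external site bypasses the cache
    {"target": "MARK", "mark": 3, "dport": 80, "iface": "eth3.102"},
    {"target": "MARK", "mark": 3, "dport": 80, "iface": "eth3.103"},
]

def matches(rule, pkt):
    """All criteria present in a rule must hold (iptables ANDs its matches)."""
    if "dport" in rule and rule["dport"] != pkt.dport:
        return False
    if "src" in rule and rule["src"] != pkt.src:
        return False
    if "dst" in rule and ip_address(pkt.dst) not in ip_network(rule["dst"]):
        return False
    return rule.get("iface", pkt.in_iface) == pkt.in_iface

def fwmark(chain, pkt):
    """First match wins: ACCEPT ends traversal of this chain with no mark."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["mark"] if rule["target"] == "MARK" else None
    return None  # fell off the end of the chain: unmarked

def next_hop(chain, pkt):
    """`ip rule add fwmark 3 table 2` plus `ip route add default via SQUID dev eth2 table 2`."""
    if fwmark(chain, pkt) == 3:
        return ("via " + SQUID, SQUID_IFACE)
    return ("main table", None)  # unmarked packets use normal routing
```

Swapping the MARK rules ahead of the ACCEPT rules makes internal port-80 traffic from eth3.102 take the Squid route as well, which is the ordering mistake the chain layout above avoids.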
Oct 24
Ben King. Categories: Business, Internet, Networks, Vyatta, Interweb, Systems, Web/Tech
We use Linux extensively at bit10, for DNS, front line mail handling, proxying, web hosting, development platforms, you name it we probably do it in Linux or have at least had a good go…
Probably the most important job it does for us though is our firewalling, core network routing and traffic management, both for bit10's internal systems and for the ISP hosting side of the business.
Our implementation is a highly bespoke customisation of Debian using things like iptables, IMQ, vconfig, etc. All good stuff, and it happily handles the routing and traffic management for our entire colocation and ISP services; however, we would be the first to admit it isn't the easiest to maintain and look after. The options in the commercial club (Cisco/Juniper) are simply way too expensive and don't offer the flexibility we require.
A couple of months ago a client came to me needing some fairly significant network reorganisation. They had multiple offices around the world, at each site they had a very unsegmented 'flat' network, between the offices they had a mixture of MPLS and VPN tunnel solutions, and a number of single points of failure.
What we needed to do was to segment up each site into sensible subnets and bring additional resilience to the firewalls and routers.
Our initial reaction was to simply do another custom Linux configuration similar to our own setup; however, we were concerned about the time to get this right and the implications of future maintenance, so we looked off the shelf and very quickly discovered Vyatta.
Vyatta, for the uninitiated among you, punts itself as 'The dawn of open-source networking'. Personally I think this is a bit pessimistic; after all, we have been doing routing and firewalling with Linux for as long as I can remember. It's more 'The late afternoon after a good siesta of open-source networking'.
However here at bit10 ‘Loving Doing Digital’ headquarters we can’t really criticise people on their taglines…
So why is Vyatta different?
The answer is simply that it's relatively easy to get up and running, has a pretty web interface for those who have command line fear, and above all fantastic support.
Vyatta comes in two flavours, the fully open-source free 'community edition' and the 'supported edition'. The community edition will suit you down to the ground if you have relatively simple requirements (basic routing/firewalling/etc.); however, if you are pushing the envelope you are going to need the supported edition, which itself comes in two flavours: '$647/£325' for web-only support and '$897/£450' for full telephone support. Both supported flavours include free updates with the latest fixes.
The telephone support is superb.
Vyatta does have limitations, especially if you are used to getting under the hood and having the full flexibility of Linux based routing; however, the payback is a solution that's far simpler to manage.
Things we didn’t like:
- We couldn't configure the built-in firewall to transparently push traffic to a Squid proxy server. We got around this by going under the hood and having a custom rc.local file that tagged and forwarded the traffic (I will post our script in a follow-up blog post).
- VRRP over VIFs. Vyatta supports VRRP (Virtual Router Redundancy Protocol) and VLANs out of the box; however, you can only run VRRP on real ethernet interfaces, which is troublesome if you are doing a 'router on a stick' solution. We have spoken to Vyatta about this and they have pencilled the functionality in for an upcoming build – good stuff!
- The CLI. In a nutshell the CLI isn't like IOS; it's good and fulfils its job, it's just that mental switch you have to make from IOS mode to something different.
Things we really liked:
- VRRP (Virtual Router Redundancy Protocol) out of the box… VRRP was so simple to set up (on real ethernet interfaces), the village idiot's really stupid cousin could have done it.
- The separation of configuration from installation. Take a clean server, insert Vyatta CD, one line to install it to the local hard drive, copy your configuration onto it. Job done.
- Support. The Vyatta team are passionate about their product, both on the telephone and on the web, and they know its limitations and will tell you so, so you don’t waste any time trying to make it do something it won’t.
Top Tips:
- Unless you are doing something dead basic, go for the supported package, this ensures you get the latest version, you get the support and frankly you support Vyatta.
- Don’t mess around trying to deploy it on that 5 yr old bodge of a server you have sat in the corner gathering dust, your firewall/routers will be business critical, so splash out on some decent hardware, we deployed on Dell 860s (<£1,000 each), which is all supported hardware and had no hardware related issues.
- Think about what you are trying to achieve, plan it first.
- Make sure you actually know a little about networking. While it makes life as simple as possible for the user, it's not dumbed down to the level of a £50 ADSL router from PCWorld. If you don't know the basics about routing, firewalling, etc. get someone to help you.
Performance:
I haven't done any formal performance testing on Vyatta; however, we have deployed it in bandwidth-heavy environments, with upwards of 200 LAN users across 10 network segments, and a single-processor Dell 860 is running well under 10% load…
So is Vyatta Cisco on a shoestring? In my opinion, if Vyatta can do the job you want, it's definitely preferable to the Cisco option. Probably the strongest reason beyond just price is that Vyatta abstracts the software from the hardware, i.e. within reason you can redeploy a Vyatta configuration on any server with enough interfaces.
All in all well worth looking at.
Oct 22
Ben King. Categories: bit10, Business, Other, Selling, Web/Tech
Talking about: http://www.jobs.ac.uk/blogs/simply-better
Andrew has quite rightly identified one of bit10's recurring problems: people often fail to understand everything we do. Mostly they pigeonhole us into being experts in the thing they use us for…
Of course this is entirely our fault, we start by hiding behind ‘Full service digital agency’ who ‘Loves doing digital’, but few people realise what this means, then we somehow fail to make the effort to communicate to our customers what we actually do.
This problem is exacerbated by the fact that our customer research has told us that current bit10 customers NEVER look at our website (hence our site is now firmly targeted at new customers).
The solution is frankly simply down to plain old conversation: take the time to chat to your customers to identify their current and future business needs and then point out where you can help them! As per usual, everyone's enemy… 'Time' gets in the way.
For the record, bit10 do:
- Internet, intranet, digital marketing strategy and consultancy
- Creative web design
- Web application development
- Accessibility testing
- Usability testing
- Web analytics
- Online marketing (dm, adword and affiliate marketing management)
- Hosting
- Internet connectivity (University of Warwick Science Park only)
Basically everything Internet!
You can see the full blurb here.
And thanks Andrew for giving me an excuse to list bit10's services on my blog!
Oct 19
Ben King. Categories: Business, Energy, Life, Other
Commenting on: http://www.theregister.co.uk/2007/10/19/bt_wind_farms/
In a nutshell, BT (which accounts for 0.7% of the UK power usage) is investing £250m in building its own windfarms, which it estimates will generate 25% of its power needs, or enough to power a city the size of Coventry.
Firstly good work BT, good to see a corporate taking its responsibility seriously.
The numbers however lead to some interesting thoughts, and it all seems so cheap that why aren't we doing it… over-simplified argument coming up.
We are based in Coventry and as of the last Census there's about 300,000 of us living here. If £250m buys you enough power for a city the size of Coventry… unless I have got the zeros wrong on my calculator that equates to £833 per person… I reckon I spend half that per year on power at home… so where do I sign up?
Take this up to a national scale and it equates to £143b, which while not a trivial sum of money still only equates to £2380 per person… so I wonder what the ROI on a wind turbine is?
Oct 03
Ben King. Categories: Life, Travel
On the way to work at the moment there are some roadworks in Canley while Coventry City Council adds yet more bus lanes… this has led to a 400m length of dual carriageway (past the graveyard) that filters down to one lane at the end just before hitting the roundabout with the roadworks.
Everyday there is a queue in the left hand lane (usually backing up and blocking/slowing down the feeder roads) with a completely empty right hand lane…
… and every day I simply jump into the right hand lane and merge in at the front of the queue, much to the disgust of everyone else queuing patiently in the left.
This beautifully exemplifies:
- ‘Never Underestimate the Power of Human Stupidity’ – It doesn’t take a genius to work out that if we split the traffic evenly between the two lanes that would mean less congestion on the surrounding roads.
- ‘British Politeness’ – Frankly the British love queuing and are just too polite to use sense.
- ‘No one reads the Highway Code’ – The Highway Code says here ‘where lanes are restricted due to road works, merge in turn’.
Nuff said!