| Home Prev |  cOS Core 14.00.17 Administration Guide
|
Next |
|---|
Overview
One of the first things an administrator often wants to do after starting cOS Core for the first time is to set up access to the Internet. This section is a quick start guide to doing this and refers to many other sections in Chapter 3, Fundamentals as well as Chapter 4, Routing which follows. This section is designed to be a broad overview of setting up Internet access for all cOS Core platforms. Clavister provides specific Getting Started guides for different Clavister hardware models as well as other getting started guides for setup in a virtual machine environment using VMware, KVM or Hyper-V. This section is designed to be a broad overview of setting up Internet access for the RSG-400 firewall function. There is also a RSG-400 Getting Started Guide Which covers initial configuration of the RSG-400's firewall function.Getting started guides contain a comprehensive section on Internet setup which is specific to each environment and the administrator is advised to refer to them for more detailed information. The guides also explain how to set up Internet PPPoE and PPTP access.
When cOS Core is accessed for the first time through the Web Interface using a web browser, the administrator is not taken directly to the interface. Instead, a Setup Wizard runs which takes the administrator through a number of dialogs to set up the basic cOS Core configuration. A portion of the wizard deals with the setup of Internet access.By dismissing the wizard, the administrator can go straight to the Web Interface and perform setup manually, step by step. The sections below assume that setup is being performed manually but they are also useful in understanding the setup steps that the wizard automates.
Note that the setup wizard will only be displayed in the Web Interface if cOS Core is in its default state and no configuration changes have been made. This is discussed further in an article in the Clavister Knowledge Base at the following link:
https://kb.clavister.com/324735674
IP Address Options
Initially, access to the Internet will not be possible via the Clavister firewall. To achieve this, access must first be arranged with an Internet Service Provider (ISP). The ISP will probably offer two options for access:Using Static IP Addresses
Access can be set up using static IP addresses. The ISP provides the required addresses (for example, in an email) and these are manually input into the cOS Core configuration.
Using DHCP
cOS Core can act as a DHCP client and use the DHCP protocol to automatically retrieve all the IP addresses required across the connection with the ISP. No addresses need to be entered manually.
For the static IP address option, the ISP should provide:
A public IPv4 address for the Clavister firewall. This is assigned to the interface that connects to the ISP.
The IP address of the ISP's "gateway" router.
A network address for the network between the ISP and the firewall. This can be used for addressing any hosts that lie on this network aside from the ISP's gateway.
![[Note]](images/note.png) |
Note: cOS Core ignores the broadcast address |
|---|---|
|
The broadcast IP address need not be specified. It is automatically calculated by cOS Core but is not responded to. |
Creating IP Objects
Once the ISP has provided the necessary information, several IP objects in the cOS Core Address Book need to be defined. The address book provides a way to associate a text name with an IP address, IP range or IP network. Instead of retyping IP addresses, these names can then be selected throughout the Web Interface and InControl. as well as being used with CLI commands.Before defining any new addresses, the address book already contains a number of useful addresses by default. One of the most useful is the all-nets address, which corresponds to the IPv4 address 0.0.0.0/0 (all hosts and networks).
To create the IP objects necessary for Internet access, go to Objects > Address Book in the Web Interface or InControl and then select Add > IP address.
The following IP objects should be added or modified:
Create a new IP object called gw-world with the IPv4 address of the ISP gateway.
One Ethernet interface should be dedicated to connection to the ISP. We will assume here that the interface is wan. This interface will have the IP address object wan_ip as its IP address and belong to the network wan_net. Modify the object wan_ip so it is assigned the public IPv4 address of the firewall.
The object wan_net should be allocated the network address provided by the ISP. This is the network between the Clavister firewall and the ISP and both the wan and the ISP's gateway will belong to it.
Interface Naming
The Ethernet interface wan is assumed in this publication to be the default name of the interface to which the ISP is connected. Different processing platforms may have different default names and these names may be changed by the administrator. The above should therefore be adapted for the particular platforms being usedcOS Core uses certain naming conventions for particular objects, such as gw-world for the ISP gateway. These need not be followed by the administrator but if they are followed, it makes examination of a configuration by support personnel easier.
The IP addresses defined in the previous section can alternatively be retrieved automatically from the ISP using the DHCP protocol. This is done by enabling DHCP on the Ethernet interface. The address book will now be automatically populated with all relevant IP addresses as they are received from the ISP via DHCP.
See Chapter 5, DHCP Services for more information about this topic.
Example 3.60. Enabling DHCP
Assume that the wan is connected to the gateway of the ISP. The requirement is to enable DHCP on this interface.
Command-Line Interface
Device:/> set Interface Ethernet wan DHCPEnabled=YesInControl
Follow similar steps to those used for the Web Interface below.
Web Interface
An important cOS Core principle that is repeated throughout this guide and which will be stated again here, is that there are a minimum of two cOS Core configuration components required for data traffic to flow through the firewall:
A Matching Route
When traffic arrives at one cOS Core interface, it has a destination IP address. A routing table in cOS Core contains routes which specify which destination IP address or network can be found on which interface. cOS Core uses this information to forward data out through the right interface.
A Matching IP Rule Set Entry
Before any traffic can flow out through the interface decided by a route, there must be an entry in the IP rule sets that allows the traffic to flow.
IP rule set entries like IP Policy objects are a key component of the security policies defined by the administrator in the cOS Core configuration. They can block or allow traffic based on its protocol type as well as on a combination of source/destination interface and source/destination network.
Usually, no predefined IP rule set entries exist and all traffic is therefore dropped until one is defined which allows it. An exception to this is certain Clavister hardware models that use DHCP for rapid connection for internal clients and to the external Internet. In this case a small set of IP rule set entries is predefined to allow immediate client to Internet traffic flow.
The creation of the appropriate route and IP rule set entries for Internet access is discussed in the sections that follow.
Initially, no route will exist in the main routing table that allows traffic to reach the Internet so this must be defined. The routes parameters will be as follows:
| Interface | Network | Gateway |
|---|---|---|
| wan | all-nets | gw-world |
Notice that the destination network for this route is all-nets. When cOS Core needs to determine which interface the received traffic should be forwarded out from, it looks in a routing table for the "narrowest" destination network match. This all-nets route is therefore a catch-all route that will be used when no other, more specific, matching route exists. There should therefore only be one all-nets route.
The all-nets route is, in fact, created automatically by cOS Core when the gateway IPv4 address is specified for an Ethernet interface.
To create the route manually in the Web Interface or InControl, go to Routes > New Route.
The route to access wan_net via the wan interface will be automatically created when the wan_net object is edited and the gateway defined.
See Chapter 4, Routing for more information about routes.
Example 3.61. Adding an all-nets Route
This example shows how an all-nets route is added manually to the main routing table. The IP address object isp_gw_ip is the IP of the ISP's gateway.
Command-Line Interface
Change the context to be the routing table:
Device:/> cc RoutingTable mainAdd the route:
Device:/main> add Route Interface=wan
Network=all-nets
Gateway=isp_gw_ipReturn to the default CLI context:
Device:/main>ccDevice:/>
InControl
Follow similar steps to those used for the Web Interface below.
Web Interface
Before traffic can flow to the ISP, an appropriate IP Policy object should be created to the allow the traffic.
For web browsing of the Internet, DNS and HTTP traffic should be allowed to flow. It may also be necessary to use NAT to share a single public IP address assigned to the firewall so that the internal network topology of private IPv4 addresses is hidden.
For example, if web surfing is going to be done from clients on the internal network lan_net attached to the lan interface to the Internet connected to the wan interface, then the IP rules for DNS and HTTP would be:
| Action | Src Interface | Src Network | Dest Interface | Dest Network | Service |
|---|---|---|---|---|---|
| Allow/NAT | lan | lan_net | wan | all-nets | dns-all |
| Allow/NAT | lan | lan_net | wan | all-nets | http-all |
The service http-all includes both the HTTP and HTTPS protocols but not DNS so a second rule of policy is needed. The single service all_services could have been used in a single rule but this is not recommended as this would mean connections could be opened on any port number and this can compromise security. The best approach is to define the IP rule set filter as narrowly as possible, which has been done here.
Example 3.62. Creating IP Policy Objects for Internet Access
This example creates an IP policy called surf_http that allows clients on the lan_net network to access the Internet. It is assumed that traffic is being NATed to the Internet using the public IP address of the wan interface.
A second policy is also created called surf_dns which allows DNS queries.
Note that the Source Translation property of the IP policies in this example is set to NAT. This property could also be left at the default value of Auto in which case NAT translation is performed automatically when the source IP of a connection is a private IP address and the destination is a public IP address. The Auto setting is explained further in Section 8.5, Automatic Translation.
Command-Line Interface
Create policy for the http-all service:
Device:/> add IPPolicy Name=surf_http
SourceInterface=lan
SourceNetwork=lan_net
DestinationInterface=wan
DestinationNetwork=all-nets
Service=http-all
Action=Allow
SourceAddressTranslation=NAT
NATSourceAddressAction=OutgoingInterfaceIPRepeat for the dns-all service:
Device:/> add IPPolicy Name=surf_dns
SourceInterface=lan
SourceNetwork=lan_net
DestinationInterface=wan
DestinationNetwork=all-nets
Service=dns-all
Action=Allow
SourceAddressTranslation=NAT
NATSourceAddressAction=OutgoingInterfaceIPThe Action in the above CLI definitions has not been specified. The default value is Allow.
InControl
Follow similar steps to those used for the Web Interface below.
Web Interface
Create policy for the http-all service:
Repeat for the dns-all service:
See Section 3.6, IP Rule Sets and Section 3.6.2, Creating IP Policies for more information about rules and policies.
cOS Core needs external DNS servers to be defined in order to resolve certain FQDNs. This is particularly important for certificate handling. Up to three DNS servers can be manually specified to cOS Core and at least one should be configured for DNS lookup to function.
Example 3.63. Configuring DNS Servers
Assume that the cOS Core address book already contains the IPv4 addresses dns_server_1 and dns_server_2 for the primary and secondary DNS servers.
Command-Line Interface
Device:/> set DNS DNSServer1=dns_server_1 DNSServer2=dns_server_2InControl
Follow similar steps to those used for the Web Interface below.
Web Interface
Automatic DNS Configuration through DHCP
If connection to an ISP is done with DHCP then the ISP's DHCP server should automatically configured at least one DNS server in cOS Core at the same time all other IP addresses are configured during initial connection to the ISP.When DHCP configures the DHCP servers in cOS Core, names are automatically assigned to these servers so they can be referenced later in user interfaces. The names used are of the form <if-name>_dns1, <if-name>_dns2 and so on, where <if-name> is the interface name on which the DHCP addresses are received.
When cOS Core itself acts as a DHCP server, the DNS addresses it hands out are, by default, the same as those received through DHCP unless different DNS servers are explicitly specified.
Default DNS Server Address Names with DHCP
When cOS Core receives DNS servers through DHCP, these are automatically added to the address book with a default name that follows the pattern <interface-name>_DNS<num>. For example, the second DNS server address allocated through the wan interface would appear in the address book as wan_DNS2.When viewed in the Web Interface or InControl, these DNS addresses always have the value 0.0.0.0. To see the actual value after it has been assigned with DHCP, use the CLI command dhcp -show. For example, to see the status of the DNS servers on the wan interface, use the command:
Device:/> dhcp -show wan
See Section 3.10, DNS for more information about this topic.
