Chapter 11: Internet Access

This chapter describes how to set up access to the public Internet through the CLI, using static IP addresses supplied by an ISP.

Assumptions

It is assumed in this section that the hardware platform has two Ethernet interfaces available: interface if1 and interface if2. The if2 interface will be used for connection to the public Internet and the if1 interface will be used for connection to a protected, local network.

Required IP Address Objects

It is first necessary to set or create a number of IP address objects. It is assumed here that the interface used for Internet connection is if2, the ISP gateway IPv4 address is 10.5.4.1, the IPv4 address for the connecting interface will be 10.5.4.35 and the network to which they belong is 10.5.4.0/24.

Note: Private IPv4 addresses are used for example only

Each installation's IP addresses will be different from these IP addresses but they are used here only to illustrate how setup is done. Also, these addresses are private IPv4 addresses and in reality an ISP would use public IP addresses instead.

The first object to add is the gateway IP address object, which will be called wan_gw:

System:/> add Address IPAddress wan_gw Address=10.5.4.1

This is the address of the ISP's gateway which is the first router hop towards the public Internet. If this IP object already exists, it can be given the IP address with the command:

System:/> set Address IPAddress wan_gw Address=10.5.4.1

Defining Routes

A route must now be defined which specifies that the Internet can be found on the if2 interface, along with the IP address of the default gateway, which is the ISP's router. First, change the context to be the main routing table:

System:/> cc RoutingTable main

The prompt changes to indicate the context has changed:

System:/RoutingTable/main> 

Now add the route to the Internet:

System:/RoutingTable/main> add Route
			Interface=if2
			Network=all-nets-ip4
			Gateway=wan_gw

Once the route is added, the context is changed back to the original with the command:

System:/RoutingTable/main> cc

Next, set the IP object if2_ip which will be the IP address of the interface connected to the ISP:

System:/> set IPAddress if2_ip Address=10.5.4.35

On initial startup, cOS Stream automatically creates all the interface-related IP address objects (such as if2_ip and if2_net) in the address book, which is why they are set here rather than added.

Now set the IP object if2_net which will be the IP network of the connecting interface:

System:/> set IPAddress if2_net Address=10.5.4.0/24

It is recommended to verify the properties of the if2 interface with the command:

System:/> show Interface EthernetInterface if2

The typical output from this will be similar to the following:

                     Property  Value
 ----------------------------  --------------------------
                        Name:  if2
             EthernetAddress:  0:<empty>  1:<empty>
       HAEthernetAddressMode:  PrivateSharedMAC
                      HAType:  Critical
              MonitorTargets:  <empty>
                   Backplane:  No
              EthernetDevice:  0:if2  1:if2
            VLANOutboundPrio:  0
      VLANOutboundPrioPolicy:  Set (Set priority)
                   PrivateIP:  0:<empty>  1:<empty>
  RouterAdvertisementProfile:  DefaultProfile
                         MTU:  1500
                   IPAddress:  if2_ip
                IP4Broadcast:  <empty>
      RoutingTableMembership:  <all>
                 DHCPEnabled:  <empty>
SecurityEquivalentInterfaces:  <empty>
    IPv6AddressConfiguration:  Static
                        Zone:  <empty>
                    Comments:  <empty>

Defining IP Rules

Even though an all-nets-ip4 route now exists, no traffic can flow without the addition of an IP rule which explicitly allows the flow. Let us assume we want to allow web surfing from the protected network if1_net on interface if1 out through interface if2. A simple rule to do this would have an Action of Allow and would be defined with the following commands.

First, in order to be able to add or modify rules, it is necessary to change the current CLI context to the main IP rule set using the command:

System:/> cc RuleSet IPRuleSet main

Notice that the CLI prompt changes to reflect the current context:

System:/main> 

Now add an IP rule called lan_to_wan that allows the traffic through to the public Internet:

System:/main> add IPRule
			Action=Allow
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=if2
			DestinationNetwork=all-nets-ip4
			Service=http
			Name=lan_to_wan

Since the protected network is likely to consist of private IPv4 addresses, a NAT rule is more likely to be required so that hosts on if1_net share the public IP address of if2. In that case the rule above would instead be defined with SourceTranslation set to NAT. Note that the DestinationInterface must be an interface (if2) and the DestinationNetwork an address object (all-nets-ip4); swapping the two is a common mistake. The CLI command for defining the NAT rule is:

System:/main> add IPRule
			Action=Allow
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=if2
			DestinationNetwork=all-nets-ip4
			Service=http
			SourceTranslation=NAT
			Name=lan_to_wan

The service used in the IP rule is http, which will allow most web surfing but does not include the DNS protocol needed to resolve hostnames into IP addresses. To solve this, a custom service combining http and dns could be used in the above rule. However, the recommended method, which gives the configuration the most clarity, is to create a separate IP rule for DNS:

System:/main> add IPRule
			Action=Allow
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=if2
			DestinationNetwork=all-nets-ip4
			Service=dns-all
			SourceTranslation=NAT 
			Name=lan_to_wan_dns

Activating and Committing Changes

After any changes are made to a configuration, they are saved as a new configuration but are not yet activated. To activate all the configuration changes made since the last activation, the following command must be issued:

System:/> activate

Although the new configuration is now activated, it does not become permanent until the following command is issued within 30 seconds of the activate:

System:/> commit

The reason for the two commands is to prevent a configuration from accidentally locking out the administrator. If a lock-out occurs, the second command will not be received and cOS Stream will revert to the previous configuration after the 30 second period has elapsed. Before committing, it is therefore good practice to check that the management connection still works over the newly activated configuration. The time period is a setting that can be changed as shown in the example below.

Example 11.1. Changing the Activation Revert Timeout

This example shows how the revert timeout that starts when a configuration is activated can be changed from the default of 30 seconds to 120 seconds.

Command-Line Interface

System:/> set Settings RemoteMgmtSettings BiDirTimeout=120
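The following Python model is an added example and is not code from cOS Stream. It reproduces only the activate, commit and revert rule described above so that the lock-out case can be exercised offline: an activated configuration is running immediately, but it is kept only if a commit arrives inside the revert window (30 seconds by default, or whatever the timeout above is set to); otherwise the last committed configuration is restored. The names ConfigStore and safe_change, the mgmt_reachable callback and the use of plain string labels for configurations are assumptions made here.

```python
"""Model of the activate / commit / revert behaviour described above.

Added example; not code from cOS Stream. It implements only what the chapter
states: a configuration activated with 'activate' is kept only if 'commit'
arrives within the revert timeout (30 s by default), otherwise the previously
committed configuration is restored. The class and function names are
assumptions made here; configurations are represented by plain labels.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class ConfigStore:
    committed: str                       # last configuration made permanent
    timeout: float = 30.0                # revert window in seconds
    pending: Optional[str] = None        # activated but not yet committed
    activated_at: Optional[float] = None
    running: str = field(init=False)     # configuration currently in effect

    def __post_init__(self) -> None:
        self.running = self.committed

    def activate(self, candidate: str, now: float) -> None:
        """Put the candidate into effect and start the revert timer."""
        self.pending = candidate
        self.activated_at = now
        self.running = candidate

    def tick(self, now: float) -> bool:
        """Advance the clock; return True if an uncommitted config was reverted."""
        if self.pending is not None and now - self.activated_at >= self.timeout:
            self.running = self.committed
            self.pending = None
            self.activated_at = None
            return True
        return False

    def commit(self, now: float) -> bool:
        """Make the activated config permanent; False if the window has closed."""
        if self.tick(now) or self.pending is None:
            return False
        self.committed = self.pending
        self.pending = None
        self.activated_at = None
        return True


def safe_change(store: ConfigStore, candidate: str, now: float,
                mgmt_reachable: Callable[[], bool]) -> str:
    """Activate, then commit only if the administrator can still reach the device.

    mgmt_reachable stands in for a real check (for example opening a new
    management session to the device) run over the newly activated config.
    """
    store.activate(candidate, now)
    if mgmt_reachable():
        store.commit(now + 1.0)
        return "committed"
    # Locked out: no commit can be sent, so the timer restores the old config.
    store.tick(now + store.timeout)
    return "reverted"


if __name__ == "__main__":
    store = ConfigStore("baseline")
    print(safe_change(store, "new-rules", 0.0, lambda: False), store.running)
    print(safe_change(store, "new-rules", 60.0, lambda: True), store.running)
```

When scripting real changes, the probe standing in for mgmt_reachable should be a fresh management connection opened after the activate, since an already open session may not exercise the new rules the way a new connection does, and it has to finish well inside the revert window.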

Allowing ICMP Ping Requests

It can be useful to allow ICMP Ping requests to be sent out to external hosts on the Internet. As discussed earlier, the system will drop any traffic unless an IP rule explicitly allows it. Let us suppose that we wish to allow the pinging of external hosts with the ICMP protocol by computers on the internal if1_net network. The commands to allow this are as follows.

First, the current CLI context must be changed to be the IPRuleSet called main using the command:

System:/> cc RuleSet IPRuleSet main

Now add an IP rule called allow_ping_outbound to allow ICMP pings to pass:

System:/main> add IPRule
			Action=Allow
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=if2
			DestinationNetwork=all-nets-ip4
			Service=ping-outbound-ip4
			SourceTranslation=NAT
			Name=allow_ping_outbound
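The following Python script is an added example and is not part of this chapter or of cOS Stream. It assembles the CLI command sequence from the whole chapter (the wan_gw address object, the default route, the interface address objects, the NAT IP rules for http and DNS, and the outbound ping rule) from a few parameters and checks them before they are typed into a device: that the gateway and interface address really lie inside the ISP network, that the network object is given a network address rather than a host address, that every Interface field names an interface and every Network field names an address object (the swap that is easy to make in the NAT rule), and that no two rules share a name. The parameter values are the chapter's example addresses; the INTERFACES and NETWORK_OBJECTS sets, the parameter names and the function names are assumptions of this example.

```python
"""Assemble and sanity-check the cOS Stream CLI sequence shown in this chapter.

Added example; not part of the chapter or of cOS Stream. The commands,
object names, service names and prompts come from the chapter; the
parameter names, the INTERFACES / NETWORK_OBJECTS sets and the functions
are assumptions made here for illustration.
"""
import ipaddress

# Constructed parameters mirroring the chapter's example values.
WAN_IF = "if2"
LAN_IF = "if1"
WAN_GW = "10.5.4.1"        # ISP gateway, first hop towards the Internet
WAN_IP = "10.5.4.35"       # address of the interface facing the ISP
WAN_NET = "10.5.4.0/24"    # network both of those addresses belong to
LAN_NET_OBJ = "if1_net"    # address object for the protected network

# Assumed inventory, used to catch swapped Interface/Network fields.
INTERFACES = {LAN_IF, WAN_IF}
NETWORK_OBJECTS = {"all-nets-ip4", "if1_net", "if2_net", "if2_ip", "wan_gw"}


def check_addressing(gw: str, ip: str, net: str) -> list:
    """Return a list of problems with the ISP addressing; an empty list means OK."""
    problems = []
    try:
        network = ipaddress.ip_network(net, strict=True)
    except ValueError:
        # e.g. "10.5.4.35/24": a host address was used where the network is needed
        return [f"{net} has host bits set; the network object needs the network address"]
    gateway = ipaddress.ip_address(gw)
    address = ipaddress.ip_address(ip)
    if gateway not in network:
        problems.append(f"gateway {gw} is not inside {net}")
    if address not in network:
        problems.append(f"interface address {ip} is not inside {net}")
    if gateway == address:
        problems.append("gateway and interface address are identical")
    if address in (network.network_address, network.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    return problems


def ip_rule(name, src_if, src_net, dst_if, dst_net, service, nat=False) -> str:
    """Render one 'add IPRule' command, refusing swapped interface/network values."""
    for label, value in (("SourceInterface", src_if), ("DestinationInterface", dst_if)):
        if value not in INTERFACES:
            raise ValueError(f"{label}={value} is not an interface")
    for label, value in (("SourceNetwork", src_net), ("DestinationNetwork", dst_net)):
        if value not in NETWORK_OBJECTS:
            raise ValueError(f"{label}={value} is not an address object")
    parts = ["add IPRule", "Action=Allow",
             f"SourceInterface={src_if}", f"SourceNetwork={src_net}",
             f"DestinationInterface={dst_if}", f"DestinationNetwork={dst_net}",
             f"Service={service}"]
    if nat:
        parts.append("SourceTranslation=NAT")   # share the if2 address
    parts.append(f"Name={name}")
    return " ".join(parts)


def build_commands() -> list:
    """Return the CLI commands in the order the chapter issues them."""
    problems = check_addressing(WAN_GW, WAN_IP, WAN_NET)
    if problems:
        raise ValueError("; ".join(problems))
    rules = [
        ip_rule("lan_to_wan", LAN_IF, LAN_NET_OBJ, WAN_IF, "all-nets-ip4", "http", nat=True),
        ip_rule("lan_to_wan_dns", LAN_IF, LAN_NET_OBJ, WAN_IF, "all-nets-ip4", "dns-all", nat=True),
        ip_rule("allow_ping_outbound", LAN_IF, LAN_NET_OBJ, WAN_IF, "all-nets-ip4",
                "ping-outbound-ip4", nat=True),
    ]
    names = [r.rsplit("Name=", 1)[1] for r in rules]
    if len(names) != len(set(names)):
        raise ValueError(f"duplicate rule names: {names}")
    return [
        f"add Address IPAddress wan_gw Address={WAN_GW}",
        "cc RoutingTable main",
        f"add Route Interface={WAN_IF} Network=all-nets-ip4 Gateway=wan_gw",
        "cc",
        f"set IPAddress {WAN_IF}_ip Address={WAN_IP}",
        f"set IPAddress {WAN_IF}_net Address={WAN_NET}",
        "cc RuleSet IPRuleSet main",
        *rules,
        "cc",
    ]


if __name__ == "__main__":
    print("\n".join(build_commands()))
```

The activate and commit commands are deliberately left out of the generated list: they should be issued interactively, after checking that the management session still works, so that the revert timer described in the section on activating and committing changes can protect against a lock-out.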