###### tags: `finished`
:::success
# INR lab 1 - Basics
:::
## 1. Preparation:
:::info
a. Read the notes at the end.
b. Install the needed dependencies for GNS3: QEMU/KVM, Docker, and Wireshark.
c. Be sure to take a snapshot of your infrastructure before you start
:::
At the very beginning of my work, I want to note that due to small problems with my workstation, I performed this lab work on my laptop in VirtualBox (Ubuntu 20.04 64-bit 4RAM is configured as a hypervisor).
## 2. Installation:
:::info
a. Start a new GNS3 project, configure the pre-installed Ubuntu Cloud Guest template. Check that you can start it.
b. What are the different ways you can configure internet access in GNS3? Test them with a single PC and give a one-line description of each. What are the differences between them?
:::
<center>

Picture 1 - Types of internet access
</center>
The first type is NAT; it uses a virtual bridge via the virbr0 interface. And really, I think that only GNS3 used it, for pinging Google's DNS in my VM (I judge by the amount of data passed through the interface).
<center>

Picture 2 - NAT-connection via virbr0
</center>
And this is the connection via the primary network interface enp0s3. All traffic in my VM goes through it.
<center>

Picture 3 - Connection via enp0s3
</center>
We can use TAP to emulate a physical NIC so that the virtual machine (PC3) can send raw Ethernet frames. To do this, we use a bridge (br0), which is set up between enp0s3 and tap0. Thanks to tap0, the bridge passes frames between PC3 and enp0s3 unchanged. You can see the ARP table of my VM in the picture below:
<center>

Picture 4 - ARP table of VM
</center>
<center>

Picture 5 - TAP-connection via br0
</center>
## 3. Switching:
:::info
a. Create the following topology in GNS3
:::
<center>

Picture 6 - New topology
</center>
:::info
b. Install OpenSSH-server on both VMs and Nginx web server on the Web VM.
:::
I used the following commands for the installation:
```
sudo apt-get install openssh-server
sudo apt-get install nginx
```
:::info
c. What is the IP of the mask corresponding to /28? How many machines can you configure under this subnet?
:::
The prefix /28 corresponds to the mask 255.255.255.240. It includes 16 IP addresses (-2 addresses for broadcast and network), which means that we can configure 14 machines.
:::info
d. Configure the VMs with private static IPs under a /28 subnet.
:::
For a static IP we should edit the file `/etc/netplan/50-cloud-init.yaml` on Admin and Web. But I'm not sure that this is really the right decision because, as the file itself says, "This file is generated" by cloud-init. This means that if we edit this file, it can kill the server's network connection [3]. I'm sure because the first time it really happened. But now it is still working; I don't know how, but okay.
<center>

Picture 7 - Admin configuration in cloud-init

Picture 8 - Web configuration in cloud-init
</center>
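One way to avoid editing the generated file, as an added example that is not the author's configuration: write the static address to a separate netplan file and tell cloud-init to stop managing the network. The interface name `ens3` and the file name `99-static.yaml` are assumptions; the addresses are the ones used for Admin and the gateway later in this lab.

```bash
#!/usr/bin/env bash
# Added example (not the author's configuration). Assumptions: interface name
# ens3 and file name 99-static.yaml are hypothetical; addresses follow the lab.

# write_static_netplan ROOT IFACE CIDR [GATEWAY]
# Writes a static netplan file and switches off cloud-init network generation
# under ROOT (use "/" on the VM, a scratch directory to preview the result).
write_static_netplan() {
  local root="${1%/}" iface="$2" cidr="$3" gw="${4:-}"
  case "$cidr" in
    */28) ;;
    *) echo "expected a /28 address, got: $cidr" >&2; return 1 ;;
  esac
  mkdir -p "$root/etc/netplan" "$root/etc/cloud/cloud.cfg.d"
  # Tells cloud-init not to generate network configuration any more
  printf 'network: {config: disabled}\n' \
    > "$root/etc/cloud/cloud.cfg.d/99-disable-network-config.cfg"
  local f="$root/etc/netplan/99-static.yaml"
  {
    printf 'network:\n  version: 2\n  ethernets:\n'
    printf '    %s:\n      dhcp4: false\n      addresses: [%s]\n' "$iface" "$cidr"
    # The default route is optional: the switched topology has no gateway yet
    if [ -n "$gw" ]; then
      printf '      routes:\n        - to: 0.0.0.0/0\n          via: %s\n' "$gw"
    fi
  } > "$f"
  chmod 600 "$f"   # netplan files should not be world-readable
  echo "$f"
}

# On the Admin VM (as root), then apply with automatic rollback if the new
# settings are not confirmed in time:
#   write_static_netplan / ens3 192.168.10.2/28 192.168.10.1
#   netplan try
```

`netplan try` reverts the change when it is not confirmed, which covers the case of losing the connection after a bad edit.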
:::info
e. Check that you have connectivity between them. Hint: use ping, traceroute, mtr
:::
<center>

Picture 9 - From Web to Admin

Picture 10 - From Admin to Web
</center>
:::info
f. Make sure your web server is accessible from the Admin VM. Hint: use curl or wget
:::
<center>

Picture 11 - A result of commands
</center>
## 4. Routing:
:::info
a. Select a virtual Routing solution (Gateway) such as Mikrotik, PfSense, VyOS, Untangle NG, OpenWrt, Cumulus VX.
b. Change the topology as follows.
:::
<center>

Picture 12 - New topology with the routing solution (Gateway) Mikrotik
</center>
:::info
c. Connect your Gateway to the internet and to your workstation/laptop. (2.b)
:::
For Internet access, I chose the NAT, just because there is not much difference between the NAT bridge and the enp0s3 interface, which also works through the NAT of my computer. Double-NAT :^)
<center>

Picture 13 - Upgraded my network topology
</center>
:::info
d. Configure port forwarding for HTTP and ssh to Web and Admin respectively.
:::
I spent about 10 hours on this item, because I forgot to give the IP address to the receiving port eth1. But I'm still very happy, because without these 10 hours, I would not have mastered all the basic commands in MikroTik, would not have studied the port lists on the virtual machine, would not have learned about setting up port forwarding, would not have learned how to use `nmap`.
Okay, first of all, the interfaces:
```
/ip address add address=192.168.122.200/24 interface=ether3
#this one for our connection with the virtual Big World
/ip address add address=192.168.10.1/24 interface=ether1
#and this one for our local subnet
```
Next, set up masquerading with a rule for the internal network:
```
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.10.1/28
```
And now the port forwarding itself:
```
#From external port 8080 to Web 80
/ip firewall nat add action=netmap chain=dstnat dst-port=8080 in-interface=ether3 protocol=tcp to-addresses=192.168.10.3 to-ports=80
#And from local subnet to Big World
/ip firewall nat add action=netmap chain=dstnat dst-address=192.168.122.200 dst-port=8080 in-interface=ether3 protocol=tcp src-address=192.168.10.1/28 to-addresses=192.168.10.3 to-ports=80
#Here is the forwarding for ssh (22). First from Big World to Admin
/ip firewall nat add action=netmap chain=dstnat dst-port=2222 in-interface=ether3 protocol=tcp to-addresses=192.168.10.2 to-ports=22
#And second one from Admin to World
/ip firewall nat add action=netmap chain=dstnat dst-address=192.168.122.200 dst-port=2222 in-interface=ether3 protocol=tcp src-address=192.168.10.1/24 to-addresses=192.168.10.2 to-ports=22
```
<center>

Picture 14 - The result of the `/ip firewall nat print` command
</center>
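A quick audit of the NAT rules above, as an added example that is not part of the original report: it lists what each dstnat rule exposes and marks two things worth reviewing, a rule that requires an internal source address on the external interface, and an SSH forward with no source restriction. The flag names are made up for this example; the interface roles and addresses come from the commands above.

```bash
#!/usr/bin/env bash
# Added example: audit RouterOS port-forward rules (not the author's code).
WAN_IF="ether3"        # external side, per the interface setup above
LAN_NET="192.168.10."  # textual prefix of the internal subnet (simplification)

# Constructed sample input: the NAT rules from this lab, copied verbatim.
sample_rules() {
cat <<'EOF'
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.10.1/28
/ip firewall nat add action=netmap chain=dstnat dst-port=8080 in-interface=ether3 protocol=tcp to-addresses=192.168.10.3 to-ports=80
/ip firewall nat add action=netmap chain=dstnat dst-address=192.168.122.200 dst-port=8080 in-interface=ether3 protocol=tcp src-address=192.168.10.1/28 to-addresses=192.168.10.3 to-ports=80
/ip firewall nat add action=netmap chain=dstnat dst-port=2222 in-interface=ether3 protocol=tcp to-addresses=192.168.10.2 to-ports=22
/ip firewall nat add action=netmap chain=dstnat dst-address=192.168.122.200 dst-port=2222 in-interface=ether3 protocol=tcp src-address=192.168.10.1/24 to-addresses=192.168.10.2 to-ports=22
EOF
}

# Reads "/ip firewall nat add ..." lines on stdin and prints, per dstnat rule:
#   <ext-port> -> <to-address>:<to-port> src=<src|any> [flags]
audit_nat() {
  awk -v wan="$WAN_IF" -v lan="$LAN_NET" '
    /^\/ip firewall nat add/ {
      split("", kv)                       # portable way to clear the array
      for (i = 5; i <= NF; i++) {         # fields 1-4 are the command itself
        eq = index($i, "=")
        if (eq) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
      }
      if (kv["chain"] != "dstnat") next   # masquerade/srcnat is not a forward
      src = ("src-address" in kv) ? kv["src-address"] : "any"
      flags = ""
      # Traffic from LAN hosts enters on the LAN interface, so a rule that
      # requires a LAN source on the WAN interface does not match it.
      if (kv["in-interface"] == wan && index(src, lan) == 1)
        flags = flags " NOMATCH:lan-src-on-wan-if"
      # Management port forwarded without limiting who may connect.
      if (kv["to-ports"] == "22" && src == "any")
        flags = flags " SSH:no-src-limit"
      printf "%s -> %s:%s src=%s%s\n", kv["dst-port"], kv["to-addresses"], kv["to-ports"], src, flags
    }'
}

sample_rules | audit_nat
```

On the router itself, `/ip firewall nat print stats` shows per-rule packet counters, which confirms whether a rule is ever hit.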
:::info
e. Check that you can ssh to the Admin and access your web page from your workstation/laptop
:::
<center>

Picture 15 - The result of Web access

Picture 16 - The result of ssh connection to Admin
</center>
## References:
1. [Tap Interfaces and Linux Bridge](https://cloudbuilder.in/blogs/2013/12/08/tap-interfaces-linux-bridge/#tap-interfaces---why-do-we-need-them)
2. [Linux TAP interface user access](https://gns3.com/community/featured/linux-tap-interface-user-access)
3. [How to setup a static IP on Ubuntu Server 18.04](https://askubuntu.com/questions/1029531/how-to-setup-a-static-ip-on-ubuntu-server-18-04)
4. [Port forwarding in the MikroTik router (ru)](https://www.technotrade.com.ua/Articles/mikrotik-port-forwarding.php)