Linux as a router setup Q

Posted on 1998-06-02
Medium Priority
Last Modified: 2010-03-18
I want to use my linux box as a gateway between a LAN and
the ethernet backbone:
=======10baseT Ethernet backbone=====University Gateway===>
  |     ____________
  |    |            |
  |____| eth0 (IP1) |
       |            |
       |linux box 1 |
       |            |
  _____| eth1 (IP2) |
 |     |____________|
 | Thinnet coax ethernet LAN
           |                |                 |
       ____|____        ____|____         ____|____
       |        |       |        |        |        |
       |  IP3   |       |  IP4   |        |  IP5   |
       |________|       |________|        |________|
       Linux box 2      Linux box 3       Linux box 4

I have 2 IP addresses for linux box 1, one for each ethernet
card. I also have an IP address for each of the linux boxes
on the LAN and don't need to do masquerading. The University gateway IP is IP0.

Question 1: What daemons do I need to run on linux box 1,
and what parameters do I need to use on the commandline to invoke them? Do I need gated, routed, etc?

Question 2: what are the correct command line arguments for
route and ifconfig on each linux box to make the system work? I don't need a firewall, just want to use Linux box 1
as a router/gateway for the Linux boxen 2-4. I basically want to route all TCP/IP traffic for the box 2-4 through a
linux box.

Question 3: What features do I need to enable in the kernel to make this work?

I need someone to take me through this step by step. Thanks for any help!

Question by:demeler

Expert Comment

ID: 1584439
Answer 1: no daemons...
Answer 2: follow these steps:

- on LinuxBox1, have IP Gatewaying/Firewalling compiled in your kernel
- on Linux-boxes 2-x, have the address of eth1 @ LinuxBox 1 as default gateway
- on LinuxBox 1, have your Backbone Default gateway as default gateway
- on LinuxBox 1, add the following lines to your rc.local or wherever else you want it done
  (presumably after the setup of eth0 & eth1 & routing)

--- cut here ---
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f
ipfwadm -F -a -b -S IP2/Mask -D 0/0 -w eth0
--- cut here ---

with the following substitutions in the last line: IP2/Mask would be the network address of eth1 with the netmask, 192.168.1/24 for example...

should be up and running in < 5 minutes...

have fun

Expert Comment

ID: 1584440
mhomann, didn't demeler say that he *did not* need a firewall and masquerading?

Author Comment

ID: 1584441
ahoffman is correct, why would I need to use ipfwadm if I don't need (more correctly: don't want) a firewall? Also, I have IP
addresses for each computer, so I don't have to do masquerading.

Also, what is the answer to question2 (command line arguments
for route and ifconfig).


Accepted Solution

marcelofr earned 2400 total points
ID: 1584442
1) No daemons, just ip routing configured
2) say IP1 has netmask NM1, broadcast BC1 and its network is N1:

on Linux box 1:

#ifconfig eth0 IP1 netmask NM1 broadcast BC1
#ifconfig eth1 IP2 netmask NM1 broadcast BC2
#echo 1 > /proc/sys/net/ipv4/ip_forward

at this point if you can't ping IP1 (depends on your kernel version), do:
#route add -net N1;route add -net N2

#route add -net default gw IP0

on Linux boxes 2...

#ifconfig eth0 IP3 netmask NM3 broadcast BC3

again if you can't ping IP3:
#route add -net N3

#route add -net default gw IP2

3) The only features you need are IP routing linked in the kernel AND the "echo" command above to enable routing...

I think you know how to get BC1 and N1 from IP1 and NM1... anyway, if you use a C class ip without subnetting, say 200.200.200.xxx, NM1 would be, N1 would be and BC1 would be

Good luck.

Expert Comment

ID: 1584443
linux box 1 also needs IP_FORWARDING in the kernel

Author Comment

ID: 1584444
OK, this sounds good so far, I just have one more clarification question:

Is it necessary to have a complete subnet IP set for linux boxes 2-4? Can I use IP numbers from different subnet groups for each of the machines?

Example in my case:

on linux box 1 I have:
eth0: netmask gateway

on linux box 2 I have:

linux box 3:

linux box 4:

Does that change the route and ifconfig commands?

Expert Comment

ID: 1584445
as long as the subnet IP1 ( is different to IP0 it's ok.

Author Comment

ID: 1584446
OK, I tried your recommendations, but so far this doesn't work.
I must be missing something - here is what I have right now:

ip0 (University Gateway) =
Broadcast =
ip1 =
ip2 =
ip3 =
ip4 =

Here is what ifconfig returns on Linux box 1:

lo        Link encap:Local Loopback  
          inet addr:  Bcast:  Mask:
          RX packets:439 errors:0 dropped:0 overruns:0 frame:0
          TX packets:439 errors:0 dropped:0 overruns:0 carrier:0 coll:0

eth0      Link encap:Ethernet  HWaddr 00:60:08:27:37:17
          inet addr:  Bcast:  Mask:
          RX packets:38273 errors:0 dropped:0 overruns:0 frame:0
          TX packets:851 errors:0 dropped:0 overruns:0 carrier:0 coll:0
          Interrupt:10 Base address:0xee80

eth1      Link encap:Ethernet  HWaddr 00:80:AD:B7:66:C0
          inet addr:  Bcast:  Mask:
          RX packets:28 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 coll:0
          Interrupt:5 Base address:0x300

and here is my current route setup for linux box 1:

localnet        *          U     0      0        7 eth0
loopback        *            U     0      0        2 lo
default         UG    0      0        1 eth0

For linux box 2 I have:

Destination     Gateway         Genmask         Flags MSS    Window Use Iface
localnet        *          U     1500   0        3 eth0
loopback        *            U     3584   0        1 lo
default         crdcci.uthscsa. *               UG    1500   0        0 eth0

lo        Link encap:Local Loopback  
          inet addr:  Bcast:  Mask:
          RX packets:45 errors:0 dropped:0 overruns:0
          TX packets:45 errors:0 dropped:0 overruns:0

eth0      Link encap:10Mbps Ethernet  HWaddr 00:80:AD:B7:6B:8B
          inet addr:  Bcast:  Mask:
          RX packets:248327 errors:0 dropped:0 overruns:0
          TX packets:12415 errors:0 dropped:0 overruns:0
          Interrupt:10 Base address:0x300

From linux box 1 I can't ping either ip2 nor ip3 or ip4.
When I set everything up as a bridge, it works ok, but I want
linux box 1 to be router.
I increase the points to 600 if you can answer me how to set it
up with the route and ifconfig commands for each box that will get this to work.
Thanks, -b.d-

Expert Comment

ID: 1584447
You're using Netmask  so all your boxes are in the same subnet:
This is the reason why it won't work with routing but with bridging.
Do you want to have them in the same subnet?

Author Comment

ID: 1584448
The problem is that I can only use pre-assigned IP addresses,
and they may or may not be in one particular subnet. How do I tell? Do they have to be on the same subnet? Excuse my ignorance on this and the terminology, but that is half the reason I am asking this question here. Are you telling me that I cannot go the routing option? What do I need in order for the routing to work? Please give me an example of what constitutes a valid subnet, and how I tell what a subnet is. If that's what's required to get routing to work, then I may be able to get the appropriate IP addresses allocated. It would help me if I knew what to ask for. Thanks for your effort trying to help me out...

Expert Comment

ID: 1584449
If it is a subnet or not depends on the netmask:

for example netmask defines that the net is, and therefore your IPs all belong to the same subnet.
You just need bridging for this.

If you change the netmask to, the IPs and belong to different subnets. These must be routed.

So in your situation, I recommend using a bridge instead of a router. In one of your comments you said you have already tested a bridge.

Author Comment

ID: 1584450
I did set it up as a bridge before, and that works just fine,
even with IP addresses assigned to eth0 and eth1 on Linux box 1.
Trouble is, I couldn't communicate between linux box 1 and box 2,
unless I go over a third computer outside the bridged network.
In that case I might as well use a network switch. So I am still confused: If I use a netmask of (on box 1?) instead of I would have to route the IP's ...5.44 and 231.12
because they belong to different subnets. So how do I route them properly, or is that not possible? What IP numbers do I need for that to work, some IP addresses that have the same number in the first through third position of the IP address? Forget for a moment that I could use a switch or use my linux box as a bridge.
What do I need here to make it work as a "router"?
Given the IP addresses I showed above, what commands do I need to enter to make these boxes talk to each other, or do I need different IP numbers? If so, what would work given that my netmask is and my primary address (eth0) on linux box 1 is, and the gateway for box 1 is Those numbers cannot be changed. The IP's for eth1 on box 1
as well as the IP's for box 2-4 can probably be changed, if they have to be.

If nothing else, I would like to understand how this router business works...


Expert Comment

ID: 1584451
Ok. I'll use your IPs: First of all you need to provide a route to packets outgoing BUT also to packets returning. So all machines involved have to know how to deliver packets. Second, when a machine has a packet for one of the subnets it knows of, it sends the packet directly, but if the packet is for an address that doesn't match any known interface, it will ask the routing table for a router, first looking for a route to host, then a route to the subnet/network and, if all fails, it sends the packet to the default router. These are the basics of routing.

Now, for the details. [If you read carefully the above paragraph, you are guessing you CAN'T do what you want with a router and without masquerading]

Suppose box 2 tries to connect to Its IP is which lets it access network 129.111.x.x, so it needs a router. It finds no route to host, neither to network, so the packet is delivered to the default router.

box 1 receives the packet and makes the same analysis, and delivers it to the default router: University Gateway.

The packet gets to the Net, and the answer comes back to the University Gateway. Then the Gateway looks at the destination address and finds that it belongs to the local network, and says: "Ok, the packet is for, and I have an interface with netmask, so any address beginning with 129.111 MUST be on its cable, so let's send the packet DIRECTLY, no need for a router"

If box 1 were a bridge, when it sees a packet on one cable to a machine that sits on the other cable, it "COPIES" the packet AS IS to the other interface (in any direction) and solves the problem.

If box 1 were a masquerading router (replacing ORIGINATING host address with its own) the packet from box 2 would reach the Gateway as if it were coming from box 1, Gateway would return the answer packet to box 1 which would replace DESTINATION address with box 2 address. Gateway doesn't have any notice about the existence of box 2, and box 2 thinks that it's connecting directly to the Net.

Finally, if I made myself clear, if you subnet, you need to subnet your University Gateway also (I think you can't), and if you don't, there's no way to use a non-masquerading router.

Good Luck,

-- Marcelo
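
The netmask test and the route lookup described in the two answers above, as an added example that is not part of the original thread. All addresses are constructed (the thread's own values did not survive on this page), and `next_hop` generalizes the "host, then network, then default" order to longest-prefix match.

```python
import ipaddress

# Constructed addresses (not the poster's): a backbone using netmask
# 255.255.0.0, box 1 on both cables, box 2 on the coax LAN behind box 1.
IP1, IP2, BOX2 = "10.20.5.44", "10.20.231.1", "10.20.231.12"

def same_subnet(a, b, netmask):
    """True when a and b fall in the same network under this netmask."""
    net = ipaddress.ip_network(f"{a}/{netmask}", strict=False)
    return ipaddress.ip_address(b) in net

def next_hop(routes, dst):
    """Pick the most specific matching route: host, then network, then default.
    routes: list of (cidr, gateway or None, iface); None means on-link."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(c), gw, dev) for c, gw, dev in routes
            if dst in ipaddress.ip_network(c)]
    if not hits:
        return None  # no route to host
    _, gw, dev = max(hits, key=lambda h: h[0].prefixlen)
    return ("direct" if gw is None else gw, dev)

# Box 2: its own network plus a default route through box 1's eth1.
BOX2_ROUTES = [("10.20.0.0/16", None, "eth0"), ("0.0.0.0/0", IP2, "eth0")]

# University gateway with the flat /16: box 2 looks like it is on its cable.
GW_FLAT = [("10.20.0.0/16", None, "lan"), ("0.0.0.0/0", "192.0.2.1", "wan")]

# The same gateway after subnetting, with a route to the coax LAN via box 1.
GW_SUBNETTED = [("10.20.5.0/24", None, "lan"),
                ("10.20.231.0/24", IP1, "lan"),
                ("0.0.0.0/0", "192.0.2.1", "wan")]

if __name__ == "__main__":
    print("same subnet under /16:", same_subnet(IP1, BOX2, "255.255.0.0"))
    print("same subnet under /24:", same_subnet(IP1, BOX2, "255.255.255.0"))
    print("box 2 outbound:", next_hop(BOX2_ROUTES, "198.51.100.7"))
    # Reply path: the flat gateway sends straight onto the backbone cable,
    # where box 2 is not attached, so the reply never arrives.
    print("reply, flat gateway:", next_hop(GW_FLAT, BOX2))
    print("reply, subnetted gateway:", next_hop(GW_SUBNETTED, BOX2))
```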

Author Comment

ID: 1584452
Thanks - I see how this works now. I also got me a book (TCP/IP
admin by O'Reilly) that helped explain these concepts.

