Linux as a router setup Q

demeler asked
Medium Priority
Last Modified: 2010-03-18
I want to use my linux box as a gateway between a LAN and
the ethernet backbone:
=======10baseT Ethernet backbone=====University Gateway===>
  |     ____________
  |    |            |
  |____| eth0 (IP1) |
       |            |
       |linux box 1 |
       |            |
  _____| eth1 (IP2) |
 |     |____________|
 | Thinnet coax ethernet LAN
           |                |                 |
       ____|____        ____|____         ____|____
       |        |       |        |        |        |
       |  IP3   |       |  IP4   |        |  IP5   |
       |________|       |________|        |________|
       Linux box 2      Linux box 3       Linux box 4

I have 2 IP addresses for linux box 1, one for each ethernet
card. I also have an IP address for each of the linux boxes
on the LAN and don't need to do masquerading. The University gateway IP is IP0.

Question 1: What daemons do I need to run on linux box 1,
and what parameters do I need to use on the commandline to invoke them? Do I need gated, routed, etc?

Question 2: what are the correct command line arguments for
route and ifconfig on each linux box to make the system work? I don't need a firewall, just want to use Linux box 1
as a router/gateway for the Linux boxen 2-4. I basically want to route all TCP/IP traffic for the box 2-4 through a
linux box.

Question 3: What features do I need to enable in the kernel to make this work?

I need someone to take me through this step by step. Thanks for any help!


Answer 1: no daemons...
Answer 2: follow these steps:

- on LinuxBox1, have IP Gatewaying/Firewalling compiled in your kernel
- on Linux-boxes 2-x, have the address of eth1 @ LinuxBox 1 as default gateway
- on LinuxBox 1, have your Backbone default gateway as default gateway
- on LinuxBox 1, add the following lines to your rc.local or wherever else you want it done
  (presumably after the setup of eth0 & eth1 & routing)

--- cut here ---
ipfwadm -I -f
ipfwadm -O -f
ipfwadm -F -f
ipfwadm -F -a -b -S IP2/Mask -D 0/0 -w eth0
--- cut here ---

with the following substitutions in the last line: IP2/Mask would be the network address of eth1 with the netmask, 192.168.1/24 for example...

should be up and running in < 5 minutes...

have fun

mhomann, didn't demeler say that he *did not* need a firewall and masquerading?


ahoffman is correct, why would I need to use ipfwadm if I don't need (more correctly: don't want) a firewall? Also, I have IP
addresses for each computer, so I don't have to do masquerading.

Also, what is the answer to question2 (command line arguments
for route and ifconfig).

linux box 1 also needs IP_FORWARDING in the kernel


OK, this sounds good so far, I just have one more clarification question:

Is it necessary to have a complete subnet IP set for linux boxes 2-4? Can I use IP numbers from different subnet groups for each of the machines?

Example in my case:

on linux box 1 I have:
eth0: netmask gateway

on linux box 2 I have:

linux box 3:

linux box 4:

Does that change the route and ifconfig commands?

as long as the subnet IP1 ( is different to IP0 it's ok.


OK, I tried your recommendations, but so far this doesn't work.
I must be missing something - here is what I have right now:

ip0 (University Gateway) =
Broadcast =
ip1 =
ip2 =
ip3 =
ip4 =

Here is what ifconfig returns on Linux box 1:

lo        Link encap:Local Loopback  
          inet addr:  Bcast:  Mask:
          RX packets:439 errors:0 dropped:0 overruns:0 frame:0
          TX packets:439 errors:0 dropped:0 overruns:0 carrier:0 coll:0

eth0      Link encap:Ethernet  HWaddr 00:60:08:27:37:17
          inet addr:  Bcast:  Mask:
          RX packets:38273 errors:0 dropped:0 overruns:0 frame:0
          TX packets:851 errors:0 dropped:0 overruns:0 carrier:0 coll:0
          Interrupt:10 Base address:0xee80

eth1      Link encap:Ethernet  HWaddr 00:80:AD:B7:66:C0
          inet addr:  Bcast:  Mask:
          RX packets:28 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 coll:0
          Interrupt:5 Base address:0x300

and here is my current route setup for linux box 1:

localnet        *          U     0      0        7 eth0
loopback        *            U     0      0        2 lo
default         UG    0      0        1 eth0

For linux box 2 I have:

Destination     Gateway         Genmask         Flags MSS    Window Use Iface
localnet        *          U     1500   0        3 eth0
loopback        *            U     3584   0        1 lo
default         crdcci.uthscsa. *               UG    1500   0        0 eth0

lo        Link encap:Local Loopback  
          inet addr:  Bcast:  Mask:
          RX packets:45 errors:0 dropped:0 overruns:0
          TX packets:45 errors:0 dropped:0 overruns:0

eth0      Link encap:10Mbps Ethernet  HWaddr 00:80:AD:B7:6B:8B
          inet addr:  Bcast:  Mask:
          RX packets:248327 errors:0 dropped:0 overruns:0
          TX packets:12415 errors:0 dropped:0 overruns:0
          Interrupt:10 Base address:0x300

From linux box 1 I can't ping either ip2 nor ip3 or ip4.
When I set everything up as a bridge, it works ok, but I want
linux box 1 to be router.
I increase the points to 600 if you can answer me how to set it
up with the route and ifconfig commands for each box that will get this to work.
Thanks, -b.d-

You're using Netmask  so all your boxes are in the same subnet:
This is the reason why it won't work with routing but with bridging.
Do you want to have them in the same subnet?


The problem is that I can only use pre-assigned IP addresses,
and they may or may not be in one particular subnet. How do I tell? Do they have to be on the same subnet? Excuse my ignorance on this and the terminology, but that is half the reason I am asking this question here. Are you telling me that I cannot go the routing option? What do I need in order for the routing to work, please give me an example of what constitutes a valid subnet, and how I tell what a subnet is, if that's what's required to get routing to work, then I may be able to get the appropriate IP addresses allocated. It would help me if I knew what to ask for. Thanks for your effort trying to help me out...

If it is a subnet or not depends on the netmask:

for example netmask defines that the net is, and therefore your IPs all belong to the same subnet.
You just need bridging for this.

If you change the netmask to, the IPs and belong to different subnets. These must be routed.

So in your situation, I recommend using a bridge instead of a router. In one of your comments you said you still have tested a bridge.


I did set it up as a bridge before, and that works just fine,
even with IP addresses assigned to eth0 and eth1 on Linux box 1.
Trouble is, I couldn't communicate between linux box 1 and box 2,
unless I go over a third computer outside the bridged network.
In that case I might as well use a network switch. So I am still confused: If I use a netmask of (on box 1?) instead of I would have to route the IP's ...5.44 and 231.12
because they belong to different subnets. So how do I route them properly, or is that not possible? What IP numbers do I need for that to work, some IP addresses that have the same number in the first through third position of the IP address? Forget for a moment that I could use a switch or use my linux box as a bridge.
What do I need here to make it work as a "router"?
Given the IP addresses I showed above, what commands do I need to enter to make these boxes talk to each other, or do I need different IP numbers? If so, what would work given that my netmask is and my primary address (eth0) on linux box 1 is, and the gateway for box 1 is Those numbers cannot be changed. The IP's for eth1 on box 1
as well as the IP's for box 2-4 can probably be changed, if they have to be.

If nothing else, I would like to understand how this router business works...

Ok. I'll use your IPs: First of all you need to provide a route to packets outgoing BUT also to packets returning. So all machines involved have to know how to deliver packets. Second, when a machine has a packet for one of the subnets it knows of, it sends the packet directly, but if the packet is for an address that doesn't match any known interface, it will ask the routing table for a router, first looking for a route to host, then a route to the subnet/network and, if all fails, it sends the packet to the default router. These are the basics of routing.

Now, for the details. [If you read carefully the above paragraph, you are guessing you CAN'T do what you want with a router and without masquerading]

Suppose box 2 tries to connect to Its IP is which lets it access network 129.111.x.x, so it needs a router. It finds no route to host, neither to network, so the packet is delivered to the default router.

box 1 receives the packet and makes the same analysis, and delivers it to the default router: University Gateway.

The packet gets to the Net, and the answer comes back to the University Gateway. Then the Gateway looks at the destination address and finds that it belongs to the local network, and says: "Ok, the packet is for, and I have an interface with netmask, so any address beginning with 129.111 MUST be on its cable, so let's send the packet DIRECTLY, no need for a router"

If box 1 were a bridge, when it sees a packet on one cable to a machine that sits on the other cable, it "COPIES" the packet AS IS to the other interface (in any direction) and solves the problem.

If box 1 were a masquerading router (replacing ORIGINATING host address with its own) the packet from box 2 would reach the Gateway as if it were coming from box 1, Gateway would return the answer packet to box 1 which would replace DESTINATION address with box 2 address. Gateway doesn't have any notice about the existence of box 2, and box 2 thinks that it's connecting directly to the Net.

Finally, if I made myself clear, if you subnet, you need to subnet your University Gateway also (I think you can't), and if you don't, there's no way to use a non-masquerading router.

Good Luck,

-- Marcelo
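
The asymmetry described in the answer above, as an added example that is not part of the original thread: a small Python model of the route lookup (most specific match, else the default router) and of direct delivery by ARP on a cable. All addresses are constructed stand-ins for the thread's elided IP0 to IP3, and the extra gateway route in the second case is an assumption about what subnetting the University Gateway would amount to.

```python
import ipaddress

# Constructed lab addresses standing in for the thread's elided IP0..IP3.
# Each interface address maps to (owning machine, cable it is plugged into).
IFACES = {
    "198.51.100.7": ("outside", "wan"),
    "198.51.100.1": ("gateway", "wan"),
    "10.20.0.1": ("gateway", "backbone"),   # IP0
    "10.20.5.44": ("box1", "backbone"),     # IP1, eth0
    "10.20.231.1": ("box1", "lan"),         # IP2, eth1
    "10.20.231.12": ("box2", "lan"),        # IP3
}

def route(prefix, via, cable):
    return (ipaddress.ip_network(prefix), via, cable)

def tables(gateway_knows_subnet):
    """Routing tables; the gateway keeps its fixed /16 on the backbone."""
    t = {
        "outside": [route("0.0.0.0/0", "198.51.100.1", "wan")],
        "gateway": [route("198.51.100.0/24", None, "wan"),
                    route("10.20.0.0/16", None, "backbone")],
        "box1": [route("10.20.0.0/16", None, "backbone"),
                 route("10.20.231.0/24", None, "lan"),
                 route("0.0.0.0/0", "10.20.0.1", "backbone")],
        "box2": [route("10.20.231.0/24", None, "lan"),
                 route("0.0.0.0/0", "10.20.231.1", "lan")],
    }
    if gateway_knows_subnet:  # assumption: the gateway admin adds this route
        t["gateway"].append(route("10.20.231.0/24", "10.20.5.44", "backbone"))
    return t

def trace(tabs, src, dst):
    """Follow one packet hop by hop; return (delivered, path)."""
    host = IFACES[src][0]
    path = [host]
    for _ in range(8):  # hop limit
        if host == IFACES[dst][0]:
            return True, path
        hits = [r for r in tabs[host] if ipaddress.ip_address(dst) in r[0]]
        if not hits:
            return False, path + ["no route"]
        _, via, cable = max(hits, key=lambda r: r[0].prefixlen)  # most specific
        target = via or dst  # no gateway: ARP for the destination itself
        if IFACES[target][1] != cable:  # nobody on this cable answers
            return False, path + [f"ARP for {target} unanswered on {cable}"]
        host = IFACES[target][0]
        path.append(host)
    return False, path + ["hop limit"]
```

With `tables(False)` the trace from box 2 to the outside host succeeds while the reply stops at the gateway; with `tables(True)` the reply is delivered through box 1.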


Thanks - I see how this works now. I also got me a book (TCP/IP
admin by O'Reilly) that helped explain these concepts.
