Solved

Linux as a router setup Q

Posted on 1998-06-02
14
313 Views
Last Modified: 2010-03-18
I want to use my linux box as a gateway between a LAN and
the ethernet backbone:
                                           IP0
=======10baseT Ethernet backbone=====University Gateway===>
  |     ____________
  |    |            |
  |____| eth0 (IP1) |
       |            |
       |linux box 1 |
       |            |
  _____| eth1 (IP2) |
 |     |____________|
 |
 | Thinnet coax ethernet LAN
 |_____________________________________________
           |                |                 |
       ____|____        ____|____         ____|____
       |        |       |        |        |        |
       |  IP3   |       |  IP4   |        |  IP5   |
       |________|       |________|        |________|
       Linux box 2      Linux box 3       Linux box 4

I have 2 IP addresses for linux box 1, one for each ethernet
card. I also have an IP address for each of the linux boxes
on the LAN and don't need to do masquerading. The University gateway IP is IP0.

Question 1: What daemons do I need to run on linux box 1,
and what parameters do I need to use on the command line to invoke them? Do I need gated, routed, etc.?

Question 2: what are the correct command line arguments for
route and ifconfig on each linux box to make the system work? I don't need a firewall, just want to use Linux box 1
as a router/gateway for the Linux boxen 2-4. I basically want to route all TCP/IP traffic for the box 2-4 through a
linux box.

Question 3: What features do I need to enable in the kernel to make this work?

I need someone to take me through this step by step. Thanks for any help!

Question by:demeler
14 Comments
 
LVL 3

Expert Comment

by:mhomann
ID: 1584439
Answer 1: no daemons...
Answer 2: follow these steps:

- on LinuxBox1, have IP Gatewaying/Firewalling compiled in your kernel
- on Linux-boxes 2-x, have the address of eth1 @ LinuxBox 1 as default gateway
- on LinuxBox 1, have your Backbone Default gateway as default gateway
- on LinuxBox 1, add the following lines to your rc.local or wherever else you want it done
  (presumably after the setup of eth0 & eth1 & routing)

--- cut here ---
ipfwadm -I -f        # flush the input rules
ipfwadm -O -f        # flush the output rules
ipfwadm -F -f        # flush the forwarding rules
ipfwadm -F -a -b -S IP2/Mask -D 0/0 -w eth0   # forward (both directions) from the eth1 net to anywhere, out eth0
--- cut here ---

with the following substitutions in the last line: IP2/Mask would be the network address of eth1 with the netmask, 192.168.1/24 for example...


should be up and running in < 5 minutes...

have fun
              Mathias

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1584440
mhomann, didn't demeler say that he *did not* need a firewall and masquerading?
0
 

Author Comment

by:demeler
ID: 1584441
ahoffmann is correct, why would I need to use ipfwadm if I don't need (more correctly: don't want) a firewall? Also, I have IP
addresses for each computer, so I don't have to do masquerading.

Also, what is the answer to question2 (command line arguments
for route and ifconfig).

Thanks.
0
 
LVL 3

Accepted Solution

by:marcelofr (earned 600 total points)
ID: 1584442
1) No daemons, just ip routing configured
2) Say IP1 has netmask NM1, broadcast BC1 and its network is N1:

on Linux box 1:

#ifconfig eth0 IP1 netmask NM1 broadcast BC1
#ifconfig eth1 IP2 netmask NM1 broadcast BC2
#echo 1 > /proc/sys/net/ipv4/ip_forward

at this point if you can't ping IP1 (depends on your kernel version), do:
#route add -net N1;route add -net N2

then:
#route add -net default gw IP0

on Linux boxes 2...

#ifconfig eth0 IP3 netmask NM3 broadcast BC3

again if you can't ping IP3:
#route add -net N3

then:
#route add -net default gw IP2

3) The only features you need are IP routing linked in the kernel AND the "echo" command above to enable routing...

I think you know how to get BC1 and N1 from IP1 and NM1... anyway, if you use a class C IP without subnetting, say 200.200.200.xxx, NM1 would be 255.255.255.0, N1 would be 200.200.200.0 and BC1 would be 200.200.200.255.

Good luck.

Marcelo
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1584443
linux box 1 also needs IP_FORWARDING in the kernel
0
 

Author Comment

by:demeler
ID: 1584444
OK, this sounds good so far, I just have one more clarification question:

Is it necessary to have a complete subnet IP set for linux boxes 2-4? Can I use IP numbers from different subnet groups for each of the machines?

Example in my case:

on linux box 1 I have:
eth0: 129.111.5.44 netmask 255.255.0.0 gateway 129.111.1.13
eth1: 129.111.231.13

on linux box 2 I have:
eth0: 129.111.1.233

linux box 3:
eth0: 129.111.17.74

linux box 4:
eth0: 129.111.231.12

Does that change the route and ifconfig commands?

Thanks!
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1584445
as long as the subnet IP1 (129.111.0.0) is different to IP0 it's ok.
0
 

Author Comment

by:demeler
ID: 1584446
OK, I tried your recommendations, but so far this doesn't work.
I must be missing something - here is what I have right now:

ip0 (University Gateway) = 129.111.1.13
Broadcast = 255.255.0.0
ip1 = 129.111.5.44
ip2 = 129.111.231.13
ip3 = 129.111.231.12
ip4 = 129.111.17.74



Here is what ifconfig returns on Linux box 1:

ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:439 errors:0 dropped:0 overruns:0 frame:0
          TX packets:439 errors:0 dropped:0 overruns:0 carrier:0 coll:0

eth0      Link encap:Ethernet  HWaddr 00:60:08:27:37:17
          inet addr:129.111.5.44  Bcast:129.111.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38273 errors:0 dropped:0 overruns:0 frame:0
          TX packets:851 errors:0 dropped:0 overruns:0 carrier:0 coll:0
          Interrupt:10 Base address:0xee80

eth1      Link encap:Ethernet  HWaddr 00:80:AD:B7:66:C0
          inet addr:129.111.231.13  Bcast:129.111.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 coll:0
          Interrupt:5 Base address:0x300

and here is my current route setup for linux box 1:


localnet        *               255.255.0.0     U     0      0        7 eth0
loopback        *               255.0.0.0       U     0      0        2 lo
default         129.111.1.13    0.0.0.0         UG    0      0        1 eth0

For linux box 2 I have:

Destination     Gateway         Genmask         Flags MSS    Window Use Iface
localnet        *               255.255.0.0     U     1500   0        3 eth0
loopback        *               255.0.0.0       U     3584   0        1 lo
default         crdcci.uthscsa. *               UG    1500   0        0 eth0

and:
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:45 errors:0 dropped:0 overruns:0
          TX packets:45 errors:0 dropped:0 overruns:0

eth0      Link encap:10Mbps Ethernet  HWaddr 00:80:AD:B7:6B:8B
          inet addr:129.111.231.12  Bcast:129.111.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:248327 errors:0 dropped:0 overruns:0
          TX packets:12415 errors:0 dropped:0 overruns:0
          Interrupt:10 Base address:0x300


From linux box 1 I can't ping ip2, ip3 or ip4.
When I set everything up as a bridge, it works ok, but I want
linux box 1 to be a router.
I'll increase the points to 600 if you can answer me how to set it
up with the route and ifconfig commands for each box that will get this to work.
Thanks, -b.d-

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1584447
You're using netmask 255.255.0.0, so all your boxes are in the same subnet: 129.111.0.0
This is the reason why it won't work with routing but does with bridging.
Do you want to have them in the same subnet?
0
 

Author Comment

by:demeler
ID: 1584448
The problem is that I can only use pre-assigned IP addresses,
and they may or may not be in one particular subnet. How do I tell? Do they have to be on the same subnet? Excuse my ignorance on this and the terminology, but that is half the reason I am asking this question here. Are you telling me that I cannot go the routing option? What do I need in order for the routing to work? Please give me an example of what constitutes a valid subnet, and how I tell what a subnet is. If that's what's required to get routing to work, then I may be able to get the appropriate IP addresses allocated. It would help me if I knew what to ask for. Thanks for your effort trying to help me out...
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 1584449
If it is a subnet or not depends on the netmask:

for example netmask 255.255.0.0 defines that the net is 129.111.0.0, and therefore your IPs all belong to the same subnet.
You just need bridging for this.

If you change the netmask to 255.255.255.0, the IPs 129.111.5.44 and 129.111.231.12 belong to different subnets. These must be routed.

So in your situation, I recommend using a bridge instead of a router. In one of your comments you said you have already tested a bridge.
0
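The rule just given (same network address under the netmask means same subnet) and the accepted answer's derivation of N1 and BC1 from IP1 and NM1 are both plain bit arithmetic. The following is an added example, not code from the thread: it computes network and broadcast from an address and netmask, rejects a non-contiguous mask, and applies the same-subnet test to the addresses posted above (129.111.5.44 and 129.111.231.12) under both 255.255.0.0 and 255.255.255.0. The 200.200.200.xxx case is the class C illustration from the accepted answer.

```python
"""Derive network and broadcast addresses from an IP address and netmask,
and test whether two addresses share a subnet under a given mask.
Added example, not code from the thread; the addresses are the ones posted
(129.111.x.x with the poster's masks) plus the 200.200.200.xxx illustration
from the accepted answer."""
from __future__ import annotations


def ip_to_int(ip: str) -> int:
    """Pack a dotted quad into a 32-bit integer, validating each octet."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_params(ip: str, netmask: str) -> tuple[str, str]:
    """Return (network, broadcast) for an interface configured as ip/netmask.

    network   = ip AND mask        host bits cleared -> the N in 'route add -net N'
    broadcast = ip OR  (NOT mask)  host bits set     -> the BC in 'ifconfig ... broadcast BC'
    A netmask must be a contiguous run of ones followed by zeros; anything
    else is rejected rather than silently producing a bogus network."""
    addr, mask = ip_to_int(ip), ip_to_int(netmask)
    host_bits = ~mask & 0xFFFFFFFF
    if host_bits & (host_bits + 1):   # non-zero only if the ones are not contiguous
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return int_to_ip(addr & mask), int_to_ip(addr | host_bits)


def same_subnet(ip_a: str, ip_b: str, netmask: str) -> bool:
    """Two addresses are in the same subnet exactly when they yield the
    same network address under the netmask."""
    return subnet_params(ip_a, netmask)[0] == subnet_params(ip_b, netmask)[0]


if __name__ == "__main__":
    print("class C example:", subnet_params("200.200.200.17", "255.255.255.0"))
    for mask in ("255.255.0.0", "255.255.255.0"):
        print(mask, "eth0 network/broadcast:", subnet_params("129.111.5.44", mask),
              "same subnet as box 2:", same_subnet("129.111.5.44", "129.111.231.12", mask))
```

Under 255.255.0.0 both addresses map to 129.111.0.0, which is exactly why every box ends up in one subnet; under 255.255.255.0 they map to 129.111.5.0 and 129.111.231.0 and become candidates for routing.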
 

Author Comment

by:demeler
ID: 1584450
I did set it up as a bridge before, and that works just fine,
even with IP addresses assigned to eth0 and eth1 on Linux box 1.
Trouble is, I couldn't communicate between linux box 1 and box 2,
unless I go over a third computer outside the bridged network.
In that case I might as well use a network switch. So I am still confused: if I use a netmask of 255.255.255.0 (on box 1?) instead of 255.255.0.0, I would have to route the IPs ...5.44 and ...231.12
because they belong to different subnets. So how do I route them properly, or is that not possible? What IP numbers do I need for that to work, some IP addresses that have the same number in the first through third position of the IP address? Forget for a moment that I could use a switch or use my linux box as a bridge.
What do I need here to make it work as a "router"?
Given the IP addresses I showed above, what commands do I need to enter to make these boxes talk to each other, or do I need different IP numbers? If so, what would work, given that my netmask is 255.255.0.0 and my primary address (eth0) on linux box 1 is 129.111.5.44, and the gateway for box 1 is 129.111.1.13? Those numbers cannot be changed. The IPs for eth1 on box 1
as well as the IPs for boxes 2-4 can probably be changed, if they have to be.

If nothing else, I would like to understand how this router business works...

Thanks!
0
 
LVL 3

Expert Comment

by:marcelofr
ID: 1584451
Ok. I'll use your IPs: First of all you need to provide a route to outgoing packets BUT also to returning packets. So all machines involved have to know how to deliver packets. Second, when a machine has a packet for one of the subnets it knows of, it sends the packet directly, but if the packet is for an address that doesn't match any known interface, it will ask the routing table for a router, first looking for a route to host, then a route to the subnet/network and, if all fails, it sends the packet to the default router. These are the basics of routing.

Now, for the details. [If you read carefully the above paragraph, you are guessing you CAN'T do what you want with a router and without masquerading]

Suppose box 2 tries to connect to 200.209.212.113. Its IP is 129.111.231.12 which lets it access network 129.111.x.x, so it needs a router. It finds no route to host, neither to network, so the packet is delivered to the default router.

box 1 receives the packet and makes the same analysis, and delivers it to the default router: University Gateway.

The packet gets to the Net, and the answer comes back to the University Gateway. Then the Gateway looks at the destination address and finds that it belongs to the local network, and says: "Ok, the packet is for 129.111.231.12, and I have an interface 129.111.1.13 with netmask 255.255.0.0, so any address beginning with 129.111 MUST be on its cable, so let's send the packet DIRECTLY, no need for a router"

If box 1 were a bridge, when it sees a packet on one cable to a machine that sits on the other cable, it "COPIES" the packet AS IS to the other interface (in any direction) and solves the problem.

If box 1 were a masquerading router (replacing the ORIGINATING host address with its own) the packet from box 2 would reach the Gateway as if it were coming from box 1, the Gateway would return the answer packet to box 1, which would replace the DESTINATION address with box 2's address. The Gateway doesn't know anything about the existence of box 2, and box 2 thinks that it's connecting directly to the Net.

Finally, if I made myself clear, if you subnet, you need to subnet your University Gateway also (I think you can't), and if you don't, there's no way to use a non-masquerading router.

Good Luck,

-- Marcelo
0
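The walk-through above (host route, then network route, then default; a destination inside one of your own networks goes straight onto the cable) can be run as a small simulation. This is an added example, not code from the thread: box 1, box 2 and the University Gateway carry the addresses and the routing tables the poster showed (netmask 255.255.0.0 everywhere, box 1's localnet route on eth0 only), and a second topology adds the hypothetical fix described above, a /24 on the thinnet side plus a route for it on the gateway. The gateway's own routing table, its upstream address 198.51.100.1 and the outside host 200.209.212.113 (the address used in the walk-through) are assumptions.

```python
"""Hop-by-hop simulation of the routing decision described above: a host
looks for a route to the exact destination host, then to its network, then
falls back to the default route, and a destination inside one of its own
networks is handed to the cable directly.  Added example, not code from the
thread.  Box 1, box 2 and the University Gateway carry the addresses the
poster gave; the gateway's routing table, its upstream address 198.51.100.1
and the outside host 200.209.212.113 are assumptions."""
from __future__ import annotations
from dataclasses import dataclass


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def mask_of(prefix: int) -> int:
    """/16 -> 0xFFFF0000, /0 -> 0 (the default route matches everything)."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


@dataclass
class Route:
    dest: str            # network address; "0.0.0.0" with prefix 0 is the default route
    prefix: int          # 32 = host route, 16 or 24 = network route, 0 = default
    gateway: str | None  # None = deliver directly on the cable (on-link)
    iface: str


@dataclass
class Host:
    name: str
    ifaces: dict[str, tuple[str, str]]  # iface -> (address, cable it is plugged into)
    routes: list[Route]

    def on_cable(self, ip: str, cable: str) -> bool:
        return any(a == ip and c == cable for a, c in self.ifaces.values())

    def owns(self, ip: str) -> bool:
        return any(a == ip for a, _ in self.ifaces.values())

    def lookup(self, dst: str) -> Route:
        """Longest-prefix match, which orders host > network > default."""
        d = ip_to_int(dst)
        matches = [r for r in self.routes
                   if d & mask_of(r.prefix) == ip_to_int(r.dest) & mask_of(r.prefix)]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda r: r.prefix)


def trace(hosts: list[Host], src: str, dst: str, max_hops: int = 6) -> tuple[list[str], str]:
    """Forward one packet from host `src` to address `dst`.  Returns the hosts
    visited and a status: DELIVERED, or LOST when a host puts the packet on a
    cable where the next-hop address does not exist (on a real network the ARP
    request for it would simply go unanswered)."""
    cur = next(h for h in hosts if h.name == src)
    path = [cur.name]
    for _ in range(max_hops):
        if cur.owns(dst):
            return path, "DELIVERED"
        route = cur.lookup(dst)
        cable = cur.ifaces[route.iface][1]
        next_ip = route.gateway or dst
        nxt = next((h for h in hosts if h.on_cable(next_ip, cable)), None)
        if nxt is None:
            return path, f"LOST at {cur.name}: {next_ip} is not on cable {cable}"
        cur = nxt
        path.append(cur.name)
    return path, "LOOP"


def thread_topology(subnetted: bool) -> list[Host]:
    """subnetted=False reproduces the tables the poster showed (/16 everywhere).
    subnetted=True is the hypothetical fix marcelofr says is out of reach: a /24
    on the thinnet side and a route for it on the University Gateway."""
    lan_net, lan_prefix = ("129.111.231.0", 24) if subnetted else ("129.111.0.0", 16)
    box2 = Host("box2", {"eth0": ("129.111.231.12", "thinnet")},
                [Route(lan_net, lan_prefix, None, "eth0"),
                 Route("0.0.0.0", 0, "129.111.231.13", "eth0")])
    box1_routes = [Route("129.111.0.0", 16, None, "eth0"),
                   Route("0.0.0.0", 0, "129.111.1.13", "eth0")]
    gw_routes = [Route("129.111.0.0", 16, None, "eth0"),
                 Route("0.0.0.0", 0, None, "uplink")]   # assumed: upstream is on-link
    if subnetted:
        box1_routes.append(Route("129.111.231.0", 24, None, "eth1"))
        gw_routes.append(Route("129.111.231.0", 24, "129.111.5.44", "eth0"))
    box1 = Host("box1", {"eth0": ("129.111.5.44", "backbone"),
                         "eth1": ("129.111.231.13", "thinnet")}, box1_routes)
    gateway = Host("gateway", {"eth0": ("129.111.1.13", "backbone"),
                               "uplink": ("198.51.100.1", "upstream")}, gw_routes)
    outside = Host("outside", {"eth0": ("200.209.212.113", "upstream")},
                   [Route("0.0.0.0", 0, "198.51.100.1", "eth0")])
    return [box2, box1, gateway, outside]


if __name__ == "__main__":
    for subnetted in (False, True):
        net = thread_topology(subnetted)
        print("subnetted" if subnetted else "as posted (/16 everywhere)")
        print("  box2 -> outside:", trace(net, "box2", "200.209.212.113"))
        print("  reply -> box2:  ", trace(net, "outside", "129.111.231.12"))
        print("  box1 -> box2:   ", trace(net, "box1", "129.111.231.12"))
```

With the tables as posted, the outbound packet reaches the outside host, but the reply is lost at the gateway, which puts it on the backbone because 129.111.231.12 matches its own 129.111.0.0/16; box 1 itself loses a ping to box 2 for the same reason, since its only localnet route points at eth0, which is the symptom reported earlier in the thread. With the /24 and a matching route on the gateway, the reply travels gateway, box 1, box 2.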
 

Author Comment

by:demeler
ID: 1584452
Thanks - I see how this works now. I also got me a book (TCP/IP
admin by O'Reilly) that helped explain these concepts.


0
