  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 269

SEG AR-601 users ahoy!

The above ADSL Ethernet router looks like a good piece of kit that I have just found on site somewhere and it's down to me to use it. Its chief advantage seems to be that it can support a hub without the need for a dedicated routing, DHCP-serving etc. machine.

But I want to dedicate a Debian box to provide these services and wonder if anyone can advise me on the best way to configure it together with the SEG router  for this purpose.
Asked by: CEHJ
2 Solutions
 
xscousr Commented:
check out Smoothwall at http://smoothwall.org

this will give you router/dhcp/ids/proxy/dynamic dns etc etc

very slick
 
CEHJ (Author) Commented:
I know about Smoothwall, but that's not exactly relevant to the substance of the question
 
pjedmond Commented:
Hmm....?? Not exactly sure what you are trying to achieve here?...but here goes:

Personally, If I'd got the router, I'd stick with it....I may decide to insert a second firewall:

                     __________          ________
Internal Network ---| Firewall |--------| Router |--------{The internet}
                     ----------          --------

The only reason I can think of for trying to do what you are suggesting is in case of the Router failing, then you want to be able to provide an immediate replacement.

Therefore:

1.     Identify a suitable ADSL card for your box:

Probably, Conexant or Pulsar? - Check these carefully as they don't all have linux drivers!

2.      Any old PCI ethernet cards should be fine.

3.      Install Debian!

4.      decide on the services that you want this box to provide. The usual ones are:

Firewall/Routing - Use iptables/chains
Intrusion detection - Use Snort
dhcp
DNS - Bind
VPN - FreeSwan or other IPsec solution (Warning  may require kernel patch)
Remote access - sshd
Proxy services/Content filtering - Squid
Mail spam/virus filtering etc.

All these and others are often provided by dedicated software solutions such as smoothwall/ipcop/devil linux/astaro etc

The commercial versions normally charge for the more advanced capabilities such as VPN or mail/virus filtering, and will be finely tuned to be more secure. They also tend to have fairly nice web based interfaces. To get an idea of the tricks used, download the home version of astaro, and you'll see that it consists of many of the above capabilities each chrooted to avoid an exploit in one feature causing problems with another feature.

If the above information is not what you are after, then please can you clarify the question.

HTH:)

 
pjedmond Commented:
Sorry - I understand now - I forgot to engage brain;)

You want to disable the DNS and DHCP etc on the router and carry out that function on a Debian system:)

In which case, I strongly recommend downloading and installing webmin. It's a graphical web tool that runs on port 10000, which enables you to configure dhcp/DNS etc in a very intuitive manner.

http://www.webmin.com/

It consists of loads of modules that all install really easily..and then you start it up:

/etc/init.d/webmin start

and then browse to localhost:10000

It'll change your view of configuring linux boxes:)
 
CEHJ (Author) Commented:
>>You want to disable the DNS and DHCP etc on the router and carry out that function on a Debian system:)

Exactly, but i'm not clear on how that should be done. This will give you a bit more of the picture:

http://www.experts-exchange.com/Operating_Systems/Linux/Q_21090173.html

OTHERS OF YOU MAY WANT TO LOOK AT THE ABOVE LINK
 
Gns Commented:
Ok and what part is it you find is a stumbling block? Linux side or router side config?
For example, according to the docs you pointed out (this is a straight cut'n'paste) you do this to disable DHCP:
---------------------------------------
AR601> adsl down
AR601> dhcpserver config flush
AR601> dhcpserver config confirm
AR601> config save
AR601> restart

The DHCP server configuration is now blank. If you want DHCP disabled, then that's all you have to do and you can now reconnect the ADSL line cable.
---------------------------------------
... then you'd need install a DHCP server and config that ... hm, Debian you say... How about
apt-get install dhcpcd
... then "/etc/init.d/dhcp stop", edit /etc/dhcpd.conf, then "/etc/init.d/dhcp start" (this is basically the instructions "on screen" from the apt-get install ;-).
Just make sure you have a grip on any "special" dhcp config before destroying it;-).

I'm sure every other service would be similarly easy to accommodate.

You'll also have a routing/topology issue to handle... Is that what you need help with?

You could (perversely:-) leave the DHCP of the router on, config your "router-network-interface" to use DHCP, and the "lanside-interface" to provide DHCP by "limiting" dhcpd to that IF (via the commandline option). Slight shudder:-)

-- Glenn
 
Gns Commented:
Sorry, the following
apt-get install dhcpcd
... should read
apt-get install dhcpd

(the former is the dhcp Client daemon... not what you'd want:-)

-- Glenn
 
CEHJ (Author) Commented:
Thanks Glenn

>>You'll also have a routing/topology issue to handle... Is that what you need help with?

Kind of. In a way it's rather difficult to say what the problem is - i guess it's a kind of 'conceptual' problem ;-)

But it's good that you quoted from the docs, as it starts to concretize what's a bit abstract to me still. I wonder if you could firm up the following points with me?

a. So - taking down the network services one by one from the router, should leave it as a 'passive vessel' through which Ethernet tcp/ip passes?
b. Then the Linux box will get plugged into the hub *with its single Ethernet card*
c. The clients' net config will simply be pointed at the Linux box

Of course, the further complication is that the Linux box will be a Samba server too ;-)

 
Gns Commented:
> a. So - taking down the network services one by one from the router, should leave it as a 'passive vessel' through which Ethernet tcp/ip passes?
That would turn it into a straightforward router yes... An ethernet->ADSL converter if you like (ethernet and ADSL are "carriers" or "link layer" in this case... It's the tcp/ip packets moving through the router;).

> b. Then the Linux box will get plugged into the hub *with its single Ethernet card*
Ah, this clears a bit of the confusion... We've all been looking at this like "OK, he wants to insert a linux firewall between himself and the internet"... Something like
[LAN (everything connecting to the HUB] <---> [Linux box] <---> [router] <---> [internet]
but in actuality you'd like to stay with
[LAN (everything connecting to the HUB, including Linux box] <---> [router] <---> [internet]
This would mean that the router would still be your internet gateway...
Sure, you can do it like that. I'm not really sure _why_ you'd like to, but it's possible to do;-).

> c. The clients' net config will simply be pointed at the Linux box
Eh, not really. The clients would get their DHCP leases from the linux box, yes. But they'd still need route packets destined for the internet via the router... You could have the linux box as an "extra router" but there would be little->no point in that.
So if you migrate DNS services to your linux box, then yes, that'd need be changed in the DHCP scope too (beware long leasetimes when finetuning/configuring DHCP) etc.

> Of course, the further complication is that the Linux box will be a Samba server too ;-)
As far as I can see, that wouldn't come into the equation at all. It could be used for any number of services parallel to the ones you plan to migrate:-).

-- Glenn
 
CEHJ (Author) Commented:
a. Yes - let's call it an ADSL<->Ethernet Converter (let us use 'AEC')

b. No - you haven't quite got this - and this is the bit i'm having a conceptual difficulty with:
at the moment, the AEC is the gateway. What i want to do is to *only* use the converting facilities of the AEC and use the Linux box as the gateway, so this:

>>LAN (everything connecting to the HUB] <---> [Linux box] <---> [router] <---> [internet]

is more or less what i want to do

LAN (everything connecting to the HUB, including gateway Linux box)] <---> [AEC] <---> [internet]

the trouble is, and this is where the conceptual difficulty arises, can the Linux 'gateway' *be* a gateway? ;-)
 
Gns Commented:
Well, aec will be _A router_. No matter what, that is what it is.

Can the linux box be a router?
Yes.
With just one NIC?
Yes, but this is rather pointless:-).
For this you need two address spaces, and although you only have one interface on the linux box, you can "multi-home" it... That is, define IP aliases on the eth0:0 and eth0:1 that are for the two address spaces. You'd need configure the AEC and the linux to be on one, and the LAN to be on the other, then you'd need enable forwarding... Perhaps firewalling too.
Essentially you'd treat it like you had
>>LAN (everything connecting to the HUB] <---> [Linux box] <---> [router] <---> [internet]
while in reality (wire-wise so to speak:-) you only have
>>LAN (everything connecting to the HUB, including gateway Linux box)] <---> [AEC] <---> [internet]

Only difference with a true routed solution would be that you save a couple of bucks on the NIC you don't get, and live with the onus of two networks on the same wire. I'd definitely disable the DHCP of the AEC in this case:-).

-- Glenn
 
Gns Commented:
Mind you, I've not used this kind of setup for a while (and then just to "fake" things in a lab environment), so there might be caveats.

-- Glenn
 
Gns Commented:
What the last means is that it is safer to make it a true router with dual NICs.

-- Glenn
 
lbertacco Commented:
This seems to be a router only, not configurable as an adsl ethernet modem.
Let me describe the difference:
both have a WAN interface (adsl) and a lan interface (ethernet)
Modems (eg dlink-300) don't need any IP address (except eventually to configure the modem itself), they let you the (usually) public IP address to the PC lan interface attached to the modem.
Routers keep the public IP for themselves and usually assign a private IP or anyway other IPs on the lan interface. The lan interface must be on a different subnetwork than the wan interface.

You still can configure your network as something like:
internet - adsl line -adsl router - linux server - hub - your lan
then the adsl router will keep the public ip for itself, the segment adslrouter-linux must be on some private addressed  subnetwork (unless you have additional static public ips), and your lan on still another subnetwork.
This can work great (you just won't be able to get public IPs to your linux box).

Simply make a linux box with 2 NICs
give one nic, towards the adsl router, e.g. the IP 192.168.0.2 (assuming the adsl router has IP 192.168.0.1)
give the other nic, towards internal lan, IP 192.168.1.1
then configure the pc on your lan to use gateway 192.168.1.1, and the linux box to use a default route of 192.168.0.1.
On the linux box you can install firewall, dhcp, dns without problems.
For any service that you want to be reachable from the internet (http, ssh,...) you will have to configure the adsl router to do some port forwarding towards the linux box
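
The dual-NIC layout from the post above, written out as an added example (not part of the original thread). It assumes eth0 faces the ADSL router, eth1 faces the hub, both subnets are /24, and the ADSL router has no static route for 192.168.1.0/24, so the Linux box masquerades LAN traffic; forwarding is default-deny and is only switched on after the policy is in place.

```shell
#!/bin/sh
# Added example: dual-NIC Debian gateway for the addressing plan in the post above.
# Assumptions (not from the thread): interface names, the /24 masks, and that
# the ADSL router has no route back to the LAN subnet (hence MASQUERADE).
WAN_IF=eth0; WAN_IP=192.168.0.2/24; WAN_GW=192.168.0.1
LAN_IF=eth1; LAN_IP=192.168.1.1/24; LAN_NET=192.168.1.0/24

# Dry run by default: print each command instead of executing it.
# Set DRY_RUN=0 and run as root to apply the configuration.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

gateway_rules() {
    # Addressing: one NIC towards the ADSL router, one towards the LAN.
    run ip addr add "$WAN_IP" dev "$WAN_IF"
    run ip addr add "$LAN_IP" dev "$LAN_IF"
    run ip route add default via "$WAN_GW" dev "$WAN_IF"

    # Default-deny forwarding first, so nothing crosses the box unfiltered
    # in the window between enabling routing and loading the rules.
    run iptables -P FORWARD DROP

    # LAN hosts may open connections outwards; only replies come back in.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The ADSL router only knows 192.168.0.0/24, so hide the LAN behind
    # the Linux box's WAN-side address.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Turn on routing last.
    run sysctl -w net.ipv4.ip_forward=1
}

gateway_rules
```

Services forwarded from the ADSL router to 192.168.0.2 terminate on the Linux box itself, so they are governed by its INPUT chain, which this example leaves untouched.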
 
CEHJ (Author) Commented:
OK guys, i'm going to have to digest this a bit, but so far i think we can say you're in agreement on the fact that 2 NICs would be better can we not?
 
Gns Commented:
We agree about most things, actually... Just different ways of expressing it:-). As noted: AEC _is_ a router;-).

A dual-NIC solution will be cleaner in every respect.
And fairly good NICs are *cheap* these days. Especially with the limitation of the ADSL bandwidth in mind (meaning you could probably reuse some fairly old piece of HW, if you have one ... "to spare"...:-).

Or are expansion slots a tight sector in the linux box?

-- Glenn
 
CEHJ (Author) Commented:
>>Or are expansion slots a tight sector in the linux box?

Well - that's unknown so far, as i haven't got the box yet ;-)

I'm just now wrestling with the concept of having the AEC taking the gateway public address, when i really want the Linux box (LB) to do that. How can you put my mind at rest guys? ;-)

(Really i just want the LB to have maximum control)
 
lbertacco Commented:
I think the most common situation where you would really want the LB to own the public IP is to implement a VPN. Otherwise you can live happy with port forwarding. Anyway I don't think there is a solution to this (unless SEG provides new firmware). It's probably easier to just buy a new and cheap adsl modem.
 
Gns Commented:
Nod. ... With at least some IPSEC VPN implementations (commercial AFAICS) you can set up NAT traversals (mainly through "UDP encapsulation" ... or similar).

-- Glenn
 
CEHJ (Author) Commented:
>>It's probably easier to just buy a new and cheap adsl modem.

How cheap do they get?
 
Gns Commented:
Don't know your location, but... you could get as cheap as below 400 SEK where I'm at (Sweden:-) (below $40-$50 USD)....

-- Glenn
 
CEHJ (Author) Commented:
That sounds good. Although we regularly get ripped off in the UK ;-)

Guys, you're each going to get 50/50 points, but i'm going to keep it open for a while in case i need extra (moral?) support and finally double the points
 
CEHJ (Author) Commented:
I won't go against that recommendation but should like to increase the points as promised
 
CEHJ (Author) Commented:
>>You should be able to increase the points yourself.

I've done that. I'm happy for you to close it per your recommendation
