Solved

SEG AR-601 users ahoy!

Posted on 2004-08-10
Last Modified: 2010-03-18
The above ADSL Ethernet router looks like a good piece of kit that I have just found on site somewhere and it's down to me to use it. Its chief advantage seems to be that it can support a hub without the need for a dedicated routing, DHCP-serving etc. machine.

But I want to dedicate a Debian box to provide these services and wonder if anyone can advise me on the best way to configure it together with the SEG router  for this purpose.
Question by:CEHJ
27 Comments
 
LVL 2

Expert Comment

by:xscousr
ID: 11775299
check out Smoothwall at http://smoothwall.org

this will give you router/dhcp/ids/proxy/dynamic dns etc etc

very slick
0
 
LVL 86

Author Comment

by:CEHJ
ID: 11775756
I know about Smoothwall, but that's not exactly relevant to the substance of the question
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 11777627
Hmm....?? Not exactly sure what you are trying to achieve here?...but here goes:

Personally, If I'd got the router, I'd stick with it....I may decide to insert a second firewall:

                    +----------+       +--------+
Internal Network ---| Firewall |-------| Router |--- {The internet}
                    +----------+       +--------+

The only reason I can think of for trying to do what you are suggesting is in case of the Router failing, then you want to be able to provide an immediate replacement.

Therefore:

1.     Identify a suitable ADSL card for your box:

Probably, Conexant or Pulsar? - Check these carefully as they don't all have linux drivers!

2.      Any old PCI ethernet cards should be fine.

3.      Install Debian!

4.      decide on the services that you want this box to provide. The usual ones are:

Firewall/Routing - Use iptables/chains
Intrusion detection - Use Snort
dhcp
DNS - Bind
VPN - FreeSwan or other IPsec solution (Warning  may require kernel patch)
Remote access - sshd
Proxy services/Content filtering - Squid
Mail spam/virus filtering etc.

All these and others are often provided by dedicated software solutions such as smoothwall/ipcop/devil linux/astaro etc

The commercial versions normally charge for the more advanced capabilities such as VPN or mail/virus filtering, and will be finely tuned to be more secure. They also tend to have fairly nice web based interfaces. To get an idea of the tricks used, download the home version of astaro, and you'll see that it consists of many of the above capabilities each chrooted to avoid an exploit in one feature causing problems with another feature.

If the above information is not what you are after, then please can you clarify the question.

HTH:)

0
 
LVL 22

Expert Comment

by:pjedmond
ID: 11777680
Sorry - I understand now - I forgot to engage brain;)

You want to disable the DNS and DHCP etc on the router and carry out that function on a Debian system:)

In which case, I strongly recommend downloading and installing webmin. It's a graphical web tool that runs on port 10000, which enables you to configure dhcp/DNS etc in a very intuitive manner.

http://www.webmin.com/

It consists of loads of modules that all install really easily..and then you start it up:

/etc/init.d/webmin start

and then browse to localhost:10000

It'll change your view of configuring linux boxes:)
0
 
LVL 86

Author Comment

by:CEHJ
ID: 11781613
>>You want to disable the DNS and DHCP etc on the router and carry out that function on a Debian system:)

Exactly, but i'm not clear on how that should be done. This will give you a bit more of the picture:

http://www.experts-exchange.com/Operating_Systems/Linux/Q_21090173.html

OTHERS OF YOU MAY WANT TO LOOK AT THE ABOVE LINK
0
 
LVL 20

Expert Comment

by:Gns
ID: 11782463
Ok and what part is it you find is a stumbling block? Linux side or router side config?
For example, according to the docs you pointed out (this is a straight cut'n'paste) you do this to disable DHCP:
---------------------------------------
AR601> adsl down
AR601> dhcpserver config flush
AR601> dhcpserver config confirm
AR601> config save
AR601> restart

The DHCP server configuration is now blank. If you want DHCP disabled, then that's all you have to do and you can now reconnect the ADSL line cable.
---------------------------------------
... then you'd need install a DHCP server and config that ... hm, Debian you say... How about
apt-get install dhcpcd
... then "/etc/init.d/dhcp stop", edit /etc/dhcpd.conf, then "/etc/init.d/dhcp start" (this is basically the instructions "on screen" from the apt-get install ;-).
Just make sure you have a grip on any "special" dhcp config before destroying it;-).

I'm sure every other service would be similarly easy to accommodate.

You'll also have a routing/topology issue to handle... Is that what you need help with?

You could (perversely:-) leave the DHCP of the router on, config your "router-network-interface" to use DHCP, and the "lanside-interface" to provide DHCP by "limiting" dhcpd to that IF (via the commandline option). Slight shudder:-)

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 11782482
Sorry, the following
apt-get install dhcpcd
... should read
apt-get install dhcpd

(the former is the dhcp Client daemon... not what you'd want:-)

-- Glenn
0
 
LVL 86

Author Comment

by:CEHJ
ID: 11782574
Thanks Glenn

>>You'll also have a routing/topology issue to handle... Is that what you need help with?

Kind of. In a way it's rather difficult to say what the problem is - i guess it's a kind of 'conceptual' problem ;-)

But it's good that you quoted from the docs, as it starts to concretize what's a bit abstract to me still. I wonder if you could firm up the following points with me?

a. So - taking down the network services one by one from the router, should leave it as a 'passive vessel' through which Ethernet tcp/ip passes?
b. Then the Linux box will get plugged into the hub *with its single Ethernet card*
c. The clients' net config will simply be pointed at the Linux box

Of course, the further complication is that the Linux box will be a Samba server too ;-)

0
 
LVL 20

Accepted Solution

by:
Gns earned 250 total points
ID: 11782845
> a. So - taking down the network services one by one from the router, should leave it as a 'passive vessel' through which Ethernet tcp/ip passes?
That would turn it into a straightforward router yes... An ethernet->ADSL converter if you like (ethernet and ADSL are "carriers" or "link layer" in this case... It's the tcp/ip packets moving through the router;).

> b. Then the Linux box will get plugged into the hub *with its single Ethernet card*
Ah, this clears a bit of the confusion... We've all been looking at this like "OK, he wants to insert a linux firewall between himself and the internet"... Something like
[LAN (everything connecting to the HUB] <---> [Linux box] <---> [router] <---> [internet]
but in actuality you'd like to stay with
[LAN (everything connecting to the HUB, including Linux box] <---> [router] <---> [internet]
This would mean that the router would still be your internet gateway...
Sure, you can do it like that. I'm not really sure _why_ you'd like to, but it's possible to do;-).

> c. The clients' net config will simply be pointed at the Linux box
Eh, not really. The clients would get their DHCP leases from the linux box, yes. But they'd still need to route packets destined for the internet via the router... You could have the linux box as an "extra router" but there would be little->no point in that.
So if you migrate DNS services to your linux box, then yes, that'd need be changed in the DHCP scope too (beware long leasetimes when finetuning/configuring DHCP) etc.

> Of course, the further complication is that the Linux box will be a Samba server too ;-)
As far as I can see, that wouldn't come into the equation at all. It could be used for any number of services parallel to the ones you plan to migrate:-).

-- Glenn
0
 
LVL 86

Author Comment

by:CEHJ
ID: 11783678
a. Yes - let's call it an ADSL<->Ethernet Converter (let us use 'AEC')

b. No - you haven't quite got this - and this is the bit i'm having a conceptual difficulty with:
at the moment, the AEC is the gateway. What i want to do is to *only* use the converting facilities of the AEC and use the Linux box as the gateway, so this:

>>LAN (everything connecting to the HUB] <---> [Linux box] <---> [router] <---> [internet]

is more or less what i want to do

LAN (everything connecting to the HUB, including gateway Linux box)] <---> [AEC] <---> [internet]

the trouble is, and this is where the conceptual difficulty arises, can the Linux 'gateway' *be* a gateway? ;-)
0
 
LVL 20

Expert Comment

by:Gns
ID: 11784071
Well, aec will be _A router_. No matter what, that is what it is.

Can the linux box be a router?
Yes.
With just one NIC?
Yes, but this is rather pointless:-).
For this you need two address spaces, and although you only have one interface on the linux box, you can "multi-home" it... That is, define IP aliases on the eth0:0 and eth0:1 that are for the two address spaces. You'd need configure the AEC and the linux to be on one, and the LAN to be on the other, then you'd need enable forwarding... Perhaps firewalling too.
Essentially you'd treat it like you had
>>LAN (everything connecting to the HUB] <---> [Linux box] <---> [router] <---> [internet]
while in reality (wire-wise so to speak:-) you only have
>>LAN (everything connecting to the HUB, including gateway Linux box)] <---> [AEC] <---> [internet]

Only difference with a true routed solution would be that you save a couple of bucks on the NIC you don't get, and live with the onus of two networks on the same wire. I'd definitely disable the DHCP of the AEC in this case:-).

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 11784163
Mind you, I've not used this kind of setup for a while (and then just to "fake" things in a lab environment), so there might be caveats.

-- Glenn
0
 
LVL 20

Expert Comment

by:Gns
ID: 11784168
What the last means is that it is safer to make it a true router with dual NICs.

-- Glenn
0
 
LVL 11

Assisted Solution

by:lbertacco
lbertacco earned 250 total points
ID: 11786102
This seems to be a router only, not configurable as an adsl ethernet modem.
Let me describe the difference:
both have a WAN interface (adsl) and a lan interface (ethernet)
Modems (eg dlink-300) don't need any IP address (except eventually to configure the modem itself), they let you assign the (usually) public IP address to the PC lan interface attached to the modem.
Routers keep the public IP for themselves and usually assign a private IP or anyway other IPs on the lan interface. The lan interface must be on a different subnetwork than the wan interface.

You still can configure your network as something like:
internet - adsl line -adsl router - linux server - hub - your lan
then the adsl router will keep the public ip for itself, the segment adslrouter-linux must be on some private addressed  subnetwork (unless you have additional static public ips), and your lan on still another subnetwork.
This can work great (you just won't be able to get public IPs to your linux box).

Simply make a linux box with 2 NICs
give one nic, towards the adsl router, e.g. the IP 192.168.0.2 (assuming the adsl router has IP 192.168.0.1)
give the other nic, towards internal lan, IP 192.168.1.1
then configure the pc on your lan to use gateway 192.168.1.1, and the linux box to use a default route of 192.168.0.1.
On the linux box you can install firewall, dhcp, dns without problems.
For any service that you want to be reachable from the internet (http, ssh,...) you will have to configure the adsl router to do some port forwarding towards the linux box
0
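
The dual-NIC layout described in the post above, written out as a default-deny forwarding policy. This is an added example, not part of any post in the thread; the interface names eth0 (towards the ADSL router) and eth1 (towards the LAN), the function name and the choice to masquerade the LAN behind 192.168.0.2 are assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for the dual-NIC gateway.
# Assumed names: eth0 faces the ADSL router (192.168.0.0/24),
# eth1 faces the LAN (192.168.1.0/24). The script only prints; to apply:
#   gen_gateway_rules eth0 eth1 192.168.1.0/24 | iptables-restore
#   sysctl -w net.ipv4.ip_forward=1

gen_gateway_rules() {
    wan_if=$1; lan_if=$2; lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The ADSL router has no route back to $lan_net, so hide the LAN behind
# this host's address on $wan_if (alternative: a static route on the router).
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN clients may reach DHCP, DNS and SSH on the gateway itself.
-A INPUT -i $lan_if -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
# Forward only connections opened from the LAN; replies return statefully.
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the addresses used in the post so it can be reviewed.
gen_gateway_rules eth0 eth1 192.168.1.0/24
```

Nothing arriving on eth0 is accepted unless it belongs to a connection opened from the LAN side, so anything port-forwarded by the ADSL router to the Linux box needs its own explicit INPUT rule.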
 
LVL 86

Author Comment

by:CEHJ
ID: 11791649
OK guys, i'm going to have to digest this a bit, but so far i think we can say you're in agreement on the fact that 2 NICs would be better can we not?
0
 
LVL 20

Expert Comment

by:Gns
ID: 11791749
We agree about most things, actually... Just different ways of expressing it:-). As noted: AEC _is_ a router;-).

A dual-NIC solution will be cleaner in every respect.
And fairly good NICs are *cheap* these days. Especially with the limitation of the ADSL bandwidth in mind (meaning you could probably reuse some fairly old piece of HW, if you have one ... "to spare"...:-).

Or are expansion slots a tight sector in the linux box?

-- Glenn
0
 
LVL 86

Author Comment

by:CEHJ
ID: 11808223
>>Or are expansion slots a tight sector in the linux box?

Well - that's unknown so far, as i haven't got the box yet ;-)

I'm just now wrestling with the concept of having the AEC taking the gateway public address, when i really want the Linux box (LB) to do that. How can you put my mind at rest guys? ;-)

(Really i just want the LB to have maximum control)
0
 
LVL 11

Expert Comment

by:lbertacco
ID: 11808471
I think the most common situation where you would really want the LB to own the public IP is to implement a VPN. Otherwise you can live happy with port forwarding. Anyway I don't think there is a solution to this (unless SEG provides new firmware). It's probably easier to just buy a new and cheap adsl modem.
0
 
LVL 20

Expert Comment

by:Gns
ID: 11808637
Nod. ... With at least some IPSEC VPN implementations (commercial AFAICS) you can set up NAT traversals (mainly through "UDP encapsulation" ... or similar).

-- Glenn
0
 
LVL 86

Author Comment

by:CEHJ
ID: 11808657
>>It's probably easier to just buy a new and cheap adsl modem.

How cheap do they get?
0
 
LVL 20

Expert Comment

by:Gns
ID: 11808692
Don't know your location, but... you could get as cheap as below 400 SEK where I'm at (Sweden:-) (below $40-$50 USD)....

-- Glenn
0
 
LVL 86

Author Comment

by:CEHJ
ID: 11808724
That sounds good. Although we regularly get ripped off in the UK ;-)

Guys, you're each going to get 50/50 points, but i'm going to keep it open for a while in case i need extra (moral?) support and finally double the points
0
 
LVL 86

Author Comment

by:CEHJ
ID: 15817923
I won't go against that recommendation but should like to increase the points as promised
0
 
LVL 86

Author Comment

by:CEHJ
ID: 15818654
>>You should be able to increase the points yourself.

I've done that. I'm happy for you to close it per your recommendation
0
