
How to configure small linux/windows network with one linux box as a router.

parkhensley asked
Medium Priority
Last Modified: 2010-03-18
I administer 7 computers - 2 Linux and 5 Windows - inside a network of about 25 computers (I don't manage the others) connected to a HW router (which I also don't administer). My question is what is the best free (no more purchases) Linux way to provide access to each other and to the internet for those I do manage and separation from the computers I don't manage? Should I make one of my Linux boxes a second router before the HW router? If so, how do I set up the routing tables? Right now, all 25 machines are configured through DHCP provided by the HW router, but I can give static addresses to my 7 if that's the way to go.


Do you use NAT? Is the router a router or a firewall?
Do you run dynamic DNS?
I'm not sure which distro of linux to use -- I use redhat/fedora -- I wouldn't get something bleeding edge.

If you make one of the linux machines a router, you have a single point of failure when something goes wrong -- not sure you gain anything and you may make headaches for yourself....

The routing tables really are no problem -- you just specify a "gateway" (the router) -- if your DHCP is set up right, it should be automatic...


I should have said that the hw router provides NAT and limited firewall capability. I have several distros currently under evaluation.  

The default configuration of just using the hw router as the only solution works, but when I do netstat -a, I am always finding uninvited connections ESTABLISHED or LISTENING on various ports and this bothers me because I have quite a bit of confidential material on several of the machines (and they all need internet access) and so I wanted an extra layer of protection.

Maybe treat the confidential information on specific machines with a higher amount of security on these machines...

Putting another firewall/router in there may cause other problems -- you have to evaluate if it's worth it.

Lots of ways to go....

Perhaps, you can try http://www.smoothwall.org
It's a Firewall oriented Linux distro. (warning, it will wipe off all your harddisk data during the installation)

Put it this way.

Separate them into a few zones.

Internet zone.
DMZ zone.
LAN zone.

So meaning, you will need 3 network cards for this smoothwall.
And configure them into these 3 zones.

I suggest you:-

1. Connect the internet zone network card to your HW router/firewall.
2. Connect DMZ zone network card to your LINUX based computers. (configure every box with fixed ip address)
3. Connect LAN zone network card to your WINDOWS based computers, and configure DHCP for this card.

Hope this helps.

Gabriel Orozco, Solution Architect


I think you need first to shape a more secure layout.
I would do this:

 internet --- hw router ----(all other computers you do not manage, along with one of your linux computers) --- (a sub-lan of your managed computers)

note that you need an extra ethernet card for the linux computer you choose to be the firewall/gateway of your managed computers, along with a switch/hub for them to connect.

If you do this way, all other computers you do not administer will not be able to connect to the protected computers (they will be behind a linux firewall)

you shall then configure a firewall for your linux computer, along with dhcp server for internal computers.

if you do that, you'll be set for a double firewall layout which is far more secure than what you have right now, while being easy to administer.

hope this and the previous post of kiitii can drive you on the lane to what you want to do.
there are lots of firewall scripts (all of them manage the internal linux firewall, named NETFILTER) and smoothwall is a good one as I have read. I tend to use my own written scripts, however.



I have 2 ethernet cards in the linux computer that I would make the gateway for my managed computers. Let me get what kiitii and Redimido are saying.

I connect my linux gateway box into the hw router for the main network through one of the cards and a hub for my other computers to connect to through the second card. I set static ips on the 2 cards in my machine and configure the second card to provide addresses for the rest of my managed computers through dhcp.

If the hw router gives the larger networked machines addresses in the range, then I could give the addresses and to eth0 and eth1 in the linux router respectively.

I would really like some help on what the routing table should look like and the commands to create it.

Something like

Gabriel Orozco, Solution Architect


Everything is fine until the network address space.

You cannot have the same subnet on both sides of your gateway: it simply would not route anything!

You must choose a different range, say, like this:

(internet hw router) ------ 192.168.0.X (your linux machine) ---(your managed computers)

These computers would have a 192.168.1.X ip address, with netmask and as their gateway.

If the Internet hardware appliance can handle some routes, add a route to your managed network in it so the other computers know how to reach the other range. something like via gateway 192.168.0.X (external ip of your linux gateway)

and of course enable iptables to filter what you do not want to pass across the linux gateway.


I didn't mean the above to be complete. That line above should have been
"" where is the address of the card that the dhcp server service is bound to on the linux router

Just to get the routing part down I was trying to set the machines up as described above and then set the routing table on the first client and the dhcp server. #on eth1 the dhcp server
# is the hw router and default gateway to the internet for the whole network

I can ping the hw router default gw from the linux machine, but I can't ping anything on the internet and I can't ping the linux router from the other linux box.

Obviously I need some help on the routing table. The firewall part can come after that.

Gabriel Orozco, Solution Architect


you cannot have the same subnet on both sides of your linux box. to have routing, you need different subnets and a defined "gateway" that connects both.

so, if eth0 connects to the normal LAN, where your linux box connects to the hardware router, with ip address /24; then on the other card, eth1, you should have any other network but, since that one is already used. I proposed you to use, but you can easily use like here:

(internet hw router) ------ (your linux machine) ---(your managed computers)

you need to configure dhcp for the eth0 interface and server with for your managed computers, making your own machine to be the gateway:

now, in order to tell the hardware router how to locate the network, you should tell it the gateway for that network is (your ip address on the unsafe non-managed-by-you side)

Is it more clear now?
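The layout Gabriel describes (eth0 on the hardware router's 192.168.0.0/24 LAN, eth1 on a separate 192.168.1.0/24 managed sub-LAN, one default route towards the hardware router, forwarding on, a filtering firewall, and a DHCP server for the managed side) as an added example script. This is not code from the thread or from any poster; the host addresses 192.168.0.50 (the Linux box on the unmanaged LAN), 192.168.0.1 (the hardware router) and 192.168.1.1 (the Linux box on the managed side) are assumptions, as is the use of the hardware router as DNS server. By default the script only prints the commands it would run; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): bring up the Linux box as the
# gateway between the hardware router's LAN on eth0 (192.168.0.0/24) and
# the managed sub-LAN on eth1 (192.168.1.0/24). Host addresses are assumed.
EXT_IF=eth0              # towards the hardware router
EXT_IP=192.168.0.50      # assumed: the box's address on the unmanaged LAN
EXT_GW=192.168.0.1       # assumed: the hardware router's LAN address
INT_IF=eth1              # towards the managed computers
INT_IP=192.168.1.1       # the box's address on the managed sub-LAN
INT_NET=192.168.1.0/24
DRY_RUN=${DRY_RUN:-1}    # 1 = only print the commands, 0 = run them (as root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

configure_interfaces() {
    run ip addr add "$EXT_IP/24" dev "$EXT_IF"
    run ip addr add "$INT_IP/24" dev "$INT_IF"
    run ip link set "$EXT_IF" up
    run ip link set "$INT_IF" up
    # the single default route points at the hardware router, which lies on
    # eth0's own subnet; eth1's address is never a gateway for eth0
    run ip route replace default via "$EXT_GW" dev "$EXT_IF"
    # without this the kernel discards packets not addressed to the box itself
    run sysctl -w net.ipv4.ip_forward=1
    # on the hardware router (not scriptable from here) add the static route
    # 192.168.1.0/24 via $EXT_IP so replies from the main LAN find their way back
}

firewall_rules() {       # firewall_rules [1]  -> pass 1 to add the NAT fallback
    nat=${1:-0}
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # managed computers may open connections outward through the box
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    # the unmanaged LAN may not open anything into the sub-LAN: log, then drop
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j LOG --log-prefix "fw-inbound-drop: "
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j DROP
    if [ "$nat" = 1 ]; then
        # only needed if the hardware router cannot hold the static route above
        run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
    fi
}

dhcpd_conf() {
    # ISC dhcpd subnet block for the managed side; run dhcpd bound to $INT_IF.
    # Assumes the hardware router answers DNS for the LAN.
    cat <<EOF
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
  option routers $INT_IP;
  option domain-name-servers $EXT_GW;
}
EOF
}

configure_interfaces
firewall_rules
dhcpd_conf
```

The FORWARD chain defaults to DROP, so the unmanaged computers cannot open connections into the sub-LAN even though the hardware router now has a route to it; the LOG rule makes any such attempt visible in the kernel log, which is the "extra layer" the asker was after. The MASQUERADE fallback is only for a hardware router that cannot store a static route.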


Sorry to be a dunce, but I'm still not getting it to work. First, I set a static route in the hw router of: Destination= (eth1) Subnet Mask= and Gateway= (eth0). Next I set the ip of eth0 to network) and of eth1 to (internal network) both with a subnet mask of and gateway of (the eth1 interface). Now, for the DHCP server service you seemed to say that it should bind to eth0. However, when I try that in SuSE's YaST2 DHCP Server tool, it doesn't allow me to set the client range to that of my managed network (192.168.100.*), but only allows 192.168.0.*. So, it seems that I have to bind it to eth1.

I'll keep raising the points as long as I'm not getting it.


Please refer to the diagram I was mentioning.

Feel free to ask me if you are not sure.



It's a broken link.
Gabriel Orozco, Solution Architect


You need to understand this:

no computer can see an IP Address that's not in its address space!

so, you cannot make Gateway= on subnet!

this is why we need gateways. they are one box on our network address space that knows how to forward back and forth packets for another subnet. if it happens to be the internet, that subnet is =)

so, please refer to my diagram:

(internet hw router) ------ (your linux machine) ---(your managed computers)

here, the (internet hw router) should create a route to the network, VIA ( IS the gateway to the subnet, in the hardware router's point of view)

for the internal, managed-by-you computers, they should have default gateway to be (your linux-gateway ip on that subnet)

got it?

please review carefully what we are trying to explain to you. I sense you are almost there.
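The two rules Gabriel keeps returning to (the two sides of the Linux box must be different subnets, and a gateway must lie inside the subnet of the interface that uses it) as an added POSIX shell checker that is not from the thread or any poster. It replays the asker's two attempts and the corrected plan; the host addresses used in the demo (192.168.0.50 and 192.168.0.60 on the main LAN, 192.168.100.1 and 192.168.1.1 on the managed side, 192.168.0.1 for the hardware router) are assumptions, since the thread elides them.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a two-interface
# Linux gateway plan, using only POSIX sh arithmetic. Demo addresses assumed.

ip2int() {            # ip2int A.B.C.D -> 32-bit integer
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

network_of() {        # network_of IP PREFIXLEN -> integer network address
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    echo $(( $(ip2int "$1") & mask ))
}

gateway_ok() {        # gateway_ok IFACE_IP PREFIXLEN GATEWAY -> true if same subnet
    [ "$(network_of "$1" "$2")" -eq "$(network_of "$3" "$2")" ]
}

subnets_overlap() {   # subnets_overlap IP1 LEN1 IP2 LEN2 -> true if they overlap
    # two prefixes overlap exactly when they agree at the shorter prefix length
    if [ "$2" -lt "$4" ]; then l=$2; else l=$4; fi
    [ "$(network_of "$1" "$l")" -eq "$(network_of "$3" "$l")" ]
}

check_plan() {        # check_plan EXT_IP EXT_LEN INT_IP INT_LEN DEFAULT_GW -> true if sane
    ok=0
    if subnets_overlap "$1" "$2" "$3" "$4"; then
        echo "problem: $1/$2 and $3/$4 overlap, so there is nothing to route between"
        ok=1
    fi
    if ! gateway_ok "$1" "$2" "$5"; then
        echo "problem: default gateway $5 is not on the external subnet $1/$2"
        ok=1
    fi
    if [ "$5" = "$1" ] || [ "$5" = "$3" ]; then
        echo "problem: default gateway $5 is one of the box's own addresses"
        ok=1
    fi
    return $ok
}

demo() {
    echo "first attempt: both cards on 192.168.0.0/24"
    check_plan 192.168.0.50 24 192.168.0.60 24 192.168.0.1 || true
    echo "second attempt: default gateway set to the eth1 address"
    check_plan 192.168.0.50 24 192.168.100.1 24 192.168.100.1 || true
    echo "corrected: eth1 on 192.168.1.0/24, gateway is the hw router"
    if check_plan 192.168.0.50 24 192.168.1.1 24 192.168.0.1; then echo "ok"; fi
}

demo
```

Run it before touching a live box: it reports why the first attempt cannot route (one subnet on both cards) and why the second cannot reach the internet (the default gateway sits on eth1's subnet, so eth0 can never use it), and it accepts the layout in Gabriel's diagram.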

Sorry for the broken link.

Try this


Sorry to take so long to reply, but I have a data recovery disaster going on on one of my servers. I will get back to this Sunday or Monday.
