Mark

how to configure Linux as router

I'm trying to set up a linux host as a router. I'm following the instruction at http://www.cyberciti.biz/tips/linux-as-router-for-dsl-t1-line-etc.html which assured me it would be a 2-minute process, but after 2 minutes, I'm stuck. Here's what I did so far, per the instructions:

The setup:

I am running the Slackware distro, kernel 2.6.24.5

I currently have two NIC cards in this computer: eth0 is currently connected to a D-Link router (which, in turn, is connected to the ISP's cable modem), and eth1 is currently not connected to anything, but will be the LAN connection.

eth0 is configured in /etc/rc.d/rc.inet1.conf for DHCP.

STEPS SO FAR:

I connected eth0 to the cable modem and reset the NIC:

$ /etc/rc.d/rc.inet1 eth0_restart

That worked fine, eth0 got an IP. Then, I created the file /etc/sysctl.conf and added one line:

 net.ipv4.ip_forward = 1

Then the iptables commands for IP forwarding and Masquerading:

$ iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
$ iptables --append FORWARD --in-interface eth1 -j ACCEPT

Here's where I'm stuck. How do I configure eth1 in /etc/rc.d/rc.inet1.conf? I want to give it a static IP for the LAN, but what do I put in for gateway and DNS? Won't specifying a gateway confuse eth0?

# Config information for eth1:
IPADDR[1]="192.168.0.1"
NETMASK[1]=""
USE_DHCP[1]=""
DHCP_HOSTNAME[1]=""

# Default gateway IP address:
GATEWAY="???"

Do I use /etc/resolv.conf for DNS servers? Start named? Can I somehow specify eth0's IP as the gateway?

I'm CONFUSED!
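Added here as an example, not the asker's or the site's code: a stateful rc.firewall for the two-NIC layout in the question. The two rules above leave the FORWARD chain's default policy at ACCEPT, so anything that reaches eth0 addressed to a LAN host is forwarded inward too; this version assumes the question's first naming (eth0 = Internet, eth1 = LAN) and forwards only LAN-originated connections and their replies.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful rc.firewall for a two-NIC
# Linux router. The posted rules never set a FORWARD policy, so packets
# arriving on the Internet side and bound for the LAN are forwarded as well;
# this set forwards only LAN -> Internet plus the replies to it.
# Interface names follow the question's first layout (eth0 = Internet, eth1 = LAN).
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}

# Emit the rule set, one iptables argument list per line, so it can be
# reviewed or tested without touching the running kernel:
#  1. default-deny forwarding          2. NAT everything leaving via $WAN
#  3. LAN may open connections out     4. Internet side only gets replies in
#  5. anything else bound for the LAN is logged (rate-limited) and then
#     dropped by the chain policy
firewall_rules() {
    cat <<EOF
-P FORWARD DROP
-t nat -A POSTROUTING -o $WAN -j MASQUERADE
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m limit --limit 5/min -j LOG --log-prefix fwd-drop:
EOF
}

case "${1:-}" in
    start)  # apply: needs root; flush first so re-running does not duplicate rules
        echo 1 > /proc/sys/net/ipv4/ip_forward   # same as net.ipv4.ip_forward = 1
        iptables -F FORWARD
        iptables -t nat -F POSTROUTING
        # $rule is word-split on purpose: each line is one argument list
        firewall_rules | while read -r rule; do iptables $rule; done
        ;;
    *)      # no argument: just print what "start" would run
        firewall_rules | sed 's/^/iptables /'
        ;;
esac
```

Run it as `rc.firewall start` from rc.local (or rc.inet2) once the interfaces are up; without an argument it only prints the commands.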
arnold

Eth0 is the gateway. IP of the dlink.  Make sure you do not double NAT the same segment.
I.e. eth0 must to be on the 192.168.0.0/24
Resolv.conf should point to the DNS server either local if you configure named as a caching server locally.

Post the output of netstat -rn.
Do you have DHCP configured to allocate IPs on the eth1 network?
Personally I'd recommend using a distro that is built with being a gateway already from the onset. For example Zentyal has this built-in, but also turnkey, ClearOS and others have this function already available. The advantage is that all these distros have good management tools included which makes configuration very easy and straightforward.

http://distrowatch.com/table.php?distribution=zentyal
Check this (outdated but still very relevant and instructive) article:

https://wiki.archlinux.org/index.php/Router
Mark

ASKER

I've got it sort-of working -- in fact, I'm using it as my router to post this comment -- but I still have issues. I had a 2nd NIC that wouldn't play well in the computer (Linksys EtherFast 10/100 LNE100TX). I forget what error I was getting, something about a "tulip". I swapped out the card for one that worked, but then had to remove my /etc/udev/70-persistent-net.rules and reboot because udev was renaming my eth0 to eth2! Sheesh! My problem is some error messages I get when running `dhcpd -d eth0`. First, the messages, then I'll post the config:

When I started dhcpd I got:

Wrote 0 deleted host decls to leases file.
Wrote 0 new dynamic host decls to leases file.
Wrote 0 leases to leases file.
Listening on LPF/eth0/00:50:da:28:3b:06/192.168.0/24
Sending on   LPF/eth0/00:50:da:28:3b:06/192.168.0/24
Sending on   Socket/fallback/fallback-net

I assume these are normal start up messages. I then connected my WIN9 laptop for which I created a DHCP reservation for 192.168.0.102 (I think). When it connected I got:

Dynamic and static leases present for 192.168.0.102.
Remove host delcaration rover or remove 192.168.0.102
from the dynamic address pool for 192.168.0/24
DHCPREQUEST for 192.168.0.102 from 44:1e:a1:c8:e8:9b via eth0
DHCPACK on 192.168.0.102 to 44:1e:a1:c8:e8:9b via eth0
DHCPINFORM from 192.168.0.102 via eth0: not authoritative for subnet 192.168.0.0
If this DHCP server is authoritative for that subnet,
please write an 'authoritative;' directive either in the
subnet declaration or in some scope that encolses the
subnet declaration - for example, write it at the top
of the dhcpd.conf file.
DHCPINFORM from 192.168.0.102 via eth0: not authoritative for subnet 192.168.0.0

Not sure what all this means, but my guess is that I should not designate reserved IPs within my DHCP range (192.168.0.100 - 192.168.0.199). Also, not sure what the 'authoritative;' directive is all about.

Next, I connected my wife's laptop for which I did *NOT* make a reservation. I got:

if PC-de-Daniela.alluneedizluv.local IN A rrset doesn't exist add PC-de-Daniela.alluneedizluv.local 21600 IN A 192.168.0.101: DNS format error.
DHCPREQUEST for 192.168.0.101 from 00:13:77:d6:aa:2a via eth0
DHCPACK on 192.168.0.101 to 00:13:77:d6:aa:2a  (PC-de-Daniela) via eth0
DHCPINFORM from 192.168.0.101 via eth0: not authoritative for subnet 192.168.0.0
DHCPINFORM from 192.168.0.101 via eth0: not authoritative for subnet 192.168.0.0
if PC-de-Daniela.alluneedizluv.local IN A rrset doesn't exist add PC-de-Daniela.alluneedizluv.local 21600 IN A 192.168.0.101: timed out.

The messages DHCPREQUEST, DHCPACK, DHCPINFORM, DHCPINFORM repeat themselves about every half hour (something to do with lease time?). I can't even guess what these messages are about other than something to do with DNS ... which I'm not running. Despite all these messages, both laptops appear to have connected w/o any apparent problem on the laptop end. Nevertheless, I don't want to simply ignore them.

How do I fix these?

Configuration:

/etc/dhcpd.conf:
option domain-name "alluneedizluv.local";

ddns-update-style ad-hoc;

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    range 192.168.0.100 192.168.0.199;
    option domain-name-servers 209.18.47.61, 209.18.47.62;  # from my ISP
}

host rover {
  hardware ethernet 44:1E:A1:C8:E8:9B;
  fixed-address 192.168.0.102;
}

/etc/rc.d/rc.inet1.conf:
# Config information for eth0:
# This is the LAN interface and is the add-in card
IPADDR[0]="192.168.0.1"
NETMASK[0]="255.255.255.0"
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""

# Config information for eth1:
# This is the Internet interface and is the built-in NIC
IPADDR[1]=""
NETMASK[1]=""
USE_DHCP[1]="yes"
DHCP_HOSTNAME[1]=""
GATEWAY=""

I've specified no default gateway.

/etc/rc.d/rc.firewall:
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

/etc/resolv.conf:
# Generated by dhcpcd for interface eth1
search columbus.rr.com
nameserver 209.18.47.61
nameserver 209.18.47.62

With the above, do I even need the option domain-name-servers in dhcpd.conf?

arnold, the netstat -rn info:

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
76.181.64.0     0.0.0.0         255.255.224.0   U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         76.181.64.1     0.0.0.0         UG        0 0          0 eth1


vivigatt, I will also check out your link for clues.

So, what am I doing wrong?

Thanks
The non-authoritative and the timeout deals with the DNS.
You should setup a local caching + authoritative for 0.168.192.in-addr.arpa zone where your DHCP server will register the IPs it allocates. And your internal domain alluneedizluv.local.

ASKER

According to my research, the "not authoritative for subnet" can be handled by putting the directive 'authoritative;' at the beginning of my /etc/dhcpd.conf file.

> You should setup a local caching ... for 0.168.192.in-addr.arpa zone

Do you mean running DNS (named) or are you talking about some configuration setting in dhcpd.conf?
Yes, having bind's named or any other DNS service (tinydns) depending on your comfort level.
ASKER CERTIFIED SOLUTION
vivigatt

ASKER

When I put the "authoritative" directive in the dhcpd.conf file I stopped getting the "not authoritative for subnet" messages, and I also stopped getting the "if PC-de-Daniela.alluneedizluv.local IN A rrset doesn't exist ... DNS format error." So, everything seems to be running just fine.

vivigatt: > DHCP leases are renewed periodically. Actually, there is a "renewal" dialog that occurs when the leases half expired. You can increase the lease time if you want.

Maybe this is too big a question for this posting, but what's the difference between max-lease-time and default-lease-time? What are the defaults if not set in dhcpd.conf? If I understand the logfile correctly, leases seem to be updated between 1 and 2 hours. This is a small, local network, so why not set lease times to e.g. a month or so?
SOLUTION

ASKER

OK, I think that deals with my general router issues. Thanks. I've changed the default lease time to 1 day, as you suggested. Everything seems to be working just fine on the wired LAN.

you wrote:
> In short, the default lease sets a time frame within which the client must renew the lease; at the end of the period, if not renewed, the lease expires.

I have a different question on a Linux DHCP *client* in a Windows domain and it seems to have to do with the Linux client not renewing the lease. Check out https://www.experts-exchange.com/questions/28162381/configure-DHCP-on-Linux-for-wireless-access-point-and-wired-interface-at-the-same-time.html and see if you can help me on that one.

Also, I don't know if you know anything about wireless, but I've added a wireless card into this mix that I want to be an access point. I've got it semi-configured -- client devices can see the SSID and can connect -- but no Internet access happening. Check out https://www.experts-exchange.com/questions/28162388/wireless-access-point-not-quite-working-on-Linux.html if this is in your bailiwick.
Regarding the wireless, what IPs are you assigning there? If you are assigning the same IP as the wired side, your issue would be what IP the wireless NIC has as well as what iptables rules are set on the NIC, i.e. does wireless traffic pass without impediment through the wireless NIC to the outside.

If you are using a different block of IPs, you have to make sure that your iptables NAT rules route traffic correctly between the wireless NIC and the outside.

ASKER

I think I may have an issue with the iptables, but I'm no iptables guru so I'm not sure. Check out https://www.experts-exchange.com/questions/28162388/wireless-access-point-not-quite-working-on-Linux.html. All the IP assignment, hostapd, etc. info is listed. I need to get that one fixed asap as I'm being bugged to toss out this linux server idea and buy a Linksys or something.