Akkara Bodhisattva
Joined: 28 Mar 2006 Posts: 6702 Location: &akkara
Posted: Thu Jan 29, 2009 2:44 am Post subject: Getting a printer on 192.168.* to work on a static-ip net
Hi! This is probably a simple question, except I'm not a networking guru so I'm not even sure what question to be asking.
Here's the situation: The ISP provides a set of static IP's. The computers are connected through a switch and statically configured. So far so good. Except now I want to talk to a printer. The printer wants to be on a 192.168.* network. So the problem is to configure the computer (running Gentoo of course) to both talk on the ISP's given net, and also on the 192.168 network, both off the same physical interface?
I can manually type
Code:
```
ifconfig eth0 add 192.168.0.2
ifconfig eth0:0 netmask 255.255.255.0
```
and it works. (With the printer hanging off the same switch as the computers are on.)
What should be put into /etc/conf.d/net to get this to happen automatically on boot? Currently it looks like this:
Code:
```
config_eth0=( "999.999.999.X netmask 255.255.255.X brd 999.999.999.X" )
routes_eth0=( "default gw 999.999.999.X" )
dns_servers_eth0="999.999.999.X"
```
Thanks!
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Thu Jan 29, 2009 7:48 am Post subject:
/etc/conf.d/net.example wrote:
```
# If you need more than one address, you can use something like this
# NOTE: ifconfig creates an aliased device for each extra IPv4 address
# (eth0:1, eth0:2, etc)
# iproute2 does not do this as there is no need to
#config_eth0=(
# "192.168.0.2/24"
# "192.168.0.3/24"
# "192.168.0.4/24"
#)
```
so something like this should do the trick for you
Quote:
```
config_eth0=( "999.999.999.X netmask 255.255.255.X brd 999.999.999.X" "192.168.x.y/24" )
```
_________________ Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
Hu Administrator
Joined: 06 Mar 2007 Posts: 23097
Posted: Fri Jan 30, 2009 4:13 am Post subject:
Assuming this is a residential or commercial ISP, I would not do this. Hanging a printer off a switch attached to an ISP relies on their routing rules to prevent anything bad from reaching your printer. If you have a second NIC in the Gentoo system, I highly recommend having the printer on a LAN subnet, shielded from ISP traffic.
Akkara Bodhisattva
Joined: 28 Mar 2006 Posts: 6702 Location: &akkara
Posted: Fri Jan 30, 2009 5:15 am Post subject:
Thanks for the replies!
Think4UrS11 wrote:
> config_eth0=( "999.999.999.X netmask 255.255.255.X brd 999.999.999.X" "192.168.x.y/24" )

Ah!, so *that* is what I missed, thanks!
So the rule, then, is to put a full network configuration in a single quote-delimited string, and any additional configurations in a subsequent string.
Hu wrote:
> Assuming this is a residential or commercial ISP, I would not do this. Hanging a printer off a switch attached to an ISP relies on their routing rules to prevent anything bad from reaching your printer.

Hmmm. Thanks for the heads-up. This opens a number of questions:
1) How do switches work? My limited understanding was that they watch for addresses on their ports, and then forward traffic to the port that has the address it has seen. But my understanding can't be right since you're saying that 192.128.*.* would get forwarded to the port with the modem. What would be needed to block this? (Currently using this switch, if it matters.)
2) Getting a 2nd NIC in the machine isn't easy because the on-board nic doesn't work so already using a PCI card, and all other slots are already filled. If I manage to find something that works (perhaps there's a good dual-nic card I can use), what's the recommended reading to learn about how to set up such a network? It would need to forward printer-bound packets from computers on the main net to the 192-one, in addition to routing its own packets.
3) Is there a way to use a regular router to achieve the required isolation? This is the current topology:
Code:
```
<computer> --- <switch> --- <modem (bridging)> --- isp
   ...           |  |
<computer> ------+  |
                    |
<printer> ----------+
```
Thanks again!
pgf Tux's lil' helper
Joined: 26 Dec 2004 Posts: 121 Location: Toronto, Ontario
Posted: Fri Jan 30, 2009 7:47 pm Post subject:
Akkara wrote:
> 1) How do switches work? My limited understanding was that they watch for addresses on their ports, and then forward traffic to the port that has the address it has seen. But my understanding can't be right since you're saying that 192.128.*.* would get forwarded to the port with the modem. What would be needed to block this? (Currently using this switch, if it matters.)

Generally switches are "layer 2" devices and work on MAC addresses, not IP. Your computer maintains a table of MAC addresses with which it is communicating - you can see this using the command
If you try to communicate with a device that your computer recognizes as being on the same IP subnet (via IP address and netmask) then it will "arp" for it - sending a "who has this address?" broadcast. After that it will send packets to the MAC address it received. The switch maintains a MAC address to switch port mapping table and thus knows which port to send the packet out.
If the address you are sending to is not on the same subnet then your computer will send the packet to the default gateway, which can be seen by running The router is supposed to know how to get the packet closer to its destination (ie. "route" it).
I've run out of time, but I might address the other questions later if I get a chance.
Hu Administrator
Joined: 06 Mar 2007 Posts: 23097
Posted: Sat Jan 31, 2009 4:29 am Post subject:
pgf provides a good answer for #1. The potential risk relates to how your ISP handles your connection and those of your neighbors. In a good setup, each home should be its own little network and need to go through the ISP router to reach anything outside that home. The ISP's router would hopefully be configured to disallow sending to reserved addresses, like the one you put on the printer. These are two conditions where you are counting on an ISP to do the right thing. They may have done the first one for simplicity of their own design. I doubt they would bother with the second, since that requires them to filter traffic that is not a direct threat to their operations.
A basic switch is not designed to provide the filtering you need. It only filters traffic for the sake of not flooding attached nodes with packets they will not use.
Any consumer grade router will probably have the desired filtering behavior as a side effect. Many non-savvy users rely on consumer grade routers doing NAT without any DNAT rules as a crude form of firewall. The internal systems are protected by virtue of the router being unable to decide which of them should receive incoming traffic.
Overall, I would say that you are, at most, at risk from your fellow subscribers. Depending on ISP topology, you may not be at any risk at all. I prefer not to rely on the happenstance of someone else's network to assure the security of mine, which is what led to my initial cautionary comment.
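
The forwarding decision pgf describes, applied to the two-address eth0 setup from this thread, as an added example (not code from any poster). It shows that traffic to an on-link subnet is resolved by ARP and never crosses a router, which is why the router filtering Hu mentions cannot apply to it. Assumptions: 203.0.113.0/24 stands in for the masked ISP network, and 192.168.0.50 is a made-up printer address.

```python
import ipaddress

# Constructed sample config: 203.0.113.0/24 (a documentation range) stands in
# for the ISP-assigned static network the poster masked as 999.999.999.X.
ADDRESSES = ["203.0.113.10/24", "192.168.0.2/24"]   # both on eth0
DEFAULT_GW = "203.0.113.1"


def next_hop(dst, addresses=ADDRESSES, gateway=DEFAULT_GW):
    """Return (method, via, source) for a destination IPv4 address.

    method is "arp" when dst lies inside a directly connected subnet
    (delivered at layer 2; the switch forwards by MAC address), or
    "gateway" when the packet is handed to the default router.
    """
    dst = ipaddress.ip_address(dst)
    ifaces = [ipaddress.ip_interface(a) for a in addresses]
    # Longest-prefix match over the connected networks.
    on_link = [i for i in ifaces if dst in i.network]
    if on_link:
        best = max(on_link, key=lambda i: i.network.prefixlen)
        return ("arp", str(dst), str(best.ip))
    gw = ipaddress.ip_address(gateway)
    src = next((i for i in ifaces if gw in i.network), None)
    if src is None:
        raise ValueError("default gateway is not on a connected subnet")
    return ("gateway", str(gw), str(src.ip))


def filtered_by_router(dst, **kw):
    """True only if a router sits in the path and could filter the packet."""
    return next_hop(dst, **kw)[0] == "gateway"


if __name__ == "__main__":
    # 192.168.0.50 is an assumed printer address; the others are constructed.
    for dst in ("192.168.0.50", "203.0.113.77", "198.51.100.5"):
        method, via, src = next_hop(dst)
        print(f"{dst:>14}: {method:7} via {via:<13} src {src} "
              f"router-in-path={filtered_by_router(dst)}")
```

Passing `addresses=["203.0.113.10/24"]` reproduces the configuration before the second address was added: the printer's subnet is then no longer on-link and the packet is handed to the ISP gateway instead.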