Gentoo Forums
Do packets go via gateway when that route isn't shortest?
Gentoo Forums Forum Index :: Networking & Security
sirlark (Guru)

Joined: 25 Oct 2004
Posts: 306
Location: Limerick, Ireland

PostPosted: Tue Jul 01, 2008 3:05 pm    Post subject: Do packets go via gateway when that route isn't shortest?

Hi all,

I have an ADSL wireless router, which is presently acting as DHCP server. Obviously it supplies its own IP as the default gateway.

What I would like to do is install a server that acts as firewall/proxy/cache. I'm intending to install dnsmasq on it, but was wondering how it would interact with machines connecting wirelessly. I would want squid to act as a transparent proxy; see diagram below ...

Code:

INTERNET <--> ADSL wireless router <--> Server <--> Switch <--> Wired PC
                        |
                        |
                Wireless Laptops


If I set up dnsmasq to deliver the server's IP as the default gateway, will traffic from the wireless laptops destined for the internet actually be routed through the server and hence be cached by squid, and more importantly, be measurable by bandwidth monitoring tools?

Cheers
_________________
Adopt an unanswered post today
UberLord (Retired Dev)

Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

PostPosted: Tue Jul 01, 2008 3:39 pm

I think you then need this kind of picture

Code:

INTERNET <--> ADSL  <--> Server <--> Switch <--> Wired PC
                           |
                    Wireless AP (box or NIC)
                           ^
                           |
                           v
                    Wireless laptops

_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
eyoung100 (Veteran)

Joined: 23 Jan 2004
Posts: 1428

PostPosted: Tue Jul 01, 2008 3:40 pm

What type of ADSL router is it? Most routers are firewalls by default as the addresses they give out are private-class addresses. See RFC 1918

RFC 1918 wrote:

To contain growth of routing overhead, an Internet Provider obtains a
block of address space from an address registry, and then assigns to
its customers addresses from within that block based on each customer
requirement.


The above has been outgrown for many years, continuing:
RFC 1918 wrote:
3. Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

We will refer to the first block as "24-bit block", the second as
"20-bit block", and to the third as "16-bit" block. Note that (in
pre-CIDR notation) the first block is nothing but a single class A
network number, while the second block is a set of 16 contiguous
class B network numbers, and third block is a set of 256 contiguous
class C network numbers.



Most ADSL router/modems hand out the class C type. Trading your server IP, which is a Class C private address as described above, with the default gateway of the ADSL router, which is also a Class C private address described above, has no bearing on what your ISP sees. All they see is an increase in packet traffic for the IP address that has been given to you that is stored in your ADSL modem/router. Your server can never be the gateway, unless it was the first device in the chain you drew, which can never happen or you would have no connectivity.
_________________
The Birth and Growth of Science is the Death and Atrophy of Art -- Unknown
Registered Linux User #363735
Adopt a Post | Strip Comments| Emerge Wrapper


Last edited by eyoung100 on Tue Jul 01, 2008 3:47 pm; edited 1 time in total
eyoung100 (Veteran)

Joined: 23 Jan 2004
Posts: 1428

PostPosted: Tue Jul 01, 2008 3:45 pm

UberLord wrote:
I think you then need this kind of picture

Code:

INTERNET <--> ADSL  <--> Server <--> Switch <--> Wired PC
                           |
                    Wireless AP (box or NIC)
                           ^
                           |
                           v
                    Wireless laptops


Unless your ADSL modem has an access point built in, which is the only reason I would think you drew the diagram the way you did the first time.
_________________
The Birth and Growth of Science is the Death and Atrophy of Art -- Unknown
Registered Linux User #363735
Adopt a Post | Strip Comments| Emerge Wrapper
UberLord (Retired Dev)

Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

PostPosted: Tue Jul 01, 2008 3:56 pm

All SoHo ADSL wireless routers I know of throw a wobbly when back-looping the traffic, which is what will happen here. Here's the flow

wireless laptop ->> AP/router ->> server ->> AP/router ->> INTERNET
So traffic back will be
INTERNET ->> AP/router ->> server ->> AP/router ->> wireless laptop

Good luck doing that :)
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
eyoung100 (Veteran)

Joined: 23 Jan 2004
Posts: 1428

PostPosted: Tue Jul 01, 2008 4:40 pm

As UberLord said, all mass-produced ADSL modem routers will not allow back-looping, because it requires 2 levels of swapping private IP addresses. This is more practical when exchanging a Class C private address for a private address of another class type, i.e. 192.168.0.0 for 10.0.0.0. A Class C cannot be exchanged for another Class C of the same subnet, because to a router, all packets look identical. A better solution would be to go to the configuration page of your ADSL modem and enable the firewall there, along with port forwarding. See Guide to Port Forwarding.
_________________
The Birth and Growth of Science is the Death and Atrophy of Art -- Unknown
Registered Linux User #363735
Adopt a Post | Strip Comments| Emerge Wrapper
sirlark (Guru)

Joined: 25 Oct 2004
Posts: 306
Location: Limerick, Ireland

PostPosted: Wed Jul 02, 2008 9:00 am

So it looks like getting the wireless machines connected means buying a new wireless access point then?

It's a bog standard netgear (RangeMax) ADSL wireless router, configurable to hand out whatever IP addresses I see fit, but currently handing out class C. It has four 'internal' ethernet ports.

My plan is to disable the DHCP server on the router, and have that task taken over by the server using dnsmasq. This would mean that all the workstations and laptops now have their default gateway set to be the server's IP, also a class C address. My question is, what happens to a packet, generated by a user's browser for example, that has a destination outside the class C network range?

My understanding of routing (limited, I confess) is that the user's PC checks through its routing table and sends the packet off to the appropriate machine, in this case the gateway, i.e. the server. Logically, this is a single hop, as the IP of the ADSL router isn't anywhere in the equation. Physically, the packet must go through the ADSL router if it originates on a wirelessly connected machine.

But does the ADSL router's routing logic kick in at this point and analyse the packet, sending it to its ultimate destination outside the network, or does the physical layer just do its thing, and send the wireless packet to the gateway/server, silently translating from wireless protocol to ethernet protocol?

I would test all this stuff myself, but it's a live environment, and I can't risk messing things up during work hours...
_________________
Adopt an unanswered post today
think4urs11 (Bodhisattva)

Joined: 25 Jun 2003
Posts: 6659
Location: above the cloud

PostPosted: Wed Jul 02, 2008 7:13 pm    Post subject: Re: Do packets go via gateway when that route isn't shortest?

What should work is to have dhcpd (not 100% sure if dnsmasq can do that) installed on 'server' and have it providing two different DHCP ranges.
To get this flying the server needs to have two NICs or at least have two different networks configured. Both networks can be handled via one physical NIC but it doesn't hurt to use a second NIC.
a) for wired clients (right of the switch in the picture), e.g. 192.168.1.0/24
b) for wireless clients e.g. 192.168.2.0/24

wireless clients will get a DHCP lease 192.168.2.x with default GW 'Router' and (if needed) a dedicated route 'LAN -> via Server'
wired clients will get a DHCP lease 192.168.1.x with default GW 'Server'

Some of those cheap routers are not able to handle traffic correctly when incoming traffic from the LAN side is not originating from an IP within the range the router itself has an IP in.
With the above you circumvent this issue. Additionally you've (more or less) some kind of DMZ where your wireless clients are connected to.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
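sirlark asks above what a wireless client's packet does when its default gateway is the server rather than the router it is physically associated with, and think4urs11's reply proposes two subnets with different gateways. The following Python model is an added example, not from the thread or from any poster: it traces both layouts hop by hop. Each device does a longest-prefix route lookup, resolves the next hop on its own L2 segment (the access point is treated as a transparent bridge, so the ADSL router and its AP are one device on one LAN segment), and masquerades (SNAT) where a real box would. The topology, device names and addresses are constructed for the example, and it assumes Linux defaults on the forwarding boxes (ip_forward=1, send_redirects=1).

```python
"""Hop-by-hop model of a LAN whose DHCP default gateway is a server rather than the ADSL
router. Constructed topology for this example; addresses are documentation ranges."""
import ipaddress


class Device:
    """Host or router: interfaces, longest-prefix routing table, optional masquerade (SNAT)."""
    def __init__(self, name, ifaces, routes=(), forwards=False, masquerade=None):
        self.name = name
        # ifaces: {ifname: ("ip/prefix", segment)}; a segment is one L2 broadcast domain, so an
        # access point bridged to the router's switch ports is simply the same segment.
        self.ifaces = {n: (ipaddress.ip_interface(a), seg) for n, (a, seg) in ifaces.items()}
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(g), i) for p, g, i in routes]
        self.routes += [(i.network, None, n) for n, (i, _) in self.ifaces.items()]  # connected
        self.forwards = forwards      # ip_forward=1
        self.masquerade = masquerade  # ifname whose outgoing packets are SNATed to its address
        self.nat = {}                 # conntrack stand-in: remote peer -> original client

    def owns(self, ip):
        return any(i.ip == ip for i, _ in self.ifaces.values())

    def lookup(self, dst):
        """Longest-prefix match -> (gateway or None when on-link, ifname), or None if no route."""
        hits = [r for r in self.routes if dst in r[0]]
        if not hits:
            return None
        _, gw, ifn = max(hits, key=lambda r: r[0].prefixlen)
        return gw, ifn


class Network:
    def __init__(self, *devices):
        self.devices = devices

    def arp(self, segment, ip):
        """Which device answers for ip on this segment (the AP/bridge is transparent here)."""
        for d in self.devices:
            for ifn, (iface, seg) in d.ifaces.items():
                if seg == segment and iface.ip == ip:
                    return d, ifn
        return None, None

    def send(self, dev, src, dst):
        """Forward one packet. Returns (device path, source as received, ICMP redirects sent)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        path, redirects, in_if = [], [], None
        while True:
            path.append(dev.name)
            denatted = False
            if dev.masquerade and dst == dev.ifaces[dev.masquerade][0].ip and src in dev.nat:
                dst, denatted = dev.nat[src], True  # reply to a flow this box masqueraded
            if dev.owns(dst):
                return path, str(src), redirects
            if in_if is not None and not dev.forwards:
                return path + ["dropped: not forwarding"], str(src), redirects
            hit = dev.lookup(dst)
            if hit is None:
                return path + ["no route"], str(src), redirects
            gw, out_if = hit
            out_iface, segment = dev.ifaces[out_if]
            # Linux default send_redirects=1: forwarding back out the ingress interface to a
            # gateway on the sender's own subnet makes the box tell the sender to go direct.
            if in_if == out_if and gw is not None and src in out_iface.network:
                redirects.append((dev.name, str(gw)))
            if dev.masquerade == out_if and not denatted:
                dev.nat[dst], src = src, out_iface.ip
            nxt, nxt_if = self.arp(segment, gw or dst)
            if nxt is None:
                return path + [f"unreachable next hop {gw or dst}"], str(src), redirects
            dev, in_if = nxt, nxt_if


def round_trip(net, client, dst):
    """Client -> dst and the reply back. Returns (forward path, reply path, redirects)."""
    client_ip = str(next(iter(client.ifaces.values()))[0].ip)
    fwd, seen_src, redirects = net.send(client, client_ip, dst)
    remote = next(d for d in net.devices if d.owns(ipaddress.ip_address(dst)))
    back, _, _ = net.send(remote, dst, seen_src)
    return fwd, back, redirects


def internet():  # stands in for the ISP next hop plus a remote web server at 198.51.100.9
    return Device("internet", {"isp": ("203.0.113.1/24", "wan"), "web": ("198.51.100.9/24", "far")}, forwards=True)


def single_subnet(server_masquerades):
    """sirlark's layout: one subnet, AP inside the ADSL router, server handed out as gateway."""
    router = Device("adsl-router", {"lan": ("192.168.1.254/24", "lan"), "wan": ("203.0.113.7/24", "wan")},
                    [("0.0.0.0/0", "203.0.113.1", "wan")], forwards=True, masquerade="wan")
    server = Device("server", {"eth0": ("192.168.1.1/24", "lan")}, [("0.0.0.0/0", "192.168.1.254", "eth0")],
                    forwards=True, masquerade="eth0" if server_masquerades else None)
    laptop = Device("wifi-laptop", {"wlan0": ("192.168.1.50/24", "lan")}, [("0.0.0.0/0", "192.168.1.1", "wlan0")])
    return Network(router, server, laptop, internet()), laptop


def two_subnets():
    """think4urs11's layout: wired 192.168.1.0/24 behind the server, wireless 192.168.2.0/24 via the router."""
    router = Device("adsl-router", {"lan": ("192.168.2.1/24", "wifi"), "wan": ("203.0.113.7/24", "wan")},
                    [("0.0.0.0/0", "203.0.113.1", "wan")], forwards=True, masquerade="wan")
    server = Device("server", {"eth0": ("192.168.1.1/24", "wired"), "eth1": ("192.168.2.2/24", "wifi")},
                    [("0.0.0.0/0", "192.168.2.1", "eth1")], forwards=True, masquerade="eth1")
    pc = Device("wired-pc", {"eth0": ("192.168.1.10/24", "wired")}, [("0.0.0.0/0", "192.168.1.1", "eth0")])
    laptop = Device("wifi-laptop", {"wlan0": ("192.168.2.50/24", "wifi")}, [("0.0.0.0/0", "192.168.2.1", "wlan0")])
    return Network(router, server, pc, laptop, internet()), pc, laptop
```

Call `round_trip(*single_subnet(False), "198.51.100.9")` and the same with `True`, then `net, pc, laptop = two_subnets()` with `round_trip(net, pc, ...)` and `round_trip(net, laptop, ...)`. Two things the model makes visible that the diagram hides. First, in the single-subnet layout the laptop's frame does cross the AP at layer 2 only and is handled by the server (path laptop, server, router, internet), but the reply from the router goes straight back to the laptop unless the server masquerades towards the router, so a non-masquerading server sees only the outbound half of what it is meant to measure. Second, because the server forwards the packet back out the interface it arrived on, a Linux server with the default net.ipv4.conf.all.send_redirects=1 emits an ICMP redirect telling the laptop to use the router directly, and clients that honour redirects will bypass the server from then on; set send_redirects to 0 on the server. The two-subnet layout avoids both problems for the wired side.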
eyoung100 (Veteran)

Joined: 23 Jan 2004
Posts: 1428

PostPosted: Wed Jul 02, 2008 11:20 pm

You may have overcomplicated your issue. If I understand you correctly from your last post, you want to segregate the traffic so you can tell what traffic is coming from what segment, i.e. wireless and wired, without disrupting internet traffic for the employees. I would do it as follows:

1. Keep DHCP active on your modem, but reset the DHCP server to a Class A address, i.e. 10.0.0.0
2. Connect a separate wired router to port 1 of the modem, and set the DHCP server to a Class C address, i.e. 192.168.0.0.
3. Connect a hub to port 1 of the router in step 2 and you have as many wired PCs as you need.
4. Connect your server, with 2 NICs, to port 2 of the modem and port 2 of the router, and use packet filtering software to monitor the traffic of both networks.
5. If traffic monitoring presents a problem, log into the physical router, of either network and configure the Router(s) to block the traffic that's offensive.

By segregating the networks at the hardware level, you cut your job in half. Notice step 2 is a bit of a trick. Your server sees a class C address swapped for a class A address, so all traffic looks like it came from the wireless network, but you will continue to see the class C address while monitoring.
_________________
The Birth and Growth of Science is the Death and Atrophy of Art -- Unknown
Registered Linux User #363735
Adopt a Post | Strip Comments| Emerge Wrapper
sirlark (Guru)

Joined: 25 Oct 2004
Posts: 306
Location: Limerick, Ireland

PostPosted: Sat Jul 05, 2008 10:22 am

What I want ultimately is a per-machine breakdown of bandwidth usage, to find out who is using our bandwidth. I'm doing a favour for a small non-profit organisation and they don't have a lot of money. They also don't have a need for lots of bandwidth; email and basic surfing is all they need. But they're burning through 12 GB a month, and there are only 5 people in the office. I suspected a virus, but I've checked and double-checked the machines, and they are to all appearances clean. Hence the desire to determine at least the machine causing the increased bandwidth usage, and hopefully the destination/source of the traffic.
_________________
Adopt an unanswered post today
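sirlark's closing post states the actual goal: a per-machine breakdown, with destinations, of who is using the 12 GB a month. If squid is in the path as the transparent proxy the first post intends, its access.log already holds what is needed. The script below is an added example, not from the thread or from Squid's own tooling: it parses the native access.log line format (timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, content type) and reports bytes per client together with each client's heaviest destination hosts. The sample log lines are constructed for the example. It only accounts for traffic that actually passed through the proxy; anything that bypassed it (non-HTTP traffic, or clients that ended up talking to the router directly) needs interface counters or a flow tool instead.

```python
"""Per-client byte totals and top destinations from a Squid access.log.
The SAMPLE lines are constructed for this example, not taken from any real network."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log fields:
# timestamp elapsed client result/status bytes method url user hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)/(?P<status>\d+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)"
)

SAMPLE = """\
1214900001.123    456 192.168.1.23 TCP_MISS/200 3145728 GET http://files.example.net/big1.iso - DIRECT/203.0.113.5 application/octet-stream
1214900005.001     12 192.168.1.11 TCP_HIT/200 2048 GET http://www.example.org/ - NONE/- text/html
1214900010.777   1200 192.168.1.23 TCP_MISS/200 5242880 GET http://files.example.net/big2.iso - DIRECT/203.0.113.5 application/octet-stream
1214900012.000    300 192.168.1.23 TCP_MISS/200 65536 CONNECT mail.example.com:443 - DIRECT/198.51.100.7 -
1214900020.500     90 192.168.1.11 TCP_MISS/404 512 GET http://www.example.org/missing - DIRECT/198.51.100.3 text/html
1214900021 this line is truncated garbage and must be skipped, not crash the report
"""


def parse(line):
    """One access.log record as a dict, or None for lines that do not fit the format."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def dest_host(url):
    """Hostname for GET-style URLs; CONNECT requests log host:port with no scheme."""
    parts = urlsplit(url)
    return parts.hostname if parts.netloc else url.rsplit(":", 1)[0]


def summarize(lines, top=3):
    """[(client, total_bytes, [(host, bytes), ...]), ...] ordered by heaviest client first."""
    per_client = defaultdict(int)
    per_dest = defaultdict(lambda: defaultdict(int))
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue  # skip rather than abort: rotated or truncated logs contain partial lines
        per_client[rec["client"]] += rec["bytes"]
        per_dest[rec["client"]][dest_host(rec["url"])] += rec["bytes"]
    report = []
    for client, total in sorted(per_client.items(), key=lambda kv: kv[1], reverse=True):
        hosts = sorted(per_dest[client].items(), key=lambda kv: kv[1], reverse=True)[:top]
        report.append((client, total, hosts))
    return report


if __name__ == "__main__":
    for client, total, hosts in summarize(SAMPLE.splitlines()):
        print(f"{client:<15} {total / 2**20:8.2f} MiB  " + ", ".join(f"{h} ({b})" for h, b in hosts))
```

Run it as a script to print the table for the sample, or pass an open log file to `summarize()` (use the path from the `access_log` line in your squid.conf). The bytes column is what squid sent to the client, so it undercounts upload-heavy traffic and counts cache hits that never touched the ADSL line; if the question is strictly "who is pulling data over the link", filter on `rec["result"]` containing `MISS` before adding up.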
All times are GMT