| View previous topic :: View next topic |
| Author |
Message |
FcukThisGame
l33t
Joined: 20 Apr 2005
Posts: 776
Location: /lost+found
|
 Posted: Fri Oct 15, 2010 9:04 pm Post subject: Building a router/firewall... |
 |
|
I'm about to take a stab at building my own home router with gentoo. Here's my ideal setup:
Cable modem to eth3 (WAN)
old router (AP and switch) to eth2 (LAN)
roommate's switch to eth1 (LAN)
I want to have four subnets. One for myself, one for my roommate, one for common areas, and one for wireless. I'd also like an VLAN or something for isolated guest wireless access. The issue here is that my wireless device is a linksys router, running in switch/ap mode.
My question is: is it possible to route two different subnets through the same device? Specifically, can iptables or something differenciate traffic from a switch vs an AP? My room is wired through the switch on the Linksys router, and I want my room to be assigned different IPs from that of the wireless.
Is that doable?
_________________
Sysadmin by trade, geek by choice
DESKTOP:
i7-3770K|8800GTS-512|32GB|1x256GB SSD|4x1TB|HD/BDROM|1920x1200+1680x1050
Win8 Pro w/ Hyper-V|Server 2012 VM|Ubuntu VM|Gentoo VM
TABLET: Samsung Ativ 700t
i5-3317U|4GB|128GB SSD|1920x1080 Touch
Win8 |
|
| Back to top |
|
 |
kpsyran
n00b
Joined: 09 Mar 2005
Posts: 7
|
| Posted: Fri Oct 15, 2010 9:18 pm Post subject: |
|
|
| If you can get the Linksys router to support VLANs, you can do it. If you can't get it to support it, you probably will not. If you have a cpl bucks, maybe install a cheap gigE switch for your stuff, and forgo the inter-switch vlanning. |
|
| Back to top |
|
|
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54831
Location: 56N 3W
|
| Posted: Fri Oct 15, 2010 9:23 pm Post subject: |
|
|
FcukThisGame,
Try Smoothwall - it does what you want out of the box and does not provide a toolchain.
I use in in 4 nic mode.
It has a fork (a long time ago) called IPCop, which I only know because I was a Smoothwall user at the time of the fork. That may well be worth looking at too.
Be warned that both of these are complete distros in their own right and will take over any machine you install them on.
To answer your original question, you can have several subnets on the same physical wire if you want to but you don't get the physical separation then.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
| Back to top |
|
|
FcukThisGame
l33t
Joined: 20 Apr 2005
Posts: 776
Location: /lost+found
|
| Posted: Fri Oct 15, 2010 10:28 pm Post subject: |
|
|
| kpsyran wrote: | | If you can get the Linksys router to support VLANs, you can do it. |
I'm running dd-wrt on it. That should support them, right?
_________________
Sysadmin by trade, geek by choice
DESKTOP:
i7-3770K|8800GTS-512|32GB|1x256GB SSD|4x1TB|HD/BDROM|1920x1200+1680x1050
Win8 Pro w/ Hyper-V|Server 2012 VM|Ubuntu VM|Gentoo VM
TABLET: Samsung Ativ 700t
i5-3317U|4GB|128GB SSD|1920x1080 Touch
Win8 |
|
| Back to top |
|
|
Veldrin
Veteran
Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland
|
|
| Back to top |
|
|
FcukThisGame
l33t
Joined: 20 Apr 2005
Posts: 776
Location: /lost+found
|
| Posted: Sat Oct 16, 2010 6:35 pm Post subject: |
|
|
The router box has four NICs. One is only 10/100, the other 3 are gigabit.
I have a NAS box (10/100) that will connect to the slower NIC on the router. Although it's not gigabit, it can support jumbo frame MTUs. I'd like to take advantage of that, if possible.
I'm a bit lost as to how my /etc/conf.d/net file is supposed to look. I'm pretty sure this is completely wrong, but hopefully you can see what I'm trying to do:
| Code: | # eth3: WAN
config_eth3=( "dhcp" )
# eth2: To Chris's room, 10.10.2.X
config_eth2=("10.10.0.1 broadcast 10.10.255.255 netmask 255.255.255.0" )
# eth1 To Miguel's room, 10.10.1.X
config_eth1=( "10.10.0.1 broadcast 10.10.255.255 netmask 255.255.255.0" )
# eth0 Server subnet (to NAS) , 10.10.0.X (INCREASE MTU)
config_eth0=( "10.10.0.1 broadcast 10.10.255.255 netmask 255.255.255.0" ) |
I want all eth0, eth1, and eth2 to be on separate subnets, but still able to communicate. As such, am I right to set the IP to the same address for all three?
EDIT: Next question, as my network stands right now, I'm behind the linksys router, which is 10.10.10.1. Is there any way I can still set it up behind my router somehow? Should I change it to a 192.168.x.x network first and then change it back later?
_________________
Sysadmin by trade, geek by choice
DESKTOP:
i7-3770K|8800GTS-512|32GB|1x256GB SSD|4x1TB|HD/BDROM|1920x1200+1680x1050
Win8 Pro w/ Hyper-V|Server 2012 VM|Ubuntu VM|Gentoo VM
TABLET: Samsung Ativ 700t
i5-3317U|4GB|128GB SSD|1920x1080 Touch
Win8 |
|
| Back to top |
|
|
Veldrin
Veteran
Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland
|
| Posted: Sat Oct 16, 2010 8:04 pm Post subject: |
|
|
erm you said different subnets - this means they cannot have the same ip-address. put the each interface in its own subnet (like below).
| Code: | # eth3: WAN
config_eth3=( "dhcp" )
# eth2: To Chris's room, 10.10.2.X
config_eth2=("10.10.2.1 broadcast 10.10.2.255 netmask 255.255.255.0" )
# eth1 To Miguel's room, 10.10.1.X
config_eth1=( "10.10.1.1 broadcast 10.10.1.255 netmask 255.255.255.0" )
# eth0 Server subnet (to NAS) , 10.10.0.X (INCREASE MTU)
config_eth0=( "10.10.0.1 broadcast 10.10.0.255 netmask 255.255.255.0" ) |
next you need ip forwarding active (and built) to get routing working, and iptables setup that they allow forwarding.
| Quote: | | EDIT: Next question, as my network stands right now, I'm behind the linksys router, which is 10.10.10.1. Is there any way I can still set it up behind my router somehow? Should I change it to a 192.168.x.x network first and then change it back later? |
This is completely up to you how you want to segment your network. I suggest you start with pen and paper and draw the setup first - including all specified ip addresses.
It might make sense to used different private address ranges for different types of your network - e.g 10.10.1.0/24 and 10.10.2.0/24 for the LAN (i.e both rooms), 192.168.10.0/24 for WLAN, and 172.16.10.0/24 for the NAS network. (but as said before this is up to you.) |
|
| Back to top |
|
|
FcukThisGame
l33t
Joined: 20 Apr 2005
Posts: 776
Location: /lost+found
|
| Posted: Sun Oct 17, 2010 1:18 am Post subject: |
|
|
| Veldrin wrote: | | erm you said different subnets - this means they cannot have the same ip-address. |
My knowledge of networking isn't much better than basic, but I'm trying to learn... At work we have a class B subnet, and the router is at the same IP address no matter which subnet you're on. Am I correct to assume that would not work like that if I use the IPs you gave?
_________________
Sysadmin by trade, geek by choice
DESKTOP:
i7-3770K|8800GTS-512|32GB|1x256GB SSD|4x1TB|HD/BDROM|1920x1200+1680x1050
Win8 Pro w/ Hyper-V|Server 2012 VM|Ubuntu VM|Gentoo VM
TABLET: Samsung Ativ 700t
i5-3317U|4GB|128GB SSD|1920x1080 Touch
Win8 |
|
| Back to top |
|
|
Veldrin
Veteran
Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland
|
| Posted: Sun Oct 17, 2010 8:26 am Post subject: |
|
|
| Quote: | | At work we have a class B subnet, and the router is at the same IP address no matter which subnet you're on. |
Recheck that one - this cannot be - unless there is a misunderstanding of what a subnet is.
no - exactly the other way round. what you trying to achieve requires network segmentation. For simplicity, assume that you have 4 Class-C networks available (192.168.1.0/24, 192.168.3.0/24, 192.168.3.0/24, 192.168.4.0/24 - for simplicity call them segments 1-4).
you assign a segment to each of your nets (eg. segment1 to you net, segment2 to your friends, 3 to NAS, 4 to WLAN)
The Router/Firewalls tasks is to act as connection between those nets. (In other words: the Router/Firewall is the Crossroad, the LAN is the street in from of your house, you house is the PC, and the IP Address it you Address (number+street)).
For a crossroad to e connected to a street, it must have an address in the street, for simplicity just take the 1. Router/Firewall address for you Net would be 192.168.1.1, for the NAS Net 192.168.3.1.
I am still assuming that you Router/Firewall has 5 Interface (one for each Net + 1 for the "internet"). If you have less, you could do the same segmentation with VLAN and virtual interfaces on the Router/Firewall. But to get this working properly a smart switch over a generic one is preferred.
just my input
V.
I am currently thinking about more simple solution to your network issue.... |
|
| Back to top |
|
|
FcukThisGame
l33t
Joined: 20 Apr 2005
Posts: 776
Location: /lost+found
|
| Posted: Sun Oct 17, 2010 7:08 pm Post subject: |
|
|
| Veldrin wrote: | | Recheck that one - this cannot be - unless there is a misunderstanding of what a subnet is. |
I could definitely be misunderstood. At the least, I know that our gateway is one set address (our router is the gateway I believe)
At the very least, so long as the different subnets can communicate, I don't care.
Also, Veldrin, to answer your question, unfortunately I only have four NICs on the box (ran out of PCI slots). One of them is going to have to use VLANs to distinguish wireless (two different SSIDs, separate from each other, guest wireless being isolated from the rest of the network.) from wired (to my room).
I think I'm going to draw a diagram and upload it... I'm pretty sure explaining it in words does nothing but confuse 
_________________
Sysadmin by trade, geek by choice
DESKTOP:
i7-3770K|8800GTS-512|32GB|1x256GB SSD|4x1TB|HD/BDROM|1920x1200+1680x1050
Win8 Pro w/ Hyper-V|Server 2012 VM|Ubuntu VM|Gentoo VM
TABLET: Samsung Ativ 700t
i5-3317U|4GB|128GB SSD|1920x1080 Touch
Win8 |
|
| Back to top |
|
|
FcukThisGame
l33t
Joined: 20 Apr 2005
Posts: 776
Location: /lost+found
|
| Posted: Sun Oct 17, 2010 7:41 pm Post subject: |
|
|
Diagram Here
_________________
Sysadmin by trade, geek by choice
DESKTOP:
i7-3770K|8800GTS-512|32GB|1x256GB SSD|4x1TB|HD/BDROM|1920x1200+1680x1050
Win8 Pro w/ Hyper-V|Server 2012 VM|Ubuntu VM|Gentoo VM
TABLET: Samsung Ativ 700t
i5-3317U|4GB|128GB SSD|1920x1080 Touch
Win8 |
|
| Back to top |
|
|
Veldrin
Veteran
Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland
|
| Posted: Sun Oct 17, 2010 10:09 pm Post subject: |
|
|
nice - that definitely helps
(what software are you using?)
eth0, eth1 and eth3 should no be a problem - interface with a single subnet attached.
eth3 OTOH could cause some problems.
for starters, if would ignore the isolated wlan, and attach wlan to you mates lan - that way you can proceed, and do some testing. (in addition, i am not that familiar with dd-wrt)
next create an additional vlan (virtual lan) on eth2, and get the wlan router talk to it, but keep it talking to your mates switch (or more precisely to the attached computers behind).
I assume that you broadband router assigns a public IP to your firewall. In that case you have to configure NAT too.
As alternative, the NATting could be done on the router, that work, if the router assigns a private IP address.
HTH
V. |
|
| Back to top |
|
|
FcukThisGame
l33t
Joined: 20 Apr 2005
Posts: 776
Location: /lost+found
|
| Posted: Mon Oct 18, 2010 12:31 am Post subject: |
|
|
| Veldrin wrote: | eth0, eth1 and eth3 should no be a problem - interface with a single subnet attached.
eth3 OTOH could cause some problems. |
You mean eth2?
Made the diagram on gliffy.com. It seems like a web-2.0 version of Visio.
On another note, let's see if I understand subnets correctly. Let's imagine just the subnets for eth0 and eth1 (10.10.0.X and 10.10.1.X). In that case, the router would have internal IPs of 10.10.0.1 and 10.10.1.1. NAS at 10.10.0.2. My computer on the eth1 subnet would have an IP of say 10.10.1.5. If I wanted to access the NAS, I could do that by connecting to 10.10.0.2, right?
My subnet mask for this is 255.255.0.0, correct?
Also, I think I might have an idea about my network at work. I think it's actually a class A subnet, but the routable addresses are within a class B.
_________________
Sysadmin by trade, geek by choice
DESKTOP:
i7-3770K|8800GTS-512|32GB|1x256GB SSD|4x1TB|HD/BDROM|1920x1200+1680x1050
Win8 Pro w/ Hyper-V|Server 2012 VM|Ubuntu VM|Gentoo VM
TABLET: Samsung Ativ 700t
i5-3317U|4GB|128GB SSD|1920x1080 Touch
Win8 |
|
| Back to top |
|
|
FcukThisGame
l33t
Joined: 20 Apr 2005
Posts: 776
Location: /lost+found
|
| Posted: Mon Oct 18, 2010 12:37 am Post subject: |
|
|
Just thought of another question. Will I gain any performance boost if I set the MTU on eth0 to 9000 along with the NAS (it supports up to 9000)? Being as it's only a 10/100, can the router convert 100MBit/9000MTU to gigabit/1500?
_________________
Sysadmin by trade, geek by choice
DESKTOP:
i7-3770K|8800GTS-512|32GB|1x256GB SSD|4x1TB|HD/BDROM|1920x1200+1680x1050
Win8 Pro w/ Hyper-V|Server 2012 VM|Ubuntu VM|Gentoo VM
TABLET: Samsung Ativ 700t
i5-3317U|4GB|128GB SSD|1920x1080 Touch
Win8 |
|
| Back to top |
|
|
Veldrin
Veteran
Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland
|
| Posted: Mon Oct 18, 2010 1:44 pm Post subject: |
|
|
Indeed - I thought, that I correct that 
| Quote: | | My subnet mask for this is 255.255.0.0, correct? |
No, you would need a /24 subnetmask, or 255.255.255.0. this bothered my before, but i seems to have forgotten to mention it.
Basically you take a Class A Network, and segment it into Class C networks. Since CIDR those classes are not longer hard contraints. (i.e you could use smaller (or larger subnets), but /24 seems reasonable for a average access net)
cheers
V. |
|
| Back to top |
|
|
FcukThisGame
l33t
Joined: 20 Apr 2005
Posts: 776
Location: /lost+found
|
| Posted: Mon Oct 18, 2010 3:42 pm Post subject: |
|
|
Is my subnet mask 255.255.0.0 anywhere?
EDIT: I realized the NAS has gigabit ethernet. Unless I would see a performance boost by increasing the MTU, we can forget about that. Also, we can eliminate eth0 and its subnet as it's only 10/100.
I think I've pretty much got this about right. I've added a vlan for the living room, and some addresses have changed, so let me post my current configs (everything is explained as 10.1.X.Y but written as 192.168.X.Y because I'm currently on a 10.1 network... it will be changed once the router is in place):
| Code: | # /etc/conf.d/net
# eth3: WAN
config_eth3=( "dhcp" )
# eth2: To AP(10.1.4.X and 10.1.5.X) , then Roommate's room (10.1.2.X) and Living Room (10.1.3.X)
vlans_eth2="1 2 3 4"
vconfig_eth2=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
#vlan1: Roommate's Room (10.1.2.X)
vconfig_vlan1=( "192.168.2.1 broadcast 192.168.255.255 netmask 255.255.0.0" )
#vlan2: Living Room (10.1.3.X)
vconfig_vlan2=( "192.168.3.1 broadcast 192.168.255.255 netmask 255.255.0.0" )
#vlan3: Home Wireless (10.1.4.X)
vconfig_vlan3=( "192.168.4.1 broadcast 192.168.255.255 netmask 255.255.0.0" )
#vlan4: Guest Wireless (isolated, 10.1.5.X)
vconfig_vlan4=( "192.168.5.1 broadcast 192.168.255.255 netmask 255.255.0.0" )
# eth1: To my room, 10.1.1.X
config_eth1=( "192.168.1.1 broadcast 192.168.255.255 netmask 255.255.0.0" ) |
| Code: | # /etc/dhcp/dhcpd.conf
authoritative;
ddns-update-style interim;
#My subnet, eth1
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.250;
default-lease-time 86400;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
option domain-name-servers 192.168.1.1;
}
#Roommate's subnet, eth2 vlan1
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.100 192.168.2.250;
default-lease-time 86400;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.2.255;
option routers 192.168.2.1;
option domain-name-servers 192.168.2.1;
}
#Living Room subnet, eth2 vlan2
subnet 192.168.3.0 netmask 255.255.255.0 {
range 192.168.3.50 192.168.3.250;
default-lease-time 86400;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.3.255;
option routers 192.168.3.1;
option domain-name-servers 192.168.3.1;
}
#Trusted Wireless, eth2 vlan3
subnet 192.168.4.0 netmask 255.255.255.0 {
range 192.168.4.50 192.168.4.250;
default-lease-time 86400;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.4.255;
option routers 192.168.4.1;
option domain-name-servers 192.168.4.1;
}
#Guest Wireless, eth2 vlan4
subnet 192.168.5.0 netmask 255.255.255.0 {
range 192.168.5.1 192.168.5.250;
default-lease-time 86400;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.5.255;
option routers 192.168.5.1;
option domain-name-servers 192.168.5.1;
}
|
| Code: | #!/bin/bash
# /etc/scripts/reset-iptables-rules.sh
# This script flushes current iptables rules, creates new ones as specified below, then saves them.
# First we flush our current rules
iptables -F
iptables -t nat -F
# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Set variables
export LAN1=eth1
export LAN2=eth2
export WAN=eth3
# Lock services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN1} -j ACCEPT
iptables -I INPUT 1 -i ${LAN2} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN1} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN1} -j REJECT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN2} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN2} -j REJECT
# Allow access to ssh server from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
# Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i ${LAN1} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN1} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p TCP ! -i ${LAN2} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN2} -d 0/0 --dport 0:1023 -j DROP
# Add the rules for NAT
iptables -I FORWARD -i ${LAN1} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN1} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -I FORWARD -i ${LAN2} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN2} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# Port forwarding
#(nothing set up yet)
# Save
/etc/init.d/iptables save |
Updated Diagram
Current questions:
1) EDIT: The NAS supports gigabit ethernet. Forget crazy MTUs. It goes on the 10.1.3.X subnet.
2) All gig-e ports do auto-switching, right? I shouldn't need a crossover cable for anything, should I?
3) What do I have to do to isolate vlan4 (guest wireless) from the rest of the network but still give internet access?
4) Is port forwarding over a vlan any different from regular port forwarding?
5) Do my iptables rules look right? Any dhcp client i've hooked up hasn't had internet access.
_________________
Sysadmin by trade, geek by choice
DESKTOP:
i7-3770K|8800GTS-512|32GB|1x256GB SSD|4x1TB|HD/BDROM|1920x1200+1680x1050
Win8 Pro w/ Hyper-V|Server 2012 VM|Ubuntu VM|Gentoo VM
TABLET: Samsung Ativ 700t
i5-3317U|4GB|128GB SSD|1920x1080 Touch
Win8 |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
