There is another option.  You could set the machine up as an ethernet 
bridge as I am doing here so that I can use my powerbook on our local 
coax network, and get to the masquerading host easily and so that the 
other people on the network don't need to change their settings to see 
my machine.  It means that hosts on two subnets can see each other as 
though they were on the same subnet, basically like a switch (only 
cheaper).

Although this is much easier to do on a 2.4 kernel, it can be done under 
2.2; I just can't remember how at the moment, but I remember that it 
does require a special utility (and there is a HOWTO).

If you _are_ running 2.4... here's how to do it.

Configure one card to have an address in the range 192.168.2.1 through 
.127, and the other in 192.168.2.128 through .254, and give both a 
255.255.255.128 netmask.
All machines on the 1-127 side need to have IP addresses in this range; 
all machines on the other side, IP addresses in 128-254.

Then issue the commands... (assuming that the cable modem is on eth0, 
the local cards being eth1 and eth2):
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp   # answer ARP on eth1 for hosts behind eth2
echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp   # answer ARP on eth2 for hosts behind eth1

and turn on forwarding between the interfaces...

echo 1 > /proc/sys/net/ipv4/ip_forward

The proxy ARP bit basically makes the machine transparent as far as the 
local network is concerned; all machines can carry on having 
255.255.255.0 netmasks.

The other thing is that if you do have a firewall set up on that box, 
and, as civileme has suggested, the forward policy is DENY, you will 
probably need something along the lines of:

ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT   # one rule covers both /25 halves of the /24

I make no guarantees as to the completeness or robustness of this 
solution, it works for me, YMMV.  Hey, even if this doesn't help you a 
bit, I think it's pretty cool and felt like showing it off anyway :-) 
Plus, it may help someone else.

Regards,
   Nathan Callahan
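The whole procedure above (two /25 halves, proxy ARP on both LAN cards, a DENY forward policy with the LAN-to-LAN ACCEPT rule, masquerading only toward the cable modem, and ip_forward switched on last), collected into one script. This is an added example, not code from Nathan's post or the list; it assumes the cable modem on eth0, the LAN cards on eth1 and eth2, and Darcy's 192.168.1.0/24 as the network to split (all overridable through the environment). It only prints the commands, so it can be read and tested without root; the `side_of` and `forward_path` helpers are there to check which half a host lands in and which rule a given flow depends on.

```shell
#!/bin/sh
# Added example, not code from Nathan's post: generates and sanity-checks the
# proxy-ARP "poor man's bridge" for a 2.4 kernel with ipchains. It only PRINTS
# the commands; review them and run them as root on the gateway.
# Assumptions: cable modem on eth0, the two LAN cards on eth1 and eth2, and
# Darcy's 192.168.1.0/24 carved into two /25 halves (override via environment).

NET_PREFIX="${NET_PREFIX:-192.168.1}"   # first three octets of the /24
EXT_IF="${EXT_IF:-eth0}"                # toward the cable modem (masqueraded)
LAN_A_IF="${LAN_A_IF:-eth1}"            # lower half: hosts .1-.126
LAN_B_IF="${LAN_B_IF:-eth2}"            # upper half: hosts .129-.254

# side_of ADDR: print A for the lower /25, B for the upper /25, or NONE (and
# fail) if ADDR is outside the /24 or is a network/broadcast address of a half
# (.0, .127, .128 and .255 cannot be given to hosts once the /25 mask is used).
side_of() {
    prefix="${1%.*}"
    last="${1##*.}"
    [ "$prefix" = "$NET_PREFIX" ] || { echo NONE; return 1; }
    case "$last" in
        ''|*[!0-9]*) echo NONE; return 1 ;;
    esac
    if [ "$last" -ge 1 ] && [ "$last" -le 126 ]; then
        echo A
    elif [ "$last" -ge 129 ] && [ "$last" -le 254 ]; then
        echo B
    else
        echo NONE; return 1
    fi
}

# forward_path SRC DST: say which rule a packet from SRC to DST depends on:
#   local   same half; the hub delivers it, the gateway never forwards it
#   lan-lan crosses halves via proxy ARP; needs the LAN<->LAN ACCEPT rule
#   masq    bound for the Internet; needs the MASQ rule on $EXT_IF
#   none    source is not a usable host address in either half
forward_path() {
    s="$(side_of "$1")" || { echo none; return 1; }
    if [ "${2%.*}" != "$NET_PREFIX" ]; then
        echo masq; return 0
    fi
    d="$(side_of "$2")" || { echo none; return 1; }
    if [ "$s" = "$d" ]; then echo local; else echo lan-lan; fi
}

# gen_config: print the commands in the order they have to run. Forwarding is
# switched on last, after the DENY policy and the explicit rules are in place,
# so the box never forwards unfiltered traffic while it is being configured.
gen_config() {
    cat <<EOF
# gateway address on each half, both with the /25 mask
ifconfig $LAN_A_IF $NET_PREFIX.1 netmask 255.255.255.128 up
ifconfig $LAN_B_IF $NET_PREFIX.129 netmask 255.255.255.128 up
# answer ARP on each LAN card for hosts that live behind the other one
echo 1 > /proc/sys/net/ipv4/conf/$LAN_A_IF/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/$LAN_B_IF/proxy_arp
# default-deny forwarding, then allow exactly the two flows we want
ipchains -P forward DENY
# LAN <-> LAN: both halves sit inside the /24, so one rule covers them
ipchains -A forward -s $NET_PREFIX.0/24 -d $NET_PREFIX.0/24 -j ACCEPT
# LAN -> Internet: masquerade only packets leaving via the cable modem card
# (in the ipchains forward chain -i names the outgoing interface)
ipchains -A forward -s $NET_PREFIX.0/24 -i $EXT_IF -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Usage: sh bridge.sh print > rules.sh   (then review and run rules.sh as root)
case "${1:-}" in
    print) gen_config ;;
esac
```

Note that the ACCEPT rule is written against the /24 the two halves were carved from, so it has to match whatever prefix the cards were actually given; with a DENY policy, a rule for the wrong /24 silently blocks all cross-half traffic.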

On Tuesday, July 10, 2001, at 04:18  PM, Darcy Brodie wrote:

> and in his usual, amazingly helpful style...
> civileme wrote:
>
>> On Tuesday 10 July 2001 04:47, Darcy Brodie wrote:
>>> Hello
>>>     I hope that this can be done.  I currently have a LM7.2 box as a
>>> firewall for our internet access.  Cable modem from ISP is going to
>>> eth0.  eth1 (100baseT) is going to the internal network.  What I need to
>>> do, is add a 3rd network card to allow me to also have a 10baseT network
>>> within the local network.  Can this be done with Linux?  Have not been
>>> able to find any information in the how-to's on this configuration.
>>>     I also, if need be, have access to a second Linux file server, that
>>> I could add additional network cards into (it currently only has 1 card
>>> in it)
>>>     I am currently using class C IPs in the 192.168.1.X range, but
>>> this is flexible if required.
>>>
>>> Thanks
>>>
>>> Darcy
>>
>> Just add the card and set up the adaptor.  If you are making this a different
>> network and want the two to talk, you will need to set up a route and make
>> sure your internet masquerading rules apply only to forwards pointed at the
>> internet interface.  Since the first instruction in many masquerading setups
>> is
>>
>> ipchains -P forward DENY
>>
>> you will need to write a series of rules in terms of -i ethx -o ethy to cover
>> all possible combos.  Of course if you set up netmasks so they are
>> effectively on the same network, then the route does not need to be added,
>> but you still need the rules for forwarding.
>>
>> Another approach, using your other box, is to make it a masquerading gateway
>> from the 10baseT net to the 192.168 net, and use some other scheme for the
>> others like 172.16.x.y  This permits both local net and internet access and
>> keeps the networks separated without a lot of rules complexity.
>>                     internet
>>                        |
>>            ____________|____________
>>            |        Gateway         |
>>            |        Current         |
>>            |         Local          |
>>            |_______________________|
>>                        |
>>            ____________|_________________________
>>            |                                     |
>>        ____|____________                  _______|________
>>        |     |     |     |                |   Other box   |
>>       (current local net)                 |  Interface to |
>>                                           |     other     |
>>                                           |_______________|
>>                                                   |
>>                                            _______|________
>>                                            |     |     |   |
>>                                           (new local net)
>>
>> In the ASCIIgram above, the boxes shown both use masquerading and the one
>> handling the 10MHz net is 100MHz on the main net, something like a data
>> compression switch.  It can also be peered with the other local net
>> computers.
>>
>> Finally, how about just using one port off a switch to a switch for the
>> 10BaseT machines?  If you do not need a separate network, it will slow things
>> only at choke points like your internet gateway/file server.
>>
>> Civileme
>
> Thanks.
>     I know that a switch would be the easiest way to get this to work,
> however, I have a tight (almost non-existent) budget to work with.  I will
> try this probably Tues evening
>
> Darcy
>
>
