Nathan Callahan wrote:

Nathan, excuse me for nit-picking; but...  I just can't help myself...  :^)

> There is another option.  You could set the machine up as an ethernet
> bridge as I am doing here so that I can use my powerbook on our local
  ^^^^^^ 
What you describe below is a router...

> coax network, and get to the masquerading host easily and so that the
> other people on the network don't need to change their settings to see
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
but the addresses you suggest would require changes throughout Darcy's
machines...

> my machine.  It means that hosts on two subnets can see each other as
> though they were on the same subnet, basically like a switch (only
> cheaper).

Two subnets can't "see each other as though they were on the same subnet"; a
router isolates N [sub]nets, and it is possible for *hosts* to treat 2 or more
of those [sub]nets as one by using a shorter netmask than the router uses on the
interface connected to the host.  A host could treat the entire Internet as a
single flat LAN with a netmask of 0.0.0.0 as long as there is at least one
proxyARP router available to manage the off-real-LAN remotes (notwithstanding
issues of getting to 127.0.0.1)

> Although this is much easier to do on a 2.4 kernel, it can be done under
> 2.2, I just can't remember how at the moment, but I remember that it
> does require a special utility (and there is a howto)
> 
> If you _are_ running 2.4... here's how to do it.
> 
> configure one card to have an address in the range 192.168.2.1 through
> .127, and the other in 192.168.128 through .254 and give both a
> 255.255.255.128 netmask.  All machines on the 1-127 side need to have
> ip addresses in this range, all machines on the other side, ip addresses
> in 128-254

Rather than change addresses in all hosts, this can be accomplished by using the
two ranges 192.168.1.[1-126] and 192.168.1.[129-254] and a netmask of
255.255.255.128 (aka: /25) on the "router" *and* the hosts for full routing,
*or* 255.255.255.0 (aka: /24) (or shorter) on the hosts for
looks-like-a-single-[sub]net-proxy-ARP routing...

> then issue the commands... (assuming that the cable modem is on eth0,
> the local cards being eth1 and 2)
> echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
> echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp

For...  tada!  "proxy ARP" routing.   :^)

> and turn on forwarding between the interfaces...
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward

Definitely not what a "bridge" would need... MAC(L2) vs IP(L3)

> The proxy arp bit basically make the machine transparent as far as the
> local network is concerned all machines can carry on having
> 255.255.255.0 netmasks.

True.  For clarity, a host (regardless of network topology) sends an ARP packet
in an attempt to obtain the MAC address of the target.  If the host gets an ARP
reply, there is no way to tell at this point if the acquired MAC address belongs
to the real target, or to a local router; this means that just because an IP
address resolves to a MAC, it does not mean that the target exists, only that a
router knows how to get to the target's [sub]net...

> The other thing is that if you do have a firewall set up on that box,
> and as civileme has suggested, the forward policy is DENY, you will
> probably need something along the lines of.
> 
> ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT

This does not match the 192.168.2.x and 192.168.128.y subnets you suggested
above...  

A true "bridge" (aka: "switch" in 'modern terminology') can not be controlled
with ipchains or any other Layer-3 method since bridging is done at Layer-2
unless one gets into cross-layer spaghetti...

> I make no guarantees as to the completeness or robustness of this
> solution, it works for me, YMMV.  Hey, even if this doesn't help you a
> bit, I think it's pretty cool and felt like showing it off anyway :-)
> Plus, it may help someone else.

You may want to revisit your own setup (unless you merely miscommunicated
it)...   you may have a "time-bomb" ticking away in your network...  

Best regards,
Pierre

> Regards,
>    Nathan Callahan
> 
> On Tuesday, July 10, 2001, at 04:18  PM, Darcy Brodie wrote:
> 
> and in his usual, amazingly helpful style...
> > civileme wrote:
> >
> >> On Tuesday 10 July 2001 04:47, Darcy Brodie wrote:
> >>> Hello
> >>>     I hope that this can be done.  I currently have a LM7.2 box as a
> >>> firewall for our internet access.  Cable modem from ISP is going to
> >>> eth0.  eth1 (100baseT) is going to the internal network.  What I need
> >>> to do, is add a 3rd network card to allow me to also have a 10baseT
> >>> network within the local network.  Can this be done with Linux?  Have
> >>> not been able to find any information in the how-to's on this
> >>> configuration.
> >>>     I also, if need be, have access to a second Linux file server, that
> >>> I could add additional network cards into (it currently only has 1
> >>> card in it)
> >>>     I am currently using class C IPs in the 192.168.1.X range, but
> >>> this is flexible if required.
> >>>
> >>> Thanks
> >>>
> >>> Darcy
> >>
> >> Just add the card and set up the adaptor.  If you are making this a
> >> different network and want the two to talk, you will need to set up a
> >> route and make sure your internet masquerading rules apply only to
> >> forwards pointed at the internet interface.  Since the first
> >> instruction in many masquerading setups is
> >>
> >> ipchains -P forward DENY
> >>
> >> you will need to write a series of rules in terms of -i ethx -o ethy
> >> to cover all possible combos.  Of course if you set up netmasks so they
> >> are effectively on the same network, then the route does not need to be
> >> added, but you still need the rules for forwarding.
> >>
> >> Another approach, using your other box, is to make it a masquerading
> >> gateway from the 10baseT net to the 192.168 net, and use some other
> >> scheme for the others like 172.16.x.y  This permits both local net and
> >> internet access and keeps the networks separated without a lot of rules
> >> complexity.
> >>                internet
> >>    _________|____________
> >>    |           Gateway             |
> >>    |    Current                      |
> >>    |     Local                        |
> >>    |_____________________|
> >>             |
> >>     _____|___________________________
> >>     |                                                        |
> >>     |_________________                 ______|________
> >>     |     |      |      |          |                 |   Other
> >> box       |
> >>       (current local net)                     |   Interface to     |
> >>                                                     |
> >> other         |
> >>                                                     |______________|
> >>                                                                |
> >>                                                      ______|________
> >>                                                      |      |        |
> >>     |
> >>                                                    (new local net)

PS to Civileme:  fixed width fonts make for better diagrams...  but you probably
realized that after seeing the above...  :^)

> >> In the ASCIIgram above, the boxes shown both use masquerading and the
> >> one handling the 10MHz net is 100MHz on the main net, something like a
> >> data compression switch.  It can also be peered with the other local
> >> net computers.
> >>
> >> Finally, how about just using one port off a switch to a switch for the
> >> 10BaseT machines?  If you do not need a separate network, it will slow
> >> things only at choke points like your internet gateway/file server.
> >>
> >> Civileme
> >
> > Thanks.
> >     I know that a switch would be the easiest way to get this to work,
> > however, I have a tight (almost non-existent) budget to work with.  I
> > will try this probably Tues evening
> >
> > Darcy
