I have added the additional NIC into the firewall / masquerading machine, and
configured it to 192.168.1.128/255.255.255.128.
I can ping the address from the 100mhz network (both from the server and from
remote workstations). However, I connected a workstation to the new NIC
card (eth2) through a 10mhz hub, and I cannot ping either the eth2 card from
the remote 10mhz workstation, or the remote workstation from the server. I
have verified that the hub and the cables are working. I have even used a
crossover cable from the workstation to the server, but I still cannot ping
the eth2 card.
Darcy
Nathan Callahan wrote:
> There is another option. You could set the machine up as an ethernet
> bridge as I am doing here so that I can use my powerbook on our local
> coax network, and get to the masquerading host easily and so that the
> other people on the network don't need to change their settings to see
> my machine. It means that hosts on two subnets can see each other as
> though they were on the same subnet, basically like a switch (only
> cheaper).
>
> Although this is much easier to do on a 2.4 kernel, it can be done under
> 2.2; I just can't remember how at the moment, but I remember that it
> does require a special utility (and there is a HOWTO).
>
> If you _are_ running 2.4... here's how to do it.
>
> configure one card to have an address in the range 192.168.2.1 through
> .127, and the other in 192.168.2.128 through .254, and give both a
> 255.255.255.128 netmask.
> All machines on the 1-127 side need to have IP addresses in this range,
> all machines on the other side IP addresses in 128-254.
>
> then issue the commands... (assuming that the cable modem is on eth0,
> the local cards being eth1 and 2)
> echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
> echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp
>
> and turn on forwarding between the interfaces...
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> The proxy arp bit basically makes the machine transparent as far as the
> local network is concerned; all machines can carry on having
> 255.255.255.0 netmasks.
>
> The other thing is that if you do have a firewall set up on that box,
> and, as civileme has suggested, the forward policy is DENY, you will
> probably need something along the lines of:
>
> ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
>
> I make no guarantees as to the completeness or robustness of this
> solution, it works for me, YMMV. Hey, even if this doesn't help you a
> bit, I think it's pretty cool and felt like showing it off anyway :-)
> Plus, it may help someone else.
>
> Regards,
> Nathan Callahan
>
> On Tuesday, July 10, 2001, at 04:18 PM, Darcy Brodie wrote:
>
> > and in his usual, amazingly helpful style...
> > civileme wrote:
> >
> >> On Tuesday 10 July 2001 04:47, Darcy Brodie wrote:
> >>> Hello
> >>> I hope that this can be done. I currently have a LM7.2 box as a
> >>> firewall for our internet access. Cable modem from ISP is going to
> >>> eth0. eth1 (100baseT) is going to the internal network. What I need to
> >>> do is add a 3rd network card to allow me to also have a 10baseT network
> >>> within the local network. Can this be done with Linux? I have not been
> >>> able to find any information in the how-to's on this configuration.
> >>> I also, if need be, have access to a second Linux file server that
> >>> I could add additional network cards into (it currently only has 1 card
> >>> in it).
> >>> I am currently using class C IPs in the 192.168.1.X range, but
> >>> this is flexible if required.
> >>>
> >>> Thanks
> >>>
> >>> Darcy
> >>
> >> Just add the card and set up the adaptor. If you are making this a
> >> different network and want the two to talk, you will need to set up a
> >> route and make sure your internet masquerading rules apply only to
> >> forwards pointed at the internet interface. Since the first instruction
> >> in many masquerading setups is
> >>
> >> ipchains -P forward DENY
> >>
> >> you will need to write a series of rules in terms of -i ethx -o ethy
> >> to cover all possible combos. Of course, if you set up netmasks so they
> >> are effectively on the same network, then the route does not need to be
> >> added, but you still need the rules for forwarding.
> >>
> >> Another approach, using your other box, is to make it a masquerading
> >> gateway from the 10baseT net to the 192.168 net, and use some other
> >> scheme for the others like 172.16.x.y. This permits both local net and
> >> internet access and keeps the networks separated without a lot of rules
> >> complexity.
> >>                internet
> >>           _________|____________
> >>          |   Gateway            |
> >>          |   Current            |
> >>          |   Local              |
> >>          |______________________|
> >>                    |
> >>           _________|__________________________
> >>          |    |    |    |            |
> >>        (current local net)    ______|________
> >>                              |  Other box    |
> >>                              |  Interface to |
> >>                              |  other        |
> >>                              |_______________|
> >>                                     |
> >>                               ______|________
> >>                              |    |    |    |
> >>                             (new local net)
> >>
> >> In the ASCIIgram above, the boxes shown both use masquerading, and the
> >> one handling the 10MHz net is 100MHz on the main net, something like a
> >> data compression switch. It can also be peered with the other local net
> >> computers.
> >>
> >> Finally, how about just using one port off a switch to a switch for the
> >> 10BaseT machines? If you do not need a separate network, it will slow
> >> things only at choke points like your internet gateway/file server.
> >>
> >> Civileme
> >
> > Thanks.
> > I know that a switch would be the easiest way to get this to work;
> > however, I have a tight (almost non-existent) budget to work with. I will
> > try this probably Tues evening.
> >
> > Darcy
> >
> >
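The setup the thread converges on (one /24 split into two /25 halves on eth1 and eth2, workstations keeping their 255.255.255.0 masks, proxy_arp on the LAN interfaces, and a forward chain whose policy is DENY) can be reasoned through offline. The model below is an added example written for this page, not code from any poster. It assumes made-up addresses for the cable-modem side (203.0.113.5) and the workstations, and it gives eth2 the address 192.168.1.129, because 192.168.1.128 is the network address of the upper /25 and not a usable host address. It shows three things the replies describe but do not demonstrate: a /24 workstation ARPs directly for a host in the other half and only gets an answer when proxy_arp is set on the gateway's interface facing it; with a DENY policy the LAN-to-LAN packet still needs an explicit ACCEPT while MASQ applies only to what leaves on eth0; and an ACCEPT rule bound to no interface also matches a packet arriving from the cable modem with a forged 192.168.1.x source, which is why civileme's advice to write the rules per interface pair matters. The in/out interface match here follows that description (iptables-style); note that in ipchains the forward chain's -i matches the outgoing interface only, so the real rules must be written with that in mind.

```python
"""Offline model of the three-NIC masquerading gateway from the thread.

Added example, not code posted in the thread. Addresses other than the
192.168.1.0/24 LAN and its two /25 halves are made up for illustration.
"""
import ipaddress as ipa

IP, Net = ipa.IPv4Address, ipa.IPv4Network


class Host:
    """A workstation: its address, the netmask it was given, its gateway."""

    def __init__(self, ip, mask, gateway):
        self.ip, self.gateway = IP(ip), IP(gateway)
        self.net = Net(f"{ip}/{mask}", strict=False)

    def arp_for(self, dst):
        """Address the host ARPs for: dst itself when the netmask says it is
        local, otherwise the default gateway."""
        dst = IP(dst)
        return dst if dst in self.net else self.gateway


class Gateway:
    def __init__(self, ifaces, policy="DENY"):
        self.ifaces = {n: ipa.IPv4Interface(a) for n, a in ifaces.items()}
        self.proxy_arp = set()   # /proc/sys/net/ipv4/conf/<if>/proxy_arp = 1
        self.rules = []          # forward chain, first match wins
        self.policy = policy     # ipchains -P forward DENY

    def route(self, dst):
        """Longest-prefix match over connected networks; eth0 carries the
        default route to the cable modem."""
        dst = IP(dst)
        hits = [(i.network.prefixlen, n) for n, i in self.ifaces.items()
                if dst in i.network]
        return max(hits)[1] if hits else "eth0"

    def answers_arp(self, iface, target):
        """Linux replies to an ARP request heard on iface for its own address
        there, or, with proxy_arp set on iface, for any address whose route
        leaves via a different interface."""
        target = IP(target)
        if target == self.ifaces[iface].ip:
            return True
        return iface in self.proxy_arp and self.route(target) != iface

    def add_rule(self, j, i=None, o=None, s=None, d=None):
        """Append a forward rule matching in-interface, out-interface, source
        and destination network (any of them may be left unspecified)."""
        self.rules.append(dict(i=i, o=o, s=Net(s) if s else None,
                               d=Net(d) if d else None, j=j))

    def forward(self, in_if, src, dst):
        """Verdict for a packet entering on in_if: (target, out_interface)."""
        src, dst, out_if = IP(src), IP(dst), self.route(dst)
        for r in self.rules:
            if r["i"] and r["i"] != in_if:
                continue
            if r["o"] and r["o"] != out_if:
                continue
            if r["s"] and src not in r["s"]:
                continue
            if r["d"] and dst not in r["d"]:
                continue
            return r["j"], out_if
        return self.policy, out_if


def deliver(gw, host, host_if, dst):
    """Fate of a packet from host (on gw's host_if segment) towards dst."""
    dst = IP(dst)
    if dst in gw.ifaces[host_if].network:
        return "LOCAL"                    # same wire, gateway not involved
    if not gw.answers_arp(host_if, host.arp_for(dst)):
        return "ARP-UNANSWERED"           # host waits for a reply that never comes
    return gw.forward(host_if, host.ip, dst)[0]


def build(proxy_arp=True, bind_interfaces=True):
    gw = Gateway({"eth0": "203.0.113.5/24",      # cable modem side (made up)
                  "eth1": "192.168.1.1/25",      # lower half, 100baseT
                  "eth2": "192.168.1.129/25"})   # upper half, 10baseT hub
    if proxy_arp:
        gw.proxy_arp |= {"eth1", "eth2"}
    lan = "192.168.1.0/24"
    if bind_interfaces:
        # masquerade only what leaves toward the internet, and name both
        # interfaces so forged 192.168.1.x packets arriving on eth0 miss
        for lan_if in ("eth1", "eth2"):
            gw.add_rule("MASQ", i=lan_if, o="eth0", s=lan)
        gw.add_rule("ACCEPT", i="eth1", o="eth2", s=lan, d=lan)
        gw.add_rule("ACCEPT", i="eth2", o="eth1", s=lan, d=lan)
    else:
        gw.add_rule("MASQ", o="eth0", s=lan)
        gw.add_rule("ACCEPT", s=lan, d=lan)   # interface-agnostic LAN rule
    return gw


if __name__ == "__main__":
    gw = build()
    ws = Host("192.168.1.10", "255.255.255.0", "192.168.1.1")
    for dst in ("192.168.1.20", "192.168.1.130", "8.8.8.8"):
        print(dst, deliver(gw, ws, "eth1", dst))
    print("forged LAN source from eth0:",
          gw.forward("eth0", "192.168.1.77", "192.168.1.10"))
```

Run it as-is to see the three outcomes for the eth1 workstation (LOCAL, ACCEPT, MASQ) and the DENY for the forged packet; call `build(proxy_arp=False)` to reproduce the silent ARP failure, and `build(bind_interfaces=False)` to see the unbound LAN rule accept the forged packet.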