Gary Gendel writes:
> My hardware Ethernet router is showing some signs of age and it occurred to
> me that this is a great opportunity to chuck it and use my SOHO OpenSolaris
> (SXCE) server to perform this function along with all the other services
> (mail-server, file-server, etc.).
>
> Internet [nic 1] -> OpenSolaris (router services) -> Intranet [nic 2]
>                                 |
>                                 v
>                      network services (web, mail, etc.)

Yep; that's what I do.

> However, this encompasses a number of areas that are unfamiliar to me.
> Specifically:
> * dhcp server - How do I properly set this up and automatically add dhcp
>   clients to the hosts and/or DNS tables for intranet lookup? How do I pass the
>   appropriate gateway/dns server information to the clients?

Run /usr/sadm/admin/bin/dhcpmgr and follow the instructions. It's not too hard to puzzle through (and it's been many years since I set it up), but if you need help, there's always docs.sun.com.

> * crossbow - Is it better to set up this router in a zone or not?

It's probably simpler to get things working first, and then figure out how to move it to a zone if that's what you want.

> * port forwarding/NAT - General how to (ipf, etc.)

On my system, I have this in my /etc/ipf/ipf.conf:

    pass in quick proto tcp from any to <thishost> port 30000 >< 31000 flags S keep state

and this in /etc/ipf/ipnat.conf:

    map e1000g1 192.168.254.0/24 -> myhostname/32 portmap tcp/udp 10000:30000
    map e1000g1 192.168.254.0/24 -> myhostname/32

... but configuring packet filters is a much deeper topic. You'll probably want to spend some time working on that, and using 'xnmap' (or similar) to check your work.

> Has anyone actually done this? I've found snippets of information on the
> internet that are useful, but I don't want to put my server out of commission
> for too long. I really need to put all my ducks in a row before I attempt
> it. I would use another machine, but none of the ones with multiple nics are
> available.

I suggest doing one thing at a time. Set up DHCP and get that working. Retire your old DHCP server and make sure you can serve all the clients properly. Then figure out how to filter away the packets you don't want. Spend some time testing that and making sure that you're not accidentally dropping necessary traffic. Then, finally, enable NAT and switch the link over.

> Barring that, would someone act as mentor? I could keep notes and put
> together a document for anyone wanting to do something similar in the future.
> I'm probably making too much out of this and it's probably much easier than
> I imagined, but there are a lot of places for silly mistakes.

Based on my experience, the part that's easiest to get wrong is the packet filtering. Once you cross that hurdle, all else is easy.

-- 
James Carlson, Solaris Networking         <[email protected]>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677

_______________________________________________
opensolaris-discuss mailing list
[email protected]
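The two ipf.conf lines and two ipnat.conf lines in the reply above show the NAT and a single port range, but not the default-deny filtering that the reply says is the part "easiest to get wrong". The following is an added example, not James's or Gary's configuration, of a complete /etc/ipf/ipf.conf and /etc/ipf/ipnat.conf for the two-NIC layout in the question. It assumes, as in the ipnat rules quoted above, that e1000g1 faces the Internet and that e1000g0 is the intranet on 192.168.254.0/24; the internal web host 192.168.254.10 and the public SMTP and 8080 ports are constructed for illustration.

```conf
# ---- /etc/ipf/ipf.conf ----
# Assumed interfaces: e1000g1 = Internet side, e1000g0 = intranet (192.168.254.0/24).
# Default posture: drop and log anything arriving from the Internet that no later
# "quick" rule explicitly passes.
block in log on e1000g1 all

# Anti-spoofing: packets claiming an intranet source must never arrive on the outside.
block in quick on e1000g1 from 192.168.254.0/24 to any

# The intranet interface is trusted in both directions.
pass in quick on e1000g0 all
pass out quick on e1000g0 all

# Traffic leaving towards the Internet (the router's own and NATed intranet flows):
# keep state so that only replies to connections we started are let back in.
pass out quick on e1000g1 proto tcp from any to any flags S keep state
pass out quick on e1000g1 proto udp from any to any keep state
pass out quick on e1000g1 proto icmp from any to any keep state

# Only services meant to be public are opened on the Internet side (constructed: SMTP
# on the router itself).
pass in quick on e1000g1 proto tcp from any to any port = 25 flags S keep state

# Inbound NAT (rdr) is applied before filtering, so the pass rule for a forwarded port
# must name the translated internal address and port, not the public ones.
pass in quick on e1000g1 proto tcp from any to 192.168.254.10 port = 80 flags S keep state

# ---- /etc/ipf/ipnat.conf ----
# Hide the intranet behind e1000g1's own address; 0/32 means "use the interface address",
# which survives a change of the provider-assigned IP. The portmap line handles TCP/UDP
# with port rewriting; the plain map line catches everything else (e.g. ICMP).
map e1000g1 192.168.254.0/24 -> 0/32 portmap tcp/udp auto
map e1000g1 192.168.254.0/24 -> 0/32

# Port forwarding: public TCP 8080 -> internal web host (constructed address) port 80.
rdr e1000g1 0.0.0.0/0 port 8080 -> 192.168.254.10 port 80 tcp
```

To load these on Solaris, `svcadm enable network/ipfilter`, then `ipf -Fa -f /etc/ipf/ipf.conf` and `ipnat -CF -f /etc/ipf/ipnat.conf`; `ipfstat -io` lists the active filter rules and `ipnat -l` the NAT mappings. Follow the staged order the reply recommends: load the filter rules first with the old router still in place, watch `ipmon` for dropped traffic you actually need, and only then enable NAT and move the link.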
