ADSL, routers firewalls etc.

2002-10-14 Thread Tom


(Apologies if this is already sent)

Hi,

I manage a small office network that we can now afford to upgrade to an ADSL
internet connection.  In researching ADSL support for Debian linux I am a
little confused on a few issues, mainly as I only have experience with Cable
Modem broadband, not DSL.

I have already purchased a Hub for the network which consists of a Debian
MySql and Apache server, another Debian firewall box and some Win boxes.

My confusion lies in both terminology and setup.  I imagined before starting
that I would need to set up a firewall machine with 2 network devices.  The
firewall would then manage security and masquerading, where the external eth
device will be allocated the static IP  (Non-NAT) I have been given by my
ISP.

However research of the most common Ethernet DSL modems (cheapest about $100
 / £ 66) suggests that

1) the modem has NAT, firewall etc all built in.
2) many manufacturers combine a network hub and modem.
3) the modem itself must be assigned an IP not the machine it is fixed to

I'm assuming therefore that the firewall machine is not required.  I had
previously thought that a gateway machine such as a firewall was necessary
for me to be able to SSH to do remote admin.

Also I have already purchased a hub and the firewall machine (old box
 knocking around) therefore I was hoping to just get a modem.  I do not have
 USB.

Any comments welcome, and thanks in advance for reading this far!

Tom



Details
---
Was thinking of buying Conexant AMX-CA61E (1 Port)
Isp-
Protocol: PPP/VC (sometimes called: PPPoA or PPP over ATM) VPI=0 VCI=38
Encapsulation method: VCMUX
Modulation method:  G.DMT

---


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




RE: ADSL, routers firewalls etc.

2002-10-14 Thread DEFFONTAINES Vincent

 
> My confusion lies in both terminology and setup.  I imagined before starting
> that I would need to set up a firewall machine with 2 network devices.  The
> firewall would then manage security and masquerading, where the external eth
> device will be allocated the static IP  (Non-NAT) I have been given by my
> ISP.
>
> However research of the most common Ethernet DSL modems (cheapest about $100
>  / £ 66) suggests that
>
> 1) the modem has NAT, firewall etc all built in.
> 2) many manufacturers combine a network hub and modem.
> 3) the modem itself must be assigned an IP not the machine it is fixed to
 

Whatever they tell you, I agree with your first view.
You are certainly better setting up your firewall yourself, if you want to
know what [not] to filter, etc.
If I were you, I would keep going that way!

About point 3, yes, the modem is the one who is assigned public IP, and
packets are tunneled to your firewall. It is quite transparent anyway, so
your firewall configuration will be straightforward once you have got it to
route correctly :-)
You will find ADSL-Howtos easily around to set up the modem.

If you do not have USB, ask for an ethernet ADSL router. It's a bit more
expensive, but anyway it is better design and more stable afaik.

hope this helps

Vincent
 






Re: ADSL, routers firewalls etc.

2002-10-14 Thread Crispin Wellington

On Mon, 2002-10-14 at 21:29, Tom wrote:
> I have already purchased a Hub for the network which consists of a Debian
> MySql and Apache server, another Debian firewall box and some Win boxes.
>
> My confusion lies in both terminology and setup.  I imagined before starting
> that I would need to set up a firewall machine with 2 network devices.  The
> firewall would then manage security and masquerading, where the external eth
> device will be allocated the static IP  (Non-NAT) I have been given by my
> ISP.
>
> However research of the most common Ethernet DSL modems (cheapest about $100
>  / £ 66) suggests that
>
> 1) the modem has NAT, firewall etc all built in.
> 2) many manufacturers combine a network hub and modem.
> 3) the modem itself must be assigned an IP not the machine it is fixed to
>
> I'm assuming therefore that the firewall machine is not required.  I had
> previously thought that a gateway machine such as a firewall was necessary
> for me to be able to SSH to do remote admin.
>
> Also I have already purchased a hub and the firewall machine (old box
>  knocking around) therefore I was hoping to just get a modem.  I do not have
>  USB.
>
> Any comments welcome, and thanks in advance for reading this far!

It all depends on how your ISP configures your DSL. There are two ways
that ADSL ethernet modems operate. One is PPPoE (PPP over Ethernet) and
the other is Bridged. 

I always have a gateway with two Network cards. One will attach to the
DSL modem via cat5, the other connects to your inside network (your
hub/switch). This requires buying a DSL modem and a switch/hub (which
you already have).

If your ISP uses bridged mode then you'll assign the external ethernet
card your allocated IP address/netmask/gateway etc.

If your ISP uses PPPoE (by far the most common) then you won't configure
the external network card at all, and you will run a pppoe connection
that will be assigned your IP etc via a PPP connection over the ethernet
card.

In both cases the modem is not assigned an IP. In PPPoE, neither is the
Ethernet card. If the modem were assigned an IP (or two, one for each
interface) it would be called a router (you can get DSL routers).

Kind Regards
Crispin Wellington
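
The two-NIC gateway described in the message above, as an added example that is not part of the thread: a shell function that prints an `iptables-restore` ruleset for either mode. The interface names (`eth0`, `eth1`, `ppp0`) and the LAN range are assumptions; the two modes differ only in which interface is treated as external, plus MSS clamping on the PPP link.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a two-NIC Debian gateway.
# Assumed names (not from the thread): eth1 = inside NIC, 192.168.1.0/24 = LAN,
# eth0 = outside NIC in bridged mode, ppp0 = the PPPoE session interface.
INT_IF=eth1
LAN=192.168.1.0/24

gateway_rules() {
    case "$1" in
        bridged) ext=eth0 ;;   # static IP sits on the outside NIC itself
        pppoe)   ext=ppp0 ;;   # outside NIC has no IP; filter on the PPP link
        *) echo "usage: gateway_rules bridged|pppoe" >&2; return 1 ;;
    esac
    if [ "$1" = pppoe ]; then
        # PPPoE lowers the MTU to 1492, so clamp TCP MSS for forwarded hosts.
        cat <<EOF
*mangle
-A FORWARD -o $ext -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
EOF
    fi
    # Masquerade the LAN, drop by default, allow inbound SSH to the gateway only.
    cat <<EOF
*nat
-A POSTROUTING -s $LAN -o $ext -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT_IF -s $LAN -j ACCEPT
-A INPUT -i $ext -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $INT_IF -o $ext -s $LAN -j ACCEPT
-A FORWARD -i $ext -o $INT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}
```

Check the output with `gateway_rules pppoe | iptables-restore --test` as root before loading it. With this policy a remote host can open SSH to the gateway only; masqueraded interior machines receive replies to connections they started and nothing else.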





Re: ADSL, routers firewalls etc.

2002-10-14 Thread Mark Copper

On 14 Oct 2002, Crispin Wellington wrote:

> On Mon, 2002-10-14 at 21:29, Tom wrote:
> > I have already purchased a Hub for the network which consists of a Debian
> > MySql and Apache server, another Debian firewall box and some Win boxes.
<snip>
> > I'm assuming therefore that the firewall machine is not required.  I had
> > previously thought that a gateway machine such as a firewall was necessary
> > for me to be able to SSH to do remote admin.
<snip>

> If your ISP uses PPPoE (by far the most common) then you won't configure
> the external network card at all, and you will run a pppoe connection
> that will be assigned your IP etc via a PPP connection over the ethernet
> card.
>
> In both cases the modem is not assigned an IP. In PPPoE, neither is the
> Ethernet card. If the modem were assigned an IP (or two, one for each
> interface) it would be called a router (you can get DSL routers).

I share some of this confusion.

If I have a PPPoE DSL line, is it possible to access my machine remotely?

If machines behind the machine connected to the modem connect by IP
Masquerading, what access does a remote machine have to an interior
machine?  Can a remote connect by ssh?  What security implications are
there?

I guess this is slightly OT, but my gateway security is strictly
out-of-the-box Debian.

Mark







Re: ADSL, routers firewalls etc.

2002-10-14 Thread Bob Nielsen

Since you have a static IP, you probably have a bridged setup (by far the
easiest method).  

If you get a modem with routing and firewall included, that will take
the place of your firewall machine.  In addition to what has been
mentioned, you need to check with your telephone provider (as well as
your ISP) to make sure that you get a modem which is compatible with
the technology they use.  There are differences.

On Mon, Oct 14, 2002 at 09:43:55PM +0800, Crispin Wellington wrote:
> On Mon, 2002-10-14 at 21:29, Tom wrote:
> > I have already purchased a Hub for the network which consists of a Debian
> > MySql and Apache server, another Debian firewall box and some Win boxes.
> >
> > My confusion lies in both terminology and setup.  I imagined before starting
> > that I would need to set up a firewall machine with 2 network devices.  The
> > firewall would then manage security and masquerading, where the external eth
> > device will be allocated the static IP  (Non-NAT) I have been given by my
> > ISP.
> >
> > However research of the most common Ethernet DSL modems (cheapest about $100
> >  / £ 66) suggests that
> >
> > 1) the modem has NAT, firewall etc all built in.
> > 2) many manufacturers combine a network hub and modem.
> > 3) the modem itself must be assigned an IP not the machine it is fixed to
> >
> > I'm assuming therefore that the firewall machine is not required.  I had
> > previously thought that a gateway machine such as a firewall was necessary
> > for me to be able to SSH to do remote admin.
> >
> > Also I have already purchased a hub and the firewall machine (old box
> >  knocking around) therefore I was hoping to just get a modem.  I do not have
> >  USB.
> >
> > Any comments welcome, and thanks in advance for reading this far!
>
> It all depends on how your ISP configures your DSL. There are two ways
> that ADSL ethernet modems operate. One is PPPoE (PPP over Ethernet) and
> the other is Bridged.
>
> I always have a gateway with two Network cards. One will attach to the
> DSL modem via cat5, the other connects to your inside network (your
> hub/switch). This requires buying a DSL modem and a switch/hub (which
> you already have).
>
> If your ISP uses bridged mode then you'll assign the external ethernet
> card your allocated IP address/netmask/gateway etc.
>
> If your ISP uses PPPoE (by far the most common) then you won't configure
> the external network card at all, and you will run a pppoe connection
> that will be assigned your IP etc via a PPP connection over the ethernet
> card.
>
> In both cases the modem is not assigned an IP. In PPPoE, neither is the
> Ethernet card. If the modem were assigned an IP (or two, one for each
> interface) it would be called a router (you can get DSL routers).
>
> Kind Regards
> Crispin Wellington






Re: ADSL, routers firewalls etc.

2002-10-14 Thread Bob Proulx

Tom [EMAIL PROTECTED] [2002-10-14 14:29:04 +0100]:
> I manage a small office network that we can now afford to upgrade to an ADSL
> internet connection.  In researching ADSL support for Debian linux I am a
> little confused on a few issues, mainly as I only have experience with Cable
> Modem broadband, not DSL.

The concepts are very, very similar.  The differences depend upon if
you have a dynamic address or a static address.  All else is driven
behind that decision point.

If you have a DSL with a dynamic address then what you end up with
will be almost identical in behavior to a cable modem.  This is
probably the simplest route to go with DSL.

If you have a static address then there are a number of configurations
possible and life is more complicated.  But more fun too and more
capabilities possible.  In this mode the options are usually routed or
bridged.  I prefer routed myself.  But the choice is arbitrary and
different preferences exist.  Don't worry about this jargon for now.

A question to ask is are you providing services only internal to your
office?  Or are you going to be serving data to the outside world
outside of your firewall?  If only the former then things are simple.
If the latter as well then you will need to understand much and life
can be more stressful and more complicated.  So of course I would
recommend the former.

Make a list of what capabilities and services you want.  Hopefully
they are all internal client services and life is simple.

> I have already purchased a Hub for the network which consists of a Debian
> MySql and Apache server, another Debian firewall box and some Win boxes.
>
> My confusion lies in both terminology and setup.  I imagined before starting
> that I would need to set up a firewall machine with 2 network
> devices.

A common configuration.

> The firewall would then manage security and masquerading, where the
> external eth device will be allocated the static IP (Non-NAT) I have
> been given by my ISP.

That assumes a bridging mode to the DSL.

> However research of the most common Ethernet DSL modems (cheapest about $100
>  / £ 66) suggests that

Since there are at least two common and incompatible DSL types
available I suggest you get a recommendation from your ISP as to the
acceptable modems to purchase.  Otherwise you might find yourself with
an incompatible model.

> 1) the modem has NAT, firewall etc all built in.

Most have this built in which you can use or disable.  I recommend
that you use it.

> 2) many manufacturers combine a network hub and modem.

I prefer the modular approach.  Build your internal network without
relying upon the specific model of modem.  Then if you decide to
upgrade to a fiber(!) connection later you just unplug your modem from
your hub and plug your hub into your new connection and you can upgrade
without too much disruption to your internal installation.

> 3) the modem itself must be assigned an IP not the machine it is fixed to

Depends.  Bridging or routed.  Hold on, I will say more in a moment.

> I'm assuming therefore that the firewall machine is not required.

Correct for the former case described above.

> I had previously thought that a gateway machine such as a firewall
> was necessary for me to be able to SSH to do remote admin.

Having an administration machine that can be remotely logged into is
very convenient.  You will almost certainly put that machine to work.

> Details
> ---
> Was thinking of buying Conexant AMX-CA61E (1 Port)
> Isp-
> Protocol: PPP/VC (sometimes called: PPPoA or PPP over ATM) VPI=0 VCI=38

Recommendation.  Since it sounds like you are just starting out I will
suggest that you start small and work up the complexity as you need
it.  Therefore don't run your own servers, web, mail, etc.  Just use
the DSL for network clients in your office to connect to the Internet.
Use your ISP for those server applications if you need them.  This is
very easy to set up and hard to break so it will be robust and
everyone will stay happy.

All of your hosts are wired to the network hub.  The hub is wired to
the DSL modem.  The modem to the Internet.  Using PPP mode your modem
will negotiate an address from your ISP.  You are only using it for
client side access and you don't care what IP address you get.  Let
the modem do NAT for the internal network.  Anything that does NAT
makes a good firewall therefore you won't _need_ a separate firewall
machine.  You might want one for the highest level of protection but
generally it is not strictly required.

The modem doing NAT will also provide a DHCP server for your internal
network.  Set your internal hosts to DHCP an address.  This
configuration is generally the default for DSL modems so no special
configuration is required.  Doing it this way everything pretty much
runs out of the box.  This is a good way to initially wire things up
and test that everything is working.

But having the modem do internal DHCP serving has some issues.  You
will never really know what