Re: Routing with iproute2
- From: Geoffrey Clements <bitbucket@xxxxxxxxxxxxxx>
- Date: Tue, 11 Mar 2008 20:10:18 +0000
Will Kemp wrote:
> On Tue, 11 Mar 2008 12:44:19 +0000, Geoffrey Clements wrote:
>> Spurred on by folks on this ng (Nix mostly!) saying that the iproute2
>> package is the way to go and that the ifconfig and route commands are
>> deprecated, I've spent a little time reading the book at
>> http://www.policyrouting.org. It's been a good read and I feel like a
>> caveman who's seeing a bronze axe for the first time. But reading this
>> is also a little brain melting, so I'd like to ask the following question
>> to anyone who knows something about routing using the iproute2 tools.
>>
>> At home I have a single logical network, part wired and part wireless.
>> My ISP has given me 8 IP addresses on network x.x.x.200/29 and I connect
>> via an ADSL modem/router that is acting like a router (not a bridge).
>
> I assume these x.x.x.0 subnet addresses are internet-routable?

Yes.

>> The IP allocation looks like this:
>>
>> x.x.x.201 - router LAN side
>
> Why would you want to use internet-routable IP addresses on your LAN?
> Doesn't your router do NAT? It's not completely foolproof, but you get a
> certain amount of added security from having all your local machines on a
> non-internet-routable subnet. It means if the firewall on your laptop or
> whatever isn't configured properly, and you've got open ports, anyone
> from anywhere in the world can get access to those ports. With a
> non-internet-routable subnet, they can't (normally).

Yes, the router does NAT, but I intend to put more than one internet-facing
server on the LAN in the future. The router will do port forwarding but
only to one IP address. Actually that's not totally true: my previous
router died last week and this is a new, more modern router with new
capabilities, but I haven't explored them all yet.

My home LAN serves two purposes: an internet connection (obviously) and a
learning tool. It suits my purposes at present to not have NAT. Both my PCs
are secured with iptables rules. I know NAT would add another layer of
protection, but I'm making a compromise so that I can learn a bit more by
doing. I've got plans to try out some VPN stuff and I'm not sure how NAT
would fit in with that.

>> x.x.x.202 - wireless access point admin interface
>> x.x.x.203 - my main PC
>> x.x.x.204 - server (does a number of things but also is a web-server
>> onto t'internet)
>> x.x.x.205 - used for configuring other PCs (i.e. setting up linux on
>> friends' PCs)
>> x.x.x.206 - under DHCP control for when my children visit with their
>> wireless-enabled windows laptops
>
> So your children's laptops are open to port scans and potential security
> compromises?

Yes, I have explained this to them and recommended they get Zone Alarm or
something similar, but in the end it's their choice.

>> x.x.x.207 - broadcast address
>>
>> What I would really like is to have more addresses under DHCP control so
>> that more laptops can be brought into use at the same time.
>
> If you use NAT, you can have more than 65786 addresses available for any
> use you like! (That's only counting 10.0.0.0/8 and 192.168.0.0/16 - cos I
> can never remember what the other block is!)

As I said, NAT is not something I want to do right now.

>> Now that I've been enlightened on the use of the ip command, addresses,
>> routes and rules, I'm considering putting the router and wireless
>> access points on a different netmask such as:
>>
>> x.x.x.201 - my main PC
>> x.x.x.202 - server
>> x.x.x.203 to x.x.x.206 - under DHCP control
>> 192.168.0.1 - router LAN side
>> 192.168.0.2 - wireless access point admin interface
>>
>> All these being on the same logical network as before. The interface on
>> the main PC will need two different IP addresses and I'll need to think
>> about the routing, but from what I've read this should be possible, I
>> think. Is this correct or am I smoking the wrong stuff?
>
> I'm afraid I can't see the point of what you want to do. Maybe if you
> explain what exactly you're trying to achieve by using an internet-
> routable subnet, it might be easier to answer your question.

Actually I don't think the above is possible, at least not with the router
moving to a private IP, as there would be no route back from the internet.
However I still /think/ that moving the access point onto a private IP
might work, and it has the added benefit of being invisible to all machines on
the internet-routable subnet unless their interfaces are set up to run on
the two subnets, which won't be the case for any visitors. At least this
will free up one IP.
Thanks for the reply.
--
Geoff
Registered Linux user 196308
Replace bitbucket with geoff to mail me.
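The following is an added example (not code from the post above, and not from the iproute2 project) that models the variant Geoff lands on at the end: the router keeps a public address, the wireless access point moves to 192.168.0.2, and the main PC carries one address in each subnet on a single interface. It uses Python's standard ipaddress module to check the addressing plan against the /29 (no network or broadcast address used as a host, no duplicates), to answer "can host A reach the access point without a router?", and to emit the iproute2 commands a host would need. The documentation range 203.0.113.200/29 stands in for the poster's x.x.x.200/29; the host names, the interface name eth0 and the gateway at .201 are assumptions made for the example.

```python
"""Model the /29 public LAN plus a private subnet for the access point, as
discussed in the thread, with the standard-library ipaddress module."""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample: 203.0.113.200/29 (a documentation range) stands in for the
# poster's x.x.x.200/29; 192.168.0.0/24 is the private range named in the post.
PUBLIC = ip_network("203.0.113.200/29")
PRIVATE = ip_network("192.168.0.0/24")
GATEWAY = "203.0.113.201"          # assumed: the router keeps a public LAN address

# Hypothetical host names. Each value is the list of addresses on that host's
# single LAN interface; the main PC carries one address in each subnet.
PLAN = {
    "router":  ["203.0.113.201/29"],
    "main-pc": ["203.0.113.203/29", "192.168.0.3/24"],
    "server":  ["203.0.113.204/29"],
    "visitor": ["203.0.113.206/29"],   # a DHCP lease from the public pool
    "ap":      ["192.168.0.2/24"],     # access point admin interface, private only
}


def usable_hosts(net):
    """Host addresses of a subnet, excluding network and broadcast."""
    return [str(a) for a in net.hosts()]


def check_plan(plan):
    """Return a list of problems: an address outside both subnets, a network or
    broadcast address used as a host address, or the same address used twice."""
    problems = []
    seen = {}
    for host, addrs in plan.items():
        for a in addrs:
            iface = ip_interface(a)
            net = iface.network
            if net not in (PUBLIC, PRIVATE):
                problems.append(f"{host}: {a} is in neither {PUBLIC} nor {PRIVATE}")
            if iface.ip in (net.network_address, net.broadcast_address):
                problems.append(f"{host}: {a} is the network or broadcast address")
            if iface.ip in seen:
                problems.append(f"{host}: {iface.ip} is already used by {seen[iface.ip]}")
            seen[iface.ip] = host
    return problems


def directly_reachable(plan, src, dst_ip):
    """True if src has an address in the same subnet as dst_ip, i.e. it can talk
    to dst_ip on the shared wire without any router in between."""
    dst = ip_address(dst_ip)
    return any(dst in ip_interface(a).network for a in plan[src])


def ip_commands(plan, host, dev="eth0"):
    """iproute2 commands that would configure `host` according to the plan
    (assumed interface name eth0; nothing here is executed)."""
    cmds = [f"ip addr add {a} dev {dev}" for a in plan[host]]
    has_public = any(ip_interface(a).network == PUBLIC for a in plan[host])
    if has_public and host != "router":
        cmds.append(f"ip route add default via {GATEWAY} dev {dev}")
    return cmds


if __name__ == "__main__":
    print("usable public addresses:", usable_hosts(PUBLIC))
    print("plan problems:", check_plan(PLAN) or "none")
    for src in ("main-pc", "visitor"):
        print(f"{src} -> ap: {directly_reachable(PLAN, src, '192.168.0.2')}")
    # The "invisible" access point only holds while visitors stay in the public
    # subnet; a visitor who adds a private address is on the wire just the same.
    curious = dict(PLAN, visitor=PLAN["visitor"] + ["192.168.0.50/24"])
    print("visitor with a self-assigned private address -> ap:",
          directly_reachable(curious, "visitor", "192.168.0.2"))
    for cmd in ip_commands(PLAN, "main-pc"):
        print(cmd)
```

The `ip addr add` lines are exactly how iproute2 puts a second address on one interface, which is the part of the plan the post asks about. The last check in the script is the caveat worth keeping in mind: the access point on 192.168.0.2 is unreachable from a visitor's laptop only because that laptop has no address in 192.168.0.0/24; it shares the same wire, so anyone who assigns themselves a private address can talk to it. Keeping the admin interface off the public subnet saves a routable address and hides it from the internet, but access control on the LAN side still has to come from iptables on the hosts (or a separate VLAN/SSID), not from the subnet layout.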