Just for info, when using a 255.255.255.128 netmask, the valid address
ranges are

192.168.1.0          Network Address
192.168.1.1-126      Host Address
192.168.1.127        Broadcast Address

192.168.1.128        Network Address
192.168.1.129-254    Host Address
192.168.1.255        Broadcast Address

Basically in setting 192.126.1.128, you are using an invalid address.

Regards

Gareth
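
The subnet arithmetic behind the table above, as an added example that is not part of the original message: it classifies an interface address under its netmask and flags addresses that are a network or broadcast address, or subnets that overlap between interfaces. The function names are hypothetical, and the eth1 address in the sample is an assumption; the eth2 values are the ones quoted in this thread.

```python
import ipaddress

def classify(address, netmask):
    """Return (role, network, first_host, last_host) for address under netmask."""
    iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
    net = iface.network
    if net.prefixlen >= 31:  # /31 and /32 have no network/broadcast address
        return "host", net, net.network_address, net.broadcast_address
    if iface.ip == net.network_address:
        role = "network"
    elif iface.ip == net.broadcast_address:
        role = "broadcast"
    else:
        role = "host"
    return role, net, net.network_address + 1, net.broadcast_address - 1

def check_interfaces(configs):
    """configs: {name: (address, netmask)} -> list of problem strings."""
    problems, seen = [], {}
    for name, (address, netmask) in sorted(configs.items()):
        role, net, first, last = classify(address, netmask)
        if role != "host":
            problems.append(
                f"{name}: {address} is the {role} address of {net}; "
                f"use {first}-{last}"
            )
        # Two interfaces in overlapping subnets make routing ambiguous.
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{name}: {net} overlaps {other_net} on {other}")
        seen[name] = net
    return problems

# Constructed sample: eth2 as configured in the thread; eth1's address is assumed.
SAMPLE = {
    "eth1": ("192.168.1.1", "255.255.255.128"),
    "eth2": ("192.168.1.128", "255.255.255.128"),
}

if __name__ == "__main__":
    for line in check_interfaces(SAMPLE):
        print(line)
    # The two /25 halves of the /24, matching the table above.
    for half in ipaddress.ip_network("192.168.1.0/24").subnets(prefixlen_diff=1):
        print(half, half.network_address, half.broadcast_address)
```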

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Nathan Callahan
Sent: 12 July 2001 12:12
To: Darcy Brodie
Cc: [EMAIL PROTECTED]
Subject: Re: [expert] Multiple network cards in a Mandrake
firewall/switch combination


Hi... This is probably all my fault for confusing the issue, so I guess
that I will have to try and help clean it up :-)

If you are using something resembling my silly little setup, BOTH nics
need to be set up with 255.255.255.128 netmasks.

If you are using something more like what the wise civileme wrote, the idea
is to use a completely different network for the 10baseT hosts.  Something in
the 172.16.*.* range (as he suggested) or the 10.*.*.* would be
appropriate (I believe these are the IP ranges, along with 192.168.*.*,
reserved for private networks)

Hope this helps, sorry for muddying the waters.


On Thursday, July 12, 2001, at 12:46  PM, Darcy Brodie wrote:

> I have added the additional nic into the firewall / masquerading machine,
> and configured it to 192.168.1.128/255.255.255.128
> I can ping the address from the 100mhz network (both from the server, and
> from remote workstations).  However, I connected a workstation to the new
> nic card (eth2) through a 10mhz hub, and I can not ping either the eth2
> card from the remote 10mhz workstation, or the remote workstation from the
> server.  I have verified that the hub and the cables are working. I have
> even used a cross over cable from the workstation to the server, but I
> still can not ping the eth2 card
>
> Darcy
>
> Nathan Callahan wrote:
>
>> There is another option.  You could set the machine up as an ethernet
>> bridge as I am doing here so that I can use my powerbook on our local
>> coax network, and get to the masquerading host easily and so that the
>> other people on the network don't need to change their settings to see
>> my machine.  It means that hosts on two subnets can see each other as
>> though they were on the same subnet, basically like a switch (only
>> cheaper).
>>
>> Although this is much easier to do on a 2.4 kernel, it can be done under
>> 2.2, I just can't remember how at the moment, but I remember that it
>> does require a special utility (and there is a howto)
>>
>> If you _are_ running 2.4... here's how to do it.
>>
>> configure one card to have an address in the range 192.168.2.1 through
>> .127, and the other in 192.168.128 through .254 and give both a
>> 255.255.255.128 netmask.
>> All machines on the 1-127 side need to have ip addresses in this range,
>> all machines on the other side, ip addresses in 128-254
>>
>> then issue the commands... (assuming that the cable modem is on eth0,
>> the local cards being eth1 and 2)
>> echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
>> echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp
>>
>> and turn on forwarding between the interfaces...
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> The proxy arp bit basically makes the machine transparent as far as the
>> local network is concerned; all machines can carry on having
>> 255.255.255.0 netmasks.
>>
>> The other thing is that if you do have a firewall set up on that box,
>> and as civileme has suggested, the forward policy is DENY, you will
>> probably need something along the lines of.
>>
>> ipchains -A forward -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
>>
>> I make no guarantees as to the completeness or robustness of this
>> solution, it works for me, YMMV.  Hey, even if this doesn't help you a
>> bit, I think it's pretty cool and felt like showing it off anyway :-)
>> Plus, it may help someone else.
>>
>> Regards,
>>    Nathan Callahan
>>
>> On Tuesday, July 10, 2001, at 04:18  PM, Darcy Brodie wrote:
>>
>> and in his usual, amazingly helpful style...
>>> civileme wrote:
>>>
>>>> On Tuesday 10 July 2001 04:47, Darcy Brodie wrote:
>>>>> Hello
>>>>>     I hope that this can be done.  I currently have a LM7.2 box as a
>>>>> firewall for our internet access.  Cable modem from ISP is going to
>>>>> eth0.  eth1 (100baseT) is going to the internal network.  What I need
>>>>> to do, is add a 3rd network card to allow me to also have a 10baseT
>>>>> network within the local network.  Can this be done with Linux?  Have
>>>>> not been able to find any information in the how-to's on this
>>>>> configuration.
>>>>>     I also, if need be, have access to a second Linux file server, that
>>>>> I could add additional network cards into (it currently only has 1
>>>>> card in it)
>>>>>     I am currently using class C IP's in the 192.168.1.X range, but
>>>>> this is flexible if required.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Darcy
>>>>
>>>> Just add the card and setup adaptor.  If you are making this a different
>>>> network and want the two to talk, you will need to setup a route and make
>>>> sure your internet masquerading rules apply only to forwards pointed at
>>>> the internet interface.  Since the first instruction in many masquerading
>>>> setups is
>>>>
>>>> ipchains -P forward DENY
>>>>
>>>> you will need to write a series of rules in terms of -i ethx -o ethy to
>>>> cover all possible combos.  Of course if you set up netmasks so they are
>>>> effectively on the same network, then the route does not need to be
>>>> added, but you still need the rules for forwarding.
>>>>
>>>> Another approach, using your other box, is to make it a masquerading
>>>> gateway from the 10baseT net to the 192.168 net, and use some other scheme
>>>> for the others like 172.16.x.y  This permits both local net and internet
>>>> access and keeps the networks separated without a lot of rules complexity.
>>>>                internet
>>>>    _________|____________
>>>>    |       Gateway      |
>>>>    |       Current      |
>>>>    |        Local       |
>>>>    |____________________|
>>>>             |
>>>>     ________|_________________________
>>>>     |                                |
>>>>     |_________________        _______|________
>>>>     |     |      |      |     |  Other box   |
>>>>     (current local net)       | Interface to |
>>>>                               |    other     |
>>>>                               |______________|
>>>>                                      |
>>>>                                ______|________
>>>>                                |    |    |   |
>>>>                                (new local net)
>>>>
>>>> In the ASCIIgram above, the boxes shown both use masquerading and the
>>>> one handling the 10MHz net is 100MHz on the main net, something like a
>>>> data compression switch.  It can also be peered with the other local net
>>>> computers.
>>>>
>>>> Finally, how about just using one port off a switch to a switch for the
>>>> 10BaseT machines?  If you do not need a separate network, it will slow
>>>> things only at choke points like your internet gateway/file server.
>>>>
>>>> Civileme
>>>
>>> Thanks.
>>>     I know that a switch would be the easiest way to get this to work,
>>> however, I have a tight (almost non-existent) budget to work with.  I
>>> will try this probably Tues evening
>>>
>>> Darcy
>>>
>>>
>
>



