Mikkel L. Ellertson wrote:

Lanman wrote:

Well Folks, the Lanman has finally met his Waterloo! I'm trying to regain control over a network for a friend, but this thing has to be every SysAdmin's nightmare come alive!

My friend (Peter) has a small home network in a two-story house. 2 Macs, 3 Windows PCs (Don't ask, I'm working on that!), and a new Mandrake 10.0 (Official)-powered server that we just built to share files (using Samba back and forth between all the systems, as well as to firewall his systems, to handle Dynamic DNS, and also an ADSL connection).

Here's where it gets interesting. While Peter had the Internet connection installed 18 months ago and he's been paying for it, he hasn't been using it.

Instead, he's been connected to his brother's network and Internet service. I should mention that the brother lives on the first floor, while Peter is on the second floor. Both use the same ISP, and the same ADSL modems which have barely got any configuration options at all, and this is where the problems start.

Since both modems run a DHCP server by default, I'm constantly running into problems. It's not possible to disable the DHCP server on either modem, or to reconfigure the modems to serve IP addresses on different subnets.

Since Peter's brother runs only Windows, and never updates his anti-virus programs, and since the two are constantly sharing files between the two LANs (which are currently running as one LAN on the same subnet), there have been quite a few infection-related problems, which have resulted in my trying to work out a viable solution.

I should also mention that neither one wants to break their connection to the other as they have other files that need to be shared as well.

So, my solution to the problem was to install 3 NICs in the new server, and to use two different subnets. Since Peter has almost 400 Gigs of data stored on his brother's network, he needs access to that data. Switching Peter and his family to Linux on his PCs (and maybe the Macs as well) is the next phase of this nightmare, but it should go a long way to solving some of the virus issues for the time being.

So, I've set up Peter's new server so that it can run his ADSL connection from eth0, his LAN runs on eth1 (using a subnet of 10.0.0.0), and the third NIC connects to his brother's subnet (using a subnet of 192.168.0.0).

Now comes the fun part. I've tried everything I could to find out how to run routing through the new server, but decrypting the HOWTOs for IPROUTE2 is like speaking only Chinese when the book is written in Greek!

Can someone shed a bit of light on this please? I'm using IPtables in Webmin (Praise the "Powers" that be and Jamie Cameron for creating Webmin), to configure the firewall. My plan is to block traffic from the brother's subnet after the routing has been configured, while still allowing Peter to access his data on the brother's LAN. In essence I should be able to DENY, DROP or REJECT anything coming from downstairs, while allowing Samba, Netatalk and Appletalk to see the shares downstairs. I'm not expecting troubles from that aspect of the setup, but I can't get a handle on routing with this no way, no how.

I currently have a brain full of too much useless knowledge about routing because none of the documents I've found even try to provide a step-by-step process. They mostly seem to be concerned about explaining the theory, instead of the practical aspects.

Sorry this post is so long, but I wanted to explain all the things I'm facing in a clear manner. I'd appreciate any help that can be offered!

Thanks in Advance, and sorry to make your collective heads hurt on a weekend! This one has me stumped.

Lanman


I take it you are running a DHCP server on the Linux box. For the upstairs system, things will be fairly simple. But the downstairs system, the one that uses its own ADSL connection, gets harder. This is because it will try and send anything that is not on the 192.168.0.0 network through the ADSL modem. It will be able to talk to the Linux box, but not the machines behind it. You can solve some of this by having the Linux box masquerade the connection to the lower floor, as well as the DNS connection. You will also have to use a non-standard netmask for the ADSL modem connection - 255.255.255.255 I think, so that only traffic to the ADSL modem uses that NIC. (192.168.0.1 for the gateway?)

You can solve a lot of this by adding a route to each machine in the lower network so that it knows to use the Linux box as the gateway to the 10.0.0.0 network.

You might be better off picking up a couple of cheap firewall/routers to hook between the ADSL modems and the network. At least one for the downstairs network. That way, you could control the network settings and the default route for both networks. You would end up routing everything through the Linux machine, but it would let you do load balancing between the two ADSL modems. Or you could run both ADSL modems through the Linux box.

You will also have some interesting times setting up file sharing between the two subnets, but that is for another message. Sharing the Linux box between networks will work - but Windows file sharing does not work well across subnets.

If you need specific routes for the Linux box, I can work them out later, and post them...

Mikkel

Mikkel, thanks for the quick reply. I'll respond to your comments in order, so here goes.


1) I will not be running a DHCP service on the upstairs network at all. Since the LAN is small, since DHCP is partly responsible for the existing problem, and since there's no actual need for it, I'll be staying away from DHCP completely.

The ADSL modem that Peter has upstairs runs a DHCP service, but it's only connected to the first NIC (eth0), and that NIC also has a static IP address. Also, I've avoided using the same subnets anywhere, so if the downstairs ADSL modem and LAN are blocked from affecting the upstairs LAN via routing and firewalling, they should have little or no effect on the upstairs LAN (Fingers crossed!).

Also, the file sharing in this scenario only has to go one way where the upstairs network needs access to file shares on the downstairs network. That's why I intend to use the firewall to block all traffic from downstairs to upstairs, but to allow SMB and Appletalk from upstairs to downstairs.

The server upstairs has a dedicated NIC which is configured for the downstairs subnet (192.168.0.0), so as to provide the one-way file-sharing that Peter needs. That way he can access the shares which are downstairs from the upstairs network.

Once routing is up and running, I only need to deny everything coming from the downstairs network, and then to allow the upstairs to access the downstairs on ports 135, 137, 139 for Samba, and maybe port 548 for Appletalk.

So the overall idea is to have two active ADSL connections, two LANs on two subnets with two separate gateways, and one LAN with one-way file-sharing access from upstairs to downstairs. Routing and firewalling should be able to do that, if I can figure out how to configure the iproute2 software. Downstairs will not have any access whatsoever to the upstairs network, unless the connection is "related/established" by the upstairs network.

All the systems downstairs are running Windows (XP, XP Home, and NT 4.0 Server), and all have shares running on them, which we can currently see as long as one of the modems is disabled. Once they are both connected, two DHCP servers are started and attempt to serve identical IP ranges on the exact same subnets.

So, everything for the upstairs network is managed by the Linux server, and there is no access by the downstairs network to the upstairs network.

Oh, one more thing... Peter's brother is away on holidays, and we're trying to get this done before he returns. We don't have physical access to the downstairs network.

Simple, HUH?

Lanman
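As an added example (not code from either poster), here is one way to put the plan above into iptables and kernel routing on the three-NIC box. It combines Mikkel's masquerade suggestion with Lanman's port list: everything NEW from downstairs is dropped (and logged), upstairs may open SMB/NetBIOS and AFP connections to downstairs, and since the downstairs machines send everything off-subnet to their own modem, the traffic is masqueraded on the downstairs NIC so replies come back to the Linux box. Assumptions: the third NIC is eth2, both LANs are /24, and UDP 138 is added alongside the 135/137/139/548 ports named in the thread. No `ip route` entries are needed here because all three subnets are directly connected and the default route comes from eth0's ADSL configuration. The function prints the commands rather than running them so the policy can be reviewed first; apply it as root with `fw_rules | sh`.

```shell
#!/bin/sh
# Added example for the thread above; not the posters' own configuration.
# Interface names (eth2) and /24 masks are assumptions; the thread only says
# eth0 = ADSL, eth1 = 10.0.0.0 upstairs, third NIC = 192.168.0.0 downstairs.
WAN=eth0               # Peter's own ADSL modem
UP=eth1                # upstairs LAN (Peter)
DOWN=eth2              # brother's LAN (assumed name)
UP_NET=10.0.0.0/24     # mask assumed
DOWN_NET=192.168.0.0/24  # mask assumed

# fw_rules prints the commands instead of executing them, so the policy can be
# read (or diffed against the current ruleset) before applying with: fw_rules | sh
fw_rules() {
    cat <<EOF
# turn the box into a router; the kernel forwards between the three NICs
sysctl -w net.ipv4.ip_forward=1
# start from clean filter and nat tables, default-deny on INPUT and FORWARD
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
# the box itself: loopback, replies to its own connections, and admin from upstairs only
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $UP -s $UP_NET -j ACCEPT
# replies to connections opened from upstairs may flow back in either direction
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# upstairs -> downstairs shares: SMB/NetBIOS (135,139/tcp, 137,138/udp) and AFP (548/tcp)
iptables -A FORWARD -i $UP -o $DOWN -s $UP_NET -d $DOWN_NET -p tcp -m multiport --dports 135,139,548 -j ACCEPT
iptables -A FORWARD -i $UP -o $DOWN -s $UP_NET -d $DOWN_NET -p udp -m multiport --dports 137,138 -j ACCEPT
# upstairs -> Internet over Peter's own ADSL line
iptables -A FORWARD -i $UP -o $WAN -s $UP_NET -j ACCEPT
# anything NEW arriving from downstairs hits the DROP policy; log it first so
# infected machines downstairs show up in syslog instead of silently vanishing
iptables -A FORWARD -i $DOWN -m state --state NEW -j LOG --log-prefix "downstairs-blocked: "
# downstairs hosts route 10.0.0.x to their own modem, so masquerade on $DOWN:
# they see the Linux box's 192.168.0.x address and replies come back here
iptables -t nat -A POSTROUTING -o $DOWN -s $UP_NET -j MASQUERADE
# and masquerade upstairs traffic going out over the ADSL line as usual
iptables -t nat -A POSTROUTING -o $WAN -s $UP_NET -j MASQUERADE
EOF
}
```

Because downstairs only ever sees connections that originate from the upstairs side, the brother's machines cannot open anything to 10.0.0.x even if they learn the address; the LOG line gives Peter a record of attempts, which is a useful early warning of another infection downstairs.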
