RE: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-09 Thread Michael Grant
I have used openwrt, but not a recent version of it.  I have been using Ubiquiti 
EdgeRouters running the stock EdgeOS.  Very solid routers.  I even have one 
sitting up in a tree in a Tupperware container in the snowy mountains!

I recently discovered that EdgeOS is based on Debian and you can install Debian 
packages on them.

Michael Grant






Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 16:42:40 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > > If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
> > > to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
> > 
> > My understanding - please correct me if I'm wrong - is that with those
> > types of cards, the ports are distinct and aren't actually switched in
> > hardware, so switching occurs at the OS / kernel level. I don't know
> > how much of a load this puts on the system in practice, but my
> > understanding is that it's certainly not an ideal way to design a
> > switch.
> 
> Modern processors -- even the ones 5 years old -- are really
> fast.
> 
> Linux bridging (switching) is very efficient.

Fair enough.

> Is it "ideal"? No. But given that you want one device which acts
> as a WAP, router, firewall and switch, it should perform quite 
> well. If you hate the idea of doing that, though, an 8-port
> gigabit switch is about the same price as a used 4-port gigabit
> NIC. Not as flexible, though.
> 
> > > desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
> > > you can use it as a WAP and have nine switched/routed gigabit ports,
> > > counting one on the motherboard.  If you only need 5 ports, you only
> > > need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.
> > 
> > My understanding, although I could not find solid documentation of this,
> > is that consumer wireless chipsets designed for client use don't make
> > particularly performant APs. They'll work, but purpose built APs will
> > perform much better, especially with their AP optimized antennas. I
> > don't really know if this is true, though, and to what extent it's an
> > issue, if it really is one.
> 
> Oh, no, this is a myth. The $20-150 consumer wifi routers use
> the same wifi interface chips as good PCIe cards, for the most
> part. OpenWRT is actually a great source of information on
> these.
> 
> Assuming you're comparing a 3 antenna MIMO on a PCIe card to a 3
> antenna MIMO on a consumer router, you should get equivalent
> range and performance.

Thanks. I'd love to see actual tests comparing performance of wireless
APs (consumer, enterprise, and DIY ones like we're discussing), but
they seem very hard to come by.

> > And the power usage on a five year old desktop (which I don't actually
> > have) will be much higher than a purpose-built AIO AP / switch / router.
> 
> That can be true. But then, the desktop can also be your server
> for a bunch of other things that, perhaps, you were going to
> run.

Fair enough. I'm currently using an old R210 ii as my server, so I'm
not one to talk ;) I suppose it might be fun to see if I can fit a
modern AX200 based PCIe (perhaps a low profile one) into it and see how
it performs as an AP / router ...

> > But again, I don't really disagree. If I had the hardware lying around,
> > and I determined that the power consumption wasn't a factor, it would
> > certainly be tempting to consider this route.
> 
> Everything is a tradeoff.

Yes.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> > If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
> > to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
> 
> My understanding - please correct me if I'm wrong - is that with those
> types of cards, the ports are distinct and aren't actually switched in
> hardware, so switching occurs at the OS / kernel level. I don't know
> how much of a load this puts on the system in practice, but my
> understanding is that it's certainly not an ideal way to design a
> switch.

Modern processors -- even the ones 5 years old -- are really
fast.

Linux bridging (switching) is very efficient.

Is it "ideal"? No. But given that you want one device which acts
as a WAP, router, firewall and switch, it should perform quite 
well. If you hate the idea of doing that, though, an 8-port
gigabit switch is about the same price as a used 4-port gigabit
NIC. Not as flexible, though.

> > desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
> > you can use it as a WAP and have nine switched/routed gigabit ports,
> > counting one on the motherboard.  If you only need 5 ports, you only
> > need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.
> 
> My understanding, although I could not find solid documentation of this,
> is that consumer wireless chipsets designed for client use don't make
> particularly performant APs. They'll work, but purpose built APs will
> perform much better, especially with their AP optimized antennas. I
> don't really know if this is true, though, and to what extent it's an
> issue, if it really is one.

Oh, no, this is a myth. The $20-150 consumer wifi routers use
the same wifi interface chips as good PCIe cards, for the most
part. OpenWRT is actually a great source of information on
these.

Assuming you're comparing a 3 antenna MIMO on a PCIe card to a 3
antenna MIMO on a consumer router, you should get equivalent
range and performance.

> And the power usage on a five year old desktop (which I don't actually
> have) will be much higher than a purpose-built AIO AP / switch / router.

That can be true. But then, the desktop can also be your server
for a bunch of other things that, perhaps, you were going to
run.

> But again, I don't really disagree. If I had the hardware lying around,
> and I determined that the power consumption wasn't a factor, it would
> certainly be tempting to consider this route.

Everything is a tradeoff.

-dsr-



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 11:03:35 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > > I can be glad that OpenWRT has improved their security practices
> > > and simultaneously not be interested in using it.
> > 
> > I think we are really in basic agreement. The reason I use OpenWRT is
> > that I use a residential all-in-one WAP / switch / router, which Debian
> > is unsuitable for. If I ever go the separate WAP / switch / router
> > route, I'll probably use Debian on the router for the reasons you
> > give: good support, a system I'm familiar with, etc.
> 
> Debian works well in this situation. You just need to arrange
> for enough NIC ports to meet your needs.
> 
> If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
> to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old

My understanding - please correct me if I'm wrong - is that with those
types of cards, the ports are distinct and aren't actually switched in
hardware, so switching occurs at the OS / kernel level. I don't know
how much of a load this puts on the system in practice, but my
understanding is that it's certainly not an ideal way to design a
switch.

> desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
> you can use it as a WAP and have nine switched/routed gigabit ports,
> counting one on the motherboard.  If you only need 5 ports, you only
> need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.

My understanding, although I could not find solid documentation of this,
is that consumer wireless chipsets designed for client use don't make
particularly performant APs. They'll work, but purpose built APs will
perform much better, especially with their AP optimized antennas. I
don't really know if this is true, though, and to what extent it's an
issue, if it really is one.

And the power usage on a five year old desktop (which I don't actually
have) will be much higher than a purpose-built AIO AP / switch / router.

> Debian has hostapd and dnsmasq packages.

But again, I don't really disagree. If I had the hardware lying around,
and I determined that the power consumption wasn't a factor, it would
certainly be tempting to consider this route.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Stefan Monnier
> I think we are really in basic agreement. The reason I use OpenWRT is
> that I use a residential all-in-one WAP / switch / router, which Debian
> is unsuitable for. If I ever go the separate WAP / switch / router
> route, I'll probably use Debian on the router for the reasons you
> give: good support, a system I'm familiar with, etc.

Here's a related datapoint:

For a couple years, I have used a Pi box as router+WAP, running
Debian (after having used "home routers" running OpenWRT for many years
before that).

I was quite happy with it on the software side (a bit less convenient to
configure than OpenWRT for the WAP part, but largely makes up for it for
the ease with which I could add auxiliary services and the convenience
of using the same OS as I use on all my other machines), but I was
unable to make it provide a good enough wireless signal to cover
my apartment.

So I switched to a box dedicated to WAP+router (BT HomeHub, in my case
https://openwrt.org/toh/bt/homehub_v5a), whose hardware is too limited
to run Debian.  IOW the problem for me was to find hardware which is
low-power enough to have it "always on" yet whose wifi interface is good
enough to cover my apartment: these thingies seem to be much more often
able to run OpenWRT than to run Debian :-(

W.r.t security, an important advantage of Debian is that upgrades are
much easier and smoother (so much so that they can be fully automatic)
than in OpenWRT.  But I'm a very happy user of OpenWRT (and have been
for many many years).


Stefan


PS: Another reason I went with the BT HomeHub is that it includes the
modem (and that this modem is supported by OpenWRT, tho with
a proprietary firmware), so it saves me having to have yet another box
in that corner (I still have the Pi there since the HomeHub is not
well suited to provide some of those services, which require a largish
storage which I'd rather not connect via USB).



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> > I can be glad that OpenWRT has improved their security practices
> > and simultaneously not be interested in using it.
> 
> I think we are really in basic agreement. The reason I use OpenWRT is
> that I use a residential all-in-one WAP / switch / router, which Debian
> is unsuitable for. If I ever go the separate WAP / switch / router
> route, I'll probably use Debian on the router for the reasons you
> give: good support, a system I'm familiar with, etc.

Debian works well in this situation. You just need to arrange
for enough NIC ports to meet your needs.

If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
you can use it as a WAP and have nine switched/routed gigabit ports,
counting one on the motherboard.  If you only need 5 ports, you only
need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.

Debian has hostapd and dnsmasq packages.

-dsr-



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 09:57:13 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > On Mon, 8 Feb 2021 08:36:34 -0500
> > Dan Ritter  wrote:
> > 
> > > OpenWRT's security process doesn't look as terrible as it used
> > > to be, but it doesn't really look good right now, just trying to
> > > be better.
> > 
> > Again, let's look at specific examples of vulnerabilities present in
> > both OpenWRT and Debian, and compare the projects' responses. I gave
> > you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities
> > was issued about two weeks before Debian's.
> > 
> > You feel that OpenWRT's security process "doesn't look good." Based on
> > what? Can you provide a vulnerability that affects their software that
> > they dropped the ball on?
> 
> No, thanks. I don't need to poke at OpenWRT any further.
> 
> I already have a Debian firewall that has had good security
> support from Debian since 2014; I see no reason not to continue
> using it until the hardware fails. At that point, I will buy
> another relatively small fully supported Debian box, and carry
> on. Among other benefits, it means that all the machines at home
> have the same procedures and can be used as testbeds for each
> other. E.g. the music-playing machine in the living room is now
> testing out Bullseye.
> 
> I can be glad that OpenWRT has improved their security practices
> and simultaneously not be interested in using it.

I think we are really in basic agreement. The reason I use OpenWRT is
that I use a residential all-in-one WAP / switch / router, which Debian
is unsuitable for. If I ever go the separate WAP / switch / router
route, I'll probably use Debian on the router for the reasons you
give: good support, a system I'm familiar with, etc.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> On Mon, 8 Feb 2021 08:36:34 -0500
> Dan Ritter  wrote:
> 
> > OpenWRT's security process doesn't look as terrible as it used
> > to be, but it doesn't really look good right now, just trying to
> > be better.
> 
> Again, let's look at specific examples of vulnerabilities present in
> both OpenWRT and Debian, and compare the projects' responses. I gave
> you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities
> was issued about two weeks before Debian's.
> 
> You feel that OpenWRT's security process "doesn't look good." Based on
> what? Can you provide a vulnerability that affects their software that
> they dropped the ball on?

No, thanks. I don't need to poke at OpenWRT any further.

I already have a Debian firewall that has had good security
support from Debian since 2014; I see no reason not to continue
using it until the hardware fails. At that point, I will buy
another relatively small fully supported Debian box, and carry
on. Among other benefits, it means that all the machines at home
have the same procedures and can be used as testbeds for each
other. E.g. the music-playing machine in the living room is now
testing out Bullseye.

I can be glad that OpenWRT has improved their security practices
and simultaneously not be interested in using it.

-dsr-



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 08:36:34 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > On Mon, 8 Feb 2021 06:41:23 -0500
> > Dan Ritter  wrote:
> > 
> > > Gregory Seidman wrote: 
> > > > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs 
> > > > on
> > 
> > ...
> > 
> > > Debian gets security updates in a timely manner (for stable).
> > > 
> > > How's OpenWRT's security team?
> > 
> > I'm not sure if this is a genuine question or a rhetorical one (sorry -
> > tone doesn't always come across well in email), but OpenWRT does have a
> > security process, with advisories, bug fixes, etc.:
> 
> Semi-rhetorical: my experience with OpenWRT and ddWRT is that
> once a device is installed, it never gets an upgrade. I'd be
> happy to learn otherwise.

Rejoice, then! If you choose never to upgrade, that's your choice, but
the project releases point releases every couple of months or so, and
new major versions every year or two:

https://downloads.openwrt.org/releases/

> > https://openwrt.org/docs/guide-developer/security
> > 
> > I suspect the process may not be as good as Debian's, but they do fix
> > at least some serious bugs fairly quickly. E.g., if I'm reading the
> > following pages correctly, the Debian DSAs for the recent serious set of
> > dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its
> > Security Advisory on Jan. 19:
> 
> That page lists 15 advisories over the last 3 years -- let's say
> 2 years, since this year is just beginning. Four of those
> advisories are for OpenWRT-only problems.
> 
> In the 2 months of 2021, so far, Debian's security team has issued 28 notices.
> Let's discount the desktop software -- that's 8 of them, by my
> count -- because nobody runs desktop software on a router.

I think this is a misleading comparison. It's not just a question
of desktop software - Debian includes vastly more software in general,
for which the security team is responsible, than OpenWRT does. Debian
proudly announces that it comes with "more than 59000 packages":

https://www.debian.org/intro/about

OpenWRT includes merely "several thousand packages" (I can't find an
exact number):

https://openwrt.org/packages/start

So of course Debian is going to have more SAs.

> OpenWRT's security process doesn't look as terrible as it used
> to be, but it doesn't really look good right now, just trying to
> be better.

Again, let's look at specific examples of vulnerabilities present in
both OpenWRT and Debian, and compare the projects' responses. I gave
you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities
was issued about two weeks before Debian's.

You feel that OpenWRT's security process "doesn't look good." Based on
what? Can you provide a vulnerability that affects their software that
they dropped the ball on?

> This probably doesn't matter much if you just want a WAP inside
> your house, but I feel confirmed that Debian is still a much
> better choice for an Internet-facing router/firewall.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> On Mon, 8 Feb 2021 06:41:23 -0500
> Dan Ritter  wrote:
> 
> > Gregory Seidman wrote: 
> > > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
> 
> ...
> 
> > Debian gets security updates in a timely manner (for stable).
> > 
> > How's OpenWRT's security team?
> 
> I'm not sure if this is a genuine question or a rhetorical one (sorry -
> tone doesn't always come across well in email), but OpenWRT does have a
> security process, with advisories, bug fixes, etc.:

Semi-rhetorical: my experience with OpenWRT and ddWRT is that
once a device is installed, it never gets an upgrade. I'd be
happy to learn otherwise.

> https://openwrt.org/docs/guide-developer/security
> 
> I suspect the process may not be as good as Debian's, but they do fix
> at least some serious bugs fairly quickly. E.g., if I'm reading the
> following pages correctly, the Debian DSAs for the recent serious set of
> dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its
> Security Advisory on Jan. 19:

That page lists 15 advisories over the last 3 years -- let's say
2 years, since this year is just beginning. Four of those
advisories are for OpenWRT-only problems.

In the 2 months of 2021, so far, Debian's security team has issued 28 notices.
Let's discount the desktop software -- that's 8 of them, by my
count -- because nobody runs desktop software on a router.

OpenWRT's security process doesn't look as terrible as it used
to be, but it doesn't really look good right now, just trying to
be better.

This probably doesn't matter much if you just want a WAP inside
your house, but I feel confirmed that Debian is still a much
better choice for an Internet-facing router/firewall.

-dsr-



Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 06:41:23 -0500
Dan Ritter  wrote:

> Gregory Seidman wrote: 
> > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on

...

> Debian gets security updates in a timely manner (for stable).
> 
> How's OpenWRT's security team?

I'm not sure if this is a genuine question or a rhetorical one (sorry -
tone doesn't always come across well in email), but OpenWRT does have a
security process, with advisories, bug fixes, etc.:

https://openwrt.org/docs/guide-developer/security

I suspect the process may not be as good as Debian's, but they do fix
at least some serious bugs fairly quickly. E.g., if I'm reading the
following pages correctly, the Debian DSAs for the recent serious set of
dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its
Security Advisory on Jan. 19:

https://www.debian.org/security/2021/dsa-4844
https://lists.debian.org/debian-security-announce/2021/msg00026.html

https://openwrt.org/advisory/2021-01-19-1

Celejar



Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Gregory Seidman wrote: 
> If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
> a variety of router hardware, but also PCs: 
> https://openwrt.org/docs/guide-user/installation/openwrt_x86
> 
> Importantly, it uses UCI for configuration of
> switches, networks, 802.11 (wifi) radios, SSIDs, firewalls, etc. which
> substantially simplifies handling the issues you are encountering. Its web
> interface (luci) works directly with the UCI config files, so it's easy to
> switch between editing a file and working in the web UI.

Debian gets security updates in a timely manner (for stable).

How's OpenWRT's security team?

-dsr-



Re: Linux router AP with reserved IPs on wlan0?

2021-02-07 Thread Gregory Seidman
If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
a variety of router hardware, but also PCs: 
https://openwrt.org/docs/guide-user/installation/openwrt_x86

Importantly, it uses UCI for configuration of
switches, networks, 802.11 (wifi) radios, SSIDs, firewalls, etc. which
substantially simplifies handling the issues you are encountering. Its web
interface (luci) works directly with the UCI config files, so it's easy to
switch between editing a file and working in the web UI.

--Gregory

On Sat, Feb 06, 2021 at 02:29:08AM -0800, John Conover wrote:
> 
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> works well with iptables, with one shortcoming.
> 
> After antagonizing the Google for hours, I can not find any way to add
> reserved IPs based on the MAC address of devices connected on
> wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> for a wireless AP.
> 
> Am I correct in my assumption?
> 
> Thanks,
> 
> John
> 
> -- 
> 
> John Conover, cono...@rahul.net, http://www.johncon.com/
> 
> 



Re: Linux router AP with reserved IPs on wlan0?

2021-02-07 Thread John Conover
Tixy writes:
> On Sat, 2021-02-06 at 11:00 -0800, John Conover wrote:
> > Stefan Monnier writes:
> > > > A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> > > > works well with iptables, with one shortcoming.
> > > > 
> > > > After antagonizing the Google for hours, I can not find any way to add
> > > > reserved IPs based on the MAC address of devices connected on
> > > > wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> > > > for a wireless AP.
> > > 
> > > I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been
> > > perfectly sufficient so far and it lets you specify fixed IPs based on
> > > MACs by simply putting those in the `/etc/ethers` file.
> > > 
> > 
> > Thank you, Stefan.
> > 
> > Works like a charm. The syntax of /etc/ethers is ':' delimited MAC
> > address, followed by a space delimiter, followed by the IPv4 IP
> > address, per IP reservation. That IP address must also be in
> > /etc/hosts.
> 
> I didn't know about /etc/ethers, on my system I allocate fixed IP
> addresses and hostnames by adding lines to dnsmasq.conf like
> 
> dhcp-host=MAC-Address,IP-Address,Hostname,Lease-Time
> 
> I guess there's more than one way to skin this cat.
>

Hi Tixy.

For the archives, the documentation to configuration of dnsmasq(1) is
in /etc/dnsmasq.conf, the dnsmasq configuration file. It is verbose,
and there are many options. Read thoroughly.

It is a very impressive accomplishment, and works well, and is fairly
easy to get working, (once familiar with the configuration file.)

As a closing note, the DHCP/DNS services, (for wlan0,) are configured
in the /etc/dnsmasq.conf file, *_NOT_* /etc/dhcpcd.conf, which is the
usual alternative.

(This is where I went astray-I mean the name is dnsmasq, probably
meaning it is something to do with dns, duh.)

Thanks to all,

John

-- 

John Conover, cono...@rahul.net, http://www.johncon.com/
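
The two reservation styles from this thread (/etc/ethers entries and dhcp-host= lines), checked for conflicting or unusable entries. This is an added example, not code posted by any participant; the file contents, MAC and IP addresses and the 192.168.0.0/24 subnet are constructed, and only the MAC,IP,Hostname,Lease-Time field order quoted above is parsed.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample files (assumptions for illustration, not from the thread).
ETHERS = """\
# MAC address, space, IPv4 address
00:00:5e:00:53:01 192.168.0.20
00:00:5e:00:53:02 192.168.0.21
da:a1:19:00:00:01 192.168.0.22
00:00:5e:00:53:4 192.168.0.23
"""
HOSTS = """\
127.0.0.1 localhost
192.168.0.20 laptop
192.168.0.22 phone
"""
DNSMASQ_CONF = """\
interface=wlan0
dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-host=00:00:5e:00:53:01,192.168.0.30,laptop,12h
dhcp-host=00:00:5e:00:53:10,192.168.0.21,printer,12h
dhcp-host=00:00:5e:00:53:11,192.168.1.5,camera,12h
"""


def content_lines(text):
    """Yield (line_number, content) with '#' comments and blank lines dropped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line


def parse_ethers(text):
    """One '<MAC> <IPv4>' pair per line, the syntax described in the thread."""
    for n, line in content_lines(text):
        mac, ip = (line.split() + ["", ""])[:2]
        yield ("ethers", n, mac.lower(), ip)


def parse_dhcp_hosts(text):
    """dhcp-host=MAC,IP,Hostname,Lease-Time lines; other options are skipped."""
    for n, line in content_lines(text):
        if line.startswith("dhcp-host="):
            fields = [f.strip() for f in line[len("dhcp-host="):].split(",")]
            mac, ip = (fields + ["", ""])[:2]
            yield ("dnsmasq.conf", n, mac.lower(), ip)


def parse_hosts(text):
    """Set of addresses that have an entry in /etc/hosts."""
    return {line.split()[0] for _, line in content_lines(text)}


def audit(records, hosts_ips, subnet):
    """Return (finding, 'file:line') tuples for reservations that will misbehave."""
    net = ipaddress.ip_network(subnet)
    findings, mac_to_ip, ip_to_mac = [], {}, {}
    for src, n, mac, ip in records:
        where = f"{src}:{n}"
        if not MAC_RE.match(mac):
            findings.append(("bad-mac", where))
            continue
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            findings.append(("bad-ip", where))
            continue
        if addr not in net:
            findings.append(("outside-subnet", where))
        if mac_to_ip.get(mac, addr) != addr:
            findings.append(("mac-conflict", where))   # one MAC, two addresses
        if ip_to_mac.get(addr, mac) != mac:
            findings.append(("ip-conflict", where))    # one address, two MACs
        if src == "ethers" and str(addr) not in hosts_ips:
            # The thread notes the reserved address must also be in /etc/hosts.
            findings.append(("missing-in-hosts", where))
        if int(mac[:2], 16) & 0x02:
            # Locally administered bit set: typical of per-network randomized
            # MACs, which will not keep matching a MAC-keyed reservation.
            findings.append(("local-admin-mac", where))
        mac_to_ip.setdefault(mac, addr)
        ip_to_mac.setdefault(addr, mac)
    return findings


def run_sample():
    records = list(parse_ethers(ETHERS)) + list(parse_dhcp_hosts(DNSMASQ_CONF))
    return audit(records, parse_hosts(HOSTS), "192.168.0.0/24")


if __name__ == "__main__":
    for finding, where in run_sample():
        print(f"{where}: {finding}")
```
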



Re: Linux router AP with reserved IPs on wlan0?

2021-02-07 Thread Tixy
On Sat, 2021-02-06 at 11:00 -0800, John Conover wrote:
> Stefan Monnier writes:
> > > A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> > > works well with iptables, with one shortcoming.
> > > 
> > > After antagonizing the Google for hours, I can not find any way to add
> > > reserved IPs based on the MAC address of devices connected on
> > > wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> > > for a wireless AP.
> > 
> > I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been
> > perfectly sufficient so far and it lets you specify fixed IPs based on
> > MACs by simply putting those in the `/etc/ethers` file.
> > 
> 
> Thank you, Stefan.
> 
> Works like a charm. The syntax of /etc/ethers is ':' delimited MAC
> address, followed by a space delimiter, followed by the IPv4 IP
> address, per IP reservation. That IP address must also be in
> /etc/hosts.

I didn't know about /etc/ethers, on my system I allocate fixed IP
addresses and hostnames by adding lines to dnsmasq.conf like

dhcp-host=MAC-Address,IP-Address,Hostname,Lease-Time

I guess there's more than one way to skin this cat.

-- 
Tixy




Re: Linux router AP with reserved IPs on wlan0?

2021-02-06 Thread John Conover
Stefan Monnier writes:
> > A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> > works well with iptables, with one shortcoming.
> >
> > After antagonizing the Google for hours, I can not find any way to add
> > reserved IPs based on the MAC address of devices connected on
> > wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> > for a wireless AP.
> 
> I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been
> perfectly sufficient so far and it lets you specify fixed IPs based on
> MACs by simply putting those in the `/etc/ethers` file.
>

Thank you, Stefan.

Works like a charm. The syntax of /etc/ethers is ':' delimited MAC
address, followed by a space delimiter, followed by the IPv4 IP
address, per IP reservation. That IP address must also be in
/etc/hosts.

John

-- 

John Conover, cono...@rahul.net, http://www.johncon.com/



Re: Linux router AP with reserved IPs on wlan0?

2021-02-06 Thread Stefan Monnier
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> works well with iptables, with one shortcoming.
>
> After antagonizing the Google for hours, I can not find any way to add
> reserved IPs based on the MAC address of devices connected on
> wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> for a wireless AP.

I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been
perfectly sufficient so far and it lets you specify fixed IPs based on
MACs by simply putting those in the `/etc/ethers` file.


Stefan



Re: Linux router AP with reserved IPs on wlan0?

2021-02-06 Thread Dan Ritter
John Conover wrote: 
> 
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> works well with iptables, with one shortcoming.
> 
> After antagonizing the Google for hours, I can not find any way to add
> reserved IPs based on the MAC address of devices connected on
> wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> for a wireless AP.


host conoverlaptop {
 hardware ethernet 00:14:d3:11:22:32;
 fixed-address 192.168.0.20;
}




Re: Linux router AP with reserved IPs on wlan0?

2021-02-06 Thread tomas
On Sat, Feb 06, 2021 at 02:29:08AM -0800, John Conover wrote:
> 
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> works well with iptables, with one shortcoming.
> 
> After antagonizing the Google for hours, I can not find any way to add
> reserved IPs based on the MAC address of devices connected on
> wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> for a wireless AP.
> 
> Am I correct in my assumption?

I think the jargon is "DHCP reservation" or thereabouts. Do these ([1],
[2]) fit your quest?

And oh, BTW. Don't antagonize Google. They don't love you (besides, they
don't make for good neighbours, but I digress). My search provider just
gave me those results in exchange for a moderate amount of effort (~15
min).

Cheers :)

[1] 
https://servercomputing.blogspot.com/2012/02/reserve-ip-address-in-dhcp-server-linux.html
[2] 
https://askubuntu.com/questions/392599/how-to-reserve-ip-address-in-dhcp-server

 - t




Re: Linux Router

2004-12-15 Thread Ken Gilmour
Captain's Log, stardate Tue, 14 Dec 2004 14:22:48 -0600, from the fingers of 
Michael Madden came the words:
> I figured out what was wrong with my OpenBSD 3.6 setup. I needed to
> setup pf=YES in /etc/rc.conf.  I must have missed this when reading
> through the install documentation.
>
> Anyhow these are the steps that worked for me:
>
> 1.) Install OpenBSD 3.6 according to the directions at:
> http://www.openbsd.org/faq/faq4.html
>
> 2.) Add the following line to /etc/sysctl.conf:
> net.inet.ip.forwarding=1
>
> 3.) Add the following line to /etc/pf.conf: nat on ep1 from
> ep2:network to any -> (ep1)
>
> 4.) Add the following to /etc/rc.conf: pf=YES
>
> Thanks again for all the help.
>
> Thanks,
>
> Mike

Glad you got it going Mike! Sorry I didn't mention that last pf=YES comment... 
I was doing it from the top of my head. Good job figuring it out!

Thanks and Regards,

Ken Gilmour BOFH
Script Monkey
Irish Operations



Re: Linux Router

2004-12-15 Thread Ken Gilmour
Captain's Log, stardate Tue, 14 Dec 2004 12:23:08 -0600, from the fingers of 
Michael Madden came the words:
>> The main point is that there are so many things to do in Linux in
>> order to configure it for masquerading (Recompiling Kernel etc).
>> There also so many different commands that do exactly the same
>> thing but in different ways. If a person is starting off in
>> firewalling it's not good to overwhelm them with information.
>> With OpenBSD, you simply edit stuff that's already there, for
>> example. These are the steps i would take to setup a gateway on a
>> brand newly setup OpenBSD machine:
>>
>> Uncomment the following in /etc/sysctl.conf
>>
>> net.inet.ip.forwarding=1
>> net.inet6.ip6.forwarding=1 (if using IPv6)
>>
>> Uncomment and edit this line in /etc/pf.conf (stuff in <> needs
>> to be edited, stuff in [] is optional)
>>
>> nat [pass] on  [af] from  [port src_port] to
>>  [port ] ->  [pool_type] [static-
>> port]
>>
>> You may then reboot the machine or just issue the following two
>> commands:
>>
>> # sysctl net.inet.ip.forwarding=1
>>
>> Or
>>
>> # sysctl net.inet6.ip6.forwarding=1 (if using IPv6)
>>
>> Then
>>
>> # pfctl -f /etc/pf.conf
>>
>> You now have a fully working NAT box.
>>
>> To perform IP forwarding uncomment the port redirect line in
>> pf.conf and modify it to your taste then issue:
>>
>> # pfctl -f /etc/pf.conf
>>
>> The default configuration for the machine has zero known security
>> holes. (have a look at www.openbsd.org for security info)
>>
>> Regards,
>>
>> Ken
>>
>
> Forgive me if I'm new to the OpenBSD approach, but I've installed
> OpenBSD 3.6 on a laptop with 2 PCMCIA cards, and I cannot get any
> of my clients behind the firewall to see beyond the firewall.
>
> My two network cards are setup as:
>
> bsdrouter# ifconfig ep1
> ep1: flags=8863 mtu 1500
> address: 00:60:97:87:8b:4d
> media: Ethernet 10baseT
> inet 172.16.1.100 netmask 0x broadcast 172.16.255.255
> inet6 fe80::260:97ff:fe87:8b4d%ep1 prefixlen 64 scopeid 0x5
> bsdrouter# ifconfig ep2
> ep2: flags=8863 mtu 1500
> address: 00:10:4b:ec:64:80
> media: Ethernet 10baseT
> inet 192.168.3.1 netmask 0xff00 broadcast 192.168.3.255
> inet6 fe80::210:4bff:feec:6480%ep2 prefixlen 64 scopeid 0x6
>
> I've got IP forwarding enabled:
>
> bsdrouter# cat /etc/sysctl.conf
> net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets
>
> Finally I've setup pf.conf:
>
> bsdrouter# cat /etc/pf.conf
> f="ep1"
> int_if="ep2"
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
>
> I rebooted the machine after the above network setup, and while I'm
> on the router I can see the 192.168.3.x network, the 172.16.x.x
> network, and the internet.  But my Windows machines behind the
> firewall cannot reach beyond the firewall even though the OpenBSD
> router is set as the default gateway.  On machines on the
> 172.16.x.x network, I can reach the router at 172.16.1.100 and the
> machines behind the router (if I add a route to the 172.16.x.x
> machines).
>
> Has anyone experienced this before?
>
> Thanks,
> Mike

Hi Mike

Have you set a rule to allow the NAT to pass through the box? Simply adding 
"pass" to your above command should do that for you.

nat pass on $ext_if from !($ext_if) -> ($ext_if:0)

Also, the macro for your external interface: I assume it's not set to f="ep1"? 
Was that just a couple of missed characters while copying and pasting? (It 
should read ext_if="ep1", not f="ep1".)

Here is my pf.conf from one of my firewalls if it's any help to you. You might 
want to comment out the "Block" stuff and change the IP addresses for 
redirection etc.

# macros
int_if = "fxp0"
ext_if = "rl0"

tcp_services = "{ 22, 80, }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from any to $ext_if port smtp -> 10.2.0.15
#rdr pass on $int_if proto tcp from any to $int_if port 350 -> 10.2.2.202

# filter rules
block all

pass quick on lo0 all

pass in on $ext_if inet proto tcp from any to 10.2.0.15 port smtp
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

#pass in on $ext_if inet proto tcp from any to ($ext_if) \
#   port $tcp_services flags S/SA keep state

#pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Regards,

Ken




Re: Linux Router

2004-12-14 Thread Michael Madden
I figured out what was wrong with my OpenBSD 3.6 setup.
I needed to setup pf=YES in /etc/rc.conf.  I must have
missed this when reading though the install documentation.
Anyhow these are the steps that worked for me:
1.) Install OpenBSD 3.6 according to the directions at:
http://www.openbsd.org/faq/faq4.html
2.) Add the following line to /etc/sysctl.conf:
net.inet.ip.forwarding=1
3.) Add the following line to /etc/pf.conf:
nat on ep1 from ep2:network to any -> (ep1)
4.) Add the following to /etc/rc.conf:
pf=YES
Thanks again for all the help.
Thanks,
Mike
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
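
The four steps above, together with the f="ep1" macro slip raised earlier in the thread, come down to three files that have to agree. The pre-flight check below is an added example, not code from the thread or from OpenBSD; the function names and sample file contents are constructed, and it only recognises the `nat on` rule form used in these messages.

```python
import re

# Constructed samples modelled on the files posted in this thread.
SYSCTL_CONF = "net.inet.ip.forwarding=1    # 1=Permit forwarding (routing) of packets\n"
PF_CONF_AS_POSTED = (
    'f="ep1"\n'
    'int_if="ep2"\n'
    'nat on $ext_if from !($ext_if) -> ($ext_if:0)\n'
)
PF_CONF_WORKING = (
    'ext_if="ep1"\n'
    'int_if="ep2"\n'
    'nat on $ext_if from $int_if:network to any -> ($ext_if)\n'
)
RC_CONF_PF_OFF = "pf=NO\n"
RC_CONF_PF_ON = "pf=YES\n"

MACRO_DEF = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
MACRO_USE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def strip_comment(line):
    """Drop a trailing '#' comment (assumes no '#' inside quoted values)."""
    return line.split("#", 1)[0].strip()


def setting(text, key):
    """Return the last value assigned to key in a key=value file, or None."""
    value = None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if "=" in line:
            k, v = line.split("=", 1)
            if k.strip() == key:
                value = v.strip().strip('"')
    return value


def undefined_macros(pf_conf):
    """List macros referenced as $name before any 'name = ...' line defines them."""
    defined, missing = set(), []
    for raw in pf_conf.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        m = MACRO_DEF.match(line)
        body = m.group(2) if m else line
        for name in MACRO_USE.findall(body):
            if name not in defined and name not in missing:
                missing.append(name)
        if m:
            defined.add(m.group(1))
    return missing


def preflight(sysctl_conf, pf_conf, rc_conf):
    """Return a list of problems that would stop the box from doing NAT after a reboot."""
    problems = []
    if setting(sysctl_conf, "net.inet.ip.forwarding") != "1":
        problems.append("sysctl.conf: net.inet.ip.forwarding is not 1")
    for name in undefined_macros(pf_conf):
        problems.append(f"pf.conf: macro ${name} is used but never defined")
    if not any(strip_comment(l).startswith("nat ") for l in pf_conf.splitlines()):
        problems.append("pf.conf: no nat rule found")
    pf = setting(rc_conf, "pf")
    if pf is None or pf.upper() != "YES":
        problems.append("rc.conf: pf is not YES, so the ruleset is not loaded at boot")
    return problems


if __name__ == "__main__":
    for problem in preflight(SYSCTL_CONF, PF_CONF_AS_POSTED, RC_CONF_PF_OFF):
        print(problem)
```

On the router itself, `pfctl -nf /etc/pf.conf` parses the ruleset without loading it and reports syntax errors from pf's own parser.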


Re: Linux Router

2004-12-14 Thread Michael Madden
> The main point is that there are so many things to do in Linux in order to 
> configure it for masquerading (Recompiling Kernel etc). There also so many 
> different commands that do exactly the same thing but in different ways. If a 
> person is starting off in firewalling it's not good to overwhelm them with 
> information. With OpenBSD, you simply edit stuff that's already there, for 
> example. These are the steps i would take to setup a gateway on a brand newly 
> setup OpenBSD machine:
> 
> Uncomment the following in /etc/sysctl.conf
> 
> net.inet.ip.forwarding=1
> net.inet6.ip6.forwarding=1 (if using IPv6)
> 
> Uncomment and edit this line in /etc/pf.conf (stuff in <> needs to be edited, 
> stuff in [] is optional)
> 
> nat [pass] on  [af] from  [port src_port] to  
> [port ] ->  [pool_type] [static-port]
> 
> You may then reboot the machine or just issue the following two commands:
> 
> # sysctl net.inet.ip.forwarding=1
> 
> Or
> 
> # sysctl net.inet6.ip6.forwarding=1 (if using IPv6)
> 
> Then
> 
> # pfctl -f /etc/pf.conf
> 
> You now have a fully working NAT box.
> 
> To perform IP forwarding uncomment the port redirect line in pf.conf and 
> modify it to your taste then issue:
> 
> # pfctl -f /etc/pf.conf
> 
> The default configuration for the machine has zero known security holes. 
> (have a look at www.openbsd.org for security info)
> 
> Regards,
> 
> Ken
> 

Forgive me if I'm new to the OpenBSD approach, but I've installed OpenBSD 3.6
on a laptop with 2 PCMCIA cards, and I cannot get any of my clients behind the
firewall to see beyond the firewall.

My two network cards are setup as:

bsdrouter# ifconfig ep1
ep1: flags=8863 mtu 1500
address: 00:60:97:87:8b:4d
media: Ethernet 10baseT
inet 172.16.1.100 netmask 0x broadcast 172.16.255.255
inet6 fe80::260:97ff:fe87:8b4d%ep1 prefixlen 64 scopeid 0x5
bsdrouter# ifconfig ep2
ep2: flags=8863 mtu 1500
address: 00:10:4b:ec:64:80
media: Ethernet 10baseT
inet 192.168.3.1 netmask 0xff00 broadcast 192.168.3.255
inet6 fe80::210:4bff:feec:6480%ep2 prefixlen 64 scopeid 0x6

I've got IP forwarding enabled:

bsdrouter# cat /etc/sysctl.conf
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets

Finally I've setup pf.conf:

bsdrouter# cat /etc/pf.conf
f="ep1"
int_if="ep2"
nat on $ext_if from !($ext_if) -> ($ext_if:0)

I rebooted the machine after the above network setup, and while I'm  
on the router I can see the 192.168.3.x network, the 172.16.x.x network,
and the internet.  But my Windows machines behind the firewall cannot
reach beyond the firewall even though the OpenBSD router is set as the
default gateway.  On machines on the 172.16.x.x network, I can reach the
router at 172.16.1.100 and the machines behind the router (if I add a route
to the 172.16.x.x machines). 

Has anyone experienced this before?

Thanks,
Mike




Re: Linux Router

2004-12-13 Thread Ron Johnson
On Mon, 2004-12-13 at 15:46 -0800, Scarletdown wrote:
> Michael Madden wrote:
> 
> > Alex Barylo wrote:
[snip]
> 
> 
> Freesco is a pretty decent floppy based router.
> 
> freesco.org

Note, though, that it uses kernel 2.0.39.

-- 
-
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B I prefer encrypted mail.

"Don't be so open minded that your brains fall out."
s. keeling





Re: Linux Router

2004-12-13 Thread Sridhar M.A.
On Mon, Dec 13, 2004 at 05:31:18PM -0600, Michael Madden wrote:
   > 
   > Thanks for all the advice.  I guess something like
   > LRP appealed to me more since it was floppy based
   > and didn't require setting up a distro with many
   > unneeded utilities. Does anyone know of an active
   > floppy based firewall (Linux or *BSD)?
   > 
If you have a cd drive, why not try the Live CD Router? Just boot off
the cd and it runs.

  http://www.wifi.com.ar/english/cdrouter.html

HTH,

-- 
Sridhar M.A.   GPG KeyID : F6A35935
  Fingerprint: D172 22C4 7CDC D9CD 62B5  55C1 2A69 D5D8 F6A3 5935

Plus ça change, plus c'est la même chose.
[The more things change, the more they remain the same.]
-- Alphonse Karr, "Les Guêpes"




Re: Linux Router

2004-12-13 Thread Ken Gilmour
Captain's Log, stardate Mon, 13 Dec 2004 19:26:40 -0500, from the fingers of 
Bruce Park came the words:
> Ken Gilmour wrote:

>> The only problem i have with Linux's iptables as opposed to
>> OpenBSD's PF is that iptables has an overwhelming amount of stuff
>> it can do and you can easily break it. But it is, however, much
>> more configurable. You can set them to just allow everything
>> through and use NAT and IP Forwarding in the process.
>>
>
> Ken,
>
> Can you explain this in further detail? I've used iptables on Woody
> for almost two years without any problems. Thanks.

The main point is that there are so many things to do in Linux in order to 
configure it for masquerading (Recompiling Kernel etc). There are also so many 
different commands that do exactly the same thing but in different ways. If a 
person is starting off in firewalling it's not good to overwhelm them with 
information. With OpenBSD, you simply edit stuff that's already there, for 
example. These are the steps i would take to setup a gateway on a brand newly 
setup OpenBSD machine:

Uncomment the following in /etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1 (if using IPv6)

Uncomment and edit this line in /etc/pf.conf (stuff in <> needs to be edited, 
stuff in [] is optional)

nat [pass] on  [af] from  [port src_port] to  
[port ] ->  [pool_type] [static-port]

You may then reboot the machine or just issue the following two commands:

# sysctl net.inet.ip.forwarding=1

Or

# sysctl net.inet6.ip6.forwarding=1 (if using IPv6)

Then

# pfctl -f /etc/pf.conf

You now have a fully working NAT box.

To perform IP forwarding uncomment the port redirect line in pf.conf and modify 
it to your taste then issue:

# pfctl -f /etc/pf.conf

The default configuration for the machine has zero known security holes. (have 
a look at www.openbsd.org for security info)

Regards,

Ken



Re: Linux Router

2004-12-13 Thread Bruce Park

Ken Gilmour wrote:
> Captain's Log, stardate Mon, 13 Dec 2004 14:11:46 -0600, from the fingers of 
> Michael Madden came the words:
>> Does anyone know of a decent Linux based router project out there?
>> In the past I've used LRP (http://www.linuxrouter.org), but it
>> looks like the project isn't maintained anymore.
>>
>> My requirements are pretty simple.  I want to route traffic from
>> network A to network B and route traffic from network B to A.  I
>> don't need firewalling, but would like IP forwarding and NAT.  Any
>> recommendations?
>
> Linux is capable of routing by default almost. All you need are two interfaces 
> and linux. You can use iptables (or ipchains if you're using an old distro) to 
> do this. Personally i prefer OpenBSD to do this because it's very compact etc 
> but I've also used Debian Woody to do the same task.
>
> The only problem i have with Linux's iptables as opposed to OpenBSD's PF is 
> that iptables has an overwhelming amount of stuff it can do and you can easily 
> break it. But it is, however, much more configurable. You can set them to just 
> allow everything through and use NAT and IP Forwarding in the process.

Ken,

Can you explain this in further detail? I've used iptables on Woody for 
almost two years without any problems. Thanks.

bp

> HTH
> Regards,
> Ken





Re: Linux Router

2004-12-13 Thread Alex Barylo
I second that - I use my old AMD-K6 box with Sarge as a firewall. I use
and _highly_ recommend FIAIF firewall (http://www.fiaif.net/) - I
picked it up from securityfocus.com top tools.

HTH,
Alex.





Re: Linux Router

2004-12-13 Thread William Ballard
On Mon, Dec 13, 2004 at 05:31:18PM -0600, Michael Madden wrote:
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

No.  Use an old laptop with a hard drive, and two PCMCIA net cards.
Take one floppy.  Put the OpenBSD install image on it.
Install OpenBSD via FTP and configure pf.

The package management system is similar to apt-get -- you can install 
an app and all dependencies with one command.

It is absolutely breathtaking as a router.  Utterly secure and never 
needs looking at.





Re: Linux Router

2004-12-13 Thread Scarletdown
Michael Madden wrote:
> Alex Barylo wrote:
>> I second that - I use my old AMD-K6 box with Sarge as a firewall. I use
>> and _highly_ recommend FIAIF firewall (http://www.fiaif.net/) - I
>> picked it up from securityfocus.com top tools.
>> HTH,
>> Alex.
>
> Thanks for all the advice.  I guess something like
> LRP appealed to me more since it was floppy based
> and didn't require setting up a distro with many
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

Freesco is a pretty decent floppy based router.
freesco.org




Re: Linux Router

2004-12-13 Thread Ken Gilmour
Captain's Log, stardate Mon, 13 Dec 2004 17:31:18 -0600, from the fingers of 
Michael Madden came the words:
> Thanks for all the advice.  I guess something like
> LRP appealed to me more since it was floppy based
> and didn't require setting up a distro with many
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

OpenBSD is what i would most recommend. It can be installed from two floppies 
and fully customised. (www.openbsd.org) I _really_ love PF. Others may 
disagree. I've never had any problems with Linux firewalling / NATing / IP 
Forwarding for as long as i can remember, but i prefer OpenBSD simply because 
it only installs exactly what you tell it to from the time you put the floppy 
in (which some other people would have a problem with) and it's very low 
maintenance. The only time i ever needed to shut down an OpenBSD machine is 
when i was moving office. So far I've never needed to upgrade any hardware 
(probably because it doesn't do much work anyway).

# du -h pf.conf
2.0K    pf.conf

There's a Great man who once said "Donuts - Is there anything they can't do?" 
(Homer Simpson). Maybe when PF can be used as a contraceptive we can say that 
too!






Re: Linux Router

2004-12-13 Thread Joao Clemente
Croy, Nathan wrote:
>> From: Michael Madden [mailto:[EMAIL PROTECTED]
>> Sent: Monday, December 13, 2004 5:31 PM
>>
>> Thanks for all the advice.  I guess something like
>> LRP appealed to me more since it was floppy based
>> and didn't require setting up a distro with many
>> unneeded utilities. Does anyone know of an active
>> floppy based firewall (Linux or *BSD)?
>
> I've never used it, but CoyoteLinux [1] appears to be active.
> It even has a Windows based "Wizard", if you are so inclined.
>
> [1] http://www.coyotelinux.com/products.php?Product=coyote

I've used Coyote for a long time. It was great. Easy to setup and it has 
a 2.4 kernel (so you can use iptables if you need to manually tweak 
something), a wizard that works OK from windows, and a shell menu-driven 
or web interface that allows you to setup most scenarios...
anything more complicated than you find in the interface, you can go to 
the shell and setup yourself

Using floppy = read-only medium, easy system backup ;-), no noise, low 
heat... I was using it in a diskless/fanless P200 Classic with 16Mb Ram




Re: Linux Router

2004-12-13 Thread Ron Johnson
On Mon, 2004-12-13 at 17:31 -0600, Michael Madden wrote:
> Alex Barylo wrote:
[snip]
> 
> Thanks for all the advice.  I guess something like
> LRP appealed to me more since it was floppy based
> and didn't require setting up a distro with many
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

floppyfw does the trick.

-- 
-
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B I prefer encrypted mail.

"The United States is not a nation to which peace is a
necessity."
Grover Cleveland





RE: Linux Router

2004-12-13 Thread Croy, Nathan

> From: Michael Madden [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 13, 2004 5:31 PM
> 
> Thanks for all the advice.  I guess something like
> LRP appealed to me more since it was floppy based
> and didn't require setting up a distro with many
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

(maybe this time i'll reply to the list ;-)

I've never used it, but CoyoteLinux [1] appears to be active.
It even has a Windows based "Wizard", if you are so inclined.

[1] http://www.coyotelinux.com/products.php?Product=coyote





Re: Linux Router

2004-12-13 Thread Michael Madden
Alex Barylo wrote:
> I second that - I use my old AMD-K6 box with Sarge as a firewall. I use
> and _highly_ recommend FIAIF firewall (http://www.fiaif.net/) - I
> picked it up from securityfocus.com top tools.
> HTH,
> Alex.

Thanks for all the advice.  I guess something like
LRP appealed to me more since it was floppy based
and didn't require setting up a distro with many
unneeded utilities. Does anyone know of an active
floppy based firewall (Linux or *BSD)?

Thanks,
Mike


Re: Linux Router

2004-12-13 Thread Ken Gilmour
Captain's Log, stardate Mon, 13 Dec 2004 14:11:46 -0600, from the fingers of 
Michael Madden came the words:
> Does anyone know of a decent Linux based router project out there?
> In the past I've used LRP (http://www.linuxrouter.org), but it
> looks like the project isn't maintained anymore.
>
> My requirements are pretty simple.  I want to route traffic from
> network A to network B and route traffic from network B to A.  I
> don't need firewalling, but would like IP forwarding and NAT.  Any
> recommendations?

Linux is capable of routing by default almost. All you need are two interfaces 
and linux. You can use iptables (or ipchains if you're using an old distro) to 
do this. Personally i prefer OpenBSD to do this because it's very compact etc 
but I've also used Debian Woody to do the same task.

The only problem i have with Linux's iptables as opposed to OpenBSD's PF is 
that iptables has an overwhelming amount of stuff it can do and you can easily 
break it. But it is, however, much more configurable. You can set them to just 
allow everything through and use NAT and IP Forwarding in the process.

HTH

Regards,

Ken




Re: [Linux: Router] What does I need ???

1999-12-08 Thread Oki DZ


Michelle Konzack wrote:
> Now, my Question is, WHAT DOES I NEED to install a simpel Router ???
> 
...
> Curently I must work with IP-Masquerading only...
> ...but it runs.
> 
> OK, I have a LRP 2.9.4 box running which is based on Debian 2.1 (2.0.36).
> I have no knowledge from ipchains and ...

If you have LRP, so what's the problem? All you need is to set it up.
I have a router machine which is a 486/8MHz running Linux that I
downloaded from www.linuxrouter.org.

The setup is pretty simple; you need to download the kernel from the
site, download the modules (according to the NICs you have), put the
image on a floppy, and then boot the machine. root login will lead you
to the lrcfg (a menu-based program for configuring the router); using
the program you can set what modules to load, the IP addresses, etc.
Don't forget to "back-up" the system; meaning, putting everything back
to the floppy.

Oki


Re: Linux router and NetMeeting

1999-08-30 Thread ferret


On Mon, 30 Aug 1999 [EMAIL PROTECTED] wrote:

> 
> 
> I think someone needs to write an IP masq helper module for Netmeeting. I
> just got the port specs from M$'s site, and I'm looking into how to do it
> right now. I'll post what I have in a few days (Don't have time to do any
> coding during work days. :< ), and hopefully...
> I could also use someone to help me test the thing. :>
 
Okay.. I just looked at the kernel sources and little bits of
documentation, and I'm completely stumped on how to actually write the
ip_masq modules.

So here's the ports Netmeeting uses:

389   Internet locator server (TCP)
522   User location server (TCP)
1503  T.120 (TCP)
1720  H.323 call setup (TCP)
1731  Audio call control (TCP)
DYN   H.323 call control (TCP)
DYN   H.323 streaming RTP (UDP)

The information is at
http://support.microsoft.com/support/kb/ARTICLES/Q158/23.asp



> On Mon, 30 Aug 1999, Carlos Santos wrote:
> 
> > Here's my problem (please help if you can):
> > 
> > I've setup a Linux to route between my intranet and the Internet (through a
> > cable modem). I'm using IP Masquerading, which is working fine and has been
> > for a long time. Now, i'm trying to connect to a friend of mine through
> > Netmeeting and i can't get the router to let sound go both ways (i'm using
> > my intranet NT server, that goes through a Linux router, that connects to
> > the net by cable modem). I call my friend, he accepts the connection, i
> > speak through my microphone and he hears me ok but i can't hear him. It
> > seems some kind of restriction at the ip masquerading level but i can't
> > figure out what. Ftp is working fine, telnet, http, you name it. But i
> > can't get Netmeeting to work.
> > 
> > Any ideas ?
> > Thanks,
> > Carlos.
> > 
> > 
> > 
> > 
> > 
> > 
> > -
> > CARLOS SANTOS  (ICQ: 21537583)
> > NETOSFERA: http://www.netosfera.pt  
> > Tel(Phone): (+351 53 276998)
> > Fax: (+351 53 274255)
> > Braga - Portugal
> > 
> > 
> > -- 
> > Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
> > 
> 
> 


Re: Linux router and NetMeeting

1999-08-30 Thread ferret


I think someone needs to write an IP masq helper module for Netmeeting. I
just got the port specs from M$'s site, and I'm looking into how to do it
right now. I'll post what I have in a few days (Don't have time to do any
coding during work days. :< ), and hopefully...
I could also use someone to help me test the thing. :>

On Mon, 30 Aug 1999, Carlos Santos wrote:

> Here's my problem (please help if you can):
> 
> I've setup a Linux to route between my intranet and the Internet (through a
> cable modem). I'm using IP Masquerading, which is working fine and has been
> for a long time. Now, i'm trying to connect to a friend of mine through
> Netmeeting and i can't get the router to let sound go both ways (i'm using
> my intranet NT server, that goes through a Linux router, that connects to
> the net by cable modem). I call my friend, he accepts the connection, i
> speak through my microphone and he hears me ok but i can't hear him. It
> seems some kind of restriction at the ip masquerading level but i can't
> figure out what. Ftp is working fine, telnet, http, you name it. But i
> can't get Netmeeting to work.
> 
> Any ideas ?
> Thanks,
> Carlos.
> 
> 
> 
> 
> 
> 
> -
> CARLOS SANTOS  (ICQ: 21537583)
> NETOSFERA: http://www.netosfera.pt  
> Tel(Phone): (+351 53 276998)
> Fax: (+351 53 274255)
> Braga - Portugal  
> 
> 
> -- 
> Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
> 


Re: Linux router and NetMeeting

1999-08-30 Thread Bob Nielsen
This is because the router uses NAT and the packets arriving at your
friend's computer appear to come from your router, not your NT server. 
I'm not familiar with Netmeeting, but if it tries to create a return
connection, this may not work.  Several other protocols do this and only
some of them are supported by Linux IP masquerading via modules which
are created when you compile your kernel. 

My router runs 2.0.37 which supports this for cuseeme, irc, 
ftp, quake, vdolive and real audio.  I tried ICQ, but didn't have any
luck.  I suspect this is what is happening to you with Netmeeting.

Bob


On Mon, Aug 30, 1999 at 07:00:20PM +0100, Carlos Santos wrote:
> Here's my problem (please help if you can):
> 
> I've setup a Linux to route between my intranet and the Internet (through a
> cable modem). I'm using IP Masquerading, which is working fine and has been
> for a long time. Now, i'm trying to connect to a friend of mine through
> Netmeeting and i can't get the router to let sound go both ways (i'm using
> my intranet NT server, that goes through a Linux router, that connects to
> the net by cable modem). I call my friend, he accepts the connection, i
> speak through my microphone and he hears me ok but i can't hear him. It
> seems some kind of restriction at the ip masquerading level but i can't
> figure out what. Ftp is working fine, telnet, http, you name it. But i
> can't get Netmeeting to work.
> 
> Any ideas ?
> Thanks,
> Carlos.
> 
> 
> 
> 
> 
> 
> -
> CARLOS SANTOS  (ICQ: 21537583)
> NETOSFERA: http://www.netosfera.pt  
> Tel(Phone): (+351 53 276998)
> Fax: (+351 53 274255)
> Braga - Portugal  
> 
> 
> -- 
> Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
> 

-- 
Bob Nielsen Internet: [EMAIL PROTECTED]
Tucson, AZ  AMPRnet:  [EMAIL PROTECTED]
DM42nh  http://www.primenet.com/~nielsen
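
The failure described above, as an added example that is not part of the original message: a toy model of a masquerading router showing why outbound audio works while the return stream is lost, and what a protocol helper module changes. The class, the addresses and the dictionary standing in for the H.323 control message are all constructed for illustration; real signalling is binary and real masquerading also tracks the remote endpoint.

```python
class MasqRouter:
    """Simplified masquerading table: one public address, ports handed out in order."""

    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_inside = {}   # (proto, inside_ip, inside_port) -> public_port
        self.by_public = {}   # (proto, public_port) -> (inside_ip, inside_port)

    def map_port(self, proto, inside_ip, inside_port):
        """Create (or reuse) the public port that stands in for an inside endpoint."""
        key = (proto, inside_ip, inside_port)
        if key not in self.by_inside:
            self.by_inside[key] = self.next_port
            self.by_public[(proto, self.next_port)] = (inside_ip, inside_port)
            self.next_port += 1
        return self.by_inside[key]

    def outbound(self, proto, src_ip, src_port):
        """Packet leaving the LAN: its source is rewritten to the router's address."""
        return (self.public_ip, self.map_port(proto, src_ip, src_port))

    def inbound(self, proto, dst_ip, dst_port):
        """Packet from outside: delivered only if it hits an existing mapping."""
        if dst_ip != self.public_ip:
            return None   # a private address is not routable from the Internet
        return self.by_public.get((proto, dst_port))

    def helper_rewrite(self, control_msg):
        """What a helper module does: rewrite the address carried inside the
        payload and pre-create the mapping the return stream will need."""
        ip, port = control_msg["rtp_addr"]
        public_port = self.map_port("udp", ip, port)
        return dict(control_msg, rtp_addr=(self.public_ip, public_port))


def place_call(with_helper):
    """Walk through one call from an inside host; return what each side sees."""
    router = MasqRouter("203.0.113.7")        # constructed public address
    nt_server = "192.168.3.20"                # constructed inside host

    # 1. TCP call setup to the remote port 1720: plain masquerading is enough.
    setup_src = router.outbound("tcp", nt_server, 1050)

    # 2. Inside the control channel the caller says where it wants audio sent.
    msg = {"type": "open-audio", "rtp_addr": (nt_server, 49170)}
    if with_helper:
        msg = router.helper_rewrite(msg)

    # 3. The caller's own audio goes out like any other UDP flow, so it is heard.
    audio_out = router.outbound("udp", nt_server, 49172)

    # 4. The remote side sends its audio to whatever address the message carried.
    audio_in = router.inbound("udp", *msg["rtp_addr"])
    return {"setup_src": setup_src, "audio_out": audio_out, "audio_in": audio_in}


if __name__ == "__main__":
    print("no helper:  ", place_call(False))
    print("with helper:", place_call(True))
```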


Re: Linux Router Project -- About to get working and need more people!

1997-07-17 Thread Dermot John Bradley
I'm willing to help. Although not a networking guru I've created several
Debian networking-based packages (Merit radiusd, Hylafax, MRTG, gated
[internal use only], nocol).

-- 
Dermot Bradley
Derry/Belfast, Northern Ireland
[EMAIL PROTECTED]
[EMAIL PROTECTED]


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
[EMAIL PROTECTED] . 
Trouble?  e-mail to [EMAIL PROTECTED] .


Re: Linux Router Project -- About to get working and need more people!

1997-07-17 Thread Bruce Perens
Try the root on the resc1440.bin floppy . It contains a functional Unix
tool set, a good shell, and an editor. It fits on a 1.44MB ramdisk image,
compresses down to 700KB on the floppy, leaves enough room for the kernel
on the same 1.44MB floppy, and supports shared libraries. You would be hard
pressed to improve on its size.

If you study the script that builds it in the boot-floppies package, you'll
learn the dirty tricks necessary to get a system in a space that small.

Thanks

Bruce
-- 
Bruce Perens K6BP   [EMAIL PROTECTED]   510-215-3502
Finger [EMAIL PROTECTED] for PGP public key.
PGP fingerprint = 88 6A 15 D0 65 D4 A3 A6  1F 89 6A 76 95 24 87 B3 

