RE: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-09 Thread Michael Grant
I have used openwrt, but not a recent version of it.  I have been using Ubiquiti 
EdgeRouters running the stock EdgeOS.  Very solid routers.  I even have one 
sitting up in a tree in a Tupperware container in the snowy mountains!

I recently discovered that EdgeOS is based on Debian and you can install Debian 
packages on them.

Michael Grant






Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 16:42:40 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > > If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
> > > to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
> > 
> > My understanding - please correct me if I'm wrong - is that with those
> > types of cards, the ports are distinct and aren't actually switched in
> > > hardware, so switching occurs at the OS / kernel level. I don't know
> > how much of a load this puts on the system in practice, but my
> > understanding is that it's certainly not an ideal way to design a
> > switch.
> 
> Modern processors -- even the ones 5 years old -- are really
> fast.
> 
> Linux bridging (switching) is very efficient.

Fair enough.

> Is it "ideal"? No. But given that you want one device which acts
> as a WAP, router, firewall and switch, it should perform quite 
> well. If you hate the idea of doing that, though, an 8-port
> gigabit switch is about the same price as a used 4-port gigabit
> NIC. Not as flexible, though.
> 
> > > desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
> > > you can use it as a WAP and have nine switched/routed gigabit ports,
> > > counting one on the motherboard.  If you only need 5 ports, you only
> > > need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.
> > 
> > My understanding, although I could not find solid documentation of this,
> > is that consumer wireless chipsets designed for client use don't make
> > particularly performant APs. They'll work, but purpose built APs will
> > perform much better, especially with their AP optimized antennas. I
> > don't really know if this is true, though, and to what extent it's an
> > issue, if it really is one.
> 
> Oh, no, this is a myth. The $20-150 consumer wifi routers use
> the same wifi interface chips as good PCIe cards, for the most
> part. OpenWRT is actually a great source of information on
> these.
> 
> Assuming you're comparing a 3 antenna MIMO on a PCIe card to a 3
> antenna MIMO on a consumer router, you should get equivalent
> range and performance.

Thanks. I'd love to see actual tests comparing performance of wireless
APs (consumer, enterprise, and DIY ones like we're discussing), but
they seem very hard to come by.

> > And the power usage on a five year old desktop (which I don't actually
> > have) will be much higher than a purpose-built AIO AP / switch / router.
> 
> That can be true. But then, the desktop can also be your server
> for a bunch of other things that, perhaps, you were going to
> run.

Fair enough. I'm currently using an old R210 ii as my server, so I'm
not one to talk ;) I suppose it might be fun to see if I can fit a
modern AX200 based PCIe (perhaps a low profile one) into it and see how
it performs as an AP / router ...

> > But again, I don't really disagree. If I had the hardware lying around,
> > and I determined that the power consumption wasn't a factor, it would
> > certainly be tempting to consider this route.
> 
> Everything is a tradeoff.

Yes.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> > If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
> > to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
> 
> My understanding - please correct me if I'm wrong - is that with those
> types of cards, the ports are distinct and aren't actually switched in
> hardware, so switching occurs at the OS / kernel level. I don't know
> how much of a load this puts on the system in practice, but my
> understanding is that it's certainly not an ideal way to design a
> switch.

Modern processors -- even the ones 5 years old -- are really
fast.

Linux bridging (switching) is very efficient.

Is it "ideal"? No. But given that you want one device which acts
as a WAP, router, firewall and switch, it should perform quite 
well. If you hate the idea of doing that, though, an 8-port
gigabit switch is about the same price as a used 4-port gigabit
NIC. Not as flexible, though.

> > desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
> > you can use it as a WAP and have nine switched/routed gigabit ports,
> > counting one on the motherboard.  If you only need 5 ports, you only
> > need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.
> 
> My understanding, although I could not find solid documentation of this,
> is that consumer wireless chipsets designed for client use don't make
> particularly performant APs. They'll work, but purpose built APs will
> perform much better, especially with their AP optimized antennas. I
> don't really know if this is true, though, and to what extent it's an
> issue, if it really is one.

Oh, no, this is a myth. The $20-150 consumer wifi routers use
the same wifi interface chips as good PCIe cards, for the most
part. OpenWRT is actually a great source of information on
these.

Assuming you're comparing a 3 antenna MIMO on a PCIe card to a 3
antenna MIMO on a consumer router, you should get equivalent
range and performance.

> And the power usage on a five year old desktop (which I don't actually
> have) will be much higher than a purpose-built AIO AP / switch / router.

That can be true. But then, the desktop can also be your server
for a bunch of other things that, perhaps, you were going to
run.

> But again, I don't really disagree. If I had the hardware lying around,
> and I determined that the power consumption wasn't a factor, it would
> certainly be tempting to consider this route.

Everything is a tradeoff.

-dsr-



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 11:03:35 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > > I can be glad that OpenWRT has improved their security practices
> > > and simultaneously not be interested in using it.
> > 
> > I think we are really in basic agreement. The reason I use OpenWRT is
> > that I use a residential all-in-one WAP / switch / router, which Debian
> > is unsuitable for. If I ever go the separate WAP / switch / router
> > route, I'll probably use Debian on the router for the reasons you
> > give: good support, a system I'm familiar with, etc.
> 
> Debian works well in this situation. You just need to arrange
> for enough NIC ports to meet your needs.
> 
> If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
> to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old

My understanding - please correct me if I'm wrong - is that with those
types of cards, the ports are distinct and aren't actually switched in
hardware, so switching occurs at the OS / kernel level. I don't know
how much of a load this puts on the system in practice, but my
understanding is that it's certainly not an ideal way to design a
switch.

> desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
> you can use it as a WAP and have nine switched/routed gigabit ports,
> counting one on the motherboard.  If you only need 5 ports, you only
> need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.

My understanding, although I could not find solid documentation of this,
is that consumer wireless chipsets designed for client use don't make
particularly performant APs. They'll work, but purpose built APs will
perform much better, especially with their AP optimized antennas. I
don't really know if this is true, though, and to what extent it's an
issue, if it really is one.

And the power usage on a five year old desktop (which I don't actually
have) will be much higher than a purpose-built AIO AP / switch / router.

> Debian has hostapd and dnsmasq packages.

But again, I don't really disagree. If I had the hardware lying around,
and I determined that the power consumption wasn't a factor, it would
certainly be tempting to consider this route.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Stefan Monnier
> I think we are really in basic agreement. The reason I use OpenWRT is
> that I use a residential all-in-one WAP / switch / router, which Debian
> is unsuitable for. If I ever go the separate WAP / switch / router
> route, I'll probably use Debian on the router for the reasons you
> give: good support, a system I'm familiar with, etc.

Here's a related datapoint:

For a couple years, I have used a Pi box as router+WAP, running
Debian (after having used "home routers" running OpenWRT for many years
before that).

I was quite happy with it on the software side (a bit less convenient to
configure than OpenWRT for the WAP part, but largely makes up for it for
the ease with which I could add auxiliary services and the convenience
of using the same OS as I use on all my other machines), but I was
unable to make it provide a good enough wireless signal to cover
my apartment.

So I switched to a box dedicated to WAP+router (BT HomeHub, in my case
https://openwrt.org/toh/bt/homehub_v5a), whose hardware is too limited
to run Debian.  IOW the problem for me was to find hardware which is
low-power enough to have it "always on" yet whose wifi interface is good
enough to cover my apartment: these thingies seem to be much more often
able to run OpenWRT than to run Debian :-(

W.r.t security, an important advantage of Debian is that upgrades are
much easier and smoother (so much so that they can be fully automatic)
than in OpenWRT.  But I'm a very happy user of OpenWRT (and have been
for many many years).


Stefan


PS: Another reason I went with the BT HomeHub is that it includes the
modem (and that this modem is supported by OpenWRT, tho with
a proprietary firmware), so it saves me having to have yet another box
in that corner (I still have the Pi there since the HomeHub is not
well suited to provide some of those services, which require a largish
storage which I'd rather not connect via USB).



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> > I can be glad that OpenWRT has improved their security practices
> > and simultaneously not be interested in using it.
> 
> I think we are really in basic agreement. The reason I use OpenWRT is
> that I use a residential all-in-one WAP / switch / router, which Debian
> is unsuitable for. If I ever go the separate WAP / switch / router
> route, I'll probably use Debian on the router for the reasons you
> give: good support, a system I'm familiar with, etc.

Debian works well in this situation. You just need to arrange
for enough NIC ports to meet your needs.

If you are OK buying used equipment, Intel-based gigabit NICs, 4 ports
to a PCIe slot, cost about $35 (or $70 new). If you've got a 5 year old
desktop sitting around with 2GB or more RAM and 3 available PCIe slots,
you can use it as a WAP and have nine switched/routed gigabit ports,
counting one on the motherboard.  If you only need 5 ports, you only
need 2 PCIe slots -- one for a WiFI NIC and one for the ethernet NIC.

Debian has hostapd and dnsmasq packages.

-dsr-



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 09:57:13 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > On Mon, 8 Feb 2021 08:36:34 -0500
> > Dan Ritter  wrote:
> > 
> > > OpenWRT's security process doesn't look as terrible as it used
> > > to be, but it doesn't really look good right now, just trying to
> > > be better.
> > 
> > Again, let's look at specific examples of vulnerabilities present in
> > both OpenWRT and Debian, and compare the projects' responses. I gave
> > you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities
> > was issued about two weeks before Debian's.
> > 
> > You feel that OpenWRT's security process "doesn't look good." Based on
> > what? Can you provide a vulnerability that affects their software that
> > they dropped the ball on?
> 
> No, thanks. I don't need to poke at OpenWRT any further.
> 
> I already have a Debian firewall that has had good security
> support from Debian since 2014; I see no reason not to continue
> using it until the hardware fails. At that point, I will buy
> another relatively small fully supported Debian box, and carry
> on. Among other benefits, it means that all the machines at home
> have the same procedures and can be used as testbeds for each
> other. E.g. the music-playing machine in the living room is now
> testing out Bullseye.
> 
> I can be glad that OpenWRT has improved their security practices
> and simultaneously not be interested in using it.

I think we are really in basic agreement. The reason I use OpenWRT is
that I use a residential all-in-one WAP / switch / router, which Debian
is unsuitable for. If I ever go the separate WAP / switch / router
route, I'll probably use Debian on the router for the reasons you
give: good support, a system I'm familiar with, etc.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> On Mon, 8 Feb 2021 08:36:34 -0500
> Dan Ritter  wrote:
> 
> > OpenWRT's security process doesn't look as terrible as it used
> > to be, but it doesn't really look good right now, just trying to
> > be better.
> 
> Again, let's look at specific examples of vulnerabilities present in
> both OpenWRT and Debian, and compare the projects' responses. I gave
> you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities
> was issued about two weeks before Debian's.
> 
> You feel that OpenWRT's security process "doesn't look good." Based on
> what? Can you provide a vulnerability that affects their software that
> they dropped the ball on?

No, thanks. I don't need to poke at OpenWRT any further.

I already have a Debian firewall that has had good security
support from Debian since 2014; I see no reason not to continue
using it until the hardware fails. At that point, I will buy
another relatively small fully supported Debian box, and carry
on. Among other benefits, it means that all the machines at home
have the same procedures and can be used as testbeds for each
other. E.g. the music-playing machine in the living room is now
testing out Bullseye.

I can be glad that OpenWRT has improved their security practices
and simultaneously not be interested in using it.

-dsr-



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 08:36:34 -0500
Dan Ritter  wrote:

> Celejar wrote: 
> > On Mon, 8 Feb 2021 06:41:23 -0500
> > Dan Ritter  wrote:
> > 
> > > Gregory Seidman wrote: 
> > > > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
> > 
> > ...
> > 
> > > Debian gets security updates in a timely manner (for stable).
> > > 
> > > How's OpenWRT's security team?
> > 
> > I'm not sure if this is a genuine question or a rhetorical one (sorry -
> > tone doesn't always come across well in email), but OpenWRT does have a
> > security process, with advisories, bug fixes, etc.:
> 
> Semi-rhetorical: my experience with OpenWRT and ddWRT is that
> once a device is installed, it never gets an upgrade. I'd be
> happy to learn otherwise.

Rejoice, then! If you choose never to upgrade, that's your choice, but
the project releases point releases every couple of months or so, and
new major versions every year or two:

https://downloads.openwrt.org/releases/

> > https://openwrt.org/docs/guide-developer/security
> > 
> > I suspect the process may not be as good as Debian's, but they do fix
> > at least some serious bugs fairly quickly. E.g., if I'm reading the
> > following pages correctly, the Debian DSAs for the recent serious set of
> > dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its
> > Security Advisory on Jan. 19:
> 
> That page lists 15 advisories over the last 3 years -- let's say
> 2 years, since this year is just beginning. Four of those
> advisories are for OpenWRT-only problems.
> 
> In the 2 months of 2021, so far, Debian's security team has issued 28 notices.
> Let's discount the desktop software -- that's 8 of them, by my
> count -- because nobody runs desktop software on a router.

I think this is a misleading comparison. It's not just a question
of desktop software - Debian includes vastly more software in general,
for which the security team is responsible, than OpenWRT does. Debian
proudly announces that it comes with "more than 59000 packages":

https://www.debian.org/intro/about

OpenWRT includes merely "several thousand packages" (I can't find an
exact number):

https://openwrt.org/packages/start

So of course Debian is going to have more SAs.

> OpenWRT's security process doesn't look as terrible as it used
> to be, but it doesn't really look good right now, just trying to
> be better.

Again, let's look at specific examples of vulnerabilities present in
both OpenWRT and Debian, and compare the projects' responses. I gave
you one timely example: OpenWRT's SA for the dnsmasq vulnerabilities
was issued about two weeks before Debian's.

You feel that OpenWRT's security process "doesn't look good." Based on
what? Can you provide a vulnerability that affects their software that
they dropped the ball on?

> This probably doesn't matter much if you just want a WAP inside
> your house, but I feel confirmed that Debian is still a much
> better choice for an Internet-facing router/firewall.

Celejar



Re: Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Celejar wrote: 
> On Mon, 8 Feb 2021 06:41:23 -0500
> Dan Ritter  wrote:
> 
> > Gregory Seidman wrote: 
> > > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
> 
> ...
> 
> > Debian gets security updates in a timely manner (for stable).
> > 
> > How's OpenWRT's security team?
> 
> I'm not sure if this is a genuine question or a rhetorical one (sorry -
> tone doesn't always come across well in email), but OpenWRT does have a
> security process, with advisories, bug fixes, etc.:

Semi-rhetorical: my experience with OpenWRT and ddWRT is that
once a device is installed, it never gets an upgrade. I'd be
happy to learn otherwise.

> https://openwrt.org/docs/guide-developer/security
> 
> I suspect the process may not be as good as Debian's, but they do fix
> at least some serious bugs fairly quickly. E.g., if I'm reading the
> following pages correctly, the Debian DSAs for the recent serious set of
> dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its
> Security Advisory on Jan. 19:

That page lists 15 advisories over the last 3 years -- let's say
2 years, since this year is just beginning. Four of those
advisories are for OpenWRT-only problems.

In the 2 months of 2021, so far, Debian's security team has issued 28 notices.
Let's discount the desktop software -- that's 8 of them, by my
count -- because nobody runs desktop software on a router.

OpenWRT's security process doesn't look as terrible as it used
to be, but it doesn't really look good right now, just trying to
be better.

This probably doesn't matter much if you just want a WAP inside
your house, but I feel confirmed that Debian is still a much
better choice for an Internet-facing router/firewall.

-dsr-



Security: OpenWRT vs. Debian [Was:] Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Celejar
On Mon, 8 Feb 2021 06:41:23 -0500
Dan Ritter  wrote:

> Gregory Seidman wrote: 
> > If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on

...

> Debian gets security updates in a timely manner (for stable).
> 
> How's OpenWRT's security team?

I'm not sure if this is a genuine question or a rhetorical one (sorry -
tone doesn't always come across well in email), but OpenWRT does have a
security process, with advisories, bug fixes, etc.:

https://openwrt.org/docs/guide-developer/security

I suspect the process may not be as good as Debian's, but they do fix
at least some serious bugs fairly quickly. E.g., if I'm reading the
following pages correctly, the Debian DSAs for the recent serious set of
dnsmasq vulnerabilities went out on Feb. 4, whereas OpenWRT issued its
Security Advisory on Jan. 19:

https://www.debian.org/security/2021/dsa-4844
https://lists.debian.org/debian-security-announce/2021/msg00026.html

https://openwrt.org/advisory/2021-01-19-1

Celejar



Re: Linux router AP with reserved IPs on wlan0?

2021-02-08 Thread Dan Ritter
Gregory Seidman wrote: 
> If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
> a variety of router hardware, but also PCs: 
> https://openwrt.org/docs/guide-user/installation/openwrt_x86
> 
> Importantly, it uses UCI for configuration of
> switches, networks, 802.11 (wifi) radios, SSIDs, firewalls, etc. which
> substantially simplifies handling the issues you are encountering. Its web
> interface (luci) works directly with the UCI config files, so it's easy to
> switch between editing a file and working in the web UI.

Debian gets security updates in a timely manner (for stable).

How's OpenWRT's security team?

-dsr-



Re: Linux router AP with reserved IPs on wlan0?

2021-02-07 Thread Gregory Seidman
If you want a Linux router/AP, I recommend OpenWRT over Debian. It runs on
a variety of router hardware, but also PCs: 
https://openwrt.org/docs/guide-user/installation/openwrt_x86

Importantly, it uses UCI for configuration of
switches, networks, 802.11 (wifi) radios, SSIDs, firewalls, etc. which
substantially simplifies handling the issues you are encountering. Its web
interface (luci) works directly with the UCI config files, so it's easy to
switch between editing a file and working in the web UI.

--Gregory

On Sat, Feb 06, 2021 at 02:29:08AM -0800, John Conover wrote:
> 
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> works well with iptables, with one shortcoming.
> 
> After antagonizing the Google for hours, I can not find any way to add
> reserved IPs based on the MAC address of devices connected on
> wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> for a wireless AP.
> 
> Am I correct in my assumption?
> 
> Thanks,
> 
> John
> 
> -- 
> 
> John Conover, cono...@rahul.net, http://www.johncon.com/
> 
> 



Re: Linux router AP with reserved IPs on wlan0?

2021-02-07 Thread John Conover
Tixy writes:
> On Sat, 2021-02-06 at 11:00 -0800, John Conover wrote:
> > Stefan Monnier writes:
> > > > A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> > > > works well with iptables, with one shortcoming.
> > > > 
> > > > After antagonizing the Google for hours, I can not find any way to add
> > > > reserved IPs based on the MAC address of devices connected on
> > > > wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> > > > for a wireless AP.
> > > 
> > > I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been
> > > perfectly sufficient so far and it lets you specify fixed IPs based on
> > > MACs by simply putting those in the `/etc/ethers` file.
> > > 
> > 
> > Thank you, Stefan.
> > 
> > Works like a charm. The syntax of /etc/ethers is ':' delimited MAC
> > address, followed by a space delimiter, followed by the IPv4 IP
> > address, per IP reservation. That IP address must also be in
> > /etc/hosts.
> 
> I didn't know about /etc/ethers, on my system I allocate fixed IP
> addresses and hostnames by adding lines to dnsmasq.conf like
> 
> dhcp-host=MAC-Address,IP-Address,Hostname,Lease-Time
> 
> I guess there's more than one way to skin this cat.
>

Hi Tixy.

For the archives, the documentation to configuration of dnsmasq(1) is
in /etc/dnsmasq.conf, the dnsmasq configuration file. It is verbose,
and there are many options. Read thoroughly.

It is a very impressive accomplishment, and works well, and is fairly
easy to get working, (once familiar with the configuration file.)

As a closing note, the DHCP/DNS services, (for wlan0,) are configured
in the /etc/dnsmasq.conf file, *_NOT_* /etc/dhcpcd.conf, which is the
usual alternative.

(This is where I went astray-I mean the name is dnsmasq, probably
meaning it is something to do with dns, duh.)

Thanks to all,

John

-- 

John Conover, cono...@rahul.net, http://www.johncon.com/
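
Added example, not part of the original thread and not dnsmasq's own code: a small checker for the two reservation styles discussed above. It reads `/etc/ethers`-style lines as John describes them (':'-delimited MAC, whitespace, IPv4 address), verifies that each address also appears in `/etc/hosts`, flags duplicate or malformed entries, and prints the equivalent `dhcp-host=` lines in the form Tixy gives. The sample file contents, the function names, and the handling of `#` comments are assumptions made for the illustration; dnsmasq only reads `/etc/ethers` when its `read-ethers` option is set.

```python
import ipaddress
import re

# A MAC address written as six ':'-delimited hex octets.
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample data (not taken from any real system).
SAMPLE_ETHERS = """\
# MAC               IPv4
00:14:d3:11:22:32   192.168.0.20
00:14:D3:11:22:33   192.168.0.21
00:14:d3:11:22:32   192.168.0.22
00-14-d3-11-22-34   192.168.0.23
00:14:d3:11:22:35   192.168.0.24
"""

SAMPLE_HOSTS = """\
127.0.0.1     localhost
192.168.0.20  conoverlaptop
192.168.0.21  printer printer.lan
192.168.0.22  tablet
"""


def parse_hosts(text):
    """Return {ip: first hostname} from /etc/hosts-style text."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.setdefault(fields[0], fields[1])
    return names


def check_reservations(ethers_text, hosts_text):
    """Validate 'MAC IPv4' reservations against the hosts file.

    Returns (good, problems): good is a list of (mac, ip, hostname),
    problems is a list of (line_number, reason).
    """
    hosts = parse_hosts(hosts_text)
    seen_mac, seen_ip = {}, {}
    good, problems = [], []
    for lineno, line in enumerate(ethers_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if len(fields) != 2:
            problems.append((lineno, "expected 'MAC IPv4'"))
            continue
        mac, ip = fields[0].lower(), fields[1]
        if not MAC_RE.match(mac):
            problems.append((lineno, "MAC is not ':'-delimited hex"))
            continue
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append((lineno, "not an IPv4 address"))
            continue
        if mac in seen_mac:
            problems.append((lineno, f"duplicate MAC (first on line {seen_mac[mac]})"))
            continue
        if ip in seen_ip:
            problems.append((lineno, f"duplicate IP (first on line {seen_ip[ip]})"))
            continue
        seen_mac[mac], seen_ip[ip] = lineno, lineno
        if ip not in hosts:
            problems.append((lineno, "IP has no entry in the hosts file"))
            continue
        good.append((mac, ip, hosts[ip]))
    return good, problems


def to_dhcp_host(good, lease_time=None):
    """Render reservations as dnsmasq.conf dhcp-host= lines."""
    suffix = f",{lease_time}" if lease_time else ""
    return [f"dhcp-host={mac},{ip},{name}{suffix}" for mac, ip, name in good]


if __name__ == "__main__":
    ok, bad = check_reservations(SAMPLE_ETHERS, SAMPLE_HOSTS)
    for line in to_dhcp_host(ok, lease_time="12h"):
        print(line)
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```
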



Re: Linux router AP with reserved IPs on wlan0?

2021-02-07 Thread Tixy
On Sat, 2021-02-06 at 11:00 -0800, John Conover wrote:
> Stefan Monnier writes:
> > > A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> > > works well with iptables, with one shortcoming.
> > > 
> > > After antagonizing the Google for hours, I can not find any way to add
> > > reserved IPs based on the MAC address of devices connected on
> > > wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> > > for a wireless AP.
> > 
> > I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been
> > perfectly sufficient so far and it lets you specify fixed IPs based on
> > MACs by simply putting those in the `/etc/ethers` file.
> > 
> 
> Thank you, Stefan.
> 
> Works like a charm. The syntax of /etc/ethers is ':' delimited MAC
> address, followed by a space delimiter, followed by the IPv4 IP
> address, per IP reservation. That IP address must also be in
> /etc/hosts.

I didn't know about /etc/ethers, on my system I allocate fixed IP
addresses and hostnames by adding lines to dnsmasq.conf like

dhcp-host=MAC-Address,IP-Address,Hostname,Lease-Time

I guess there's more than one way to skin this cat.

-- 
Tixy




Re: Linux router AP with reserved IPs on wlan0?

2021-02-06 Thread John Conover
Stefan Monnier writes:
> > A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> > works well with iptables, with one shortcoming.
> >
> > After antagonizing the Google for hours, I can not find any way to add
> > reserved IPs based on the MAC address of devices connected on
> > wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> > for a wireless AP.
> 
> I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been
> perfectly sufficient so far and it lets you specify fixed IPs based on
> MACs by simply putting those in the `/etc/ethers` file.
>

Thank you, Stefan.

Works like a charm. The syntax of /etc/ethers is ':' delimited MAC
address, followed by a space delimiter, followed by the IPv4 IP
address, per IP reservation. That IP address must also be in
/etc/hosts.

John

-- 

John Conover, cono...@rahul.net, http://www.johncon.com/



Re: Linux router AP with reserved IPs on wlan0?

2021-02-06 Thread Stefan Monnier
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> works well with iptables, with one shortcoming.
>
> After antagonizing the Google for hours, I can not find any way to add
> reserved IPs based on the MAC address of devices connected on
> wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> for a wireless AP.

I'm not familiar with dhcpd, but dnsmasq's built-in DHCP server has been
perfectly sufficient so far and it lets you specify fixed IPs based on
MACs by simply putting those in the `/etc/ethers` file.


Stefan



Re: Linux router AP with reserved IPs on wlan0?

2021-02-06 Thread Dan Ritter
John Conover wrote: 
> 
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> works well with iptables, with one shortcoming.
> 
> After antagonizing the Google for hours, I can not find any way to add
> reserved IPs based on the MAC address of devices connected on
> wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> for a wireless AP.


host conoverlaptop {
 hardware ethernet 00:14:d3:11:22:32;
 fixed-address 192.168.0.20;
}




Re: Linux router AP with reserved IPs on wlan0?

2021-02-06 Thread tomas
On Sat, Feb 06, 2021 at 02:29:08AM -0800, John Conover wrote:
> 
> A wireless router made with hostapd/dnsmasq/dhcpcd is fairly easy, and
> works well with iptables, with one shortcoming.
> 
> After antagonizing the Google for hours, I can not find any way to add
> reserved IPs based on the MAC address of devices connected on
> wlan0, (presumably in dhcpcd.conf.) Seems kind of a simple oversight
> for a wireless AP.
> 
> Am I correct in my assumption?

I think the jargon is "DHCP reservation" or thereabouts. Do these ([1],
[2]) fit your quest?

And oh, BTW. Don't antagonize Google. They don't love you (besides, they
don't make for good neighbours, but I digress). My search provider just
gave me those results in exchange for a moderate amount of effort (~15
min).

Cheers :)

[1] 
https://servercomputing.blogspot.com/2012/02/reserve-ip-address-in-dhcp-server-linux.html
[2] 
https://askubuntu.com/questions/392599/how-to-reserve-ip-address-in-dhcp-server

 - t




Re: Linux router for an ISP with possible problems

2013-08-10 Thread Camaleón
On Fri, 09 Aug 2013 15:28:00 -0300, Mauro Antivero wrote:

 On 09/08/13 10:32, Camaleón wrote:

(...)

 Here is a very complete configuration for a Debian machine
 acting as a high-performance router (for an ISP):

 http://itservice-bg.net/?p=1122
 Sorry, the link doesn't work for me. Could it be wrong, or is it just
 a coincidence?

It loads fine for me. 

Try accessing the site from another connection (e.g., a UMTS modem) or 
through a proxy:

http://www.hidemyass.com/

If you still have problems, let me know and I'll send you the content of 
the web page by private message.

Regards,

-- 
Camaleón





Re: Linux router for an ISP with possible problems

2013-08-09 Thread Alberto
On 09/08/13 04:36, Mauro Antivero wrote:
 Dear all:
 
 At my workplace we have a Linux router (Debian Squeeze running
 on a Dell PowerEdge R210-II) through which all the traffic of the
 ISP's user network passes.
 
 The problem we are having is that it seems that when the
 total traffic passing through the server reaches 550 Mbps it
 stalls, that is, it does not usually grow much beyond that value. This
 seems strange to us, since by our estimate the traffic should be
 reaching approx. 650 Mbps.
 
 At the time, the value of the following was modified:
 
 /proc/sys/net/ipv4/netfilter/ip_conntrack_max
 
 Because when the traffic reached approx. 200 Mbps, instead of
 rising it began to fall, and with dmesg we got the following message:
 
 nf_conntrack: table full, dropping packet

yes, maybe there is some other value at the /proc level that could be looked at,
although right now, off the top of my head, I couldn't tell you, but the
ip_conntrack one was the one I also looked at back in the day.

 After this, on a server much less powerful than the current one,
 we had to play with the parameters of the network card (Intel Gigabit,
 I don't remember the model well right now) so that it could handle the
 interrupts, and we also had to set up bonding between two of these
 network cards so that it could handle all the traffic.
 
 On the server I am asking you about now it was not necessary to set up
 bonding, but it was necessary to modify the value of ip_conntrack_max.

well, obviously you have to see what traffic is generated and how far
the network card can go; in any case, having a machine as a
corporate router, if you have an additional card, I would set up
bonding no matter what, not only for load balancing but also for high availability

 The thing is that now, as I was saying, at first glance, we are not having
 any of these problems, but we have the feeling that something is
 going on.
 
 So I wanted to ask you which parameters I should be looking at and
 monitoring to see whether we really are having a problem on the
 server or not.
 
 A detail that I think is very important is that sometimes, for no apparent reason,
 the network interface drops packets. But as I was saying, although this should
 not happen, it happens rarely. Here are the data for the interface through which
 the traffic enters:
 
 ifconfig eth0
 
 eth0  Link encap:Ethernet  HWaddr d0:67:e5:e7:d7:45
   inet addr:172.30.0.1  Bcast:172.30.0.255 Mask:255.255.255.0
   inet6 addr: fe80::d267:e5ff:fee7:d745/64 Scope:Link
   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
   RX packets:232816986602 errors:462 dropped:1606 overruns:0
 frame:462
   TX packets:337849634947 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:1000
   RX bytes:67228041135161 (61.1 TiB)  TX bytes:317032238655465
 (288.3 TiB)
   Interrupt:16 Memory:c000-c0012800
 
 Les agradecería mucho sus comentarios y ayuda para así determinar si el
 problema está en el servidor o no.
 
 Espero no haber omitido cualquier dato que sea útil, cualquier cosa me
 avisan.

el ifconfig no dice nada del otro barrio, si hay paquetes dropped pero
no sabemos ni la velocidad, si esta a full duplex, el TSO... en fin.

la salida completa de ethtool, por ejemplo

hay muchos valores que podrian influir, fijate lo que he sacado del mio...
/proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout
600
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent
120
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent2
120
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv
60
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
432000
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
120
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
60
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack
30
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
120
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close
10
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans
300
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
1
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
0
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_max_retrans
3
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
30
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream
180
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout
30
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_count
269
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
16384
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_checksum
1
-
/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
0
-

As you can see there are many variables, and I certainly don't advise you to
touch anything without knowing exactly what.

A simple test that you can 

Re: Linux router for an ISP with possible problems

2013-08-09 Thread jors

On 2013-08-09 09:34, Alberto wrote:

> On 09/08/13 04:36, Mauro Antivero wrote:
>
> > (...)
> > After that, on a server much less powerful than the current one, we had
> > to play with the parameters of the network card (Intel Gigabit, I don't
> > remember the exact model right now) so that it could handle the
> > interrupts, and we also had to set up bonding between two of these
> > network cards so that it could handle all the traffic.
> >
> > On the server I am now asking about, it was not necessary to set up
> > bonding, but it was necessary to modify the value of ip_conntrack_max.
>
> Well, obviously you have to see what traffic is being generated and how
> far the network card can go; in any case, with a machine acting as a
> corporate router, if you have an additional card I would set up bonding
> no matter what, not only for load balancing but also for high
> availability.

+1 to checking the performance the network card delivers. You can use iperf
for that, but of course, to get reliable values it should be done outside
production.

> > The thing is that now, as I was saying, at first glance we are not
> > having any of these problems, but we have the feeling that something is
> > going on.
> >
> > So I wanted to ask you which parameters I should be looking at and
> > monitoring to see whether we really have a problem on the server or not.
> >
> > A detail that I think is very important is that sometimes, for no
> > apparent reason, the network interface drops packets. But as I was
> > saying, although this should not happen, it happens rarely. Here is the
> > data for the interface through which the traffic comes in:
> >
> > ifconfig eth0
> >
> > eth0  Link encap:Ethernet  HWaddr d0:67:e5:e7:d7:45
> >   inet addr:172.30.0.1  Bcast:172.30.0.255 Mask:255.255.255.0
> >   inet6 addr: fe80::d267:e5ff:fee7:d745/64 Scope:Link
> >   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >   RX packets:232816986602 errors:462 dropped:1606 overruns:0 frame:462
> >   TX packets:337849634947 errors:0 dropped:0 overruns:0 carrier:0
> >   collisions:0 txqueuelen:1000
> >   RX bytes:67228041135161 (61.1 TiB)  TX bytes:317032238655465 (288.3 TiB)
> >   Interrupt:16 Memory:c000-c0012800
> >
> > I would be very grateful for your comments and help in determining
> > whether the problem is in the server or not.
> >
> > I hope I haven't left out any useful information; let me know if
> > anything is needed.
>
> The ifconfig output doesn't say anything out of the ordinary; yes, there
> are dropped packets, but we don't know the speed, whether it's at full
> duplex, TSO... anyway.

In addition to what Alberto says, dropped packets can indicate saturation of
the network interface [1]. So if all the network interface settings are
correct (ethtool, proc...), it is worth running load tests to rule this out
as the cause.

[1] http://stackoverflow.com/questions/8987926/how-to-find-which-packets-got-dropped

Regards,
jors
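
Added example, not part of any message in this thread: a small shell check for the conntrack headroom discussed above, so that a filling table is noticed before the kernel logs "nf_conntrack: table full, dropping packet" and starts refusing new connections. The figures 269, 65536 and 16384 are the count, max and buckets values from Alberto's dump; the log lines, the function names and the 80% warning threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example: conntrack headroom check (function names are hypothetical).

# conntrack_pct COUNT MAX -> integer percentage of the table in use
conntrack_pct() {
    [ "$2" -gt 0 ] || { echo "max must be > 0" >&2; return 2; }
    echo $(( $1 * 100 / $2 ))
}

# conntrack_state COUNT MAX [WARN_PCT] -> OK | WARN | FULL
# WARN_PCT defaults to 80 (an assumption, tune it to your traffic).
conntrack_state() {
    pct=$(conntrack_pct "$1" "$2") || return 2
    warn=${3:-80}
    if [ "$1" -ge "$2" ]; then
        echo FULL          # new flows are being dropped right now
    elif [ "$pct" -ge "$warn" ]; then
        echo WARN          # little headroom left for a traffic spike
    else
        echo OK
    fi
}

# bucket_load MAX BUCKETS -> average hash-chain length when the table is full
bucket_load() {
    [ "$2" -gt 0 ] || { echo "buckets must be > 0" >&2; return 2; }
    echo $(( $1 / $2 ))
}

# table_full_events: count kernel log lines on stdin that report a full table
table_full_events() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# live_state: same classification from this host's /proc, trying the current
# nf_conntrack path first and then the legacy ip_conntrack path from the thread
live_state() {
    for p in /proc/sys/net/netfilter/nf_conntrack \
             /proc/sys/net/ipv4/netfilter/ip_conntrack; do
        if [ -r "${p}_count" ] && [ -r "${p}_max" ]; then
            conntrack_state "$(cat "${p}_count")" "$(cat "${p}_max")"
            return
        fi
    done
    echo UNKNOWN           # conntrack not loaded, or not a Linux host
}

# Constructed kernel log excerpt (not from the thread)
SAMPLE_LOG='[1201.10] nf_conntrack: table full, dropping packet
[1201.15] eth0: link up
[1206.42] nf_conntrack: table full, dropping packet'

echo "Alberto's box : $(conntrack_pct 269 65536)% used, state $(conntrack_state 269 65536)"
echo "busy router   : state $(conntrack_state 60000 65536)"
echo "chain length  : $(bucket_load 65536 16384) entries per bucket at max"
echo "full events   : $(printf '%s\n' "$SAMPLE_LOG" | table_full_events)"
echo "this host     : $(live_state)"
```
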





Re: Linux router for an ISP with possible problems

2013-08-09 Thread Camaleón
On Thu, 08 Aug 2013 23:36:18 -0300, Mauro Antivero wrote:

> At my workplace we have a Linux router (Debian Squeeze running on a Dell
> PowerEdge R210-II) through which all the traffic of the ISP's user
> network passes.
>
> The problem we are having is that it seems that when the total traffic
> passing through the server reaches 550 Mbps it stalls, that is, it does
> not usually grow much beyond that value. This seems strange to us because,
> by our estimate, the traffic should be reaching approx. 650 Mbps.

(...)

Here is a very complete configuration for a Debian machine acting as a
high-performance router (for an ISP):

http://itservice-bg.net/?p=1122

The interesting part, I think, comes at the end, where it says:

NOTE: settings in /proc/sys/net are essential to enable the Linux kernel
to pass big traffic.

Have a look at the parameters it tunes to see whether any of them could be
useful in your case.

Regards,

-- 
Camaleón





Re: Linux router for an ISP with possible problems

2013-08-09 Thread Mauro Antivero

On 09/08/13 10:32, Camaleón wrote:

> On Thu, 08 Aug 2013 23:36:18 -0300, Mauro Antivero wrote:
>
> > At my workplace we have a Linux router (Debian Squeeze running on a
> > Dell PowerEdge R210-II) through which all the traffic of the ISP's user
> > network passes.
> >
> > The problem we are having is that it seems that when the total traffic
> > passing through the server reaches 550 Mbps it stalls, that is, it does
> > not usually grow much beyond that value. This seems strange to us
> > because, by our estimate, the traffic should be reaching approx.
> > 650 Mbps.
>
> (...)
>
> Here is a very complete configuration for a Debian machine acting as a
> high-performance router (for an ISP):
>
> http://itservice-bg.net/?p=1122
>
> The interesting part, I think, comes at the end, where it says:
>
> NOTE: settings in /proc/sys/net are essential to enable the Linux kernel
> to pass big traffic.
>
> Have a look at the parameters it tunes to see whether any of them could
> be useful in your case.
>
> Regards,

Many thanks to everyone for your replies. I am going to read up a bit and
check the server's configuration more carefully. When I have something more
concrete I will report how it went.

Regards, Mauro.





Re: Linux router for an ISP with possible problems

2013-08-09 Thread Mauro Antivero

On 09/08/13 10:32, Camaleón wrote:

> On Thu, 08 Aug 2013 23:36:18 -0300, Mauro Antivero wrote:
>
> > At my workplace we have a Linux router (Debian Squeeze running on a
> > Dell PowerEdge R210-II) through which all the traffic of the ISP's user
> > network passes.
> >
> > The problem we are having is that it seems that when the total traffic
> > passing through the server reaches 550 Mbps it stalls, that is, it does
> > not usually grow much beyond that value. This seems strange to us
> > because, by our estimate, the traffic should be reaching approx.
> > 650 Mbps.
>
> (...)
>
> Here is a very complete configuration for a Debian machine acting as a
> high-performance router (for an ISP):
>
> http://itservice-bg.net/?p=1122

Sorry, the link doesn't work for me. Could it be wrong, or is it just a
coincidence?

Regards and thanks, Mauro.

> The interesting part, I think, comes at the end, where it says:
>
> NOTE: settings in /proc/sys/net are essential to enable the Linux kernel
> to pass big traffic.
>
> Have a look at the parameters it tunes to see whether any of them could
> be useful in your case.
>
> Regards,







Re: Linux Router

2006-06-25 Thread Christian Schmidt
Hello Mathias,

Mathias Kruemmel, 25.06.2006 (d.m.y):

> The router as well as the clients can ping their own IP. Apart from the
> fact that one machine is supposed to work as a router, it must surely be
> possible for the machines (192.168.20.1 and 192.168.20.2) in the same
> network to ping each other. I have no firewall active. If I install only 2
> network cards instead of the current three, then it works. Could it be
> that the cards in my router are conflicting with each other?

However, both the router and the clients need to know via which route or
which interface they can reach the other IP subnets.
That is where you should start, IMO.

Regards,
Christian Schmidt

-- 
Whoever says A will also say ouch.
-- Zarko Petan




Re: Linux Router

2006-06-24 Thread Richard Mittendorfer
Thus spoke Mathias Kruemmel [EMAIL PROTECTED] (Sat, 24 Jun 2006
23:35:17 +0200):
> Hello everyone,

'evening

> I would like to build a router that connects the networks 192.168.20.0,
> 192.168.21.0 and 192.168.22.0. To do this I installed three network cards
> in my Linux machine and filled in the interfaces in
>
> /etc/network/interfaces with IP addresses and all the other values. I gave
> the three cards the first IP from each of the respective networks (i.e.
> 192.168.20.1, 21.1 and 22.1). After that I used
>
> echo 1 > /proc/sys/net/ipv4/ip_forward

cat /proc/sys/net/ipv4/ip_forward hopefully returns 1. :-)

> to switch on routing.

What does # route -n or # ip route show say?

> An ifconfig showed me all the devices with the corresponding IP
> addresses.

OK. Any errors, collisions?

> The problem I now have is that the address 192.168.20.1

Firewall active? Can you ping your own interface?

> (router) cannot ping the client 192.168.20.2.

Has the client perhaps disabled ICMP echo replies? Who/what is the client?

Capture the network traffic with tcpdump/(t)ethereal and see where the
packets are heading...

> When I tried the whole scenario with only 2 networks, i.e. 2 network
> cards, pinging and routing between these two networks (192.168.20.0 and
> 192.168.21.0) worked.
>
> Is this scenario with the three network cards, i.e. connecting the three
> different networks via the router, possible at all?

But of course.

sl ritch



Re: Linux Router

2006-06-24 Thread Thorsten Haude
Hi,

* Mathias Kruemmel wrote (2006-06-24 23:35):
> I would like to build a router that connects the networks 192.168.20.0,
> 192.168.21.0 and 192.168.22.0.

I'm assuming /24.

> An ifconfig showed me all the devices with the corresponding IP addresses.

What does the routing table look like?

> The problem I now have is that the address 192.168.20.1 (router) cannot
> ping the client 192.168.20.2.

Does a ping into the other networks work? Does a ping from another host in
192.168.20.0 work?

> Is this scenario with the three network cards, i.e. connecting the three
> different networks via the router, possible at all?

Sure.


Thorsten
-- 
It is exactly because markets are amoral that we cannot
leave the allocation of resources entirely to them.
- George Soros




Re: Linux Router

2006-06-24 Thread Mathias Kruemmel

Richard Mittendorfer wrote:

> Thus spoke Mathias Kruemmel [EMAIL PROTECTED] (Sat, 24 Jun 2006
> 23:35:17 +0200):
>
> > Hello everyone,
>
> 'evening
>
> > I would like to build a router that connects the networks 192.168.20.0,
> > 192.168.21.0 and 192.168.22.0. To do this I installed three network
> > cards in my Linux machine and filled in the interfaces in
> >
> > /etc/network/interfaces with IP addresses and all the other values. I
> > gave the three cards the first IP from each of the respective networks
> > (i.e. 192.168.20.1, 21.1 and 22.1). After that I used
> >
> > echo 1 > /proc/sys/net/ipv4/ip_forward
>
> cat /proc/sys/net/ipv4/ip_forward hopefully returns 1. :-)
>
> > to switch on routing.
>
> What does # route -n or # ip route show say?
>
> > An ifconfig showed me all the devices with the corresponding IP
> > addresses.
>
> OK. Any errors, collisions?
>
> > The problem I now have is that the address 192.168.20.1
>
> Firewall active? Can you ping your own interface?
>
> > (router) cannot ping the client 192.168.20.2.
>
> Has the client perhaps disabled ICMP echo replies? Who/what is the
> client?
>
> Capture the network traffic with tcpdump/(t)ethereal and see where the
> packets are heading...
>
> > When I tried the whole scenario with only 2 networks, i.e. 2 network
> > cards, pinging and routing between these two networks (192.168.20.0 and
> > 192.168.21.0) worked.
> >
> > Is this scenario with the three network cards, i.e. connecting the
> > three different networks via the router, possible at all?
>
> But of course.
>
> sl ritch

The router as well as the clients can ping their own IP. Apart from the fact
that one machine is supposed to work as a router, it must surely be possible
for the machines (192.168.20.1 and 192.168.20.2) in the same network to ping
each other. I have no firewall active. If I install only 2 network cards
instead of the current three, then it works. Could it be that the cards in
my router are conflicting with each other?






Re: Linux Router

2006-06-24 Thread Thorsten Haude
Hi,

* Mathias Kruemmel wrote (2006-06-25 00:04):
> The router as well as the clients can ping their own IP.

OK. What about the other questions?

> Apart from the fact that one machine is supposed to work as a router, it
> must surely be possible for the machines (192.168.20.1 and 192.168.20.2)
> in the same network to ping each other. I have no firewall active. If I
> install only 2 network cards instead of the current three, then it works.

We already know that.

> Could it be that the cards in my router are conflicting with each other?

Yes.


Thorsten
-- 
Necessity is the plea for every infringement of human freedom.
It is the argument of tyrants; it is the creed of slaves.
- William Pitt




Re: Linux Router

2006-06-24 Thread Mathias Kruemmel

Mathias Kruemmel wrote:

> Richard Mittendorfer wrote:
>
> > Thus spoke Mathias Kruemmel [EMAIL PROTECTED] (Sat, 24 Jun 2006
> > 23:35:17 +0200):
> >
> > > Hello everyone,
> >
> > 'evening
> >
> > > I would like to build a router that connects the networks
> > > 192.168.20.0, 192.168.21.0 and 192.168.22.0. To do this I installed
> > > three network cards in my Linux machine and filled in the interfaces
> > > in
> > >
> > > /etc/network/interfaces with IP addresses and all the other values. I
> > > gave the three cards the first IP from each of the respective
> > > networks (i.e. 192.168.20.1, 21.1 and 22.1). After that I used
> > >
> > > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > cat /proc/sys/net/ipv4/ip_forward hopefully returns 1. :-)
> >
> > > to switch on routing.
> >
> > What does # route -n or # ip route show say?
> >
> > > An ifconfig showed me all the devices with the corresponding IP
> > > addresses.
> >
> > OK. Any errors, collisions?
> >
> > > The problem I now have is that the address 192.168.20.1
> >
> > Firewall active? Can you ping your own interface?
> >
> > > (router) cannot ping the client 192.168.20.2.
> >
> > Has the client perhaps disabled ICMP echo replies? Who/what is the
> > client?
> >
> > Capture the network traffic with tcpdump/(t)ethereal and see where the
> > packets are heading...
> >
> > > When I tried the whole scenario with only 2 networks, i.e. 2 network
> > > cards, pinging and routing between these two networks (192.168.20.0
> > > and 192.168.21.0) worked.
> > >
> > > Is this scenario with the three network cards, i.e. connecting the
> > > three different networks via the router, possible at all?
> >
> > But of course.
> >
> > sl ritch
>
> The router as well as the clients can ping their own IP. Apart from the
> fact that one machine is supposed to work as a router, it must surely be
> possible for the machines (192.168.20.1 and 192.168.20.2) in the same
> network to ping each other. I have no firewall active. If I install only 2
> network cards instead of the current three, then it works. Could it be
> that the cards in my router are conflicting with each other?

False alarm!

I tried the whole thing on a VMware platform and mixed up the devices in the
settings there. Sorry, and thanks again for your efforts.






Re: Linux Router

2004-12-15 Thread Ken Gilmour
Captain's Log, stardate Tue, 14 Dec 2004 12:23:08 -0600, from the fingers of 
Michael Madden came the words:
 The main point is that there are so many things to do in Linux in
 order to configure it for masquerading (Recompiling Kernel etc).
 There are also so many different commands that do exactly the same
 thing but in different ways. If a person is starting off in
 firewalling it's not good to overwhelm them with information.
 With OpenBSD, you simply edit stuff that's already there, for
 example. These are the steps i would take to setup a gateway on a
 brand newly setup OpenBSD machine:

 Uncomment the following in /etc/sysctl.conf

 net.inet.ip.forwarding=1
 net.inet6.ip6.forwarding=1 (if using IPv6)

 Uncomment and edit this line in /etc/pf.conf (stuff in  needs
 to be edited, stuff in [] is optional)

 nat [pass] on interface [af] from src_addr [port src_port] to
 dst_addr [port dst_port] -> ext_addr [pool_type] [static-port]

 You may then reboot the machine or just issue the following two
 commands:

 # sysctl net.inet.ip.forwarding=1

 Or

 # sysctl net.inet6.ip6.forwarding=1 (if using IPv6)

 Then

 # pfctl -f /etc/pf.conf

 You now have a fully working NAT box.

 To perform IP forwarding uncomment the port redirect line in
 pf.conf and modify it to your taste then issue:

 # pfctl -f /etc/pf.conf

 The default configuration for the machine has zero known security
 holes. (have a look at www.openbsd.org for security info)

 Regards,

 Ken


 Forgive me if I'm new to the OpenBSD approach, but I've installed
 OpenBSD 3.6 on a laptop with 2 PCMCIA cards, and I cannot get any
 of my clients behind the firewall to see beyond the firewall.

 My two network cards are setup as:

 bsdrouter# ifconfig ep1
 ep1: flags=8863UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST
 mtu 1500 address: 00:60:97:87:8b:4d media: Ethernet 10baseT
 inet 172.16.1.100 netmask 0x broadcast 172.16.255.255 inet6
 fe80::260:97ff:fe87:8b4d%ep1 prefixlen 64 scopeid 0x5 bsdrouter#
 ifconfig ep2
 ep2: flags=8863UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST
 mtu 1500 address: 00:10:4b:ec:64:80 media: Ethernet 10baseT
 inet 192.168.3.1 netmask 0xff00 broadcast 192.168.3.255 inet6
 fe80::210:4bff:feec:6480%ep2 prefixlen 64 scopeid 0x6

 I've got IP forwarding enabled:

 bsdrouter# cat /etc/sysctl.conf
 net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of
 packets

 Finally I've setup pf.conf:

 bsdrouter# cat /etc/pf.conf
 f=ep1
 int_if=ep2
 nat on $ext_if from !($ext_if) -> ($ext_if:0)

 I rebooted the machine after the above network setup, and while I'm
 on the router I can see the 192.168.3.x network, the 172.16.x.x
 network, and the internet.  But my Windows machines behind the
 firewall cannot reach beyond the firewall even though the OpenBSD
 router is set as the default gateway.  On machines on the
 172.16.x.x network, I can reach the router at 172.16.1.100 and the
 machines behind the router (if I add a route to the 172.16.x.x
 machines).

 Has anyone experienced this before?

 Thanks,
 Mike

Hi Mike

Have you set a rule to allow the NAT to pass through the box? Simply adding 
pass to your above command should do that for you.

nat pass on $ext_if from !($ext_if) -> ($ext_if:0)

Also, The macro for your external interface I assume it's not set to f=ep1 
Was that just a couple of missed characters while copying and pasting? (it 
should read ext_if=ep1 not f=ep1)

Here is my pf.conf from one of my firewalls if it's any help to you. You might 
want to comment out the Block stuff and change the IP addresses for 
redirection etc.

# macros
int_if = "fxp0"
ext_if = "rl0"

tcp_services = "{ 22, 80, }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from any to $ext_if port smtp -> 10.2.0.15
#rdr pass on $int_if proto tcp from any to $int_if port 350 -> 10.2.2.202

# filter rules
block all

pass quick on lo0 all

pass in on $ext_if inet proto tcp from any to 10.2.0.15 port smtp
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

#pass in on $ext_if inet proto tcp from any to ($ext_if) \
#   port $tcp_services flags S/SA keep state

#pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Regards,

Ken




Re: Linux Router

2004-12-15 Thread Ken Gilmour
Captain's Log, stardate Tue, 14 Dec 2004 14:22:48 -0600, from the fingers of 
Michael Madden came the words:
 I figured out what was wrong with my OpenBSD 3.6 setup. I needed to
 setup pf=YES in /etc/rc.conf.  I must have missed this when reading
 through the install documentation.

 Anyhow these are the steps that worked for me:

 1.) Install OpenBSD 3.6 according to the directions at:
 http://www.openbsd.org/faq/faq4.html

 2.) Add the following line to /etc/sysctl.conf:
 net.inet.ip.forwarding=1

 3.) Add the following line to /etc/pf.conf: nat on ep1 from
 ep2:network to any -> (ep1)

 4.) Add the following to /etc/rc.conf: pf=YES

 Thanks again for all the help.

 Thanks,

 Mike

Glad you got it going Mike! Sorry i didn't mention that last pf=YES comment... 
I was doing it from the top of my head. Good job figuring it out!

Thanks and Regards,

Ken Gilmour BOFH
Script Monkey
Irish Operations



Re: Linux Router

2004-12-14 Thread Michael Madden
 The main point is that there are so many things to do in Linux in order to 
 configure it for masquerading (Recompiling Kernel etc). There are also so many 
 different commands that do exactly the same thing but in different ways. If a 
 person is starting off in firewalling it's not good to overwhelm them with 
 information. With OpenBSD, you simply edit stuff that's already there, for 
 example. These are the steps i would take to setup a gateway on a brand newly 
 setup OpenBSD machine:
 
 Uncomment the following in /etc/sysctl.conf
 
 net.inet.ip.forwarding=1
 net.inet6.ip6.forwarding=1 (if using IPv6)
 
 Uncomment and edit this line in /etc/pf.conf (stuff in  needs to be edited, 
 stuff in [] is optional)
 
 nat [pass] on interface [af] from src_addr [port src_port] to dst_addr 
 [port dst_port] -> ext_addr [pool_type] [static-port]
 
 You may then reboot the machine or just issue the following two commands:
 
 # sysctl net.inet.ip.forwarding=1
 
 Or
 
 # sysctl net.inet6.ip6.forwarding=1 (if using IPv6)
 
 Then
 
 # pfctl -f /etc/pf.conf
 
 You now have a fully working NAT box.
 
 To perform IP forwarding uncomment the port redirect line in pf.conf and 
 modify it to your taste then issue:
 
 # pfctl -f /etc/pf.conf
 
 The default configuration for the machine has zero known security holes. 
 (have a look at www.openbsd.org for security info)
 
 Regards,
 
 Ken
 

Forgive me if I'm new to the OpenBSD approach, but I've installed OpenBSD 3.6
on a laptop with 2 PCMCIA cards, and I cannot get any of my clients behind the
firewall to see beyond the firewall.

My two network cards are setup as:

bsdrouter# ifconfig ep1
ep1: flags=8863UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST mtu 1500
address: 00:60:97:87:8b:4d
media: Ethernet 10baseT
inet 172.16.1.100 netmask 0x broadcast 172.16.255.255
inet6 fe80::260:97ff:fe87:8b4d%ep1 prefixlen 64 scopeid 0x5
bsdrouter# ifconfig ep2
ep2: flags=8863UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST mtu 1500
address: 00:10:4b:ec:64:80
media: Ethernet 10baseT
inet 192.168.3.1 netmask 0xff00 broadcast 192.168.3.255
inet6 fe80::210:4bff:feec:6480%ep2 prefixlen 64 scopeid 0x6

I've got IP forwarding enabled:

bsdrouter# cat /etc/sysctl.conf
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets

Finally I've setup pf.conf:

bsdrouter# cat /etc/pf.conf
f=ep1
int_if=ep2
nat on $ext_if from !($ext_if) -> ($ext_if:0)

I rebooted the machine after the above network setup, and while I'm  
on the router I can see the 192.168.3.x network, the 172.16.x.x network,
and the internet.  But my Windows machines behind the firewall cannot
reach beyond the firewall even though the OpenBSD router is set as the
default gateway.  On machines on the 172.16.x.x network, I can reach the
router at 172.16.1.100 and the machines behind the router (if I add a route
to the 172.16.x.x machines). 

Has anyone experienced this before?

Thanks,
Mike




Re: Linux Router

2004-12-14 Thread Michael Madden
I figured out what was wrong with my OpenBSD 3.6 setup.
I needed to setup pf=YES in /etc/rc.conf.  I must have
missed this when reading through the install documentation.
Anyhow these are the steps that worked for me:
1.) Install OpenBSD 3.6 according to the directions at:
http://www.openbsd.org/faq/faq4.html
2.) Add the following line to /etc/sysctl.conf:
net.inet.ip.forwarding=1
3.) Add the following line to /etc/pf.conf:
nat on ep1 from ep2:network to any -> (ep1)
4.) Add the following to /etc/rc.conf:
pf=YES
Thanks again for all the help.
Thanks,
Mike
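
Added example, not part of Mike's or Ken's messages: a shell check covering the three things that had to line up in this thread before the OpenBSD 3.6 gateway passed traffic, namely forwarding enabled in sysctl.conf, pf=YES in rc.conf, and every $macro used in pf.conf actually being defined (the f=ep1 versus ext_if=ep1 slip Ken asked about). The function names and the sample files are constructed for illustration; the "broken" pf.conf mirrors the one posted above and the "fixed" one mirrors Mike's steps 2 to 4.

```shell
#!/bin/sh
# Added example: pre-flight check for a pf NAT gateway (hypothetical helper names).

# undefined_macros FILE -> prints every macro referenced as $name but never defined
undefined_macros() {
    file=$1
    # macro definitions: "name = value" at the start of an uncommented line
    defined=$(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$file" | sort -u)
    # macro references: $name anywhere outside a comment
    used=$(sed 's/#.*//' "$file" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$' | sort -u)
    for m in $used; do
        printf '%s\n' "$defined" | grep -qx "$m" || printf '%s\n' "$m"
    done
}

# setting_enabled FILE KEY VALUE -> exit 0 if an uncommented KEY=VALUE line exists
setting_enabled() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')     # dots in KEY are literal
    grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*$3([[:space:]]|#|\$)" "$1"
}

# check_gateway DIR -> one line per problem found in DIR/{sysctl,rc,pf}.conf;
# exit status 0 only when nothing was found
check_gateway() {
    dir=$1; problems=0
    if ! setting_enabled "$dir/sysctl.conf" net.inet.ip.forwarding 1; then
        echo "sysctl.conf: net.inet.ip.forwarding=1 is missing or commented out"
        problems=$((problems + 1))
    fi
    if ! setting_enabled "$dir/rc.conf" pf YES; then
        echo "rc.conf: pf=YES is not set, so pf.conf is not loaded at boot"
        problems=$((problems + 1))
    fi
    for m in $(undefined_macros "$dir/pf.conf"); do
        echo "pf.conf: macro \$$m is used but never defined"
        problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ]
}

# make_sample DIR broken|fixed -> writes constructed sample files into DIR
make_sample() {
    mkdir -p "$1"
    echo 'net.inet.ip.forwarding=1   # 1=Permit forwarding (routing) of packets' > "$1/sysctl.conf"
    if [ "$2" = broken ]; then
        printf '%s\n' 'f=ep1' 'int_if=ep2' \
            'nat on $ext_if from !($ext_if) -> ($ext_if:0)' > "$1/pf.conf"
        echo 'pf=NO' > "$1/rc.conf"          # constructed: pf left disabled
    else
        printf '%s\n' 'nat on ep1 from ep2:network to any -> (ep1)' > "$1/pf.conf"
        echo 'pf=YES' > "$1/rc.conf"
    fi
}

tmp=$(mktemp -d)
make_sample "$tmp/broken" broken
make_sample "$tmp/fixed" fixed
echo "== as first posted =="
check_gateway "$tmp/broken" || true
echo "== after Mike's steps 2-4 =="
check_gateway "$tmp/fixed" && echo "no problems found"
rm -rf "$tmp"
```

On the router itself, pfctl -n -f /etc/pf.conf parses the ruleset without loading it and is the authoritative syntax check; this sketch only covers the three points raised in the thread.
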


Re: Linux Router

2004-12-13 Thread Ken Gilmour
Captain's Log, stardate Mon, 13 Dec 2004 14:11:46 -0600, from the fingers of 
Michael Madden came the words:
 Does anyone know of a decent Linux based router project out there?
 In the past I've used LRP (http://www.linuxrouter.org), but it
 looks like the project isn't maintained anymore.

 My requirements are pretty simple.  I want to route traffic from
 network A to network B and route traffic from network B to A.  I
 don't need firewalling, but would like IP forwarding and NAT.  Any
 recommendations?

Linux is capable of routing by default almost. All you need are two interfaces 
and linux. You can use iptables (or ipchains if you're using an old distro) to 
do this. Personally i prefer OpenBSD to do this because it's very compact etc 
but I've also used Debian Woody to do the same task.

The only problem i have with Linux's iptables as opposed to OpenBSD's PF is 
that iptables has an overwhelming amount of stuff it can do and you can easily 
break it. But it is, however, much more configurable. You can set them to just 
allow everything through and use NAT and IP Forwarding in the process.

HTH

Regards,

Ken




RE: Linux Router

2004-12-13 Thread Croy, Nathan

 From: Michael Madden [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 13, 2004 5:31 PM
 
 Thanks for all the advice.  I guess something like
 LRP appealed to me more since it was floppy based
 and didn't require setting up a distro with many
 unneeded utilities. Does anyone know of an active
 floppy based firewall (Linux or *BSD)?

(maybe this time i'll reply to the list ;-)

I've never used it, but CoyoteLinux [1] appears to be active.
It even has a Windows based Wizard, if you are so inclined.

[1] http://www.coyotelinux.com/products.php?Product=coyote





Re: Linux Router

2004-12-13 Thread Ron Johnson
On Mon, 2004-12-13 at 17:31 -0600, Michael Madden wrote:
 Alex Barylo wrote:
[snip]
 
 Thanks for all the advice.  I guess something like
 LRP appealed to me more since it was floppy based
 and didn't require setting up a distro with many
 unneeded utilities. Does anyone know of an active
 floppy based firewall (Linux or *BSD)?

floppyfw does the trick.

-- 
-
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B I prefer encrypted mail.

The United States is not a nation to which peace is a
necessity.
Grover Cleveland





Re: Linux Router

2004-12-13 Thread Joao Clemente
Croy, Nathan wrote:
> > From: Michael Madden [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 13, 2004 5:31 PM
> > Thanks for all the advice.  I guess something like
> > LRP appealed to me more since it was floppy based
> > and didn't require setting up a distro with many
> > unneeded utilities. Does anyone know of an active
> > floppy based firewall (Linux or *BSD)?
> I've never used it, but CoyoteLinux [1] appears to be active.
> It even has a Windows based Wizard, if you are so inclined.
> [1] http://www.coyotelinux.com/products.php?Product=coyote

I've used Coyote for a long time. It was great. Easy to set up and it has
a 2.4 kernel (so you can use iptables if you need to manually tweak
something), a wizard that works OK from Windows, and a shell menu-driven
or web interface that allows you to set up most scenarios...
anything more complicated than you find in the interface, you can go to
the shell and set up yourself

Using floppy = read-only medium, easy system backup ;-), no noise, low 
heat... I was using it in a diskless/fanless P200 Classic with 16Mb Ram




Re: Linux Router

2004-12-13 Thread Ken Gilmour
Captain's Log, stardate Mon, 13 Dec 2004 17:31:18 -0600, from the fingers of 
Michael Madden came the words:
> Thanks for all the advice.  I guess something like
> LRP appealed to me more since it was floppy based
> and didn't require setting up a distro with many
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

OpenBSD is what i would most recommend. It can be installed from two floppies 
and fully customised. (www.openbsd.org) I _really_ love PF. Others may 
disagree. I've never had any problems with Linux firewalling / NATing / IP 
Forwarding for as long as i can remember, but i prefer OpenBSD simply because 
it only installs exactly what you tell it to from the time you put the floppy 
in (which some other people would have a problem with) and it's very low 
maintenance. The only time i ever needed to shut down an OpenBSD machine is 
when i was moving office. So far I've never needed to upgrade any hardware 
(probably because it doesn't do much work anyway).

# du -h pf.conf
2.0K    pf.conf

There's a Great man who once said Donuts - Is there anything they can't do? 
(Homer Simpson). Maybe when PF can be used as a contraceptive we can say that 
too!






Re: Linux Router

2004-12-13 Thread Scarletdown
Michael Madden wrote:
> Alex Barylo wrote:
> > I second that - I use my old AMD-K6 box with Sarge as a firewall. I use
> > and _highly_ recommend FIAIF firewall (http://www.fiaif.net/) - I
> > picked it up from securityfocus.com top tools.
> > HTH,
> > Alex.
>
> Thanks for all the advice.  I guess something like
> LRP appealed to me more since it was floppy based
> and didn't require setting up a distro with many
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

Freesco is a pretty decent floppy based router.
freesco.org




Re: Linux Router

2004-12-13 Thread William Ballard
On Mon, Dec 13, 2004 at 05:31:18PM -0600, Michael Madden wrote:
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

No.  Use an old laptop with a hard drive, and two PCMCIA net cards.
Take one floppy.  Put the OpenBSD install image on it.
Install OpenBSD via FTP and configure pf.

The package management system is similar to apt-get -- you can install 
an app and all dependencies with one command.

It is absolutely breathtaking as a router.  Utterly secure and never 
needs looking at.





Re: Linux Router

2004-12-13 Thread Alex Barylo
I second that - I use my old AMD-K6 box with Sarge as a firewall. I use
and _highly_ recommend FIAIF firewall (http://www.fiaif.net/) - I
picked it up from securityfocus.com top tools.

HTH,
Alex.





Re: Linux Router

2004-12-13 Thread Bruce Park

Ken Gilmour wrote:
> Captain's Log, stardate Mon, 13 Dec 2004 14:11:46 -0600, from the fingers of
> Michael Madden came the words:
> > Does anyone know of a decent Linux based router project out there?
> > In the past I've used LRP (http://www.linuxrouter.org), but it
> > looks like the project isn't maintained anymore.
> > My requirements are pretty simple.  I want to route traffic from
> > network A to network B and route traffic from network B to A.  I
> > don't need firewalling, but would like IP forwarding and NAT.  Any
> > recommendations?
>
> Linux is capable of routing by default almost. All you need are two interfaces
> and linux. You can use iptables (or ipchains if you're using an old distro) to
> do this. Personally i prefer OpenBSD to do this because it's very compact etc
> but I've also used Debian Woody to do the same task.
> The only problem i have with Linux's iptables as opposed to OpenBSD's PF is
> that iptables has an overwhelming amount of stuff it can do and you can easily
> break it. But it is, however, much more configurable. You can set them to just
> allow everything through and use NAT and IP Forwarding in the process.

Ken,
Can you explain this in further detail? I've used iptables on Woody for
almost two years without any problems. Thanks.

bp

> HTH
> Regards,
> Ken





Re: Linux Router

2004-12-13 Thread Michael Madden
Alex Barylo wrote:
> I second that - I use my old AMD-K6 box with Sarge as a firewall. I use
> and _highly_ recommend FIAIF firewall (http://www.fiaif.net/) - I
> picked it up from securityfocus.com top tools.
> HTH,
> Alex.

Thanks for all the advice.  I guess something like
LRP appealed to me more since it was floppy based
and didn't require setting up a distro with many
unneeded utilities. Does anyone know of an active
floppy based firewall (Linux or *BSD)?
Thanks,
Mike


Re: Linux Router

2004-12-13 Thread Ken Gilmour
Captain's Log, stardate Mon, 13 Dec 2004 19:26:40 -0500, from the fingers of 
Bruce Park came the words:
> Ken Gilmour wrote:
snip
> > The only problem i have with Linux's iptables as opposed to
> > OpenBSD's PF is that iptables has an overwhelming amount of stuff
> > it can do and you can easily break it. But it is, however, much
> > more configurable. You can set them to just allow everything
> > through and use NAT and IP Forwarding in the process.
>
> Ken,
>
> Can you explain this in further detail? I've used iptables on Woody
> for almost two years without any problems. Thanks.

The main point is that there are so many things to do in Linux in order to 
configure it for masquerading (Recompiling Kernel etc). There are also so many 
different commands that do exactly the same thing but in different ways. If a 
person is starting off in firewalling it's not good to overwhelm them with 
information. With OpenBSD, you simply edit stuff that's already there, for 
example. These are the steps i would take to set up a gateway on a newly 
set up OpenBSD machine:

Uncomment the following in /etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1 (if using IPv6)

Uncomment and edit this line in /etc/pf.conf (stuff in <> needs to be edited, 
stuff in [] is optional)

nat [pass] on <interface> [af] from <src_addr> [port <src_port>] to <dst_addr> 
[port <dst_port>] -> <ext_addr> [pool_type] [static-port]

You may then reboot the machine or just issue the following two commands:

# sysctl net.inet.ip.forwarding=1

Or

# sysctl net.inet6.ip6.forwarding=1 (if using IPv6)

Then

# pfctl -f /etc/pf.conf

You now have a fully working NAT box.

To perform IP forwarding uncomment the port redirect line in pf.conf and modify 
it to your taste then issue:

# pfctl -f /etc/pf.conf

The default configuration for the machine has zero known security holes. (have 
a look at www.openbsd.org for security info)

Regards,

Ken
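
The procedure in the message above comes down to two uncommented lines, one in /etc/sysctl.conf and one in /etc/pf.conf. The script below is an added example, not part of the original post: it checks both files before pfctl -f is run and also reports active port redirects and a missing block rule. The sample file contents, the interface name fxp0 and the addresses are constructed.

```shell
#!/bin/sh
# Pre-flight check for the OpenBSD gateway steps described in the thread.
# Added example; all file contents below are constructed samples.
# The "nat on ... ->" form is the syntax used on this page; later OpenBSD
# releases write NAT as nat-to on a pass or match rule instead.

# Print the value of the last uncommented "KEY=value" line in FILE ($1=FILE, $2=KEY).
sysctl_value() {
    sed -e 's/#.*$//' "$1" | awk -F= -v key="$2" '
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v }
        END { if (val != "") print val }'
}

# Print every uncommented rule in FILE whose first word is KEYWORD ($1=FILE, $2=KEYWORD).
active_rules() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$1" | grep -E "^$2([[:space:]]|\$)"
}

# $1 = sysctl.conf, $2 = pf.conf. Returns 0 only if forwarding and NAT are both active.
check_gateway() {
    rc=0
    if [ "$(sysctl_value "$1" net.inet.ip.forwarding)" = "1" ]; then
        echo "ok:   net.inet.ip.forwarding=1 is uncommented"
    else
        echo "FAIL: net.inet.ip.forwarding=1 is missing or still commented out"
        rc=1
    fi
    if active_rules "$2" nat >/dev/null; then
        echo "ok:   active nat rule(s):"
        active_rules "$2" nat | sed 's/^/        /'
    else
        echo "FAIL: no uncommented nat rule in $2"
        rc=1
    fi
    # Every active rdr line makes an internal service reachable from outside.
    rdr=$(active_rules "$2" rdr || true)
    if [ -n "$rdr" ]; then
        echo "note: port redirects expose these internal services:"
        echo "$rdr" | sed 's/^/        /'
    fi
    # pf passes any packet that no rule matches, so without a block rule
    # the box translates and forwards but filters nothing.
    if ! active_rules "$2" block >/dev/null; then
        echo "note: no block rule; this ruleset filters nothing"
    fi
    return $rc
}

# Write constructed "stock" and "edited" sample files into directory $1.
make_samples() {
    cat > "$1/sysctl.conf.stock" <<'EOF'
#net.inet.ip.forwarding=1    # 1=Permit forwarding (routing) of packets
EOF
    cat > "$1/sysctl.conf.edited" <<'EOF'
net.inet.ip.forwarding=1     # 1=Permit forwarding (routing) of packets
EOF
    cat > "$1/pf.conf.stock" <<'EOF'
#ext_if="fxp0"
#nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
#rdr on $ext_if proto tcp from any to any port 8080 -> 192.168.1.10 port 80
EOF
    cat > "$1/pf.conf.edited" <<'EOF'
ext_if="fxp0"
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 8080 -> 192.168.1.10 port 80
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "== stock files =="
check_gateway "$demo_dir/sysctl.conf.stock" "$demo_dir/pf.conf.stock" || true
echo "== after the edits =="
check_gateway "$demo_dir/sysctl.conf.edited" "$demo_dir/pf.conf.edited" || true
rm -rf "$demo_dir"
```

On a real machine the call would be check_gateway /etc/sysctl.conf /etc/pf.conf, followed by pfctl -f /etc/pf.conf only when it returns 0.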



Re: Linux Router

2004-12-13 Thread Sridhar M.A.
On Mon, Dec 13, 2004 at 05:31:18PM -0600, Michael Madden wrote:

> Thanks for all the advice.  I guess something like
> LRP appealed to me more since it was floppy based
> and didn't require setting up a distro with many
> unneeded utilities. Does anyone know of an active
> floppy based firewall (Linux or *BSD)?

If you have a cd drive, why not try the Live CD Router? Just boot off
the cd and it runs.

  http://www.wifi.com.ar/english/cdrouter.html

HTH,

-- 
Sridhar M.A.   GPG KeyID : F6A35935
  Fingerprint: D172 22C4 7CDC D9CD 62B5  55C1 2A69 D5D8 F6A3 5935

Plus ça change, plus c'est la même chose.
[The more things change, the more they remain the same.]
-- Alphonse Karr, Les Guêpes




Re: Linux Router

2004-12-13 Thread Ron Johnson
On Mon, 2004-12-13 at 15:46 -0800, Scarletdown wrote:
> Michael Madden wrote:
>
> > Alex Barylo wrote:
[snip]
>
> Freesco is a pretty decent floppy based router.
>
> freesco.org

Note, though, that it uses kernel 2.0.39.

-- 
-
Ron Johnson, Jr.
Jefferson, LA USA
PGP Key ID 8834C06B I prefer encrypted mail.

Don't be so open minded that your brains fall out.
s. keeling





Re: Linux router automatic redial

2003-03-18 Thread Steffen Ille
Compared to the TLUG mailing list, this here is pretty pathetic.
You torture Google, need an answer to the question of a 24/7 DSL line
with 100% reconnect, and what you get as an answer is a debate about the
morals and surfing habits of the plebs.
Thanks a lot, you X-perts... that really helped solve my problem.



-- 
Frequently asked questions and answers (FAQ): 
http://www.de.debian.org/debian-user-german-FAQ/

To UNSUBSCRIBE, send a mail to [EMAIL PROTECTED]
with the subject unsubscribe. Problems? Mail to [EMAIL PROTECTED] (in English)



Re: Linux router automatic redial

2003-03-18 Thread Udo Mueller
Hello Steffen,

* Steffen Ille wrote [18-03-03 23:07]:
> Compared to the TLUG mailing list, this here is pretty pathetic.
> You torture Google, need an answer to the question of a 24/7 DSL line
> with 100% reconnect, and what you get as an answer is a debate about the
> morals and surfing habits of the plebs.
> Thanks a lot, you X-perts... that really helped solve my problem.

And from exactly this reply the others can see why you
didn't get a solution.
If the TLUG is better, then go there.

You complain that nobody helps you, but I personally haven't
exactly read your name often either...

*shaking my head*

Pay us, or whoever is supposed to help you, and then you can
come out with remarks like that. Think about where you are!

Regards, Udo

-- 
If I tie a RedHat CD around a pig's neck and kick it,
you can say that KDE & Co. run fast even without RAM.
-- Robin S. Socha in de.comp.os.unix.linux.newusers--



Re: Linux router automatic redial

2003-03-18 Thread Ruediger Noack
--- Udo Mueller [EMAIL PROTECTED] wrote:

> * Steffen Ille wrote [18-03-03 23:07]:
> > [load of crap]
>
> You complain that nobody helps you, but I personally haven't
> exactly read your name often either...

I have just searched the archive from February onwards (because I wanted
to find the original posting) - without success.

Regards
Rüdiger



Re: Linux router.

2003-02-23 Thread PII 233
On Sun, 23 Feb 2003 13:49:35 -0500, Vincent M. wrote:
> Hi,
hello,

> I haven't fully mastered iptables and I tried this to do
[snip]

> Is there an app to generate this kind of rules
on the command line, you have ferm, which lets you write structured
rules that are much more readable.
It's a Debian package.
Example:

chain fw_icmp proto icmp {
    icmptype (
        pong destination-unreachable time-exceeded
    ) ACCEPT;
    DENY log;
}

> that works like a web server, webmin style: http://www.webmin.com/
granted, it's command line, but it's effective.

--
PII233




Re: Linux router.

2003-02-23 Thread Vincent M.

PII 233 wrote:

> On Sun, 23 Feb 2003 13:49:35 -0500, Vincent M. wrote:
> > Hi,
> hello,
>
> > I haven't fully mastered iptables and I tried this to do
> [snip]
>
> > Is there an app to generate this kind of rules
> on the command line, you have ferm, which lets you write structured
> rules that are much more readable.
> It's a Debian package.
> Example:
>
> chain fw_icmp proto icmp {
>    icmptype (
>    pong destination-unreachable time-exceeded
>    ) ACCEPT;
>    DENY log;
> }
>
> > that works like a web server, webmin style: http://www.webmin.com/
> granted, it's command line, but it's effective.

I skimmed through the docs a bit, and I don't think it will generate the
rules needed to preroute the MSN microphone connections, will it? The
rules I have set up are clean and clear, I'm just out of my depth when it
comes to getting the MSN microphone to work... :-(


Vincent.



Re: Linux router.

2003-02-23 Thread Charles Plessy
> Is there a way to do this without getting into installing an
> H323 server?  Is there an app to generate this kind of rules

see the thread "voix sur IP" (voice over IP) in the archives...

Charles



Re: Linux router automatic redial

2003-02-18 Thread Peter Palmreuther
Hi Eduard,

On Mon, 17 Feb 2003 22:33:33 +0100 Eduard Bloch [EMAIL PROTECTED] wrote:

> > Undoubtedly. But with DSL that shouldn't matter, IMHO. He has to keep
> > the port free anyway; only the traffic is expensive. But when the machine
> > is merely online, that is minimal. Those days should be over with the
> > broadband offerings.
>
> Show me the place in your contract where the provider commits to
> providing you with an exclusive connection port.
> A permanent ADSL connection by no means implies that all the
> machinery behind it is always available to you.

I think what J. Volkmann meant to say is that the ISP has to provide and
keep free one port on the DSLAM exclusively for each DSL user either way.
That is technically unavoidable, so the ISP gains nothing from a DSL
dial-in that doesn't happen; the port is gone and cannot be used for
anything else.

Even so, I find this 24/7 mentality fundamentally wrong. A machine dialed
in 24 hours a day, even via DSL and a flat rate, as a rule simply tempts
people into generating endless traffic.
Exceptions hav^Wprove the rule, but the dull masses just don't leave the
line idle for 23 out of 24 hours; it is more like full load for 25 out of
24 hours. :-(
-- 
Ciao,
 Pit






Re: Linux router automatic redial

2003-02-17 Thread Eduard Bloch
#include <hallo.h>
* J. Volkmann [Wed, Feb 12 2003, 06:54:38PM]:

> Undoubtedly. But with DSL that shouldn't matter, IMHO. He has to keep
> the port free anyway; only the traffic is expensive. But when the machine
> is merely online, that is minimal. Those days should be over with the
> broadband offerings.

Show me the place in your contract where the provider commits to
providing you with an exclusive connection port.
A permanent ADSL connection by no means implies that all the
machinery behind it is always available to you.

Gruss/Regards,
Eduard.
-- 
If Microsoft built cars ...
we would all have to switch to Microsoft gasoline (tm).





Re: Linux router automatic redial

2003-02-12 Thread J. Volkmann
Gerhard Schromm ([EMAIL PROTECTED]) wrote:

> On Tue, 11 Feb 2003, J. Volkmann verbalised:
>
> > Gerhard Schromm ([EMAIL PROTECTED]) wrote:
> > > On Mon, 10 Feb 2003, Udo Mueller said:
> > > > Because he has a flat rate and wants to be online 24/7?
> > >
> > > Why would anyone want that?
> >
> > To have ssh always reachable from outside, for example? Or
> > IMAP? Or service XY?
>
> For something like that you should do the job properly right away and
> get yourself a leased line (IMHO).

You'll laugh, but there are a damn lot of places in this country where you
can _not_ get a leased line.
Besides, not everyone craps money, certainly not school kids. So if you
have a flat rate, why shouldn't you use it as one?

Regards, Johannes





Re: Linux router automatic redial

2003-02-12 Thread Uwe Laverenz
J. Volkmann wrote:

> You'll laugh, but there are a damn lot of places in this country where you
> can _not_ get a leased line.

But you can rent a server regardless of where you live, if you want to
offer server services.

> Besides, not everyone craps money, certainly not school kids. So if you
> have a flat rate, why shouldn't you use it as one?

Exactly, always use it at full blast, after all you're paying for the
flat rate, right? It is precisely this attitude that has led a major
provider in the north-west to just discontinue its DSL flat rate.

But this is completely OT here.

cu,
Uwe





Re: Linux router automatic redial

2003-02-12 Thread Nico Lehmann
Hi
Because I have a flat rate and want to make full use of it; when I have
paid for the Internet connection for a month, I don't want to give away a
single minute of it. Otherwise I could just as well have kept my normal
connection. Besides, I am the only one in my family who can re-establish
the Internet connection, which is why my father always woke me early in
the morning, when I could have slept in, so that I would turn the
Internet back on.
Regards
Nico Lehmann






Re: Linux router automatic redial

2003-02-12 Thread J. Volkmann
Uwe Laverenz ([EMAIL PROTECTED]) wrote:

> J. Volkmann wrote:
>
> > You'll laugh, but there are a damn lot of places in this country where you
> > can _not_ get a leased line.
>
> But you can rent a server regardless of where you live, if you want to
> offer server services.

1. I can't afford one.
2. I need data that I have here locally. What would I do with a machine
somewhere in the middle of nowhere? That may work for IMAP, but for SSH
it only makes very limited sense.

And whether it is cheaper for your ISP if you are constantly syncing your
IMAP with your machines, or if it syncs once, with one machine of yours,
is an open question.

> > Besides, not everyone craps money, certainly not school kids. So if you
> > have a flat rate, why shouldn't you use it as one?
>
> Exactly, always use it at full blast, after all you're paying for the
> flat rate, right? It is precisely this attitude that has led a major
> provider in the north-west to just discontinue its DSL flat rate.

Undoubtedly. But with DSL that shouldn't matter, IMHO. He has to keep
the port free anyway; only the traffic is expensive. But when the machine
is merely online, that is minimal. Those days should be over with the
broadband offerings.

Regards, Johannes





Re: Linux router automatic redial

2003-02-11 Thread Gerhard Schromm
On Mon, 10 Feb 2003, Udo Mueller said:

> Hello Marc,
>
> * Marc Haber wrote [10-02-03 21:48]:
> > On 01 Feb 2003 17:20:34 +0100, Nico Lehmann [EMAIL PROTECTED]
> > wrote:
> > > I have the following problem: how do I teach my Linux router
> > > that, if the connection is terminated unintentionally, it should
> > > dial in again.
> >
> > Why do you want that?
>
> Because he has a flat rate and wants to be online 24/7?

Why would anyone want that?

If you are constantly downloading something, dial on demand should solve
the problem.

bye Gerhard





Re: Linux router automatic redial

2003-02-11 Thread J. Volkmann
Gerhard Schromm ([EMAIL PROTECTED]) wrote:

> On Mon, 10 Feb 2003, Udo Mueller said:
>
> > Hello Marc,
> >
> > > Why do you want that?
> >
> > Because he has a flat rate and wants to be online 24/7?
>
> Why would anyone want that?

To have ssh always reachable from outside, for example? Or
IMAP? Or service XY?

Regards, Johannes





Re: Linux router automatic redial

2003-02-11 Thread Michael Schulz
J. Volkmann wrote on 11.02.2003 at 12:35:59 +0100:
Hello J.,

> Gerhard Schromm ([EMAIL PROTECTED]) wrote:
>
> > On Mon, 10 Feb 2003, Udo Mueller said:
> >
> > > Hello Marc,
> > >
> > > > Why do you want that?
> > >
> > > Because he has a flat rate and wants to be online 24/7?
> >
> > Why would anyone want that?
>
> To have ssh always reachable from outside, for example? Or
> IMAP? Or service XY?

if he has an ISDN card in the machine, he can call it and
then have the machine go online. Just as an example :-)
See you,

Michael






Re: Linux router automatic redial

2003-02-11 Thread Johannes Studt
On Tue, Feb 11, 2003 at 08:05:23PM +0100, Michael Schulz wrote:
> J. Volkmann wrote on 11.02.2003 at 12:35:59 +0100:
> > Gerhard Schromm ([EMAIL PROTECTED]) wrote:
> > > On Mon, 10 Feb 2003, Udo Mueller said:
> > > > Why do you want that?
> > > > Because he has a flat rate and wants to be online 24/7?
> > > Why would anyone want that?
> > To have ssh always reachable from outside, for example?
> > Or IMAP? Or service XY?
> if he has an ISDN card in the machine, he can call it and
> then have the machine go online. Just as an example :-)

Sure. You can also memorize the number of the local taxi company,
call them when needed, have a taxi sent round to your home and have
the driver ring the neighbour's doorbell. The neighbour then has to
knock on the door at a previously agreed spot and thereby trigger the
hand-clap switch mounted behind it, which in turn switches on the PC
and thus establishes the connection.

What is the point of this, IMHO pointless, schoolmasterly lecturing?
What actually speaks _against_ being online 24/7?  The days of busy
dial-up lines are over. *shakes head*

Hannes






Re: Linux router automatic redial

2003-02-11 Thread Gerhard Schromm
On Tue, 11 Feb 2003, J. Volkmann verbalised:

> Gerhard Schromm ([EMAIL PROTECTED]) wrote:
> > On Mon, 10 Feb 2003, Udo Mueller said:
> > > Because he has a flat rate and wants to be online 24/7?
> >
> > Why would anyone want that?
>
> To have ssh always reachable from outside, for example? Or
> IMAP? Or service XY?

For something like that you should do the job properly right away and
get yourself a leased line (IMHO).

bye Gerhard





Re: Linux router automatic redial

2003-02-10 Thread Marc Haber
On 01 Feb 2003 17:20:34 +0100, Nico Lehmann [EMAIL PROTECTED] wrote:
> I have the following problem: how do I teach my Linux router that,
> if the connection is terminated unintentionally, it should dial in again.

Why do you want that?

Greetings
Marc, turning his orthographic stomach back the right way round

-- 
-- !! No courtesy copies, please !! -
Marc Haber  |Questions are the | Mail address in header
Karlsruhe, Germany  | Beginning of Wisdom  | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG Rightful Heir | Fax: *49 721 966 31 29






Re: Linux router automatic redial

2003-02-10 Thread Udo Mueller
Hello Marc,

* Marc Haber wrote [10-02-03 21:48]:
> On 01 Feb 2003 17:20:34 +0100, Nico Lehmann [EMAIL PROTECTED] wrote:
> > I have the following problem: how do I teach my Linux router that,
> > if the connection is terminated unintentionally, it should dial in again.
>
> Why do you want that?

Because he has a flat rate and wants to be online 24/7?

Regards, Udo

-- 
... My girlfriend says I don't pay attention, or something like that.





Re: Linux router automatic redial

2003-02-01 Thread Patrick Schnorbus
On Saturday, 1 February 2003 17:20, Nico Lehmann wrote:

> I have the following problem: how do I teach my Linux router that,
> if the connection is terminated unintentionally, it should dial in again.
> To connect I use pppoe. I have already tried commenting out persist in
> /etc/ppp/options, but that had no effect. I would be very grateful for
> any help, since otherwise I will keep being woken up every morning to
> restore the Internet connection.

Scripts located in /etc/ppp/ip-down.d are executed when the
PPP connection is terminated. You can simply put a re-dial-in script
in there, e.g.:


#!/bin/sh

# Give the system a few seconds to clear up
sleep 5;

# And now, let's rock'n'roll and reconnect
pon dsl-provider

#EOF


cheers
Pat






Re: Linux router with ADSL

2002-12-14 Thread Patrick Pletscher
Hello,

I think I have now understood the business with the ADSL device: from the
Linux PC I can now reach the modem's configuration via the IP 192.168.1.1.
But what else do I have to enter in the various network configuration
files so that all requests for destinations outside the network are first
routed via the Debian PC, and from there on to 192.168.1.1?

Many thanks and regards, Patrick






Re: Linux router with ADSL

2002-12-14 Thread Patrick Pletscher
Hello,

I think I have just found the error, I just don't quite know yet how to
fix it :). The problem is that every time an unknown address comes up
(e.g. google.com), the Linux router tries to dial in via ISDN (because of
the earlier configuration). How do I turn that off and make it understand
that it should forward requests for unknown addresses to the ADSL router?

Many thanks and regards, Patrick






Re: Linux router with ADSL

2002-12-14 Thread Alexander Grümmer
Hi, first of all the question is whether you really have a router or a 
modem! If it is a router, it should be enough to set the DEFAULTROUTE to 
192.168.1.1 and also switch on IP forwarding

If it is only a modem, you also have to do the NAT (masquerading). 
For that it is best to use iptables. You can find an example script that 
is a pretty good start at netfilter.org (or something like that)...
there you will also get a very comprehensive HOWTO, so it comes down to 
RTFM there

Regards, Alexander

Patrick Pletscher wrote:
> Hello,
>
> I think I have now understood the business with the ADSL device: from the
> Linux PC I can now reach the modem's configuration via the IP 192.168.1.1.
> But what else do I have to enter in the various network configuration
> files so that all requests for destinations outside the network are first
> routed via the Debian PC, and from there on to 192.168.1.1?
>
> Many thanks and regards, Patrick
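
The two cases in the reply above (a real router upstream versus a plain modem), as an added example that is not part of the original message: the script prints the commands for each case so they can be reviewed before anything is run. The interface names ppp0 and eth0 and the LAN prefix 192.168.0.0/24 are assumptions; 192.168.1.1 is the ADSL device from the thread.

```shell
#!/bin/sh
# Added example: print (do not run) the commands for the two cases in the thread.
# Interface names and the LAN prefix are constructed sample values.

valid_ip() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    valid_ip "${1%/*}" && case ${1#*/} in
        [0-9]|[12][0-9]|3[0-2]) ;;
        *) return 1 ;;
    esac
}

# Letters, digits, dot, underscore and dash only, at most 15 characters.
valid_if() {
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# Case 1: the ADSL device is a real router and does the NAT itself.
# The Debian machine only forwards and points its default route at it.
# Replies only find their way back if the ADSL router has a route to the
# LAN behind the Debian machine, or the LAN shares the router's subnet.
plan_behind_router() {    # $1 = address of the ADSL router
    valid_ip "$1" || { echo "bad gateway address: $1" >&2; return 2; }
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "ip route replace default via $1"
}

# Case 2: the device is only a modem, so the Debian machine masquerades.
# FORWARD is default-deny: the LAN may open connections outwards, and only
# reply traffic belonging to those connections is let back in.
plan_behind_modem() {     # $1 = WAN interface, $2 = LAN interface, $3 = LAN prefix
    valid_if "$1" && valid_if "$2" || { echo "bad interface name" >&2; return 2; }
    [ "$1" != "$2" ] || { echo "WAN and LAN interface must differ" >&2; return 2; }
    valid_cidr "$3" || { echo "bad LAN prefix: $3" >&2; return 2; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $2 -o $1 -s $3 -j ACCEPT
iptables -A FORWARD -i $1 -o $2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $1 -s $3 -j MASQUERADE
EOF
}

echo "# ADSL device is a router:"
plan_behind_router 192.168.1.1
echo "# ADSL device is only a modem:"
plan_behind_modem ppp0 eth0 192.168.0.0/24
```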









Re: Linux router with ADSL

2002-12-13 Thread Jens Müller
Patrick Pletscher [EMAIL PROTECTED] writes:

> now I wanted to detect the ADSL router using pppoeconf, but it finds
> nothing on the two eth cards, or do I not need pppoeconf at all

No, you don't need it.

What does pppoe -A -I eth1 say?
-- 
Please don't CC me on replies!






Re: Linux router with ADSL

2002-12-13 Thread Eduard Bloch
Hi Jens!
Jens Müller wrote on Friday, 13 December 2002:

> > now I wanted to detect the ADSL router using pppoeconf, but it finds
> > nothing on the two eth cards, or do I not need pppoeconf at all
>
> No, you don't need it.


> What does pppoe -A -I eth1 say

Don't you think these two statements contradict each other, given the
keyword "router"? ;-)

A router is a router. It gets configured as the IP gateway (man interfaces).
If it hands out the IPs itself and only routes for those, then
install dhcp-client or pump and then once again: man interfaces,
keyword: dhcp.

Gruss/Regards,
Eduard.
-- 
security is an exercise in applied paranoia






Re: LINUX ROUTER

2002-04-23 Thread Giuliano Cardozo Medalha
Hi

You can use the iproute package

However, you have to recompile the kernel so that it supports the functionality

Search Google for iproute2

It will give you more details on how to do it

See you

Giuliano








Re: LINUX ROUTER

2002-04-23 Thread Eduardo Marcel Maçan
On Tue, 23 Apr 2002 10:07:12 -0300 Raphael Bittencourt Simões Costa
> Hello friends,
>
> How do I turn my Debian 2.2r5 into a router???

It depends on the brand of router you want... if you want a
Cisco, take a silver basin, let it rest with spring water
for 3 full-moon nights together with watercress, rosemary and nutmeg.
Drink the water and recite the following verse while walking in circles
around the computer: babaluaô babaluaô, turn the PC into a
router.

If that doesn't work, you can try installing as many network cards
as fit in the slots, or as you need (in general you don't
need more than 3)...

To enable packet forwarding between interfaces, you
edit the file /etc/network/options and change ip_forward=no
to yes so that from the next boot on it has
forwarding enabled by default... you don't need to reboot just
to activate it, you can give the command by hand:

echo 1 > /proc/sys/net/ipv4/ip_forward

To enable packet forwarding between interfaces.
From there on, everything you will have to do depends
on your needs; it is impossible to guess because your
question was far too generic and we know absolutely
nothing about your network. Sorry about the joke
in the first paragraph ;)

Good luck

-- 
Eduardo Marcel Maçan    Gerente de Redes / Network Manager
[EMAIL PROTECTED]   Colégio Bandeirantes





Re: LINUX ROUTER

2002-04-23 Thread Fabio Brito
On Tuesday 23 April 2002 13:27, Eduardo Marcel Maçan wrote:
> On Tue, 23 Apr 2002 10:07:12 -0300 Raphael Bittencourt Simões Costa
> > Hello friends,
> >
> > How do I turn my Debian 2.2r5 into a router???
>
> If that doesn't work, you can try installing as many network cards
> as fit in the slots, or as many as you need (in general you don't
> need more than 3)...

Besides the network cards, you will probably need at least one
WAN interface.

I recommend taking a look at the Cyclades PC-300.




-- 
+-[Fábio Brito d'Araújo e Oliveira]-+
|      Technology Coordinator       | No, my room is not messy.
|          A Tarde On Line          | I just use distributed
|www.atarde.com.br  ICQ UIN:13597090| object technology
+--[Registered Linux User #101978]--+





Re: [Linux: Router] What does I need ???

1999-12-08 Thread Oki DZ


Michelle Konzack wrote:
> Now, my Question is, WHAT DO I NEED to install a simple Router ???
>
...
> Currently I must work with IP-Masquerading only...
> ...but it runs.
>
> OK, I have a LRP 2.9.4 box running which is based on Debian 2.1 (2.0.36).
> I have no knowledge from ipchains and ...

If you have LRP, so what's the problem? All you need is to set it up.
I have a router machine which is a 486/8MHz running Linux that I
downloaded from www.linuxrouter.org.

The setup is pretty simple; you need to download the kernel from the
site, download the modules (according to the NICs you have), put the
image on a floppy, and then boot the machine. root login will lead you
to the lrcfg (a menu-based program for configuring the router); using
the program you can set what modules to load, the IP addresses, etc.
Don't forget to back-up the system; meaning, putting everything back
to the floppy.

Oki


Re: Linux router and NetMeeting

1999-08-30 Thread Bob Nielsen
This is because the router uses NAT and the packets arriving at your
friend's computer appear to come from your router, not your NT server. 
I'm not familiar with Netmeeting, but if it tries to create a return
connection, this may not work.  Several other protocols do this and only
some of them are supported by Linux IP masquerading via modules which
are created when you compile your kernel. 

My router runs 2.0.37 which supports this for cuseeme, irc, 
ftp, quake, vdolive and real audio.  I tried ICQ, but didn't have any
luck.  I suspect this is what is happening to you with Netmeeting.

Bob


On Mon, Aug 30, 1999 at 07:00:20PM +0100, Carlos Santos wrote:
> Here's my problem (please help if you can):
>
> I've setup a Linux to route between my intranet and the Internet (through a
> cable modem). I'm using IP Masquerading, which is working fine and has been
> for a long time. Now, i'm trying to connect to a friend of mine through
> Netmeeting and i can't get the router to let sound go both ways (i'm using
> my intranet NT server, that goes through a Linux router, that connects to
> the net by cable modem). I call my friend, he accepts the connection, i
> speak through my microphone and he hears me ok but i can't hear him. It
> seems some kind of restriction at the ip masquerading level but i can't
> figure out what. Ftp is working fine, telnet, http, you name it. But i
> can't get Netmeeting to work.
>
> Any ideas ?
> Thanks,
> Carlos.
>
> -
> CARLOS SANTOS  (ICQ: 21537583)
> NETOSFERA: http://www.netosfera.pt
> Tel(Phone): (+351 53 276998)
> Fax: (+351 53 274255)
> Braga - Portugal

-- 
Bob Nielsen Internet: [EMAIL PROTECTED]
Tucson, AZ  AMPRnet:  [EMAIL PROTECTED]
DM42nh  http://www.primenet.com/~nielsen


Re: Linux router and NetMeeting

1999-08-30 Thread ferret


I think someone needs to write an IP masq helper module for Netmeeting. I
just got the port specs from M$'s site, and I'm looking into how to do it
right now. I'll post what I have in a few days (Don't have time to do any
coding during work days. : ), and hopefully...
I could also use someone to help me test the thing. :

On Mon, 30 Aug 1999, Carlos Santos wrote:

> Here's my problem (please help if you can):
>
> I've setup a Linux to route between my intranet and the Internet (through a
> cable modem). I'm using IP Masquerading, which is working fine and has been
> for a long time. Now, i'm trying to connect to a friend of mine through
> Netmeeting and i can't get the router to let sound go both ways (i'm using
> my intranet NT server, that goes through a Linux router, that connects to
> the net by cable modem). I call my friend, he accepts the connection, i
> speak through my microphone and he hears me ok but i can't hear him. It
> seems some kind of restriction at the ip masquerading level but i can't
> figure out what. Ftp is working fine, telnet, http, you name it. But i
> can't get Netmeeting to work.
>
> Any ideas ?
> Thanks,
> Carlos.
>
> -
> CARLOS SANTOS  (ICQ: 21537583)
> NETOSFERA: http://www.netosfera.pt
> Tel(Phone): (+351 53 276998)
> Fax: (+351 53 274255)
> Braga - Portugal


Re: Linux router and NetMeeting

1999-08-30 Thread ferret


On Mon, 30 Aug 1999 [EMAIL PROTECTED] wrote:

 
 
> I think someone needs to write an IP masq helper module for Netmeeting. I
> just got the port specs from M$'s site, and I'm looking into how to do it
> right now. I'll post what I have in a few days (Don't have time to do any
> coding during work days. : ), and hopefully...
> I could also use someone to help me test the thing. :

Okay.. I just looked at the kernel sources and little bits of
documentation, and I'm completely stumped on how to actually write the
ip_masq modules.

So here's the ports Netmeeting uses:

389   Internet locator server (TCP)
522   User location server (TCP)
1503  T.120 (TCP)
1720  H.323 call setup (TCP)
1731  Audio call control (TCP)
DYN   H.323 call control (TCP)
DYN   H.323 streaming RTP (UDP)

The information is at
http://support.microsoft.com/support/kb/ARTICLES/Q158/23.asp



> On Mon, 30 Aug 1999, Carlos Santos wrote:
>
> > Here's my problem (please help if you can):
> >
> > I've setup a Linux to route between my intranet and the Internet (through a
> > cable modem). I'm using IP Masquerading, which is working fine and has been
> > for a long time. Now, i'm trying to connect to a friend of mine through
> > Netmeeting and i can't get the router to let sound go both ways (i'm using
> > my intranet NT server, that goes through a Linux router, that connects to
> > the net by cable modem). I call my friend, he accepts the connection, i
> > speak through my microphone and he hears me ok but i can't hear him. It
> > seems some kind of restriction at the ip masquerading level but i can't
> > figure out what. Ftp is working fine, telnet, http, you name it. But i
> > can't get Netmeeting to work.
> >
> > Any ideas ?
> > Thanks,
> > Carlos.
> >
> > -
> > CARLOS SANTOS  (ICQ: 21537583)
> > NETOSFERA: http://www.netosfera.pt
> > Tel(Phone): (+351 53 276998)
> > Fax: (+351 53 274255)
> > Braga - Portugal
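
The one-way audio described in this thread, as an added example that is not part of the original posts: a small Python model of a masquerading router's connection table. Addresses, inside ports and the masquerade port range are constructed; only TCP 1720 and the dynamic RTP row come from the port list above, and the model assumes the return audio arrives on a port negotiated inside the H.323 control channel, which is what a helper module would have to track.

```python
from dataclasses import dataclass, field

@dataclass
class MasqRouter:
    """Constructed model of a masquerading router's connection table."""
    table: dict = field(default_factory=dict)  # (proto, public_port, remote_ip) -> inside
    next_port: int = 61000                     # constructed masquerade port range

    def outbound(self, proto, inside, remote_ip):
        """An inside host opens a flow: rewrite its source port and remember it."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(proto, port, remote_ip)] = inside
        return port

    def expect(self, proto, public_port, remote_ip, inside):
        """What a protocol helper adds: a mapping for a port named in the payload."""
        self.table[(proto, public_port, remote_ip)] = inside

    def inbound(self, proto, public_port, remote_ip):
        """Inside (ip, port) the packet is forwarded to, or None if it is dropped."""
        return self.table.get((proto, public_port, remote_ip))

def simulate_call(helper):
    """One call from an inside host to a friend; returns which legs get through."""
    router, friend = MasqRouter(), "203.0.113.5"   # documentation address, constructed
    nt_server, rtp_port = "192.168.1.10", 49180    # constructed inside host and RTP port
    # Call setup to friend:1720 (H.323 call setup) and our own outgoing RTP stream.
    setup = router.outbound("tcp", (nt_server, 1025), friend)
    audio_out = router.outbound("udp", (nt_server, 49178), friend)
    if helper:  # a helper module read rtp_port out of the control channel
        router.expect("udp", rtp_port, friend, (nt_server, rtp_port))
    return {
        "setup_reply": router.inbound("tcp", setup, friend) is not None,
        "our_audio_mapped": ("udp", audio_out, friend) in router.table,
        # The friend's RTP goes to the negotiated port, which no outbound packet opened.
        "we_hear_friend": router.inbound("udp", rtp_port, friend) is not None,
    }

if __name__ == "__main__":
    print("no helper:  ", simulate_call(helper=False))
    print("with helper:", simulate_call(helper=True))
```

Without a helper the only unmatched leg is the inbound RTP stream, which matches the symptom in the quoted question: the call connects and outgoing audio works, but incoming audio is dropped at the router.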
  
  
 
 


Re: Linux Router Project -- About to get working and need more people!

1997-07-17 Thread Bruce Perens
Try the root on the resc1440.bin floppy. It contains a functional Unix
tool set, a good shell, and an editor. It fits on a 1.44MB ramdisk image,
compresses down to 700KB on the floppy, leaves enough room for the kernel
on the same 1.44MB floppy, and supports shared libraries. You would be hard
pressed to improve on its size.

If you study the script that builds it in the boot-floppies package, you'll
learn the dirty tricks necessary to get a system in a space that small.

Thanks

Bruce
-- 
Bruce Perens K6BP   [EMAIL PROTECTED]   510-215-3502
Finger [EMAIL PROTECTED] for PGP public key.
PGP fingerprint = 88 6A 15 D0 65 D4 A3 A6  1F 89 6A 76 95 24 87 B3 




Re: Linux Router Project -- About to get working and need more people!

1997-07-17 Thread Dermot John Bradley
I'm willing to help. Although not a networking guru I've created several
Debian networking-based packages (Merit radiusd, Hylafax, MRTG, gated
[internal use only], nocol).

-- 
Dermot Bradley
Derry/Belfast, Northern Ireland
[EMAIL PROTECTED]
[EMAIL PROTECTED]

