Hello,

I got problems setting up a firewall/gateway using two ethernetcards
I want to set up a network in the following way:

Mandrake 10.0,
dsl modem (speedtouch 510) to a eth0 on pc, from pc eth1 to switch, all clients behind switch.
The pc with the two ethernetcards is gonna act as firewall, dhcp-server, dns-server.

I tried to work with the network wizards, but for some reasing the one wizard seems to f*ck up the other (for example dns, or dhcp, more about this later)

My main question is how to make a static client for the switch, I can assign an ip addrress to the switch via a serial cable console session, so that's no prob,
but where should I enter my switch its ip-address in the server so they are able to ping eachother?

The clients-pc's can be dhcp-client, but for some reason (always had it before with a more simple setup) my switch doesn't like the boot/dhcp option in it's menu so I used to do it static.

Old setup: In my speedtouch I was able to write the switch it's information, then autodhcp all the client-computers via speedtouchs dhcp server.

But now my server must take over the speedtouch it's dhcp, dns servers, (and nat forwarding from speedtouch to server) How can I do that with mandrake?

I installed Mandrake 10.0, and the following packages:

-routed (router)
-dhcpd (dhcp-server)
-bind (dns-server)
-iptables (package filtering firewall)
-shorewall (firewall)
-squid (proxy-server)

Later after failure (with an old redhat helpfile how to edit network, with dhcp and dns) I edited most stuff with vi editor but after I made the dhcp server and tested it, it failed and gave an output: dns should be like this, tried what output said, failed (I think because of old example version redhat)
So i got stuck both the wizard and the manual way.

setup:

adsl speedtouch st510(i) router, still with dhcp, dns, napt all on
ext ip/netmask: my.ip.to.provider/32
int ip/netmask: 10.0.0.138/24
|
|
etho server
ip/netmask: 10.0.0.166/255.255.0.0
dnsserver1: 10.0.1.2 dnsserver2: 10.0.0.138

eth1 server
ip/netmask: 10.0.1.2/255.255.0.0
gateway: 10.0.1.2 eth1
dnsserver: 10.0.1.2 dnsserver2: 10.0.0.138
dhcpserver: 10.0.1.2
range 10.0.1.3/10.0.1.60
internet device eth0
|
|
switch
ip/netmask: 10.0.1.3/255.255.255.0
|
|
internal network
bootdhcp


Making the internal network, with the wizards i get stucked with dhcp-server, it keeps saying that server must be in range with range entered above the surver address? why?

Is there a mistake in my setup or has anyone suggestions, I don't mind editing it all but dhcp reports error! bout dns, maybe someone knows what to enter?

How to do the stuff with static ip's for my switch?

help?

sjoerd,

thanks!

IMHO using DHCP on small networks is a waste of time and resources. You can, however, disable DHCP from rewriting the network configs each time it starts, this is done from within the DHCP setup wizard.
My advice would be sending the DHCP server to the Forgotten Realms of Oblivion and use a static setup, which is faster to boot and doesn't mess up the configs.

The scheme would be using the machine with the two ether cards as default gateway. To refresh your info:
On the server set the default gateway to ETH0 pointing to the router's IP address.

IN the server install a package called "caching nameserver", this is a prebuild package that makes Bind act as a local caching-only nameserver.
Info on the package:
caching nameserver

Configure the boxes connected to eth1 to point to this DNS server and the server to use the speedtouch DNS server.

Now you need to decide how you want your boxes to connect to the internet. You have two choices: NAT or proxy.

Natting will make that all the connections are translated by the server so that the router will only see one single IP.
What a proxy does is also quite obvious.

You could also consider another approach:
Connecting all the machines *and* the router to the switch, this way you can have direct internet connection on all boxes and you would only require a single ethernet card on you 'server'.

The speedtouch has indeed a nice firewall and DNS servers and all the stuff, so the only thing you need is to set all your boxes with your routers IP as default gateway and pointing to the router's DNS server. You would also need a firewall in each box. You can access the router connecting to it's build-in web server, instead of using a terminal. Just connect to http://10.0.0.2

I would use firestarter instead of shorewall, as it has a GUI interface and enables you to change settings in real time. It's really easy to set up (a nice wizard) and as it's only a frontend to iptables it's exactly as powerful as shorewall (and the script is also a very nice piece of work). Be also sure that you haven't both, iptables and shorewall running, as it can lead to a completely b0rked network.

I can't stat why you use eth1 as gateway on eth1, the gateway on the server should be the IP of the router.
Why dose your switch have an IP address, anyway?

In short:

Send DHCP to hell,

On the server:
ETH1: gateway set to the router
ETH0: DNS server the one in the router
Install caching nameserver.


On the other boxes:

each box's ETH0: gateway set to the server (the IP of ETH0 on the server
DNS pointing to the server's caching nameserver.

If you need a more detailed explanation on how to set up a network by hand (it's not much work, anyway), just post and we will explain, it's easy, useful and once it's set up it doesn't fucks with the rest of the settings.
DHCP is practical only if you have a large network of dynamically connecting machines.

Veel geluk ;)