LinuxQuestions.org

AntonGolovin 01-30-2010 12:09 AM

Lost among routers, firewalls, and access points.
 
Would anyone please be kind enough to comment on this outrageous setup I "invented":

cable modem (dynamic ip)

|
|

router (dynamic for modem, static 192.168.1.1 internally)

|
|

debian firewall/nat/dnsmasq with dhcp (two interfaces: eth0 for router above [static 192.168.1.2]; eth1 for switch below [static 192.168.3.1])

|
|

8-port gigabit switch ---- wireless router/ access point(static 192.168.3.254) - DHCP'd laptops (not working)

|
|

static LAN computers
Would you please help me understand the following:

1) The static LAN computers work ok. They find the dnsmasq on the debian computer, and they can access each other via dns, and the internet.

2) I can also ping the wireless router/access point from any of my other computers.

3) I cannot seem to make DHCP on the debian work. If I connect a laptop via wire to the gigabit switch, it will not find the DHCP server on the debian. In fact, it will give me a strange message: pinging 192.168.1.1 from 192.168.1.2... and then that it failed.

4) I cannot make a wireless connection via the wireless router/access point. I also cannot make a wired connection from it - none at all if I configure it for DHCP. I can, however, get to 192.168.1.1 if I configure a laptop in a wired connection statically. But in neither case can I connect to the internet.

Both routers have DHCP servers disabled and static IPs assigned, so there is only one DHCP server that should be running - of dnsmasq.

Thank you for your response. The reason why I did not make the frontline router statically route packets to my debian is because I would like to keep the flexibility of adding other networks to it later if needed; and also, it was simpler to have debian have a static address on its eth0 interface, rather than a dynamic one.

AntonGolovin 01-30-2010 01:58 AM

Solved accidentally.
 
If anyone else is having this issue, adding this line to the iptables script helped:

Code:

# enable broadcast traffic on the internal (LAN-facing) interface, $INTIF
iptables -A INPUT -i $INTIF -d 255.255.255.255 -j ACCEPT

This apparently enabled DHCP broadcast requests from a laptop to reach the firewall, which is also hosting the DNS/DHCP server. This makes me wonder whether this setup is recommended.

Please advise on the security implications.

Anton.
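The rule in the post above accepts any packet sent to 255.255.255.255 on the internal interface. As an added example (not from the thread), the script below puts that rule next to a narrower set that admits only what DHCP and DNS clients actually send; it assumes, as in the first post, that eth1 is the LAN-facing interface at 192.168.3.1 serving 192.168.3.0/24, and prints the rules instead of applying them when DRY_RUN=1.

```shell
#!/bin/sh
# Added example (not from the thread): narrower INPUT rules for the Debian
# box's LAN side. Assumes, as in the first post, that eth1 is the internal
# interface with address 192.168.3.1 and serves 192.168.3.0/24.
INTIF="${INTIF:-eth1}"
INTNET="${INTNET:-192.168.3.0/24}"

# Wrapper: with DRY_RUN=1 the rules are printed instead of applied,
# so the set can be reviewed before it touches a live firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The rule from the thread: any protocol and any port are accepted as long
# as the packet is addressed to the limited broadcast address.
broad_rule() {
    ipt -A INPUT -i "$INTIF" -d 255.255.255.255 -j ACCEPT
}

# What DHCP actually needs. A client with no lease yet sends UDP from
# 0.0.0.0:68 to 255.255.255.255:67; a client renewing sends the same ports
# unicast to 192.168.3.1, so one sport/dport match covers both cases.
# dnsmasq also answers DNS for the LAN, so 53 is opened for the LAN prefix only.
dhcp_dns_rules() {
    ipt -A INPUT -i "$INTIF" -p udp --sport 68 --dport 67 -j ACCEPT
    ipt -A INPUT -i "$INTIF" -s "$INTNET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$INTIF" -s "$INTNET" -p tcp --dport 53 -j ACCEPT
}

# Print the narrow rule set without applying it.
show_rules() {
    ( DRY_RUN=1; dhcp_dns_rules )
}

# Number of rules in the narrow set (3), handy as a sanity check.
count_rules() {
    show_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = "--show" ]; then
    show_rules
fi
```

Run it as `sh rules.sh --show` to review the generated commands; with DRY_RUN unset, `dhcp_dns_rules` applies them with iptables.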

jschiwal 01-30-2010 05:39 AM

DHCP is an extension of the BOOTP protocol. Check that port 68/udp is open on the client and 68/udp is open on the server.

Code:

Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-30 05:36 CST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
PORT  STATE        SERVICE
67/udp closed        dhcps
68/udp open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
jschiwal@qosmio:~/Documents/pdfdocs> sudo nmap -sN localhost -p 67-68

Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-30 05:37 CST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
PORT  STATE  SERVICE
67/tcp closed dhcps
68/tcp closed dhcpc

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

Code:

dhcps  67/tcp  0.000013        # DHCP/Bootstrap Protocol Server
dhcps  67/udp  0.228010        # DHCP/Bootstrap Protocol Server
dhcpc  68/tcp  0.000063        # DHCP/Bootstrap Protocol Client
dhcpc  68/udp  0.140118        # DHCP/Bootstrap Protocol Client

One technique is to scan localhost on the server. Then from another computer, scan the server. Also use
netstat --inet -l
or
netstat --inet -ln
to list listening ports. Compare those with which ports are open using nmap from outside your server's firewall.
Code:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
...
udp        0      0 *:bootpc                *:*
..

Some Windows clients expect a non-standard broadcast address to be 255.255.255.255 instead of 192.168.3.255 and you need to add a route to 255.255.255.255 to compensate.

You also didn't show your netmasks to see if you have the cable router and the wireless segments on different subnets.

You could maybe simplify things by using the dhcp server on your wireless router instead. Unless you want to filter different clients differently for outgoing connections. For incoming requests, you need to forward a port to a particular client anyway.
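The netstat-versus-nmap comparison described in the post above, as an added example that is not part of the post: it extracts the listening sockets from `netstat --inet -ln` output and the reachable ports from an nmap scan run from outside the firewall, and reports what is listening locally but not reachable. The two outputs embedded in the script are constructed samples, not captures from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list what the server is listening on
# (netstat --inet -ln) and what an external nmap scan can reach, then report
# the difference. Both outputs below are constructed samples.

NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

NMAP_SAMPLE='PORT   STATE  SERVICE
22/tcp open   ssh
53/udp open   domain
67/udp closed dhcps'

# Print proto/port for each listening socket: udp lines and tcp LISTEN lines.
listening_ports() {
    printf '%s\n' "$1" | awk '
        ($1 == "tcp" && $NF == "LISTEN") || $1 == "udp" {
            n = split($4, addr, ":"); print $1 "/" addr[n]
        }'
}

# Print proto/port for each port nmap reports as open or open|filtered.
reachable_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+\// && $2 ~ /^open/ {
            split($1, p, "/"); print p[2] "/" p[1]
        }'
}

# Ports listening locally that the outside scan could not reach: these are
# the candidates for a firewall rule that is missing or too strict.
blocked_ports() {
    listen_file=$(mktemp); reach_file=$(mktemp)
    listening_ports "$1" | sort > "$listen_file"
    reachable_ports "$2" | sort > "$reach_file"
    comm -23 "$listen_file" "$reach_file"
    rm -f "$listen_file" "$reach_file"
}

blocked_ports "$NETSTAT_SAMPLE" "$NMAP_SAMPLE"
```

With the samples above the script reports `udp/67`: dnsmasq is bound to the DHCP port, but the scan from outside does not reach it, which is the symptom the firewall rule in the second post fixed.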

Yakideo 01-30-2010 07:12 AM

Quote:

Originally Posted by AntonGolovin (Post 3845693)
Would anyone please be kind enough to comment on this outrageous setup I "invented":

cable modem (dynamic ip)

|
|

router (dynamic for modem, static 192.168.1.1 internally)

|
|

debian firewall/nat/dnsmasq with dhcp (two interfaces: eth0 for router above [static 192.168.1.2]; eth1 for switch below [static 192.168.3.1])

Why do you have two routers one after the other? If the first router is doing NAT (which most likely it is) the second NAT is not going to do you any good. In fact I don't understand why you don't connect your debian box directly to the cable modem.

AntonGolovin 01-30-2010 12:25 PM

Both doing NAT, I think.
 
Quote:

Originally Posted by Yakideo (Post 3846005)
Why do you have two routers one after the other? If the first router is doing NAT (which most likely it is) the second NAT is not going to do you any good. In fact I don't understand why you don't connect your debian box directly to the cable modem.

Hi, I just wanted to be able to connect other networks to the main router in the future. I wanted Debian to have a static IP (easier to configure IP tables.)

Other than that, it all works now with the addition to iptables of the line in the second post. Even wireless works seamlessly.

Anton.

jschiwal 01-31-2010 02:32 AM

You might want to look at people's setups that have Internet / DMZ / Firewall zones. Wireless, being less secure, could be considered the DMZ zone.
