LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
01-30-2010, 12:09 AM   #1
AntonGolovin (LQ Newbie)
Lost among routers, firewalls, and access points.


Would anyone please be kind enough to comment on this outrageous setup I "invented":

cable modem (dynamic ip)
 |
router (dynamic for modem, static 192.168.1.1 internally)
 |
debian firewall/nat/dnsmasq with dhcp (two interfaces: eth0 for router above [static 192.168.1.2]; eth1 for switch below [static 192.168.3.1])
 |
8-port gigabit switch ---- wireless router/access point (static 192.168.3.254) - DHCP'd laptops (not working)
 |
static LAN computers

Would you please help me understand the following;

1) The static LAN computers work ok. They find the dnsmasq on the debian computer, and they can access each other via dns, and the internet.

2) I can also ping the wireless router/access point from any of my other computers.

3) I cannot seem to make DHCP on the debian work. If I connect a laptop via wire to the gigabit switch, it will not find the DHCP server on the debian. In fact, it will give me a strange message: pinging 192.168.1.1 from 192.168.1.2... and then that it failed.

4) I cannot make a wireless connection via the wireless router/access point. I also cannot make a wired connection from it - none at all if I configure it for DHCP. I can, however, get to 192.168.1.1 if I configure a laptop in a wired connection statically. But in neither case can I connect to the internet.

Both routers have DHCP servers disabled and static IPs assigned, so there is only one DHCP server that should be running - of dnsmasq.

Thank you for your response. The reason why I did not make the frontline router statically route packets to my debian is because I would like to keep the flexibility of adding other networks to it later if needed; and also, it was simpler to have debian have a static address on its eth0 interface, rather than a dynamic one.

01-30-2010, 01:58 AM   #2
AntonGolovin (Original Poster)
Solved accidentally.

If anyone else is having this issue, adding this line to the iptables script helped:

Code:
# enable broadcast traffic
iptables -A INPUT -i $INTIF -d 255.255.255.255 -j ACCEPT

This apparently enabled DHCP broadcast requests from a laptop to reach the firewall, which is also hosting the DNS/DHCP server. This makes me wonder if this setup is recommended?

Please advise on the security implications?

Anton.

01-30-2010, 05:39 AM   #3
jschiwal (Guru)
DHCP is an extension of the BOOTP protocol. Check that port 68/udp is open on the client and 68/udp is open on the server.

Code:
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-30 05:36 CST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
PORT   STATE         SERVICE
67/udp closed        dhcps
68/udp open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
jschiwal@qosmio:~/Documents/pdfdocs> sudo nmap -sN localhost -p 67-68

Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-30 05:37 CST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
PORT   STATE  SERVICE
67/tcp closed dhcps
68/tcp closed dhcpc

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
Code:
dhcps   67/tcp  0.000013        # DHCP/Bootstrap Protocol Server
dhcps   67/udp  0.228010        # DHCP/Bootstrap Protocol Server
dhcpc   68/tcp  0.000063        # DHCP/Bootstrap Protocol Client
dhcpc   68/udp  0.140118        # DHCP/Bootstrap Protocol Client
One technique is to scan localhost on the server. Then, from another computer, scan the server. Also use
Code:
netstat --inet -l
or
Code:
netstat --inet -ln
to list listening ports (the output below is from netstat). Compare those with the ports nmap reports as open from outside your server's firewall.
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
...
udp        0      0 *:bootpc                *:*
..
Some Windows clients expect a non-standard broadcast address to be 255.255.255.255 instead of 192.168.3.255 and you need to add a route to 255.255.255.255 to compensate.

You also didn't show your netmasks to see if you have the cable router and the wireless segments on different subnets.

You could maybe simplify things by using the DHCP server on your wireless router instead, unless you want to filter different clients differently for outgoing connections. For incoming requests, you need to forward a port to a particular client anyway.

01-30-2010, 07:12 AM   #4
Yakideo (Member)
Quote:
Originally Posted by AntonGolovin
Would anyone please be kind enough to comment on this outrageous setup I "invented":

cable modem (dynamic ip)
 |
router (dynamic for modem, static 192.168.1.1 internally)
 |
debian firewall/nat/dnsmasq with dhcp (two interfaces: eth0 for router above [static 192.168.1.2]; eth1 for switch below [static 192.168.3.1])

Why do you have two routers one after the other? If the first router is doing NAT (which it most likely is), the second NAT is not going to do you any good. In fact, I don't understand why you don't connect your Debian box directly to the cable modem.
 
01-30-2010, 12:25 PM   #5
AntonGolovin (Original Poster)
Both doing NAT, I think.

Quote:
Originally Posted by Yakideo
Why do you have two routers one after the other? If the first router is doing NAT (which it most likely is), the second NAT is not going to do you any good. In fact, I don't understand why you don't connect your Debian box directly to the cable modem.

Hi, I just wanted to be able to connect other networks to the main router in the future. I wanted Debian to have a static IP (easier to configure iptables).

Other than that, it all works now with the addition of the iptables line in the second post. Even wireless works seamlessly.

Anton.
 
01-31-2010, 02:32 AM   #6
jschiwal (Guru)
You might want to look at people's setups that have Internet / DMZ / Firewall zones. Wireless, being less secure, could be considered the DMZ zone.
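An added example, not code from any poster in this thread, that ties together the "security implications" question in post #2 and the zone idea in post #6. The rule from post #2 accepts any protocol sent to 255.255.255.255 on the inside interface; the script below puts that rule beside a tighter one that admits only UDP from the DHCP client port to the DHCP server port, adds the DNS ports dnsmasq needs, and sketches a wireless zone that can reach the Internet but never initiates towards the wired LAN. Interface and network names are the thread's where they exist (eth0, eth1, 192.168.3.0/24). A separate wireless interface eth2 on 192.168.4.0/24 is an assumption and is not the posted topology: there the access point shares the switch with the wired hosts, so the Debian box could not wall it off. Run it without arguments to print the rules it would load, or with the argument apply to execute them as root.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# It places the broadcast rule from post #2 beside a tighter DHCP rule
# for the dnsmasq box and sketches the zoned layout suggested in post #6.
# Assumed, not from the thread: the wireless AP is on its own NIC
# (WLANIF=eth2, 192.168.4.0/24). In the posted topology the AP shares the
# switch with the wired hosts, so the Debian box could not separate them.
# Usage:  sh fw.sh          prints the rules
#         sh fw.sh apply    executes them with iptables (as root)

DRY_RUN="${DRY_RUN:-1}"
EXTIF="${EXTIF:-eth0}"      # towards the upstream router (192.168.1.2 in the thread)
INTIF="${INTIF:-eth1}"      # wired LAN switch (192.168.3.1 in the thread)
WLANIF="${WLANIF:-eth2}"    # assumed: wireless AP on a separate NIC
LAN_NET="192.168.3.0/24"
WLAN_NET="192.168.4.0/24"   # assumed

# Print or apply one iptables invocation, depending on DRY_RUN.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Post #2's fix: accepts ANY protocol addressed to the limited-broadcast
# address on the inside interface, not only DHCP.
broad_broadcast_rule() {
    fw -A INPUT -i "$1" -d 255.255.255.255 -j ACCEPT
}

# Tighter equivalent: only UDP from the DHCP client port (68) to the DHCP
# server port (67). This matches the initial DISCOVER (0.0.0.0 ->
# 255.255.255.255) as well as later unicast renewals to the server's own
# address, and nothing else. Broadcasts are not reliably tracked by
# conntrack, so this rule is needed even with an ESTABLISHED,RELATED rule.
dhcp_server_rules() {
    fw -A INPUT -i "$1" -p udp --sport 68 --dport 67 -j ACCEPT
}

# dnsmasq also answers DNS for the same segment.
dns_server_rules() {
    fw -A INPUT -i "$1" -p udp --dport 53 -j ACCEPT
    fw -A INPUT -i "$1" -p tcp --dport 53 -j ACCEPT
}

build_rules() {
    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT ACCEPT
    fw -A INPUT -i lo -j ACCEPT
    fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -A INPUT -m state --state INVALID -j DROP

    # Both inside zones get DHCP and DNS from dnsmasq, nothing else.
    for zone in "$INTIF" "$WLANIF"; do
        dhcp_server_rules "$zone"
        dns_server_rules "$zone"
    done
    # SSH to the firewall itself only from the wired LAN.
    fw -A INPUT -i "$INTIF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # Forwarding: both zones reach the Internet, the wired LAN may reach
    # wireless, but wireless never initiates towards the wired LAN
    # (the DMZ-style split from post #6). Replies are allowed by state.
    fw -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -A FORWARD -i "$WLANIF" -o "$INTIF" -j DROP
    fw -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN_NET" -j ACCEPT
    fw -A FORWARD -i "$INTIF" -o "$WLANIF" -s "$LAN_NET" -j ACCEPT
    fw -A FORWARD -i "$WLANIF" -o "$EXTIF" -s "$WLAN_NET" -j ACCEPT
    fw -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
build_rules
```

The DHCP rule is the part that answers post #2: a DISCOVER arrives from 0.0.0.0 port 68 to 255.255.255.255 port 67, so matching on the UDP ports lets it through without opening the broadcast address to everything else, and the OUTPUT policy lets the server's broadcast OFFER back out. Whether a rule is loaded as intended can be checked afterwards with the netstat and nmap steps from post #3.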