Would anyone please be kind enough to comment on this outrageous setup I "invented":

cable modem (dynamic ip)

|
|

router (dynamic for modem, static 192.168.1.1 internally)

|
|

debian firewall/nat/dnsmasq with dhcp (two interfaces: eth0 for router above [static 192.168.1.2]; eth1 for switch below [static 192.168.3.1])

|
|

8-port gigabit switch ---- wireless router/ access point(static 192.168.3.254) - DHCP'd laptops (not working)

|
|

static LAN computers






Would you please help me understand the following;

1) The static LAN computers work ok. They find the dnsmasq on the debian computer, and they can access each other via dns, and the internet.

2) I can also ping the wireless router/access point from any of my other computers.

3) I cannot seem to make DHCP on the debian work. If I connect a laptop via wire to the gigabit switch, it will not find the DHCP server on the debian. In fact, it will give me a strange message: pinging 192.168.1.1 from 192.168.1.2... and then that it failed.

4) I cannot make a wireless connection via the wireless router/access point. I also cannot make a wired connection from it - none at all if I configure it for DHCP. I can, however, get to 192.168.1.1 if I configure a laptop in a wired connection statically. But in neither case I can connect to the internet.

Both routers have DHCP servers disabled and static IPs assigned, so there is only one DHCP server that should be running - of dnsmasq.

Thank you for your response. The reason why I did not make the frontline router statically route packets to my debian is because I would like to keep the flexibility of adding other networks to it later if needed; and also, it was simpler to have debian have a static address on its eth0 interface, rather than a dynamic one.

If anyone else is having this issue, adding this line to iptables script helped:

# enable broadcast traffic
iptables -A INPUT -i $INTIF -d 255.255.255.255 -j ACCEPT

This apparently enabled DHCP broadcast request from a laptop to reach the firewall, which is also hosting the DNS/DHCP server. This makes me wonder if this setup is recommended?

Please advise of security implications?

Anton.

DHCP is an extension of the BOOTP protocol. Check that port 68/udp is open on the client and 68/udp is open on the server.

One technique is to scan localhost on the server. Then from another computer, scan the server. Also use
netcat --inet -l
or
netcat --inet -ln
to list listening ports. Compare those with which ports are open using nmap from outside your servers firewall.
Some Windows clients expect a non-standard broadcast address to be 255.255.255.255 instead of 192.168.3.255 and you need to add a route to 255.255.255.255 to compensate.

You also didn't show your netmasks to see if you have the cable router and the wireless segments on different subnets.

You could maybe simply things by using the dhcp server on your wireless router instead. Unless you want to filter different clients differently for outgoing connections. For incoming requests, you need to forward a port to a particular client anyway.

Why do you have two routers after each other? If the first router is doing NAT (which most likely it is) the second NAT is not gone do you any good. In fact I don't understand why you don't connect your debian box directly to the cable modem.

Hi, I just wanted to be able to connect other networks to the main router in the future. I wanted Debian to have a static IP (easier to configure IP tables.)

Other than than, it all works now with the addition to iptables the line in the second post. Even wireless works seamlessly.

Anton.

You might want to look at peoples setups that have Internet / DMZ / Firewall zones. Wireless being less secure could be considered as the DMZ zone.