LinuxQuestions.org
Old 01-24-2010, 03:29 PM   #1
jmoschetti45
Member
 
Registered: Oct 2004
Location: Michigan
Distribution: Debian Squeeze (2.6.32-5)
Posts: 136
Blog Entries: 1

Rep: Reputation: 17
Multiple IPs/Routes Through Router?


Not sure what this idea would be called.

I have a LAN connection coming in my router, which has an outside IP of (we'll use these for examples) A.A.A.A1. My router's internal IP is 192.168.0.1. I have one box connected to the router, with IP 192.168.0.100.

Now, box can have multiple IPs assigned to that NIC.

Is there any way for me to 'route' another IP through the router, basically bypassing it entirely?

I want 1 IP that's currently assigned to the router, which puts box in the DMZ, and another IP to basically pass straight through to box.

Basically, box needs 2 external IPs somehow. I only have 1 LAN port to use, and the router is a requirement for other things, so I can't get rid of it.

Does any of this make any sense?
 
Old 01-24-2010, 04:36 PM   #2
bartonski
Member
 
Registered: Jul 2006
Location: Louisville, KY
Distribution: Fedora 12, Slackware, Debian, Ubuntu Karmic, FreeBSD 7.1
Posts: 443
Blog Entries: 1

Rep: Reputation: 47
I would guess that this is going to depend entirely on the router. Let's say, for a second, that you didn't have any hardware restrictions: multiple NICs, plus no restriction about what the router is connected to upstream. You would have a set-up that looks like this:

Code:
NIC A [NIC A WAN IP] -----------------------------.
                                                   \
                                                    Switch -------- WAN         
                                                   /                            
NIC B [192.168.0.100] ----- [192.168.0.1] Router [router WAN IP]
The switch is a link layer device, so it's going to send packets to either the WAN port of your router, or to NIC A, based on ethernet address [AKA MAC address or HWaddress].

Your router is a Network layer device, as such, it will determine where packets are sent via IP address rather than by ethernet address.

Your question, then, is whether it's possible to emulate this setup on your router. My Linksys WRT54G has a feature called 'static routing', allowing specific routes from the router to a given LAN IP address... I think that this will do what you want it to, assuming that the router doesn't try to get too smart about what's happening at the link layer.

On my router this is available under [setup]->[advanced routing], and allows IP address, subnet mask and default gateway to be set up for up to 20 static routes.

Your Mileage May Vary.
 
Old 01-24-2010, 08:54 PM   #3
jmoschetti45
Member
 
Registered: Oct 2004
Location: Michigan
Distribution: Debian Squeeze (2.6.32-5)
Posts: 136
Blog Entries: 1

Original Poster
Rep: Reputation: 17
I've got a D-Link DIR-628, and it has the same options basically.

Problem I've run into: I ran the other cat5 up to the router from the box, and gave that NIC an IP that would be on the network. I put that IP in on the router, and the gateway IP in as well.

I can't find the box from elsewhere on the network, it's simply not there (no ping replies), and if I unplug the other cat5 and set up Lenny to use the new NIC, no internet period.

Am I missing something somewhere?
 
Old 01-27-2010, 10:19 AM   #4
bartonski
Member
 
Registered: Jul 2006
Location: Louisville, KY
Distribution: Fedora 12, Slackware, Debian, Ubuntu Karmic, FreeBSD 7.1
Posts: 443
Blog Entries: 1

Rep: Reputation: 47
This is one of those cases where a picture is worth a thousand words... that's why I put together the ascii art diagram of the network as I saw it.

If you can put together a sketch of how your network is set up, either as ascii art, or an attached picture (svg is a good option), that would help. Make sure that you show the IP address of each connection on both sides e.g.

Code:
 ____192.168.1.100         192.168.1.1  ____               
|    |_________________________________|    |            
|____|                                 |____|                         
Computer                               Router
 
Old 01-27-2010, 10:45 PM   #5
jmoschetti45
Member
 
Registered: Oct 2004
Location: Michigan
Distribution: Debian Squeeze (2.6.32-5)
Posts: 136
Blog Entries: 1

Original Poster
Rep: Reputation: 17
Code:
 ____192.168.0.100         192.168.0.1  ____            Pub. IP   
|    |_________________________________|    |__@_________            
|____|-----------------------------@---|____|                         
Computer  192.168.0.101                Router (D-Link DIR-628)
Solid lines are current connections, dashed are planned.

Basically, I need some sort of way to make a "virtual connection" between the @'s, so that 192.168.0.101 becomes another public IP.

Edit: One more important thing I forgot to mention. IPs are assigned via DHCP based on MAC address as far as I can tell. IPs change if MACs change, otherwise stay the same.

Last edited by jmoschetti45; 01-27-2010 at 10:50 PM.
 
Old 01-27-2010, 11:36 PM   #6
Elemecca
Member
 
Registered: Nov 2008
Location: San Francisco, CA
Distribution: Gentoo, CentOS
Posts: 71

Rep: Reputation: 22
You have a very interesting problem there. What you're trying to do is called SNAT (Static Network Address Translation). Unfortunately, your SOHO router almost certainly doesn't support SNAT (or multiple WAN IPs in any way). What you need to do is use a static route to get it to route packets for the public IP to your server's LAN IP. You then need to get your server to realize that those packets are for it.

The static route to set on the router is easy: network <public IP> netmask 255.255.255.255 gateway <LAN IP>. This will make it think that the LAN IP of the server is the next hop for packets destined for the public IP. In point of fact, that's exactly correct.

The second part (making the server realize that the packets addressed to the public IP are for it) is rather more complicated. I'm guessing that it'll involve creating a virtual Ethernet device. I'll fire up some VMs when I get home and play around with it.
 
Old 01-27-2010, 11:57 PM   #7
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
You can subnet your network. Assign the regular IP and the virtual IP on different subnets. Then use the router to route between them.

You could also use a 10.xxx.xxx.xxx address for the virtual IP address.

However, as the router's output port is also a port, you don't have the isolation you should with one device. A computer in the DMZ should not have any interface in the LAN.

In the DMZ it is exposed to hostile traffic. If it is successfully compromised, the attacker has full access to your LAN. Even without being compromised, you are allowing internet traffic on the wire you use for the LAN, which will eat up bandwidth. If there is a DoS attack, for example, the attacker can deny LAN access as well as access to the internet.

There is a type of scanning where a 3rd device is used (such as a printer), which could reveal to an attacker that the device is actually on the LAN, making you a more attractive target.

Last edited by jschiwal; 01-27-2010 at 11:59 PM.
 
Old 01-28-2010, 01:41 AM   #8
Elemecca
Member
 
Registered: Nov 2008
Location: San Francisco, CA
Distribution: Gentoo, CentOS
Posts: 71

Rep: Reputation: 22
As jschiwal says, it's rather insecure to have a publicly visible host connected to your LAN. If that host is breached, it effectively makes the rest of your LAN public too. Most computers on LANs aren't secure enough for public visibility, so that can be a Very Bad Thing. You have been warned.

As it turns out, it's simpler than I thought. All you need to do in order to get your server to listen on the public IP is register it as a virtual interface on eth0. The command to do that is below. Replace '<public IP>' with the public IP you want it to listen on. I'm not a Debian user so I have no idea how to make its init scripts set that up for you. Someone else (you?) will have to figure it out.
Code:
ifconfig eth0:1 <public IP> netmask 255.255.255.255
As I said above, you then need to configure a static route on your router so it routes packets for the public IP to the server's private IP. When the server receives packets addressed to the public IP, it'll realize that IP belongs to one of its interfaces and handle them appropriately. The parameters of the route are network=<public IP>, netmask=255.255.255.255, gateway=<private IP>.
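To make the two halves of Elemecca's recipe concrete (posts #6 and #8: the /32 static route on the router, and the alias that makes the server claim the public address), here is an added simulation that is not part of the thread and not anything the D-Link firmware runs. It models the router's longest-prefix-match lookup and the host's "is this address mine?" decision on a constructed routing table; 203.0.113.10 and 203.0.113.1 are documentation-range placeholders standing in for `<public IP>` and the ISP gateway, and the route/interface names are assumptions. It also shows why jschiwal's isolation concern holds: the public-facing address and the LAN hosts sit behind the same directly connected route, i.e. on the same wire.

```python
import ipaddress

# Constructed routing table for the SOHO router in the thread.
# Entries: (destination network, next hop or None when directly connected, interface name)
ROUTER_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "wan"),          # default route toward the ISP (placeholder gateway)
    ("192.168.0.0/24", None, "lan"),              # directly connected LAN
    ("203.0.113.10/32", "192.168.0.101", "lan"),  # the static route from post #8: public IP -> server LAN IP
]

# The same table without the static route, for comparison.
ROUTER_ROUTES_NO_STATIC = [r for r in ROUTER_ROUTES if r[0] != "203.0.113.10/32"]


def lookup(routes, dst):
    """Longest-prefix match: the most specific entry whose network contains dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop, iface)
    return best


def router_forwards_to(routes, dst):
    """Where the router hands a packet for dst: (next-hop address, interface).
    A directly connected destination is delivered to dst itself."""
    match = lookup(routes, dst)
    if match is None:
        return None
    _network, next_hop, iface = match
    return (next_hop or dst, iface)


# Addresses the Debian box owns. The third one only exists once the
# 'ifconfig eth0:1 <public IP> netmask 255.255.255.255' alias from post #8 is up.
SERVER_ADDRS_BEFORE_ALIAS = {"192.168.0.100", "192.168.0.101"}
SERVER_ADDRS_AFTER_ALIAS = SERVER_ADDRS_BEFORE_ALIAS | {"203.0.113.10"}


def server_accepts(local_addrs, dst):
    """The kernel delivers a packet locally only when dst is one of its own addresses;
    otherwise it is dropped (or forwarded, if forwarding is enabled)."""
    return dst in local_addrs


def shares_segment(routes, a, b):
    """True when a and b are reached through the same directly connected route,
    i.e. they share a link-layer segment. This is the DMZ-isolation problem:
    a host answering for the public IP still sits on the LAN wire."""
    ra, rb = lookup(routes, a), lookup(routes, b)
    return ra is not None and ra == rb and ra[1] is None


if __name__ == "__main__":
    for dst in ("203.0.113.10", "192.168.0.100", "198.51.100.7"):
        print(dst, "->", router_forwards_to(ROUTER_ROUTES, dst))
    print("server accepts public IP before alias:",
          server_accepts(SERVER_ADDRS_BEFORE_ALIAS, "203.0.113.10"))
    print("server accepts public IP after alias:",
          server_accepts(SERVER_ADDRS_AFTER_ALIAS, "203.0.113.10"))
    print("server LAN IP and another LAN host on one segment:",
          shares_segment(ROUTER_ROUTES, "192.168.0.101", "192.168.0.50"))
```

The /32 wins over the /0 default only because longest-prefix match is what every IP router does; without that static entry the router would send traffic for the public address back out the WAN, which matches the "simply not there" symptom in post #3. The alias is the other half: a static route alone gets the packet onto the LAN wire, but the host drops it unless the address is configured on one of its interfaces.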
 
Old 01-28-2010, 09:42 AM   #9
bartonski
Member
 
Registered: Jul 2006
Location: Louisville, KY
Distribution: Fedora 12, Slackware, Debian, Ubuntu Karmic, FreeBSD 7.1
Posts: 443
Blog Entries: 1

Rep: Reputation: 47
Quote:
Originally Posted by Elemecca
You have a very interesting problem there. What you're trying to do is called SNAT (Static Network Address Translation). Unfortunately, your SOHO router almost certainly doesn't support SNAT (or multiple WAN IPs in any way). What you need to do is use a static route to get it to route packets for the public IP to your server's LAN IP.
I looked up the D-Link DIR-628 for compatibility with OpenWRT and dd-WRT... unfortunately it runs a Ubicom chip which doesn't seem to be supported by much. If you can't get the routing capabilities that you need from your router, it may be worth investing in a router which will support one of the open source firmwares. OpenWRT and dd-WRT are both Linux based, and as such will use iptables, which allow you to do pretty much any type of routing that you want. A Linksys WRT-54G (or whatever its successor is) goes for about 60 US dollars; I'm sure that you could do a lot better on eBay.

We haven't discussed the issue you'll run into in getting a second public IP address from your ISP.

Another issue that would bother me somewhat is the issue of security. As mentioned by others on this thread, having a publicly routable address in your LAN is a bad idea from a security stand-point... but even if you fix that, you still have to deal with the fact that both your virtual, publicly routable address, and the other IP address running through the same jack are both on the same box. Unless you set up some sort of chroot environment or a virtual box connected to the outside world, you risk having that box getting compromised, which will leave the rest of your LAN vulnerable.
 
Old 01-28-2010, 09:50 AM   #10
bartonski
Member
 
Registered: Jul 2006
Location: Louisville, KY
Distribution: Fedora 12, Slackware, Debian, Ubuntu Karmic, FreeBSD 7.1
Posts: 443
Blog Entries: 1

Rep: Reputation: 47
Quote:
Originally Posted by bartonski
If you can't get the routing capabilities that you need from your router, it may be worth investing in a router which will support one of the open source firmwares. OpenWRT and dd-WRT are both Linux based, and as such will use iptables, which allow you to do pretty much any type of routing that you want. A Linksys WRT-54G (or whatever its successor is) goes for about 60 US dollars; I'm sure that you could do a lot better on eBay.
Come to think of it, you can probably do this more economically by investing in a 10/100 switch and a second ethernet card for your computer. Plug the switch between your router and ISP access point (cable modem/DSL modem/fiber optic jack...), then plug a cat5 between your second ethernet card and the switch. As long as your ISP will give you a second public IP address, you're all set at that point.
 
Old 01-28-2010, 06:53 PM   #11
jmoschetti45
Member
 
Registered: Oct 2004
Location: Michigan
Distribution: Debian Squeeze (2.6.32-5)
Posts: 136
Blog Entries: 1

Original Poster
Rep: Reputation: 17
I'll look into the idea of getting a switch if I can find a cheap one. I've already got 2 NICs in the box right now, both going to the router.

Edit: I'll get another public IP as long as another MAC address is seen on their end. Worst case I can do what I've done before and just assign a static one and pray to not have a conflict...

Last edited by jmoschetti45; 01-28-2010 at 06:57 PM.
 
Tags: network, router, snat, switch
All times are GMT -5.