Need help with 3-NIC linux router

psion · 06-03-2002, 12:55 AM

I'm setting up a linux router (hereafter called LINROUTE) with 3 NICs in it, which will be segmented into 4 subnets (subnet mask of 255.255.255.192).

I've got a cablemodem that gets a dynamic address from the ISP. The cablemodem goes to an SMC router, which is a DHCP client from the cablemodem, and a DHCP server to the internal network. The SMC is 192.168.50.1 serving the 192.168.50.0 network. The SMC will give LINROUTE a static assignment of 192.168.50.2 on its external iface (eth0).I'm having trouble setting up the IP's, subnet masks, and gateways for the 3 cards on LINROUTE. Here's a diagram:

    --------------------------------------------- (INTERNET)
          |
  ----------------
  |  SMC router  | <--DHCP client from cablemodem / DHCP server to LAN
  | 192.168.50.1 |
  ----------------
          |
          |
        ---------------------------------------- (192.168.50.0 network)
                     |
                     |
                     | (eth0 192.168.50.2 static map from SMC router)
                  ----------------
                  |   LINROUTE   |
                  ----------------
(192.168.100.1 eth1  |      | (eth2 192.168.100.65 / 255.255.255.192)
  /255.255.255.192)  |      |
                     |      -------------------- (192.168.100.0 network)
                     |
                     |
                     |
                  ------------------------------ (192.168.100.0 network)

Does this look right up to here?

Next, is the address of each of the internal NICs (192.168.100.1 & 192.168.100.65) supposed to be the gateway for each of those cards too, or is the gateway for the internal NICs something else?

Is the gateway for eth0 the SMC router address, 192.168.50.1? What's the subnet mask for eth0 on LINROUTE? Is it 255.255.0.0 since it's routing out to the 192.168.50.0 network from the 192.168.100.0 network..?

I plan to connect each of the two internal interfaces (eth1 and eth2) to the uplink ports on a pair of Linksys switches, and then connect clients to those switches... Is that the proper way of setting up the 192.168.100.0 subnets...?

Hope someone can give me a few pointers.

/psion

DavidPhillips · 06-03-2002, 01:36 PM

the default gateway for everyone will be 192.168.50.1

unless you are using IPMASQ on more than one machine

psion · 06-03-2002, 02:47 PM

The LINROUTE machine is an Astaro Security Linux router.. During installation it asks me to configure the administrative interface which, in the above diagram, is eth1. The problem comes in after installation, when I use the webadmin interface to configure the other NICs. As soon as I configure either eth0 or eth2, I lose access to LINROUTE completely. I can still ping out from LINROUTE, but I can't ping to it.

Also, when config'ing eth1, it won't allow me to enter 192.168.50.1 as the gateway if the subnet mask is 255.255.255.192. In any case, shouldn't the gateway of eth1 and eth2 be the address of eth0 (192.168.50.2), since that's the outermost interface on the 192.168.100.0 subnet...?

All machines in the 192.168.100.0 subnet should be MASQ'ng as the outermost interface on that machine (eth0).

/psion

psion · 06-03-2002, 08:29 PM

Okay, well, I basically solved this part of the subnetting issue by adjusting the subnets...

Instead of doing

eth1 - 192.168.100.1 / 255.255.255.192 and
eth2 - 192.168.100.65 / 255.255.255.192

I set them up as:

eth1 - 192.168.100.1/255.255.0.0 and
eth2 - 192.168.101.1/255.255.0.0
behind the external interface
eth0 - 192.168.50.2/255.255.255.0

I'm able to set up clients behind the eth1 and eth2 interfaces properly now. However, the routing is still a bit screwy. From the linux router, I can ping my external gateway (a hardware SMC router 192.168.50.1) and I can ping addresses on the internet. Clients behind the linux router can ping the linux router, and they can ping the SMC router, but they can't ping anything on the internet. I'm not sure if this is a MASQ problem, or something else... Anyone have an idea?

/psion

DavidPhillips · 06-04-2002, 12:49 PM

are you pinging names or addresses?

if it's names try addresses, if it works then it's your dhcp is not providing the dns servers.

option domain-name-servers 192.168.100.1, 192.168.100.65;

if your box is not running dns server then use the ones from your isp.
or you are blocking the port for dns

on windows clients use ipconfig /all to see if the nameservers are setup. on linux clients look in /etc/resolv.conf

psion · 06-04-2002, 01:03 PM

It's both names and IP addresses.

specifically, it's a PC on one of the subnets behind the Astaro Linux router.

The Linux router can ping the PC, can ping the SMC router, and can ping addresses on the internet by name, and by IP.

The PC can ping the Linux router, and can ping the SMC router, but cannot ping addresses on the internet.

/psion

DavidPhillips · 06-04-2002, 01:28 PM

is it masqed by the router?

if it has the ip address you show here it is not routable on the internet and needs to be masqed to a valid ip from an isp

psion · 06-04-2002, 03:17 PM

Well that's what I'm having trouble setting up. Basically I want this to function as:

cablemodem -> SMC router -> linux router -> clients

The SMC router is a DHCP server, giving out addresses on the 192.168.50.0 network. It gives 192.168.50.2 to the linux router, which in turn gives out addresses on either the 192.168.5.0 or 192.168.10.0 networks to the clients behind it... the machines behind the linux router can be either static or dynamic, it shouldn't matter, but they should masquerade as the external address of the linux router (192.168.50.2)...

/psion

DavidPhillips · 06-04-2002, 08:48 PM

what do you have for your MASQ rule?

psion · 06-06-2002, 05:17 PM

i've got the internal network behind the linux router masq'd as the external interface.

i've also added an iptables rule to allow all connections, on all protocols, inbound on the internal interface and outbound onto the external network.

i'm still able to ping the linux router from clients behind it, and i can ping the SMC router on the outer subnet, but still can't ping anything behind it, neither by ip nor by name...

/syf3r

DavidPhillips · 06-06-2002, 06:30 PM

the clients inside the router should be able to ping anything the router itself can ping if masq is setup correctly