LinuxQuestions.org
Old 08-12-2008, 09:47 PM   #1
grittyminder
LQ Newbie
 
Registered: Nov 2006
Location: Fukuoka, Japan
Distribution: RHE, Ubuntu 8.04, VMware ESX
Posts: 19

Rep: Reputation: 0
Adding new Linux firewall/router on network with pre-existing gateway/router


I'm fooling around with Quagga/Shorewall at home and am wondering if what I am trying to do is possible. I will try to create an ASCII art diagram to give you a better picture of what I am trying to accomplish (and hopefully it will not look like crap):



{ TestNetwk 172.31.1.0/24 }---.1<MyFW>.1---{ HomeNetwk 172.31.254.0/24 }---.254<ISPRouter>---{ Internet }


The remaining details:
1) All the clients on the Home Network have the ISPRouter configured as the default gateway (e.g. 172.31.254.254)
2) I have a test server in the Test Network that I want to access (e.g. 172.31.1.2).
3) When I try to access the test server (i.e. 172.31.1.2) from a client computer on the home network it looks like the client is trying to access the test server via the default gateway. I want the client to access the test server via MyFW (i.e. 172.31.254.1).

Question: how can I reconfigure things such that the ISPRouter remains the default gateway for Internet requests, but MyFW is used when resources on the Test Network are to be accessed? Can the ISPRouter notify the client that the correct gateway is 172.31.254.1 for network 172.31.1.0? NOTE: I do not want to add static routing on the client side--too much hassle.
 
Old 08-12-2008, 11:13 PM   #2
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
The problem you have is that your HomeNetwork systems are all on the same network, so MyFW never gets a chance to route. The only possible solution is to have ISPRouter send ICMP redirects, and it has to be told about your TestNetwork.

Clients on the TestNetwork should use MyFW as their gateway.

Last edited by Mr. C.; 08-12-2008 at 11:29 PM.
 
Old 08-12-2008, 11:55 PM   #3
grittyminder
LQ Newbie
 
Registered: Nov 2006
Location: Fukuoka, Japan
Distribution: RHE, Ubuntu 8.04, VMware ESX
Posts: 19

Original Poster
Rep: Reputation: 0
Dear Mr. C,

Yes, yes, wow, what you are suggesting sounds exactly like what I am aiming for. Thank you. I had been trying to configure Quagga and my ISP's router to exchange internal routing information with each other (no success so far. I know I could use static routes, but I wanted to play with OSPF). So am I right in thinking that if I succeed in doing this, the ISP's router will be aware of MyFW and will use ICMP redirects to point clients to MyFW when they attempt to access resources on the test network? I just want to be sure that I am not barking up the wrong tree...
 
Old 08-13-2008, 12:00 AM   #4
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Well, you really don't want to use ICMP redirects if possible.

You really want:
Code:
Test Hosts -------FW/Router -------- ISP router
                     |
                     |
                     | 
                 Home Hosts
This creates three networks, and your FW/Router does your LAN routing, leaving the ISP router as the internet gateway.

ICMP redirects are advisory, and can be used maliciously, so are often disabled by default.

Since you don't have a routing network where routing protocols can have much impact, and because ICMP redirects are at a much lower layer, you'll not accomplish what you want.

Last edited by Mr. C.; 08-13-2008 at 12:04 AM.
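
Whether a given Linux host would honour or emit ICMP redirects, as discussed in the post above, can be checked per interface. This is an added example, not part of the original thread: it combines the `all` and per-interface sysctls the way the kernel's ip-sysctl documentation describes. The `CONF_ROOT` override is an assumption made here so the script can also be pointed at a copied sysctl tree.

```shell
#!/bin/sh
# Added example: audit effective ICMP redirect handling per interface on Linux.
# CONF_ROOT is an assumption for testability; it defaults to the real sysctl tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Read one flag; a missing file counts as 0 so a partial tree does not abort.
rd() { cat "$CONF_ROOT/$1/$2" 2>/dev/null || echo 0; }

# Effective accept_redirects (kernel ip-sysctl documentation):
#   forwarding enabled on the interface  -> all AND interface
#   forwarding disabled on the interface -> all OR  interface
effective_accept() {
    all=$(rd all accept_redirects)
    ifc=$(rd "$1" accept_redirects)
    if [ "$(rd "$1" forwarding)" = 1 ]; then
        [ "$all" = 1 ] && [ "$ifc" = 1 ] && echo 1 || echo 0
    else
        { [ "$all" = 1 ] || [ "$ifc" = 1 ]; } && echo 1 || echo 0
    fi
}

# Effective send_redirects: enabled if either all or the interface is set.
effective_send() {
    { [ "$(rd all send_redirects)" = 1 ] ||
      [ "$(rd "$1" send_redirects)" = 1 ]; } && echo 1 || echo 0
}

# One line per real interface; "all" and "default" are templates, not interfaces.
audit_redirects() {
    for d in "$CONF_ROOT"/*/; do
        [ -d "$d" ] || continue
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        echo "$i accept=$(effective_accept "$i") send=$(effective_send "$i")"
    done
}

audit_redirects
```

A host interface that reports `accept=1` will update its route cache from a redirect sent on the local segment; a router interface that reports `send=1` will emit them.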
 
Old 08-13-2008, 02:17 AM   #5
grittyminder
LQ Newbie
 
Registered: Nov 2006
Location: Fukuoka, Japan
Distribution: RHE, Ubuntu 8.04, VMware ESX
Posts: 19

Original Poster
Rep: Reputation: 0
I had a feeling that I was barking up the wrong tree. Who knows how much more time I would have wasted had I not asked for help...? I'm going to try to switch over to the more traditional, and admittedly superior, architecture that you suggested. Thanks again for your help.
 
  

