LinuxQuestions.org
Old 10-01-2013, 04:21 PM   #1
SaintDanBert
Senior Member
Registered: Jan 2009
Location: "North Shore" Louisiana USA
Distribution: Mint v21.3 & v22.x with Cinnamon
Posts: 1,797
help me learn about home LAN configuration


Like most folks, I subscribe to a national ISP. They connect wire to my house and provide a "gateway" box. The box offers a few RJ-45 ports for wired ethernet (100baseT) along with a wireless (802.11g) access point. This might be wonderful for those who live in a typical one-story apartment or small ranch-style house. I want -- dare I say "need" -- more and better, and ask if someone can help me learn how to accomplish what I want to do.

A short list of enhancements that I seek:
1. deploy 802.11n wifi
--- main floor,
--- upstairs, and
--- outside around the pool
2. deploy 1000baseT where I use wire
3. move to something other than the 192.168.1.* default private network
4. deploy fixed IP addresses for primary in-house resources like printers and servers (files and media)
5. deploy wifi-DHCP for visitors and guests while blocking drive-by and nosey-neighbor users
6. limit some guests to internet-access while permitting others more extensive access to in-house resources.

NOTE -- The ISP uses the LAN to interconnect their resources within the house in addition to providing my workstations with internet access.

I would think that this is a common description of a home network for a power user and technical family. I'm hoping that some gentle reader can direct me to a collection of HOWTO documents or similar.

I don't want a full time job of network administration, but I'm willing to do some work to get things established.

I would prefer to learn enough to get things working and then learn more about how it works and why things work the way that they do. I understand that some how and why are required, but small bites where possible.

Thanks in advance,
~~~ 0;-Dan
 
Old 10-02-2013, 09:35 AM   #2
TenTenths
Senior Member
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7 / 8
Posts: 3,551
Ok.... you've a few things you want to do there.
  1. Not particularly difficult, you could do something as simple as plug in "repeater" access point extenders around your house, these are something like $40 a pop. Alternatively you can run cables to access points and get coverage pretty much where you need. You could set them all to the same SSID and authentication as your main one. If you are using multiple access points then it makes sense to change the channels on them so that they don't conflict. My personal favourite at the moment is a Zyxel access point that looks like a ceiling smoke detector and also has PoE capability, we use one at the office with a power injector so that only one network cable run is needed to where it's installed.
  2. Unless you're confident with DIY then get a network cable contractor to lay cables and install wall/floorports. I did my own at home, I have four cable runs that present as wall ports in different parts of the house and have a 8 port switch in the computer room. One of these cable runs is used as an "uplink" between my ISP router and the switch, the other three are used for 2xPS3, 1x spare.
  3. Couple of options here, if you have admin access to the LAN "side" of your ISP router then you should be able to change the default ranges, shortening it or allowing exclusions. Alternatively you could use a single linux machine as a gateway/router/DHCP/whatever server and have two NICs in that. One to your house network and one to your ISP and route ALL traffic through that server. For that you'd need to turn off your ISP wireless and use your own wireless access points. See also point 6.
  4. Not a problem, it's just good practice to assign them outside your DHCP range, or make specific exclusions. Or you can have DHCP assign static addresses via the MAC address.
  5. Using a non-default SSID and password will give you some form of access control. Alternatively take a look at http://sourceforge.net/apps/trac/hotcakes/ At the office we have a dedicated ISP connection connected to a server running that suite of programs and with two wireless access points hung off a separate network switch on a second NIC. We have permanent users and we also have the ability to generate "tickets" for visitors that give them 1 day or 1 week of access. This could be combined with something like a SQUID proxy if you wanted to do content filtering.
 
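The address-plan discipline in point 4 above (fixed addresses kept outside the dynamic pool, or handed out by DHCP keyed on the MAC) is easy to get wrong by hand once a few printers and servers accumulate. The following is an added example, not code from the thread or from any of the posters: a small Python checker that validates such a plan (pool inside the subnet, gateway and reservations outside the pool, no duplicate MACs or addresses) and renders it as dnsmasq directives. The subnet 10.27.4.0/24, the pool bounds, the host names and the MAC addresses are constructed sample data, not anything from the original post.

```python
import ipaddress
import re

# Constructed sample plan (assumed values, not from the thread).
SUBNET = "10.27.4.0/24"                  # anything but the 192.168.1.0/24 default
GATEWAY = "10.27.4.1"
POOL = ("10.27.4.100", "10.27.4.199")    # dynamic leases for guests and gadgets
RESERVATIONS = {                         # fixed addresses for in-house resources
    "printer":    ("00:11:22:33:44:55", "10.27.4.10"),
    "fileserver": ("00:11:22:33:44:66", "10.27.4.20"),
    "mediabox":   ("00:11:22:33:44:77", "10.27.4.21"),
}

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form; raises ValueError on anything else."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return mac


def check_plan(subnet, gateway, pool, reservations):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(gateway)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    problems = []
    if gw not in net:
        problems.append(f"gateway {gw} not in {net}")
    if not (lo in net and hi in net and lo <= hi):
        problems.append(f"DHCP pool {lo}-{hi} not inside {net}")
    for a in (lo, hi, gw):
        if a in (net.network_address, net.broadcast_address):
            problems.append(f"{a} is the network or broadcast address")
    if lo <= gw <= hi:
        problems.append(f"gateway {gw} sits inside the DHCP pool")
    seen_macs, seen_ips = {}, {}
    for name, (mac, ip) in reservations.items():
        try:
            mac = normalize_mac(mac)
        except ValueError as e:
            problems.append(f"{name}: {e}")
            continue
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{name}: {addr} not in {net}")
        if lo <= addr <= hi:
            problems.append(f"{name}: reserved {addr} lies inside the dynamic pool")
        if addr == gw:
            problems.append(f"{name}: reserved {addr} is the gateway")
        if mac in seen_macs:
            problems.append(f"{name}: MAC {mac} already used by {seen_macs[mac]}")
        if addr in seen_ips:
            problems.append(f"{name}: IP {addr} already used by {seen_ips[addr]}")
        seen_macs.setdefault(mac, name)
        seen_ips.setdefault(addr, name)
    return problems


def dnsmasq_lines(subnet, gateway, pool, reservations, lease="12h"):
    """Render the plan with dnsmasq's dhcp-range / dhcp-option / dhcp-host directives."""
    net = ipaddress.ip_network(subnet)
    lines = [f"dhcp-range={pool[0]},{pool[1]},{net.netmask},{lease}",
             f"dhcp-option=option:router,{gateway}"]
    for name, (mac, ip) in sorted(reservations.items()):
        lines.append(f"dhcp-host={normalize_mac(mac)},{ip},{name}")
    return lines


if __name__ == "__main__":
    for p in check_plan(SUBNET, GATEWAY, POOL, RESERVATIONS):
        print("PROBLEM:", p)
    print("\n".join(dnsmasq_lines(SUBNET, GATEWAY, POOL, RESERVATIONS)))
```

dnsmasq will in fact honour a dhcp-host address that falls inside its dhcp-range (it simply withholds that address from dynamic allocation), so the "outside the pool" rule is a readability convention rather than a hard requirement; the checker enforces it because that is the convention recommended in the reply above, and because a plan where fixed and dynamic addresses are visibly separate is much easier to audit later.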
Old 10-03-2013, 05:17 PM   #3
SaintDanBert
Senior Member
Original Poster
(grinning & blushing) I never was one to take baby steps...

My primary trouble lies in the fact that my type-N wifi toys cannot interact with the ISP-side resources. I presume it is a sub-net or similar issue because my toys are on one side and the ISP parts are on the other side of my gateway/router.

I have a high-end NetGear® router/gateway/access-point. Most of my LAN is on the "house side" of that box. The wired net, again "house side", is all NetGear 1000/100/10baseT switches connected 1000baseT. The box provides 802.11bgn wifi. My stuff -- workstations, printers, servers, tablets, phones, toys -- just works.

On the ISP side, plain old telephone system (POTS) copper connects to the ISP router/gateway/access-point. Their box provides 802.11bg (ugh). A LAN port here connects to the WAN port on my box over 100baseT (double ugh). Voilà! My "house side" has access to the internet.

The ISP box typically connects their own supporting boxes scattered around the house via 100baseT. I put a 1000/100/10baseT box in to feed their boxes.
I know this only benefits connections among the support boxes and that connections to the internet get throttled to 100baseT then "copper".

Thanks in advance,
~~~ 0;-Dan
 
Old 10-03-2013, 05:35 PM   #4
SaintDanBert
Senior Member
Original Poster
Quote:
Originally Posted by TenTenths View Post
Not particularly difficult, you could do something as simple as plug in "repeater" access point extenders around your house, these are something like $40 a pop. Alternatively you can run cables to access points and get coverage pretty much where you need. You could set them all to the same SSID and authentication as your main one. If you are using multiple access points then it makes sense to change the channels on them so that they don't conflict. My personal favourite at the moment is a Zyxel access point that looks like a ceiling smoke detector and also has PoE capability, we use one at the office with a power injector so that only one network cable run is needed to where it's installed.
I'm trying to discover how to set my gateway as a type-N access point on their "house side" LAN and quit the WAN-LAN NAT happening there.
Quote:
Originally Posted by TenTenths View Post
Unless you're confident with DIY then get a network cable contractor to lay cables and install wall/floorports.
...
I did all of this during a major remodel a couple of years back. I have two home runs of CAT-6 everywhere. I also pulled TV-coax if the next buyer cares.
Quote:
Originally Posted by TenTenths View Post
Couple of options here, if you have admin access to the LAN "side" of your ISP router then you should be able to change the default ranges, shortening it or allowing exclusions. Alternatively you could use a single linux machine as a gateway/router/DHCP/whatever server and have two NICs in that. One to your house network and one to your ISP and route ALL traffic through that server. For that you'd need to turn off your ISP wireless and use your own wireless access points. See also point 6.
I have a lot of admin access but there are parts that seem to be read-only. I was able to stop their cheap wifi and set the "house side" IP range away from 192.168.1.xxx for the 2-meter wire to my gateway. This results in a double NAT (I think) which I'd like to get rid of.
Quote:
Originally Posted by TenTenths View Post
Not a problem, it's just good practise to assigne them outside your DHCP range, or make specific exclusions. Or you can have DHCP assign static addresses via the MAC address.
Before ISPs resorted to a do-everything box and supplied a "modem," I had all of this working much as you describe. This works today on the "house side" of my box. There are still the occasional troubles when some new toy demands 192.168.1.xxx or 192.168.0.xxx before you can connect and move it elsewhere.
Quote:
Originally Posted by TenTenths View Post
Using a non-default SSID and password will give you some form of access control.
Done done and DONE
Another good practice is to use nonsense names for your access points.
Cartoon characters and those from fantasy fiction are favorites of mine.
If SSIDs look too "official" they are targets. Clearly, "Accounting" or "SmithFamily" are clear targets too. However, who knows what is behind "Barney", "Goofy" or "Ulrick"? (grin)
Quote:
Originally Posted by TenTenths View Post
Alternatively take a look at http://sourceforge.net/apps/trac/hotcakes/ At the office we have a dedicated ISP connection connected to a server running that suite of programs and with two wireless access points hung off a separate network switch on a second NIC. We have permanent users and we also have the ability to generate "tickets" for visitors that give them 1 day or 1 week of access. This could be combined with something like a SQUID proxy if you wanted to do content filtering.
Is the "hotcakes" project the same as your office "ticket" system?
I really REALLY like the sound of the ticket thing if it can be had or done open source [aka, cost=my time].

Thanks in advance,
~~~ 0;-Dan
 
Old 10-04-2013, 04:53 AM   #5
TenTenths
Senior Member
Looks like you've got it all heading pretty nicely along the way you want to proceed.

Technically nothing wrong with double NATting, we do it here for one subnet that is passing through multiple routers before it gets to the interwebz.

Quote:
Originally Posted by SaintDanBert View Post
Is the "hotcakes" project the same as your office "ticket" system?
I really REALLY like the sound of the ticket thing if it can be had or done open source [aka, cost=my time].
Yes, this is the system we use at the office. Permanent users have permanent accounts with a "soft" cap; a user's account can also have a WiFi MAC address associated to it, so that device doesn't need to log in. The "tickets": we actually just print off something like 100 1-day tickets and cut them up into little bits of paper that the receptionist can just hand out as necessary.
 
Old 10-04-2013, 11:02 AM   #6
SaintDanBert
Senior Member
Original Poster
Quote:
Originally Posted by TenTenths View Post
Technically nothing wrong with double NATting, we do it here for one subnet that is passing through multiple routers before it gets to the interwebz.
It does cost a few ticks...
More importantly, everything is not on one (the same) "network". Rather, there is one on the house side of the ISP box and another on the house side of my box. I suspect this is where my troubles lie with toys talking to ISP boxes.
Quote:
Originally Posted by TenTenths View Post
Yes, this is the system we use at the office. Permanent users have permanent accounts with a "soft" cap, a users account can also have a WiFi MAC address associated to it, so that device doesn't need to login. The "tickets" we actually just print off something like 100 1 day tickets and cut them up in to little bits of paper that the receptionist can just hand out as necessary.
I would really like to learn more about this. Are there other readings besides the link you posted earlier?
~~~ 0;-Dan

 
Old 10-04-2013, 11:25 AM   #7
TenTenths
Senior Member
Quote:
Originally Posted by SaintDanBert View Post
It does cost a few ticks...
More importantly, everything is not on one (the same) "network". Rather, there is one on the house side of the ISP box and another on the house side of my box. I suspect this is where my troubles lie with toys talking to ISP boxes.
Ahh, well we have 60 PCs across two floors in the building, and several combinations of firewalls and routers to achieve the aims we have for PCI-DSS compliance in part of the office and simple filtering-only compliance in other areas, so "a few ticks" isn't really one of our priorities.


Quote:
Originally Posted by SaintDanBert View Post
I would really like to learn more about this. Are there other readings besides the link you posted earlier?
To be honest, I didn't set our office WiFi up, I just happen to have to admin it and was told that was what we'd used and pointed to that resource as the documentation.

I've sketched up (roughly) what might be achievable. This would use the Linux box as a WiFi controller and also (I believe) have the side effect of allowing you to use the same "ticket" idea for any external access. So you could create fixed accounts and assign the MAC address of a device to that account, but anyone that tries to use net access, wired or wireless, would need a ticket.

I've mentioned Squid as you could make people use that as a proxy server rather than allowing direct outbound access.

You may have to use your Linux Box as a DHCP server to dish out the correct routing information to your boxes and you may need some jigging around to get this to work but it would avoid the double NAT.

My personal preference would be to have the "inside" network on a separate subnet and have your Linux box do a NAT and then your ISP router also doing the outbound NAT. This makes rules a bit easier to set up and gives you much better control of routing inside your Linux box as you're dealing with two distinct subnets.
Attached: PossibleBlockDiagram.jpg (block diagram of the suggested layout)
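Posts #5 and #7 describe the ticket scheme in outline: a stack of printed one-day or one-week codes handed to visitors, plus permanent accounts that can have a device MAC attached so that device skips the login page. The following is an added example, not the hotcakes code and not anything the posters wrote: a minimal Python ticket store showing the parts of that design that matter for security, namely unguessable codes, storing only a hash of each printed code, starting the clock on first use, and pinning an activated ticket to the device that redeemed it. All names and field layouts are assumptions, and the MAC addresses in the usage are constructed.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple

# Assumed validity classes, matching the "1 day or 1 week" tickets described above.
TICKET_LIFETIME = {"1d": 24 * 3600, "1w": 7 * 24 * 3600}


def _digest(code: str) -> str:
    # Only the hash of the printed code is stored, so a copy of the store
    # (or a backup of it) cannot be turned back into usable tickets.
    return hashlib.sha256(code.encode()).hexdigest()


class TicketStore:
    def __init__(self, lifetimes=TICKET_LIFETIME):
        self._lifetimes = lifetimes
        # digest -> {"validity", "activated", "expires", "mac"}
        self._tickets = {}
        # normalized MAC -> account name, for devices that skip the login page
        self._permanent = {}

    def issue(self, validity: str, count: int) -> list:
        """Generate `count` unguessable codes to print; only their digests are kept."""
        if validity not in self._lifetimes:
            raise ValueError(f"unknown validity {validity!r}")
        codes = []
        for _ in range(count):
            code = secrets.token_hex(8)  # 64 bits of entropy, 16 hex chars on the slip
            self._tickets[_digest(code)] = {
                "validity": validity, "activated": None, "expires": None, "mac": None,
            }
            codes.append(code)
        return codes

    def bind_device(self, mac: str, account: str) -> None:
        """Attach a device to a permanent account (the convenience path from post #5)."""
        self._permanent[mac.lower()] = account

    def authorize(self, mac: str, code: Optional[str], now: Optional[float] = None) -> Tuple[bool, str]:
        """Decide whether a client may pass the portal. Returns (allowed, reason)."""
        now = time.time() if now is None else now
        mac = mac.lower()
        if mac in self._permanent:
            return True, f"permanent account {self._permanent[mac]}"
        if not code:
            return False, "no ticket presented"
        t = self._tickets.get(_digest(code))
        if t is None:
            return False, "unknown ticket"
        if t["activated"] is None:
            # First use: the lifetime starts now and the ticket is pinned to this device,
            # so a code that leaks after redemption cannot be reused from elsewhere.
            t["activated"] = now
            t["expires"] = now + self._lifetimes[t["validity"]]
            t["mac"] = mac
            return True, "ticket activated"
        if now >= t["expires"]:
            return False, "ticket expired"
        if t["mac"] != mac:
            return False, "ticket already in use on another device"
        return True, "ticket still valid"


if __name__ == "__main__":
    store = TicketStore()
    for c in store.issue("1d", 5):      # these would be cut up and handed to visitors
        print(c)
```

Two caveats a practitioner would want alongside this. The MAC binding, both for permanent devices and for activated tickets, is a convenience, not authentication: a MAC address is trivially changed, so anyone who can observe a permitted device's MAC can take its place. The portal therefore only decides who gets past the gateway; keeping guests away from in-house resources still has to be done in the firewall between the guest segment and the house LAN, regardless of how they authenticated.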
Old 10-04-2013, 11:45 AM   #8
michaelk
Moderator
Registered: Aug 2002
Posts: 26,522
There is no requirement that you have to connect to the WAN port of your Netgear router. If you disable its DHCP server it should just be a switch/wireless access point. However, you could not use the built in wireless guest network function ( I assume it has one.)
 
Old 10-04-2013, 01:22 PM   #9
redfox2807
Member
Registered: Jul 2012
Distribution: Debian testing/stable, Gentoo, CentOS 7, Sailfish OS, Android
Posts: 167
Depending on the topography of the area you want to be covered with wifi using directional antennas in place of omnidirectional ones could be a better option than scattering several APs across the place.

Double NAT actually is not a problem. Just remember that everything in your house must be behind your home router or you'll have problems with communicating stuff with each other.


For guest users you can also deploy a separate AP with limited bandwidth via the same router. High-end routers usually are capable of it.


Quote:
Originally Posted by michaelk View Post
There is no requirement that you have to connect to the WAN port of your Netgear router. If you disable its DHCP server it should just be a switch/wireless access point. However, you could not use the built in wireless guest network function ( I assume it has one.)
That would be a waste of a high-end router IMHO. But that's really an option.
 
Old 10-04-2013, 03:19 PM   #10
jeebs01
LQ Newbie
Registered: Feb 2007
Posts: 3
Depending on the size of your area and the signal loss through your walls/floors, more than 3 APs will cause interference. Plan to keep 2.4GHz 802.11 APs on channels 1, 6, and 11 to avoid overlapping frequencies.
 
Old 10-07-2013, 02:31 PM   #11
michaelk
Moderator
It might be possible that your ISP modem can be configured in a bridge mode, where it just basically functions as a modem, i.e. no wireless or NAT functionality and no double NAT.
 
Old 10-07-2013, 03:26 PM   #12
suicidaleggroll
LQ Guru
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573
Quote:
Originally Posted by SaintDanBert View Post
I'm trying to discover how to set my gateway as a type-N access point on their "house side" LAN and quit the WAN-LAN NAT happening there.
If this is a typical off the shelf wireless router you're referring to, you can usually switch it to "access point mode" by turning off the DHCP server and plugging the input (from your primary DHCP server) into one of the LAN ports instead of the WAN port. This works on my Asus with OS firmware as well as on various Linksys routers that I've owned. Anybody who connects to the wireless network will be assigned a DHCP address by your main DHCP server and will exist on the main network as if you had plugged it in. The wifi router is just acting as a transparent wired/wireless bridge.
 
Old 10-09-2013, 10:57 AM   #13
SaintDanBert
Senior Member
Original Poster
Quote:
Originally Posted by suicidaleggroll View Post
If this is a typical off the shelf wireless router you're referring to, you can usually switch it to "access point mode" by turning off the DHCP server and plugging the input (from your primary DHCP server) into one of the LAN ports instead of the WAN port...
Since the ISP hardware is typically not high end (to keep it cheap for them) it seems that what I'm trying to do would be common. Because it is common, I expect that there would be HOWTO that cover this situation. Sadly, I have not found anything.

Your posting is brief and somewhat obvious. So obvious that (whack forehead) "why didn't I think of that". I'll try that and report back to complete this thread. Thanks.

Regards,
~~~ 0;-Dan
 
  

