Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game. |
10-01-2013, 04:21 PM, #1
SaintDanBert, Senior Member
Registered: Jan 2009
Location: "North Shore" Louisiana USA
Distribution: Mint v21.3 & v22.x with Cinnamon
Posts: 1,797
help me learn about home LAN configuration
Like most folks, I subscribe to a national ISP. They connect wire to my house and provide a "gateway" box. The box offers a few RJ-45 ports for wire-ethernet (100baseT) along with a wireless (802.11g) access point. This might be wonderful for those who live in a typical one-story apartment or small ranch-style house. I want -- dare I say "need" more and better -- and ask if someone can help me learn how to accomplish what I want to do.
A short list of enhancements that I seek:
1. deploy 802.11n wifi
--- main floor,
--- upstairs, and
--- outside around the pool
2. deploy 1000baseT where I use wire
3. move to something other than the 192.168.1.* default private network
4. deploy fixed IP addresses for primary in-house resources like printers and servers (files and media)
5. deploy wifi-DHCP for visitors and guests while blocking drive-by and nosey-neighbor users
6. limit some guests to internet-access while permitting others more extensive access to in-house resources.
NOTE -- The ISP uses the LAN to interconnect their resources within the house in addition to providing my workstations with internet access.
I would think that this is a common description of a home network for a power user and technical family. I'm hoping that some gentle reader can direct me to a collection of HOWTO documents or similar.
I don't want a full time job of network administration, but I'm willing to do some work to get things established.
I would prefer to learn enough to get things working and then learn more about how it works and why things work the way that they do. I understand that some how and why are required, but small bites where possible.
Thanks in advance,
~~~ 0;-Dan
10-02-2013, 09:35 AM, #2
TenTenths, Senior Member
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7 / 8
Posts: 3,551
Ok.... you've a few things you want to do there.
- Not particularly difficult, you could do something as simple as plug in "repeater" access point extenders around your house, these are something like $40 a pop. Alternatively you can run cables to access points and get coverage pretty much where you need. You could set them all to the same SSID and authentication as your main one. If you are using multiple access points then it makes sense to change the channels on them so that they don't conflict. My personal favourite at the moment is a Zyxel access point that looks like a ceiling smoke detector and also has PoE capability, we use one at the office with a power injector so that only one network cable run is needed to where it's installed.
- Unless you're confident with DIY then get a network cable contractor to lay cables and install wall/floorports. I did my own at home, I have four cable runs that present as wall ports in different parts of the house and have a 8 port switch in the computer room. One of these cable runs is used as an "uplink" between my ISP router and the switch, the other three are used for 2xPS3, 1x spare.
- Couple of options here, if you have admin access to the LAN "side" of your ISP router then you should be able to change the default ranges, shortening it or allowing exclusions. Alternatively you could use a single linux machine as a gateway/router/DHCP/whatever server and have two NICs in that. One to your house network and one to your ISP and route ALL traffic through that server. For that you'd need to turn off your ISP wireless and use your own wireless access points. See also point 6.
- Not a problem, it's just good practice to assign them outside your DHCP range, or make specific exclusions. Or you can have DHCP assign static addresses via the MAC address.
- Using a non-default SSID and password will give you some form of access control. Alternatively take a look at http://sourceforge.net/apps/trac/hotcakes/ At the office we have a dedicated ISP connection connected to a server running that suite of programs and with two wireless access points hung off a separate network switch on a second NIC. We have permanent users and we also have the ability to generate "tickets" for visitors that give them 1 day or 1 week of access. This could be combined with something like a SQUID proxy if you wanted to do content filtering.
1 members found this post helpful.
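An added example (not from the thread or any poster) that checks the addressing advice given above, points 3 and 4 in particular: the house subnet is off the vendor defaults, the fixed printer/server addresses sit outside the DHCP pool, and no two hosts share an address or MAC. The plan values, names and MACs are constructed; the rendered lines use dnsmasq's real dhcp-range/dhcp-host syntax.

```python
import ipaddress

# Constructed sample plan, not a configuration from the thread: the house
# subnet moved off 192.168.1.0/24, one DHCP pool for guests, and fixed
# addresses for printers and servers handed out by MAC address.
SAMPLE_PLAN = {
    "subnet": "10.27.0.0/24",
    "dhcp_range": ("10.27.0.100", "10.27.0.199"),
    "fixed_hosts": {
        "printer": ("aa:bb:cc:00:00:01", "10.27.0.20"),
        "fileserver": ("aa:bb:cc:00:00:02", "10.27.0.21"),
        "media": ("aa:bb:cc:00:00:03", "10.27.0.150"),  # sits inside the pool
    },
}

# Ranges many consumer gadgets ship with (the thread's point 3).
VENDOR_DEFAULTS = {ipaddress.ip_network("192.168.0.0/24"),
                   ipaddress.ip_network("192.168.1.0/24")}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    net = ipaddress.ip_network(plan["subnet"])
    if not net.is_private:
        problems.append(f"{net} is not a private (RFC 1918) range")
    if net in VENDOR_DEFAULTS:
        problems.append(f"{net} is a vendor default; new gadgets will collide with it")
    lo, hi = (ipaddress.ip_address(a) for a in plan["dhcp_range"])
    if lo not in net or hi not in net or lo > hi:
        problems.append(f"DHCP pool {lo}-{hi} is not inside {net}")
    seen_ip, seen_mac = {}, {}
    for name, (mac, ip_str) in plan["fixed_hosts"].items():
        ip = ipaddress.ip_address(ip_str)
        mac = mac.lower()
        if ip not in net:
            problems.append(f"{name}: {ip} is outside {net}")
        elif lo <= ip <= hi:
            problems.append(f"{name}: {ip} lies inside the DHCP pool {lo}-{hi}")
        if ip in seen_ip:
            problems.append(f"{name}: {ip} already assigned to {seen_ip[ip]}")
        if mac in seen_mac:
            problems.append(f"{name}: MAC {mac} already used by {seen_mac[mac]}")
        seen_ip[ip], seen_mac[mac] = name, name
    return problems


def dnsmasq_lines(plan):
    """Render the plan in dnsmasq's dhcp-range / dhcp-host syntax."""
    lo, hi = plan["dhcp_range"]
    lines = [f"dhcp-range={lo},{hi},12h"]
    for name, (mac, ip) in plan["fixed_hosts"].items():
        lines.append(f"dhcp-host={mac},{ip},{name}")
    return lines


if __name__ == "__main__":
    for line in dnsmasq_lines(SAMPLE_PLAN):
        print(line)
    for problem in check_plan(SAMPLE_PLAN):
        print("PROBLEM:", problem)
```

Run as-is it reports the deliberately misplaced "media" host; move it below the pool and the plan passes cleanly.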
10-03-2013, 05:17 PM, #3
SaintDanBert, Senior Member, Original Poster
Registered: Jan 2009
Location: "North Shore" Louisiana USA
Distribution: Mint v21.3 & v22.x with Cinnamon
Posts: 1,797
(grinning & blushing) I never was one to take baby steps...
My primary trouble lies in the fact that my type-N wifi toys cannot interact with the ISP-side resources. I presume it is a sub-net or similar issue because my toys are on one side and the ISP parts are on the other side of my gateway/router.
I have a high end NetGear® router/gateway/access-point. Most of my LAN is on the "house side" of that box. The wire-net, again "house side", is all NetGear 1000/100/10baseT switches connected 1000baseT. The box provides 802.11bgn wifi. My stuff -- workstations, printers, servers, tablets, phones, toys -- just work.
On the ISP side, plain-old-telephone-system copper (POTS) connects to the ISP router/gateway/access-point. Their box provides 802.11bg (ugh). A LAN port here connects to the WAN port on my box over 100baseT (double ugh). Voilà! My "house side" has access to the internet.
The ISP box typically connects their own supporting boxes scattered around the house via 100baseT. I put a 1000/100/10baseT box in to feed their boxes.
I know this only benefits connections among the support boxes and that connections to the internet get throttled to 100baseT then "copper".
Thanks in advance,
~~~ 0;-Dan
10-03-2013, 05:35 PM, #4
SaintDanBert, Senior Member, Original Poster
Registered: Jan 2009
Location: "North Shore" Louisiana USA
Distribution: Mint v21.3 & v22.x with Cinnamon
Posts: 1,797
Quote:
Originally Posted by TenTenths
Not particularly difficult, you could do something as simple as plug in "repeater" access point extenders around your house, these are something like $40 a pop. Alternatively you can run cables to access points and get coverage pretty much where you need. You could set them all to the same SSID and authentication as your main one. If you are using multiple access points then it makes sense to change the channels on them so that they don't conflict. My personal favourite at the moment is a Zyxel access point that looks like a ceiling smoke detector and also has PoE capability, we use one at the office with a power injector so that only one network cable run is needed to where it's installed.
I'm trying to discover how to set my gateway as a type-N access point on their "house side" LAN and quit the WAN-LAN NAT happening there.
Quote:
Originally Posted by TenTenths
Unless you're confident with DIY then get a network cable contractor to lay cables and install wall/floorports.
...
I did all of this during a major remodel a couple of years back. I have two home runs of CAT-6 everywhere. I also pulled TV-coax if the next buyer cares.
Quote:
Originally Posted by TenTenths
Couple of options here, if you have admin access to the LAN "side" of your ISP router then you should be able to change the default ranges, shortening it or allowing exclusions. Alternatively you could use a single linux machine as a gateway/router/DHCP/whatever server and have two NICs in that. One to your house network and one to your ISP and route ALL traffic through that server. For that you'd need to turn off your ISP wireless and use your own wireless access points. See also point 6.
I have a lot of admin access but there are parts that seem to be in read-only. I was able to stop their cheap wifi and set the "house side" IP range away from 192.168.1.xxx for the 2meter wire to my gateway. This results in a double-NAT (I think) which I'd like to get rid of.
Quote:
Originally Posted by TenTenths
Not a problem, it's just good practise to assigne them outside your DHCP range, or make specific exclusions. Or you can have DHCP assign static addresses via the MAC address.
Before ISPs resorted to a do-everything box and supplied a "modem," I had all of this working much as you describe. This works today on the "house side" of my box. There are still the occasional troubles when some new toy demands 192.168.1.xxx or 192.168.0.xxx before you can connect and move it elsewhere.
Quote:
Originally Posted by TenTenths
Using a non-default SSID and password will give you some form of access control.
Done done and DONE
Another good practice is to use nonsense names for your access points.
Cartoon characters and those from fantasy fiction are favorites of mine.
If SSIDs look too "official" they are targets. Clearly, "Accounting" or "SmithFamily" are clear targets too. However, who knows what is behind "Barney", "Goofy" or "Ulrick"? (grin)
Quote:
Originally Posted by TenTenths
Alternatively take a look at http://sourceforge.net/apps/trac/hotcakes/ At the office we have a dedicated ISP connection connected to a server running that suite of programs and with two wireless access points hung off a separate network switch on a second NIC. We have permanent users and we also have the ability to generate "tickets" for visitors that give them 1 day or 1 week of access. This could be combined with something like a SQUID proxy if you wanted to do content filtering.
Is the "hotcakes" project the same as your office "ticket" system?
I really REALLY like the sound of the ticket thing if it can be had or done open source [aka, cost=my time].
Thanks in advance,
~~~ 0;-Dan
10-04-2013, 04:53 AM, #5
TenTenths, Senior Member
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7 / 8
Posts: 3,551
Looks like you've got it all heading pretty nicely along the way you want to proceed.
Technically nothing wrong with double NATting, we do it here for one subnet that is passing through multiple routers before it gets to the interwebz.
Quote:
Originally Posted by SaintDanBert
Is the "hotcakes" project the same as your office "ticket" system?
I really REALLY like the sound of the ticket thing if it can be had or done open source [aka, cost=my time].
Yes, this is the system we use at the office. Permanent users have permanent accounts with a "soft" cap; a user's account can also have a WiFi MAC address associated to it, so that device doesn't need to login. The "tickets": we actually just print off something like 100 1-day tickets and cut them up into little bits of paper that the receptionist can just hand out as necessary.
1 members found this post helpful.
10-04-2013, 11:02 AM, #6
SaintDanBert, Senior Member, Original Poster
Registered: Jan 2009
Location: "North Shore" Louisiana USA
Distribution: Mint v21.3 & v22.x with Cinnamon
Posts: 1,797
Quote:
Originally Posted by TenTenths
Technically nothing wrong with double NATting, we do it here for one subnet that is passing through multiple routers before it gets to the interwebz.
It does cost a few ticks...
More importantly, everything is not on one (the same) "network". Rather, there is one on the house side of the ISP box and another on the house side of my box. I suspect this is where my troubles lie with toys talking to ISP boxes.
Quote:
Originally Posted by TenTenths
Yes, this is the system we use at the office. Permanent users have permanent accounts with a "soft" cap, a users account can also have a WiFi MAC address associated to it, so that device doesn't need to login. The "tickets" we actually just print off something like 100 1 day tickets and cut them up in to little bits of paper that the receptionist can just hand out as necessary.
I would really like to learn more about this. Are there other readings besides the link you posted earlier?
~~~ 0;-Dan
Last edited by SaintDanBert; 10-04-2013 at 11:04 AM.
10-04-2013, 11:25 AM, #7
TenTenths, Senior Member
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7 / 8
Posts: 3,551
Quote:
Originally Posted by SaintDanBert
It does cost a few ticks...
More importantly, everything is not on one (the same) "network". Rather, there is one on the house side of the ISP box and another on the house side of my box. I suspect this is where my troubles lie with toys talking to ISP boxes.
Ahh, well we have 60 PCs across two floors in the building, and several combinations of firewalls and routers to achieve the aims we have for PCI-DSS compliance in part of the office and simple filtering-only compliance in other areas, so "a few ticks" isn't really one of our priorities.
Quote:
Originally Posted by SaintDanBert
I would really like to learn more about this. Are there other readings besides the link you posted earlier?
To be honest, I didn't set our office WiFi up, I just happen to have to admin it and was told that was what we'd used and pointed to that resource as the documentation.
I've sketched up (roughly) what might be achievable. This would use the Linux box as a WiFi controller and also (I believe) have the side effect of allowing you to use the same "ticket" idea for any external access. So you could create fixed accounts and assign the MAC address of a device to that account, but anyone that tries to use net access, wired or wireless, would need a ticket.
I've mentioned Squid as you could make people use that as a proxy server rather than allowing direct outbound access.
You may have to use your Linux Box as a DHCP server to dish out the correct routing information to your boxes and you may need some jigging around to get this to work but it would avoid the double NAT.
My personal preference would be to have the "inside" network on a separate subnet and have your Linux box do a NAT and then your ISP router also doing the outbound NAT. This makes rules a bit easier to set up and gives you much better control of routing inside your Linux box as you're dealing with two distinct subnets.
1 members found this post helpful.
10-04-2013, 11:45 AM, #8
michaelk, Moderator
Registered: Aug 2002
Posts: 26,522
There is no requirement that you have to connect to the WAN port of your Netgear router. If you disable its DHCP server it should just be a switch/wireless access point. However, you could not use the built-in wireless guest network function (I assume it has one).
1 members found this post helpful.
10-04-2013, 01:22 PM, #9
Member
Registered: Jul 2012
Distribution: Debian testing/stable, Gentoo, CentOS 7, Sailfish OS, Android
Posts: 167
Depending on the topography of the area you want to be covered with wifi using directional antennas in place of omnidirectional ones could be a better option than scattering several APs across the place.
Double NAT actually is not a problem. Just remember that everything in your house must be behind your home router or you'll have problems with communicating stuff with each other.
For guest users you can also deploy a separate AP with limited bandwidth via the same router. High-end routers are usually capable of it.
Quote:
Originally Posted by michaelk
There is no requirement that you have to connect to the WAN port of your Netgear router. If you disable its DHCP server it should just be a switch/wireless access point. However, you could not use the built in wireless guest network function ( I assume it has one.)
That would be a waste of a high-end router IMHO. But that's really an option.
1 members found this post helpful.
10-04-2013, 03:19 PM, #10
LQ Newbie
Registered: Feb 2007
Posts: 3
Depending on the size of your area and the signal loss through your walls/floors, more than 3 APs will cause interference. Plan to keep 2.4GHz 802.11 APs on channels 1, 6, and 11 to avoid overlapping frequencies.
1 members found this post helpful.
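An added example (not from the thread or any poster) that works out why channels 1, 6 and 11 are the non-overlapping set: each 2.4 GHz channel is 5 MHz from its neighbour but a 20 MHz wide signal, so centres closer than 20 MHz overlap. It goes slightly beyond post #10 by checking any channel assignment, not just 1/6/11, and by planning the three-AP layout from the first post (main floor, upstairs, pool) plus a fourth AP to show the unavoidable reuse; the AP names are constructed.

```python
# Constructed example, not from the thread: APs placed as the original
# poster described (main floor, upstairs, pool) on 20 MHz 2.4 GHz channels.
CHANNEL_WIDTH_MHZ = 20   # 802.11g/n 20 MHz channels; 40 MHz bonding makes it worse
NON_OVERLAPPING = (1, 6, 11)


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel; channel 14 is the odd one out."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a, b):
    """True when two 20 MHz signals share spectrum (centres closer than 20 MHz)."""
    return abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ


def conflicting_pairs(assignment):
    """assignment maps AP name -> channel; returns the AP pairs that interfere."""
    names = sorted(assignment)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if channels_overlap(assignment[x], assignment[y])]


def plan_channels(ap_names, allowed=NON_OVERLAPPING):
    """Spread the APs over the allowed channels round-robin. With more than
    three APs some channel reuse is unavoidable; those pairs are reported so
    the installer can place them as far apart (or at as low power) as possible."""
    assignment = {name: allowed[i % len(allowed)] for i, name in enumerate(ap_names)}
    return assignment, conflicting_pairs(assignment)


if __name__ == "__main__":
    good = {"main_floor": 1, "upstairs": 6, "pool": 11}
    bad = {"main_floor": 1, "upstairs": 3, "pool": 11}
    print("good plan conflicts:", conflicting_pairs(good))  # []
    print("bad plan conflicts:", conflicting_pairs(bad))    # [('main_floor', 'upstairs')]
    print(plan_channels(["main_floor", "upstairs", "pool", "garage"]))
```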
10-07-2013, 02:31 PM, #11
michaelk, Moderator
Registered: Aug 2002
Posts: 26,522
It might be possible that your ISP MODEM can be configured in a bridge mode. Whereas it just basically functions as a MODEM i.e. no wireless or NAT functionality and no double NAT.
10-07-2013, 03:26 PM, #12
suicidaleggroll, LQ Guru
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573
Quote:
Originally Posted by SaintDanBert
I'm trying to discover how to set my gateway as a type-N access point on their "house side" LAN and quit the WAN-LAN NAT happening there.
If this is a typical off the shelf wireless router you're referring to, you can usually switch it to "access point mode" by turning off the DHCP server and plugging the input (from your primary DHCP server) into one of the LAN ports instead of the WAN port. This works on my Asus with OS firmware as well as on various Linksys routers that I've owned. Anybody who connects to the wireless network will be assigned a DHCP address by your main DHCP server and will exist on the main network as if you had plugged it in. The wifi router is just acting as a transparent wired/wireless bridge.
1 members found this post helpful.
10-09-2013, 10:57 AM, #13
SaintDanBert, Senior Member, Original Poster
Registered: Jan 2009
Location: "North Shore" Louisiana USA
Distribution: Mint v21.3 & v22.x with Cinnamon
Posts: 1,797
Quote:
Originally Posted by suicidaleggroll
If this is a typical off the shelf wireless router you're referring to, you can usually switch it to "access point mode" by turning off the DHCP server and plugging the input (from your primary DHCP server) into one of the LAN ports instead of the WAN port...
Since the ISP hardware is typically not high end (to keep it cheap for them) it seems that what I'm trying to do would be common. Because it is common, I expect that there would be HOWTOs that cover this situation. Sadly, I have not found anything.
Your posting is brief and somewhat obvious. So obvious that (whack forehead) "why didn't I think of that". I'll try that and report back to complete this thread. Thanks.
Regards,
~~~ 0;-Dan