10-18-2016, 05:19 PM   #1
jetberrocal
Need help making my Debian server a simple router and fix damage that I have done


I have a LAN1 in 192.168.0.0/24
and another, LAN2, in 192.168.1.0/24

In LAN2 I have a Debian server (e2guardian) with two NICs:
eth0 = 192.168.1.20, DHCP-assigned by the LAN1/LAN2 Firewall Appliance
eth1 = 192.168.0.100, DHCP-assigned by the LAN2 Cable Modem

Cable Modem - Static IP 192.168.0.1
Firewall Appliance - WAN/LAN1 IP 192.168.0.3, LAN2 IP 192.168.1.1

In LAN1 I have a DVR device with static IP 192.168.0.99

Need to make routing rules to allow the LAN2 computers to connect to the DVR passing around the Firewall. (Firewall seems to be incompatible with the DVR)

Trying to make e2guardian a router, I added the eth1 interface and made some routing rules. I think I damaged the routing table.

ip route output:

default via 192.168.1.1 dev eth0
192.168.0.0/24 via 192.168.1.1 dev eth0
192.168.0.99 via 192.168.0.100 dev eth1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20

First I need to make sure the e2guardian routing table is OK.
1. pings the DVR using the eth1 interface.
2. pings the Cable Modem (192.168.0.1) and LAN1 except DVR using eth0 through the default Gateway
3. pings the Internet using eth0 through the default Gateway

Then I think I need to enable forwarding in the e2guardian to the DVR only.

Finally I have to add some rules in the Firewall to send the LAN2 computers to the DVR through the e2guardian server. This part I think I know how to do.

Last edited by jetberrocal; 10-18-2016 at 05:22 PM.
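An offline check of the routing table in the post above, added here as an example and not written by any poster in this thread: it applies longest-prefix matching to the posted `ip route` output to show which interface each of the three test destinations would leave by, and flags two entries to review before forwarding is enabled. The function names and the 203.0.113.10 "Internet" test address are assumptions; the interface addresses are the ones stated in the post.

```python
import ipaddress

# `ip route` output copied from the post above.
IP_ROUTE_OUTPUT = """\
default via 192.168.1.1 dev eth0
192.168.0.0/24 via 192.168.1.1 dev eth0
192.168.0.99 via 192.168.0.100 dev eth1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""
# Interface addresses as stated in the post (prefix lengths are not given there).
LOCAL_ADDRS = {"eth0": "192.168.1.20", "eth1": "192.168.0.100"}

def parse_routes(text):
    """Parse `ip route` lines of the key/value form shown on this page."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        opts = dict(zip(fields[1::2], fields[2::2]))  # via X dev Y proto Z ...
        routes.append({"net": ipaddress.ip_network(dest),
                       "via": opts.get("via"), "dev": opts.get("dev")})
    return routes

def lookup(routes, addr):
    """Longest-prefix match within this one table: the most specific route wins."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None

def lint(routes, local_addrs):
    """Flag entries worth a second look before forwarding is enabled."""
    findings = []
    connected = {r["dev"] for r in routes if r["via"] is None}
    for r in routes:
        if r["via"] in local_addrs.values():
            findings.append(f"{r['net']}: gateway {r['via']} is this host's own address")
    for dev in local_addrs:
        if dev not in connected:
            findings.append(f"{dev}: no directly connected (scope link) route")
    return findings

if __name__ == "__main__":
    table = parse_routes(IP_ROUTE_OUTPUT)
    for name, addr in (("DVR", "192.168.0.99"), ("Cable Modem", "192.168.0.1"),
                       ("Internet (test address)", "203.0.113.10")):
        r = lookup(table, addr)
        print(f"{name} {addr}: dev {r['dev']} via {r['via']} (route {r['net']})")
    print("\n".join(lint(table, LOCAL_ADDRS)))
```

On the live host, `ip route get <address>` reports the same per-destination decision directly from the kernel.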
 
10-18-2016, 10:50 PM   #2
mpapet
It looks like you are doing a double-nat and that can get difficult with multimedia anything.

I went at your issue a little more simply.

Set your DHCP server to issue a /23 netmask instead of the /24 (255.255.254.0). Let's say 192.168.5.0/23.
Set your Debian server address to something like 192.168.4.11/23. Use the firewall (iptables) on the Debian host to control access to the LAN.

I know it's not perfect, but you get a nice, clear distinction between your DMZ host without double-NATing, as many consumer firewalls (cable router) just don't handle anything beyond the normal firewall NAT.

Last edited by mpapet; 10-18-2016 at 10:56 PM.
 
10-19-2016, 12:15 PM   #3
jetberrocal
You are making my eyes pop out. I did not understand anything.

The Cable Modem is NATing the Internet to the LAN1, where the DVR and the Firewall WAN are.
The Firewall is NATing the LAN1 to the LAN2.

I thought that there is no need to do NAT for the LAN2 to see some IP in LAN1, that plain routing was enough.
 
10-20-2016, 02:57 PM   #4
mpapet
Yeah, the problem with routing is not all protocols easily route.

That's why if you set your dhcp server LAN address to something like 192.168.5.1 255.255.254.0 you can then assign your DMZ machine a 192.168.4.xx 255.255.254.0. There's no need to route or fiddle with double-nat that your cable modem likely can't handle. Then your DMZ machine has iptables rules to restrict traffic into the LAN as you please.
 
10-25-2016, 01:14 PM   #5
jetberrocal
The DVR is not a full OS, or at least I can not customize iptables or routing tables.
 
  

