Linux - Networking
This is the question:
I have a router from Linksys to network my computers and some other devices, and I am wanting to install a firewall. I have decided the best way to do this for me physically is to put the firewall between the cable modem and the router. Now my question is this: how will the router interact with the firewall to route the appropriate packets to the computers (static IP addresses, btw)?
Cable Modem ---- Firewall ---- Router ---- Intranet
Do I just set the router to look for the firewall as the gateway?
Almost forgot: I have to have the router as a wireless access point for my wife's computer.

Any [x]---[y] pair of addresses should belong to different networks, e.g.:
192.168.168.0/24
192.168.1.0/24
10.0.0.0/24
or similar.
;-)
Further questions? (You're welcome.)

The only reason I have not subnetted the network is this:
the gateway address is 192.168.1.1
there are only 10 devices on the network atm, ranging from x.x.1.2 to x.x.1.12,
so I didn't really see a reason to sub it.
I should also add, this is for a home setup and not a business.
I am not using the router to make multiple physical networks, it's just forwarding the packets
from the cable modem to the respective computers (it's a Linksys WRT54G router).
So what you are saying is, if I don't sub it and add a firewall, the router will get confused?
Not for sure if I am following what you are saying.
I thought the only time you needed to really subnet something was if you were trying to
divide 2 physical networks, say (accounts) (management).

From yours:
"Now my question is this: how will the router interact with the firewall to route the appropriate packets to the computers (static IP addresses, btw)?"
Are those IPs from your ISP?
If not, then you should do NAT.
There are 2 kinds of network operation:
1. bridging mode,
2. routing mode (NAT).
If you have those static IPs from your ISP, then you can directly bridge your connection to your end computer. From your end computer's perspective, the default gateway will be your ISP.
If you don't have them, then you can do routing/NAT mode (thus you need a different subnet) either from your edge FW or your middle router, or it can be BOTH (the last is a bit complicated). From your end computer's perspective, the default gateway will be your router.
Or you can do the same bridging technique on your router (if supported).
The DNS server can just be pointed to your ISP.
HTH.
Last edited by rossonieri#1; 06-30-2007 at 12:49 AM.

What kind of router do you have? If it is a NAT router, then you already have a firewall. The router can't forward a connection if you haven't already started it from the inside. It simply has no way of knowing which IP to forward it to and has to drop it.
You need to use subnetting to perform routing between two connections. I once used my laptop to forward traffic to my wireless router. The wired subnet was 192.168.1.0/255.255.255.128. The wireless subnet was 192.168.1.128/255.255.255.128.
Then I could configure the routes so that it would use eth0 for the wired subnet and wlan0 for the wireless subnet.
I even gave each network a name in /etc/networks. The NAT function was supplied by the router, so I didn't need to add any iptables rules. (The desktop & printer used the DHCP server from another wired Linksys router/switch.)

It's just a store-bought Linksys router, and yes, it does have a firewall built into it, but with no configuration options. I wanted to install a firewall past the router, so I could get a better understanding of how firewalls work.
Also, if I set the router to routing mode over gateway mode it opts to use ARP.
The only thing I am not understanding exactly is why I should subnet the devices onto different networks. Dividing them into 2 separate networks doesn't really make any sense to me, being that I have plenty of addresses for hosts when I don't see having more than 10 devices connected to my network.
Also, the only real reason the router even exists atm is to provide a WAP for my wife's wireless connection.
As for the IP address, my ISP (Cox Communications) provides one static address to me, but I used the reserved addresses for the internetwork.
Last but not least, everything is working fine on my network. I am just trying to figure out how the firewall will route packets to the router, and then from there how the router will know how to send them to the hosts on my network.
Such as: will the information denoting that the packet is for PC.1 be dropped between the firewall and the router?
Internet
    |
(isp assigned address)
Router
(192.168.1.1) Internal gateway address for my network
    |
    |---- 192.168.1.2 (Linux file server)
    |---- 192.168.1.3 (My Computer)
    |---- 192.168.1.4 (my Xbox)
Then there are the wireless devices:
    192.168.1.5 my wife's computer
    192.168.1.6 my PSP
    192.168.1.7 my Nintendo Wii
    192.168.1.8 my Xbox 360
    192.168.1.9 (sometimes friends come over, etc., etc.)
That is my current configuration.
What I want to know is: if I add a firewall between the Internet and my current
gateway (that is primarily used to provide Wi-Fi), will there be any problems?
Also I should add that the router is just a Linksys wireless router with a built-in 5-port Ethernet switch. It's only there to provide access to multiple computers, not to connect two internal networks.
If this isn't explaining what I am trying to do well enough, I can get out the camera and snap some pics to help describe it better.

The Linux Network Administrator's Guide 2nd Ed. is available at the www.tldp.org website. It explains networks, and IP addresses and what various devices do.
Actually, you wouldn't need to subnet your network. Just use the Linksys as a switch. One interface will be for the modem and have a public IP address. The other will have a 192.168.1.0/24 address. You could use the Linksys for the DHCP server, or you could do that yourself as well. You will need to configure NAT on the computer of course.
Internet
    |
(isp assigned address)
Router
(192.168.1.1) Internal gateway address for my network
    |
    |---- 192.168.1.2 (Linux file server)
    |---- 192.168.1.3 (My Computer)
    |---- 192.168.1.4 (my Xbox)
To this:
Code:
Internet
    |
(isp assigned address)
    |
Firewall
(192.168.2.1)
    |
(192.168.2.2) WAN port
Router
(192.168.1.1) Internal gateway address for my network
    |
    |---- 192.168.1.2 (Linux file server)
    |---- 192.168.1.3 (My Computer)
    |---- 192.168.1.4 (my Xbox)
Then you shouldn't have a problem. Configure the Internet side of the firewall to behave as the Linksys router did. (You may need to authorize the firewall with the cable company, just like you did for the Linksys, because it has a different MAC address.) Now you need a network address between the firewall and the router that isn't 192.168.1.0/255.255.255.0 and isn't the old WAN address. I arbitrarily chose 192.168.2.0/255.255.255.0 for this network.
Here, you could keep the NAT on the Linksys router and just use the firewall to filter traffic; or you could even have both provide NAT (which would be silly for the firewall because it would only be serving the Linksys router); or you could put the Linksys in router mode (vs. what they call gateway mode) and perform NAT on the firewall. Now your present LAN configuration should still work.
You could also do this:
Code:
Internet
    |
(isp assigned address)
    |
Firewall
(192.168.1.1) Internal gateway address for my network
    |
    +---- Router switch ports
          |---- 192.168.1.2 (Linux file server)
          |---- 192.168.1.3 (My Computer)
          |---- 192.168.1.4 (my Xbox)
Here the router is just used as a switch, and the firewall is configured to behave as the router did. The server, "My Computer", and Xbox have the same configuration. You will need to change the local IP address of the router so there isn't a conflict with 192.168.1.1. The firewall is used as the gateway for the LAN using the same gateway IP address. If your wife's wireless host has the IP address of the AP (the Linksys) in its configuration, that will need to be changed.
Here you will provide NAT masquerading on the firewall. The router will be used as a switch and an AP for the wireless computer. You could use the DHCP server on the Linksys and have a client running on the LAN hosts and the firewall. Or you could have a DHCP server running on the firewall for more control. In both cases you need to change the "Local IP Address" setting on the Linksys router because you are using that address for the LAN side of the firewall.
The third method would waste one LAN port on the Linksys. The WAN port would be unused. However, you wouldn't need to reconfigure LAN hosts. They can still use DHCP if they were before, and don't need to change their gateway IP address settings.
It is often best to use static IP addresses for servers. You could have a 3rd NIC interface on the firewall for the DMZ as well. SuSE Linux's SuSEfirewall2 configures zones: internal, external, DMZ. Then you can have different services allowed for the different zones. Because you want to do this as a learning experience, you might want to roll your own instead. You may be able to find Linux router kits that have 4 or more interfaces and are small and low power compared to a desktop. Something like that might be ideal for what you want to do.
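The firewall side of the first layout above (192.168.2.0/24 between firewall and Linksys, Linksys in router mode, NAT masquerading on the firewall), written out as an added example; this is not code from the thread. It assumes eth0 faces the cable modem and eth1 faces the Linksys WAN port, and the tool names are variables so the ruleset can be dry-run with echo.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for the Linux firewall in
# the first layout.  Assumed: eth0 faces the cable modem, eth1 (192.168.2.1)
# faces the Linksys WAN port (192.168.2.2), and the Linksys is in router mode
# (no NAT), so LAN hosts reach the firewall with their 192.168.1.x addresses.
WAN=${WAN:-eth0}            # ISP-assigned address lives here
LINK=${LINK:-eth1}          # firewall <-> router network, 192.168.2.1
LINK_NET=192.168.2.0/24
LAN_NET=192.168.1.0/24      # hosts behind the Linksys
ROUTER=192.168.2.2          # next hop toward LAN_NET
# Tool names are variables so the ruleset can be dry-run: IPT=echo IP=echo ...
IPT=${IPT:-iptables}
IP=${IP:-ip}
SYSCTL=${SYSCTL:-sysctl}

fw_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    # Without this route, replies for 192.168.1.x would follow the default
    # route out to the ISP instead of going back through the Linksys.
    $IP route replace "$LAN_NET" via "$ROUTER" dev "$LINK"
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Packets for the firewall itself: loopback, replies, SSH from the LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LINK" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # Private source addresses never legitimately arrive from the Internet.
    $IPT -A FORWARD -i "$WAN" -s 192.168.0.0/16 -j DROP
    # Replies to connections started from inside may come back; any other
    # packet from the WAN side hits the DROP policy, which is exactly the
    # "unsolicited inbound is dropped" behaviour of a NAT router.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LINK" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LINK" -o "$WAN" -s "$LINK_NET" -j ACCEPT
    # Rewrite 192.168.x sources to the ISP address on the way out.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Apply only when explicitly asked, as root: FW_APPLY=1 sh firewall.sh
if [ "${FW_APPLY:-0}" = 1 ]; then
    fw_rules
fi
```

The Linksys, in router mode, needs 192.168.2.1 as its default gateway so that the two boxes agree on where 192.168.1.0/24 lives.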