LinuxQuestions.org, Slackware forum: https://www.linuxquestions.org/questions/slackware-14/set-up-a-lan-where-there-is-no-access-from-the-outside-world-4175469524/

tronayne 07-13-2013 02:23 PM

Set Up a LAN Where There is No Access From the Outside World
 
I have a LAN consisting of four systems (three desk tops and one lap top occasionally connected). My ISP is HughesNet which does not permit access from the outside -- it's a modem/router and you can't get through the router from the Internet. In addition to my LAN, I'm going to be setting up a similar LAN for a non-profit institute I'm associated with; that ISP allows connection from the outside but that's not going to happen if or until the board of directors approves doing so. I suspect that both my LAN and the institute LAN will be similar. The institute will have two Slackware 64-bit servers and there are, oh, four or five WinXP PC's that will access the servers via the LAN.

Neither I nor the institute has a registered domain name; the institute will when I can talk somebody into it but, for now, no.

The way I have configured things for a long time is that I use fixed-IP addresses for each machine, they all talk to each other with SSH, and one has a web server that the others access with a browser. I happen to have a router (because I am connected to the Internet) but the institute will not, I suspect it will be connected via a switch (which can later be connected to the Internet). Every one of my boxes (all Slackware) has an identical /etc/hosts file (so they can talk to each other with SSH and can access the network-connected plotter and printer which also have fixed-IP addresses as well as the Internet).

Now the question is, what's the best way to do a LAN (both for me and for the institute)? Set up one machine as a pseudo "internet" with DNS services, perhaps internal and maybe external mail services along with print service?

Is there a tutorial that might be a good guide?

I have been doing some reading, much of which is a little confusing but the little light hasn't popped on and I'd appreciate any advice.

Z038 07-13-2013 05:57 PM

I don't completely follow what you are trying to accomplish. Are you looking for a way to configure the LAN so that you don't have to use static IPs and maintain synchronized /etc/hosts files, but still be able to access each system on the LAN from any other system via ssh user@hostname?

If that is what you are after, you can set up a DNS server (actually, a master on one system and a slave on another so you have redundancy), and a dhcpd server (and a backup for failover), and let it assign dynamic IP addresses to most systems. You configure dynamic DNS in the dhcp server and it will keep your DNS server updated with the current IP address for each host on your LAN. The dhcp server will also supply the DNS server addresses to each client.

You would need to continue to assign a static IP to the systems that host the DNS and dhcp servers. I feel it is best to assign static IPs to appliances like printers and NAS systems. But all the regular desktop systems could be assigned dynamic IP.

This is what I do on my LAN, which has both Linux and Windows systems on it, and I can ssh to any system from any other by using hostname, so I don't have to be concerned with what the IP addresses happen to be at the moment.

If I misunderstood what you were after, I apologize.

Richard Cranium 07-13-2013 06:24 PM

IMO, as long as you have a valid name in your local network DNS server, there's no real reason to give static IPs to your printers and NAS systems.

In my case, I run an internal DHCP service that uses a totally BS internal network name (one that is highly unlikely to exist in the external world) that dynamically updates my internal DNS server. However, I'm not running an internal e-mail service which has implications on how you configure your MTA.

It's best to read the DNS HOW-TO. It's chock full of good information and even gives an example.

Z038 07-13-2013 06:41 PM

Richard, the only reason I give static IPs to network printers on my LAN is because a Windows Vista desktop system on my LAN can't handle it when the printer's IP address changes and it takes a reboot of the Vista system to fix it. I could get away with giving the NAS a dynamic IP.

manwichmakesameal 07-13-2013 07:22 PM

Here's how I would do it. I would set up one for doing firewall/router services including dhcp. I would set up that box with "sticky" IPs for every machine on the network. You can also set up that machine to do DNS and have everything set up to have CNAMEs for everything. Then when/if you get connection, you can have that box do the routing for you and you don't have to worry about the rest of the network when you don't/can't have connectivity. I've set up networks like this and used something like pfSense for that box. Works like a charm.

allend 07-13-2013 09:22 PM

At my workplace, I have a Slackware firewall/gateway server with two network interface cards; one connected to the corporate LAN, the other to an intranet of Windows machines.
The layout is
Code:

Internet --- corporate LAN --- (NIC1) Server (NIC2) --- Switch --- Windows PCs
The server is running dnsmasq to provide IP addresses to the Windows PCs via DHCP with dnsmasq configured to always supply the same IP address (effectively static addressing).
The server is running CUPS to provide access to LAN printers from the Windows PCs.
The server is running Samba to provide access to files on the Windows PCs from the corporate LAN.
The server is running iptables with a ruleset that does port forwarding of RDP from the corporate LAN to the Windows PCs to allow remote desktop connections. The ruleset also governs access to the internet from the Windows PCs.

This is certainly not bullet proof, but is an arrangement that has served well for many years.

tronayne 07-14-2013 08:09 AM

Wow.

OK, maybe I can explain this a little better. I was having a problem with sendmail on the lap top I'm using to install and check out DSpace, "a turnkey institutional repository application." See http://www.dspace.org if you're interested; the institute I mentioned has large diverse collections (think Smithsonian writ small without bugs-'n'-bones and airplanes). sendmail, on Slackware, usually "just works," but on this box, with a fresh install of Slackware 64-bit 14.0 (fully patched) just didn't want to work properly. I solved that, after a lot of suggestions from LQ members (including Pat) by saying to hell with it, just reinstall Slackware and see what happens which "fixed" the problem. That entire thread is at http://www.linuxquestions.org/questi...1/#post4983424, probably not worth your time to look at.

Pat kindly posted this: http://www.linuxquestions.org/questi...ml#post4987332:
Quote:

I think the fix might be to use a hostname like somehost.pita.lan, where the hostname will be seen as "somehost" and the domain name as "pita.lan". I've never deployed a machine that had only a domain name (or a domain name of just .com). With slackware.com, for example, the actual machine has a longer hostname (connie.slackware.com) and reaching it via "slackware.com" is done with a CNAME in DNS. I think that might be what is confusing sendmail, since here it works out of the box on hive64.slackware.lan.
Which got me thinking and realizing that I did not have a clue what all that means (I'm pretty good with some stuff but not so hot with every stuff, ya know?). And I haven't been able to get my arms around stuff I'm reading from Google searches, dang it.

The whole sendmail thing is over and done, but CNAME in DNS? somehost.pita.lan? Uh... duh. That's what prompts this thread (that lap top is now named pita.lan and I'm thinking it would be a good idea to rename all my other boxes somename.lan while I'm at it).

I guess I still don't know how to ask a decent question, but perhaps this is a little clearer?

Z038 07-14-2013 01:13 PM

A CNAME is an alias for an A (address) record in the zone file for your domain. An A record resolves to an IP address. You'll need to set up /etc/named.conf and your zone files for localhost, pita.lan, and the reverse zones for both of those.

Would an example help?

Edit: I can post a sample named.conf and the forward and reverse zone files for a DNS server, and a dhcpd.conf for a DHCP server, if you would like. But I don't want to clutter up the thread if you don't want to see the example.

tronayne 07-14-2013 03:14 PM

Quote:

Originally Posted by Z038 (Post 4990212)
Edit: I can post a sample named.conf and the forward and reverse zone files for a DNS server, and a dhcpd.conf for a DHCP server, if you would like. But I don't want to clutter up the thread if you don't want to see the example.

I would be grateful to see a sample; trust me, it won't clutter up anything and may actually unclutter me!

descendant_command 07-14-2013 03:40 PM

dnsmasq would kill several birds with one stone.
It is a DHCP/(forwarding)DNS server that is very easy to configure to do exactly what you want.
Just set it up on your server and set all your clients for DHCP.
You can also assign static IPs to specific machines (e.g. by MAC) via DHCP.

Z038 07-14-2013 05:52 PM

So here is an example. Please note that I am no expert on DNS or DHCP, but through trial and error and after reading lots of examples on the web, I managed to get it all working on my LAN. A real expert may find fault with the example I'm going to give you and could probably improve it a lot.

If pita.lan is your domain name, then you need to give each system a unique hostname on that domain. lap1.pita.lan, desk1.pita.lan, server1.pita.lan, and so forth, where lap1, desk1, and server1 are all hostnames.

Let's say you are running a BIND master DNS server on server1.pita.lan, and a slave DNS server on server2.pita.lan. You give both of these systems static IP addresses, 192.168.15.5 and 192.168.15.10, respectively. All your other systems, like lap1, are assigned dynamic IP addresses by your DHCP server, which is also running on server1.

Here is /etc/named.conf for your master DNS server on server1.pita.lan at 192.168.15.5. The files named in the zone definitions are relative to the base directory "/var/named" that is specified in the options section at the top.

The DNS configuration is defined using views. The internal view is for machines on your private LAN. It includes your localhost zone, your pita.lan zone, and the reverse pointer zones that correspond to those.

The external view is for public internet access from the outside, in the event that you exposed your DNS server to the world. It's not applicable in your case because you said there won't be any access from the internet. I just wanted to show you the structure. You could delete that whole section.

Code:

# named.conf configuration for master bind server.

acl internals { 127.0.0.1; 192.168.15.0/24; };
acl servers  { 192.168.15.5; 192.168.15.10; };
acl slaves    { 192.168.15.10; };

options {
  directory "/var/named";
  version "not available";
  allow-query {localnets; };
  allow-transfer {"none";};
  recursion no;
  notify no;
  empty-zones-enable yes;
};

view "internal" IN {
  match-clients { internals; };
  recursion yes;
  disable-empty-zone "15.168.192.in-addr.arpa";
  disable-empty-zone "0.0.127.in-addr.arpa";

  zone "." IN {
      type hint;
      file "root.hints";
  };

  zone "localhost" IN {
      type master;
      file "internal/zone.localhost";
      allow-update { none; };
  };

  zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "internal/revp.127.0.0";
      allow-update { none; };
  };

  include "/etc/ddns.key";

  zone "pita.lan" IN {
      type master;
      file "internal/zone.pita.lan";
      allow-update { key DDNS_UPDATE; };
      allow-transfer { slaves; };
      check-names ignore;
  };

  zone "15.168.192.in-addr.arpa" IN {
      type master;
      file "internal/revp.192.168.15";
      allow-update { key DDNS_UPDATE; };
      allow-transfer { slaves; };
      check-names ignore;
  };
};

view "external" IN {
  match-clients { any; };
  match-destinations { !localnets; !localhost; };

  zone "." IN {
      type hint;
      file "root.hints";
  };

  zone "pita.lan" IN {
      type master;
      file "external/zone.pita.lan";
      allow-transfer { slaves; };
  };
# Note:  You might have a reverse lookup zone file for your public IP here if
# you owned a whole class C or larger network block of addresses, or if the
# owner of the network delegated the reverse lookup zone for a subnet to you.
# Otherwise, the owner of the network would manage the reverse lookup.
};

Here is localhost forward zone file at /var/named/internal/zone.localhost.

Code:

$TTL        86400
$ORIGIN localhost.
@        1D IN SOA        @ root (
                        42                ; serial
                        3H                ; refresh
                        15M                ; retry
                        1W                ; expiry
                        1D )                ; minimum

        1D IN NS        @
        1D IN A                127.0.0.1

Here is the reverse lookup zone file for localhost at /var/named/internal/revp.127.0.0

Code:

$TTL        86400
@      IN      SOA    localhost. root.localhost.  (
                        2013040300 ; Serial
                        28800      ; Refresh
                        14400      ; Retry
                        3600000    ; Expire
                        86400 )    ; Minimum
        IN      NS      localhost.
1      IN      PTR    localhost.

Here is the pita.lan forward zone file at /var/named/internal/zone.pita.lan.

Code:

$ORIGIN .
$TTL 86400        ; 1 day
pita.lan                IN SOA        server1.pita.lan. hostmaster.pita.lan. (
                                201305428  ; serial
                                28800      ; refresh (8 hours)
                                14400      ; retry (4 hours)
                                2419200    ; expire (4 weeks)
                                86400      ; minimum (1 day)
                                )
                        NS        server1.pita.lan.
                        NS        server2.pita.lan.
$ORIGIN pita.lan.
$TTL 3600        ; 1 hour
server1                        A        192.168.15.5
server2                        A        192.168.15.10
localhost                A        127.0.0.1
router                        A        192.168.15.1
pub                        CNAME        server1
samba1                        CNAME        server1
samba2                        CNAME        server2
www                        CNAME        server1

Here is the reverse lookup zone file for pita.lan at /var/named/internal/revp.192.168.15.

Code:

$ORIGIN .
$TTL 86400        ; 1 day
15.168.192.in-addr.arpa IN SOA        server1.pita.lan. hostmaster.pita.lan. (
                                201305210  ; serial
                                28800      ; refresh (8 hours)
                                14400      ; retry (4 hours)
                                2419200    ; expire (4 weeks)
                                86400      ; minimum (1 day)
                                )
                        NS        server1.pita.lan.
                        NS        server2.pita.lan.
$ORIGIN 15.168.192.in-addr.arpa.
1                      PTR    router.pita.lan.
5                        PTR        server1.pita.lan.
10                        PTR        server2.pita.lan.

Here is /etc/dhcpd.conf for your DHCP server on server1 at 192.168.15.5.

Code:

#
# dhcpd.conf
#
# Configuration file for ISC dhcpd (see 'man dhcpd.conf')
#
 
authoritative;
ignore bootp;
option domain-name-servers 192.168.15.5, 192.168.15.10;

# Dynamic DNS setup
ddns-update-style interim;
# DDNS update key was created by issuing the following command as root:
# dnssec-keygen -a HMAC-MD5 -b 128 -r /dev/urandom -n USER DDNS_UPDATE
key DDNS_UPDATE {
        algorithm HMAC-MD5.SIG-ALG.REG.INT;
        secret 0wPvV+S8FmokHr7651RHSQ==;
}
zone pita.lan. {
    primary 192.168.15.5;
    key DDNS_UPDATE;
}
zone 15.168.192.in-addr.arpa. {
    primary 192.168.15.5;
    key DDNS_UPDATE;
}

subnet 192.168.15.0 netmask 255.255.255.0 {
    option domain-name "pita.lan";
    option broadcast-address 192.168.15.255;
    option subnet-mask 255.255.255.0;
    option routers 192.168.15.1;
    option ntp-servers 192.168.15.5, 192.168.15.10;
    ddns-domainname "pita.lan";
    # Reserve range 192.168.15.1 to 99 for static IP addresses
    pool {
      # Known clients (i.e. configured with a 'host' statement)
      # that request an IP address via DHCP
      range 192.168.15.100 192.168.15.149;
      default-lease-time 604800;
      max-lease-time 2419200;
      deny unknown clients;
    }
    pool {
      # Guests
      range 192.168.15.150 192.168.15.249;
      default-lease-time 86400;
      max-lease-time 259200;
      deny known clients;
    }
}

# === Group definitions =============================================

group {
  # Non-PXE machines

  default-lease-time 604800;
  max-lease-time 1209600;
 
  # HP75C491 HP Officejet 6310 network printer
  host HP75C491 {
    hardware ethernet 00:1f:48:7e:c4:9a;
    fixed-address 192.168.15.77;
  }
}

group {
  # PXEboot

  default-lease-time 86400;
  max-lease-time 172800;
  allow bootp;

  # Point to the TFTP server (required parameter!):
  next-server 192.168.15.5;

  use-host-decl-names on;

  if substring (option vendor-class-identifier, 0, 9) = "PXEClient" {
    filename "/slackware-current/pxelinux.0";
  }
  else if substring (option vendor-class-identifier, 0, 9) = "Etherboot" {
    filename "/slackware-current/kernels/hugesmp.s/bzImage";
  }

  host server2 {
    hardware ethernet 00:13:d9:ff:0c:8a;
    fixed-address 192.168.15.10;
  }

  host lap1 {                              # Dell Latitude D505 laptop
    hardware ethernet 00:0f:4f:cd:1e:1f;  # eth0, wired interface
  }
}

You may have noticed that named.conf had an include for /etc/ddns.key, and the dhcp.conf had a dynamic DNS key section also. Both specify the same key, and this is what allows your DHCP server to update your DNS server to add the currently assigned dynamic IP address for any DHCP client system to your zone files. If your DNS and DHCP server were running and clients named desk1 and lap1 joined the network and were given dynamic IP addresses, your pita.lan zone file would be dynamically updated to add something like this:

Code:

desk1                        A        192.168.15.149
                        TXT        "004561f997476f4e16c508ac149560e318"
lap1                        A        192.168.15.202
                        TXT        "314561f997476f4e16c508ac149560e318"

Here is an example /etc/ddns.key file. Note that the password in this example is a real one that was generated with dnssec-keygen, but it's not one I use. The same password must be in named.conf and in dhcpd.conf.

Code:

# DDNS update key was created by issuing the following command as root:
# dnssec-keygen -a HMAC-MD5 -b 128 -r /dev/urandom -n USER DDNS_UPDATE
# Note: This file is suitable for inclusion in named.conf, but it won't
# work for dhcpd.conf.  In order to include it in dhcpd.conf, the double
# quotes around the secret key and the trailing semi-colon after the
# final closing brace must be removed.
key DDNS_UPDATE {
        algorithm HMAC-MD5.SIG-ALG.REG.INT;
        secret "0wPvV+S8FmokHr7651RHSQ==";
};

It probably goes without saying that the ddns.key file and the dhcpd.conf file need to have restrictive permissions with no world access, since they contain the dynamic update key that DHCP uses to talk to DNS.

I have not shown what a slave DNS configuration would look like. It will have a named.conf that looks similar to the master one, but with a few differences, and its zone files are different. They get transferred from master. I can add that in another post later.

I have not shown the root.hints file. You download that from the web periodically. It doesn't change very often, and it works even if it isn't totally up to date. I'll follow up with more info on that later also.

I hope this helps.
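The forward zone and the two reverse zones above have to agree with each other by hand: every A record needs a PTR on the matching octet, and every PTR needs to point back at a name that really holds that address (the localhost reverse zone is the classic place to get the octet wrong, since 127.0.0.1 lives at 1.0.0.127.in-addr.arpa). The following checker is an added example, not code from the post; it parses zone files with the same $ORIGIN/$TTL/SOA conventions as the ones above and reports the mismatches. The zone texts are constructed copies modelled on the post, and the localhost reverse zone is deliberately given the wrong octet (5 instead of 1) so the check has something to find.

```python
"""Cross-check BIND forward and reverse zones: every A record inside a
reverse zone we serve must have a PTR, and every PTR must point back at a
name that actually holds that address."""
import ipaddress
import re

TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")
CLASSES = {"IN", "CH", "HS"}

# Constructed zone data, modelled on the files in the post; the localhost
# reverse zone deliberately has its PTR on octet 5 instead of 1.
LOCALHOST_ZONE = """\
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root ( 42 3H 15M 1W 1D )
  1D IN NS @
  1D IN A 127.0.0.1
"""
PITA_ZONE = """\
$ORIGIN .
$TTL 86400  ; 1 day
pita.lan IN SOA server1.pita.lan. hostmaster.pita.lan. (
    2013072801 ; serial
    28800 14400 2419200 86400 )
    NS server1.pita.lan.
    NS server2.pita.lan.
$ORIGIN pita.lan.
server1   A 192.168.15.5
server2   A 192.168.15.10
localhost A 127.0.0.1
router    A 192.168.15.1
www       CNAME server1
"""
REV_127_BROKEN = """\
$TTL 86400
@ IN SOA localhost. root.localhost. ( 2013040300 28800 14400 3600000 86400 )
  IN NS localhost.
5 IN PTR localhost.
"""
REV_127_FIXED = REV_127_BROKEN.replace("\n5 IN PTR", "\n1 IN PTR")
REV_192 = """\
$ORIGIN .
$TTL 86400
15.168.192.in-addr.arpa IN SOA server1.pita.lan. hostmaster.pita.lan. (
    2013072801 28800 14400 2419200 86400 )
    NS server1.pita.lan.
    NS server2.pita.lan.
$ORIGIN 15.168.192.in-addr.arpa.
1  PTR router.pita.lan.
5  PTR server1.pita.lan.
10 PTR server2.pita.lan.
"""
# (zone origin, zone text): when a file sets no $ORIGIN the origin comes from
# the zone name in named.conf, which is how BIND itself loads it.
FORWARD_ZONES = [("localhost.", LOCALHOST_ZONE), ("pita.lan.", PITA_ZONE)]
REVERSE_ZONES = [("0.0.127.in-addr.arpa.", REV_127_BROKEN),
                 ("15.168.192.in-addr.arpa.", REV_192)]
REVERSE_ZONES_FIXED = [("0.0.127.in-addr.arpa.", REV_127_FIXED),
                       ("15.168.192.in-addr.arpa.", REV_192)]


def _logical_lines(text):
    """Strip ';' comments and fold parenthesised multi-line records."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def qualify(name, origin):
    """Make a zone-file name absolute, the way BIND applies $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text, origin):
    """Yield (owner, rrtype, rdata tokens) with fully qualified owner names."""
    owner = None
    for line in _logical_lines(text):
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):          # $TTL and friends: not needed here
            continue
        tokens = line.split()
        if not line[0].isspace():         # a new owner name starts the line
            owner = qualify(tokens.pop(0), origin)
        while tokens and (TTL_RE.match(tokens[0]) or tokens[0] in CLASSES):
            tokens.pop(0)                 # optional TTL and class
        yield owner, tokens[0], tokens[1:]


def ptr_name_to_ip(name):
    """'5.15.168.192.in-addr.arpa.' -> '192.168.15.5' (IPv4 only here)."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:-2]))


def check_zones(forward, reverse):
    """Return a list of human-readable findings; empty means consistent."""
    a_by_ip = {}
    for origin, text in forward:
        for owner, rtype, rdata in parse_zone(text, origin):
            if rtype == "A":
                a_by_ip.setdefault(rdata[0], set()).add(owner)
    ptr, apexes = {}, []
    for origin, text in reverse:
        apexes.append(origin)
        for owner, rtype, rdata in parse_zone(text, origin):
            if rtype == "PTR":
                ptr[owner] = qualify(rdata[0], origin)
    findings = []
    for ip, names in sorted(a_by_ip.items()):
        rev = ipaddress.ip_address(ip).reverse_pointer + "."
        if not any(rev.endswith("." + apex) for apex in apexes):
            continue          # reverse zone for this address is not ours
        if rev not in ptr:
            findings.append(f"no PTR for {ip} ({', '.join(sorted(names))})")
        elif ptr[rev] not in names:
            findings.append(f"PTR for {ip} says {ptr[rev]} but A records say "
                            f"{', '.join(sorted(names))}")
    for rev, target in sorted(ptr.items()):
        ip = ptr_name_to_ip(rev)
        if target not in a_by_ip.get(ip, set()):
            findings.append(f"PTR {rev} -> {target} has no A record for {ip}")
    return findings


if __name__ == "__main__":
    for line in check_zones(FORWARD_ZONES, REVERSE_ZONES) or ["zones agree"]:
        print(line)
```

Run as-is it reports the missing 1.0.0.127 PTR and the stray 5.0.0.127 PTR; swap in REVERSE_ZONES_FIXED and it reports nothing. On a real server the same sanity check is what `named-checkzone` will not do for you, since it validates each zone on its own and never compares forward against reverse.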
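Two practical points in the post are easy to get wrong: the same TSIG secret has to appear in named.conf syntax (quoted, `};`) and in dhcpd.conf syntax (unquoted, `}`), and the files holding it must not be world-readable. The script below is an added example, not something from the post or from ISC; it generates a fresh 128-bit secret of the same shape `dnssec-keygen -a HMAC-MD5 -b 128` produces, renders it in both syntaxes, converts an existing named-style key file to dhcpd style, and creates the file without world access. The algorithm string is the one used in the post; newer BIND and ISC dhcpd releases also accept hmac-sha256, which is the better choice for a new deployment.

```python
"""Render one DDNS update (TSIG) secret in the two syntaxes that named and
dhcpd expect, and write the key file with no world access."""
import base64
import os
import re
import secrets
import stat
import tempfile

# Algorithm name exactly as in the post; hmac-sha256 is also accepted by
# current BIND and ISC dhcpd and is preferable for new setups.
ALGO = "HMAC-MD5.SIG-ALG.REG.INT"


def new_secret(bits=128):
    """Same shape as 'dnssec-keygen -a HMAC-MD5 -b 128': random bytes, base64."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()


def secret_is_valid(secret, bits=128):
    """True when the secret decodes to exactly bits/8 bytes of key material."""
    try:
        return len(base64.b64decode(secret, validate=True)) == bits // 8
    except (ValueError, TypeError):
        return False


def named_key_stanza(name, secret, algorithm=ALGO):
    """named.conf form: secret quoted, closing brace followed by ';'."""
    return f'key {name} {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


def dhcpd_key_stanza(name, secret, algorithm=ALGO):
    """dhcpd.conf form: secret unquoted, no ';' after the closing brace."""
    return f"key {name} {{\n\talgorithm {algorithm};\n\tsecret {secret};\n}}\n"


def named_to_dhcpd(named_text):
    """Convert a ddns.key written for named into the form dhcpd will parse."""
    text = re.sub(r'secret\s+"([^"]+)"\s*;', r"secret \1;", named_text)
    return re.sub(r"\}\s*;", "}", text)


def write_private(path, content):
    """Create the file 0640 (umask may tighten it) and return its final mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(directory=None):
    """Generate a key, write it named-style, return (secret, path, mode)."""
    directory = directory or tempfile.mkdtemp()
    secret = new_secret()
    path = os.path.join(directory, "ddns.key")   # hypothetical location
    mode = write_private(path, named_key_stanza("DDNS_UPDATE", secret))
    return secret, path, mode


if __name__ == "__main__":
    secret, path, mode = demo()
    print(f"wrote {path} with mode {mode:04o}")
    print(named_key_stanza("DDNS_UPDATE", secret))
    print(dhcpd_key_stanza("DDNS_UPDATE", secret))
```

The dhcpd stanza must be pasted into dhcpd.conf rather than included, as the post notes; `named_to_dhcpd` is what that manual edit amounts to, so the two files can be regenerated from one source whenever the key is rotated.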

descendant_command 07-15-2013 01:51 AM

Or ...
You could use dnsmasq, set your local network name and an upstream DNS, and just add a single line for any hosts that need a static IP. :D
