Fw: [suse-security] Advice Please - Extending a Network
If the hardware solutions described are not an option then you have two options using Linux (i) separate subnets or (ii) a bridge. The latter consists of extra modules in the kernel which effectively turn your box into a switch, thus saving the expense, and all LAN traffic goes across both segments. Alternatively split the LAN into two subnets, have two IP addresses, one for each NIC and have DHCP serve different IP addresses to hosts on each segment. This is more traditional in some ways but can be annoying for users, depending on what applications they use. For instance if they are SMB clients that want to browse a "Network Neighbourhood" then you'll need to implement a WINS server (and possibly a domain server) to keep the two subnets talking to each other.
Carl Peto, Linux Server Support, Bookman Associates
It seems to be quite hard to find an 8 port hub with a coax connector, though I will keep looking. In the meantime can you expand on what I need to do following your (i) separate subnets suggestion. I am already running ...
1) DHCP (providing IP addresses to the local machines and also updating the DNS zone files automatically)
2) DNS (administering the local domain and forwarding to my Cable Company's DNS servers)
3) SuSEFirewall2 (blocks everything inbound, there are NO services accessible from the internet other than those initiated by the local network machines)
4) Samba to support Windows Clients
5) Squid
so I think I have all the parts running I need, but need some pointers on how to add the extra interface into the settings for each. Thanks everyone for your advice.
Philip
On Saturday 10 January 2004 23:03, Philip B Cook wrote:
If you do add the extra interface you are going to have a routing problem between machines on different interfaces. Maybe this is not a problem. If all the machines only talk to the server and not to each other then this will not be a problem. Simply add the new interface and set up your dhcp server to dish out IPs in a different subnet for that interface. Remember to have your samba set up to allow the new interface. But remember, you can avoid all of this reconfiguration by simply replacing the server NIC with a 10/100 cat 5 NIC and getting a cheap 4 or 5 port switch or hub with a cat 5 port. I guarantee if you know more than one computer geek they will trade you one of these older hubs for a $25 10/100 switch. You only need it till you are fully cut over and off the coax. Then you may never use it again, or perhaps only for printers or something slow, so you don't care that it's a hub rather than a switch and you don't care that it's only 10meg instead of 10/100 or even 10/100/1000. It's a short term solution to keep your coax on line till you get the cat 5 operational. Further, this system puts your server at less risk than adding another subnet.
--
_____________________________________
John Andersen
Philip,
If you want to run two separate subnets then you'll need to update various bits of config. I'm going to be a bit pathetic and not describe it very fully as I've got a cold (!) and a major server crash to handle today! Sorry if this isn't as good as it could be.
I am assuming that you are running a DHCP server that serves IP addresses and updates DNS for one simple subnet at present.
Before you start, when the new card is in you'll use YaST2 to configure the new card with an appropriate IP address. If you decide to use the 192.168.10. subnet for the new NIC then 192.168.10.1 might be a good suggestion for the new NIC IP address.
Firstly DHCP. Decide on a new subnet. Probably something on a different C class, like 192.168.10.xxx would be a good idea, just for simplicity. Add another entry to dhcp.conf for this new subnet. Given that you worked out how to do the first DHCP subnet in dhcp.conf I reckon you can work out how to add another?
Second DNS. Add new zone data for the new subnet. You'll probably be using some made up domain at the moment with a zone file for this. You should also have a reverse lookup zone file for the existing 192.168.0 subnet. Copy this to create a new reverse lookup zone file for the new (e.g. 192.168.10.) subnet. Modify named.conf accordingly too, make sure that the new zone definition allows update from localhost (or whatever address you've configured) so that DHCP can update it dynamically.
Those two bits should be easy-ish for you.
SuSEfirewall2, you just add the new Ethernet NIC device (probably eth2?) to the FW_DEV_INT line where the existing internal NIC (probably eth1?) is. Also make sure to add the new subnet to FW_MASQ_NETS.
I'm not sure about squid. If any changes are needed to support two subnets instead of one then they should be fairly obvious.
Finally and the most nasty of all is Samba and WINS. If you have only win 2k/XP clients then you are probably fairly home free. You should be able to ping clients on one subnet from the other and vice versa and should then be able to see file shares/printers using the usual \\pc2\sharename "UNC" type notation in the Windows Explorer Address Bar box, luckily for you, you can thereby bypass the horrid NetBIOS and WINS mess. I'm not sure how Network Neighbourhood works in that case (it probably just doesn't) but that's really just a user training issue in the end (arguably) and not worth the hassle.
However if you've got Win 3.1, Win 98, Win ME, Win NT 4.0 or likewise clients on *any* of your connected PCs they won't be able to network without the dreaded NetBIOS over TCP/IP ("NBT"), worse luck. :(
In that case the best thing to do is get DHCP to set all of them up as "hybrid" nodes (use "man dhcp.conf" for info), with a NBNS ("WINS") server at ... (your Linux box IP address on *that* subnet being configured). Then adjust smb.conf (my preferred method is using SWAT over a webbrowser if it's running) so that "wins support = yes". Next make sure all PCs are in the same WORKGROUP, restart Samba, DNS, DHCP, SuSEfirewall2 and all MS clients and pray.
If you network the two segments together at an ethernet level you'll save all that hassle, however! Mind you, arguably, you'll learn less in the (possibly slightly painful) process... :)
Regards,
Carl Peto
Linux Server Support
Bookman Associates
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Carl,
thanks for the advice. I am pursuing both upgrade paths we have discussed, but find the one presented by you a challenge.
I have added an ISA Coax Ethernet Card into the machine (eth2) (I only had an ISA slot left). My current internal net is on eth0 and my Cable Modem sits on eth1. Hopefully I have followed all your advice below and also added in SuSEfirewall2 FW_ALLOW_CLASS_ROUTING="yes" to permit the two local nets to talk without having explicit forwarding instructions. They are 192.168.0.xxx (original) and 192.168.1.xxx (new).
However, when I swap the coax cable over to eth2 I cannot get it to assign any IP addresses to hosts. Do I have to wait for the Lease Time to expire?
Also as soon as I bring up the eth2 interface, with all my hosts on eth0, they can still communicate to one another BUT I lose access to the internet from all hosts. Does the sequence the interfaces come up in when booting matter? As it stands they come up as eth0 - first local net; eth1 - cable/internet; eth2 - new local net.
Any ideas?
Philip
Hello, on Wednesday, 21 January 2004 08:22, Philip B Cook wrote:
[...] However, when I swap the coax cable over to eth2 I cannot get it to assign any IP addresses to hosts. Do I have to wait for the Lease Time to expire?
Does your dhcpd listen on eth2 also? I don't know your SuSE version, on newer versions (>= 8.0?) see /etc/sysconfig/dhcpd, DHCPD_INTERFACE="eth0 eth2".
Also as soon as I bring up the eth2 interface, with all my hosts on eth0, they can still communicate to one another BUT I lose access to the internet from all hosts. Does the sequence the interfaces come up in when booting matter? As it stands they come up as eth0 - first local net; eth1 - cable/internet; eth2 - new local net.
Maybe your routing is mixed up. What does route -n show?
Any ideas ?
Yes: do not quote mails as "TOFU" (German "Text oben - Fullquote unten", translated: full quote below your text).
I removed about 200 lines of trash here :-|
Regards
Christian Boltz
--
Microsoft, what do you want to crash today?
see answers in context below
----- Original Message -----
From: "Philip B Cook"
Carl,
thanks for the advice. I am pursuing both upgrade paths we have discussed, but find the one presented by you a challenge.
I have added an ISA Coax Ethernet Card into the machine (eth2) (I only had an ISA slot left). My current internal net is on eth0 and my Cable Modem sits on eth1.
ISA should be fine, probably, I think it depends mostly on the card itself, some are really slow but you should be fine. When people want fast networking you can just encourage them to upgrade onto your 100Mb network!
Hopefully I have followed all your advice below and also added in SuSEfirewall2 FW_ALLOW_CLASS_ROUTING="yes" to permit the two local nets to talk without having explicit forwarding instructions. They are 192.168.0.xxx (original) and 192.168.1.xxx (new).
Those two subnets are fine. I don't recognize that particular parameter, perhaps my version of SuSEfirewall2 is out of date. I used FW_ROUTE=yes. Anyway the thing to check is...
cat /proc/sys/net/ipv4/ip_forward
...if that says...
1
...then routing is enabled at the kernel level, otherwise the kernel will never route packets. If it's set to 0 then check your config files for something obvious missing and come back here if not.
However, when I swap the coax cable over to eth2...
I'm assuming that your PCI based NIC ("eth0") is 10/100 switching and has a coax BNC connector as well as twisted pair RJ-45? Is that right??
...I cannot get it to assign any IP addresses to hosts.. Do I have to wait for the Lease Time to expire ?
Well possibly a bit more than that. DHCP hosts (especially MS Windows in my experience) seem to be pretty keen to try and keep the IP addresses they were first assigned. I'm not (yet) an expert on DHCP but I know enough that there's a complex set of scenarios it can cater for, including many servers/subnets on the same physical (layer 2) network segment ("LAN"). The upshot of this is that clients should by default hold onto their addresses and try to keep contacting their original DHCP server (which is 192.168.0.1 in your case). To make Windows clients give up and start again you need to use the ipconfig command from a DOS box. The syntax differs from Win98 to Win 2k/XP. Usually it's something like...
ipconfig /release
...then...
ipconfig
...to check that the address has been released. On win 2k PCs this will then show an IP address of 0.0.0.0, meaning none assigned, then check they are all networked correctly and do...
ipconfig /renew
...after a short delay the IP stack should pick up a new IP address or an error message. If it comes up with an address in the range 169.254.0.1-169.255.254 then this also indicates DHCP server unavailability. These are called APIPA addresses. You can switch them off with a registry change, I think it's HKLM\System\CurrentControlSet\Services\Tcpip\IPAutoconfigurationEnabled = 0 or something. If you're still not getting addresses then run the dhcp server in debug mode to see if you can see the clients connecting and attempting to get IP addresses. If even that doesn't work then check network connectivity somehow.
Also as soon as I bring up the eth2 interface, with all my hosts on eth0, they can still communicate to one another BUT I lose access to the internet from all hosts.
Sounds like bringing up eth2 is changing the existing routing table. How exactly are you bringing up these interfaces? Are you using rcnetwork start or something else? If rcnetwork start then what's your network config in yast2?
Does the sequence the interfaces come up in when booting matter? As it stands they come up as eth0 - first local net; eth1 - cable/internet; eth2 - new local net.
Sequence shouldn't matter at all. Do...
ip route ls
ifconfig
...and show us the output. It should be informative!
Regards
Carl
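The checks Carl and Christian describe above (kernel forwarding switched on, dhcpd listening on both internal NICs, one dhcpd.conf subnet per network carrying the WINS options for hybrid nodes, and a routing table whose default route still leaves via the cable-modem NIC), collected into one shell script as an added example that is not code from the thread. The sysconfig, dhcpd.conf and route -n contents are constructed samples, and 203.0.113.0/24 is a placeholder for the cable-modem network.

```shell
#!/bin/sh
# Added example, not code from the thread: offline checks for the two-subnet
# setup discussed above. Each function takes the text it would normally read
# from a file or a command, so the constructed samples can be checked anywhere.

# 1. /proc/sys/net/ipv4/ip_forward must read 1, or the kernel never routes.
forwarding_enabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# 2. dhcpd must listen on every internal NIC (DHCPD_INTERFACE in
#    /etc/sysconfig/dhcpd). $1 = file contents, remaining args = interfaces.
dhcpd_listens_on() {
  _ifaces=$(printf '%s\n' "$1" | sed -n 's/^DHCPD_INTERFACE="\(.*\)"/\1/p')
  shift
  for _i in "$@"; do
    case " $_ifaces " in *" $_i "*) ;; *) return 1 ;; esac
  done
}

# 3. dhcpd.conf needs one subnet declaration per internal network.
#    $1 = dhcpd.conf contents, remaining args = network addresses.
dhcpd_has_subnets() {
  _conf=$1; shift
  for _net in "$@"; do
    printf '%s\n' "$_conf" |
      awk -v n="$_net" '$1=="subnet" && $2==n {f=1} END{exit !f}' || return 1
  done
}

# 4. route -n output: the default route must still leave via the WAN NIC
#    (losing it is the "no internet once eth2 is up" symptom) and each
#    internal network must be reachable through its own NIC.
#    $1 = route -n output, $2 = WAN interface, remaining args = net:iface.
routes_ok() {
  _table=$1; _wan=$2; shift 2
  printf '%s\n' "$_table" |
    awk -v d="$_wan" '$1=="0.0.0.0" && $NF==d {f=1} END{exit !f}' || return 1
  for _pair in "$@"; do
    printf '%s\n' "$_table" |
      awk -v n="${_pair%%:*}" -v d="${_pair##*:}" \
        '$1==n && $NF==d {f=1} END{exit !f}' || return 1
  done
}

# Constructed samples (not output from Philip's machine). 203.0.113.0/24
# stands in for the cable-modem network.
SYSCONFIG_DHCPD='DHCPD_INTERFACE="eth0 eth2"'
DHCPD_CONF='subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
  option routers 192.168.0.1;
  option netbios-name-servers 192.168.0.1;  # WINS on this subnet, as Carl says
  option netbios-node-type 8;               # 8 = hybrid (H-node)
}
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
  option routers 192.168.1.1;
  option netbios-name-servers 192.168.1.1;
  option netbios-node-type 8;
}'
ROUTE_GOOD='192.168.1.0   0.0.0.0       255.255.255.0  U   0 0 0 eth2
192.168.0.0   0.0.0.0       255.255.255.0  U   0 0 0 eth0
203.0.113.0   0.0.0.0       255.255.255.0  U   0 0 0 eth1
0.0.0.0       203.0.113.1   0.0.0.0        UG  0 0 0 eth1'
# Same box after eth2 came up with its own default route: internet gone.
ROUTE_BAD='192.168.1.0   0.0.0.0   255.255.255.0  U   0 0 0 eth2
192.168.0.0   0.0.0.0   255.255.255.0  U   0 0 0 eth0
203.0.113.0   0.0.0.0   255.255.255.0  U   0 0 0 eth1
0.0.0.0       0.0.0.0   0.0.0.0        U   0 0 0 eth2'

# Run all four checks; $1 = ip_forward value, $2 = route -n output.
check_all() {
  _rc=0
  forwarding_enabled "$1" || { echo "ip_forward is not 1"; _rc=1; }
  dhcpd_listens_on "$SYSCONFIG_DHCPD" eth0 eth2 || { echo "dhcpd not on eth0+eth2"; _rc=1; }
  dhcpd_has_subnets "$DHCPD_CONF" 192.168.0.0 192.168.1.0 || { echo "subnet missing"; _rc=1; }
  routes_ok "$2" eth1 192.168.0.0:eth0 192.168.1.0:eth2 || { echo "routing broken"; _rc=1; }
  return $_rc
}
```

On a live box the same functions take `$(cat /proc/sys/net/ipv4/ip_forward)`, `$(cat /etc/sysconfig/dhcpd)`, `$(cat /etc/dhcpd.conf)` and `$(route -n)` in place of the samples.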