Networking Forums: Linux Networking
Linux router

Mikhail
      02-20-2006, 01:26 AM
I hope, someone could point me in the right direction...
I'm trying to build a Debian-based router. I've installed the Sarge distribution on
a 3-NIC computer and recompiled the kernel from 2.6.14 source.
My desired configuration is:
192.168.0.0/24 network
|
subnet 192.168.0.16/28-> Debian box <- subnet 192.168.0.32/28

Debian has 3 NICs eth0-eth2. eth0 is connected to firewall at 192.168.0.1.
Two other NICs are used to create two subnets and have static IPs
192.168.0.17 and 192.168.0.33 with /28 netmasks respectively. Internet is
accessible through 192.168.0.1.

1. I'd like eth0 to get its IP from DHCP located at 192.168.0.10 on
192.168.0.0/24 network.
2. I want my clients from both subnets to get their IPs from the same DHCP.
3. I want them to see each other and the Internet.

The first is easily accomplished by eth0 configuration in /etc/interfaces
and the DHCP client.
The second requires routing DHCP requests from the subnets to the 192.168.0.0/24
network and back. I seem to have trouble with that: I can see requests in the
nat PREROUTING chain but then they disappear and don't show up in the
FORWARD chain. I did enable forwarding in /proc/sys/net/ipv4/ip_forward.

Here's relevant part of my kernel config:
#
# Networking options
#
CONFIG_PACKET=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
CONFIG_IP_ROUTE_MULTIPATH_RR=y
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=y
CONFIG_IP_ROUTE_MULTIPATH_DRR=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
CONFIG_TCP_CONG_BIC=y

#
# IP: Virtual Server Configuration
#
CONFIG_NETFILTER=y

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_NETBIOS_NS=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_CONNMARK=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_PPTP=m

... and the result of ip route show:

192.168.0.32/28 dev eth2 proto kernel scope link src 192.168.0.33
192.168.0.16/28 dev eth1 proto kernel scope link src 192.168.0.17
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.6
default via 192.168.0.1 dev eth0

... and the result of packet logging:
Feb 19 19:59:17 localhost kernel: NAT:IN=eth1 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:50:ba:40:0e:8c:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=34932 PROTO=UDP
SPT=68 DPT=67 LEN=308
Feb 19 19:59:17 localhost kernel: IN:IN=eth1 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:50:ba:40:0e:8c:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=34932 PROTO=UDP
SPT=68 DPT=67 LEN=308
Feb 19 19:59:22 localhost kernel: IN:IN=eth1 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:50:ba:40:0e:8c:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=34933 PROTO=UDP
SPT=68 DPT=67 LEN=308

The log prefix NAT: comes from the nat PREROUTING chain and IN: from the filter INPUT
chain. I've got nothing in the FORWARD chain, otherwise it would be in the log
with the prefix FWD:. Why did those packets come to the INPUT chain anyway? What am
I missing?

I'd appreciate if somebody could shed some light on this.

Mikhail.



Tauno Voipio
      02-20-2006, 07:01 AM
Mikhail wrote:
> I hope, someone could point me in the right direction...
> I'm trying to build a Debian-based router. I've installed the Sarge distribution on
> a 3-NIC computer and recompiled the kernel from 2.6.14 source.
> My desired configuration is:
> 192.168.0.0/24 network
> |
> subnet 192.168.0.16/28-> Debian box <- subnet 192.168.0.32/28
>
> Debian has 3 NICs eth0-eth2. eth0 is connected to firewall at 192.168.0.1.
> Two other NICs are used to create two subnets and have static IPs
> 192.168.0.17 and 192.168.0.33 with /28 netmasks respectively. Internet is
> accessible through 192.168.0.1.
>
> 1. I'd like eth0 to get its IP from DHCP located at 192.168.0.10 on
> 192.168.0.0/24 network.
> 2. I want my clients from both subnets to get their IPs from the same DHCP.
> 3. I want them to see each other and the Internet.
>
> The first is easily accomplished by eth0 configuration in /etc/interfaces
> and dhcp client.
> The second requires routing DHCP requests from subnets to 192.168.0.0/24
> network and back. I seem to have trouble with that: I can see requests on
> nat PREROUTING chain but then they disappear and don't show up in the
> FORWARD chain. I did enable forwarding in /proc/sys/net/ipv4/ip_forward.
>
> [kernel config, routing table and log output snipped]
> The log prefix NAT: comes from the nat PREROUTING chain and IN: from the filter INPUT
> chain. I've got nothing in the FORWARD chain, otherwise it would be in the log
> with the prefix FWD:. Why did those packets come to the INPUT chain anyway? What am
> I missing?


For the router's clients, you'll need a DHCP relay agent.
Google for possible daemons.

There is one problem, though: The DHCP server should know
the clients by MAC/other ID so that it's able to lease
an address in the proper subnet.

--

Tauno Voipio
tauno voipio (at) iki fi
 

Robert Harris
      02-20-2006, 10:20 AM
Mikhail wrote:
> I hope, someone could point me in the right direction...
> I'm trying to build a Debian-based router. I've installed the Sarge distribution on
> a 3-NIC computer and recompiled the kernel from 2.6.14 source.
> My desired configuration is:
> 192.168.0.0/24 network
> |
> subnet 192.168.0.16/28-> Debian box <- subnet 192.168.0.32/28
>
> Debian has 3 NICs eth0-eth2. eth0 is connected to firewall at 192.168.0.1.
> Two other NICs are used to create two subnets and have static IPs
> 192.168.0.17 and 192.168.0.33 with /28 netmasks respectively. Internet is
> accessible through 192.168.0.1.
>
> 1. I'd like eth0 to get its IP from DHCP located at 192.168.0.10 on
> 192.168.0.0/24 network.
> 2. I want my clients from both subnets to get their IPs from the same DHCP.
> 3. I want them to see each other and the Internet.
>
> The first is easily accomplished by eth0 configuration in /etc/interfaces
> and dhcp client.
> The second requires routing DHCP requests from subnets to 192.168.0.0/24
> network and back. I seem to have trouble with that: I can see requests on
> nat PREROUTING chain but then they disappear and don't show up in the
> FORWARD chain. I did enable forwarding in /proc/sys/net/ipv4/ip_forward.


Life will be much easier for you if you make your router the DHCP server.

Robert
 

Mikhail
      02-20-2006, 02:45 PM
I know, but my issue is not DHCP at this time. The actual one is that I
can't see its UDP packets passing to the Linux FORWARD chain. Well, those
packets are also broadcast; maybe this causes the trouble. I'll
configure my client statically and try it with a unicast request to see
if it makes any difference.

 

Tauno Voipio
      02-20-2006, 07:47 PM
Mikhail wrote:
> I know, but my issue is not DHCP at this time. The actual one is that I
> can't see its UDP packets passing to Linux FORWARD chain. Well, those
> packets are also broadcast; maybe this causes the trouble. I'll
> configure my client statically and try it with unicast request to see
> if it makes any difference.



A packet sent to 255.255.255.255 or to Ethernet equivalent
ff:ff:ff:ff:ff:ff must not be routed out of the local network.

For DHCP to cross routers, you DO need the DHCP relay daemons
at the routers.

As was told by Robert Harris, you'd be much better off by making
the router serve as the DHCP daemon. It would also solve the
subnet problem of serving addresses of the proper subnet.

--

Tauno Voipio
tauno voipio (at) iki fi
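Added example (Python; not code from anyone in this thread): it replays the routing decision Tauno describes against the routing table and the netfilter LOG line Mikhail posted. The route list and the router's own addresses are the ones from the "ip route show" output above; the sample log line is the first one from the original post re-joined onto a single line, and the chain names are the filter hooks the original poster was logging.

```python
import ipaddress
import re

# Routing table as posted in the thread ("ip route show"): prefix, device, gateway.
ROUTES = [
    ("192.168.0.32/28", "eth2", None),
    ("192.168.0.16/28", "eth1", None),
    ("192.168.0.0/24", "eth0", None),
    ("0.0.0.0/0", "eth0", "192.168.0.1"),
]

# Addresses the router itself owns (the "src" fields of the same output).
LOCAL_ADDRS = {"192.168.0.33", "192.168.0.17", "192.168.0.6"}

# Constructed sample: the first LOG line from the thread, joined onto one line.
SAMPLE_LOG = ("Feb 19 19:59:17 localhost kernel: NAT:IN=eth1 OUT= "
              "MAC=ff:ff:ff:ff:ff:ff:00:50:ba:40:0e:8c:08:00 SRC=0.0.0.0 "
              "DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=34932 "
              "PROTO=UDP SPT=68 DPT=67 LEN=308")

LOG_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line):
    """Pull interface, addresses, protocol and ports out of a netfilter LOG line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a netfilter LOG line: %r" % line)
    return m.groupdict()


def directed_broadcasts():
    """Broadcast address of every directly connected subnet in ROUTES."""
    return {str(ipaddress.ip_network(p).broadcast_address)
            for p, _dev, gw in ROUTES if gw is None}


def lookup(dst):
    """Longest-prefix match over ROUTES: returns (network, device, gateway-or-None)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best


def routing_decision(dst):
    """Which filter chain a packet for `dst` reaches after nat PREROUTING.

    Local delivery (INPUT) wins for the limited broadcast 255.255.255.255,
    for the router's own addresses and for the directed broadcast of a
    connected subnet; anything else is looked up in the FIB and, if a
    route exists, goes to FORWARD.  Returns (chain, out_device, next_hop).
    """
    if dst == "255.255.255.255" or dst in LOCAL_ADDRS or dst in directed_broadcasts():
        return ("INPUT", None, None)
    route = lookup(dst)
    if route is None:
        return ("UNREACHABLE", None, None)
    _net, dev, gw = route
    return ("FORWARD", dev, gw if gw is not None else dst)


def trace(line):
    """Parse a LOG line and annotate it with the chain it is seen in next."""
    fields = parse_log_line(line)
    chain, dev, next_hop = routing_decision(fields["dst"])
    fields.update(chain=chain, out=dev, next_hop=next_hop)
    return fields


if __name__ == "__main__":
    print(trace(SAMPLE_LOG))
    for dst in ("192.168.0.34", "192.168.0.10", "192.168.0.31", "8.8.8.8"):
        print(dst, routing_decision(dst))
```

Running it shows the DHCP request to 255.255.255.255 landing in INPUT, exactly as the posted log does, while a unicast from the eth1 side to 192.168.0.34 is forwarded out eth2 because the /28 route beats the enclosing /24. The limited broadcast never reaches a FIB lookup at all, which is why no FORWARD rule can see it.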
 

Llanzlan Klazmon
      02-20-2006, 11:46 PM
Tauno Voipio wrote:

> Mikhail wrote:
>> I know, but my issue is not DHCP at this time. The actual one is that I
>> can't see its UDP packets passing to Linux FORWARD chain. Well, those
>> packets are also broadcast may be this causes the trouble. I'll
>> configure my client statically and try it with unicast request to see
>> if it makes any difference.

>
>
> A packet sent to 255.255.255.255 or to Ethernet equivalent
> ff:ff:ff:ff:ff:ff must not be routed out of the local network.
>
> For DHCP to cross routers, you DO need the DHCP relay daemons
> at the routers.
>
> As was told by Robert Harris, you'd be much better off by making
> the router serve as the DHCP daemon. It would also solve the
> subnet problem of serving addresses of the proper subnet.
>


That isn't really a problem as long as the DHCP server is properly
configured. The DHCP relays tell the DHCP server which subnet the request
pertains to and can therefore work out which pool to assign the address
from. At the office I work we have a dozen or so subnets all getting their
DHCP assigned addresses from a single central server. We are using,
depending on the situation, both Cisco "IP helpers" and the linux DHCP
relays to do this. It is not a big deal.

Klazm
 

Mikhail
      02-21-2006, 06:19 AM
I seem to have misconfigured the netmask - it should be /26 not /28.
I statically reconfigured my client to be at 192.168.0.18/26 with the default
gateway at 192.168.0.17/26 (Linux eth1 interface).
I can successfully ping 192.168.0.17 (eth1) from the client and in the opposite
direction, from Linux to the client. I can't ping the firewall though - the request
times out and I'm not getting anything on the eth1 interface. What am I doing
wrong?



Llanzlan Klazmon
      02-22-2006, 12:44 AM
Mikhail wrote:

> I seem to have misconfigured the netmask - it should be /26 not /28.
> I statically reconfigured my client to be at 192.168.0.18/26 with the
> default gateway at 192.168.0.17/26 (Linux eth1 interface).
> I can successfully ping 192.168.0.17 (eth1) from the client and in the
> opposite direction, from Linux to the client. I can't ping the firewall though -
> the request times out and I'm not getting anything on the eth1 interface. What am
> I doing wrong?

So going back to your original picture:

192.168.0.0/24 network
|
subnet 192.168.0.16/28-> Debian box <- subnet 192.168.0.32/28


The overlap with the /24 subnet is OK because the more specific masks take
priority. The firewall doesn't know that you are further subnetting the
192.168.0.0/24 network and will expect to be able to locate devices
in the whole class C sized block directly on its local interface. To get
around that the Debian box has to answer ARP requests on behalf of the two
smaller subnets - i.e. proxy ARP.

Changing the subnet mask to /26 is an error because 192.168.0.16/26 and
192.168.0.32/26 are the same subnet and should be written 192.168.0.0/26. You
could get around this by using 192.168.0.64/26 and 192.168.0.128/26. A /26
bit mask covers a range of 64 addresses (62 usable host addresses).

Klazmon


 

Mikhail
      02-22-2006, 06:30 AM

Llanzlan Klazmon wrote:
>
> So going back to your original picture:
>
> 192.168.0.0/24 network
> |
> subnet 192.168.0.16/28-> Debian box <- subnet 192.168.0.32/28
>
>
> The overlap with the /24 subnet is OK because the more specific masks take
> priority. The firewall doesn't know that you are further subnetting the
> 192.168.0.0/24 network and will expect to be able to locate devices
> in the whole class C sized block directly on its local interface. To get
> around that the Debian box has to answer ARP requests on behalf of the two
> smaller subnets - i.e. proxy ARP.


Thank you for this information, it cleared a few things up for me: I'm still
very new to network configuration. One more question: would masquerading
give a similar effect in the sense that the subnets will see each other directly?
They won't be reachable from the /24 network but in my case it's OK since I
used the /24 network as an example only and in the real scenario this is going to be
the Internet side of the box. My company will most likely have only a single
static IP which would become the eth0 static IP.

> Changing the subnet mask to /26 is an error because 192.168.0.16/26 and
> 192.168.0.32/26 are the same subnet and should be written 192.168.0.0/26. You
> could get around this by using 192.168.0.64/26 and 192.168.0.128/26. A /26
> bit mask covers a range of 64 addresses (62 usable host addresses).


You're right, my initial setup was correct. I got confused a little along
the way. Thank you for pointing this out.

Mikhail.



Jan Hugo Prins
      02-23-2006, 07:20 AM
On Tue, 21 Feb 2006 01:19:52 -0500, Mikhail wrote:

> I seem to have misconfigured the netmask - it should be /26 not /28. I statically
> reconfigured my client to be at 192.168.0.18/26 with the default gateway at
> 192.168.0.17/26 (Linux eth1 interface). I can successfully ping
> 192.168.0.17 (eth1) from the client and in the opposite direction, from Linux
> to the client. I can't ping the firewall though - the request times out and I'm not
> getting anything on the eth1 interface. What am I doing wrong?
>


I don't know exactly what you want of course, but when you create a /26
subnet it will have an address space of 62 addresses plus a broadcast address.
This means that 192.168.0.17/26 and 192.168.0.32/26 will be in the same
subnet. 192.168.0.0/26 runs from 192.168.0.1 to 192.168.0.63 with the last
address being the broadcast address. This is probably also the reason that
a ping won't succeed.

192.168.0.0/28 runs from 192.168.0.1 to 192.168.0.15 with the last address
being the broadcast address.
192.168.0.17/28 and 192.168.0.33/28 are in 2 different subnets. So that
was good in the first schematic of your network.

Then for DHCP. What someone else also mentioned was that DHCP does not
work through routers. This is probably why you are not seeing some
packets on the other side of a router. DHCP is a broadcast based protocol.
In any subnet that does not have a DHCP server but that needs DHCP you
need a DHCP relay agent. This agent picks up the broadcast, transmits the
request with unicast to the DHCP server, which can be anywhere in your
network, and broadcasts the answer back on the network when it is received
from the server. Traffic between the DHCP relay agent and the DHCP server
is unicast traffic and that will pass through a router just fine.

On the DHCP server you have to create a subnet definition for every subnet
that the DHCP server should serve. So in a /28 split subnet you have to
create the following ranges:
Network 192.168.0.0/28
192.168.0.2 to 192.168.0.14 Gway 192.168.0.1 / bc 192.168.0.15
Network 192.168.0.16/28
192.168.0.18 to 192.168.0.30 Gway 192.168.0.17 / bc 192.168.0.31
Network 192.168.0.32/28
192.168.0.34 to 192.168.0.46 Gway 192.168.0.33 / bc 192.168.0.47
Network 192.168.0.48/28
192.168.0.50 to 192.168.0.62 Gway 192.168.0.49 / bc 192.168.0.63
etc ... depending on the number of subnets.

I hope this helps a little.
Jan Hugo
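Added example (Python; not code from any poster in this thread) covering both Klazmon's point that the relay tells the server which subnet a request came from and Jan Hugo's /28 table above. It carves 192.168.0.0/24 into /28 subnets the way the table does, renders the matching ISC dhcpd subnet declarations, shows why the /26 attempt collapsed both subnets into one, and simulates the relay stamping giaddr and the server picking a pool from it. The server address 192.168.0.10 and the router's subnet-facing addresses .17 and .33 are the ones from the thread; the DHCP message is a constructed dict carrying only the fields that matter here.

```python
import ipaddress

# Assumption taken from the thread: the central DHCP server is 192.168.0.10.
DHCP_SERVER = "192.168.0.10"


def split_into_subnets(block, new_prefix):
    """Carve `block` into /new_prefix subnets: first usable host is the gateway,
    the remaining hosts form the DHCP pool (the layout of Jan Hugo's table)."""
    out = []
    for sub in ipaddress.ip_network(block).subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())
        out.append({
            "network": str(sub),
            "gateway": str(hosts[0]),
            "range": (str(hosts[1]), str(hosts[-1])),
            "broadcast": str(sub.broadcast_address),
        })
    return out


def dhcpd_subnet_stanza(sub):
    """ISC dhcpd subnet declaration for one entry of split_into_subnets()."""
    net = ipaddress.ip_network(sub["network"])
    lo, hi = sub["range"]
    return (
        f"subnet {net.network_address} netmask {net.netmask} {{\n"
        f"    range {lo} {hi};\n"
        f"    option routers {sub['gateway']};\n"
        f"    option broadcast-address {sub['broadcast']};\n"
        f"}}\n"
    )


def normalise(cidr):
    """The subnet an interface address/prefix pair really belongs to."""
    return str(ipaddress.ip_network(cidr, strict=False))


def overlapping(cidrs):
    """Pairs of prefixes that collide (identical or nested subnets)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def relay(request, relay_addr, server=DHCP_SERVER):
    """What the relay agent does with a client broadcast it picks up on
    `relay_addr`'s interface: stamp giaddr (only the first relay does),
    bump the hop count and send the message unicast to the server."""
    relayed = dict(request)
    if relayed["giaddr"] == "0.0.0.0":
        relayed["giaddr"] = relay_addr
    relayed["hops"] += 1
    relayed["src"] = relay_addr
    relayed["dst"] = server
    return relayed


def select_pool(giaddr, subnets):
    """Pool selection on the server side: giaddr names the client's subnet."""
    g = ipaddress.ip_address(giaddr)
    for sub in subnets:
        if g in ipaddress.ip_network(sub["network"]):
            return sub
    return None


if __name__ == "__main__":
    subs = split_into_subnets("192.168.0.0/24", 28)
    print(dhcpd_subnet_stanza(subs[1]))
    # Constructed DHCPDISCOVER as it leaves a client on the eth1 side.
    discover = {"src": "0.0.0.0", "dst": "255.255.255.255",
                "giaddr": "0.0.0.0", "hops": 0}
    fwd = relay(discover, "192.168.0.17")
    print(fwd, "->", select_pool(fwd["giaddr"], subs)["network"])
    print(normalise("192.168.0.16/26"), normalise("192.168.0.32/26"),
          overlapping(["192.168.0.16/26", "192.168.0.32/26"]))
```

The relay sends from the address that becomes giaddr here; a real relay may use any of its addresses as the source, but the server keys its choice of pool on giaddr, not on the source address, which is why the subnet declarations on the server must cover the relays' addresses. A request with giaddr still zero (a client on the server's own segment, or a relay that forgot to set it) matches no relayed pool and falls back to the server's local subnet.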
 