routing two private subnets?

 
 
William Gill

 
      01-26-2005, 03:49 PM
I apologize if this question gets a little convoluted, but here goes. I
recently moved my servers to someone else, so I no longer needed a
dedicated internet connection. I now have a residential class DSL line.
The modem provided (speedstream 5100) can be optioned to operate with
external or internal pppoe. The modem is “hardwired” to 192.168.0.1. I
have everything currently configured to use RP pppoe, but I would like
to use the modem’s pppoe (and NAT) and use the connected machine as my
barrier/router/firewall. Is it possible to set up the interfaces on the
router to addresses in the same subnet (i.e. eth0 & eth1 both on
192.168.0.0)? Alternately (probably simpler), I can configure two
subnets (192.168.0.0 & 192.168.1.0). Either way can I use iptables to
NAT or masq to allow my other machines (all on private ip’s) internet
access?

Thanks
Bill
 
 
 
 
 
Noah Roberts

 
      01-26-2005, 04:22 PM

William Gill wrote:
> I apologize if this question gets a little convoluted,


Yes, it is a little difficult to figure out what you want. I believe
you are talking about your home network, but am at a loss as to what
the remote servers have to do with it.

You can use Linux to FW and nat for your entire internal network. This
may be against the AUP of your ISP, but I never cared...

Your modem may or may not do NAT.

If you want your remote servers to be a part of your internal network
you have to use VPNs and/or tunneling, something I know next to nothing
about...

 
 
William Gill

 
      01-27-2005, 02:14 PM
Noah Roberts wrote:
> William Gill wrote:
>
>>I apologize if this question gets a little convoluted,

>
>
> Yes, it is a little difficult to figure out what you want. I believe
> you are talking about your home network, but am at a loss as to what
> the remote servers have to do with it.
>
> You can use Linux to FW and nat for your entire internal network. This
> may be against the AUP of your ISP, but I never cared...
>
> Your modem may or may not do NAT.
>
> If you want your remote servers to be a part of your internal network
> you have to use VPNs and/or tunneling, something I know next to nothing
> about...
>

OK, I'll try to clear it up some.

>...am at a loss as to what the remote servers have to do with it.


Disregard anything to do with remote servers. Everything is hosted by
someone else now. My wife is spoiled by "direct access to the
internet", and I need to ftp to my servers, pull mail, and the usual
home user stuff.

current layout:

internet
|
modem
[optioned for pppoe on computer not modem]
[internal ip (for http interface to config, etc): 192.168.0.1]
|
eth0
[ip: 192.168.0.2]
|
ppp0
[Roaring Penguin pppoe client]
[ip: DHCP]
[linux box as firewall/router ]
[iptables masq allowing lan connection to internet]
|
eth1
[ip:192.168.1.10]
|
LAN
_|___________________________
| | |
happy wife Me college student son

Not being versed in pppoe, it looks like there are two ports facing the
internet; the physical eth0 at 192.168.0.2, and the "virtual" ppp0 on a
DHCP-assigned address. Also, because I'm not well versed in pppoe, I'm
not comfortable security-wise.


What I do know is, the modem (speedstream 5100) can be configured for
pppoe on the computer or in the modem (default).
if I change it back to "in the modem", the config changes to:

internet
|
modem
[optioned for pppoe on modem]
[DHCP and NAT done internally on modem]
[ip: 192.168.0.1]
|
eth0
[ip: 192.168.0.2]
[linux box as firewall]
|
eth1
[ip:192.168.1.10]
|
LAN
[no internet connectivity]


My limited understanding is that addresses 192.168.xxx.xxx are
private, and non-routable, but I am wondering if I can use NAT (via
iptables) to allow lan computers internet access.

On first pass it looks like if I try, all connections would appear to be
coming from 192.168.0.1 i.e. public IP > NAT(in modem) > 192.168.0.1
so it won't work. However, it seems to me that NAT (possibly SNAT)
would allow all lan computers to appear to be at 192.168.0.2.
Am I wrong?

The second question was not NAT related, it was routing. I wanted both
eth0 and eth1 on 192.168.0.0/24. Again it seems possible, but as I said
"my limited knowledge".

Does this clear things up any?

Bill

 
 
Noah Roberts

 
      01-27-2005, 05:30 PM

William Gill wrote:

> eth0
> [ip: 192.168.0.2]
> |
> ppp0
> [Roaring Penguin pppoe client]
> [ip: DHCP]
> [linux box as firewall/router ]
> [iptables masq allowing lan connection to internet]
> |
> eth1
> [ip:192.168.1.10]
> |
> LAN


Looks like all you need to do is set up some INPUT rules to the outside
interface of the linux fw/router? This setup is working? As long as
your firewall is set up right you should be ok. Stay up to date with
your security patches and don't run any services (except maybe ssh for
the LAN side only). If the ftp and such is not working you have not
loaded the right modules...
>
> What I do know is, the modem (speedstream 5100) can be configured for
> pppoe on the computer or in the modem (default).
> if I change it back to "in the modem", the config changes to:
>
> internet
> |
> modem
> [optioned for pppoe on modem]
> [DHCP and NAT done internally on modem]
> [ip: 192.168.0.1]
> |
> eth0
> [ip: 192.168.0.2]
> [linux box as firewall]
> |
> eth1
> [ip:192.168.1.10]
> |
> LAN
> [no internet connectivity]
>
>
> My limited understanding is that addresses 192.168.xxx.xxx are
> private, and non-routable, but I am wondering if I can use NAT (via
> iptables) to allow lan computers internet access.
>
> On first pass it looks like if I try, all connections would appear to be
> coming from 192.168.0.1 i.e. public IP > NAT(in modem) > 192.168.0.1
> so it won't work. However, it seems to me that NAT (possibly SNAT)
> would allow all lan computers to appear to be at 192.168.0.2.
> Am I wrong?


You should be able to NAT twice...linux first, router second. This
provides additional security at the cost of performance...I don't know
how much.

>
> The second question was not NAT related, it was routing. I wanted both
> eth0 and eth1 on 192.168.0.0/24. Again it seems possible, but as I said
> "my limited knowledge".


Yes. BUT....you need to create two subnetworks...192.168.0.0/25 and
192.168.0.128/25.

 
 
David Efflandt

 
      01-28-2005, 12:58 AM
On Thu, 27 Jan 2005 15:14:28 GMT, William Gill <(E-Mail Removed)> wrote:
> Noah Roberts wrote:
>> William Gill wrote:
>>
>>>I apologize if this question gets a little convoluted,

>>
>>
>> Yes, it is a little difficult to figure out what you want. I believe
>> you are talking about your home network, but am at a loss as to what
>> the remote servers have to do with it.
>>
>> You can use Linux to FW and nat for your entire internal network. This
>> may be against the AUP of your ISP, but I never cared...
>>
>> Your modem may or may not do NAT.
>>
>> If you want your remote servers to be a part of your internal network
>> you have to use VPNs and/or tunneling, something I know next to nothing
>> about...
>>

> OK, I'll try to clear it up some.
>
> >...am at a loss as to what the remote servers have to do with it.

>
> Disregard anything to do with remote servers. Everything is hosted by
> someone else now. My wife is spoiled by "direct access to the
> internet", and I need to ftp to my servers, pull mail, and the usual
> home user stuff.
>
> current layout:
>
> internet
> |
> modem
> [optioned for pppoe on computer not modem]
> [internal ip (for http interface to config, etc): 192.168.0.1]
> |
> eth0
> [ip: 192.168.0.2]
> |
> ppp0
> [Roaring Penguin pppoe client]
> [ip: DHCP]
> [linux box as firewall/router ]
> [iptables masq allowing lan connection to internet]
> |
> eth1
> [ip:192.168.1.10]
> |
> LAN
> _|___________________________
> | | |
> happy wife Me college student son
>
> Not being versed in pppoe, it looks like there are two ports facing the
> internet; the physical eth0 at 192.168.0.2, and the "virtual" ppp0 on a
> DHCP-assigned address. Also, because I'm not well versed in pppoe, I'm
> not comfortable security-wise.


The eth0 interface will not go anywhere other than the modem when you are
doing pppoe. ppp0 tcp/ip is isolated from and does not use eth0 tcp/ip
(it would work just as well if eth0 had no IP or was firewalled
completely).

> What I do know is, the modem (speedstream 5100) can be configured for
> pppoe on the computer or in the modem (default).
> if I change it back to "in the modem", the config changes to:
>
> internet
> |
> modem
> [optioned for pppoe on modem]
> [DHCP and NAT done internally on modem]
> [ip: 192.168.0.1]
> |
> eth0
> [ip: 192.168.0.2]
> [linux box as firewall]
> |
> eth1
> [ip:192.168.1.10]
> |
> LAN
> [no internet connectivity]
>
>
> My limited understanding is that addresses 192.168.xxx.xxx are
> private, and non-routable, but I am wondering if I can use NAT (via
> iptables) to allow lan computers internet access.


Masquerading with iptables would be simplest. LAN side of modem would
only respond to IPs that appear to be directly on its LAN subnet anyway,
and would not know to use Linux eth0 as gateway to other subnet.

> On first pass it looks like if I try, all connections would appear to be
> coming from 192.168.0.1 i.e. public IP > NAT(in modem) > 192.168.0.1
> so it won't work. However, it seems to me that NAT (possibly SNAT)
> would allow all lan computers to appear to be at 192.168.0.2.
> Am I wrong?


Almost. Internet traffic would appear to come from whatever public IP it
originates from. Outgoing traffic from 192.168.1.0/24 net would use
gateway 192.168.1.10 and appear to modem to come from 192.168.0.2, and to
internet would appear to come from modem's PPPoE IP. The only place
192.168.0.1 matters is as a default gateway for the Linux router.

> The second question was not NAT related, it was routing. I wanted both
> eth0 and eth1 on 192.168.0.0/24. Again it seems possible, but as I said
> "my limited knowledge".


That may be possible using proxy_arp (if the modem accepts LAN IPs other
than the 1 DHCP IP it assigns). I have done something like this:

ifconfig eth0 192.168.0.2 netmask 255.255.255.255 up
route add -host 192.168.0.1 dev eth0
route add default gw 192.168.0.1 dev eth0

ifconfig eth1 192.168.0.2 netmask 255.255.255.0 up
(same IP, different netmask, or could use different 192.168.0.x IP)

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
(so eth0 answers modem arp requests for eth1 net)

All boxes on eth1 net (other than Linux router) would use eth1 IP as
default gateway.


 
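The masquerading setup David describes, with the outside-interface INPUT rules Noah suggested, written out as an added example script that is not from anyone in the thread. It assumes Bill's second layout (pppoe in the modem, eth0 facing the modem at 192.168.0.2, eth1 facing the 192.168.1.0/24 LAN); the IPT and SYSCTL variables are my own additions so the script can be dry-run without root.

```shell
#!/bin/sh
# Added example (not from the thread): firewall/masquerade script for Bill's
# "pppoe in the modem" layout:
#   modem 192.168.0.1 <-> eth0 192.168.0.2 [Linux router] eth1 192.168.1.10 <-> LAN 192.168.1.0/24
# With no argument it dry-runs (prints the commands); use --apply as root to load them.
IPT="${IPT:-iptables}"               # assumption: overridable so the script can be dry-run
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF="${WAN_IF:-eth0}"             # faces the modem
LAN_IF="${LAN_IF:-eth1}"             # faces the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"

apply_rules() {
    # Forwarding between eth1 and eth0 is off by default.
    $SYSCTL -w net.ipv4.ip_forward=1
    # Strict reverse-path check: a packet from the modem side claiming a LAN source is dropped.
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1

    # Clean slate, default-deny for anything addressed to or through the router.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the router itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Noah's point: no services exposed outside; ssh reachable from the LAN side only.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # Everything else arriving on eth0 (the modem side) is dropped.
    $IPT -A INPUT -i "$WAN_IF" -j DROP

    # LAN hosts may open connections outward; only their replies come back in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade: to the modem the LAN appears to be eth0 (192.168.0.2); the modem's own
    # NAT then rewrites that to its PPPoE address, i.e. the double NAT the thread describes.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules                      # changes the live ruleset; needs root
else
    IPT=echo; SYSCTL=echo            # dry run: print what would be executed
    apply_rules
fi
```

Run it once without arguments to review the generated rules, then with --apply as root; the modem's own NAT still sits in front, so nothing here opens the router to the outside.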
 
William Gill

 
      01-28-2005, 01:20 PM
David Efflandt wrote:
> On Thu, 27 Jan 2005 15:14:28 GMT, William Gill <(E-Mail Removed)> wrote:
>
>>Noah Roberts wrote:
>>
>>>William Gill wrote:
>>>
>>>
>>>>I apologize if this question gets a little convoluted,
>>>
>>>
>>>Yes, it is a little difficult to figure out what you want. I believe
>>>you are talking about your home network, but am at a loss as to what
>>>the remote servers have to do with it.
>>>
>>>You can use Linux to FW and nat for your entire internal network. This
>>>may be against the AUP of your ISP, but I never cared...
>>>
>>>Your modem may or may not do NAT.
>>>
>>>If you want your remote servers to be a part of your internal network
>>>you have to use VPNs and/or tunneling, something I know next to nothing
>>>about...
>>>

>>
>>OK, I'll try to clear it up some.
>>
>>
>>>...am at a loss as to what the remote servers have to do with it.

>>
>>Disregard anything to do with remote servers. Everything is hosted by
>>someone else now. My wife is spoiled by "direct access to the
>>internet", and I need to ftp to my servers, pull mail, and the usual
>>home user stuff.
>>
>>current layout:
>>
>>internet
>> |
>> modem
>>[optioned for pppoe on computer not modem]
>>[internal ip (for http interface to config, etc): 192.168.0.1]
>> |
>> eth0
>>[ip: 192.168.0.2]
>> |
>> ppp0
>>[Roaring Penguin pppoe client]
>>[ip: DHCP]
>>[linux box as firewall/router ]
>>[iptables masq allowing lan connection to internet]
>> |
>> eth1
>>[ip:192.168.1.10]
>> |
>> LAN
>> _|___________________________
>> | | |
>> happy wife Me college student son
>>
>>Not being versed in pppoe, it looks like there are two ports facing the
>>internet; the physical eth0 at 192.168.0.2, and the "virtual" ppp0 on a
>>DHCP-assigned address. Also, because I'm not well versed in pppoe I'm
>>not comfortable security wise.

>
>
> The eth0 interface will not go anywhere other than the modem when you are
> doing pppoe. ppp0 tcp/ip is isolated from and does not use eth0 tcp/ip
> (it would work just as well if eth0 had no IP or was firewalled
> completely).
>
>
>>What I do know is, the modem (speedstream 5100) can be configured for
>>pppoe on the computer or in the modem (default).
>>if I change it back to "in the modem", the config changes to:
>>
>>internet
>> |
>> modem
>>[optioned for pppoe on modem]
>>[DHCP and NAT done internally on modem]
>>[ip: 192.168.0.1]
>> |
>> eth0
>>[ip: 192.168.0.2]
>>[linux box as firewall]
>> |
>> eth1
>>[ip:192.168.1.10]
>> |
>> LAN
>>[no internet connectivity]
>>
>>
>>My limited understanding is that addresses 192.168.xxx.xxx are
>>private, and non-routable, but I am wondering if I can use NAT (via
>>iptables) to allow lan computers internet access.

>
>
> Masquerading with iptables would be simplest. LAN side of modem would
> only respond to IPs that appear to be directly on its LAN subnet anyway,
> and would not know to use Linux eth0 as gateway to other subnet.
>
>
>>On first pass it looks like if I try, all connections would appear to be
>>coming from 192.168.0.1 i.e. public IP > NAT(in modem) > 192.168.0.1
>>so it won't work. However, it seems to me that NAT (possibly SNAT)
>>would allow all lan computers to appear to be at 192.168.0.2.
>>Am I wrong?

>
>
> Almost. Internet traffic would appear to come from whatever public IP it
> originates from. Outgoing traffic from 192.168.1.0/24 net would use
> gateway 192.168.1.10 and appear to modem to come from 192.168.0.2, and to
> internet would appear to come from modem's PPPoE IP. The only place
> 192.168.0.1 matters is as a default gateway for the Linux router.
>
>
>>The second question was not NAT related, it was routing. I wanted both
>>eth0 and eth1 on 192.168.0.0/24. Again it seems possible, but as I said
>>"my limited knowledge".

>
>
> That may be possible using proxy_arp (if the modem accepts LAN IPs other
> than the 1 DHCP IP it assigns). I have done something like this:
>
> ifconfig eth0 192.168.0.2 netmask 255.255.255.255 up
> route add -host 192.168.0.1 dev eth0
> route add default gw 192.168.0.1 dev eth0
>
> ifconfig eth1 192.168.0.2 netmask 255.255.255.0 up
> (same IP, different netmask, or could use different 192.168.0.x IP)
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
> (so eth0 answers modem arp requests for eth1 net)
>
> All boxes on eth1 net (other than Linux router) would use eth1 IP as
> default gateway.
>
>

I need to digest what you are saying some more, but two points in
particular helped: "...ppp0 tcp/ip is isolated...", and the fact that
there is a way to put all the locals on the same subnet. While Noah was
helpful, I already knew how to define subnets; it was trying to get two
interfaces in one box to both be on the same subnet that I was curious
about. Actually, knowing now that eth0 doesn't pose any "leaks", it's
probably simpler (well, it IS simpler anyway, but clearer for
administration) to use two subnets.

> ..it would work just as well if eth0 had no IP...


That's what I thought, but how do you bring eth0 up without an IP? I
tried unsuccessfully.

I will probably be back for more help, once I figure out how to really
screw things up.

Thanks,

Bill