#1
I've been trying to figure this one out for a while and am getting my small brain into knots - so hopefully one of you guys (girls?) can shed some light.

I run two Linux mail servers in different locations, but with similar setups: Each with static IP address (block of 4), DSL modem/router fed by the same ISP (PPPoA). The linux server has 2 NICs, eth0 for private LAN (DHCP, NAT etc for Windows and Mac clients) and eth1 which is connected to the modem/router.

For server A:
Public IPs are aaa.aaa.aaa.156-159 (I assume 156 is the network address, 157/158 are standard routeable addresses and 159 is the broadcast?)

The modem is a Zyxel prestige 650R-31 with NAT/DHCP off and, as instructed by the ISP, has been configured to have a LAN address of aaa.aaa.aaa.158, subnet mask 255.255.255.252.

The linux box (Slackware 9.1) is then configured to have:

IPADDR[0]="195.168.1.100"
NETMASK[0]"=255.255.255.0"

IPADDR[1]="aaa.aaa.aaa.157"
NETMASK[0]"=255.255.255.252"

GATEWAY="aaa.aaa.aaa.158"

Which gives the routing table as:

aaa.aaa.aaa.156 0.0.0.0 255.255.255.252 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 aaa.aaa.aaa.158 0.0.0.0 UG 1 0 0 eth1

So, to configure the router, I just telnet the gateway, aaa.aaa.aaa.158 and everything is fine. This gateway is also accessible to the outside world.

Now, the second mail server is configured as follows:

Server B:
Public IPs are bbb.bbb.bbb.76-79
Modem is a DLink DSL-300G+ with NAT and DHCP turned off. The configuration is less flexible with this modem/router and fires up with the following information (which I cannot change!)

IP Address bbb.bbb.bbb.77
Gateway bbb.bbb.bbb.78
Connection Type PPPoA
Encapsulation VC Mux

So in order to route to the modem I manually add the 192.168.0.1 route (see below)

The linux box (Slackware 9.1) is then configured as:

IPADDR[0]="195.168.2.100"
NETMASK[0]"=255.255.255.0"

IPADDR[1]="bbb.bbb.bbb.77"
NETMASK[0]"=255.255.255.252"

GATEWAY="bbb.bbb.bbb.78"

Which gives the routing table as:

192.168.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
bbb.bbb.bbb.76 0.0.0.0 255.255.255.252 U 0 0 0 eth1
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 bbb.bbb.bbb.78 0.0.0.0 UG 1 0 0 eth1

This configuration also works fine!! But, I cannot "see" the gateway from the outside. ie nothing from nmap, cannot telnet - but this might be a security feature of the modem. I can telnet into it (via 192.168.0.1) but the commands are not exactly intuitive.

If you're still following this then thank you - I've nearly got to my point....

Question: The difference is the LAN IP setup: the first has a routeable public IP and the second has a private address. Which is correct? Exactly where do the gateways actually live?
If I use bridging mode, do I need to bother with 4 IP addresses?

Thanks for your help

Will

Will Hall
#2
Will Hall wrote:
> I've been trying to figure this one out for a while and am getting
> my small brain into knots - so hopefully one of you guys (girls?)
> can shed some light.
>
> I run two Linux mail servers in different locations, but with
> similar setups: Each with static IP address (block of 4), DSL
> modem/router fed by the same ISP (PPPoA). The linux server has 2
> NICs, eth0 for private LAN (DHCP, NAT etc for Windows and Mac
> clients) and eth1 which is connected to the modem/router.
>
> For server A:
> Public IPs are aaa.aaa.aaa.156-159 (I assume 156 is the network
> address, 157/158 are standard routeable addresses and 159 is the
> broadcast?)

All of them are routable public addresses.

> The modem is a Zyxel prestige 650R-31 with NAT/DHCP off and, as
> instructed by the ISP, has been configured to have a LAN address
> of aaa.aaa.aaa.158, subnet mask 255.255.255.252.
>
> The linux box (Slackware 9.1) is then configured to have:
> IPADDR[0]="195.168.1.100"
> NETMASK[0]"=255.255.255.0"
>
> IPADDR[1]="aaa.aaa.aaa.157"
> NETMASK[0]"=255.255.255.252"
>
> GATEWAY="aaa.aaa.aaa.158"
>
> Which gives the routing table as:
>
> aaa.aaa.aaa.156 0.0.0.0 255.255.255.252 U 0 0 0 eth1
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 aaa.aaa.aaa.158 0.0.0.0 UG 1 0 0 eth1
>

Waste of IP addresses though it works.

> So, to configure the router, I just telnet the gateway,
> aaa.aaa.aaa.158 and everything is fine. This gateway is also
> accessible to the outside world.
>
> Now, the second mail server is configured as follows:
>
> Server B:
> Public IPs are bbb.bbb.bbb.76-79
> Modem is a DLink DSL-300G+ with NAT and DHCP turned off. The
> configuration is less flexible with this modem/router and fires up
> with the following information (which I cannot change!)
>
> IP Address bbb.bbb.bbb.77
> Gateway bbb.bbb.bbb.78
> Connection Type PPPoA
> Encapsulation VC Mux
>
> So in order to route to the modem I manually add the 192.168.0.1
> route (see below)
>
> The linux box (Slackware 9.1) is then configured as:
> IPADDR[0]="195.168.2.100"
> NETMASK[0]"=255.255.255.0"
>
> IPADDR[1]="bbb.bbb.bbb.77"
> NETMASK[0]"=255.255.255.252"
>
> GATEWAY="bbb.bbb.bbb.78"
>
> Which gives the routing table as:
> 192.168.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
> bbb.bbb.bbb.76 0.0.0.0 255.255.255.252 U 0 0 0 eth1
> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 bbb.bbb.bbb.78 0.0.0.0 UG 1 0 0 eth1
>

I am assuming modem's internal address is 77, since gateway is specified as 78, implying the external address. But this contradicts with your gateway settings in linux unless your modem does proxy-arp the external interface to LAN (an unneeded complication).
Your eth1 address is also 77 clashing with modem's IP address.
Then the 76 in routing table: Who is it? According to what is presented above there is no 76 in your network.
Then the 192.168.0.1 in the routing table...

I don't see how this setup can ever work.

> This configuration also works fine!! But, I cannot "see" the
> gateway from the outside. ie nothing from nmap, cannot telnet -
> but this might be a security feature of the modem. I can telnet
> into it (via 192.168.0.1) but the commands are not exactly
> intuitive.

So modem's LAN interface has two addresses (bbb.77 and 0.1) which means that your modem has IP aliasing feature (and enabled) at the LAN port? This suggests to me that you have enabled DMZ mode on your modem and one of the LAN addresses is for DMZ network.

All in all, the whole setup seems incorrect, overly complicated and fragile to me. I would suggest following one of two ways:

1. Use your modem in bridge mode, exposing your server directly to internet and using up only one public IP address. In bridge mode the modem is a stupid piece of electronics (no ppp, no userid, no firewall, no NAT, no IP addresses, nothing but just raw ADSL connection to telco) like a dialup fax/modem. All the intelligence has to be implemented by the server. So you must run a pppoe program to do all these (Roaring Penguin's "rp-pppoe" is probably included in your distro). Your modem will not have any IP addresses and the only public IP address will be assumed by the server, which will be the one that your modem is getting now from ISP for its external interface. Since you will be fully exposed to internet (as you currently are), you will have to apply all the relevant security measures. Some modems also have "half-bridge" mode, handling the connection details (which would have been done by rp-pppoe otherwise) but still providing bridge behavior. This could be more convenient/easy to operate.

2. Or use your modem in router mode and route specific ports (NAT) or all ports (DMZ) to your server. Here Linux box has only one ethernet card, sharing the same LAN with other clients. If you use DMZ mode of the modem, (depending on the modem) you have 2 aliased networks on the same physical LAN segment: One is 192.168.x.0 (clients) the other is 192.168.y.0 (DMZ). Ethernet on linux has two addresses, one for LAN, the other for modem. And your modem routes all incoming connection requests to DMZ network (to your server). The server is still exposed to internet, but somewhat more securely because traffic first passes through the firewall on the modem. Mind you, the term "DMZ" may change meaning from one modem to another. Some mean real DMZ with different network addresses, others mean just forwarding all the ports. If you run only a few services you might also consider plain port forwarding. In this case modem and server don't have a second, aliased network address. And everybody on the LAN, including modem and server have the same network address (192.168.x.0), but your modem routes incoming connection requests to specific ports to the Linux server (with or without translating port numbers). Security is more enhanced because both you have the firewall on modem, and also you are exposing the bare minimum, just required ports, of your server to internet.

> If you're still following this then thank you - I've nearly got to
> my point....
>
> Question: The difference is the LAN IP setup: the first has a
> routeable public IP and the second has a private address. Which is
> correct? Exactly where do the gateways actually live?
> If I use bridging mode, do I need to bother with 4 IP addresses?
>
> Thanks for your help
>
> Will

-- 
Abdullah        | aramazan@
Ramazanoglu     | myrealbox
________________| D O T cöm
#3
Abdullah Ramazanoglu <(E-Mail Removed)öm> wrote in message news:<40ead17c$0$23874$(E-Mail Removed)>...

Thanks for your comments - have added mine below (oh God, am I going to suffer the wrath of anti-top-posters?)

> Will Hall wrote:
>
> > I've been trying to figure this one out for a while and am getting
> > my small brain into knots - so hopefully one of you guys (girls?)
> > can shed some light.
> >
> > I run two Linux mail servers in different locations, but with
> > similar setups: Each with static IP address (block of 4), DSL
> > modem/router fed by the same ISP (PPPoA). The linux server has 2
> > NICs, eth0 for private LAN (DHCP, NAT etc for Windows and Mac
> > clients) and eth1 which is connected to the modem/router.
> >
> > For server A:
> > Public IPs are aaa.aaa.aaa.156-159 (I assume 156 is the network
> > address, 157/158 are standard routeable addresses and 159 is the
> > broadcast?)
>
> All of them are routable public addresses.
>
> > The modem is a Zyxel prestige 650R-31 with NAT/DHCP off and, as
> > instructed by the ISP, has been configured to have a LAN address
> > of aaa.aaa.aaa.158, subnet mask 255.255.255.252.
> >
> > The linux box (Slackware 9.1) is then configured to have:
> > IPADDR[0]="195.168.1.100"
> > NETMASK[0]"=255.255.255.0"
> >
> > IPADDR[1]="aaa.aaa.aaa.157"
> > NETMASK[0]"=255.255.255.252"
> >
> > GATEWAY="aaa.aaa.aaa.158"
> >
> > Which gives the routing table as:
> >
> > aaa.aaa.aaa.156 0.0.0.0 255.255.255.252 U 0 0 0 eth1
> > 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> > 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> > 0.0.0.0 aaa.aaa.aaa.158 0.0.0.0 UG 1 0 0 eth1
> >
>
> Waste of IP addresses though it works.

From what I know, the basics are this: As I'm running a public mail server (amongst others) I need the public IP address aaa.157 assigned to eth1 on the server. The modem/router is assigned aaa.158 so the 255.255.255.252 netmask will happily sit between the two. Where I am confused is the difference between the modem WAN and LAN addresses.

> > So, to configure the router, I just telnet the gateway,
> > aaa.aaa.aaa.158 and everything is fine. This gateway is also
> > accessible to the outside world.
> >
> > Now, the second mail server is configured as follows:
> >
> > Server B:
> > Public IPs are bbb.bbb.bbb.76-79
> > Modem is a DLink DSL-300G+ with NAT and DHCP turned off. The
> > configuration is less flexible with this modem/router and fires up
> > with the following information (which I cannot change!)
> >
> > IP Address bbb.bbb.bbb.77
> > Gateway bbb.bbb.bbb.78
> > Connection Type PPPoA
> > Encapsulation VC Mux
> >
> > So in order to route to the modem I manually add the 192.168.0.1
> > route (see below)
> >
> > The linux box (Slackware 9.1) is then configured as:
> > IPADDR[0]="195.168.2.100"
> > NETMASK[0]"=255.255.255.0"
> >
> > IPADDR[1]="bbb.bbb.bbb.77"
> > NETMASK[0]"=255.255.255.252"
> >
> > GATEWAY="bbb.bbb.bbb.78"
> >
> > Which gives the routing table as:
> > 192.168.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
> > bbb.bbb.bbb.76 0.0.0.0 255.255.255.252 U 0 0 0 eth1
> > 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> > 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> > 0.0.0.0 bbb.bbb.bbb.78 0.0.0.0 UG 1 0 0 eth1
> >
>
> I am assuming modem's internal address is 77, since gateway is
> specified as 78, implying the external address. But this
> contradicts with your gateway settings in linux unless your modem
> does proxy-arp the external interface to LAN (an unneeded
> complication).
> Your eth1 address is also 77 clashing with modem's IP address.
> Then the 76 in routing table: Who is it? According to what is
> presented above there is no 76 in your network.
> Then the 192.168.0.1 in the routing table...
>
> I don't see how this setup can ever work.

It does. The 192.168.0.1 route is just so I can gain access to the modem's web interface from the LAN.

> > This configuration also works fine!! But, I cannot "see" the
> > gateway from the outside. ie nothing from nmap, cannot telnet -
> > but this might be a security feature of the modem. I can telnet
> > into it (via 192.168.0.1) but the commands are not exactly
> > intuitive.
>
> So modem's LAN interface has two addresses (bbb.77 and 0.1) which
> means that your modem has IP aliasing feature (and enabled) at the
> LAN port? This suggests to me that you have enabled DMZ mode on your
> modem and one of the LAN addresses is for DMZ network.

Haven't touched any settings for aliasing or DMZ

> All in all, the whole setup seems incorrect, overly complicated and

That's why I'm posting this!

> fragile to me. I would suggest following one of two ways:
>
> 1. Use your modem in bridge mode, exposing your server directly to
> internet and using up only one public IP address. In bridge mode
> the modem is a stupid piece of electronics (no ppp, no userid, no
> firewall, no NAT, no IP addresses, nothing but just raw ADSL
> connection to telco) like a dialup fax/modem. All the intelligence
> has to be implemented by the server. So you must run a pppoe
> program to do all these (Roaring Penguin's "rp-pppoe" is probably
> included in your distro). Your modem will not have any IP addresses
> and the only public IP address will be assumed by the server, which
> will be the one that your modem is getting now from ISP for its
> external interface. Since you will be fully exposed to internet (as
> you currently are), you will have to apply all the relevant
> security measures. Some modems also have "half-bridge" mode,
> handling the connection details (which would have been done by
> rp-pppoe otherwise) but still providing bridge behavior. This could
> be more convenient/easy to operate.

I don't want to use bridge mode as I want to be able to perform reconnects to the ADSL service without touching the server, so I want the username/password authentication and negotiation on the modem.

> 2. Or use your modem in router mode and route specific ports (NAT)
> or all ports (DMZ) to your server. Here Linux box has only one
> ethernet card, sharing the same LAN with other clients. If you use
> DMZ mode of the modem, (depending on the modem) you have 2 aliased
> networks on the same physical LAN segment: One is 192.168.x.0
> (clients) the other is 192.168.y.0 (DMZ). Ethernet on linux has two
> addresses, one for LAN, the other for modem. And your modem routes
> all incoming connection requests to DMZ network (to your server).
> The server is still exposed to internet, but somewhat more securely
> because traffic first passes through the firewall on the modem.
> Mind you, the term "DMZ" may change meaning from one modem to
> another. Some mean real DMZ with different network addresses,
> others mean just forwarding all the ports. If you run only a few
> services you might also consider plain port forwarding. In this
> case modem and server don't have a second, aliased network address.
> And everybody on the LAN, including modem and server have the same
> network address (192.168.x.0), but your modem routes incoming
> connection requests to specific ports to the Linux server (with or
> without translating port numbers). Security is more enhanced
> because both you have the firewall on modem, and also you are
> exposing the bare minimum, just required ports, of your server to
> internet.

I don't see any need for a DMZ. eth1 is "public" and eth0 is "private" with iptables doing the firewalling, port forwarding, syslogs etc. I'm happy that security is tight as only the required ports are visible to the outside world.

> > If you're still following this then thank you - I've nearly got to
> > my point....
> >
> > Question: The difference is the LAN IP setup: the first has a
> > routeable public IP and the second has a private address. Which is
> > correct? Exactly where do the gateways actually live?
> > If I use bridging mode, do I need to bother with 4 IP addresses?
> >
> > Thanks for your help
> >
> > Will
#4
Will Hall <(E-Mail Removed)> wrote:
> I run two Linux mail servers in different locations, but with similar
> setups: Each with static IP address (block of 4), DSL modem/router fed
> by the same ISP (PPPoA). The linux server has 2 NICs, eth0 for private
> LAN (DHCP, NAT etc for Windows and Mac clients) and eth1 which is
> connected to the modem/router.

> For server A:
> Public IPs are aaa.aaa.aaa.156-159 (I assume 156 is the network
> address, 157/158 are standard routeable addresses and 159 is the
> broadcast?)

Correct.

> The modem is a Zyxel prestige 650R-31 with NAT/DHCP off and, as
> instructed by the ISP, has been configured to have a LAN address of
> aaa.aaa.aaa.158, subnet mask 255.255.255.252.

So aaa.aaa.aaa.158 must be the IP address of a Zyxel interface, serving as the "gateway" IP address in the aaa.aaa.aaa.156/30 subnet as well as an IP address for telnetting to and configuring the router (as indicated later on in your post). And doing ifconfig eth1 should show the local IP address as aaa.aaa.aaa.157.

> The linux box (Slackware 9.1) is then configured to have:
> IPADDR[0]="195.168.1.100"
> NETMASK[0]"=255.255.255.0"
> IPADDR[1]="aaa.aaa.aaa.157"
> NETMASK[0]"=255.255.255.252"

Based on the routing table below, I think the line just above should be NETMASK[1]"=255.255.255.252".

> GATEWAY="aaa.aaa.aaa.158"
> Which gives the routing table as:
> aaa.aaa.aaa.156 0.0.0.0 255.255.255.252 U 0 0 0 eth1
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 aaa.aaa.aaa.158 0.0.0.0 UG 1 0 0 eth1

> So, to configure the router, I just telnet the gateway,
> aaa.aaa.aaa.158 and everything is fine. This gateway is also
> accessible to the outside world.

> Now, the second mail server is configured as follows:

> Server B:
> Public IPs are bbb.bbb.bbb.76-79
> Modem is a DLink DSL-300G+ with NAT and DHCP turned off. The
> configuration is less flexible with this modem/router and fires up
> with the following information (which I cannot change!)

> IP Address bbb.bbb.bbb.77
> Gateway bbb.bbb.bbb.78
> Connection Type PPPoA
> Encapsulation VC Mux

> So in order to route to the modem I manually add the 192.168.0.1 route
> (see below)

I take it that "which I cannot change" really means that telnet to the IP address bbb.bbb.bbb.77 fails.

> The linux box (Slackware 9.1) is then configured as:
> IPADDR[0]="195.168.2.100"

I believe the line just above should be
IPADDR[0]="192.168.2.100"

> NETMASK[0]"=255.255.255.0"
> IPADDR[1]="bbb.bbb.bbb.77"
> NETMASK[0]"=255.255.255.252"

Again I believe the line just above should be
NETMASK[1]"=255.255.255.252".

> GATEWAY="bbb.bbb.bbb.78"
> Which gives the routing table as:
> 192.168.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
> bbb.bbb.bbb.76 0.0.0.0 255.255.255.252 U 0 0 0 eth1
> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 bbb.bbb.bbb.78 0.0.0.0 UG 1 0 0 eth1

> This configuration also works fine!! But, I cannot "see" the gateway
> from the outside. ie nothing from nmap, cannot telnet - but this might
> be a security feature of the modem. I can telnet into it (via
> 192.168.0.1) but the commands are not exactly intuitive.

Does "from the outside" mean from your connection host? I'd think it _could_ well be a security feature since the gateway does not allow you access to it with its routable IP address. It only needs to forward traffic from other hosts to your host and from your host to other hosts.

Saying "the commands are not exactly intuitive" doesn't tell us much. What is it that is troublesome?

Also, out of curiosity, why did you decide to create the host route 192.168.0.1 to eth1? Some hint from the manual for this "modem" or from the ISP? Anyway, if you can telnet to *something* by using it then there is an interface associated with 192.168.0.1 in the cloud beyond the eth1 interface.

> If you're still following this then thank you - I've nearly got to my
> point....

A twisty maze with many potholes is hard for me to follow.

> Question: The difference is the LAN IP setup: the first has a
> routeable public IP and the second has a private address. Which is
> correct? Exactly where do the gateways actually live?

The gateway IP address, bbb.bbb.bbb.78, is that of an interface on the other (ISP or modem/router) side of eth1 just as bbb.bbb.bbb.77 is the IP address of the interface eth1 on your side. Since the ISP is the same in both instances, and using the first modem you can telnet to the gateway address to do configuration, it seems to me that the gateway IP address is that of some interface within both modems. If this is indeed PPPoA then the modems must perform some internal magic to use an Ethernet interface on your host without the host using PPP, as evidenced by your host's lack of a PPP interface. The magic performed in the modems differs, since the first one allows you to use the "gateway" IP address to access and configure it while the second one doesn't.

> If I use bridging mode, do I need to bother with 4 IP addresses?

You need IP addresses for routing IP packets. AIUI, a bridge depends on ARP and link-layer frames, and is used only to connect the two LANs it bridges. Do the modem and ISP even allow you to use "bridging mode?"

I hereby disclaim any responsibility for any result from any action taken on the basis of these remarks. In addition to being nowhere near qualified by practical experience, and assuming some things that may not be true, I may well have become lost somewhere in the maze.

-- 
Clifford Kite                 Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
#5
Clifford Kite <(E-Mail Removed)> wrote:
> I take it that "which I cannot change" really means that telnet to the
> IP address bbb.bbb.bbb.77 fails.
                 ^^^^^^^^^^^^^^

Oops. This should be bbb.bbb.bbb.78.

-- 
Clifford Kite                 Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
#6
Will Hall wrote:
[snip]
>> > For server A:
>> > Public IPs are aaa.aaa.aaa.156-159 (I assume 156 is the network
>> > address, 157/158 are standard routeable addresses and 159 is
>> > the broadcast?)
>>
>> All of them are routable public addresses.
>>
>> > The modem is a Zyxel prestige 650R-31 with NAT/DHCP off and, as
>> > instructed by the ISP, has been configured to have a LAN
>> > address of aaa.aaa.aaa.158, subnet mask 255.255.255.252.
>> >
>> > The linux box (Slackware 9.1) is then configured to have:
>> > IPADDR[0]="195.168.1.100"
>> > NETMASK[0]"=255.255.255.0"
>> >
>> > IPADDR[1]="aaa.aaa.aaa.157"
>> > NETMASK[0]"=255.255.255.252"
>> >
>> > GATEWAY="aaa.aaa.aaa.158"
>> >
>> > Which gives the routing table as:
>> >
>> > aaa.aaa.aaa.156 0.0.0.0 255.255.255.252 U 0 0 0 eth1
>> > 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
>> > 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
>> > 0.0.0.0 aaa.aaa.aaa.158 0.0.0.0 UG 1 0 0 eth1
>> >
>>
>> Waste of IP addresses though it works.
>
> From what I know, the basics are this: As I'm running a public
> mail server (amongst others) I need the public IP address aaa.157
> assigned to eth1 on the server. The modem/router is assigned
> aaa.158 so the 255.255.255.252 netmask will happily sit between
> the two. Where I am confused is the difference between the modem
> WAN and LAN addresses.

Each interface needs an IP address for addressability, so it is normal that your modem will have 2 addresses (one for WAN if, other for eth if), like the linux box with 2 eth cards. ISPs usually choose the easiest, "one size fits all" approach and recommend a separate public address for each interface (at least here in Turkey). But this is almost always an unneeded waste of public addresses, and also adds to complexity of customer site.

In your case, currently you have something like this:

                 ISP
        [aaa.aaa.aaa.isp] (belongs to ISP)
                  |
        [aaa.aaa.aaa.wan] (assigned by ISP)
                MODEM (def route: aaa.aaa.aaa.isp, maybe dynamically gotten)
        [aaa.aaa.aaa.158]
                  |
        [aaa.aaa.aaa.157]
                LINUX (default route: aaa.aaa.aaa.158)
         [192.168.1.100]
                 /|\
                / | \
              PC  PC  PC (default route: 192.168.1.100)

Modem is accessible from within LAN as aaa.aaa.aaa.158, from internet as aaa.aaa.aaa.wan (which may be static as well as not).

In my previous post I was incorrect about usability of 4 address IP block: As long as you use 255.255.255.252 as netmask, 156 and 159 become reserved addresses (network and broadcast) so you are left with 2 addresses to use. If you use netmask 255.255.255.0 then all 4 addresses would be usable.

Considering your priorities, what I would suggest is either: (with netmask 255.255.255.0 all over the place)

                 ISP
        [aaa.aaa.aaa.isp]
                  |
        [aaa.aaa.aaa.156] (static, can also be 157, 158 or 159)
                MODEM (default route: aaa.aaa.aaa.isp)
           [192.168.1.1]
                  |
      ------------------------ LAN
       |  |  |  |  |  |  |  |  |
                               [192.168.1.100]
                               LINUX (just eth0)

Every box on the LAN (including server) has 192.168.1.1 as default route. On modem, certain ports are forwarded to 192.168.1.100 (server). All clients access internet through NAT on modem, and they are not addressable from outside. This achieves good level of security even if you use no firewall at all on the modem. Most router/modems also provide built-in firewall rules for common DoS attacks. If you enable them you would have a fairly tight ship in terms of clients' security. As for the server, it is only addressable on the forwarded ports, so you would have two layers of protection (one at the modem, other at the server firewall). Always the more layers the better. But of course neither your current setup, nor the ones I am describing above and below is recommended for security: My preferred motto is "Never deliver any service to internet from within LAN". This is where DMZ comes into play. But since you are not interested in that, I skip it.

Or, (again netmask 255.255.255.0 all over the place):

                 ISP
        [aaa.aaa.aaa.isp]
                  |
        [aaa.aaa.aaa.156] (fixed addr)
                MODEM (default route: aaa.aaa.aaa.isp)
           [192.168.1.1]
                  |
           [192.168.1.2]
                LINUX (default route: 192.168.1.1, routing enabled)
         [192.168.1.100]
                  |
      ------------------------ LAN
       |  |  |  |  |  |  |  |
      (All clients' default route: 192.168.1.100)

Server security is weakened as it now solely depends on your firewall settings on the server. Any overlooking, forgetfulness, self-confidence (I learned to be a humble paranoid when it comes to security ;-), and you may be exposing yourself for months without even being aware of it, until,.... boom! Also reliability / availability / serviceability is weakened, because you can't take the server offline easily (planned or not), both from LAN-to-internet access point of view, and from server-switching (switch load to a backup server and take the main server down) point of view. But of course these are all site specific details and may or may not be worthwhile for your needs.

>> >
>> > Server B:
>> > Public IPs are bbb.bbb.bbb.76-79
>> > Modem is a DLink DSL-300G+ with NAT and DHCP turned off. The
>> > configuration is less flexible with this modem/router and fires
>> > up with the following information (which I cannot change!)
>> >
>> > IP Address bbb.bbb.bbb.77
>> > Gateway bbb.bbb.bbb.78
>> > Connection Type PPPoA
>> > Encapsulation VC Mux
>> >
>> > So in order to route to the modem I manually add the
>> > 192.168.0.1 route (see below)
>> >
>> > The linux box (Slackware 9.1) is then configured as:
>> > IPADDR[0]="195.168.2.100"
>> > NETMASK[0]"=255.255.255.0"
>> >
>> > IPADDR[1]="bbb.bbb.bbb.77"
>> > NETMASK[0]"=255.255.255.252"
>> >
>> > GATEWAY="bbb.bbb.bbb.78"
>> >
>> > Which gives the routing table as:
>> > 192.168.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
>> > bbb.bbb.bbb.76 0.0.0.0 255.255.255.252 U 0 0 0 eth1
>> > 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
>> > 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
>> > 0.0.0.0 bbb.bbb.bbb.78 0.0.0.0 UG 1 0 0 eth1
>> >

I would suggest ditto setup for both sides, whatever that setup might be.

[snip]
> I don't see any need for a DMZ. eth1 is "public" and eth0 is
> "private" with iptables doing the firewalling, port forwarding,
> syslogs etc. I'm happy that security is tight as only the required
> ports are visible to the outside world.

Please don't be happy with security. I'm no expert, but what they say is: It never was, is, and never will be "good enough".

HTH

-- 
Abdullah        | aramazan@
Ramazanoglu     | myrealbox
________________| D O T cöm
#7
Abdullah Ramazanoglu wrote:
[snip]
> Or, (again netmask 255.255.255.0 all over the place):
>
>                  ISP
>         [aaa.aaa.aaa.isp]
>                   |
>         [aaa.aaa.aaa.156] (fixed addr)
>                 MODEM (default route: aaa.aaa.aaa.isp)
>            [192.168.1.1]
>                   |
>            [192.168.1.2]
>                 LINUX (default route: 192.168.1.1, routing enabled)
>          [192.168.1.100]
>                   |
>       ------------------------ LAN
>        |  |  |  |  |  |  |  |
>       (All clients' default route: 192.168.1.100)
>
> Server security is weakened as it now solely depends on your
> firewall settings on the server. Any overlooking, forgetfulness,

This is not correct. Sorry, I have mistaken the modem for bridge mode. If you make use of the firewall on modem then of course you will have two layers of security.

Also I would like to add that, in both configurations, your server is accessed as aaa.aaa.aaa.156 from internet, and as 192.168.1.100 from within LAN. Also in both cases your modem is accessed as aaa.aaa.aaa.156 from internet and as 192.168.1.1 from within LAN. That means you can't deliver the same service (port) to internet from both your modem and server. Most notably, if you serve http from the server, then you cannot access the modem's web interface from internet (a blessing IMHO, I disable it anyway) because port 80 is routed to server.

[snip]

-- 
Abdullah        | aramazan@
Ramazanoglu     | myrealbox
________________| D O T cöm
#8
Clifford Kite <(E-Mail Removed)> wrote in message
[snip]
> > The modem is a Zyxel prestige 650R-31 with NAT/DHCP off and, as
> > instructed by the ISP, has been configured to have a LAN address of
> > aaa.aaa.aaa.158, subnet mask 255.255.255.252.
>
> So aaa.aaa.aaa.158 must be the IP address of a Zyxel interface, serving
> as the "gateway" IP address in the aaa.aaa.aaa.156/30 subnet as well as
> an IP address for telnetting to and configuring the router (as indicated
> later on in your post). And doing ifconfig eth1 should show the local
> IP address as aaa.aaa.aaa.157.

Quite correct

> > The linux box (Slackware 9.1) is then configured to have:
> > IPADDR[0]="195.168.1.100"
> > NETMASK[0]"=255.255.255.0"
> >
> > IPADDR[1]="aaa.aaa.aaa.157"
> > NETMASK[0]"=255.255.255.252"
>
> Based on the routing table below, I think the line just above should be
> NETMASK[1]"=255.255.255.252".

Correct again

[snip]
> > Now, the second mail server is configured as follows:
> >
> > Server B:
> > Public IPs are bbb.bbb.bbb.76-79
> > Modem is a DLink DSL-300G+ with NAT and DHCP turned off. The
> > configuration is less flexible with this modem/router and fires up
> > with the following information (which I cannot change!)
> >
> > IP Address bbb.bbb.bbb.77
> > Gateway bbb.bbb.bbb.78
> > Connection Type PPPoA
> > Encapsulation VC Mux
> >
> > So in order to route to the modem I manually add the 192.168.0.1 route
> > (see below)
>
> I take it that "which I cannot change" really means that telnet to the
> IP address bbb.bbb.bbb.77 fails.

Yes

> > The linux box (Slackware 9.1) is then configured as:
> > IPADDR[0]="195.168.2.100"
>
> I believe the line just above should be
> IPADDR[0]="192.168.2.100"

Holmes, you've done it again.

> > NETMASK[0]"=255.255.255.0"
> > IPADDR[1]="bbb.bbb.bbb.77"
> > NETMASK[0]"=255.255.255.252"
>
> Again I believe the line just above should be
> NETMASK[1]"=255.255.255.252".

Damn fingers

[snip]
> > This configuration also works fine!! But, I cannot "see" the gateway
> > from the outside. ie nothing from nmap, cannot telnet - but this might
> > be a security feature of the modem. I can telnet into it (via
> > 192.168.0.1) but the commands are not exactly intuitive.
>
> Does "from the outside" mean from your connection host? I'd think it
> _could_ well be a security feature since the gateway does not allow you
> access to it with its routable IP address. It only needs to forward
> traffic from other hosts to your host and from your host to other hosts.

The "outside" refers to telnetting the gateway from another WAN.

> Saying "the commands are not exactly intuitive" doesn't tell us much.
> What is it that is troublesome?

It's one of those command line interfaces that scares the pants off me.
Zillions of menus and commands that I've never heard of! I guess I'm
trusting the Web interface too much and assuming that it can provide full
configuration if required and will prevent bad configuration. Probably more
a question of being designed for non-techy people.

> Also, out of curiosity, why did you decide to create the host route
> 192.168.0.1 to eth1? Some hint from the manual for this "modem" or from
> the ISP? Anyway, if you can telnet to *something* by using it then
> there is an interface associated with 192.168.0.1 in the cloud beyond
> the eth1 interface.

Because the modem/router LAN interface defaults to 192.168.0.1 and it's the
only way to access the Web/telnet interface.

> > If you're still following this then thank you - I've nearly got to my
> > point....
>
> A twisty maze with many potholes is hard for me to follow.

You're doing well, my son.

> > Question: The difference is the LAN IP setup: the first has a
> > routeable public IP and the second has a private address. Which is
> > correct? Exactly where do the gateways actually live?
>
> The gateway IP address, bbb.bbb.bbb.78, is that of an interface on the
> other (ISP or modem/router) side of eth1 just as bbb.bbb.bbb.77 is the
> IP address of the interface eth1 on your side. Since the ISP is the
> same in both instances, and using the first modem you can telnet to the
> gateway address to do configuration, it seems to me that the gateway IP
> address is that of some interface within both modems.

I guess this is the crux of my issue:

Server A:
              modem                   linux              PC clients
<---<ISP> --- <WAN IP | LAN IP> --- <ETH 1 | ETH 0> --------> LAN
  aaa.xxx      aaa.isp   aaa.158     aaa.157  192.168.1.100

aaa.isp is dynamically assigned, but "somehow" knows where aaa.157 is.
I believe this setup is correct.

Server B:
              modem                     linux              PC clients
<---<ISP> --- <WAN IP | LAN IP> ----- <ETH 1 | ETH 0> --------> LAN
  bbb.xxx      bbb.78   192.168.0.1    bbb.77   192.168.2.100

The modem LAN interface is either lying or it's aliased to be similar to
Server A.

> If this is indeed PPPoA then the modems must perform some internal
> magic to use an Ethernet interface on your host without the host
> using PPP, as evidenced by your host's lack of a PPP interface.

Yup. I wanted authentication at the modem/router.

> [snip]
>
> I hereby disclaim any responsibility for any result from any action
> taken on the basis of these remarks. In addition to being nowhere near
> qualified by practical experience, and assuming some things that may not
> be true, I may well have become lost somewhere in the maze.

Well, life would be dull without little problems to sort out. (Like George W).

Thanks for your help Clifford - much appreciated.
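Added example (not code from either poster): a small checker for the rc.inet1-style IPADDR/NETMASK/GATEWAY lines discussed above. It flags the repeated NETMASK[0] index that Clifford spotted and verifies that the eth1 address and the gateway are usable hosts inside the /30 block; the addresses are constructed placeholders (203.0.113.x standing in for aaa.aaa.aaa.x).

```python
import ipaddress
import re

# Constructed sample in the rc.inet1 style quoted above, including the
# NETMASK[0] line repeated where NETMASK[1] was intended and the stray
# quote before "=" exactly as it appeared in the post.
SAMPLE_CONFIG = '''
IPADDR[0]="192.168.1.100"
NETMASK[0]"=255.255.255.0"
IPADDR[1]="203.0.113.157"
NETMASK[0]"=255.255.255.252"
GATEWAY="203.0.113.158"
'''

# Tolerates the misplaced quote: KEY[idx]="value" or KEY[idx]"=value"
_ENTRY = re.compile(r'^(IPADDR|NETMASK)\[(\d+)\]"?="?([\d.]+)"?$')

def parse_config(text):
    """Return (interfaces, gateway, problems); interfaces maps index -> {ip, mask}."""
    ifaces, gateway, problems = {}, None, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith('GATEWAY='):
            gateway = line.split('=', 1)[1].strip('"')
            continue
        m = _ENTRY.match(line)
        if not m:
            problems.append(f'unparsed line: {line}')
            continue
        key, idx, value = m.group(1), int(m.group(2)), m.group(3)
        field = 'ip' if key == 'IPADDR' else 'mask'
        entry = ifaces.setdefault(idx, {})
        if field in entry:  # same index assigned twice: almost certainly a typo
            problems.append(f'{key}[{idx}] set twice; did you mean {key}[{idx + 1}]?')
        entry[field] = value
    return ifaces, gateway, problems

def check_link(ip, mask, gateway):
    """Validate one interface against its gateway: both must be usable hosts
    in the same block (a /30 leaves exactly two, e.g. .157 and .158)."""
    net = ipaddress.ip_interface(f'{ip}/{mask}').network
    host, gw = ipaddress.ip_address(ip), ipaddress.ip_address(gateway)
    problems = []
    for label, addr in (('host', host), ('gateway', gw)):
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f'{label} {addr} is the network/broadcast address of {net}')
    if gw not in net:
        problems.append(f'gateway {gw} is not on-link in {net}')
    return str(net), problems
```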
#9
Abdullah Ramazanoglu <(E-Mail Removed)> wrote in message news:<40ec8c29$0$23880$(E-Mail Removed)>...
> Abdullah Ramazanoglu wrote:
>
> [snip]
>
> > Or, (again netmask 255.255.255.0 all over the place) :
> >
> >                   ISP
> >            [aaa.aaa.aaa.isp]
> >                    |
> >            [aaa.aaa.aaa.156] (fixed addr)
> >    MODEM (default route: aaa.aaa.aaa.isp)
> >              [192.168.1.1]
> >                    |
> >              [192.168.1.2]
> >    LINUX (default route: 192.168.1.1, routing enabled)
> >             [192.168.1.100]
> >                    |
> >         ------------------------ LAN
> >         |  |  |  |  |  |  |  |
> >     (All clients' default route: 192.168.1.100)
> >
> > Server security is weakened as it now solely depends on your
> > firewall settings on the server. Any overlooking, forgetfulness,
>
> This is not correct. Sorry, I have mistaken the modem for bridge
> mode. If you make use of the firewall on modem then of course you
> will have two layers of security.

I do not want either firewalling or NAT to happen at the modem/router. I'm
well versed in iptables and like full control of what comes in/goes out as
well as using my own logging facility.

> Also I would like to add that, in both configurations, your server
> is accessed as aaa.aaa.aaa.156 from internet, and as 192.168.1.100
> from within LAN. Also in both cases your modem is accessed as
> aaa.aaa.aaa.156 from internet and as 192.168.1.1 from within LAN.
> That means you can't deliver the same service (port) to internet
> from both your modem and server. Most notably, if you serve http
> from the server, then you cannot access the modem's web interface
> from internet (a blessing IMHO, I disable it anyway) because port
> 80 is routed to server.
>
> [snip]