[lugm.org] help configuring linux as a router

Nishal Goburdhan ndg at ieee.org
Tue Dec 17 13:08:39 UTC 2013


On 03 Dec 2013, at 10:12 AM, Nadeem M Nayeck <nadeem.m.nayeck at gmail.com> wrote:

> Sorry i accidentally sent it without completing it.
> 
> Now I have an Orange ADSL Router. Connected to the LAN I have 3 computers. One running Gentoo and 2 Windows 7.
> Now, I have two VPNC Clients connected to 2 CISCO VPNS on the Gentoo Linux. 
> Routing Table is all right because I can ping Google.mu, machine from VPN-A, and machine from VPN-B successfully.
> 
> Now, how do I configure the Windows Machine to use the Gentoo Linux machine as a router?
> 
> My goal behind this setup is to have the Gentoo act as a router, instead of connecting to the respective VPNs on the Windows machines. (Besides, one can only connect to 1 VPN at a time on CISCO VPN Client on Windows )

(caveat:  i don't know anything about linux;  but i do know about network design.)

do you mean that you want to use the linux host as a vpn termination point, to get to the windows hosts, and presumably, anything else you add in?
or is your intent to use the linux host as the sole gateway for your winPCs? 

start with:  
* is your linux host on the same logical network as your winPCs, or, are the winPCs "behind" this ?
ie.  what topology do you have? 

#1:  
Router-eth0 <--> eth0-Linux host-eth1<--> eth0-WinPC

or #2:  
Router eth0 -----> eth0-Linux Host
                     |---> eth0-WinPC

depending on what you want to achieve, both could work.  however, i suspect you're looking more, at implementing something like  #1
(in which case, you could probably make the orange router just act as a dumb modem, and have the linux host act as a PPPoE router, as well as a gateway for the internal network?).

to achieve #1, you'd need:
* ip forwarding to be enabled between the router's interfaces
* either two NICs in your linux host, or
* a switch that can support 802.1q VLANs, and the linux host plugged into that.

if you're not familiar with using VLANs, two NICs make for a much easier solution.
however, as you'd need a switch anyway (you have multiple ethernet devices) you could save on the extra NIC and cabling by simply using vlan trunking.

your choice of OS is irrelevant, provided (as i think it was ajay who said the same) you can set:
net.inet.ip.forwarding: 0  --> 1
net.inet6.ip6.forwarding: 0 --> 1 

you *were* planning on *not* being left behind in the 20th century, and running IPv6, right...?

i can't help you with the linux commands to do that, sorry.  

my advice to you, would be to use what you, and your operational team, are most familiar with.  
the last thing that you want to do, is install something and become the sole heir and operator of this - because, if it breaks at 03h00 (and everything always breaks...) then *you* would be the unlucky sod that gets called on to fix this - rather install, document, and teach the people that you work with, how the setup works, so that when it breaks, you can happily sleep through it, while someone else picks up the problem...

but elements that you would want to consider for your router design would be:
#1 -- run absolutely minimal services on a router;  so, please, no web service.  really.  bad idea.  really bad idea! 
your router should do only what it's meant to;  a router is a device that moves datagrams (packets) between different networks, so keep your router doing that, and you'll be happy for a long, long time.  in general, routers become insecure, and overwhelmed, when they have to do more than just that (this is true for more than just a *nix box acting as a router;  it's equally true for a fancy hardware forwarding router as well).  the adage of: the less you add, the less there is to break, is particularly true.

if your router is also your dhcp server is also your ntp server is also your active directory cum ldap cum centralised auth service...then a flaw/vulnerability in one of those things could lead to your entire network being left vulnerable.

of course, over time, router vendors have come to market their router's ability to perform everything and anything.  that's to be expected;  understand that their primary concern is with getting you to spend $$$ on their products, where *your* perspective is to build a stable, secure and scalable network.  so understand when those needs become tangential.

#2 -- use reliable hardware;  PCs work fine.  servers too.  but using a server is probably overkill (and expensive).  and, if you believe what i wrote in #1 above, you want minimal amount of "stuff" to potentially fail in a router.  so a CPU fan, or non-SSD HDD, etc all add failure components in your design.  if you have the time and inclination to learn, something like a purpose built device like soekris (www.soekris.com) is a real winner.  i've used these, and know friends that have, for many years, and they're sturdy little boxes, that make for great low-capacity routers (where low capacity is <= 20mb/s)    (cue logan to chip in on the vr0 interfaces on the earlier boards ... ;-))

#3 -- use reliable software for maximum uptime;  i think this should be obvious :-)    and again, here, don't downplay the "additional" services that you run.  the fewer services, the less likely the chance for software bugs..

#4 -- separate, and segment, your network as necessary.  that means understand what services your network will need, and how to provision for them, at network level.  the simplest tool that you have at layer2 is different physical networks;  but, that costs, so, as i mentioned above, an alternate trick is to use dot1q VLANs.  
i can imagine that *every* network would require, at least, a "services" and "clients" section.  yes, even home networks.  how would you segment your services from your clients?  and how would you scale this?  i ask because, perhaps you didn't have a "managed" switch for use initially, but now that you realise that you *should* separate out clients, and services, and..other things, and that you can use simple VLANs to do this, perhaps it's worth investing in such a switch !    a cheapish, gigabit capable, fanless (!) switch is the HP 1800 series.

a word on segmentation - before you tell me that your network only has three hosts, and that this is too small, and the things i'm telling you about are too grandiose, consider what you need your network to do, and how you will want to plan, and scale this organically.  yes - even small networks.  a small network is no excuse to simply "clump things into one broadcast domain" as is so often the case!   :-(
a simple example - in my home, i have 9, permanently, in-use VLANs, because, i wanted to segment different things, according to their usage on my network.  some of them are:   
* my wired devices from the wireless (to contain broadcasts, and because VLANs are free ;-));   
* guests  and visitors who want internet access while they're visiting;
* my media, etc.
* "open-wifi"  to anyone war-driving past me because i'm generous
i run my own mini dns server (doesn't everyone?);  not because i don't trust my ISP, but because, when my telco decides to do maintenance on my VDSL line, my internal hosts can still happily speak to each other, and, internal "stuff" still works.  so i have a "services"  VLAN too.  there are other things in there too, like dhcp and simple nms box so i can hold my ISP accountable for the service that they provide to me.  do you think that such a thing is important for you ?   (if you say "no" then i have several things that i'd like to sell to you and your organisation... :-))
there's no reason that you can't, or shouldn't do this - or, even design for this, in your network now.  virtualisation is easy (and cheap).

as i said - the days of "clumping into one big open network" are over.  you're limited only by what you want to, and choose to, do...

--n.
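The Linux commands the message leaves out, as an added example that is not from the thread or any participant: the Linux sysctl equivalents of the BSD `net.inet.ip.forwarding` / `net.inet6.ip6.forwarding` keys, the 802.1q trunk alternative to a second NIC for topology #1, and a deny-by-default forward policy in the spirit of "a router only forwards". Interface names (eth0 as WAN side, eth1 as trunk port, VLAN 10 as the WinPC LAN) and the 192.168.10.0/24 address are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Linux equivalents of the BSD sysctls
# quoted in the message, the 802.1q trunk alternative to a second NIC, and a
# minimal forward policy. Assumed names: eth0 = WAN side, eth1 = trunk port
# to the switch, VLAN 10 = the LAN carrying the WinPCs.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 applies them as root.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# net.inet.ip.forwarding / net.inet6.ip6.forwarding on Linux (put the same
# keys in /etc/sysctl.conf to keep them across reboots)
forwarding_sysctls() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv6.conf.all.forwarding=1
}

# Topology #1 without a second NIC: tag the LAN as VLAN $2 on trunk port $1
vlan_subinterface() {
    trunk=$1; vid=$2; addr=$3
    run ip link add link "$trunk" name "$trunk.$vid" type vlan id "$vid"
    run ip addr add "$addr" dev "$trunk.$vid"
    run ip link set "$trunk.$vid" up
}

# A router should only forward: drop everything by default, then allow
# LAN -> WAN and the replies to it (nftables)
forward_policy() {
    lan=$1; wan=$2
    run nft add table inet router
    run nft add chain inet router forward \
        '{ type filter hook forward priority 0; policy drop; }'
    run nft add rule inet router forward iifname "$lan" oifname "$wan" accept
    run nft add rule inet router forward iifname "$wan" oifname "$lan" \
        ct state established,related accept
}

forwarding_sysctls
vlan_subinterface eth1 10 192.168.10.1/24
forward_policy eth1.10 eth0
```

Run it once as-is to review the plan, then `DRY_RUN=0 sh router.sh` as root to apply; the switch port facing eth1 must carry VLAN 10 tagged.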


