
Re: selecting old machines for firewall/router use



* On 2011 20 Feb 22:06 -0600, Stan Hoeppner wrote:
> Some consumer wireless routers don't like to do DHCP pass through, and
> won't serve DHCP when configured as a bridge, in which case the Linux
> firewall will have to serve DHCP.  If the wireless router won't pass
> DHCP from the wired to wireless segments while in bridge mode, then
> you're in a catch 22.  Some simply can't be configured as bridges at all
> (access points--APs).  In this case, you'll have to run the Netgear in
> router mode and run multiple RFC 1918 subnets, one for wireless traffic
> and one for wired, and you'll have to set up the firewall to perform
> routing as well as packet filtering.

I found that one does not necessarily need specific bridging support in
the router firmware to make one a simple AP.  What I've done with three
different router models--two Linksys and one Netgear--was to disable the
internal DHCP server and connect the uplink cable to one of the switch
ports rather than the WAN port.  In that configuration they have worked
well by simply passing DHCP and other network protocols.  These have
been models with four wired LAN ports, a wired WAN port, and wireless.
This has the nice effect of my wireless being on the same subnet as my
wired LAN and the wireless clients are directly accessible with ping and
other protocols creating a seamless network.

> You've got your work cut out for you, and it will be a painful learning
> curve if you use the trial and error method of setting it up.  All your
> machines may be unable to access the net while you're changing your
> network architecture, which means no access to troubleshooting docs or
> forum help.
> 
> Thus, you need to have researched _everything_ and have a solid step by
> step migration plan in place _before_ you change a single thing.  If all
> clients were wired desktop machines and you didn't have the wireless
> Netgear in the mix it may be easier.  You've got a lot of research to do.

Indeed.  In my experience, the DNSmasq and Shorewall packages are
amongst the easiest ways to set up a DHCP server with caching DNS and
iptables firewall.  If an IPv6 tunnel is configured or an IPv6 address is
provided by the upstream ISP, then the shorewall6 package will be needed.

This can be a very fun project for a learning experience so long as
others aren't having a network outage during the transition.  Have fun!

- Nate >>

-- 

"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."

Ham radio, Linux, bikes, and more: http://n0nb.us/index.html
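
The setup described in this message (consumer routers used as plain APs with their DHCP servers disabled, and DNSmasq on the Linux firewall serving DHCP and caching DNS) could be configured as below. This is an added example, not part of the original post; the interface names (eth0 toward the ISP, eth1 toward the LAN) and the 192.168.10.0/24 addressing are assumptions.

```conf
# /etc/dnsmasq.conf on the Linux firewall (constructed example)
# Assumption: eth0 faces the ISP, eth1 faces the LAN switch the APs plug into.
# Assumption: the firewall's LAN address is 192.168.10.1/24.

# Answer DHCP and DNS only on the LAN interface, never on the WAN side.
interface=eth1
except-interface=eth0
bind-interfaces

# Do not forward plain host names or private-range reverse lookups upstream.
domain-needed
bogus-priv

# One pool for wired and wireless clients, since the APs only bridge.
# Low addresses stay free for the APs' own static management IPs.
dhcp-range=192.168.10.100,192.168.10.200,255.255.255.0,12h
dhcp-option=option:router,192.168.10.1
dhcp-option=option:dns-server,192.168.10.1

# This is the only DHCP server on the segment (the APs' servers are off).
dhcp-authoritative

# Caching DNS for the LAN.
cache-size=1000

# Log lease transactions while verifying that wireless clients get
# addresses from this server and not from a forgotten AP.
log-dhcp
```

With log-dhcp enabled, a wireless client that receives an address outside the configured range points to an AP whose internal DHCP server is still running.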

