Simon Hobson
2009-Oct-23 14:16 UTC
OT - problem configuring ADSL connection with dynamic address and routed IP block
Not strictly related to Shorewall, but there are people here with far more detailed networking knowledge than I have.

I'm trying to set up a routed system (which will be running Shorewall) on a BT ADSL line with a /28 block of public IPs. On connection (PPPoA), the modem is given a single dynamic IP address by the ISP, and then the /28 traffic is passed up that link.

My first attempt with a Netgear DM111P modem resulted in the public traffic not reaching the linux box - I assume because the modem just wasn't designed for it. I've since bought a Viking PCI modem (http://www.traverse.com.au/productview.php?product_id=115) which has a Conexant DSL-Ethernet modem and RTL8139 ethernet chip on the card - to the system it appears as an ethernet card with an external modem attached. So I have :

adsl line --- modem-ethernet --- linux box --- clients

If I set up the modem in bridge mode, then the dynamic IP would have to be on the linux box. Unlike the Netgear modem, the Viking card doesn't have the ability to configure the downstream device by DHCP.

What I've done is configured an RFC1918 subnet (192.168.x.0/24) on the virtual ethernet link between modem and linux box. This works fine except for one little detail ... Outbound connections from the linux box default to using the RFC1918 address as the source address - so the traffic just gets dropped by the internet routers. With some software (eg ping) you can specify the source address, or BIND can be bound to just the internal interface, and things work fine.

Here are the options I've considered :

1) Configure the modem with one of the public IPs on its ethernet port, and run the linux box as a bridge. It would work, but then ties up yet another of my IPs. I'm already having to be careful as we're being forced to switch from having a /27 to having a /28 - and we have 11 clients to connect with potential for more if the empty rooms get let.

2) Get the modem to NAT the RFC1918 address to its external dynamic address. Would be the best way, but I don't know if the modem has that capability - the vendor hasn't used it in that way (normally uses PPPoE) and the manufacturer hasn't returned my emails yet. The manual is rather vague in places.

3) Put the modem in bridge mode, and figure out some way to make the outside interface on the linux box track the ISP provided address. Could be fun !

4) Somehow get all the outbound connections from the linux box to use its internal interface address instead of its external one by default. Any ideas how to do this ?

5) Forget about 'intelligent' modems like this and get something more basic - but it seems that decent, modern, linux supported ADSL modems are a bit thin on the ground (the box has one PCI slot).

Any other ideas ?

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference
Tom Eastep
2009-Oct-23 16:02 UTC
Re: OT - problem configuring ADSL connection with dynamic address and routed IP block
Simon Hobson wrote:

> Outbound connections from the linux box default to using the RFC1918
> address as the source address - so the traffic just gets dropped by
> the internet routers. With some software (eg ping) you can specify
> the source address, or BIND can be bound to just the internal
> interface, and things work fine.

Have you tried adding a 'reserved nat' on the modem to map your firewall's RFC1918 address to the modem's external IP address?

I presume that you have added a route on the modem to route your /28 via the firewall's RFC1918 address?

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Simon Hobson
2009-Oct-23 19:32 UTC
Re: OT - problem configuring ADSL connection with dynamic address and routed IP block
Tom Eastep wrote:

>> Outbound connections from the linux box default to using the RFC1918
>> address as the source address - so the traffic just gets dropped by
>> the internet routers. With some software (eg ping) you can specify
>> the source address, or BIND can be bound to just the internal
>> interface, and things work fine.
>
> Have you tried adding a 'reserved nat' on the modem to map your
> firewall's RFC1918 address to the modem's external IP address?

Unfortunately, it appears to be "all or nothing" as far as NAT goes. If I turn on NAT in general, then the public addresses get mapped as well. There is a facility to do a 1:1 mapping - but with a dynamic address that's not very practical, and I don't know if it forces an outbound mapping.

I'll look into whether we can have the link address fixed as well as having the /28 block - I can probably put the modem in bridged mode then. When you order it, it's a selection (single address, 5 usable addresses, or 13 usable addresses) with no mention of a fixed link address together with an address block. I don't know what they charge for the /28 block, but I know the rip off merchants charge £5/month to have a single fixed address !

The current connection is great, the provider put in the SDSL modem and a Cisco router - and we just get an ethernet port with a /30 on it for our outside interface, plus a /27 for our customers - nice and simple. Unfortunately, under EU competition rules they've been told to stop selling the service commercially as the network was built with public funding to supply the educational institutions in the area. So we have to put something else in, and the boss chose ADSL - my preferred option was 5GHz radio (they are only about 200 yards from our office) and share our nice uncontended, unmetered fibre connection.

> I presume that you have added a route on the modem to route your /28 via
> the firewall's RFC1918 address?

Yes, that's working fine.

--
Simon Hobson
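Option 4 in the first post (making the linux box's own outbound connections use a public address by default) can be done on the box itself, without any NAT on the modem, by giving the default route a preferred-source hint; this relies on the modem routing the /28 back via the firewall's RFC1918 address, as Tom's reply assumes. The script below is an added example, not code from the thread or from Shorewall. All addresses are assumed placeholders: 192.168.100.0/24 stands in for the modem link subnet, 203.0.113.16/28 (a documentation range) for the routed block, and eth0/eth1 for the modem-facing and client-facing interfaces.

```shell
#!/bin/sh
# Added example (not from the thread): make locally originated traffic from the
# firewall leave with a public address from the routed block instead of the
# RFC1918 link address, by attaching a preferred-source hint to the default route.
# Assumed placeholder values (not the poster's real addresses):
#   192.168.100.1    modem's LAN-side address, i.e. the next hop (LINK_DEV = eth0)
#   203.0.113.16/28  the routed public block (TEST-NET-3 documentation range)
#   203.0.113.17     public address the firewall holds on its inside interface (eth1)
set -eu

MODEM_GW="${MODEM_GW:-192.168.100.1}"
LINK_DEV="${LINK_DEV:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.17}"
PUBLIC_PREFIX="${PUBLIC_PREFIX:-28}"
INSIDE_DEV="${INSIDE_DEV:-eth1}"

# route_cmds prints the iproute2 commands needed, one per line. The public
# address must be configured on the box (here on the inside interface, where
# it also serves as the clients' gateway); the kernel rejects a "src" that is
# not a local address.
route_cmds() {
    printf 'ip addr replace %s/%s dev %s\n' "$PUBLIC_IP" "$PUBLIC_PREFIX" "$INSIDE_DEV"
    printf 'ip route replace default via %s dev %s src %s\n' "$MODEM_GW" "$LINK_DEV" "$PUBLIC_IP"
}

# default_src_of prints the source address the kernel would now choose for a
# destination, parsed from "ip route get" (no root needed for the lookup).
default_src_of() {
    ip route get "$1" 2>/dev/null | sed -n 's/.* src \([0-9.]*\).*/\1/p' | head -n 1
}

# apply_routes executes the commands; needs root. Any other mode is a dry run.
apply_routes() {
    route_cmds | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_routes
    echo "Preferred source for 198.51.100.1 is now: $(default_src_of 198.51.100.1)"
else
    echo "Dry run; set APPLY=1 to execute:"
    route_cmds
fi
```

The `src` hint only affects sockets that have not explicitly bound a source address (ping -I, BIND's listen-on and similar keep working as before), and it changes nothing for forwarded client traffic, which already carries public addresses. After applying it, `ip route get <any internet address>` should report `src 203.0.113.17` (the placeholder here) rather than the 192.168 link address; if the modem NATs the /28 as well, as the second reply says this one does when NAT is switched on, leave NAT off and rely on the static route for the /28 instead.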