From Jose Avalis
Answered By Faber Fedor, Jason Creighton, Benjamin A. Okopnik, John Karns
Hi guys, and thanks in advance for your time. I'm Joe from Toronto.
I have this scenario at home.
3 WS with Winxx
1 Linux redhat 7.3
1 DSL Connection (Bell / Sympatico)
I would like to use the Linux machine as a router for the internal PCs. Could you help me with that, please?
[Ben] OK, I'll give it a shot. You have read and followed the advice in the IP-Masquerade HOWTO, right? If not, it's always available at the Linux Documentation Project <http://www.linuxdoc.org>, or possibly on your own system under /usr/doc/HOWTO or /usr/share/doc/HOWTO.
The Linux machine has two NICs: eth0 (10.15.1.10/16) is connected to the internal net (hub), while the other, eth1 (10.16.1.10/16), is connected to the DSL modem.
[Ben] You have private IPs on both interfaces. Given a DSL modem on one of them, it would usually have an Internet-valid address, either one that you automatically get via DHCP or a static one that you get from your ISP (that's become unusual for non-commercial accounts.) Looks like you have a PPPoE setup - so you're not actually going to be hooking eth0 to eth1, but eth0 to ppp0.
As you can see in the following text, everything is up and running and I can access the Internet from the Linux machine.
[Jason] This may seem like a stupid question, but do the internal PCs have valid Internet addresses? (i.e., those outside the 10.*.*.*, 172.16.*.*-172.31.*.* or 192.168.*.* ranges) If they don't, you need to do IP masquerading. This is not all that hard; I could give a quick & dirty answer as to how to do it (or you could look at the IP-Masquerading-HOWTO for the long answer), but I'd like to know if that's your situation first. Yes, I am that lazy.
ifconfig says
See attached jose.ifconfig-before.txt
See attached jose.ping-before.txt
The problem is that when I try to access the Internet from the internal LAN, I can't access it.
[Ben] Yep, that's what it is. That MTU of 1492 is a good hint: that's the correct setting for PPPoE, and that's your only interface with a Net-valid IP.
[John] The adjusted MTU for PPPoE (from the usual 1500 to 1492) is necessary, but can cause problems with the other machines on the LAN unless they too are adjusted for MTU.
[Ben] Right - although not quite as bad as the gateway's MTU (that one can chase its own tail forever - looks like there's no connection!)
[John] I've been stuck with using PPPoE for about a month now, and have found the Roaring Penguin pkg (http://www.roaringpenguin.com) to work quite well, once it's configured. I seem to remember reading that it does the MTU adjustment internally, and alleviates the headache of having to adjust the rest of the machines on the LAN to use the PPPoE gateway (see the ifconfig output below).
[Ben] Oh, _sweet._ I'm not sure how you'd do that "internally", but I'm no network-programming guru, and that would save a bunch of headaches.
[John] Especially nice if one of the LAN nodes is a laptop that gets carried around to different LAN environments - would be a real PITA to have to reset the MTU all the time.
# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:40:F4:6D:AA:3F
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21257 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14201 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4568502 (4.3 Mb)  TX bytes:1093173 (1.0 Mb)
          Interrupt:11 Base address:0xcc00
Then I just tacked on the firewall / masq script I've been using right along, with the only change being the external interface from eth0 to ppp0. PPPoE is also a freak in that the NIC that connects to the modem doesn't get an assigned IP.
[Ben] Yep, that's what got me thinking "PPPoE" in the first place. Two RFC-1918 addresses - huh? An MTU of 1492 for ppp0 and reasonably short ping times to the Net - oh.
all the PCs in the net have as Default gateway 10.15.1.10 (Linux internal NIC )
[Ben] That part is OK.
Linux's default gateway is the ppp0 adapter
[root@linuxrh root]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
64.229.190.1    0.0.0.0         255.255.255.255 UH       40 0          0 ppp0
10.16.0.0       0.0.0.0         255.255.0.0     U        40 0          0 eth1
10.15.0.0       0.0.0.0         255.255.0.0     U        40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         64.229.190.1    0.0.0.0         UG       40 0          0 ppp0
[root@linuxrh root]#
[Ben] Yep, that's what "netstat" says. I've never done masquerading with PPP-to-Ethernet, but it should work just fine, provided you do the masquerading correctly.
Can you guys give me some cues as to what my problem is?
I don't have any firewall installed.
Thanks a lot. JOE
[Ben] That's probably the problem. Seriously - a firewall is nothing more than a set of routing rules; in order to do masquerading, you need - guess what? - some routing rules (as well as having it enabled in the kernel.) Here are the steps in brief - detailed in the Masquerading HOWTO:
- Make sure that your kernel supports masquerading; reconfigure and
- Load the "ip_masq" module if necessary.
- Enable IP forwarding (ensure that /proc/sys/net/ipv4/ip_forward is
- Set up the rule set (the HOWTO has good examples.)
That's the whole story. If you're missing any part of it, go thou and fix it until it cries "Lo, I surrender!" If you run into problems while following the advice in the HOWTO, feel free to ask here.
[Faber] One thing you didn't mention doing is turning on forwarding between the NICs; you have to tell Linux to forward packets from one NIC to the other. To see if it is turned on, do this:
cat /proc/sys/net/ipv4/ip_forward
If it says "0", then it's not turned on. To turn it on, type
echo "1" > /proc/sys/net/ipv4/ip_forward
And see if your Win boxen can see the internet.
If that is your problem, once you reboot the Linux box you'll lose the setting. There are two ways not to lose the setting. One is to put the echo command above into your /etc/rc.local file. The second and Approved Red Hat Way is to put the line
net.ipv4.ip_forward = 1
in your /etc/sysctl.conf file. I don't have any Red Hat 7.3 boxes lying around, so I don't know if Red Hat changed the syntax between 7.x and 8.x. One way to check is to run
/sbin/sysctl -a | grep forward
and see which one looks most like what I have.
Hey Faber in NJ, thanks for your clues. In fact it was 0; I changed it to 1, I've restarted the box and it is 1 now, but it is still not working.
[Faber] Well, that's a start. There's no way it would have worked with it being 0!
First of all, am I right with this setup method? I mean, using Linux as a router only? Or should I set up masquerading and use the NAT facility to populate all my internal addresses on the Internet?
[Faber] Whoops! Forgot that piece! Yes, you'll have to do masquerading/NAT (I can never keep the two distinct in my head).
[Jason] It seems to me that you would want the DSL modem (eth1) to be the default route to the internet, not the modem (ppp0).
Because maybe the problem is that I'm trying to route my internal net to the DSL net and Internet and maybe it is not a valid proc.
[Faber] Well, it can be done, that's for sure. We just have to get all the t's dotted and the i's crossed.
[Jason] IP-Masquerading. Here's the HOWTO:
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO
And here's a script that's supposed (I've never used it) to just be a "fill in the blanks and go":
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-2.4.X
Note this is in the HOWTO, it's just later on after explaining all the gory details of NATing.
Hey, thanks for your mail, the thing is working now. I didn't know that the NAT functions in Linux are called Masquerading.
[Ben] Yeah, that's an odd one.
Masquerading is only a specific case (one-to-many) of NAT. As an example of other stuff that NAT can do, IBM had an ad for the Olympics a while back (their equipment handled all the traffic for the website); they did "many-to-many" NAT to split up the load.
Thanks again for your help; since I'm new to Linux, it took me a while to learn the terminology on this platform.
Too many NOSes in my head.
I have everything working now, including the firewall. I had to compile the kernel again, but it was OK.
C U.
[Ben] You're welcome! Glad we could help.
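Ben's checklist (kernel support, ip_forward, rule set) and Faber's forwarding check above are the whole recipe, but the thread never shows the rule set itself. The script below is an added example, not code from the thread or from any of the Answer Gang, written for the iptables/2.4-kernel setup that Red Hat 7.3 ships. The interface names (ppp0 outside, eth0 inside) and the 10.15.0.0/16 LAN come from Joe's description; the default-deny policies, the anti-spoofing rules and the TCPMSS clamp are assumptions on my part. The clamp is the iptables way of getting the PPPoE MTU adjustment John mentions Roaring Penguin doing "internally": the gateway rewrites the MSS on outgoing SYNs so the Windows boxes can keep their MTU of 1500. `RUN=echo` (or the `show` argument) prints the rules instead of applying them, so it can be reviewed on any box.

```shell
#!/bin/sh
# Added example (not from the thread): minimal IP masquerading for a PPPoE
# gateway with a 2.4 kernel and iptables, as on Red Hat 7.3.
# Interface names and LAN range are taken from the thread; the rest is assumed.
# With RUN=echo the rules are printed rather than applied.

EXT_IF=${EXT_IF:-ppp0}           # PPPoE link, the only interface with a public IP
INT_IF=${INT_IF:-eth0}           # LAN side (10.15.1.10/16 in the thread)
INT_NET=${INT_NET:-10.15.0.0/16}
IPT=${IPT:-iptables}
RUN=${RUN:-}                     # RUN=echo -> dry run

# Faber's check: is forwarding on?  Takes the path of the flag so the same
# function works on the live /proc entry or on a saved copy of it.
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = 1 ]
}

# The Red Hat way of keeping it on across reboots: exactly one
# net.ipv4.ip_forward line in sysctl.conf, replaced if already present.
persist_ip_forward() {
    conf=$1
    { grep -v '^net\.ipv4\.ip_forward' "$conf" 2>/dev/null || true; } >"$conf.tmp"
    echo 'net.ipv4.ip_forward = 1' >>"$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Ben's step 4: the rule set.  Default deny on INPUT and FORWARD, LAN out,
# replies back in, nothing else.
masq_rules() {
    ext=$1; int=$2; net=$3

    $RUN $IPT -F
    $RUN $IPT -t nat -F
    $RUN $IPT -P INPUT DROP
    $RUN $IPT -P FORWARD DROP
    $RUN $IPT -P OUTPUT ACCEPT

    # Traffic to the gateway itself: loopback, the LAN, and replies to what it sent.
    $RUN $IPT -A INPUT -i lo -j ACCEPT
    $RUN $IPT -A INPUT -i "$int" -s "$net" -j ACCEPT
    $RUN $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: nothing arriving over PPPoE may claim an RFC 1918 source.
    for priv in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $RUN $IPT -A INPUT   -i "$ext" -s "$priv" -j DROP
        $RUN $IPT -A FORWARD -i "$ext" -s "$priv" -j DROP
    done

    # LAN -> Internet is allowed; Internet -> LAN only for established flows.
    $RUN $IPT -A FORWARD -i "$int" -o "$ext" -s "$net" -j ACCEPT
    $RUN $IPT -A FORWARD -i "$ext" -o "$int" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # PPPoE MTU fix: clamp the TCP MSS on outgoing SYNs so LAN hosts can keep
    # MTU 1500 (the iptables equivalent of rp-pppoe's MSS clamping).
    $RUN $IPT -A FORWARD -o "$ext" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # The masquerading itself: LAN sources are rewritten to the ppp0 address.
    $RUN $IPT -t nat -A POSTROUTING -o "$ext" -s "$net" -j MASQUERADE
}

# Dry run: print the rule set for review without touching the kernel.
show_rules() {
    ( RUN=echo; masq_rules "$@" )
}

case ${1:-} in
    apply)
        ip_forward_enabled /proc/sys/net/ipv4/ip_forward || echo 1 >/proc/sys/net/ipv4/ip_forward
        persist_ip_forward /etc/sysctl.conf
        masq_rules "$EXT_IF" "$INT_IF" "$INT_NET" ;;
    show)
        show_rules "$EXT_IF" "$INT_IF" "$INT_NET" ;;
esac
```

Run it as `sh masq.sh show` first and read the rules, then `sh masq.sh apply` as root. Note that `ip_masq` is the 2.2-kernel module Ben names; on 2.4 the corresponding pieces are `ip_tables`, `iptable_nat` and `ipt_MASQUERADE`, which iptables autoloads when the kernel was built with netfilter as modules, so the kernel rebuild Joe ended up doing is the "make sure your kernel supports masquerading" step of the checklist.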