[Techtalk] Network routing/bridging help...

Maria Blackmore mariab at cats.meow.at
Sun Dec 29 02:28:08 EST 2002


On Sat, 28 Dec 2002, Michelle Murrain wrote:
> I have a T1 line, connected to a Cisco router. I decided to add a 
> linux firewall (running debian testing). I am now stuck with a 
> routing problem.

Hi,

The Cisco is perfectly capable (usually) of performing firewall functions,
which would simplify things a great deal unless you're trying to set up the
Linux machine for a reason or for a challenge.

> For a variety of reasons (primarily because almost everything I have 
> are servers of one sort or another, and I have enough IPs) I decided 
> to give everything public IP addresses (all in one subnet).

ok

> The firewall has 2 nic cards. It's connected by a crossover cable to
> the Cisco router, which basically now sits there and simply routes
> traffic from my subnet in and out.

Sounds like it's fairly sensible.

<snip>

> We (helpful irc chix and I) cannot figure out how to do the routing 
> on this, the most likely problem is that all of the IPs are on the 
> same subnet. So far, I have set up a default gateway on the firewall 
> as the .35 cisco router, and the default gateways on the individual 
> boxes as .50 (the firewall), although neither .35 nor .51 works 
> either.

hmm

> When I have this set up, I can get out into the world from the 
> firewall, and also ping .50 and .51 from the internal boxes, but 
> can't get out into the world from them, no matter what. This is what 
> my /etc/network/interfaces looks like:
> 
> auto eth0
> iface eth0 inet static
>          address 66.152.196.50
>          netmask 255.255.255.224
> 
> auto eth1
> iface eth1 inet static
>          address 66.152.196.51
>          netmask 255.255.255.224
>          gateway 66.152.196.35

This isn't going to work: you're splitting a single IP subnet over two
physical subnets.

The key here is whether you have control over the Cisco or not...

If you do, then you need to switch to using a /30 of private IP space on
the link between the Cisco and the firewall, e.g. 192.168.1.0/30.

Set the Cisco to be 192.168.1.1 and the Linux machine to be 192.168.1.2.

On the Cisco, log in and enable, then:

interface ethernet0
ip address 192.168.1.1 255.255.255.252
^Z			(Control Z)
write

If you don't have the login or enable passwords, contact me offlist and
I'll talk you through running password recovery on the router; you'll need
a serial cable and a terminal program.

Doing it this way means that when someone runs a traceroute to you, a
packet with a private IP on it will be originated from you. If this is a
problem then we can do something about it.

If you don't have access to the Cisco, you need to make the Cisco think
that the Linux box is the destination for all the IP addresses that you're
using.  Proxy ARP is the key here and well explained, I think, in this web
page: http://www.sjdjweis.com/linux/proxyarp/

have fun :)

Maria
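An added example, not part of the original post: a small Python model of the Cisco's return-path decision for a packet coming back from the Internet to one of the servers behind the firewall, under the three setups the reply discusses (the posted config, proxy ARP on the firewall, and the private /30 link). Addresses are the ones quoted in the thread; the static route sending the /27 to 192.168.1.2 in the /30 design is an assumption, since the reply does not spell it out.

```python
import ipaddress

# Servers sit on the firewall's eth0 in the /27 quoted in the thread.
FIREWALL_INSIDE = ipaddress.ip_network("66.152.196.32/27")

def lookup(routes, dst):
    """Longest-prefix match. routes: list of (prefix, gateway or None for on-link)."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def arp_responder(link_hosts, ip, firewall_proxy_arp):
    """Who answers an ARP request for ip on the crossover cable?
    link_hosts maps addresses really configured on the cable to host names."""
    if ip in link_hosts:
        return link_hosts[ip]
    # Proxy ARP: the firewall answers for inside addresses it routes out eth0,
    # even though none of them is configured on eth1.
    if firewall_proxy_arp and ipaddress.ip_address(ip) in FIREWALL_INSIDE:
        return "firewall"
    return None  # nobody answers, so the Cisco drops the packet

def return_path(cisco_routes, link_hosts, dst, firewall_proxy_arp=False):
    """Which host on the cable receives the Cisco's packet for dst, or None."""
    match = lookup(cisco_routes, dst)
    if match is None:
        return None
    gateway = match[1]
    next_hop = gateway or dst  # on-link destinations are ARPed for directly
    return arp_responder(link_hosts, next_hop, firewall_proxy_arp)

# Setup 1: the posted config, one /27 spanning both sides of the firewall.
BROKEN_ROUTES = [("66.152.196.32/27", None)]    # Cisco ethernet0 is .35/27
BROKEN_LINK = {"66.152.196.51": "firewall"}     # only eth1 (.51) is on the cable
# Setup 2: same addressing, proxy ARP on the firewall's eth1
# (/proc/sys/net/ipv4/conf/eth1/proxy_arp = 1).
# Setup 3: private /30 on the cable; the Cisco routes the /27 to the firewall
# (assumed static route: ip route 66.152.196.32 255.255.255.224 192.168.1.2).
FIXED_ROUTES = [("192.168.1.0/30", None), ("66.152.196.32/27", "192.168.1.2")]
FIXED_LINK = {"192.168.1.2": "firewall"}

if __name__ == "__main__":
    server = "66.152.196.40"  # constructed: one of the inside servers
    print(return_path(BROKEN_ROUTES, BROKEN_LINK, server))                           # None
    print(return_path(BROKEN_ROUTES, BROKEN_LINK, server, firewall_proxy_arp=True))  # firewall
    print(return_path(FIXED_ROUTES, FIXED_LINK, server))                             # firewall
```

In the posted setup the Cisco ARPs for the server on the crossover cable, where only the firewall's .51 can answer, so replies to every other inside address are dropped; proxy ARP or the /30 plus a route both hand those packets to the firewall.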
