Which router?

For discussing Linux compatible (or not) devices

Postby kimcarsons » Thu Jan 20, 2011 9:20 pm

I need to set up a network at home. The set up i want is as follows:
    |LAN|----|switch|----|linux firewall|-----|switch|------|ADSL/border router|

The problem at the moment is that the Linux firewall has to have its NICs on different subnets (the external one gets an address via DHCP from the border router on 192.168.1.*, and the internal one is on 192.168.2.*). I can, with the current border router, change the subnet mask to 255.255.0.0 so that it doesn't "mind" dealing with addresses on the two different subnets. However, I can't add a route to the internal LAN (192.168.2.*). So the border router only knows that the Linux firewall is reached at 192.168.1.*, and there's no way, on this border router, to add a route to 192.168.2.*. So I can't ping the border router from my Ubuntu hosts on the LAN. I can ping the Linux firewall's internal and external interfaces from the Ubuntu hosts on the LAN, but I can't ping the border router from the LAN because it doesn't know how to get to 192.168.2.*.
I need to replace the border router, which is just a home router, with a machine that has all the usual capabilities of a home router/ADSL box AND the capability to add routes to other subnets. It needs firewalling capabilities because plugged into the switch (coming out of the ADSL box), in the diagram, are 2 Ubuntu servers. It would also be good if it could do things like changing the subnet mask. As flexible as possible. I'm willing to spend a fair bit, i.e. less than 200 pounds. Off the top of your heads, is there any router you could recommend that is good for a fully UNIX network involving different subnets and could replace a home router?
Or do I need a router that you can install a special Linux on? And if so, are there any that are recommended?
Thank you so much for your time and any replies. Fare ye well.
you can lead a horse to water but you can't climb a ladder with a bell in both hands
kimcarsons
 
Posts: 26
Joined: Thu Jan 20, 2011 9:14 pm
Location: sheffield

Postby Dutch_Master » Thu Jan 20, 2011 10:20 pm

Have a look at the Linksys/Cisco WRT series. There are models that actually run Linux and have attracted a development community around them. Google for "Open-WRT" ;)
Dutch_Master
LXF regular
 
Posts: 2471
Joined: Tue Mar 27, 2007 1:49 am

Postby nelz » Thu Jan 20, 2011 10:30 pm

Is the problem that your firewall box is not set up to route packets from one subnet to the other?

I'd put a third NIC in the firewall box for the server DMZ and run the firewall on that, using the ADSL modem as just a modem. It will give you far more control over what's going on.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
nelz
Site admin
 
Posts: 8577
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK

Postby kimcarsons » Fri Jan 21, 2011 1:55 pm

That's what I tried (putting the firewall in the ADSL's DMZ) originally. The ADSL/router just seemed to do it a bit unpredictably and I decided on the sometimes called "screened subnet architecture". I will try that again though (with the ADSL's DMZ). If I have a problem with this I'll probably post here again. Thank you very much for your speedy replies. That's great. This seems like a great forum.
you can lead a horse to water but you can't climb a ladder with a bell in both hands
kimcarsons
 
Posts: 26
Joined: Thu Jan 20, 2011 9:14 pm
Location: sheffield

Postby nelz » Fri Jan 21, 2011 9:59 pm

The firewall is supposed to protect the internal LAN, it can't do that from the DMZ.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
nelz
Site admin
 
Posts: 8577
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK

Postby kimcarsons » Tue Jan 25, 2011 2:09 pm

I've tried putting the dedicated firewall in the ADSL/border router's DMZ. The ADSL/border router won't let this happen. It won't recognise that the dedicated firewall is part of the network and so give it to me as one of the optional hosts to put in its DMZ. So I decided to go with the original plan but buy a new ADSL/border router that runs DD-WRT. I'm just wondering, will it have all the necessary configuration options to replace the ADSL/border router that my ISP gave me? The router I'm replacing the ISP's router with is a "Buffalo Technologies Nfiniti Wireless-N High Power Router & Access Point WZR-HP-G300NH". So I'm very much hoping that with this and an ADSL modem I'll be able to build whatever network I want at home, seeing as said router does come preloaded with DD-WRT. I just thought I'd check here before I bought it.
Thank you for any replies
you can lead a horse to water but you can't climb a ladder with a bell in both hands
kimcarsons
 
Posts: 26
Joined: Thu Jan 20, 2011 9:14 pm
Location: sheffield

Postby kimcarsons » Tue Jan 25, 2011 2:18 pm

By the way, I'm only asking in case you had a general opinion about replacing one's ISP-supplied router, or if you'd heard anything about these routers. I don't realistically expect you to go away and find out through research what I couldn't find out with Google.
you can lead a horse to water but you can't climb a ladder with a bell in both hands
kimcarsons
 
Posts: 26
Joined: Thu Jan 20, 2011 9:14 pm
Location: sheffield

Postby kimcarsons » Tue Jan 25, 2011 2:22 pm

nelz, thanks very much for your reply. I'd very much like to hear why a firewall can't protect an internal LAN if it's in the ADSL/border router's DMZ.
you can lead a horse to water but you can't climb a ladder with a bell in both hands
kimcarsons
 
Posts: 26
Joined: Thu Jan 20, 2011 9:14 pm
Location: sheffield

Postby nelz » Tue Jan 25, 2011 3:28 pm

The DMZ is a separate network to the LAN. Expecting a firewall in the DMZ to protect the LAN is like putting a padlock on the garden shed and expecting it to secure the house.

Your router sits at the conjunction of three networks: your ISP's, the LAN and the DMZ, so putting a firewall between the router and the DMZ will only protect the DMZ.

As for replacing the ISP's router with something else: that is generally a good idea. Unless they charged you a lot of money for it, it will be the cheapest one they could get hold of.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
nelz
Site admin
 
Posts: 8577
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK

Postby kimcarsons » Tue Jan 25, 2011 6:12 pm

Sorry, we were talking at cross purposes. I meant a dedicated firewall that is a Linux/BSD box with 3 NICs. One NIC is plugged into the ADSL/border router (and in its DMZ); the other two NICs are plugged into a LAN and a DMZ.
you can lead a horse to water but you can't climb a ladder with a bell in both hands
kimcarsons
 
Posts: 26
Joined: Thu Jan 20, 2011 9:14 pm
Location: sheffield

Postby towy71 » Tue Jan 25, 2011 6:33 pm

kimcarsons wrote:
Sorry, we were talking at cross purposes. I meant a dedicated firewall that is a Linux/BSD box with 3 NICs. One NIC is plugged into the ADSL/border router (and in its DMZ); the other two NICs are plugged into a LAN and a DMZ.

If you plug your firewall into the DMZ then you are bypassing the DMZ, which is illogical; the whole point of the DMZ is to eliminate any possibility of your private network being touched by the interweb. If the machine on the DMZ is accessible from the outside then you can obviously get at it.
Last edited by towy71 on Tue Jan 25, 2011 10:58 pm, edited 1 time in total.
still looking for that door into summer
towy71
Moderator
 
Posts: 4276
Joined: Wed Apr 06, 2005 2:11 pm
Location: wild West Wales

Postby nelz » Tue Jan 25, 2011 10:36 pm

So it's a router that is setting up the DMZ, not just a firewall?
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
nelz
Site admin
 
Posts: 8577
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK

Postby kimcarsons » Wed Jan 26, 2011 8:07 pm

Yes, well, I thought I could put the dedicated firewall (Linux/BSD box) in the ADSL/border router's DMZ. Then the dedicated firewall (Linux/BSD box) could do NAT and DHCP and be a firewall for servers, which would be hanging off one of its NICs, and a LAN, which would be hanging off the other NIC.
What's wrong with that? The servers wouldn't be in the dedicated firewall's DMZ. The dedicated firewall's external NIC would be in the ADSL/border router's DMZ. Any other clients in the house (that are other people's) would just use the ADSL/border router in the normal way and have nothing to do with my set up.
you can lead a horse to water but you can't climb a ladder with a bell in both hands
kimcarsons
 
Posts: 26
Joined: Thu Jan 20, 2011 9:14 pm
Location: sheffield

Postby nelz » Wed Jan 26, 2011 8:36 pm

It sounds unnecessarily complicated. Why not just connect the firewall to one of the modem/router's LAN ports, effectively using it only as a modem? Then your firewall/router box could take care of everything else.

Remember, the more complex and difficult to understand a firewall setup is, the more likely it is to work incorrectly.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
nelz
Site admin
 
Posts: 8577
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK
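
A small reachability model, added here as an example and not written by anyone in this thread, of the point nelz makes above and in the earlier "padlock on the garden shed" reply: a firewall can only protect a segment if every path from the internet to that segment crosses it. Device and segment names ("isp_router", "house_lan", "router_to_fw" and so on) are made up. The three layouts are the one nelz was answering (firewall only between the ISP router and the DMZ), the three-NIC plan kimcarsons described, and nelz's modem-only suggestion.

```python
from collections import deque
from typing import Dict, Optional, Set

# Constructed model, not from anyone in the thread: a topology maps a device to the
# L2 segments its NICs sit on. Traffic moves from segment to segment only through a device.
Topology = Dict[str, Set[str]]


def reachable(topo: Topology, src: str, dst: str, without: Optional[str] = None) -> bool:
    """Breadth-first walk from segment src to segment dst through the devices in topo.
    `without` names a device to leave out of the walk, which tells us whether dst can
    be reached on a path that never crosses that device."""
    seen = {src}
    queue = deque([src])
    while queue:
        seg = queue.popleft()
        if seg == dst:
            return True
        for dev, segs in topo.items():
            if dev == without or seg not in segs:
                continue
            for nxt in segs - seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def protected_by(topo: Topology, firewall: str, src: str, dst: str) -> bool:
    """True iff every path from src to dst crosses `firewall`: dst is reachable with the
    firewall in place, but not once the firewall is taken out of the walk. A segment the
    firewall does not stand in front of is one the firewall cannot protect."""
    return reachable(topo, src, dst) and not reachable(topo, src, dst, without=firewall)


# 1. The layout nelz was answering: the ISP router joins the internet, the LAN and the
#    DMZ, and the firewall only sits between the router and the DMZ.
FIREWALL_ON_DMZ_ONLY: Topology = {
    "isp_router": {"internet", "lan", "router_to_fw"},
    "firewall":   {"router_to_fw", "dmz"},
}

# 2. kimcarsons' plan: a three-NIC Linux/BSD box whose outer NIC hangs off the ISP router's
#    DMZ port, with a private LAN and a server segment behind it; the rest of the house
#    stays on the ISP router's own LAN.
THREE_NIC_BEHIND_ROUTER: Topology = {
    "isp_router": {"internet", "house_lan", "router_dmz"},
    "firewall":   {"router_dmz", "lan", "servers"},
}

# 3. nelz's suggestion: use the ISP box purely as a modem and let the three-NIC
#    firewall own every other segment.
MODEM_ONLY: Topology = {
    "adsl_modem": {"internet", "modem_link"},
    "firewall":   {"modem_link", "lan", "dmz"},
}


def report(topo: Topology) -> Dict[str, bool]:
    """For every segment other than the internet: does the firewall stand between it and the internet?"""
    segments = set().union(*topo.values()) - {"internet"}
    return {seg: protected_by(topo, "firewall", "internet", seg) for seg in sorted(segments)}


if __name__ == "__main__":
    for name, topo in [("firewall on DMZ only", FIREWALL_ON_DMZ_ONLY),
                       ("three-NIC box behind router", THREE_NIC_BEHIND_ROUTER),
                       ("modem only", MODEM_ONLY)]:
        print(name, report(topo))
```

Running it prints which segments sit behind the firewall in each layout. In the first layout only the DMZ does, which is the padlock-on-the-shed case. In the three-NIC plan the private LAN and server segments do, but the rest of the house on the ISP router's own LAN does not. In the modem-only layout everything does. The check is about topology only: being on the path is necessary for the firewall to protect a segment, and the ruleset then decides whether it actually does, which is where nelz's remark about complexity applies.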

Postby Grinch » Tue Mar 01, 2011 3:17 pm

kimcarsons wrote:
I can, with the current border router, change the subnet mask to 255.255.0.0 so that it doesn't "mind" dealing with addresses on the two different subnets.

With a mask of 255.255.0.0 or /16 they are both in the same subnet, as are all 192.168.x.x addresses. That alone will prevent any routing, as you can only route between different subnets.

There is nothing complex about your setup; it is standard for an internet-facing DMZ and an internal NAT-ed LAN.

To make this work you need to change the masks to 192.168.x.x 255.255.255.0 or /24.

The firewall will need a default route, which would be ip route 0.0.0.0 0.0.0.0 192.168.1.1 assuming your router's address is 192.168.1.1 /24, and you will need to be NATing on its 192.168.1.x /24 address.

If you need to be able to get from the 192.168.1.1 LAN to the 192.168.2.1 LAN you will need to put a static route pointing at the IP address of the firewall in your router.

The firewall's 192.168.2.x address needs to be the default gateway for the 192.168.2.0 /24 LAN, and the firewall's default gateway needs to be the router's Ethernet port 192.168.1.1 /24.

As your IP space is private the firewall is not doing anything useful, as 192.168.0.0 /16 is not publicly routable IP space (see RFC 1918).

Even if some ISP was dumb enough to advertise it into BGP, most of the ISPs in the world filter it out. Even if they did not, there are millions of 192.168.1.0 /24 networks so they can't easily connect.
They would need a trojan to connect out and that is a tad difficult in Linux but maybe not impossible.
Grinch
 
Posts: 1
Joined: Tue Mar 01, 2011 2:28 pm
Location: Cheshire
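
To put the subnet-mask and static-route discussion in this thread (the original post and Grinch's reply above) into something runnable, here is an added Python model, example code rather than anything a poster wrote: a longest-prefix-match forwarding table for the border router and for the Linux firewall. Interface names (lan, adsl0, eth0, eth1), the firewall's outer address 192.168.1.2 and the LAN host 192.168.2.10 are assumptions; the addresses taken from the thread are 192.168.1.1 for the router and the 192.168.1.0/24 and 192.168.2.0/24 ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example, not the poster's configuration: a minimal longest-prefix-match
# forwarding table, used to show why the border router cannot reach 192.168.2.0/24
# and what changes once the masks are /24 and a static route points at the firewall.


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network           # destination network
    iface: str                              # interface the packet leaves on
    via: Optional[ipaddress.IPv4Address]    # None means the destination is directly attached


def make_table(entries: List[Tuple[str, str, Optional[str]]]) -> List[Route]:
    """Build a table from (prefix-or-address/mask, interface, gateway-or-None) tuples.
    Interface addresses such as '192.168.1.1/24' are accepted and reduced to their network.
    The table is ordered longest prefix first so forward() can take the first match."""
    routes = [Route(ipaddress.ip_network(p, strict=False), i,
                    ipaddress.ip_address(g) if g else None) for p, i, g in entries]
    return sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)


def forward(table: List[Route], dst: str) -> Tuple[str, Optional[str]]:
    """Decide what a box does with a packet for dst:
    ('onlink', iface)      - it ARPs for dst on iface and delivers directly
    ('via', gateway)       - it hands the packet to that gateway
    ('unreachable', None)  - no matching route, the packet is dropped"""
    addr = ipaddress.ip_address(dst)
    for r in table:
        if addr in r.prefix:
            return ("via", str(r.via)) if r.via else ("onlink", r.iface)
    return ("unreachable", None)


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True if a and b fall in the same subnet under mask (dotted or prefix length)."""
    net = ipaddress.ip_network(f"{a}/{mask}", strict=False)
    return ipaddress.ip_address(b) in net


# Border router as described in the thread: LAN side widened to /16, no route to 192.168.2.0/24.
# 'lan' and 'adsl0' are made-up interface names; the ISP link is treated as point-to-point.
ROUTER_WIDE_MASK = make_table([
    ("192.168.1.1/16", "lan", None),
    ("0.0.0.0/0", "adsl0", None),
])

# Border router with /24 on the LAN side and the static route Grinch describes,
# pointing at the firewall's outer address (assumed to be 192.168.1.2).
FIREWALL_OUTER = "192.168.1.2"
ROUTER_WITH_STATIC_ROUTE = make_table([
    ("192.168.1.1/24", "lan", None),
    ("192.168.2.0/24", "lan", FIREWALL_OUTER),
    ("0.0.0.0/0", "adsl0", None),
])

# The Linux firewall: outer NIC eth0 in 192.168.1.0/24, inner NIC eth1 in 192.168.2.0/24,
# default route through the border router (Grinch's 'ip route 0.0.0.0 0.0.0.0 192.168.1.1').
FIREWALL = make_table([
    ("192.168.1.2/24", "eth0", None),
    ("192.168.2.1/24", "eth1", None),
    ("0.0.0.0/0", "eth0", "192.168.1.1"),
])

LAN_HOST = "192.168.2.10"   # an Ubuntu host on the internal LAN (constructed address)

if __name__ == "__main__":
    print("/16 mask: 192.168.1.1 and", LAN_HOST, "in the same subnet?",
          same_subnet("192.168.1.1", LAN_HOST, "255.255.0.0"))
    print("router with /16, reply to", LAN_HOST, "->", forward(ROUTER_WIDE_MASK, LAN_HOST))
    print("router with /24 + static route ->", forward(ROUTER_WITH_STATIC_ROUTE, LAN_HOST))
    print("firewall, to LAN host ->", forward(FIREWALL, LAN_HOST))
    print("firewall, to the internet ->", forward(FIREWALL, "198.51.100.7"))
```

With the /16 mask the router answers 'onlink' for 192.168.2.10: it believes the host is on its own Ethernet segment, ARPs for it there, gets no reply (the firewall's outer NIC only answers for 192.168.1.2), and so the ping from the LAN is never answered. With /24 masks and the static route, the same lookup returns 'via 192.168.1.2' and the packet is handed to the firewall. If the router cannot take a static route, as in the original post, the firewall has to NAT the LAN behind its 192.168.1.x address so replies are addressed to something the router does know, which is Grinch's NAT remark.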

