LinuxMCE Forums

General => Users => Topic started by: finsdown on February 11, 2008, 09:05:26 pm

Title: Network configuration questions
Post by: finsdown on February 11, 2008, 09:05:26 pm
Ok, I realize this may have been asked already ad nauseam, but searching the forum I still don't seem to find the answer to this question:

First, this is my current setup.  My CORE has 2 network interfaces, ETH0: 192.168.1.100, and ETH1: 192.168.80.1.
ETH0 goes to my Belkin Wifi Router (192.168.1.1). ETH1 goes to a 10/100mbit switch.  My M/D's all connect to this switch.  My regular w/s's all use wifi to connect to the Belkin router, and DHCP is turned off here. DHCP is on of course on the CORE.

My concern is this: If I let my regular workstations get their DHCP address from the CORE (i.e. if they all get 192.168.80.x addresses) how will they get routed to the internet if the CORE happens to be not up. Because in reality the CORE is going to be down at times.  Will they be unable to since the CORE isn't able to route the data? Since my wife gets pretty frustrated with me if the "internet" is down, I don't want to implement this networking topology.

What I've done instead is assign static IP addresses to my "regular computers" (which use wifi, i.e. 192.168.1.x ip addresses) which don't depend on the CORE being up to get to the internet.  This seems to work fine except that if I want to see the CORE's external IP address I have to disable the CORE firewall altogether.  This doesn't really bother me since it is inside the hardware firewall anyway.  This allows me to install Windows Orbiters and other good stuff.

Is this the "correct" and accepted way of setting up this network scheme? Are there any firewall rules I can implement on the CORE instead of turning off the firewall?  If I turn on DHCP on the Belkin broadband router will this cause problems on the internal network? 
Title: Re: Network configuration questions
Post by: teedge77 on February 11, 2008, 09:10:46 pm
that setup sounds fine to me. having dhcp on the 1.X network wont affect the 80.X network. all you would have to do for the firewall is let port 80 through. the web orbiter is different though. youd have to enable what ever port an orbiter uses to go through the firewall also. i dont remember which port it is off the top of my head but i have seen it somewhere. i think it was 13something but...not too sure.
Title: Re: Network configuration questions
Post by: teedge77 on February 11, 2008, 09:12:56 pm
also...ive never used it...but ive read that you can use a web based orbiter...so that may solve the orbiter problem.
Title: Re: Network configuration questions
Post by: rrambo on February 11, 2008, 09:15:31 pm
You're basically correct...  If the core is down, you won't be able to access the internet without setting static addresses on your workstations and point them to your router...  I had the same concern, but now, I just leave my core up all the time...  now that it is stable it doesn't bother me leaving it up..  on the off chance my core has to be down for some reason, I just temporarily set a static address on any computer that needs to get out to the internet...  your question about the firewall is I assume that you want to be able to talk to the core from a workstation that has a 192.168.1.x address..  the best answer is just to leave your core on all the time and don't have any static addresses on the external side other than of course your router..  other than that, you could temporarily turn off your core's firewall or put in some port forwarding in the core's firewall setup.
Title: Re: Network configuration questions
Post by: rrambo on February 11, 2008, 09:18:31 pm
that setup sounds fine to me. having dhcp on the 1.X network wont affect the 80.X network. all you would have to do for the firewall is let port 80 through. the web orbiter is different though. youd have to enable what ever port an orbiter uses to go through the firewall also. i dont remember which port it is off the top of my head but i have seen it somewhere. i think it was 13something but...not too sure.

not true..  if you have md's plugged into the same switch, 2 dhcp servers are going to be a problem
Title: Re: Network configuration questions
Post by: finsdown on February 11, 2008, 09:39:05 pm
I appreciate the quick replies. I think I gather my setup is ok. Then really all I really need to do is figure out how to configure the CORE firewall. When I have the Firewall on and I try to ping from a 192.168.1.x w/s to the 192.168.1.100 CORE external interface, I don't get thru. When I turn the firewall off the ping requests work.  So then this is a port issue? If so  then which port does it use?   I think also I will leave the broadband router DHCP off, less chance of confusion, and turn it on briefly if I have to configure a new piece of network equipment, like my network storage device.

Title: Re: Network configuration questions
Post by: teedge77 on February 11, 2008, 09:44:08 pm
that setup sounds fine to me. having dhcp on the 1.X network wont affect the 80.X network. all you would have to do for the firewall is let port 80 through. the web orbiter is different though. youd have to enable what ever port an orbiter uses to go through the firewall also. i dont remember which port it is off the top of my head but i have seen it somewhere. i think it was 13something but...not too sure.

not true..  if you have md's plugged into the same switch, 2 dhcp servers are going to be a problem

they arent on the same switch. linuxmce will provide dhcp over one nic which is on a switch. the belkin router is not on that switch at all.


Quote
My CORE has 2 network interfaces, ETH0: 192.168.1.100, and ETH1: 192.168.80.1.
ETH0 goes to my Belkin Wifi Router (192.168.1.1). ETH1 goes to a 10/100mbit switch.

linuxmce wont route dhcp between the two. his setup is fine.

ICMP (ping) doesnt use ports. you just need to enable icmp through the firewall. or for the firewall to respond to icmp if you are only pinging it.
Title: Re: Network configuration questions
Post by: rrambo on February 11, 2008, 09:47:42 pm
that setup sounds fine to me. having dhcp on the 1.X network wont affect the 80.X network. all you would have to do for the firewall is let port 80 through. the web orbiter is different though. youd have to enable what ever port an orbiter uses to go through the firewall also. i dont remember which port it is off the top of my head but i have seen it somewhere. i think it was 13something but...not too sure.

not true..  if you have md's plugged into the same switch, 2 dhcp servers are going to be a problem

they arent on the same switch. linuxmce will provide dhcp over one nic which is on a switch. the belkin router is not on that switch at all.


Quote
My CORE has 2 network interfaces, ETH0: 192.168.1.100, and ETH1: 192.168.80.1.
ETH0 goes to my Belkin Wifi Router (192.168.1.1). ETH1 goes to a 10/100mbit switch.

linuxmce wont route dhcp between the two. his setup is fine.

ICMP (ping) doesnt use ports. you just need to enable icmp through the firewall. or for the firewall to respond to icmp if you are only pinging it.

DAMNIT!!..  that's twice today I've replied without reading an entire post and been wrong because of it....  teedge77..  you're right, I'm wrong....  didn't read that his internal side was on a separate switch...
Title: Re: Network configuration questions
Post by: teedge77 on February 11, 2008, 09:51:25 pm
its ok. i wasnt explaining it well anyway.


finsdown - rrambo is right...if you do ever plug an MD into that belkin router you will have trouble. as long as you keep the belkin router and the other switch separate it will be ok.
Title: Re: Network configuration questions
Post by: finsdown on February 11, 2008, 10:02:43 pm
Ok I think I have a handle on the firewall but DHCP is still confusing me.

Consider this:

If the CORE is the only DHCP server and then if I tell my  WIFI workstation which connects to the Belkin router to request a DHCP address, the CORE will respond with an IP address  on the 192.168.80.x subnet.    Right?  So then doesn't that mean the CORE DHCP service is advertising on both lan segments?  And if so, wouldn't that cause problems if two DHCP servers were running?

Thanks a lot,

fins


Title: Re: Network configuration questions
Post by: teedge77 on February 11, 2008, 10:06:57 pm
If the CORE is the only DHCP server and then if I tell my  WIFI workstation which connects to the Belkin router to request a DHCP address, the CORE will respond with an IP address  on the 192.168.80.x subnet.    Right?  

no, not right at all. the core will only give dhcp on the 80.X network over the eth1 card. it only monitors that card for dhcp requests. anything requested on eth0 will just be ignored. (unless you changed something)



Title: Re: Network configuration questions
Post by: finsdown on February 11, 2008, 10:14:59 pm
Well that was happening before I think...well it's all fuzzy now. I think that was when I was using 1 network card.
Title: Re: Network configuration questions
Post by: rrambo on February 11, 2008, 10:27:20 pm
Well that was happening before I think...well it's all fuzzy now. I think that was when I was using 1 network card.

Yes, I have one nic so it's plugged into my router... dhcp on my router is off with a dhcp forward to 192.168.1.2 (external side of core) so everything plugged into my router gets dhcp forwarded to the core and receives a 192.168.80.x address on the internal side.
Title: Re: Network configuration questions
Post by: colinjones on February 11, 2008, 10:55:34 pm
finsdown - the core's DHCP server can be configured to do both networks but by default it won't, as the guys say. One of the main reasons for this is because it doesn't have a "scope" configured for the external network. DHCP servers will only hand out IP leases for subnets that it has a scope for. It only has a scope for 192.168.80.0/24, and it knows that any requests that come in through the external NIC are not on that subnet, and that it doesn't have a scope configured for that subnet, so it will ignore the request assuming there is another DHCP server responsible for that subnet. If it is configured to listen on both interfaces AND has a scope configured for the external subnet, then it would attempt to respond. And get in trouble if your broadband router is doing DHCP as well. So you are all OK by the looks...
Title: Re: Network configuration questions
Post by: finsdown on February 12, 2008, 01:53:34 am
10-4.  I will go ahead and turn on DHCP on my external side and leave it on. 
Title: Re: Network configuration questions
Post by: finsdown on February 12, 2008, 03:38:37 pm
I have one more configuration issue I'm trying to resolve with my networking configuration.

Here is the scenario:  I have a 500GB HP MediaVault  that currently has an IP address of 192.168.1.50, which I defined as static. Therefore it communicates fine with all my "regular" home w/s on this same subnet. I keep all my audio, pictures, and videos here.  However, the problem is the CORE hasn't mapped any CIFS shares to it, presumably because the way the CORE works it wants the HP unit to be on the 192.168.80.x subnet to discover it.
 
But, if I put it on this side of the LAN, I can't see it anymore from the "regular w/s" on the 192.168.1.x subnet. I can't ping or see anything on the 192.168.80.x subnet from them.

So maybe I need some routing entries defined on the CORE so that they will see it, is this correct?  If so, where in LMCE admin would I do this, and what would the entries have to say?  If I leave it the way it is now, I possibly could manually configure the network shares. But are there advantages to having the HP unit on the 192.168.80.x subnet besides the discoverability factor?

Thanks in advance for any input on this.

-fins


Title: Re: Network configuration questions
Post by: colinjones on February 12, 2008, 11:07:47 pm
Yes, you need to relocate it.

Switch it to DHCP and put it on the 192.168.80.0/24 network, let LMCE discover it and add the shares as appropriate
In the admin console you need to go to Advanced->Network->Firewall Rules.

Here you can either turn off the firewall completely and it will just route straight through to the internal network like a normal router and your external network and internal network will be able to communicate freely. However, note that if you do this, you will not be able to use the port_forwarding functions of LMCE. These will be needed, typically, if you want to publish something on your internal network to the Internet, like a website. Or if you need to have other kinds of inbound connections to the internal network, eg if you have a bittorrent client on the internal network, for maximum performance you need to forward the port.

Alternatively, you will need to leave the firewall on, and allow only the ports you need through it. This depends on what you want to get access to through the Core.

Basic filesharing is typically on port 445 and perhaps 139 if using Windows. You may need to add others if you want to be able to browse your network neighbourhood. FTP - ports 20/21, ssh-22, web browsing-80, remote desktop-3389

Also, you will also need to add a static route to your broadband router that tells it how to get to the 192.168.80.0/24 network via the Core's external IP address. This will allow clients on the external network to get to the internal network.
Title: Re: Network configuration questions
Post by: teedge77 on February 12, 2008, 11:15:27 pm
You haven't mentioned what kind of connection you have to the WAN. It is possible that you could use LMCE to be your gateway to the WAN and then move the Belkin router to the switch with the MDs. Then let everything get its addresses from LMCE. Of course....you are gonna want to wait til you are running well with LMCE before hand. You mentioned your wife not being happy when the internet is down. Once it is going well you shouldn't really have to take LMCE down for anything. Just a thought. It might end up making the network a little more simple for you.
Title: Re: Network configuration questions
Post by: finsdown on February 13, 2008, 12:29:23 am
Also, you will also need to add a static route to your broadband router that tells it how to get to the 192.168.80.0/24 network via the Core's external IP address. This will allow clients on the external network to get to the internal network.

Yes I believe that is the crux of my question, is do I need to add a static route to the Core. Would that be using a shell and using the route command or is there a better way?

Title: Re: Network configuration questions
Post by: hari on February 13, 2008, 01:02:44 am
Also, you will also need to add a static route to your broadband router that tells it how to get to the 192.168.80.0/24 network via the Core's external IP address. This will allow clients on the external network to get to the internal network.

Yes I believe that is the crux of my question, is do I need to add a static route to the Core. Would that be using a shell and using the route command or is there a better way?


1.) make sure routing is correct (if you put the route on the outside router you don't have to touch all outside clients)
2.) make sure the firewall allows the traffic
3.) make sure the inside hosts don't get natted when communication with the outside hosts (aka no nat rule)

best regards,
Hari
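Hari's three checks (route, firewall, no NAT) written out as a reviewable rule set, as an added example that is not part of the original thread and not LinuxMCE's own firewall script. It assumes plain iptables on the Core, the interface names and subnets given in the thread, and only the file-sharing ports and ping being opened; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not LinuxMCE's own firewall script: plain iptables on the Core.
# Interface names and addresses are the ones given in the thread.
EXT_IF=eth0                    # Core NIC facing the Belkin (192.168.1.100)
INT_IF=eth1                    # Core NIC facing the media-director switch
CORE_EXT_IP=192.168.1.100
EXT_NET=192.168.1.0/24
INT_ADDR=192.168.80.0
INT_MASK=255.255.255.0
INT_NET="$INT_ADDR/24"
TCP_PORTS="139 445"            # file-sharing ports named in the thread

# Step 1: route for an outside (192.168.1.x) host, for when the outside
# router cannot hold a static route. "-p" is the Windows persistent option.
client_route() {
    case "$1" in
        linux)   echo "ip route add $INT_NET via $CORE_EXT_IP" ;;
        windows) echo "route -p add $INT_ADDR mask $INT_MASK $CORE_EXT_IP" ;;
        *)       echo "usage: client_route linux|windows" >&2; return 1 ;;
    esac
}

# Steps 2 and 3: print the Core's rules, one command per line, for review.
core_rules() {
    fwd="iptables -I FORWARD -i $EXT_IF -o $INT_IF -s $EXT_NET -d $INT_NET"
    # Step 2: admit only new file-sharing connections from the outside LAN
    # instead of switching the whole firewall off.
    for port in $TCP_PORTS; do
        echo "$fwd -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Ping is ICMP and has no port: allow echo requests to inside hosts
    # and to the Core's own outside address.
    echo "$fwd -p icmp --icmp-type echo-request -j ACCEPT"
    echo "iptables -I INPUT -i $EXT_IF -s $EXT_NET -d $CORE_EXT_IP -p icmp --icmp-type echo-request -j ACCEPT"
    # Packets belonging to connections admitted above, in either direction.
    echo "iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Step 3: leave inside-to-outside-LAN traffic un-NATed. ACCEPT in the nat
    # table ends traversal before any later masquerade rule is reached.
    echo "iptables -t nat -I POSTROUTING -s $INT_NET -d $EXT_NET -j ACCEPT"
}

# Apply the printed rules; "sh -e" stops at the first command that fails.
apply_core_rules() { core_rules | sh -e; }

if [ "${APPLY:-0}" = 1 ]; then
    apply_core_rules
else
    client_route linux
    client_route windows
    core_rules
fi
```

Run as is, it only prints the commands; with `APPLY=1` as root on the Core it applies them. Rules added this way are not saved across a reboot.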
Title: Re: Network configuration questions
Post by: colinjones on February 13, 2008, 01:06:29 am
No, no route on the Core
Title: Re: Network configuration questions
Post by: finsdown on February 13, 2008, 03:34:23 pm
Well things are getting a little clearer. 

Following your directions I took a look at my Belkin router's configuration.

1.) make sure routing is correct (if you put the route on the outside router you don't have to touch all outside clients)

 I don't see any ability to put routes into it. The only configuration I see is the  port forwarding ability in the firewall settings. Is this where I would have to configure routes to the 192.168.80/24 subnet?  I thought this was only used to open ports in the firewall from the internet. Anyway,  I put entries into it for ports 80, 139, 445 to forward to my Core/Hybrid external interface, but alas I still don't have access to the HPMediaVault on the internal subnet. 

2.) make sure the firewall allows the traffic

See above

3.) make sure the inside hosts don't get natted when communication with the outside hosts (aka no nat rule)

NAT is enabled on the Belkin router.  Could you explain this more because I thought I needed to keep NAT turned on to protect the inside computers from internet hacks.

I appreciate y'alls help.

Fins


PS The good news is now all my media shares have been discovered by the Core!
Title: Re: Network configuration questions
Post by: hari on February 13, 2008, 06:25:05 pm
I don't see any ability to put routes into it.
so you don't have a router but an internet access appliance ;)
Maybe there is an alternate (linux?) firmware for the device? Setting static routes is really a _basic_ feature of a router.

Quote
2.) make sure the firewall allows the traffic

See above
i meant the firewall on the core. That has to allow traffic from outside hosts routed to the inside. Maybe you want to disable it for further tests. The outside router^H^Hinternet access appliance will still "protect" you from the internet.

Quote
3.) make sure the inside hosts don't get natted when communication with the outside hosts (aka no nat rule)

NAT is enabled on the Belkin router.  Could you explain this more because I thought I needed to keep NAT turned on to protect the inside computers from internet hacks.

of course you need nat on the outside router. I meant the core. The core also does nat in the default setup. That will possibly interfere with successful routing from outside to inside hosts (to be exact the inside responses will be tried to rewritten).

best regards,
Hari
Title: Re: Network configuration questions
Post by: hari on February 13, 2008, 06:26:29 pm
just asked myself if you could get away forwarding ports from the core to the inside hosts.

best regards,
Hari
Title: Re: Network configuration questions
Post by: finsdown on February 13, 2008, 07:40:17 pm
Then I guess it must be NAT interfering with my routing because I have the CORE firewall off.  I can see (ping) the Core's external IP of 192.168.1.100 from the outside subnet when the firewall is off, and can't when the firewall is on.  I can't see anything on the 192.168.80/24 subnet from outside.
Title: Re: Network configuration questions
Post by: teedge77 on February 13, 2008, 07:54:16 pm
Could that be more of a gateway problem? It sounds like he has the Belkin router set as the gateway. Won't everything not on its own subnet go there to find other subnets? What do you have set as the gateway on the 1.X stuff?
Title: Re: Network configuration questions
Post by: finsdown on February 13, 2008, 08:04:36 pm
Yes the Belkin rtr is the gateway for the 192.168.1.x network. So yes everything would have to go there to find another network subnet.  How I route packets to 192.168.80.x is the problem. Maybe I can find an update for the Belkin that will allow me to build static routes.  I'm no expert, but what may be happening is the packets from the 192.168.1/24 network goes to the belkin, then out to the external WAN side, which then has no idea how to route to 192.168.80/24 subnet, since it is a private address. 


Title: Re: Network configuration questions
Post by: hari on February 13, 2008, 08:34:45 pm
I'm no expert, but what may be happening is the packets from the 192.168.1/24 network goes to the belkin, then out to the external WAN side, which then has no idea how to route to 192.168.80/24 subnet, since it is a private address. 
of course the belkin uses its own default gateway as it has no "better" route for the 80.x network.
To see if this is what's holding you back you could add a static route on a 1.x host for the 192.168.80.0/24 via gateway 192.168.1.<your core's outside ip's last octet here>

you may want to look at the tool "tcpdump" to trace the packet flow.

best regards,
Hari
Title: Re: Network configuration questions
Post by: colinjones on February 13, 2008, 08:49:33 pm
Hari is right - the broadband router should have a route function somewhere, it really is one of the most basic things. A NAT/port forward is completely different and yes it probably will interfere if you try to use it as a route. Perhaps take a look to see if the device has a command line interface, not just the web site and telnet into it. Sometimes the more advanced features are in there.

Just be aware though, as I said previously, if you turn the firewall off on the Core, and you want to be able to access this device from the Internet (do you?) then the broadband router needs to be able to NAT to a "remote subnet" which many cannot do.
Title: Re: Network configuration questions
Post by: finsdown on February 13, 2008, 10:12:26 pm
I don't believe the Belkin can be manually configured for multiple static routes <hmm> so I'm going to put a static route to the internal network on my regular workstations and see how that goes.   I don't have any use to access the CORE from the internet at the moment so leaving the firewall off there is no problem.  Thanks a bunch.

fins
Title: Re: Network configuration questions
Post by: colinjones on February 13, 2008, 11:09:57 pm
No problem - don't forget to use the "persistent" option when creating the static routes on your workstations, otherwise they will disappear each time you reboot!
Title: Re: Network configuration questions
Post by: finsdown on February 14, 2008, 03:32:38 pm
My 2 machines are XP and Vista and  what I ended up doing is adding another gateway route pointing to the CORE 192.168.80.1 interface, with a metric of 1 under Advanced Options of the TCP/IP configuration.  So any default traffic goes to the default external router, and any internal traffic to the 192.168.80.x side.  I can see my HPMediaVault now and map network drives to it. The only issue I have left which I can get around, is that the HPMediaVault uses netbios protocol by default, but netbios isn't routable I think. Anyway I just added the ip address of the NAS box to the c:\windows\system32\drivers\etc\hosts file.

-fins
Title: Re: Network configuration questions
Post by: colinjones on February 14, 2008, 09:30:34 pm
fins - maybe you are thinking of NetBEUI? NetBIOS is routable as a session service both in its native form and over TCP (NetBT), however its name resolution service isn't routable unless you have NBS/WINS server, as it just uses broadcasts. Course you could enable subnet broadcast forwarding on your Core but I wouldn't recommend it. If the only thing you are having problems with is the name resolution then the host entries are probably the best way around this, unless you can turn off NetBIOS altogether and use TCP connections in conjunction with DNS!
Title: Re: Network configuration questions
Post by: hari on February 14, 2008, 10:14:22 pm
fins - maybe you are thinking of NetBEUI? NetBIOS is routable as a session service both in its native form and over TCP (NetBT), however its name resolution service isn't routable unless you have NBS/WINS server, as it just uses broadcasts. Course you could enable subnet broadcast forwarding on your Core but I wouldn't recommend it. If the only thing you are having problems with is the name resolution then the host entries are probably the best way around this, unless you can turn off NetBIOS altogether and use TCP connections in conjunction with DNS!
i second that. If you are out for pain (and some say there is no gain, without) you could run a WINS server. Samba4WINS even supports replication ;)

best regards,
Hari
Title: Re: Network configuration questions
Post by: finsdown on February 15, 2008, 06:58:54 pm
Here is what HP says to do:  http://h10025.www1.hp.com/ewfrf/wc/document?docname=c00792602&lc=en&cc=us&dlc=en&product=3193065&lang=en

It is working fine for now, if it ain't broke, don't fix it.