Author Topic: Network configuration: Firewalls (in addition to/replacing?)  (Read 13148 times)

archived

« on: March 18, 2005, 09:35:41 pm »
Many home configurations look something like this:

cable/xdsl-->cable/xdsl router<-->home firewall/router<--internal  network

A good Linux box (dual NIC'd) can replace the home hardware firewall/router (Linksys, D-Link...) if properly hardened and kept up to date.

Is Pluto designed to be used in addition to, or replacing, the hardware firewall?

archived

« Reply #1 on: March 19, 2005, 09:46:14 am »
Our standard Core (the server) has dual NICs too, and a firewall built-in. The Pluto Admin website has a page to configure the firewall. The intention is that the Pluto Core be the firewall.

What matters is that the Core needs to be the DHCP server, since that is required for it to expose the network boot service for the media directors, and to implement plug-and-play.

We recommend dual NICs since most of the cable/xdsl routers have a DHCP server built-in, and that allows them to co-exist.

archived

« Reply #2 on: March 19, 2005, 10:37:01 am »
Quote from: "aaron.b"
Our standard Core (the server) has dual NICs too, and a firewall built-in. The Pluto Admin website has a page to configure the firewall. The intention is that the Pluto Core be the firewall.

What matters is that the Core needs to be the DHCP server, since that is required for it to expose the network boot service for the media directors, and to implement plug-and-play.

We recommend dual NICs since most of the cable/xdsl routers have a DHCP server built-in, and that allows them to co-exist.


What about support for a direct connection to the cable/xdsl modem? In my country you get the modem for free (well, you pay for the line); you have to pay for a router...

It would be a great feature to be able to configure PPPoE (if I remember right) on the outside network card...

Regards,

Rob.

archived

« Reply #3 on: March 19, 2005, 12:11:26 pm »
You can replace the router with a Pluto Core. Probably now you set each computer's gateway to be the router. But the router itself also knows of a gateway where to send packets so they get to your provider. The Internet Provider may or may not disclose what that gateway is. If they do, then you can replace the router with a Pluto Core configured with the same data as the router. You don't need PPPoE to do this unless the provider has made such a setup, because the modem is (or should be) just a transparent converter between Ethernet and phone lines/TV cables. If your provider logs you in with PPPoE, then that's not supported (yet).

archived

« Reply #4 on: March 19, 2005, 12:27:35 pm »
Quote from: "radu.c"
You can replace the router with a Pluto Core. Probably now you set each computer's gateway to be the router. But the router itself also knows of a gateway where to send packets so they get to your provider. The Internet Provider may or may not disclose what that gateway is. If they do, then you can replace the router with a Pluto Core configured with the same data as the router. You don't need PPPoE to do this unless the provider has made such a setup, because the modem is (or should be) just a transparent converter between Ethernet and phone lines/TV cables. If your provider logs you in with PPPoE, then that's not supported (yet).


Ok,

I have such a setup, where I can only use PPPoE to get through without a router. I can imagine Pluto by itself doesn't support this yet, but Debian Sarge should have this built in? I guess this won't be hard to add once we have it figured out on Sarge itself...

Anyone more comfortable with Debian and PPPoE?

Regards,

Rob.

archived

xdsl router vs bridge
« Reply #5 on: March 19, 2005, 03:14:32 pm »
From your description, it sounds like you might be using an xdsl modem card that slots into your machine, and not an external xdsl device.

(if not, disregard below)

The OS has to be able to properly configure these cards, whereas the external devices save all the settings onboard (managed through their onboard web admin pages). If you can, switch to a standalone device; it will give you a lot more functionality/flexibility. (I think I might have a Cayman xdsl modem/firewall in a box someplace if you want to try it.)

Setting the modem up as a bridge (and not a router) will allow it to be completely transparent to your network, saving you yet another NAT'ing layer.

archived

« Reply #6 on: March 19, 2005, 06:26:11 pm »
There is PPPoE in Linux--I remember it was used in our old series 1.  We don't have a web-based front-end for series 2 to set it up.  However, if it's true that your DSL modem is an internal card rather than an external box, there might not be a way to make it work on a Linux box.

Regarding the network issues, it sounds like your home network is more sophisticated than some of the corporate ones.  :)  The web-based front-end was really designed for your average 'take it out of the box and plug it in' user.  They just plug the dsl modem into the external network port, plug the internal network port into the switch, and only rarely even mess with the firewall settings.

archived

« Reply #7 on: March 19, 2005, 11:06:34 pm »
Quote from: "aaron.b"
There is PPPoE in Linux--I remember it was used in our old series 1.  We don't have a web-based front-end for series 2 to set it up.  However, if it's true that your DSL modem is an internal card rather than an external box, there might not be a way to make it work on a Linux box.

Regarding the network issues, it sounds like your home network is more sophisticated than some of the corporate ones.  :)  The web-based front-end was really designed for your average 'take it out of the box and plug it in' user.  They just plug the dsl modem into the external network port, plug the internal network port into the switch, and only rarely even mess with the firewall settings.

Hi,

Yes, that is the scenario I'd like to have. But I do have an external ADSL modem and I must connect to it over PPPoE (I think that the majority of European home users have an ADSL connection and an external modem). I did a similar configuration on ipcop (www.ipcop.org): I changed the outer network card to PPPoE and connected it to the modem. So at least I'm looking for a feature to select PPPoE on the outer network card....

In the meantime, can someone from Pluto give some more details about the PPPoE setup from series 1? I guess it would not be so hard to repeat the same on series 2. Of course when this feature will come to first plan...

Regards,

Rob.

archived

« Reply #8 on: March 24, 2005, 09:50:03 am »
Quote from: "tinia"
Quote from: "aaron.b"
There is PPPoE in Linux--I remember it was used in our old series 1.  We don't have a web-based front-end for series 2 to set it up.  However, if it's true that your DSL modem is an internal card rather than an external box, there might not be a way to make it work on a Linux box.

Regarding the network issues, it sounds like your home network is more sophisticated than some of the corporate ones.  :)  The web-based front-end was really designed for your average 'take it out of the box and plug it in' user.  They just plug the dsl modem into the external network port, plug the internal network port into the switch, and only rarely even mess with the firewall settings.

Hi,

Yes, that is the scenario I'd like to have. But I do have an external ADSL modem and I must connect to it over PPPoE (I think that the majority of European home users have an ADSL connection and an external modem). I did a similar configuration on ipcop (www.ipcop.org): I changed the outer network card to PPPoE and connected it to the modem. So at least I'm looking for a feature to select PPPoE on the outer network card....

In the meantime, can someone from Pluto give some more details about the PPPoE setup from series 1? I guess it would not be so hard to repeat the same on series 2. Of course when this feature will come to first plan...

Regards,

Rob.

Hi,

I've found that pppoe support is already in the Debian Sarge Pluto system. It just needs to be activated, and probably some slight change made to the web interface, so that besides the outside IP network settings the user could specify the pppoe interface, its name and password, and voila....

Documentation is in: /usr/share/doc/pppoe
There are two or three simple operations on files and /etc/init.d/pppoe activation...

In our country we get an ADSL modem for free, but we have to buy another router for Pluto to work. With a pppoe interface we don't need it, and Pluto becomes a real firewall...

I try to change it manually, will Pluto overwrite my settings?

Regards,

Rob.

archived

« Reply #9 on: April 08, 2005, 06:02:12 pm »
I'm creating a todo item to add a pppoe setting on the network page.  In the meantime, you can go to advanced, bootscripts, and disable the "Network_Setup" boot script.  That way you can put your pppoe settings manually in /etc/network/interfaces and we won't overwrite it each time.

archived

« Reply #10 on: April 24, 2005, 08:10:32 pm »
Quote from: "aaron.b"
I'm creating a todo item to add a pppoe setting on the network page.  In the meantime, you can go to advanced, bootscripts, and disable the "Network_Setup" boot script.  That way you can put your pppoe settings manually in /etc/network/interfaces and we won't overwrite it each time.


Hi,

I did some changes in my home, so I rolled up my sleeves and tried to get pppoe working. It was easier than I thought. I switched off eth1 (my external interface) and then ran pppoeconfig - I left all default settings except my username and password, and Internet started working right away.

There are some warnings about MTU, so I guess Radu will be able to comment on that....

I removed eth1 from routes, pppoe added its own - so I guess I'm close to a fully working state.

Right now, the only thing that is missing is the NAT feature. I can access Internet and LAN from the core, and LAN only from computers on the LAN - so no Internet for them...

I'd kindly ask for some further guidance, so pppoe will be added to Pluto - I guess this would be useful for DSL users...

Regards,

Rob.


Code:

dcerouter_260:~$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
213.250.19.90   0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         213.250.19.90   0.0.0.0         UG        0 0          0 ppp0


dcerouter_260:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0E:A6:A7:8B:F4
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:a6ff:fea7:8bf4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:778 errors:0 dropped:0 overruns:0 frame:0
          TX packets:457 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:111611 (108.9 KiB)  TX bytes:76826 (75.0 KiB)
          Interrupt:209 Memory:feaf8000-0

eth1      Link encap:Ethernet  HWaddr 00:80:5A:28:94:EA
          inet6 addr: fe80::280:5aff:fe28:94ea/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7121 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9393 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1089273 (1.0 MiB)  TX bytes:5029346 (4.7 MiB)
          Interrupt:193 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2674 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2674 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9503023 (9.0 MiB)  TX bytes:9503023 (9.0 MiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:193.77.90.224  P-t-P:213.250.19.90  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:23 errors:0 dropped:0 overruns:0 frame:0
          TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:2495 (2.4 KiB)  TX bytes:13661 (13.3 KiB)

dcerouter_260:~$
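
The state described in Reply #10 (Internet reachable from the core but not from LAN machines) is what a dual-NIC gateway looks like before forwarding and source NAT are in place on the PPPoE uplink. As an added example, which is neither Pluto's own firewall script nor the fix that was later applied in this thread, the script below generates an iptables-restore ruleset using the eth0, ppp0 and 192.168.0.0/24 values from the output above. The drop-by-default policy, the function name gen_rules and the file name gateway.sh are assumptions.

```shell
#!/bin/sh
# Constructed example: print an iptables-restore ruleset for a dual-NIC
# gateway with a PPPoE uplink. The drop-by-default policy is an assumption.
gen_rules() {
    lan_if=$1 wan_if=$2 lan_net=$3
    # Accept only plain interface names and an IPv4 CIDR, so a malformed
    # argument cannot inject extra rules into the generated file.
    for v in "$lan_if" "$wan_if"; do
        case "$v" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    done
    case "$lan_net" in *[!0-9./]*) return 1 ;; */*) ;; *) return 1 ;; esac
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Source-NAT LAN traffic to whatever address the ISP assigned to $wan_if
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
# $wan_if has a smaller MTU than the LAN (1492 vs 1500 in the post):
# clamp the TCP MSS on forwarded SYNs to the path MTU
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan_if -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may open connections outward; the uplink may only answer them
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Apply only on request and as root: APPLY=1 sh gateway.sh
if [ "${APPLY:-0}" = 1 ]; then
    gen_rules eth0 ppp0 192.168.0.0/24 | iptables-restore
    sysctl -w net.ipv4.ip_forward=1   # let the kernel route eth0 <-> ppp0
fi
```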


archived

« Reply #11 on: April 25, 2005, 04:37:46 pm »
Hi,

Today I had a remote session with Radu and my PPPoE is working now. I have Pluto as the main NAT & firewall. I guess this will come in next week's release if nothing major happens.

Thanks Pluto guys,

regards,

Rob.