Date: Sat, 27 Dec 1997 09:49:25 -0500 (EST)
From: Brian Clapper <bmc@WillsCreek.COM>
To: Chuck Robey <chuckr@glue.umd.edu>
Cc: FreeBSD-Questions@freebsd.org
Subject: Re: Net questions
Message-ID: <199712271449.JAA15764@current.willscreek.com>
In-Reply-To: <Pine.BSF.3.96.971226235313.302B-100000@localhost>
References: <Pine.BSF.3.96.971226235313.302B-100000@localhost>
On 27 December, 1997, at 00:07 (-0500) Chuck Robey wrote:

> I have to do some rearrangement quickly, but I don't know a bunch about
> how to do it, or what to read to help. Here's the problem.
>
> I have a machine, picnic, which connects to my isp via ppp. I also have a
> NetBSD machine (a DEC 5000/133) and another FreeBSD machine, all connected
> up via ethernet here at my house. My ISP has let me have 2 static ip
> addresses. I've only needed the one, because I've been too busy during
> the semester to get the network I want going. Well, classes are over
> (Yea!) and I have to connect things right.
>
> Here's a picture:
>
>                    ISP
>                     |
>          (tel line) |
>                     |          (local ethernet)
> =============================================================
>       |                   |                   |
>    FreeBSD             FreeBSD              NetBSD
>    (picnic)
>
> I have to get names for these guys! I have them written down here
> somewhere, hidden under a PILE of homework.
>
> I want to know how to configure the addresses on the ethernet, and the ppp
> (I use user-mode iijppp). I don't clearly understand how to set up the
> stuff. I know it'll involve stuff like aliases ... would anyone care to
> fill me in enough so I can begin to ask the right questions?
>
> On the other hand, point me at what to read and I'll be off like a shot.
>
> Thanks for your help.

Chuck,

With only two static IP addresses, and three machines, you're better off
just using RFC 1918 addresses on your internal LAN, and employing network
address translation (sometimes called "IP Masquerading") to permit the
inside machines to talk "directly" to the Internet. RFC 1918 address ranges
are specifically reserved for use on private (internal) LANs. Then, you can
have `picnic' do network address translation to translate the internal
addresses to legal Internet addresses when you connect out.

Here's a modified version of your drawing, with some sample IP numbers. For
this drawing, I've arbitrarily chosen to use the 192.168.1.x private network
number for your internal LAN.
                         ISP
                          |
                          |
                          | 206.246.122.117
                    ------------
                    |  FreeBSD |
                    |  (picnic)|
                    ------------
                          | 192.168.1.117
                          |
            ==============================
            |                        |
            | 192.168.1.1            | 192.168.1.2
       -----------               ----------
       | FreeBSD |               | NetBSD |
       -----------               ----------

Picnic's PPP interface gets the static IP address. Its ethernet address is
an arbitrarily-chosen address from the private (hidden) network, as are the
ethernet addresses for the other boxes. The three machines can talk to one
another directly, and picnic can talk to the outside world directly. The
two internal machines use picnic as a router; they believe they can talk
directly to the outside world. However, it's not legal to route their
packets directly to the Internet, because of the use of private LANs. So,
when an inside packet destined for the Internet gets to picnic, it silently
translates the packet's (illegal) source address to 206.246.122.117 before
sending it on its way; when the response packet comes back in from the
Internet, picnic translates it back.

There are two ways to accomplish this feat, depending on which PPP you use.

1. If you use user PPP, there's a "-alias" switch that automatically does
   it all for you. Lots of people have great success with this approach;
   it has the advantage of being simpler to set up than the kernel mode
   PPP solution. For details, see:

   a) The Pedantic PPP Primer, at
      `http://www.freebsd.org/tutorials/ppp/ppp.html'--specifically, the
      section on IP Aliasing, which is currently at URL
      `http://www.freebsd.org/tutorials/ppp/ppp21.html#24'. (NOTE: When the
      Primer talks about reserved IP addresses, it refers to RFC 1597.
      RFC 1918 is the updated version of RFC 1597.)

   b) The man page for user ppp, ppp(8)

   c) Brian Somers' web page, `http://www.freebsd.org/~brian/'.

2. If you use kernel PPP, you need to run the network address translation
   daemon (natd), and you'll need to use the kernel packet filtering
   (firewall) features to redirect specific packets to natd.
   This is the method I use, and it's worked perfectly for me for many
   months now. It's a bit more difficult to set up, in that you have to
   compile the IP Firewall code into your kernel; set up an appropriate set
   of filtering rules, including rules that'll redirect the appropriate
   packets to natd; and arrange to run natd when your PPP link comes up.

   I use this method over user PPP because I've historically used
   kernel-mode PPP (due to problems I had with the user PPP code when I
   first set PPP up 1.5 years ago); since it works, I've little incentive
   to switch to user PPP. Plus, I wanted to use kernel packet filtering
   (ipfw) for other reasons, so this approach makes sense for me.

   If you elect to go this route, you'll want to read through:

   a) The "Firewalls" section in the Handbook, currently at
      `http://www.freebsd.org/handbook/handbook72.html#74'

   b) The ipfw(8) man page

   c) The natd(8) man page

Regards,
Brian Clapper, bmc@WillsCreek.COM, http://WWW.WillsCreek.COM/

Success is what happens when something goes right.
                                        -- Arnold Glasow
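As an added example (not from Brian's message or the FreeBSD project), here is option 2 written out as a shell script: the ipfw rules that divert the PPP link's traffic to natd, with anti-spoofing rules around them so RFC 1918 addresses never cross the ISP link untranslated, and a function to load them when the link comes up. It assumes kernel PPP on ppp0, the LAN on ed0 as 192.168.1.0/24, natd on its default divert port 8668, and a kernel built with IPFIREWALL and IPDIVERT.

```shell
#!/bin/sh
# Added example, not from the original message. Assumptions: kernel PPP
# on ppp0, LAN 192.168.1.0/24 on ed0, natd on its default port 8668,
# IPFIREWALL and IPDIVERT compiled into the kernel.
EXT_IF=ppp0
LAN_IF=ed0
LAN_NET=192.168.1.0/24
NATD_PORT=8668

# Print the rule set instead of loading it, so it can be reviewed or
# checked without touching the running firewall.
nat_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
# Packets arriving from the ISP must never carry a private source address.
add 200 deny ip from 10.0.0.0/8 to any in via $EXT_IF
add 210 deny ip from 172.16.0.0/12 to any in via $EXT_IF
add 220 deny ip from 192.168.0.0/16 to any in via $EXT_IF
# Everything crossing the PPP link goes to natd, which rewrites the source
# going out and the destination coming back, then reinjects the packet.
add 300 divert $NATD_PORT ip from any to any via $EXT_IF
# After translation no private source may still be leaving the link
# (reinjected packets only reach this rule with net.inet.ip.fw.one_pass=0).
add 310 deny ip from $LAN_NET to any out via $EXT_IF
add 400 allow ip from any to any via $LAN_IF
add 500 allow ip from any to any
EOF
}

# Number of rules that would be loaded (comment lines are skipped).
rule_count() { nat_rules | grep -vc '^#'; }

# Load the rules and start natd; call this from /etc/ppp/ip-up, which
# kernel PPP runs when the link comes up. natd must already be listening
# when the divert rule is installed, or diverted packets are dropped.
apply_nat() {
    sysctl -w net.inet.ip.forwarding=1
    natd -port "$NATD_PORT" -interface "$EXT_IF" -unregistered_only
    ipfw -f flush
    nat_rules | grep -v '^#' | while read -r rule; do
        ipfw -q $rule
    done
}

if [ "${1:-}" = apply ]; then apply_nat; fi
```

Run the script with no arguments to print the rule set for review, or as `sh natrules.sh apply` (as root, on the gateway) to load it.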