# Confusion in Configuring Networks

## Fred Krogh

My primary computer has:

eth0 is for the outside world.

eth1 is a local wired network at 192.168.0.3

eth2 is connected to a wireless router at 192.168.2.3

A laptop connected to the wireless network can view the router at 191.168.1.1, and can access other stuff on 191.168.1.*

My primary computer can not see anything on the wireless network.  I'm guessing that I don't have things set up correctly in /etc/conf.d/net, but I'm not clear on what must be said there to access stuff on the wireless network.  Any suggestions there or elsewhere most welcome.  Thanks,

Fred

----------

## NeddySeagoon

Fred Krogh,

We need more info.

Please post 

```
ifconfig -a
```

 and 

```
route -n
```

I guess you have a static route missing either on your router or your primary computer. 

I normally set it up the other way round.  Wired can get anywhere but wireless cannot get to wired.

Assume your wireless is wide open, it might as well be since any determined attacker can get in.

----------

## Fred Krogh

 *Quote:*   

>  ifconfig -a
> 
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
> 
>         inet 216.86.203.11  netmask 255.255.255.0  broadcast 216.86.203.11
> ...

  *Quote:*   

>  route -n
> 
> Kernel IP routing table
> 
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> ...

 

I originally had the wireless connected to the outside world, but then things on my local wired network could not get to the outside world, probably because of my problems configuring the wireless router or something else.  If I can't make things work the way I have them maybe I could manage to get it all to work through the wireless??  Thanks.

----------

## NeddySeagoon

Fred Krogh,

From your original post.

 *Quote:*   

> eth2 is connected to a wireless router at 192.168.2.3 

 

```
eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

inet 192.168.2.3 netmask 255.255.255.0 broadcast 192.168.2.255 
```

Together those quotes say your PC has 192.168.2.3 and so does your WAP.

That can't work.

The AP will normally be a transparent bridge.  It only has an IP so you can control it.

The AP is not a gateway. It's good enough to send packets destined for wireless hosts to eth2 but eth2, the AP and the wireless hosts all need unique IPs in the 192.168.2.0/24 subnet.

----------

## UberLord

Any reason why the wireless is on a different subnet?

I run wired and wireless on the same subnet. I even give each wired and wireless interface the same IP address and dhcpcd works its magic and moves it to the most desired interface.

The benefit is that I can remotely connect to it regardless of how it's connected.

Anyway, in direct answer to your question you need to have a router between the wired and wireless which knows about both networks.

If you don't have this then just run them both on the same subnet.

----------

## Fred Krogh

I had just recently set  *Quote:*   

> routes_eth2="default via 192.168.2.3"

 in /etc/conf.d/net in a hope that that would change things which weren't working.  I guess that made things fail in a slightly different way, and I have removed that line.

I think that AP is an abbreviation for access point.  Does wireless hosts refer to everything on the wireless network?

I have eth1 going to a router, does that mean I should connect the wireless device to a line from the router.  But then what is the gateway that I put on the router.  I'm afraid I'm still a bit confused.  I do appreciate the help.  Thanks.

----------

## UberLord

 *Fred Krogh wrote:*   

> I think that AP is an abbreviation for access point.  Does wireless hosts refer to everything on the wireless network?

 

Yes

 *Quote:*   

> I have eth1 going to a router, does that mean I should connect the wireless device to a line from the router.  But then what is the gateway that I put on the router.  I'm afraid I'm still a bit confused.  I do appreciate the help.  Thanks.

 

So on the router you should have 3 physical ports - eth0, eth1 and eth2.

eth0 plugs into the internet

eth1 plugs into the wireless Access Point

eth2 plugs into the wired network (could be a cable to a switch or wired hub for example)

eth0 ISP assigned address

eth1 192.168.2.1/24

eth2 192.168.0.1/24

On the router you need to have the default route going via eth0

On the wired clients connected to this router they need a default route to 192.168.0.1

On the wireless clients connected to this router they need a default route to 192.168.2.1

----------

## Fred Krogh

I'm sorry, but I think I've been misleading you through confusing switch and router.  My main machine is serving as a router.  It is connected to the outside world (eth0) and connects to a switch (eth1) that connects to a bunch of different machines.  It also connects to the wireless box (eth2).

Anyway from what you suggested, I think there is a chance that I can get this all to work.  To minimize things that need to change, I'll change eth2 to 192.168.1.1/24.  The router now thinks it is at 192.168.2.3, and I'll change that to 192.168.1.1.  If I understand what was suggested that should be the only changes I need.  I'll post later on how this all works out.  Thanks.

----------

## Fred Krogh

I'm not getting there.  In changing things I have no wireless at all.  I've done a hard reset of the wireless modem, which allegedly sets its ip address to 192.168.1.1.  The documentation says that my pc and the router must be on the same subnet.  So I'm guessing that this is the problem.  Among other things, in /etc/conf.d/net, I have *Quote:*   

> config_eth1="192.168.0.3 netmask 255.255.255.0 broadcast 192.168.0.255"
> 
> config_eth2="192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255"
> 
> config_192168001001="192.168.1.2/24"

 That last line was more a guess than anything.  But whether I leave it in or get it out, it does not work.  I'm hoping there is something I can put in /etc/conf.d/net that will get both machines on the same network, or any idea that will let me access the wireless router.  Currently ifconfig and route give:#  *Quote:*   

> ifconfig -a
> 
> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
> 
>         inet 216.86.203.11  netmask 255.255.255.0  broadcast 216.86.203.11
> ...

 

 *Quote:*   

> # route -n
> 
> Kernel IP routing table
> 
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> ...

 

----------

## UberLord

You need to enable ip forwarding on the router as well - look in /etc/sysctl.conf and set 

```
net.ipv4.ip_forward = 1
```

----------

## UberLord

 *Fred Krogh wrote:*   

> I'm not getting there.  In changing things I have no wireless at all.  I've done a hard reset of the wireless modem, which allegedly sets its ip address to 192.168.1.1.  The documentation says that my pc and the router must be on the same subnet.  So I'm guessing that this is the problem.  Among other things, in /etc/conf.d/net, I have *Quote:*   config_eth1="192.168.0.3 netmask 255.255.255.0 broadcast 192.168.0.255"
> 
> config_eth2="192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255"
> 
> config_192168001001="192.168.1.2/24" 

 

Remove that last line, it's pointless.

 *Quote:*   

> # route -n
> 
> Kernel IP routing table
> 
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> ...

 

That looks fine, just enable IP forwarding and you're set.

----------

## szatox

Some things there are unclear, but hey, that's what glass orb is good for  :Laughing:  And my glass orb tells me you guys are looking for problem in a wrong place

Let's get some facts from previous posts:

pc-working-as-router has 2 subnets:

eth1 is a local wired network at 192.168.0.3

eth2 is connected to a wireless router at 192.168.2.3 

wireless client is connected to 192.168.1.1.

This makes me think that the wireless device you have there is a router and not a dumb AP you expect and want to use.

Also, routers tend to have dedicated WAN interface and several wired LAN sockets. If you connected your PC to WAN port it should just work anyway. My guess is it's some ISDN router with RJ11 WAN socket so you were unable to stuff big RJ45 plug into it. You didn't want to give up this easily, so you connected it to LAN port. You also forgot to disable advanced features intended for making it "plug and play" in its typical use case. Now the wireless box is smart enough to conflict with your PC instead of simply providing copper-to-air interface.

Have you tried running dhcp client on your eth2? I suppose it would receive a new address from 192.168.1.0 pool.

I mentioned ISDN router because it makes it sound more funny, but exactly the same mistake can be done with other routers so check ports anyway. And disable firewall and DHCP, as you most likely want to use one installed on your PC instead.

----------

## Fred Krogh

Sorry, I had to leave for a bit.  I've set net.ipv4.ip_forward = 1, it was set to 0 before.

That last line printed by route -n, is a mystery to me.  There is nothing in /etc/* that matches 216.86.203.0, and lots that match 216.86.203.1.  The change to ...forward=1, has made no discernable difference.  I hope someone has the patience to help me work through this as it makes no sense to me.  I am running shorewall, and looked for forward, and got the following: *Quote:*   

> shorewall.conf:FORWARD_CLEAR_MARK=
> 
> shorewall.conf:IP_FORWARDING=On
> 
> shorewall.conf:MARK_IN_FORWARD_CHAIN=No
> ...

 Might this suggest anything?

I have dhcpd running, and have reset the wireless router several times.  When I access 192.168.1.1 with a browser, it brings up the home page for my web site.  I believe this should bring up the configuration screen for the wireless router.  (192.168.0.3 and 216.86.203.11 does the same, but those should bring up the home page for my site.)

Perhaps this line in /etc/conf.d/staticroute: staticroute="net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1" could be changed to something that would help?

Are there options in uphcpd or in dnsmasq.conf that should be set a certain way.  Many thanks.

----------

## NeddySeagoon

Fred Krogh,

For help with shorewall and routing, we need /etc/shorewall/rules

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         216.86.203.1    0.0.0.0         UG    2      0        0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG    4      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
216.86.203.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
```

Routing rules are applied from the bottom of the routing table working up.  The first rule that matches a packet is applied.

The first (bottom) rule says to reach the 216.86.203.0/24 subnet, no gateway is required as send the packet out of eth0.

That's probably incorrect unless you own the 216.86.203.0/24 subnet - that's unlikely.  Find out where this is being set up and remove it.

The next rule (up) says to reach 192.168.2.0/24, no gateway is required and use eth2.

Next up is to reach 192.168.0.0/24 use eth1 again, no gateway is required.

The 127. ... rules are for lo.

Now it gets trickier and more incorrect.

Destination 0.0.0.0 matches any packets that have not yet been routed - that's your default route.  You may at most have one default route and you have two here.

Anyway,  

```
0.0.0.0         192.168.2.1     0.0.0.0         UG    4      0        0 eth2
```

says that for any packets not yet routed send them to 192.168.2.1  over eth2.  Essentially, I don't know what to do with these packets but 192.168.2.1 does.

All your internet traffic will be sent here.

The rule 

```
0.0.0.0         216.86.203.1    0.0.0.0         UG    2      0        0 eth0
```

can never be reached.

If 192.168.2.1 is your router, that's a good start.  You should never have any rules here with your public IP address as your router will have that.

In my best ASCII art, your network looks something like this.

```
            ----------                               ----------------
            |        | 192.168.2.1      192.168.2.?  |              |
Internet ---+ Router +-------------------------------+ eth2         |
            |        |                               |              |
            ----------                               |    PC   eth1 +--192.168.0.?
                                                     |              |
                                   216.86.203.?----- + eth0         |
                                                     |              |
                                                     ----------------
```

You need to use shorewall to do address translation (routing) so that interfaces in subnets other than 192.168.2.0/24 can reach each other and the internet.

Your router will do address translation for any host on the 192.168.2.0/24 subnet.  Packets from 192.168.0.0/24 that reach the router should be dropped as they are not routable.

If your router does forward packets from 192.168.0.0/24, your ISP will drop them.
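The checks walked through in this post, as an added example that is not part of the original thread: it reads the `route -n` table quoted above, counts default routes, lists duplicate destinations, and resolves a destination using the Linux kernel's selection order (longest matching prefix, then lowest metric). The function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit `route -n` output for the problems discussed above.
# ROUTES is the table quoted in the post; all function names are hypothetical.

ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         216.86.203.1    0.0.0.0         UG    2      0        0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG    4      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
216.86.203.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Emit the embedded table; on a live host use `route -n` instead.
routes() { printf '%s\n' "$ROUTES"; }

# Print "gateway iface metric" for every 0.0.0.0/0 entry read from stdin.
default_routes() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2, $8, $5 }'
}

# Number of default routes; more than one deserves a second look.
default_route_count() { default_routes | wc -l | tr -d ' '; }

# Destination/netmask pairs that appear more than once.
duplicate_destinations() {
    awk '$1 ~ /^[0-9]+\./ { n[$1 "/" $3]++ }
         END { for (k in n) if (n[k] > 1) print k }' | sort
}

# Print "iface gateway" for the route that would carry traffic to $1.
# Selection: longest matching prefix first, lowest metric as tie-break.
route_for() {
    awk -v dst="$1" '
    # Apply a contiguous netmask to an address, octet by octet.
    function net(ip, mask,    i, a, m, o, out) {
        split(ip, a, "."); split(mask, m, ".")
        for (i = 1; i <= 4; i++) {
            o = a[i] - a[i] % (256 - m[i])
            out = (i == 1) ? o : out "." o
        }
        return out
    }
    # A numerically larger contiguous mask means a longer prefix.
    function masknum(mask,    m) {
        split(mask, m, ".")
        return ((m[1] * 256 + m[2]) * 256 + m[3]) * 256 + m[4]
    }
    $1 ~ /^[0-9]+\./ && net(dst, $3) == $1 {
        len = masknum($3); metric = $5 + 0
        if (best == "" || len > bestlen ||
            (len == bestlen && metric < bestmetric)) {
            best = $8 " " $2; bestlen = len; bestmetric = metric
        }
    }
    END { if (best != "") print best; else exit 1 }'
}

echo "default routes: $(routes | default_route_count)"
routes | default_routes
echo "duplicate destinations:"
routes | duplicate_destinations
for ip in 8.8.8.8 192.168.2.1 192.168.1.1; do
    echo "$ip -> $(routes | route_for "$ip")"
done
```

With this table, 192.168.1.1 (the address the wireless client saw for the router in the first post) has no connected route and falls through to a default route.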

----------

## szatox

Actually the very first post describes this setup

```
            ----------                               ----------------
192.168.2.1 |        |                   192.168.2.?  |              |
WIFI ---+ Router +-------------------------------+ eth2         |
            |        |                               |              |
            ----------                               |    PC   eth0 +-internet
                                                     |              |
                                 192.168.0.?----- + eth1            |
                                                     |              |
                                                     ---------------- 
```

And I still think that wifi router is misconfigured. Refer to my previous post for details.

----------

## Fred Krogh

Note that I have a switch that connects to other PC's.  The switch is downstairs, my main PC, and the wireless router are upstairs.  It would be very awkward to change the locations of any of these.

Initially I had the wireless router connected to the internet, and that to my PC.  The wireless also connected to the switch.  But I never managed to get that part of the network to work.  The problem may have had to do with the way I was setting network addresses.

This is what I think (now?) should work.

```
            ----------------------
            |                    |
            | My main PC         |
            |                    |
Internet ---+ eth0 216.86.203.11 |
216.86.203.1|                    |
            | eth1 192.168.0.3   +--- switch 192.168.0.? --- More PC's
            |                    |
            | eth2 192.168.1.2   +--- Wireless router 192.168.1.1 --- more
            |                    |
            ----------------------
```

According to the manual for my ASUS WL-520GC, to setup IP addresses manually, you need to know the default settings of the ASUS Wireless Router.  IP address 192.168.1.1, subnet mask 255.255.255.0

It then goes on to say to set up the connection with a manually assigned IP address, the address of your PC and the wireless router must be within the same subnet.

IP address: 192.168.1.xxx (anything from 2 to 255)

Subnet mask: 255.255.255.0

Gateway: 192.168.1.1

Because the gateway is 192.168.1.1 it seems to me that my eth2 must have that address, but to access the router initially it seems I need to access it at address 192.168.1.1.

So thought I in woeful ignorance, to get restarted, set eth2 to 192.168.1.2, and try to access 192.168.1.1, and once there change settings.  But when trying to load 192.168.1.1, I get "This webpage is not available".

Clearly I can get nowhere with this, if I can't even get to the screen used to configure the wireless router.  So just to get started I need some way to configure the wireless router, and there seems to be nothing that can be done to accomplish that.  I really appreciate the help offered so far.  I think I have learned a bit, just not enough! If I manage to get to the router configuration screen maybe something better can be done.

----------

## NeddySeagoon

Fred Krogh,

For this bit to work, your main PC needs to be set up as a router. 

```
            ----------------------
            |                    |
            | My main PC         |
            |                    |
Internet ---+ eth0 216.86.203.11 |
216.86.203.1|                    |
            | eth1 192.168.0.3   +--- 
            |                    |
            | eth2 192.168.1.2   +--- 
            |                    |
            ---------------------- 
```

It will have to do Network Address Translation (NAT) for the 192.168.0.0/24 and 192.168.1.0/24 subnets or they will have no access to the internet.

They may have access to one another without NAT.

You need this regardless of what gets connected to eth1 and eth2.  You can also set up a dhcp server on your main PC to serve network settings to both the 192.168.0.0/24 and 192.168.1.0/24 subnets.

You mention a "Wireless router" on 192.168.1.1.  Exactly what is this device?  

If it's a dumb Access Point (AP) it's a transparent bridge; if it's really a router, you need to take care with its settings.

A switch is not an issue.

Setting up your PC as a router is your first step. That guide has you setting up iptables by hand but shorewall can do it too.

You will need the kernel settings and packages described in the guide, on your main PC.

szatox,

I was unsure if there were any network topology changes since the original post.

----------

## Fred Krogh

Yes I have changed things as what I had was not working.  Once the wireless router (that's an ASUS WL-520GC) was reset, that has its address at 192.168.1.1 (I think!).  In /etc/shorewall.masq, I have *Quote:*   

> eth0        192.168.0.0/24 216.86.203.11
> 
> eth1        192.168.1.0/24 216.86.203.11
> 
> 

 My PC has worked just fine as a router for a long time. And with the configuration I started with the routing was working for the stuff on the wireless network as well.  The only problem was that I could not look at the wireless network from my PC.  Now that the wireless router has been reset, I can't get to its home page and thus am stuck.

It doesn't seem to me that I shouldn't need to setup NAT for the wireless router just to look at it.  In desperation I've tried to ssh to 192.168.1.1, and get "no route to host".  I still have

```
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         216.86.203.1    0.0.0.0         UG    2      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
216.86.203.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
```

Ping gives "Destination Host Unreachable".  It seems there is no path to reach 192.168.1.1.  For completeness

```
# ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 216.86.203.11  netmask 255.255.255.0  broadcast 216.86.203.11
        inet6 fe80::2e0:4cff:fe68:e40c  prefixlen 64  scopeid 0x20<link>
        ether 00:e0:4c:68:e4:0c  txqueuelen 1000  (Ethernet)
        RX packets 17579  bytes 12258150 (11.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18168  bytes 3177838 (3.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.3  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::2e0:4cff:fe68:e512  prefixlen 64  scopeid 0x20<link>
        ether 00:e0:4c:68:e5:12  txqueuelen 1000  (Ethernet)
        RX packets 13222  bytes 1507886 (1.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13019  bytes 10521880 (10.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::2e0:4cff:fe68:e40d  prefixlen 64  scopeid 0x20<link>
        ether 00:e0:4c:68:e4:0d  txqueuelen 1000  (Ethernet)
        RX packets 299  bytes 176410 (172.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 246  bytes 22309 (21.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth3: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 00:e0:4c:68:e5:11  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth4: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether f4:6d:04:d6:7d:15  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 823  bytes 185594 (181.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 823  bytes 185594 (181.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sit0: flags=128<NOARP>  mtu 1480
        sit  txqueuelen 0  (IPv6-in-IPv4)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```


----------

## NeddySeagoon

Fred Krogh,

That all looks mostly harmless.  The manual for your wireless router, it is a router, not a dumb access point, says that its default IP is 192.168.1.1

How did your PC get this setup?  

```
eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
```

Your wireless router will be handing out IP addresses using dhcp now it's been reset.

If this address is manually assigned, it may have been allocated by dhcp to something else too.

----------

## Fred Krogh

I don't usually (and don't now) have dhcpd running on my PC.  When I had the wireless router working I was using it there.  The stuff you referred to was set in /etc/conf.d/net which contains:

```
config_eth0="216.86.203.11  netmask 255.255.255.0 broadcast 216.86.203.11"
routes_eth0="default via 216.86.203.1"
nis_domain_eth0="mathalacarte.com"
dns_domain_eth0="mathalacarte.com"
dns_servers_eth0="8.8.8.8 8.8.4.4"
config_eth1="192.168.0.3 netmask 255.255.255.0 broadcast 192.168.0.255"
config_eth2="192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255"
```

I'm not clear on what address you say may have been reassigned.  Are you referring to the value used for eth2.  If so, I guess I could try the other 253 possible values.  Many thanks for your time and effort put into this.

----------

## szatox

Well, if everything works but you just can't see wireless network from your PC (previous posts suggested you can't see your PC from wireless network), it's because SOHO routers tend to have NAT enabled by default and it filters any traffic you would like to send to wireless segment.

Also, you can't access router's configuration page from your PC because from router's perspective you are connected over WAN which makes you an attacker rather than an admin.

As a side note, you're reinventing Great Chinese Wall with your layers upon layers of NATs and routers.

----------

## Fred Krogh

I agree with your Chinese Wall comment, but at the moment I'm just trying to get the wireless router configured.  For what it is worth the wireless network is no longer showing up on my laptop so I can't even get at it from there.

----------

## Fred Krogh

Just tried plugging the cord from my PC into a LAN port on the router.  It will now respond to a ping to 192.168.1.1, but after a long time reports "This webpage is not available".  There for a moment, I thought maybe I might get this sucker configured.

----------

## Fred Krogh

I've tried linking the wireless LAN port to a laptop that runs windows xp and ubuntu.  After changing the network configurations, both would ping the modem at 192.168.1.1, but neither could load that address from the browser.  I have decided it is time to give up on this one.  Anyone care to suggest a wireless router/switch that is Linux friendly?  Thanks for all the help.

Fred

----------

## NeddySeagoon

Fred Krogh,

Do you really need a router or would you rather use an access point?

An access point has less to fiddle with and get right.

----------

## Fred Krogh

I don't really need or even want a router, but I need wireless.  I thought maybe there were switches that would put out a wireless signal, but the little looking I've done did not reveal such a thing.  Thanks.

----------

## WWWW

This is interesting:

A system can have two interfaces with different subnets?

eth1 192.168.1.3

eth2 192.168.2.3

How do programs not get confused? I certainly can see this being useful. But won't get programs confuzzled?

Would it be possible to expand this?

eth1 192.168.1.3

eth2 192.168.2.3

eth3 192.168.3.3

And what it is the difference as opposed to have this?

eth1 192.168.1.2

eth2 192.168.1.3

eth3 192.168.1.4

Thanks!

----------

## depontius

Believe it or not, you've just asked a mouthful.

Really, subnets are defined by the "subnet mask", and in the case of the RFC-1918 network for 192.168.*.* the subnet mask is conventionally 255.255.255.0.  You map that 255.255.255.0 over top of the 192.168.*.*, and what it really means is that for a given subnet, only the fourth number, the one after the last dot, is allowed to vary.  So using your first/second examples, 192.168.1.3 and 192.168.2.3 are on different subnets, assuming you've got the normal 255.255.255.0 subnet mask.  With your third example, 192.168.1.2 and 192.168.1.3 are both on the same subnet, and that applies pretty much regardless of the subnet mask.  (I've used subnet masks to define very small subnets before on my home network, but it's not common.)

Why might you want multiple subnets?  My home network currently has three subnets.  I have a cable modem, and my appliance router plugs into that - first subnet.  The back side of my appliance router is an 8-port switch, and 2 of those ports plug into a pair of (redundant) bastion hosts, running secondary firewalls - second (DMZ) subnet.  The back side of my redundant bastion hosts is my LAN, where the rest of the stuff on the home network connects.  Right now my wireless router is plugged in as an access point on my LAN - so it's only using the wireless function, not the routing.

I'm thinking of changing things a bit in the near future, prompted by the Internet Of Things.  I kind of want to get some of those Things, but it seems that they all need to phone home, and at least some of them (L.G. Smart TVs) phone home with information harvested from the LAN they're connected to.  I want stuff like that on its very own subnet, that routes only to the internet, and not to my LAN.  So that would probably mean plugging a wireless router into my DMZ with only a default route to the internet and its own subnet for my I.O.T.

----------

## NeddySeagoon

WWWW,

My KVM router has four subnets.

ppp0 is the big bad internet.  PPPoE on eth0

eth1 is my DMZ on 192.168.10.0/24

eth2 is my WAP on 192.168.54.0/24

eth3 is my wired protected network on 192.168.100.0/24

Apps don't get confused because the kernel looks after the interconnectivity.

I have separate wireless and wired networks 

a) because I am paranoid

b) wireless is not permitted to connect to wired but it is allowed to respond if wired asks.

I have a few things on my wired network that like to phone home. They are all blocked by filtering on the destination port they try to connect to.

That results in logspam in my firewall logs.

Did I mention that I'm paranoid?

Hmm maybe it actually has another subnet too. Being a KVM, its console is VNC on another subnet. 192.168.122.0/24 or something like that.

----------

## WWWW

 *NeddySeagoon wrote:*   

> Did I mention that I'm paranoid?


Please stop excusing yourself, this setup is perfectly sane and it helps in understanding the clear separation of areas and also helps in implementing it. I think yours could be used in an office environment.

Now I only need to find out the commands to set up all that.

I kept thinking about separating traffic but I wasn't sure how to configure this. For instance one thing that was nagging me was a couple of UDP traffic flows mixed with regular network traffic. My idea was to have a different network for the internal UDP connections. Perhaps it is not needed but for the sake of separating roles I wanted to do it.

Thanks.

Last edited by WWWW on Thu Dec 11, 2014 7:22 pm; edited 1 time in total
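
One way to express the forwarding policy NeddySeagoon describes above, as an added example that is not any poster's own configuration. It assumes iptables with the conntrack match; the interface names and subnets are the ones listed in that post, while the blocked ports are constructed placeholders and the rules letting the wireless and DMZ subnets reach the internet are assumptions.

```sh
# Interfaces and subnets as listed in the post; everything else is assumed.
WAN=ppp0    # internet (PPPoE)
DMZ=eth1    # 192.168.10.0/24
WAP=eth2    # 192.168.54.0/24, wireless
LAN=eth3    # 192.168.100.0/24, wired protected network
# Constructed placeholder ports standing in for the "phone home" destinations.
PHONE_HOME_PORTS=65001,65002

# Print an iptables-restore ruleset covering only forwarded traffic.
# INPUT and OUTPUT are declared ACCEPT here because traffic to the router
# itself is outside this example; loading the output replaces the filter table.
forward_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections that were allowed to start, in either direction.
# This is what lets wireless answer when wired asks.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Wired devices that phone home: log, then drop, by destination port.
-A FORWARD -i $LAN -o $WAN -p tcp -m multiport --dports $PHONE_HOME_PORTS -j LOG --log-prefix "phone-home: "
-A FORWARD -i $LAN -o $WAN -p tcp -m multiport --dports $PHONE_HOME_PORTS -j DROP
# The wired network may open connections to any other subnet.
-A FORWARD -i $LAN -j ACCEPT
# Wireless and DMZ hosts may open connections to the internet only (assumed).
-A FORWARD -i $WAP -o $WAN -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -j ACCEPT
# Anything else, including new connections from wireless to wired, is
# logged and then dropped by the chain policy.
-A FORWARD -j LOG --log-prefix "fwd-drop: "
COMMIT
EOF
}

# Check the syntax without committing:  forward_ruleset | iptables-restore --test
```

Rule order matters: the port block sits above the general wired accept, and the ESTABLISHED rule comes first so return traffic never reaches the later rules.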

----------

## Fred Krogh

I'm back, sorry!  I've learned a lot from the help already given.

Using a Windows 7 machine I finally got the router configured.  The only ethernet connection my main computer has now is eth0.  All seems to work, except apache is messed up.  Thus

```
# /etc/init.d/apache2 start
 * Bringing up interface eth1
 *   config_eth1 not specified; defaulting to DHCP
 *   dhcp ...
 *     Running udhcpc ...
 *     start-stop-daemon: failed to start `/bin/busybox'                       [ !! ]
 * ERROR: net.eth1 failed to start
 * Bringing up interface eth2
 *   config_eth2 not specified; defaulting to DHCP
 *   dhcp ...
 *     Running udhcpc ...
 *     start-stop-daemon: failed to start `/bin/busybox'                       [ !! ]
 * ERROR: net.eth2 failed to start
 * ERROR: cannot start apache2 as net.eth1 would not start
```

I have looked and looked, and I can't see why apache would be looking for eth1 and eth2.  Maybe things would all work if I could resolve this.  Any ideas?  Thanks.

----------

## Fred Krogh

I have another problem.  That Windows 7 machine will not fetch mail, but gives no sign of the problem.  It can access the web just fine.  I have set it up to fetch from my server at 192.168.1.2.  It will also not fetch from my site mathalacarte.com at 216.86.203.11.  Is there something that needs to be said in the wireless router to make this work?

----------

## NeddySeagoon

Fred Krogh,

If you have interfaces that you are not using, they may be required to be up so that the net service, which apache needs, is considered up.

Read the comments in /etc/rc.conf and maybe adjust the rc_depend_strict setting.

----------

## Fred Krogh

Thanks Neddy!  I was just in the process of posting the following when I got your last comment.

More info.  The computers on the subnet can send mail, but can't access the pop-3 server on the same subnet.  Some problems I had were only fixed by removing net.eth1 and net.eth2 from the default run level.  It apparently was not sufficient to stop them as both postfix and apache were trying to access these access points.  My web server now appears to be working, including with virtual hosts.  So down to one problem only.  The pop-3 part.

I note that /etc/init.d/postfix restart will not work.  Postfix seems to think it is already stopped and it fails to start.  postfix-reload does have the effect of changing the job numbers of the running postfix programs.  At the moment I have no idea whether the problem is in postfix, or in the wireless router, or perhaps in dovecot.  In the wireless router, I have had "Enable Port Trigger" set to no and to yes and in the latter case I have

```
25     TCP 25     TCP smtp
80     TCP 80     TCP http
50776  TCP 50776  TCP skype
110    TCP 110    TCP pop-3
```

In the virtual server section, I have

```
20:21  192.168.1.2  20:21  TCP  FTP Server(20:21)
25     192.168.1.2  25     TCP  SMTP Server(25)
80     192.168.1.2  80     TCP  HTTP Server(80)
110    192.168.1.2  110    TCP  POP3 Server(110)
22     192.168.1.2  22     TCP  ssh
50776  192.168.1.2  50776  TCP  skype
```

Perhaps something here will suggest why the mail can't be fetched?  Thanks.

----------

## Fred Krogh

Maybe enough progress to get this over the hump?  But I'm still having problems with mail.  I'm currently trying to set up a new account in my laptop that matches one on a Windows machine that will send but can't get mail.  In the wireless router, I have set: Enable multicast routing to yes.  That seems to be necessary.  I have also enabled Port Trigger which now has the following data

```
Trigger Port Protocol Incoming Port Protocol Description
          25      TCP            25      TCP  smtp
          80      TCP            80      TCP  http
       50776      TCP         50776      TCP  skype
         110      TCP           110      TCP  pop-3
         106      TCP           106      TCP  pop-password
```

The virtual server now has

```
Port Range    Local IP Local Port Protocol Description
        20 192.168.1.2         20      TCP ftp-data
        21 192.168.1.2         21      TCP ftp
        22 192.168.1.2         22      TCP SSH
        25 192.168.1.2         25      TCP SMTP Server
        80 192.168.1.2         80      TCP HTTP Server
       106 192.168.1.2        106      TCP POP3 Password
       110 192.168.1.2        110      TCP POP3 Server
     50776 192.168.1.2      50776      TCP skype
```

When trying to verify the password for the email account I'm seeing on my server things like this using wireshark

```
No. Time      Source         Destination  Protocol  Length              Info.

 12 8.16..  192.168.1.4   192.168.1.2     TCP       74      60031-110 [SYN} Seq=0 Win=29200 Len=0 MSS=1460 ...

 13 9.16..  192.168.1.4   192.168.1.2     TCP       74      [TCP Retransmission] 60031-110 [Syn] Seq=0 ...

 ...
```

Similar data shows up on the laptop, except with the source and destination data interchanged.  Since the problem seems to be that the password could not be verified, I was expecting to see some 106 packets instead of the 110 packets, but maybe those need to go through first?

At this point, I don't know if I have a configuration problem in the router, or in dovecot or perhaps postfix.  I would be very happy to provide more of the data from wireshark, if I had a better idea of what might be useful.  Note that there is no problem in sending mail, just a problem in fetching it.  The configuration of Thunderbird as far as the POP mail server is concerned is the same in all 3 cases, but it is only on my primary machine (where the mail server resides) that mail can be fetched.

----------

