# Building a router/firewall...

## FcukThisGame

I'm about to take a stab at building my own home router with gentoo. Here's my ideal setup:

Cable modem to eth3 (WAN)

old router (AP and switch) to eth2 (LAN)

roommate's switch to eth1 (LAN)

I want to have four subnets. One for myself, one for my roommate, one for common areas, and one for wireless. I'd also like a VLAN or something for isolated guest wireless access. The issue here is that my wireless device is a Linksys router, running in switch/AP mode.

My question is: is it possible to route two different subnets through the same device? Specifically, can iptables or something differentiate traffic from a switch vs. an AP? My room is wired through the switch on the Linksys router, and I want my room to be assigned different IPs from those of the wireless.

Is that doable?

----------

## kpsyran

If you can get the Linksys router to support VLANs, you can do it. If you can't get it to support them, you probably will not. If you have a couple of bucks, maybe install a cheap GigE switch for your stuff, and forgo the inter-switch VLANning.

----------

## NeddySeagoon

FcukThisGame,

Try Smoothwall - it does what you want out of the box and does not provide a toolchain.

I use it in 4 NIC mode.

It has a fork (from a long time ago) called IPCop, which I only know about because I was a Smoothwall user at the time of the fork. That may well be worth looking at too.

Be warned that both of these are complete distros in their own right and will take over any machine you install them on.

To answer your original question, you can have several subnets on the same physical wire if you want to, but you don't get physical separation then.

----------

## FcukThisGame

 *kpsyran wrote:*   

> If you can get the Linksys router to support VLANs, you can do it.

 

I'm running dd-wrt on it. That should support them, right?

----------

## Veldrin

Looks like...

----------

## FcukThisGame

The router box has four NICs. One is only 10/100, the other three are gigabit.

I have a NAS box (10/100) that will connect to the slower NIC on the router. Although it's not gigabit, it supports jumbo-frame MTUs. I'd like to take advantage of that, if possible.

I'm a bit lost as to how my /etc/conf.d/net file is supposed to look. I'm pretty sure this is completely wrong, but hopefully you can see what I'm trying to do:

```
# eth3: WAN
config_eth3=( "dhcp" )

# eth2: To Chris's room, 10.10.2.X
config_eth2=( "10.10.0.1 broadcast 10.10.255.255 netmask 255.255.255.0" )

# eth1 To Miguel's room, 10.10.1.X
config_eth1=( "10.10.0.1 broadcast 10.10.255.255 netmask 255.255.255.0" )

# eth0 Server subnet (to NAS) , 10.10.0.X (INCREASE MTU)
config_eth0=( "10.10.0.1 broadcast 10.10.255.255 netmask 255.255.255.0" )
```

I want eth0, eth1, and eth2 to all be on separate subnets, but still able to communicate. As such, am I right to set the IP to the same address for all three?

EDIT: Next question, as my network stands right now, I'm behind the linksys router, which is 10.10.10.1. Is there any way I can still set it up behind my router somehow? Should I change it to a 192.168.x.x network first and then change it back later?

----------

## Veldrin

Erm, you said different subnets - this means they cannot have the same IP address. Put each interface in its own subnet (like below).

```
# eth3: WAN
config_eth3=( "dhcp" )

# eth2: To Chris's room, 10.10.2.X
config_eth2=( "10.10.2.1 broadcast 10.10.2.255 netmask 255.255.255.0" )

# eth1 To Miguel's room, 10.10.1.X
config_eth1=( "10.10.1.1 broadcast 10.10.1.255 netmask 255.255.255.0" )

# eth0 Server subnet (to NAS) , 10.10.0.X (INCREASE MTU)
config_eth0=( "10.10.0.1 broadcast 10.10.0.255 netmask 255.255.255.0" )
```

Next you need IP forwarding active (and built into the kernel) to get routing working, and an iptables setup that allows forwarding.

 *Quote:*   

> EDIT: Next question, as my network stands right now, I'm behind the linksys router, which is 10.10.10.1. Is there any way I can still set it up behind my router somehow? Should I change it to a 192.168.x.x network first and then change it back later?

This is completely up to you, how you want to segment your network. I suggest you start with pen and paper and draw the setup first - including all specified IP addresses.

It might make sense to use different private address ranges for different parts of your network - e.g. 10.10.1.0/24 and 10.10.2.0/24 for the LAN (i.e. both rooms), 192.168.10.0/24 for the WLAN, and 172.16.10.0/24 for the NAS network. (But as said before, this is up to you.)

----------

## FcukThisGame

 *Veldrin wrote:*   

> erm you said different subnets - this means they cannot have the same ip-address.

 

My knowledge of networking isn't much better than basic, but I'm trying to learn... At work we have a class B subnet, and the router is at the same IP address no matter which subnet you're on. Am I correct to assume that it would not work like that if I use the IPs you gave?

----------

## Veldrin

 *Quote:*   

> At work we have a class B subnet, and the router is at the same IP address no matter which subnet you're on.

Recheck that one - this cannot be - unless there is a misunderstanding of what a subnet is.

No - exactly the other way round. What you are trying to achieve requires network segmentation. For simplicity, assume that you have four class C networks available (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 - for simplicity call them segments 1-4).

You assign a segment to each of your nets (e.g. segment 1 to your net, segment 2 to your friend's, 3 to the NAS, 4 to the WLAN).

The Router/Firewall's task is to act as the connection between those nets. (In other words: the Router/Firewall is the crossroads, the LAN is the street in front of your house, your house is the PC, and the IP address is your address (number + street).)

For a crossroads to be connected to a street, it must have an address in that street; for simplicity just take .1. The Router/Firewall address for your net would be 192.168.1.1, for the NAS net 192.168.3.1.

I am still assuming that your Router/Firewall has 5 interfaces (one for each net + 1 for the "internet"). If you have fewer, you could do the same segmentation with VLANs and virtual interfaces on the Router/Firewall. But to get this working properly, a smart switch is preferable to a generic one.

Just my input.

V.

I am currently thinking about a simpler solution to your network issue....

----------

## FcukThisGame

 *Veldrin wrote:*   

>  Recheck that one - this cannot be - unless there is a misunderstanding of what a subnet is.

 

I could definitely have misunderstood. At the least, I know that our gateway is one set address (our router is the gateway, I believe).

At the very least, so long as the different subnets can communicate, I don't care. 

Also, Veldrin, to answer your question, unfortunately I only have four NICs on the box (ran out of PCI slots). One of them is going to have to use VLANs to distinguish wireless (two different SSIDs, separate from each other, with guest wireless isolated from the rest of the network) from wired (to my room).

I think I'm going to draw a diagram and upload it... I'm pretty sure explaining it in words does nothing but confuse.

----------

## FcukThisGame

Diagram Here

----------

## Veldrin

nice - that definitely helps

(what software are you using?)

eth0, eth1 and eth3 should not be a problem - interfaces with a single subnet attached.

eth3 OTOH could cause some problems.

For starters, I would ignore the isolated WLAN and attach the WLAN to your mate's LAN - that way you can proceed and do some testing. (In addition, I am not that familiar with dd-wrt.)

Next create an additional VLAN (virtual LAN) on eth2 and get the WLAN router talking to it, but keep it talking to your mate's switch (or more precisely to the attached computers behind it).

I assume that your broadband router assigns a public IP to your firewall. In that case you have to configure NAT too.

As an alternative, the NATing could be done on the router; that works if the router assigns a private IP address.

HTH

V.

----------

## FcukThisGame

 *Veldrin wrote:*   

> eth0, eth1 and eth3 should not be a problem - interfaces with a single subnet attached.
> 
> eth3 OTOH could cause some problems.

 

You mean eth2?

Made the diagram on gliffy.com. It seems like a web-2.0 version of Visio.

On another note, let's see if I understand subnets correctly. Let's imagine just the subnets for eth0 and eth1 (10.10.0.X and 10.10.1.X). In that case, the router would have internal IPs of 10.10.0.1 and 10.10.1.1, and the NAS would be at 10.10.0.2. My computer on the eth1 subnet would have an IP of, say, 10.10.1.5. If I wanted to access the NAS, I could do that by connecting to 10.10.0.2, right?

My subnet mask for this is 255.255.0.0, correct? 

Also, I think I might have an idea about my network at work. I think it's actually a class A subnet, but the routable addresses are within a class B.

----------

## FcukThisGame

Just thought of another question. Will I gain any performance boost if I set the MTU on eth0 to 9000 along with the NAS (it supports up to 9000)? Being as it's only a 10/100, can the router convert 100MBit/9000MTU to gigabit/1500?

----------

## Veldrin

 *Quote:*   

> You mean eth2?  

 

Indeed - I thought that I had corrected that.

 *Quote:*   

> My subnet mask for this is 255.255.0.0, correct? 

 

No, you would need a /24 subnet mask, or 255.255.255.0. This bothered me before, but I seem to have forgotten to mention it.

Basically you take a class A network and segment it into class C networks. Since CIDR, those classes are no longer hard constraints (i.e. you could use smaller (or larger) subnets, but /24 seems reasonable for an average access net).

cheers

V.

----------
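Veldrin's two points above (one segment per router interface, with the router at .1 of each, and a /24 rather than a /16 mask) and the earlier question of whether three interfaces can all carry 10.10.0.1 come down to one piece of arithmetic: an interface's network is its address ANDed with its mask, and the router needs a distinct network behind every interface. The POSIX sh script below is an added example for this page, not code from the thread; it implements that arithmetic and checks the three addressing plans discussed so far. The addresses are the thread's own; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): dotted-quad subnet arithmetic in plain
# POSIX sh, used to check the addressing plans discussed in the thread.

# ip_to_int 192.168.2.1 -> 3232236033
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232236033 -> 192.168.2.1
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# net_of IP MASK -> network address (IP AND MASK)
net_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# broadcast_of IP MASK -> last address of that network (IP OR NOT MASK)
broadcast_of() {
    int_to_ip $(( $(ip_to_int "$1") | (~$(ip_to_int "$2") & 4294967295) ))
}

# prefix_len MASK -> number of set bits, e.g. 255.255.255.0 -> 24
prefix_len() {
    pl_m=$(ip_to_int "$1"); pl_n=0
    while [ "$pl_m" -ne 0 ]; do
        pl_n=$(( pl_n + (pl_m & 1) )); pl_m=$(( pl_m >> 1 ))
    done
    echo "$pl_n"
}

# same_net IP1 IP2 MASK -> "yes" if both fall in one network under MASK.
# "yes": the hosts talk directly. "no": traffic goes via the default gateway.
same_net() {
    [ "$(net_of "$1" "$3")" = "$(net_of "$2" "$3")" ] && echo yes || echo no
}

# check_plan MASK ADDR... -> "ok" when every router address lands in its own
# network, otherwise a message naming the first collision. Two router
# interfaces in one network is the condition Veldrin warns about: the kernel
# installs the same connected route twice and only one interface gets used.
check_plan() {
    cp_mask=$1; shift
    cp_seen=""
    for cp_ip in "$@"; do
        cp_net=$(net_of "$cp_ip" "$cp_mask")/$(prefix_len "$cp_mask")
        case " $cp_seen " in
            *" $cp_net "*) echo "collision: $cp_ip is in $cp_net, already used"; return 1 ;;
        esac
        cp_seen="$cp_seen $cp_net"
    done
    echo ok
}

# The three plans from the thread:
#  1. first draft: 10.10.0.1 on eth0, eth1 and eth2 (identical addresses)
#  2. five 192.168.N.1 router addresses under a /16 mask (all one network)
#  3. the same addresses under a /24 mask (five separate segments)
demo() {
    echo "draft 1: $(check_plan 255.255.255.0 10.10.0.1 10.10.0.1 10.10.0.1)"
    echo "/16:     $(check_plan 255.255.0.0 192.168.1.1 192.168.2.1 192.168.3.1 192.168.4.1 192.168.5.1)"
    echo "/24:     $(check_plan 255.255.255.0 192.168.1.1 192.168.2.1 192.168.3.1 192.168.4.1 192.168.5.1)"
    # 10.10.1.5 reaching the NAS at 10.10.0.2: different /24s, so via 10.10.1.1
    echo "10.10.1.5 and 10.10.0.2 in one /24? $(same_net 10.10.1.5 10.10.0.2 255.255.255.0)"
    echo "broadcast for 192.168.2.1/24: $(broadcast_of 192.168.2.1 255.255.255.0)"
}

demo
```

Run it with `sh`. The /16 plan reports a collision at the second address, because 192.168.1.1 through 192.168.5.1 all AND with 255.255.0.0 to 192.168.0.0; that is why every VLAN in the thread needs `netmask 255.255.255.0`. Under /24 each router address is alone in its network, and a host such as 10.10.1.5 reaches the NAS at 10.10.0.2 by sending to its gateway 10.10.1.1, which forwards into 10.10.0.0/24; `same_net` answering "no" is exactly the case where the router does the work.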

## FcukThisGame

Is my subnet mask 255.255.0.0 anywhere?

EDIT: I realized the NAS has gigabit Ethernet. Unless I would see a performance boost by increasing the MTU, we can forget about that. Also, we can eliminate eth0 and its subnet, as it's only 10/100.

I think I've pretty much got this about right. I've added a VLAN for the living room, and some addresses have changed, so let me post my current configs (everything is explained as 10.1.X.Y but written as 192.168.X.Y because I'm currently on a 10.1 network... it will be changed once the router is in place):

```
# /etc/conf.d/net

# eth3: WAN
config_eth3=( "dhcp" )

# eth2: To AP (10.1.4.X and 10.1.5.X), then Roommate's room (10.1.2.X) and Living Room (10.1.3.X)
vlans_eth2="1 2 3 4"
vconfig_eth2=( "set_name_type VLAN_PLUS_VID_NO_PAD" )

# Addresses for the VLAN sub-interfaces belong in config_vlanN; vconfig_vlanN
# is only for vconfig options such as set_flag. Each segment is its own /24,
# so the netmask is 255.255.255.0 and the broadcast is that /24's last address.

#vlan1: Roommate's Room (10.1.2.X)
config_vlan1=( "192.168.2.1 broadcast 192.168.2.255 netmask 255.255.255.0" )

#vlan2: Living Room (10.1.3.X)
config_vlan2=( "192.168.3.1 broadcast 192.168.3.255 netmask 255.255.255.0" )

#vlan3: Home Wireless (10.1.4.X)
config_vlan3=( "192.168.4.1 broadcast 192.168.4.255 netmask 255.255.255.0" )

#vlan4: Guest Wireless (isolated, 10.1.5.X)
config_vlan4=( "192.168.5.1 broadcast 192.168.5.255 netmask 255.255.255.0" )

# eth1: To my room, 10.1.1.X
config_eth1=( "192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0" )
```

```
# /etc/dhcp/dhcpd.conf

authoritative;
ddns-update-style interim;

# My subnet, eth1
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.250;
    default-lease-time 86400;
    max-lease-time 86400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
}

# Roommate's subnet, eth2 vlan1
subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.100 192.168.2.250;
    default-lease-time 86400;
    max-lease-time 86400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.1;
    option domain-name-servers 192.168.2.1;
}

# Living Room subnet, eth2 vlan2
subnet 192.168.3.0 netmask 255.255.255.0 {
    range 192.168.3.50 192.168.3.250;
    default-lease-time 86400;
    max-lease-time 86400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.3.255;
    option routers 192.168.3.1;
    option domain-name-servers 192.168.3.1;
}

# Trusted Wireless, eth2 vlan3
subnet 192.168.4.0 netmask 255.255.255.0 {
    range 192.168.4.50 192.168.4.250;
    default-lease-time 86400;
    max-lease-time 86400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.4.255;
    option routers 192.168.4.1;
    option domain-name-servers 192.168.4.1;
}

# Guest Wireless, eth2 vlan4
subnet 192.168.5.0 netmask 255.255.255.0 {
    # Pool starts at .50 so the router's own address (.1) is never leased out.
    range 192.168.5.50 192.168.5.250;
    default-lease-time 86400;
    max-lease-time 86400;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.5.255;
    option routers 192.168.5.1;
    option domain-name-servers 192.168.5.1;
}
```

```
#!/bin/bash
# /etc/scripts/reset-iptables-rules.sh
# This script flushes current iptables rules, creates new ones as specified below, then saves them.

# First we flush our current rules
iptables -F
iptables -t nat -F

# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Set variables
export LAN1=eth1
export LAN2=eth2
export WAN=eth3

# Lock services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN1} -j ACCEPT
iptables -I INPUT 1 -i ${LAN2} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN1} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN1} -j REJECT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN2} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN2} -j REJECT

# Allow access to ssh server from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

# Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i ${LAN1} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN1} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p TCP ! -i ${LAN2} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN2} -d 0/0 --dport 0:1023 -j DROP

# Add the rules for NAT
iptables -I FORWARD -i ${LAN1} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN1} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -I FORWARD -i ${LAN2} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN2} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Port forwarding
#(nothing set up yet)

# Save
/etc/init.d/iptables save
```

Updated Diagram

Current questions:

1) EDIT: The NAS supports gigabit ethernet. Forget crazy MTUs. It goes on the 10.1.3.X subnet.

2) All gig-e ports do auto-switching, right? I shouldn't need a crossover cable for anything, should I?

3) What do I have to do to isolate vlan4 (guest wireless) from the rest of the network but still give internet access?

4) Is port forwarding over a vlan any different from regular port forwarding?

5) Do my iptables rules look right? Any DHCP client I've hooked up hasn't had internet access.

----------
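The three open firewall questions in the last post (isolating vlan4, port forwarding over a VLAN, and why DHCP clients get no internet), together with Veldrin's earlier remark that IP forwarding has to be switched on before any FORWARD rule matters, are worth one worked ruleset. Reviewing the posted script, three points stand out. With `set_name_type VLAN_PLUS_VID_NO_PAD`, tagged traffic arrives on the sub-interfaces vlan1 to vlan4, not on eth2, so every `-i ${LAN2}` rule misses it: VLAN clients are never allowed to forward, and their DHCP and DNS requests hit the `! -i` REJECT rules. `iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT` forwards any inbound packet that happens to name a private destination, rather than only replies to flows the LAN opened. And with an INPUT policy of ACCEPT, the `--dport 0:1023` drops still leave every unprivileged port on the router reachable from the WAN. The script below is an added example written for this page, not the poster's script and not anything shipped by Gentoo: it keeps the thread's interfaces and addresses, uses connection tracking for return traffic, defaults INPUT to DROP, and confines the guest VLAN to the WAN. It assumes the dd-wrt box delivers frames tagged 1-4 on the eth2 cable and that the kernel has connection tracking, the `state` match and the `REJECT` target available. `IPT=echo SYSCTL=echo` previews the commands without root.

```shell
#!/bin/sh
# Added example (not the poster's script): reworked ruleset for the thread's
# layout. eth1 = my room, vlan1-vlan3 on eth2 = roommate/living room/home wifi,
# vlan4 on eth2 = guest wifi, eth3 = WAN. Differences from the posted script:
#  1. the vlanN sub-interfaces are named explicitly ("-i eth2" never matches
#     tagged traffic, which arrives on vlanN);
#  2. WAN traffic is forwarded only for flows conntrack already knows
#     (ESTABLISHED,RELATED) or an explicit port forward, not for any
#     192.168.0.0/16 destination;
#  3. INPUT defaults to DROP, and vlan4 may reach the WAN only.
# "./firewall.sh preview" prints the commands; "./firewall.sh apply" installs them.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

WAN=eth3
GUEST=vlan4
TRUSTED="eth1 vlan1 vlan2 vlan3"   # segments allowed to talk to each other

enable_forwarding() {
    # Without this the kernel never routes between interfaces, whatever
    # FORWARD says. Set it here so a firewall reload does not depend on sysctl.conf.
    $SYSCTL -w net.ipv4.ip_forward=1
}

flush() {
    for t in filter nat; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    $IPT -P INPUT DROP      # the posted script left ports >1023 open to the WAN
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

input_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Trusted segments may use every service the router runs (DHCP, DNS, SSH).
    for i in $TRUSTED; do
        $IPT -A INPUT -i "$i" -j ACCEPT
    done
    # Guests get DHCP and DNS from the router and nothing else.
    $IPT -A INPUT -i $GUEST -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i $GUEST -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $GUEST -p tcp --dport 53 -j ACCEPT
    # SSH from the WAN, rate-limited so a password-guessing run cannot flood the log.
    $IPT -A INPUT -i $WAN -p tcp --dport 22 -m state --state NEW \
        -m limit --limit 6/min --limit-burst 6 -j ACCEPT
}

forward_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP
    # Trusted segments reach each other and the WAN.
    for i in $TRUSTED; do
        $IPT -A FORWARD -i "$i" -o $WAN -j ACCEPT
        for o in $TRUSTED; do
            [ "$i" = "$o" ] || $IPT -A FORWARD -i "$i" -o "$o" -j ACCEPT
        done
    done
    # Guest wireless: WAN only. No rule lets vlan4 reach an internal interface,
    # so the DROP policy isolates it; the REJECT turns a timeout into an
    # immediate error for guests who try.
    $IPT -A FORWARD -i $GUEST -o $WAN -j ACCEPT
    $IPT -A FORWARD -i $GUEST -j REJECT --reject-with icmp-admin-prohibited
}

nat_rules() {
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

# port_forward PROTO WAN_PORT INNER_HOST INNER_PORT OUT_IF
# Forwarding into a VLAN is no different from any other segment; only the
# "-o vlanN" changes. Hypothetical host: port_forward tcp 2222 192.168.3.10 22 vlan2
port_forward() {
    $IPT -t nat -A PREROUTING -i $WAN -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
    $IPT -A FORWARD -i $WAN -o "$5" -p "$1" -d "$3" --dport "$4" \
        -m state --state NEW -j ACCEPT
}

apply_all() {
    enable_forwarding
    flush
    input_rules
    forward_rules
    nat_rules
}

case "${1:-}" in
    apply)   apply_all ;;
    preview) IPT=echo; SYSCTL=echo; apply_all ;;
    "")      : ;;
    *)       echo "usage: $0 apply|preview" >&2; exit 2 ;;
esac
```

After `apply`, the poster's `/etc/init.d/iptables save` still persists the result. `port_forward` answers question 4: a DNAT into a VLAN host needs the same PREROUTING rule as anywhere else, plus a FORWARD rule whose `-o` is the vlanN sub-interface. One caveat on the VLAN numbering itself: on many switches VLAN 1 is the default or native VLAN and leaves the trunk untagged, so if the roommate's segment never shows up on vlan1 while vlan2 to vlan4 work, renumber it before debugging the firewall.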

