Date: Thu, 25 May 2000 22:50:47 -0500
From: Jeffrey Dunitz <orpheus@lemieux.hockey.net>
To: Keith Longman <kblguy@ispchannel.com>
Cc: questions@FreeBSD.ORG
Subject: Re: how to configure a dhcp based network to gain access to the internet via a cable modem
Message-ID: <20000525225047.A13530@lemieux.condolan.asn>
In-Reply-To: <000801bfc6ce$d81e72e0$161f83d0@sparldil.mediacom.ispchannel.com>
References: <000801bfc6ce$d81e72e0$161f83d0@sparldil.mediacom.ispchannel.com>
On Thu, May 25, 2000 at 09:57:05PM -0700, Keith Longman said something like:

> Hello, my name is Keith and I am a cable modem installer. I have run into a
> couple of installations where I am hooking into a small residential hub and
> trying to gain access to the internet with multiple machines. Our ISP
> provider uses DHCP to gain an IP address. How do you configure this? My com
> wants us to just configure one PC to gain access, but I want to learn more
> about this topic. Can it be done easily or at all? Help if you can.
> Thank you, Keith

Normally, the easiest--and most secure--way to do this is to set up one
machine as a NAT router and firewall/proxy for the others. Have the external
ethernet interface on this firewall get its DHCP address from the ISP, and
have the inside address either serve its own range of DIFFERENT DHCP
addresses, or use static addresses in the private range.

Here's a diagram:

    192.168.1.64 pc1 __                 le0____le1
                       \                |      |         dhcp          ( i )
                        [hub]-----------|  FW  |-----------------------( n )
                       /                |______|                       ( e )
    192.168.1.65 pc2 __/                                               ( t )

So now note the following:

le0 (internal interface on the firewall) is 192.168.1.1
All the PCs use 192.168.1.1 as their default gateway
le1 on the firewall is connected to the cable modem with the crossover
cable--NOT plugged into the hub with the rest of the stuff.

Using ipf and NAT (documented elsewhere), you establish the following
general rules:

all 192.168.1.xxx addresses are translated to whatever is on the le1 side
of the network
no connections from the outside are allowed in (unless you want that...)

Now, as far as the cable modem ISP is concerned, everything from the two PCs
inside looks like it's coming from the outside interface of the firewall.
If you turn on the firewall and it acquires the address 204.71.106.211, all
traffic from 192.168.1.65 looks like it's coming from 204.71.106.211.
OK, I'll break down and give you the NAT rules to accomplish that (these
rules are from a NetBSD box, and may not be exactly right):

# le1 is the outside (cable modem) interface; 0/32 means "whatever address
# le1 currently holds", which matters because that address comes from DHCP.
# The proxy rules go first so they match before the catch-all map below.
map le1 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map le1 192.168.1.0/24 -> 0/32 proxy port http http/tcp
map le1 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
-----------

That pretty much does the outgoing stuff.

Now, on my home net, I'm running my own DNS, which does two things: it
allows me to connect to machines at home by name when I'm not dialed up to
the internet, and it caches internet DNS requests, saving a little
bandwidth. This is easy to set up, and I think it's worth it. Not
necessary, though.

However, one thing I consider to BE a necessity is a local caching web
proxy. I use apache, simply because I'm too lazy to switch to squid. If I
had to do it again, I'd use squid. This saves a TON of bandwidth. All you
do is uncomment like 4 lines of stuff and tweak a couple of numbers in the
httpd.conf file (for apache). Squid is a little more involved, but not
much. I allocate a couple hundred megs of cache at least. My formula is:

cache size = (number of megabytes per hour the link is capable of * 24)

That way, I can mirror entire websites and beat on stuff all day long and
it'll still be cached. Chances are I'm not going to be sucking stuff down
full bore for 24 solid hours, so the cache actually retains a couple of
days' worth of stuff.

I hope that gives you a good introduction to the concepts; read up on the
natd manpage (which gives a step-by-step tutorial using a method slightly
different from mine) and also the manpages for ipf, httpd, and squid. Also,
get the book "Building Linux and OpenBSD Firewalls", which gets mentioned
on this list occasionally. Of course, you're always encouraged to hire
ENRGi to handle any kind of network/firewall situation.
:)

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jeffrey Dunitz                 | *** ENRGi.com ***  | orpheus@avalon.net
BOFH Emeritus, Avalon Networks | Network Engineer   | (651) 686-9974
/ http://www.avalon.net/~orpheus | Net/Sec/Dev/Arch | Eagan, MN
_ /

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
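To make the two effects Jeffrey describes concrete (every inside host is rewritten to the firewall's outside address, and nothing from the internet reaches the LAN unless an inside host opened that flow first), here is a small Python model of what an ipnat "map ... portmap tcp/udp 10000:40000" rule does to a packet. This is an added example, not code from the original post or from ipfilter; the inside network, the outside address 204.71.106.211 and the portmap range are taken from the post, while the remote addresses 198.51.100.10 and 203.0.113.7 are constructed for the walkthrough.

```python
# Added example (not from the original post): a toy model of the ipnat
# "map ... portmap tcp/udp 10000:40000" rule, so the behaviour the post
# describes can be checked end to end.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("192.168.1.0/24")      # LAN behind le0 (from the post)
OUTSIDE_ADDR = ip_address("204.71.106.211")    # address le1 got via DHCP (from the post)
PORTMAP_LO, PORTMAP_HI = 10000, 40000          # portmap range in the post's rule


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class PortmapNat:
    """Outbound flows get a fresh source port from the portmap range; replies
    are matched back to the inside host through the same table."""

    def __init__(self):
        self._next_port = PORTMAP_LO
        self._out = {}   # (proto, src, sport, dst, dport) -> mapped outside port
        self._in = {}    # (proto, mapped port, remote addr, remote port) -> (src, sport)

    def outbound(self, pkt):
        """Translate a packet leaving through le1; None if the rule doesn't apply."""
        if pkt.proto not in ("tcp", "udp") or ip_address(pkt.src) not in INSIDE_NET:
            return None
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._out.get(key)
        if port is None:
            if self._next_port > PORTMAP_HI:
                raise RuntimeError("portmap range exhausted")
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        # As the ISP sees it, the packet comes from the firewall's outside address.
        return Packet(pkt.proto, str(OUTSIDE_ADDR), port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Translate a packet arriving on le1; None means it is dropped because
        no inside host ever opened that flow."""
        entry = self._in.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        inside_addr, inside_port = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, inside_addr, inside_port)


def demo():
    """Walk the post's scenario: pc2 browses the web, the reply comes back,
    and an unsolicited probe from the internet gets nowhere."""
    nat = PortmapNat()
    web = "198.51.100.10"   # constructed remote web server (documentation range)
    out = nat.outbound(Packet("tcp", "192.168.1.65", 3456, web, 80))
    reply = nat.inbound(Packet("tcp", web, 80, str(OUTSIDE_ADDR), out.sport))
    probe = nat.inbound(Packet("tcp", "203.0.113.7", 40001, str(OUTSIDE_ADDR), 22))
    return out, reply, probe


if __name__ == "__main__":
    out, reply, probe = demo()
    print("outbound as seen by ISP:", out)
    print("reply delivered to     :", reply)
    print("unsolicited probe      :", "dropped" if probe is None else probe)
```

The point of the model is the inbound side: a packet that matches no entry in the translation table has nowhere to go, which is why the post can say "no connections from the outside are allowed in" without writing a separate rule for it. A real ipf setup still wants explicit block rules on le1, since the NAT table only protects hosts behind it, not the firewall itself.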
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000525225047.A13530>