Date:      Thu, 25 May 2000 22:50:47 -0500
From:      Jeffrey Dunitz <orpheus@lemieux.hockey.net>
To:        Keith Longman <kblguy@ispchannel.com>
Cc:        questions@FreeBSD.ORG
Subject:   Re: how to configure a dhcp based network to gain access to the internet via a cable modem
Message-ID:  <20000525225047.A13530@lemieux.condolan.asn>
In-Reply-To: <000801bfc6ce$d81e72e0$161f83d0@sparldil.mediacom.ispchannel.com>
References:  <000801bfc6ce$d81e72e0$161f83d0@sparldil.mediacom.ispchannel.com>

Around Thu, May 25, 2000 at 09:57:05PM -0700, Keith Longman said something like:
> Hello, my name is Keith and I am a cable modem installer. I have run into a
> couple of installations where I am hooking into a small residential hub and
> trying to gain access to the internet with multiple machines.  Our ISP
> provider uses DHCP to gain an IP address. How do you configure this? My company
> wants us to just configure one PC to gain access, but I want to learn more
> about this topic. Can it be done easily or at all? Help if you can.
> Thank you, Keith

Normally, the easiest--and most secure--way to do this is to set up 
one machine as a NAT router and firewall/proxy for the others. Have the
external ethernet interface on this firewall get its DHCP address from the
ISP, and have the inside address either serve its own range of DIFFERENT
DHCP addresses, or use static addresses in the private range. Here's a 
diagram:

              192.168.1.64 pc1 __        le0____le1
                                 \        |     | dhcp  ( i )
                                  [hub]---| FW  |----- (  n  )
                                 /        |_____|     (   e ) 
           192.168.1.65   pc2 __/                     (  t)
                                                 

So now note the following:
le0 (internal interface on the firewall) is 192.168.1.1
All the PCs use 192.168.1.1 as their default gateway
le1 on the firewall is connected to the cable modem with the crossover
cable--NOT plugged into the hub with the rest of the stuff. 
 
Using ipf and NAT (documented elsewhere), you establish the following
general rules:

all 192.168.1.xxx addresses are translated to whatever is on the le1
side of the network 
no connections from the outside are allowed in (unless you want that...)
 
Now, as far as the cable modem ISP is concerned, everything from the two
PCs inside looks like it's coming from the outside interface of the
firewall. If you turn on the firewall and it acquires the address 
204.71.106.211, all traffic from 192.168.1.65 looks like it's coming from
204.71.106.211. 

OK, I'll break down, and give you the NAT rules to accomplish that:
(these rules are from a NetBSD box, and may not be exactly right)

# ipnat.conf: map rules are keyed on the OUTSIDE interface (le1), and 0/32
# means "translate to whatever address le1 currently has", which is what
# you want with a DHCP lease. ipnat has no http proxy; plain tcp is covered
# by the portmap rule, and only ftp needs its proxy (for active mode).
map le1 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map le1 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map le1 192.168.1.0/24 -> 0/32

-----------

That pretty much does the outgoing stuff. 
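The "documented elsewhere" half, as an added example that is not from the original mail: the rc.conf knobs that make the box forward packets (le1 on DHCP, le0 static at 192.168.1.1) and an ipf.conf that enforces "no connections from the outside are allowed in" by only letting state-tracked replies back in on the cable side. The FreeBSD 4-era rc.conf variable names and the anti-spoofing block rules are my assumptions, not something the post states.

```conf
# /etc/rc.conf (FreeBSD 4-era knob names, assumed)
ifconfig_le1="DHCP"                                   # outside: lease from the ISP
ifconfig_le0="inet 192.168.1.1 netmask 255.255.255.0" # inside: default gateway for pc1/pc2
gateway_enable="YES"                                  # forward between le0 and le1
ipfilter_enable="YES"                                 # load /etc/ipf.conf at boot
ipnat_enable="YES"                                    # load /etc/ipnat.conf (the map rules above)

# /etc/ipf.conf - every rule is "quick", so the first match decides
pass in  quick on lo0 all
pass out quick on lo0 all

# inside: the LAN is trusted, let it reach the firewall and be forwarded
pass in  quick on le0 from 192.168.1.0/24 to any
pass out quick on le0 all

# outside: a packet from the cable side claiming a private source address
# is spoofed or leaked; never let it in (assumed hardening, not in the post)
block in quick on le1 from 192.168.0.0/16 to any
block in quick on le1 from 172.16.0.0/12 to any
block in quick on le1 from 10.0.0.0/8 to any

# outside: the DHCP client on le1 must still hear the ISP's server
pass in  quick on le1 proto udp from any port = 67 to any port = 68

# outside: our own outbound sessions create state; only their replies
# are matched on the way back in, so there is no generic "pass in"
pass out quick on le1 proto tcp/udp from any to any keep state
pass out quick on le1 proto icmp   from any to any keep state

# outside: anything else arriving from the cable modem is dropped and logged
block in log quick on le1 all
```

After the lease on le1 changes, `ipf -y` resyncs ipf's view of the interface addresses, and `ipnat -l` lists the active translations so you can confirm pc1/pc2 traffic is really leaving with le1's address.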

Now, on my home net, I'm running my own DNS, which does two things:
allows me to connect to machines at home by name when I'm not dialed up
to the internet, and caches internet DNS requests, saving a little
bandwidth. This is easy to set up, and I think it's worth it. Not 
necessary, though.
  
However, one thing I consider to BE a necessity is a local caching 
web proxy. I use apache, simply because I'm too lazy to switch to squid.
If I had to do it again, I'd use squid. This saves a TON of bandwidth.
All you do is uncomment like 4 lines of stuff and tweak a couple 
numbers in the httpd.conf file (for apache). Squid is a little more
involved, but not much. I allocate a couple hundred megs of cache at 
least. My formula is:
  cache size = (number of megabytes per hour the link is capable of * 24)

That way, I can mirror entire websites, and beat on stuff all day long and
it'll still be cached. Chances are I'm not going to be sucking stuff down
full bore for 24 solid hours, so the cache actually retains a couple days
worth of stuff.

I hope that gives you a good introduction to the concepts; read up on 
the natd manpage (which gives a step by step tutorial using a method
slightly different from mine) and also the manpages for ipf, httpd, and
squid. Also, get the book "Building Linux and OpenBSD Firewalls", which
gets mentioned on this list occasionally. 
 
Of course, you're always encouraged to hire ENRGi to handle any kind
of network/firewall situation. :)

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jeffrey Dunitz                 | *** ENRGi.com ***   | orpheus@avalon.net
BOFH Emeritus, Avalon Networks | Network Engineer    | (651) 686-9974 /
http://www.avalon.net/~orpheus | Net/Sec/Dev/Arch    | Eagan, MN  _ /


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message