Prepping A SOHO IP Network To Connect To The Net
Steps And Tools For Linking To The Internet
By Trevor Marshall
January 17, 2000
Over the past six months, I have described how to build your own Linux gateway so you can link your home or office network to the Internet. This month, I have prepared another distribution diskette (that you can download from my Web server). I have added a Client DHCP daemon for cable and DSL modems, a Web Server (thttpd), and a professional FTP server (proftpd).
One of the most consistent problems reported to me by readers is, in order for the gateway to be of some use, there needs to be a local network to connect it to. So first, let us look at just how you configure a simple SOHO network so it can be coupled to the Internet with the Linux gateway.
What Is A SOHO Network?
SOHO has become commonly used as the acronym for Small Office Home Office, the catch-all term used by salesmen to discriminate SOHO products from those intended for the "Fortune 500" or "Fortune 100" corporate marketplaces. It is not a term I particularly like, but we are stuck with it.
Configuring a TCP/IP SOHO network initially seems quite confusing. You will have to decide on an IP address to use for each computer, a Netmask, DNS servers, and a lot of other Internet nomenclature. But it is really not too difficult. The Internet infrastructure is logical and well documented. Once the concepts start falling into place, the pace at which you learn will accelerate exponentially.
How Do IP Addresses Work?
Normally, when you set up a computer on the Internet, it is assigned an IP address by the hosting ISP. Most IP addresses are associated with a particular Domain Name. For example, Byte.com is a registered domain name. A human would search for the information about registered domain names using Network Solutions' WHOIS database, or one of the more universal WHOIS sites such as ALLWHOIS.COM. But when your browser is looking for www.byte.com it first goes to one of the root name servers at Network Solutions and finds the Domain Name Server (DNS) address where it in turn can find the actual IP address of your computer (I have already described how a DNS lookup works in my May 99 column.)
On a large Internet-based network each computer has its own name, and its own IP address. The IP addresses are allocated to you by your ISP. For example, if you do a WHOIS search of Internic for CMP.com you will find that it lists VULCAN.CMP.com and KEYSTONE.CMP.com, both of which are functioning as DNS name servers for CMP.com. And each has its own IP address registered on the Internet. VULCAN is at 22.214.171.124 and KEYSTONE is at 126.96.36.199.
Both VULCAN and KEYSTONE are on a subnet, a very small part of the overall TCP/IP address space.
IP addresses are read from left to right, and consist of four numbers each from 0 to 255. In this case both servers are on the subnetwork 188.8.131.52, which means any address in the range specified by the Netmask 255.255.255.240 (184.108.40.206 to 220.127.116.11) will be routed over the Internet to CMP.com.
If you draw out the binary form of the Netmask it is easier to see how it works. The bits of the 32-bit TCP/IP address for which the netmask is 1 identify the subnet itself; only those bits for which the netmask is 0 can be used to select which computer on the subnet will respond.
255 . 255 . 255 . 240 = 11111111 11111111 11111111 11110000
CERF.net is the ISP for CMP.com. Obviously, CMP.com has been allocated a much larger subnet by CERF than just the 16 addresses in this netmask. But whether small or large, the mathematics governing computer IP address selection follow the same rules.
Luckily, a small home-office network does not have to worry too much about how IPs are assigned on the Internet, because several blocks of IP addresses have been set aside specially for private networks. These are where your SOHO will typically be configured.
Selecting An IP Address For Your Own Network
Since a SOHO network is a network intended for a home or small-office environment it will usually have only a few computers connected to it, typically fewer than 10. These machines will not have IP addresses assigned by Internic, but will connect to one of the private IP address spaces described in RFC 1918.
Three blocks of subnet addresses have been set aside for use by private networks. Most routers on the Internet backbone will fail to respond to requests for these addresses, and the addresses will fail to propagate over the Internet. That is why they are called private or local addresses. These three address blocks are:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
The private subnet you will find on my Linux gateway diskettes is 192.168.1.0 to 192.168.1.255 (netmask 255.255.255.0). If your Gateway machine is at 192.168.1.1 and the broadcast address is 192.168.1.255 then there are 253 possible IP locations that you could use for computers on your SOHO. These are from 192.168.1.2 to 192.168.1.254. Unless you have any specific reason to change from this subnet I suggest you leave it alone until after you have gotten your gateway up and running properly.
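The netmask arithmetic described above, and the private-block check from the three RFC 1918 ranges, worked through as an added example (this is not code from the column or from the LRP diskette). It assumes nothing beyond the 192.168.1.0/255.255.255.0 subnet the diskette uses; the mask-validity check and the 10.20.30.40 sample are constructed for illustration.

```python
# Added example: the bit arithmetic behind a netmask, plus an RFC 1918 check.
# The three private blocks listed in the column, as (network, netmask) pairs.
RFC1918_BLOCKS = [
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
]

def to_int(dotted):
    """Turn 'a.b.c.d' into the 32-bit integer a router actually compares."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(n):
    """Inverse of to_int: 32-bit integer back to dotted-quad text."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def subnet_info(addr, netmask):
    """Network, broadcast and host range for addr under netmask.
    Mask bits that are 1 identify the subnet; bits that are 0 select
    the host, exactly as the binary form of the mask shows."""
    a, m = to_int(addr), to_int(netmask)
    host_bits = ~m & 0xFFFFFFFF          # the 0 bits of the mask, as a number
    if host_bits & (host_bits + 1):      # a valid mask is 1s then 0s, nothing else
        raise ValueError("netmask is not contiguous: %s" % netmask)
    network = a & m
    broadcast = network | host_bits
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1),
        "last_host": to_dotted(broadcast - 1),
        "usable_hosts": broadcast - network - 1,
        # what is left for SOHO machines once the gateway takes the first
        # host address: 253 on a 255.255.255.0 subnet, as the column states
        "hosts_after_gateway": broadcast - network - 2,
    }

def is_private(addr):
    """True if addr falls inside one of the RFC 1918 private blocks."""
    a = to_int(addr)
    return any(a & to_int(m) == to_int(net) for net, m in RFC1918_BLOCKS)

if __name__ == "__main__":
    print(subnet_info("192.168.1.1", "255.255.255.0"))
    print(is_private("192.168.1.20"), is_private("172.32.0.1"))
```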
What If You Already Have A TCP/IP Network With Non-Standard Addresses?
If you have a SOHO network set up in any other IP address blocks than the three named above, then you will have to change it or ensure the IP addresses you are using have not been allocated to anybody else, anywhere in the world.
In years past, software consultants sometimes did not follow the Internet's IP rules because they did not anticipate such a fast rate of growth for the Internet infrastructure. I have personally seen several sloppily set up commercial SOHO networks and I can tell you in advance that they are not worth the trouble they cause. Start again, using IP addresses from the private blocks.
Your ISP will provide you with a global IP address for use during any session on the Internet. You may be able to request several IP addresses from an ISP providing DSL or cable modem access. These addresses will either be static or dynamic.
A static IP is one that never changes. It is allocated to you, and you alone. Others can use your static IP to contact the Thttpd Web server in your LRP gateway.
A dynamic IP changes every time you dial into the server. Dynamic IPs let an ISP create more dial-up accounts than there are available IP addresses. Provided not more than a certain percentage of users want to connect to the Internet at the same time, the ISP can sell, for example, 5000 dial-up accounts when there are only 2000 IP slots actually available. If more than 2000 users dial at once then some will receive busy signals.
DSL and cable modem connections are 24/7 connections (24 hours a day, 7 days a week) and so a static IP is usually provided. But some ISPs have found by giving you a dynamic IP it will make it harder for you to run a Web server from your DSL connection. If you have DSL and have not been given a static IP, I recommend you seek out an alternative, more cooperative DSL provider.
When you initiate a dial-up connection with the PPP module on the Linux gateway it will automatically download the IP address for your current session from the ISP. PPP uses a protocol called Dynamic Host Configuration Protocol to do this. A DHCP client is built into the PPP module software. There is a separate DHCP server module (dhcpd.lrp) on the disk to provide IPs dynamically to your SOHO network computers.
You will also be given the addresses of two name servers, DNS1 and DNS2, that are under contract to supply name services to your ISP. If you don't worry about things like contracts you can actually set up your network to point at any name server that might be convenient. Technically, each DNS performs the equivalent function of URL name lookup, but name servers of the larger ISPs can be quite slow, and an advanced user might get a performance boost by looking around for some name servers that respond more quickly.
Finally, you will be given a gateway address.
All these parameters need to be entered into the configuration menus when you boot up your LRP gateway.
DHCPCD, The DHCP Cable/DSL Client Daemon
This new distribution has the DHCP client daemon for those of you who have DSL or cable modems, and need to resolve a dynamic IP. By default it will look for a server on eth0, but you can edit the start-up file /etc/init.d/dhcpcd to change the defaults if you have trouble.
If this module does not find a DHCP server via eth0 when you boot up, then the boot process will hang. Consequently, I have not included "dhcpcd.lrp" in the list of start-up files in "Syslinux.cfg."
If you need to use DHCPCD, I suggest you boot the gateway, alter the configuration parameters, and check that everything is running correctly before you change the Syslinux.cfg load list to look like:
Make sure you have backed up any configuration changes to the floppy before you reboot your system, and use a Unix compatible editor such as 'joe,' or the gateway's own 'ae.' Note that I have assumed you will not need the PPP "dialout.lrp" module, and deleted it from the list.
When I first started this gateway project I had no idea how much could be achieved from a Linux system that booted off a single floppy and executed from the system's internal 16 meg of DRAM. Late last year I read a message on linuxrouter.org posted by Eric Soroos, talking about his LRP configuration, which includes both an FTP server and a filesystem on a hard disk to store the FTP data. The floppy-based boot is still an advantage, for if something crashes, or somebody hacks the system, you can be sure that Linux will boot up fresh again each time, regardless of how the hacker has attempted to alter the system files (you did remember to write-protect your boot floppy, didn't you?).
Eric sent me a copy of his Proftpd.lrp package, and I have included it in this distribution. It is version 1.2.0pre8, the latest version, with a minor change to the /etc/init.d/proftpd script so that it works properly with LRP. You can find out more about this FTP server, and its configuration, from www.proftpd.org.
Like DHCPCD, the FTP server will not boot cleanly unless everything is already running properly. In particular, it tries to use "bind" (the local name server) to resolve the hostname IP. If you include proftpd.lrp in your syslinux.cfg boot list before you have properly configured "bind," then the system will hang on bootup, waiting for the host name resolution that never comes. So, once you have the rest of the gateway running smoothly you can add the FTP server by changing the load list to
Thttpd, The Tiny/Turbo/Throttling HTTP Server
There is also a copy of Jef Poskanzer's Thttpd Web server on this month's distribution diskette.
Thttpd is a simple, small, portable, fast, and secure HTTP server that only takes a few kilobytes of disk space, yet has some features that even Apache cannot match. You can access Thttpd by pointing your browser to 192.168.1.1 from the SOHO network. The documentation for Thttpd is at Jef Poskanzer's website.
One of its best features is you can specify what fraction of your server bandwidth you wish to allow for any particular file type. This is called "throttling," and it lets you specify that, for example, MP3 file downloads should not take up more than 50 percent of your total bandwidth. Just what the doctor ordered.
Firewalls And Security
I am not an expert in Linux firewalls and security, but David Ranch, the maintainer of the Linux IP Masquerade HOWTO sites, most certainly is. He has written Trinity OS, a step-by-step guide to configuring a powerful and secure Linux server, as well as Securing Linux: Step by Step.
Those of you for whom server security is important need to visit his site and take advantage of the material he has published there.
David tells me the correct links to the latest IP Masquerading HOWTO documents are:
http://ipmasq.cjb.net and http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
When I put together the first Linux router project boot floppy back in August, I really had no idea how much we would eventually be able to squeeze onto that single diskette. Although I have tried to keep up with the pace at which you were all evolving specific configurations of the gateway, I have fallen a little behind. I still need to describe the specific configuration files for the multi-NIC configurations, and how to use the gateway to bridge two networks. Next month, I will clean up these remaining issues.
Trevor Marshall is an engineering management consultant, with interests ranging from RF and Hardware design to Linux internals, Internet infrastructure, MPEG, and Digital Video. He started his career in the '70s, designing the Maplin Electronic Music Synthesizers. When the Microcomputer came along, he got sidetracked into computer software, programming the 2650, 8080, Z80, Z8000, 8048, 8306, 6805, 80x86, and Power PC families. Along the way, he also picked up a little expertise in RF system design, biomedical engineering, and the printing industry. His web site is www.trevormarshall.com.
All information published at this website is (C)Copyright 1995-2003 Trevor G Marshall.
All rights are expressly reserved.