[vox-tech] 2-nics question

Dave Margolis vox-tech@lists.lugod.org
Sat, 13 Dec 2003 02:27:26 -0800 (PST)


On Sat, 13 Dec 2003, Jeff Newmiller wrote:

> On Fri, 12 Dec 2003, Dave Margolis wrote:

> This is not a bridge.  That is not to say you should be bridging, but
> bridging implies extension of a single network across media.
>
> The problem with wireless bridging is that it exposes your internal
> network to any passers-by.  With routing, firewalling is much more
> straightforward.
>

I guess I misspoke here.  By saying bridge, I meant to differentiate this
router, whose external NIC is a wireless card, from what I would normally
call a _wireless router_.
>
> Hmm.  I will leave it to you to read HOWTOs and Google for details on
> these topics, but...
>
> a) "pump" or "dhcpcd" to request dhcp leases from the wireless router.  I
> use Debian, which uses the "ifupdown" package to manage interface
> configuration, so I don't know what you will be using in Slackware.

I've got dhcpcd working on the laptop in question.  That's eth1.  eth0 is
the internal network (on which dhcpd is answering).  One of my problems,
before I wrote this e-mail, was that I think that after a reboot my two
PCMCIA cards switched network IDs on me.  When editing a sample firewall
script, I had internal and external swapped.

>
> b) The wireless router hands out private IP addresses, and "stands in" for
> any of your machines that want to access the internet using the single
> public IP address your ISP provides to you... this is called masquerading
> or network address translation (NAT).
>
> c) The laptop can be configured to plain route or to do NAT.  Since
> regular routing requires that you add a special routing entry to the
> wireless router ("send stuff headed for 192.168.1.0/24 to 192.168.0.10"
> where .10 is your laptop wireless address), and that option may not be
> provided to you, you may be required to NAT on the laptop so the
> wireless router doesn't need to know 192.168.1.0/24 exists.
>
> d) NAT on the laptop may be a good thing anyway, since that goes
> hand-in-hand with firewalling, and wireless networks are hardly secure.
>

I get all that.  The routing and NAT concepts I'm
familiar with, but I've never configured a box to do them before.  What I'm
going to end up with is a 1-client NAT network inside my regular network
(transparent NAT, provided by an off-the-shelf Linksys router).

> e) There is a kernel parameter that can be adjusted in your startup
> scripts on the laptop to enable routing.  This is commonly a part of
> normal firewall scripts anyway, but it is good to know the setting has to
> be changed by something.  I use the "shorewall" firewall scripts these
> days.
>
> f) Note that pre-defined firewalls like Shorewall often have an option
> (possibly a default option) to block routing of private addresses across
> the firewall... in your case, you would NOT want to block private
> addresses.

This is what I'm really the furthest away from.  Installing an iptables
ruleset from an online example is one thing.  Paring it down so it's
secure and meets my specific needs is another matter.  I've got plenty of
reading to do.

>
> g) You can use static network configuration on the ethernet segment at
> first, for simplicity.

Nah, setting up dhcpd was the easy part.  I'm ok with that.

>
> h) The trickiest part in the end may be threading external tcp/udp
> connection requests back to your Gamecube... many games assume they can
> open a port and accept requests from your gaming compatriots.  You ought
> to be able to interact with the internet to some degree from the Gamecube
> before you begin to worry about this step, but it is likely to come up
> eventually.  You have to know which ports you want to open up (probably
> game specific), and if possible configure the laptop wireless card with a
> static ip address so you can tell the wireless router where to redirect
> those connection requests (at your laptop).  Then the (NATing) laptop has
> to do the same thing to point the connections back to the GameCube.
>

This really is a good question.  I've helped a couple of buddies get their
Xboxes talking through their off-the-shelf routers.  There is some trial
and error with what ports need to be available for what games and/or game
service providers.  I haven't done any investigation into actually playing
an online game with the GameCube.  Assuming I'll be learning plenty about
iptables in the next few days, I'm sure I'll be able to tweak a config to
meet whatever needs I come across.  And you're right: I'll need to port
forward from my Linksys router to the laptop, and then again to the
GameCube.

>
> If no hub, crossover between network cards.  If hub, two straight-through
> cables.  Actually, some switches these days will automatically figure out
> whether you are using crossover or straight-through cables.  If you use
> 100BaseT or better, be sure to use good quality cables to avoid hair
> pulling.

Ok, well it looks like I'll be heading out for a crossover cable tomorrow
morning.

Well Jeff, thanks a ton for your very thorough answers!

> ---------------------------------------------------------------------------
> Jeff Newmiller                        The     .....       .....  Go Live...
> DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
>                                       Live:   OO#.. Dead: OO#..  Playing
> Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
> /Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
> ---------------------------------------------------------------------------
>
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
>
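The two-NIC NAT router that Jeff's points (c) through (h) describe, written out as one iptables script.  This is an added example, not code from the thread or from either poster.  The interface roles (eth1 wireless/external with a dhcpcd lease, eth0 wired/internal with dhcpd) come from the thread; the inner network 192.168.1.0/24 is Jeff's example range; the laptop's LAN address, the GameCube's address, the game port range and the ssh rule are all assumptions made up for illustration.  The "iptables swapped on me" problem from the thread is handled by a check that refuses to install rules unless the card called internal actually holds the LAN address, and DRY_RUN=1 prints the rules instead of installing them so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Two-NIC NAT router for the laptop in the thread:
#   eth1 = wireless card toward the Linksys (external side, address from dhcpcd)
#   eth0 = wired card toward the GameCube (internal side, dhcpd answers here)
# Everything below the interface names is an assumption for illustration; the
# thread gives no addresses and no game ports.
EXT_IF=eth1
INT_IF=eth0
LAN_NET=192.168.1.0/24      # inner network behind the laptop (Jeff's example range)
LAN_ADDR=192.168.1.1        # laptop's own address on eth0 (assumed)
CONSOLE=192.168.1.50        # GameCube; give it a fixed lease in dhcpd.conf (assumed)
GAME_UDP=4000:4010          # placeholder port range; replace with the game's real ports

# ipt: run iptables, or with DRY_RUN=1 print the command so the ruleset can be
# read through before it touches a live box.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# check_interfaces: PCMCIA cards can swap names across reboots.  Refuse to
# install rules unless the card we call "internal" really carries the LAN address,
# otherwise the masquerade and DNAT rules end up pointing the wrong way.
check_interfaces() {
    ip -o -4 addr show dev "$INT_IF" | grep -q " inet $LAN_ADDR/" \
        || { echo "$INT_IF does not hold $LAN_ADDR; interfaces swapped?" >&2; return 1; }
}

apply_rules() {
    if [ "${DRY_RUN:-0}" != 1 ]; then
        check_interfaces || return 1
        sysctl -w net.ipv4.ip_forward=1 >/dev/null   # (e) the kernel forwarding switch
    else
        echo "sysctl -w net.ipv4.ip_forward=1"
    fi

    # Start from empty tables; default-deny for traffic to and through the laptop.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

    # Traffic addressed to the laptop itself.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p udp --sport 67 --dport 68 -j ACCEPT     # dhcpcd lease from the Linksys
    ipt -A INPUT -i "$INT_IF" -p udp --dport 67 -j ACCEPT                # dhcpd serving the wired LAN
    ipt -A INPUT -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT  # ssh from the LAN side only (assumed)

    # (c)/(d) Masquerade the inner network behind whatever address dhcpcd got on
    # eth1, so the Linksys never has to know 192.168.1.0/24 exists.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE

    # (f) Deliberately no "drop private addresses" rule: both sides of this router
    # are RFC 1918 space, and the upstream Linksys itself talks to us from one.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT

    # (h) Second hop of the double port-forward.  The Linksys (configured in its
    # own UI) sends the game ports to the laptop's wireless address; the laptop
    # rewrites the destination to the GameCube and admits the new connection.
    # The FORWARD rule matches the post-DNAT destination.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport "$GAME_UDP" \
        -j DNAT --to-destination "$CONSOLE"
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$CONSOLE" -p udp --dport "$GAME_UDP" \
        -m state --state NEW -j ACCEPT
}

# Usage:  DRY_RUN=1 sh nat-router.sh apply    (print the rules, no root needed)
#         sh nat-router.sh apply              (install them, as root)
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run it with DRY_RUN=1 first and read the output against the plan in the thread: one MASQUERADE rule on the external interface, one DNAT plus one FORWARD rule per forwarded port range, and nothing that drops 192.168.x.x sources.  Because eth1's address changes with each DHCP lease, MASQUERADE (which looks up the outgoing address per packet) is used rather than SNAT with a fixed address; for the Linksys-side forward to keep working, the wireless card still wants a fixed lease from the Linksys, as Jeff says.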