[lug] cable modem network topology
stimits at idcomm.com
Fri Jul 19 17:39:17 MDT 2002
Jonathan Briggs wrote:
> Look into setting up your firewall as a bridge. I think you'll need a
> kernel patch to allow firewall to work with bridging.
> Bridging is nice because it turns your firewall into a switch instead of
> a router. It won't need an IP address and you won't need to run DHCP on
> the firewall. This is good because the only ways that I can imagine
> getting 3 DHCP IP addresses on one computer involve horrible hacks.
> This link looks promising:
> I have to say I've only heard about this. I've never done it myself.
This is exactly what I am looking for. The biggest problem here is that
the kernel patch is for 2.2.x kernels only. There are bridging options
in 2.4.x kernels (I'm using 2.4.19-rc2), but I have not yet determined
whether the 2.4.x kernels (the doc was written long before 2.4.x and
iptables) can filter over bridges without a patch. If 2.4.x kernels can
use iptables or ipchains and filter without patches, it'll make my day.
If I can also implement some form of shaping to give my machine low
latency and the others good bandwidth, I'll be even more happy. Does
anyone here have experience with bridging on 2.4.x kernels, and if so,
have you used filtering at the same time, or shaping (or QoS)?
D. Stimits, stimits @ idcomm.com
> On Fri, 2002-07-19 at 10:26, D. Stimits wrote:
>>Within the last two weeks, my telephone line quality went permanently
>>downhill. Not only is it between 25% and 33% slower, latency seems to
>>have doubled. The phone company is not interested until it drops below
>>14.4kbps. Within roughly the last week, cable modems became available
>>for a good price (especially compared to DSL).
>>What I want to do is use an old P166 as the firewall/router/gateway, but
>>it is complicated by the need for 3 IP addresses, all of which are
>>dhcp/non-static. Each dynamic address beyond the first costs $5 each,
>>but that is fine for 3 computers that might run at the same time. The
>>gateway/router/firewall does not need a routable IP as far as I am
>>concerned. What I wanted was something like this:
>> | (eth0)
>> P166 firewall/gate/router
>> | (eth1)
>> 8 port switch
>> |- Machine 1
>> |- Machine 2
>> |- Machine 3
>>But how to actually do this is a mystery, it seems as though the P166
>>would need eth0 to respond to multiple dhcp IP's, and then transparently
>>forward them to whichever machine booted up, while still allowing rules
>>to stop things like port 137-139 from passing through. I have never set
>>up a DHCP system, which seems easy if only one machine touches the cable
>>modem, but becomes problematic if the P166 must simply pass through DHCP
>> packets, then do the right firewalling for each machine. Can this be done?
>>D. Stimits, stimits @ idcomm.com
>>Web Page: http://lug.boulder.co.us
>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
More information about the LUG