Information for use
The theory network in our office has some rather bothersome limitations. These limitations only occasionally become truly limiting, but have gotten in Richard's way since day one.
We have a Linksys WRT54G router which we had previously used for wireless and unfiltered internet access. To get around the theory network limitations, Richard has upgraded the firmware on the WRT54G and begun customizing it for that purpose.
The router is now configured as a three-way switch. It now serves as a central bridge between the Columbia internet (unfiltered), the Reichman internal network, and the theory network (a modern-day equivalent of the Berlin Wall).
In the discussion below, the "theory network" is the large 16-port switch we have historically used. The "Reichman network" is what you are on if you are plugged into the router's LAN ports or connected over wireless.
Some of the things that you may want to do that you couldn't before:
I want to ssh directly to the nodes
ip route add 192.168.0.0/23 via 192.168.100.ZZ
I want to access the theory network from the Reichman wireless network. This includes printing and ssh'ing to our local machines.
- Just plug into the Reichman network, and you can automatically access the 192.168.100.* theory network with no extra configuration.
I want to access the Reichman network from the theory network
ip route add 192.168.8.0/24 via 192.168.100.XXX
- Ask Richard what the value of XXX is.
I want to be able to access theory network computers directly from home, without needing to ssh hop.
- We have a VPN setup to access the Reichman network (and by extension, into the theory network). The new VPN setup runs on our router, making it more resilient to computer restarts. This means you won't have to do two ssh hops when transferring files. You can also mount the NFS export from the fileserver over the VPN.
- Ask Richard for your personal VPN keys. These are pre-made OpenVPN files.
- Old keys still work
- Still needs work, as the router's processor is a bit slow for the decrypting necessary.
I want to be able to directly access ssh (or a web server to share files) on my desktop from anywhere on the internet.
We can set up port forwarding directly to our workstations. For example, ssh to gw.reichman.zgib.net port 22XXX connects you to your workstation's ssh server. You can also use port forwarding to run a simple web server on your desktop and share files with anyone via the URL http://gw.reichman.zgib.net:80XX/ .
- This is another workaround to access your desktop if you don't want to set up the vpn access, or you are connecting from a computer which isn't your own.
- To set this up, ask Richard. For ssh port forwarding, you must ensure that you have a secure password!
I want a static IP address (on the reichman network).
- You can give yourself static IP addresses in the Reichman network. This ensures that even if your computer reboots, you will be able to find and ssh to it (also useful for the SSH forwarding listed above).
- You need your MAC address, and set it up in the router web interface ("static dhcp"). You must switch to the reichman network for this to work.
- You could hypothetically set up a rogue static IP address on the theory network, but you'd have to watch out for conflicts. Try looking at 192.168.100.X where X is less than 100.
I can't access things outside because the network is blocking ports.
- While on the Reichman network, your outgoing connections are not blocked the way they are on the theory network.
- Just use the Reichman network and you get this automatically.
I want to be on the theory network but not have outgoing connections blocked.
- With a bit of configuration, it is possible to route blocked ports through the Reichman network, bypassing the theory network's outgoing connection blocks.
- The lines below do this for all ports EXCEPT some ports that Cal doesn't block. Ask Richard what the value of XXX is. This way, we save on the Reichman network's bandwidth quota and let Cal handle the high-traffic ports. Run this on your computer from the THEORY network.
sudo ip rule add from all fwmark 1 table 1
sudo ip route add 192.168.100.0/24 dev eth0 table 1
sudo ip route add 18.104.22.168 via 192.168.100.1 table 1   # This is for vickyp
sudo ip route add default via 192.168.100.XXX table 1
sudo iptables -t mangle -A OUTPUT -o eth0 -p tcp --match multiport ! --dports 22,80,110,143,220,443,465,993,995,8080,5190 -j MARK --set-mark 1
# You likely won't need this one, but it is useful for me:
sudo iptables -t mangle -A OUTPUT -o eth0 -p udp --match multiport ! --destination-ports 37,53,123 -j MARK --set-mark 1
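As an added example (not a script from the original page), here is the same policy-routing setup packaged so it can be reviewed before it is applied and undone without a reboot. The interface and the router's theory-network address (the page's 192.168.100.XXX, which you still have to get from Richard) are parameters, policy_commands prints the rules, run_commands applies them with sudo, and teardown_commands removes exactly what was added. The path_for helper answers the practical question this section raises: for a given protocol and destination port, does traffic leave directly through Cal's uplink or get marked and sent via the Reichman router? The vickyp host route from the original lines is omitted; function names and the script name are my own.

```shell
#!/bin/sh
# Added example, not the page's own script. Policy routing for a host on the
# THEORY network: traffic to ports Cal blocks is fwmark'ed and routed via the
# Reichman router; traffic to ports Cal passes goes out directly.
# Assumption: the router's theory-network address (192.168.100.XXX on the page)
# is supplied by the caller; there is no default because it is site-specific.

MARK=1
TABLE=1
# Ports the page leaves unmarked, i.e. sent directly through Cal's uplink.
TCP_DIRECT="22,80,110,143,220,443,465,993,995,8080,5190"
UDP_DIRECT="37,53,123"

# in_list PORT LIST -> true if PORT is one of the comma-separated LIST entries
in_list() {
  case ",$2," in
    *",$1,"*) return 0 ;;
  esac
  return 1
}

# path_for PROTO PORT -> "direct" (unmarked, via Cal) or "reichman" (marked, via router)
path_for() {
  case "$1" in
    tcp) list=$TCP_DIRECT ;;
    udp) list=$UDP_DIRECT ;;
    *)   echo "unknown"; return 1 ;;
  esac
  if in_list "$2" "$list"; then echo direct; else echo reichman; fi
}

# policy_commands IFACE ROUTER -> the commands (one per line) that install the policy.
# Print them first to review them; run_commands executes them.
policy_commands() {
  cat <<EOF
ip rule add from all fwmark $MARK table $TABLE
ip route add 192.168.100.0/24 dev $1 table $TABLE
ip route add default via $2 table $TABLE
iptables -t mangle -A OUTPUT -o $1 -p tcp -m multiport ! --dports $TCP_DIRECT -j MARK --set-mark $MARK
iptables -t mangle -A OUTPUT -o $1 -p udp -m multiport ! --dports $UDP_DIRECT -j MARK --set-mark $MARK
EOF
}

# teardown_commands IFACE -> commands that remove exactly what policy_commands added
teardown_commands() {
  cat <<EOF
iptables -t mangle -D OUTPUT -o $1 -p udp -m multiport ! --dports $UDP_DIRECT -j MARK --set-mark $MARK
iptables -t mangle -D OUTPUT -o $1 -p tcp -m multiport ! --dports $TCP_DIRECT -j MARK --set-mark $MARK
ip route flush table $TABLE
ip rule del from all fwmark $MARK table $TABLE
EOF
}

# run_commands: execute each line read from stdin with sudo, stopping at the first failure
run_commands() {
  while IFS= read -r cmd; do
    echo "+ $cmd"
    sudo sh -c "$cmd" || return 1
  done
}

# Usage:  sh theory-policy.sh apply eth0 192.168.100.XXX
#         sh theory-policy.sh show  eth0 192.168.100.XXX   (print only)
#         sh theory-policy.sh remove eth0
case "${1:-}" in
  apply)  policy_commands "$2" "$3" | run_commands ;;
  show)   policy_commands "$2" "$3" ;;
  remove) teardown_commands "$2" | run_commands ;;
esac
```

Because the exclusion list is the same string in the mark rule and in path_for, the two cannot drift apart: if Cal's list changes, edit TCP_DIRECT once and both the rules and the answer from path_for follow.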
What ports does Cal block?
He does not block TCP ports 21, 22, 25, 37, 110, 119, 120, 143, 210, 220, 443, 465, 993, 995, 2048-3500, 5000, 5190, 8080, 9003, 12443 as of 2010-05-04.
- Our router is 100 Mbit, which is the same as the internet and theory network uplinks, so under normal usage this will not be a bottleneck. We should monitor it for slowdown under heavy usage (multiple people with full speed transfers).
- Since this is our own internet connection, we should be careful about using excessive bandwidth. We can route high-bandwidth applications through the theory network connection.
Fixing the printer problem
Update: fixed, no need to do anything else. Configuration below will be removed once you reboot, but won't hurt things before then.
Due to a conflicting IP address on another computer on the theory network, our printer is currently not accessible. We need to tell our computers which machine the printer's IP address really belongs to.
You can fix it by doing this:
# Linux
sudo ip neighbour replace to 192.168.100.211 lladdr 00:01:e6:e2:ae:44 dev eth0
You only need this command once each time you boot up, then you should be good to go.
If you use OS X, try this (untested; it may or may not work):
# OS X
sudo arp -s 192.168.100.211 00:01:e6:e2:ae:44
If you use a different operating system, you need to figure out how to "adjust the ARP table" for your operating system (that's the phrase to google for).
A more permanent fix to this problem would be to move our printer to a static IP address that doesn't conflict with those assigned by the DHCP server, but that would require us to change all of our computers' configurations. Another solution would be to get the other machine on the network to change its IP address, but that would only last until the next time someone got that IP address assigned by the DHCP server.
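The following is an added example, not part of the original page: a small shell check that reads the kernel's neighbour (ARP) table and reports whether the printer's IP still maps to the printer's MAC, maps to some other machine's MAC (the conflict described above), or has no usable entry at all, and prints the page's fix command for Linux or OS X. The function and variable names are mine; the sample neighbour-table output is constructed for the test and is not real data.

```shell
#!/bin/sh
# Added example, not from the original page: detect whether the neighbour (ARP)
# entry for the printer still points at the printer's MAC address.
PRINTER_IP="192.168.100.211"            # from the page
PRINTER_MAC="00:01:e6:e2:ae:44"         # from the page

# neigh_mac IP  (reads `ip neigh show` output on stdin) -> prints the lladdr for IP,
# lowercased, or nothing if there is no entry or it has no lladdr (FAILED/INCOMPLETE)
neigh_mac() {
  awk -v ip="$1" '$1 == ip { for (i = 1; i < NF; i++) if ($i == "lladdr") print tolower($(i + 1)) }'
}

# check_neigh IP MAC  (reads neighbour table on stdin)
#   returns 0: entry matches MAC
#           1: entry exists but points at a different MAC  (the IP conflict)
#           2: no usable entry
check_neigh() {
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  have=$(neigh_mac "$1")
  [ -n "$have" ] || return 2
  [ "$have" = "$want" ] || return 1
  return 0
}

# fix_command OS IP MAC [DEV] -> the command the page gives for that OS
fix_command() {
  case "$1" in
    Linux)  echo "sudo ip neighbour replace to $2 lladdr $3 dev ${4:-eth0}" ;;
    Darwin) echo "sudo arp -s $2 $3" ;;
    *)      echo "# adjust the ARP table for $1 manually"; return 1 ;;
  esac
}

# Constructed sample of `ip neigh show` output (not real data): the printer's IP
# currently resolves to a different machine's MAC, and one neighbour has failed.
SAMPLE_NEIGH='192.168.100.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.100.211 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.100.250 dev eth0 FAILED'

# check_printer [DEV]: run the check against the live table and report the result
check_printer() {
  rc=0
  ip neigh show dev "${1:-eth0}" 2>/dev/null | check_neigh "$PRINTER_IP" "$PRINTER_MAC" || rc=$?
  case $rc in
    0) echo "printer entry OK" ;;
    1) echo "CONFLICT: $PRINTER_IP maps to another MAC; run:"
       fix_command "$(uname -s)" "$PRINTER_IP" "$PRINTER_MAC" "${1:-eth0}" ;;
    2) echo "no entry for $PRINTER_IP yet (nothing cached, or the printer is down)" ;;
  esac
  return $rc
}
```

Run check_printer after each boot (or from cron) to see whether the manual entry is still in place; return code 1 is the condition the page's ip neighbour replace line fixes, and return code 2 just means nothing has talked to that address yet.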
Technical Setup Information
- separate subnet:
- vlan ports:
- Internal port layout:
- We have a WRT54G v2.2, so port 5 = internal (CPU), LAN = ports 1-4, uplink = port 0
- vlan#5 = internal
- vlan#1 = wired 1
- Previous setup
- vlan0 - Reichman network (ports 1-5)
- vlan1 - uplink (0, 5)
lan_ifnames=vlan0 eth1 eth2 eth3
vlan0hwname=et0
vlan0ports=1 2 3 4 5*
vlan1hwname=et0
vlan1ports=0 5
wan_iface=vlan1
wan_ifname=vlan1
wan_ifnameX=vlan1
wan_ifnames=vlan1
# brctl show
bridge name     bridge id               STP enabled
br0             8000.0013100f98b8       no
# ifconfig -a
br0       Link encap:Ethernet  HWaddr 00:13:10:0F:98:B8
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:352160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:493259 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:40135524 (38.2 MiB)  TX bytes:372012786 (354.7 MiB)

eth0      Link encap:Ethernet  HWaddr 00:13:10:0F:98:B8
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1471881 errors:13 dropped:0 overruns:11 frame:11
          TX packets:385215 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:469915875 (448.1 MiB)  TX bytes:61709636 (58.8 MiB)
          Interrupt:5 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:13:10:0F:98:BA
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:352136 errors:0 dropped:0 overruns:0 frame:19176014
          TX packets:493848 errors:158 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:45065284 (42.9 MiB)  TX bytes:373772337 (356.4 MiB)
          Interrupt:4 Base address:0x1000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2717 (2.6 KiB)  TX bytes:2717 (2.6 KiB)

tun11     Link encap:Point-to-Point Protocol
          inet addr:10.20.40.4  P-t-P:10.20.40.4  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vlan0     Link encap:Ethernet  HWaddr 00:13:10:0F:98:B8
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:37654 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:15075937 (14.3 MiB)

vlan1     Link encap:Ethernet  HWaddr 00:13:10:0F:98:B9
          inet addr:22.214.171.124  Bcast:126.96.36.199  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1471880 errors:0 dropped:0 overruns:0 frame:0
          TX packets:347561 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:443421967 (422.8 MiB)  TX bytes:46633699 (44.4 MiB)
- New setup
- DHCP. Found from ps:
udhcpc -i vlan1 -s dhcpc-event -H unknown
- Doesn't work as we need an event script to do the actual setting of the interface. Using a static IP instead.
- vlan0 - Reichman network - (2,3,4,5)
- vlan1 - internet uplink - (0,5)
- vlan2 - link to theory network, physical port 1 - (1, 5)
- NVRAM changes:
nvram set vlan0ports="2 3 4 5*"
nvram set vlan2hwname=et0
nvram set vlan2ports="1 5"
nvram commit
- Startup scripts
ifconfig vlan2 192.168.100.XXX
iptables -t nat -A POSTROUTING -o vlan2 -j MASQUERADE
ip route add 192.168.0.0/23 via 192.168.100.YY
iptables -A INPUT -i vlan2 -j ACCEPT
iptables -A FORWARD -i vlan2 -j ACCEPT
# warning: turning on connection accept/drop logging will mess with the -A INPUT rule.
- Admin setup: local access via http/https/ssh. Remote access via ssh port 2222 and https 4433. No passwords accepted via ssh.