SDB:DSL Gateway for Private Networks in SuSE Linux 8.0 or Higher



Version: 8.0

Situation

Your computer has a DSL connection via PPPoE and you want to use it as an Internet gateway for your local network.

Procedure

Issues of this complexity exceed the scope of our free-of-charge installation support. However, these brief instructions should help you to set up such a gateway.
This article cannot impart the basics of firewalls and system security. Find some reading material about these subjects at the URL of our publishing house, "SuSE Press", at http://www.susepress.de/.

SuSE shall not be liable for any damages caused to your data or to your local network by the use of a gateway.

Below is a step-by-step guide including some configuration tests.

Note:
In the following lines, the computer that will act as a gateway is known as gateway and the computers on your LAN are called clients.

  1. The gateway requires two network cards: one for the DSL connection and the other one for the local network. Use YaST2 to configure these cards: YaST2 -> Network/Base -> Network card configuration. Configure the network card for the LAN first. Assign a static IP address.

	IP address: 192.168.0.1
	Subnetmask: 255.255.255.0

No changes are necessary in the host name or routing. Save the configuration.

Note:
If a local network is already available, select the IP address from it. We recommend using addresses from the 192.168 range for your local network. In this example, the IP addresses for the local network have been taken from the range 192.168.0.0 to 192.168.0.255.

Network Card Test for the LAN

Ping the newly configured network card with the command ping -c 2 192.168.0.1. The output will be similar to:

	PING 192.168.0.1 (192.168.0.1) from 192.168.0.1 : 56(84) bytes of data.
	64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.655 ms
	64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.329 ms
	--- 192.168.0.1 ping statistics ---
	2 packets transmitted, 2 received, 0% loss, time 1008ms
	rtt min/avg/max/mdev = 0.329/0.492/0.655/0.163 ms

If your output is not similar to this, repeat the configuration process of the network card (something has gone wrong). Abort the command ping anytime by hitting CTRL + C.

  2. Now proceed to configure your second network card, the one that addresses the DSL modem. You can use YaST2 for this purpose: YaST2 -> Network/Base -> Network card configuration. An IP address from a different subnet must be assigned to this card to avoid interference with the local network.

	IP address: 192.168.2.22
	Subnetmask: 255.255.255.0

No changes are necessary in the host name or routing. Save the configuration.

Network Card Test for the DSL Modem

Ping the newly configured network card with the command ping -c 2 192.168.2.22. The output will be similar to:

	PING 192.168.2.22 (192.168.2.22) from 192.168.2.22 : 56(84) bytes of data.
	64 bytes from 192.168.2.22: icmp_seq=1 ttl=255 time=0.655 ms
	64 bytes from 192.168.2.22: icmp_seq=2 ttl=255 time=0.329 ms
	--- 192.168.2.22 ping statistics ---
	2 packets transmitted, 2 received, 0% loss, time 1008ms
	rtt min/avg/max/mdev = 0.329/0.492/0.655/0.163 ms

If your output is not similar to this, repeat the configuration process of the network card (something has gone wrong).

Testing the Connection to the LAN

If the network card tests have been successful, proceed now to test if the clients can be reached from the gateway. Use the command ping for this purpose. At least some clients should react to the command ping -c 3 -b 192.168.0.255. The output should be similar to:

	WARNING: pinging broadcast address
	PING 192.168.0.255 (192.168.0.255) from 192.168.0.1 : 56(84) bytes of data.
	64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.774 ms
	64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=1.19 ms (DUP!)
	64 bytes from 192.168.0.3: icmp_seq=1 ttl=255 time=1.30 ms (DUP!)
	64 bytes from 192.168.0.4: icmp_seq=1 ttl=64 time=1.57 ms (DUP!)
	--- 192.168.0.255 ping statistics ---
	2 packets transmitted, 2 received, +3 duplicates, 0% loss, time 1010ms
	rtt min/avg/max/mdev = 0.325/1.033/1.573/0.438 ms

In this example, the machines with the IP addresses 192.168.0.1 (gateway) and 192.168.0.2 to 192.168.0.4 (clients) have replied. If you know the IP address of a client, ping it directly to test the connection. It is essential that the clients can be reached from the gateway and vice versa. If this connection does not work, solve the problem within the LAN before trying to connect the LAN to the Internet.

  3. Configure the DSL access on the gateway as described in the Reference manual, page 391, or in the Basics manual (Personal Edition), page 89. Use eth1 as the Ethernet card and do not activate the firewall. If Dial on Demand is activated, the gateway will set up a connection to the Internet as soon as the gateway or a client sends a request to the Internet. This is only advisable if you have a flat-rate Internet connection.

Testing the Connection to the Internet

Test the Internet connection from the gateway. The command cinternet enables you to start (cinternet -start) or stop (cinternet -stop) the connection manually. Set up the connection, wait for 30 seconds, and test it again with the command ping. For example, ping our web server www.suse.de with ping -c 4 www.suse.de. The output should be similar to:

	 ping -c 4 www.suse.de
	PING www.suse.de (213.95.15.200) from 217.225.119.194 : 56(84) bytes of data.
	64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=1 ttl=251 time=23.9 ms
	64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=2 ttl=251 time=23.7 ms
	64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=3 ttl=251 time=24.0 ms
	64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=4 ttl=251 time=24.0 ms
	--- www.suse.de ping statistics ---
	4 packets transmitted, 4 received, 0% loss, time 3030ms
	rtt min/avg/max/mdev = 23.775/23.941/24.035/0.184 ms

As in the case above, it is essential that this connection works. Otherwise, solve the problem with the Internet connection before trying to connect the LAN to the Internet.
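Every test so far is judged by reading the output of ping. The following shell script, added here as an example and not part of the original SDB article, extracts the loss percentage and the list of responders from that output so that the card tests, the broadcast test of the LAN and the Internet test can be checked by a script instead of by eye. The two samples are constructed: the first is the broadcast output shown above, the second a made-up run with total loss; the function names are my own.

```shell
#!/bin/sh
# Added example: judge ping output automatically. Samples below are constructed, not live.

# Constructed sample: "ping -c 3 -b 192.168.0.255" run on the gateway (taken from the article).
LAN_SAMPLE='WARNING: pinging broadcast address
PING 192.168.0.255 (192.168.0.255) from 192.168.0.1 : 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.774 ms
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=1.19 ms (DUP!)
64 bytes from 192.168.0.3: icmp_seq=1 ttl=255 time=1.30 ms (DUP!)
64 bytes from 192.168.0.4: icmp_seq=1 ttl=64 time=1.57 ms (DUP!)
--- 192.168.0.255 ping statistics ---
2 packets transmitted, 2 received, +3 duplicates, 0% loss, time 1010ms
rtt min/avg/max/mdev = 0.325/1.033/1.573/0.438 ms'

# Constructed sample: a failed Internet test, the kind of output that means "something has gone wrong".
FAIL_SAMPLE='PING www.suse.de (213.95.15.200) from 217.225.119.194 : 56(84) bytes of data.

--- www.suse.de ping statistics ---
4 packets transmitted, 0 received, 100% loss, time 3020ms'

# Print every host that answered, one per line, without duplicates.
# Handles both "from 192.168.0.2:" and "from Turing.suse.de (213.95.15.200):".
ping_responders() {
    printf '%s\n' "$1" | sed -n 's/^[0-9]* bytes from \([^ :]*\).*/\1/p' | sort -u
}

# Print the loss percentage from the statistics line ("0% loss" or "0% packet loss").
ping_loss_percent() {
    printf '%s\n' "$1" | sed -n 's/.*, \([0-9]*\)% \(packet \)\{0,1\}loss.*/\1/p'
}

# Succeed (exit 0) only when the statistics line reports 0% loss.
ping_no_loss() {
    [ "$(ping_loss_percent "$1")" = "0" ]
}

# Print the responders other than the gateway's own address ($2): the clients that were reached.
# For the broadcast test the article expects at least one such line.
lan_clients_reached() {
    ping_responders "$1" | grep -v "^$2\$" || true
}

# Live use on the gateway: run one of the article's tests and judge it.
# $1 is split into ping arguments, e.g. check_ping "-c 4 www.suse.de".
check_ping() {
    out=$(ping $1 2>&1) || true
    if ping_no_loss "$out"; then
        printf 'OK: replies from %s\n' "$(ping_responders "$out" | tr '\n' ' ')"
    else
        printf 'FAILED: %s%% loss; repeat the configuration of the card\n' "$(ping_loss_percent "$out")"
        return 1
    fi
}

# Stand-alone demonstration on the constructed samples (no network access needed).
printf 'LAN test: %s%% loss, clients reached: %s\n' \
    "$(ping_loss_percent "$LAN_SAMPLE")" "$(lan_clients_reached "$LAN_SAMPLE" 192.168.0.1 | tr '\n' ' ')"
if ping_no_loss "$FAIL_SAMPLE"; then
    echo "unexpected: the failed sample passed"
else
    printf 'Internet sample: %s%% loss, the link is not usable\n' "$(ping_loss_percent "$FAIL_SAMPLE")"
fi
```

On the gateway, `check_ping "-c 3 -b 192.168.0.255"` followed by `lan_clients_reached` on the captured output tells you whether any client answered; an empty client list with 0% loss means only the gateway itself replied, which is the case the article says to fix inside the LAN first.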

  4. Now prepare the gateway to forward requests from the LAN to the Internet. The easiest way is to use the SuSE personal-firewall, a simple iptables-based packet filter that rejects all unauthorized packets from the Internet and takes care of forwarding the requests from the LAN to the Internet. The configuration file of the SuSE personal-firewall, /etc/sysconfig/personal-firewall, contains the configuration variable REJECT_ALL_INCOMING_CONNECTIONS. Edit this file as follows:

	REJECT_ALL_INCOMING_CONNECTIONS="ppp0 masq"

In addition, inform the kernel that you want to be able to forward packets. To do this, edit the file /etc/sysconfig/sysctl and set the variable IP_FORWARD to:

	IP_FORWARD="yes"

Finally, make sure the SuSE personal-firewall is started when the gateway is booted. This can be done with the commands:

	insserv personal-firewall.initial
	insserv personal-firewall.final

Execute the following commands to apply these settings without having to reboot first:

	echo "1" > /proc/sys/net/ipv4/ip_forward
	rcpersonal-firewall start

From SuSE Linux 8.1 on:
The SuSE personal-firewall was dropped from the distribution in SuSE Linux 8.1. Its functionality was added to SuSEfirewall2 as a personal-firewall legacy mode. This means that instead of ensuring that the SuSE personal-firewall is started at boot time, you must ensure that SuSEfirewall2 is started. Do this with the following commands:

	insserv SuSEfirewall2_final
	insserv SuSEfirewall2_init
	insserv SuSEfirewall2_setup

Start SuSEfirewall2 with this command:

	rcSuSEfirewall2 start
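Three settings decide whether the gateway of step 4 is both forwarding and masquerading: the REJECT_ALL_INCOMING_CONNECTIONS entry, IP_FORWARD in /etc/sysconfig/sysctl, and the live value of /proc/sys/net/ipv4/ip_forward. The script below, an added example that is not part of the SDB article, reads all three and reports which are missing. It assumes the SuSE Linux 8.0 file names given above and the sysconfig "KEY=value" syntax; file paths are parameters so the checks can also be run against copies of the files, and it does not know the variable names of the SuSEfirewall2 legacy mode of 8.1, which the article does not give. The function names are my own.

```shell
#!/bin/sh
# Added example: verify the gateway settings from step 4. Assumes SuSE Linux 8.0 file
# locations and sysconfig syntax; the function names are not from the article.

# Read the value of KEY from a sysconfig-style file (KEY="value" or KEY=value);
# the last assignment wins, as it would when the file is sourced by the init scripts.
sysconfig_get() {   # $1 = file, $2 = key
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" 2>/dev/null | tail -n 1
}

# Succeed when REJECT_ALL_INCOMING_CONNECTIONS lists "<DSL interface> masq",
# i.e. the DSL side rejects unsolicited packets and the LAN is masqueraded behind it.
masq_configured() {   # $1 = personal-firewall file, $2 = DSL interface (ppp0 in the article)
    case " $(sysconfig_get "$1" REJECT_ALL_INCOMING_CONNECTIONS) " in
        *" $2 masq "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when /etc/sysconfig/sysctl will re-enable forwarding at the next boot.
forward_persisted() {   # $1 = sysctl file
    [ "$(sysconfig_get "$1" IP_FORWARD)" = "yes" ]
}

# Succeed when the running kernel forwards right now (the echo "1" from the article was done).
forward_active() {   # $1 = ip_forward file
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Report all three settings; the return value is the number of missing ones (0 = gateway ready).
gateway_check() {   # $1 = personal-firewall file, $2 = sysctl file, $3 = ip_forward file, $4 = DSL interface
    missing=0
    if masq_configured "$1" "$4"; then echo "OK      masquerading on $4 ($1)"
    else echo "MISSING set REJECT_ALL_INCOMING_CONNECTIONS=\"$4 masq\" in $1"; missing=$((missing + 1)); fi
    if forward_persisted "$2"; then echo "OK      IP_FORWARD=\"yes\" ($2)"
    else echo "MISSING set IP_FORWARD=\"yes\" in $2"; missing=$((missing + 1)); fi
    if forward_active "$3"; then echo "OK      kernel forwarding enabled ($3)"
    else echo "MISSING echo \"1\" > $3"; missing=$((missing + 1)); fi
    return $missing
}

# Stand-alone run against the live files of a SuSE Linux 8.0 gateway. The "--live" guard keeps
# the check from running (and reporting MISSING) when the file is only sourced for its functions.
if [ "${1:-}" = "--live" ]; then
    gateway_check /etc/sysconfig/personal-firewall /etc/sysconfig/sysctl /proc/sys/net/ipv4/ip_forward ppp0
fi
```

A REJECT_ALL_INCOMING_CONNECTIONS value of just "ppp0" (without masq) protects the DSL side but leaves the LAN without Internet access, and an IP_FORWARD of "no" means the gateway stops forwarding after the next reboot even though the echo "1" worked; the check reports both cases separately.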

Connection Test to the Internet with the SuSE personal-firewall

Launch the connection to the Internet with the command cinternet -start and test it with the command ping as described above.

  5. The last step consists of informing the clients that, from now on, the gateway will provide the Internet connection. On a SuSE Linux 8.0 client, this can be done by entering the gateway's IP address as the standard gateway in YaST2 -> Network/Advanced -> Routing. In this case:

	Standard gateway: 192.168.0.1

In addition, the clients must know how to contact a name server to resolve domain names to IP addresses. For this purpose, read out the name servers from the file /etc/resolv.conf on the gateway while an Internet connection is active. In our example, we have used a T-Online name server. Enter the name server on the clients. For example, on SuSE Linux 8.0 clients: YaST2 -> Network/Advanced -> Host name and DNS. Host name and domain name do not need to be changed.

	Name server list: 217.89.23.137
	Domain search list: .de
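The two facts a client needs from step 5 are the gateway address for its default route and the name servers from the gateway's /etc/resolv.conf. The script below, an added example that is not part of the SDB article, reads the name servers out of resolv.conf text and the default gateway out of "route -n" output, and confirms that a client points at the expected gateway. The resolv.conf and routing-table samples are constructed (the name server address is the one quoted above); the function names are my own.

```shell
#!/bin/sh
# Added example: check a client's gateway and name-server settings. Samples are constructed.

# Constructed sample of the gateway's /etc/resolv.conf during a DSL session.
RESOLV_SAMPLE='# constructed sample, not a real file
search .de
nameserver 217.89.23.137'

# Constructed sample of "route -n" on a client after the standard gateway was set in YaST2.
ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0'

# Print the name server addresses found in resolv.conf-style text, one per line.
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Print the gateway of the default route (destination 0.0.0.0) from "route -n" output.
default_gateway_of() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $2; exit }'
}

# Succeed when the default route points at the expected gateway and at least one name server is set.
client_configured() {   # $1 = route -n output, $2 = resolv.conf text, $3 = expected gateway
    [ "$(default_gateway_of "$1")" = "$3" ] && [ -n "$(resolv_nameservers "$2")" ]
}

# Stand-alone demonstration on the constructed samples.
printf 'name servers to enter on the clients: %s\n' "$(resolv_nameservers "$RESOLV_SAMPLE" | tr '\n' ' ')"
printf 'default gateway of the sample client: %s\n' "$(default_gateway_of "$ROUTE_SAMPLE")"
if client_configured "$ROUTE_SAMPLE" "$RESOLV_SAMPLE" 192.168.0.1; then
    echo "sample client is ready to use the gateway"
fi

# Live use on a client (requires the route command): ./client-check.sh --live
if [ "${1:-}" = "--live" ]; then
    if client_configured "$(route -n 2>/dev/null)" "$(cat /etc/resolv.conf)" 192.168.0.1; then
        echo "client configured for gateway 192.168.0.1"
    else
        echo "client not configured: check the standard gateway and name server in YaST2"
    fi
fi
```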

Connection Test to the Internet from a Client

After setting the standard gateway and name server on the clients, test the connection to the Internet with the command ping as described above.

If all these tests have been successful, the clients are now ready to use the Internet connection provided by the gateway.

<keyword>ROUTER,GATEWAY,TDSL,ADSL,MASQUERADING,FIREWALL,CLIENT,NETWORK,MSSCLAMPFW,PPPOED,MTU,MRU</keyword>