
Diff of /xml/htdocs/doc/en/home-router-howto.xml


Revision 1.59 Revision 1.60
1<?xml version='1.0' encoding='UTF-8'?> 1<?xml version='1.0' encoding='UTF-8'?>
2<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> 2<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
3<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.59 2007/07/27 17:50:59 nightmorph Exp $ --> 3<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/home-router-howto.xml,v 1.60 2008/05/20 18:57:45 swift Exp $ -->
4 4
5<guide link="/doc/en/home-router-howto.xml" lang="en"> 5<guide link="/doc/en/home-router-howto.xml" lang="en">
6<title>Home Router Guide</title> 6<title>Home Router Guide</title>
7 7
8<author title="Author"> 8<author title="Author">
9 <mail link="vapier@gentoo.org">Mike Frysinger</mail> 9 <mail link="vapier@gentoo.org">Mike Frysinger</mail>
10</author> 10</author>
11 11
12<abstract> 12<abstract>
13This document details how to turn an old Gentoo machine into a router 13This document details how to turn an old Gentoo machine into a router
14for connecting your home network to the internet. 14for connecting your home network to the internet.
15</abstract> 15</abstract>
16 16
17<!-- The content of this document is released into the public domain --> 17<!-- The content of this document is released into the public domain -->
18<license/> 18<license/>
25<section> 25<section>
26<body> 26<body>
27 27
28<p> 28<p>
29Building your own router out of old spare parts has many advantages over buying 29Building your own router out of old spare parts has many advantages over buying
30a pre-made canned router by say Linksys. The biggest one by far is control 30a pre-made canned router by say Linksys. The biggest one by far is control
31over the connection. The other advantages are left up to your imagination; 31over the connection. The other advantages are left up to your imagination;
32just about anything can be done in this scenario, it's just a matter of needing 32just about anything can be done in this scenario, it's just a matter of needing
33it. 33it.
34</p> 34</p>
35 35
36<p> 36<p>
40with more elaborate and fun things that can be done (port forwarding, traffic 40with more elaborate and fun things that can be done (port forwarding, traffic
41shaping, proxies/caching, etc...). 41shaping, proxies/caching, etc...).
42</p> 42</p>
43 43
44<p> 44<p>
45Before getting started, there's a few basic requirements you must meet. First, 45Before getting started, there's a few basic requirements you must meet. First,
46you'll need a computer that has at least 2 Network Interface Cards (NICs) in 46you'll need a computer that has at least 2 Network Interface Cards (NICs) in
47it. Next, you'll need the configuration settings for your internet connection 47it. Next, you'll need the configuration settings for your internet connection
48(may include things like IP/DNS/Gateway/username/password). Finally, you'll 48(may include things like IP/DNS/Gateway/username/password). Finally, you'll
49need a bit of spare time and some Gentoo loving. 49need a bit of spare time and some Gentoo loving.
50</p> 50</p>
51 51
52<p> 52<p>
53The conventions used in this guide are: 53The conventions used in this guide are:
62</ul> 62</ul>
63 63
64<impo> 64<impo>
65Due to security precautions, I would highly suggest you shut down any unneeded 65Due to security precautions, I would highly suggest you shut down any unneeded
66services on the router until we have a chance to get the firewall up and 66services on the router until we have a chance to get the firewall up and
67rolling. To view the currently running services, just run <c>rc-status</c>. 67rolling. To view the currently running services, just run <c>rc-status</c>.
68</impo> 68</impo>
69 69
70</body> 70</body>
71</section> 71</section>
72</chapter> 72</chapter>
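Review bot: the warning at lines 65-67 tells the reader to shut down unneeded services until the firewall is up but gives neither the command to do it nor a way to tell which services are actually exposed, and `rc-status` only reports init-script state. Suggest naming the stop command (`/etc/init.d/<service> stop`, plus `rc-update del <service>` so it does not come back on reboot) and adding a check that lists listening sockets, for example `netstat -tulpn`, since anything started outside the runlevel system will not show up in `rc-status` at all.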
75<title>Kernel setup (know thyself first)</title> 75<title>Kernel setup (know thyself first)</title>
76<section> 76<section>
77<body> 77<body>
78 78
79<p> 79<p>
80Your kernel needs to have the drivers running for both your NICs. To see if 80Your kernel needs to have the drivers running for both your NICs. To see if
81your cards are already setup, just run <c>ifconfig</c>. Your output may differ 81your cards are already setup, just run <c>ifconfig</c>. Your output may differ
82slightly from the following, that's fine. What matters is that the interface 82slightly from the following, that's fine. What matters is that the interface
83shows up at all. 83shows up at all.
84</p> 84</p>
85 85
86<pre caption="Checking NICs"> 86<pre caption="Checking NICs">
87# <i>ifconfig -a</i> 87# <i>ifconfig -a</i>
88eth0 Link encap:Ethernet HWaddr 00:60:F5:07:07:B8 88eth0 Link encap:Ethernet HWaddr 00:60:F5:07:07:B8
89 BROADCAST MULTICAST MTU:1500 Metric:1 89 BROADCAST MULTICAST MTU:1500 Metric:1
90 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 90 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
91 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 91 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
92 collisions:0 txqueuelen:1000 92 collisions:0 txqueuelen:1000
93 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) 93 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
94 Interrupt:11 Base address:0x9800 94 Interrupt:11 Base address:0x9800
95 95
96eth1 Link encap:Ethernet HWaddr 00:60:F5:07:07:B9 96eth1 Link encap:Ethernet HWaddr 00:60:F5:07:07:B9
97 BROADCAST MULTICAST MTU:1500 Metric:1 97 BROADCAST MULTICAST MTU:1500 Metric:1
98 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 98 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
99 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 99 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
100 collisions:0 txqueuelen:1000 100 collisions:0 txqueuelen:1000
101 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) 101 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
102 Interrupt:10 Base address:0x9400 102 Interrupt:10 Base address:0x9400
103</pre> 103</pre>
104 104
105<p> 105<p>
106If you do not see your two cards showing up and you're not sure what kind of 106If you do not see your two cards showing up and you're not sure what kind of
107cards you have, try running <c>lspci | grep Ethernet</c>. You can get that 107cards you have, try running <c>lspci | grep Ethernet</c>. You can get that
108from <c>emerge pciutils</c>. Once you have this information, go into your 108from <c>emerge pciutils</c>. Once you have this information, go into your
109kernel and add support for the correct drivers. 109kernel and add support for the correct drivers.
110</p> 110</p>
111 111
112<p> 112<p>
113The next thing you'll need is support for iptables and NAT (and packet shaping 113The next thing you'll need is support for iptables and NAT (and packet shaping
114if you want). The following list is split up into always required (*), 114if you want). The following list is split up into always required (*),
115required only for adsl via PPPoE (a), suggested for everyone (x), and only 115required only for adsl via PPPoE (a), suggested for everyone (x), and only
116for shaper (s) features. It does not matter whether you build the features 116for shaper (s) features. It does not matter whether you build the features
117into the kernel or as a module so long as when the feature is needed, the 117into the kernel or as a module so long as when the feature is needed, the
118correct module(s) are loaded (module loading is left to the reader as a fun 118correct module(s) are loaded (module loading is left to the reader as a fun
119exercise however). 119exercise however).
120</p> 120</p>
121 121
122<pre caption="Network Options"> 122<pre caption="Network Options">
123Networking options ---&gt; 123Networking options ---&gt;
124 [*] TCP/IP networking 124 [*] TCP/IP networking
125 [*] IP: advanced router 125 [*] IP: advanced router
126 [*] Network packet filtering (replaces ipchains) 126 [*] Network packet filtering (replaces ipchains)
127<comment>If you use 2.4.x, you have to enable the following for DHCP:</comment> 127<comment>If you use 2.4.x, you have to enable the following for DHCP:</comment>
128 [*] Socket Filtering 128 [*] Socket Filtering
129 129
130 IP: Netfilter Configuration ---&gt; 130 IP: Netfilter Configuration ---&gt;
131 [*] Connection tracking (required for masq/NAT) 131 [*] Connection tracking (required for masq/NAT)
132 [x] FTP protocol support 132 [x] FTP protocol support
133 [x] IRC protocol support 133 [x] IRC protocol support
134 [*] IP tables support (required for filtering/masq/NAT) 134 [*] IP tables support (required for filtering/masq/NAT)
135 [*] IP range match support 135 [*] IP range match support
136 [x] MAC address match support 136 [x] MAC address match support
137 [*] Multiple port match support 137 [*] Multiple port match support
138 [*] Packet filtering 138 [*] Packet filtering
139 [*] REJECT target support 139 [*] REJECT target support
140 [x] REDIRECT target support 140 [x] REDIRECT target support
141 [*] Full NAT 141 [*] Full NAT
142 [*] MASQUERADE target support 142 [*] MASQUERADE target support
143 [s] Packet mangling 143 [s] Packet mangling
144 [s] MARK target support 144 [s] MARK target support
145 [x] LOG target support 145 [x] LOG target support
146 146
147 QoS and/or fair queueing ---&gt; 147 QoS and/or fair queueing ---&gt;
148 [s] QoS and/or fair queueing 148 [s] QoS and/or fair queueing
149 [s] HTB packet scheduler 149 [s] HTB packet scheduler
150 [s] Ingress Qdisc 150 [s] Ingress Qdisc
151 151
152 [a] PPP (point-to-point protocol) support 152 [a] PPP (point-to-point protocol) support
153 [a] PPP filtering 153 [a] PPP filtering
154 [a] PPP support for async serial ports 154 [a] PPP support for async serial ports
155 [a] PPP support for sync tty ports 155 [a] PPP support for sync tty ports
156 [a] PPP Deflate compression 156 [a] PPP Deflate compression
157 [a] PPP BSD-Compress compression 157 [a] PPP BSD-Compress compression
158 [a] PPP over Ethernet 158 [a] PPP over Ethernet
159</pre> 159</pre>
160 160
161<note> 161<note>
162Some things may be slightly different in a 2.4 vs 2.6 kernel, but you should be 162Some things may be slightly different in a 2.4 vs 2.6 kernel, but you should be
163able to figure it out :). Even among 2.6 kernels, these options have a 163able to figure it out :). Even among 2.6 kernels, these options have a
164tendency to move around. Good luck! 164tendency to move around. Good luck!
165</note> 165</note>
166 166
167</body> 167</body>
168</section> 168</section>
169</chapter> 169</chapter>
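Review bot: lines 80-81 say "just run ifconfig" but the listing at line 87 runs `ifconfig -a`; the two interfaces shown carry no UP flag, and plain `ifconfig` omits interfaces that are down, so the text should say `ifconfig -a` or the reader may conclude the driver is missing. A second point on the option list: "FTP protocol support" and "IRC protocol support" at lines 132-133 are connection-tracking helpers that inspect packet payloads and open dynamically negotiated ports through the firewall; since they are marked suggested-for-everyone (x), a sentence saying what they do would let readers who use neither active FTP nor DCC leave them out.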
175<title>Intro</title> 175<title>Intro</title>
176<body> 176<body>
177 177
178<p> 178<p>
179There are many ways to connect to the internet so I'll just cover the ones I'm 179There are many ways to connect to the internet so I'll just cover the ones I'm
180familiar with. That leaves us with ADSL (PPPoE) and cable modems 180familiar with. That leaves us with ADSL (PPPoE) and cable modems
181(static/dynamic). If there are other methods out there, feel free to write up 181(static/dynamic). If there are other methods out there, feel free to write up
182a little blurb and e-mail me. Feel free to skip any of the following sections 182a little blurb and e-mail me. Feel free to skip any of the following sections
183in this chapter that don't apply to you. This chapter is just about getting 183in this chapter that don't apply to you. This chapter is just about getting
184the router connected to the internet via eth1. 184the router connected to the internet via eth1.
185</p> 185</p>
186 186
187</body> 187</body>
188</section> 188</section>
189<section> 189<section>
190<title>ADSL and PPPoE</title> 190<title>ADSL and PPPoE</title>
191<body> 191<body>
192 192
193<p> 193<p>
194All the fancy PPPoE software that used to be provided by rp-pppoe 194All the fancy PPPoE software that used to be provided by rp-pppoe
195(<uri link="http://www.roaringpenguin.com/">Roaring Penguin</uri>) has been 195(<uri link="http://www.roaringpenguin.com/">Roaring Penguin</uri>) has been
196integrated into the <uri link="http://samba.org/ppp/">standard PPP 196integrated into the <uri link="http://samba.org/ppp/">standard PPP
197package</uri>. Simply <c>emerge ppp</c> and you'll be on your way. Remember 197package</uri>. Simply <c>emerge ppp</c> and you'll be on your way. Remember
198how I said you'll need username/password information? Well I wasn't lying so 198how I said you'll need username/password information? Well I wasn't lying so
199I hope you have it now! Load up <path>/etc/conf.d/net</path> in your favorite 199I hope you have it now! Load up <path>/etc/conf.d/net</path> in your favorite
200editor and set it up. 200editor and set it up.
201</p> 201</p>
202 202
203<note> 203<note>
204In order for the following net settings to work, you must have 204In order for the following net settings to work, you must have
205baselayout-1.12.9 or later installed on your system. 205baselayout-1.12.9 or later installed on your system.
206</note> 206</note>
207 207
208<pre caption="Setting up eth1"> 208<pre caption="Setting up eth1">
209<comment>(Replace 'vla9h924' with your username and 'boogie' with your password)</comment> 209<comment>(Replace 'vla9h924' with your username and 'boogie' with your password)</comment>
212<comment>Tell baselayout to use adsl over eth1 for ppp0:</comment> 212<comment>Tell baselayout to use adsl over eth1 for ppp0:</comment>
213config_ppp0=( "ppp" ) 213config_ppp0=( "ppp" )
214link_ppp0="eth1" 214link_ppp0="eth1"
215plugins_ppp0=( "pppoe" ) 215plugins_ppp0=( "pppoe" )
216pppd_ppp0=( 216pppd_ppp0=(
217 "defaultroute" 217 "defaultroute"
218 "usepeerdns" 218 "usepeerdns"
219 <comment>There may be other settings you want, see /etc/conf.d/net.example</comment> 219 <comment>There may be other settings you want, see /etc/conf.d/net.example</comment>
220) 220)
221username_ppp0="vla9h924" 221username_ppp0="vla9h924"
222password_ppp0="boogie" 222password_ppp0="boogie"
223 223
224# <i>ln -s net.lo /etc/init.d/net.ppp0</i> 224# <i>ln -s net.lo /etc/init.d/net.ppp0</i>
225# <i>rc-update add net.ppp0 default</i> 225# <i>rc-update add net.ppp0 default</i>
226# <i>/etc/init.d/net.ppp0 start</i> 226# <i>/etc/init.d/net.ppp0 start</i>
227</pre> 227</pre>
228 228
229<warn> 229<warn>
230When the DSL interface comes up, it will create ppp0. Although your NIC is 230When the DSL interface comes up, it will create ppp0. Although your NIC is
231called eth1, the IP is actually bound to ppp0. From now on, when you see 231called eth1, the IP is actually bound to ppp0. From now on, when you see
232examples that utilize 'eth1', substitute with 'ppp0'. 232examples that utilize 'eth1', substitute with 'ppp0'.
233</warn> 233</warn>
234 234
235<warn> 235<warn>
236Make sure you change the permissions of the /etc/conf.d/net file so that only 236Make sure you change the permissions of the /etc/conf.d/net file so that only
237root can read/write it since you're sticking your username/password in it. 237root can read/write it since you're sticking your username/password in it.
238</warn> 238</warn>
239 239
240<warn> 240<warn>
241For people transitioning from the <c>rp-pppoe</c> package, or for people who 241For people transitioning from the <c>rp-pppoe</c> package, or for people who
242hit weird connection resets, see the MTU section in the Troubleshooting 242hit weird connection resets, see the MTU section in the Troubleshooting
243chapter. 243chapter.
244</warn> 244</warn>
245 245
246</body> 246</body>
247</section> 247</section>
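Review bot: the warning at lines 236-237 asks for tightened permissions on /etc/conf.d/net but never states the command; suggest `chmod 600 /etc/conf.d/net` directly after the listing, since the warning exists precisely because the file is otherwise readable by other users and the example puts the PPPoE password in it in clear text. The listing could also avoid a literal value at line 222 and keep only the placeholder comment at line 209, so that copy-and-paste does not leave a fake credential in place.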
249<section> 249<section>
250<title>Cable and/or dynamic/static IP</title> 250<title>Cable and/or dynamic/static IP</title>
251<body> 251<body>
252 252
253<p> 253<p>
254If you have a static IP then you will need a few more details than if 254If you have a static IP then you will need a few more details than if
255you have a dynamic IP. For static users, you will need your IP, 255you have a dynamic IP. For static users, you will need your IP,
256gateway, and DNS servers. 256gateway, and DNS servers.
257</p> 257</p>
258 258
259<pre caption="Setting up eth1"> 259<pre caption="Setting up eth1">
260<comment>Dynamic IP Users:</comment> 260<comment>Dynamic IP Users:</comment>
314<title>DHCP Server</title> 314<title>DHCP Server</title>
315<body> 315<body>
316 316
317<p> 317<p>
318I bet it'd be nice if everyone else in your house could just plug their 318I bet it'd be nice if everyone else in your house could just plug their
319computers into the network and things would just work. No need to remember 319computers into the network and things would just work. No need to remember
320mind-numbing details or make them stare at confusing configuration screens! 320mind-numbing details or make them stare at confusing configuration screens!
321Life would be grand eh? Introducing the Dynamic Host Configuration Protocol 321Life would be grand eh? Introducing the Dynamic Host Configuration Protocol
322(DHCP) and why you should care. 322(DHCP) and why you should care.
323</p> 323</p>
324 324
325<p> 325<p>
326DHCP is exactly what its name implies. It's a protocol that allows you 326DHCP is exactly what its name implies. It's a protocol that allows you
327to dynamically configure other hosts automatically. You run a DHCP server on 327to dynamically configure other hosts automatically. You run a DHCP server on
328the router, give it all the information about your network (valid IPs, 328the router, give it all the information about your network (valid IPs,
329DNS servers, gateways, etc...), and then when the other hosts start up, they 329DNS servers, gateways, etc...), and then when the other hosts start up, they
330run a DHCP client to automatically configure themselves. No fuss, no muss! 330run a DHCP client to automatically configure themselves. No fuss, no muss!
331For more information about DHCP, you can always visit <uri 331For more information about DHCP, you can always visit <uri
332link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>. 332link="http://en.wikipedia.org/wiki/DHCP">Wikipedia</uri>.
333</p> 333</p>
334 334
335<p> 335<p>
336We'll use a package called dnsmasq which provides both DHCP and DNS services. 336We'll use a package called dnsmasq which provides both DHCP and DNS services.
337For now lets just focus on the DHCP aspect. Note that if you want to run a 337For now lets just focus on the DHCP aspect. Note that if you want to run a
338different DHCP server, you can find another example in the Fun Things chapter. 338different DHCP server, you can find another example in the Fun Things chapter.
339Also, if you wish to tinker with the DHCP server settings, just read the 339Also, if you wish to tinker with the DHCP server settings, just read the
340comments in <path>/etc/dnsmasq.conf</path>. All the defaults should work fine 340comments in <path>/etc/dnsmasq.conf</path>. All the defaults should work fine
341though. 341though.
342</p> 342</p>
343 343
344<pre caption="Setting up a DHCP server"> 344<pre caption="Setting up a DHCP server">
345# <i>emerge dnsmasq</i> 345# <i>emerge dnsmasq</i>
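Review bot: line 340 says all the dnsmasq defaults should work fine, but the default configuration answers DNS queries on every interface, including the internet-facing one configured in the previous chapter, and the firewall chapter only comes later in the document. A caveat and a suggested `interface=eth0` (optionally with `bind-interfaces`) in /etc/dnsmasq.conf would keep the resolver and DHCP server facing the LAN only, eth0 being the LAN side per line 184.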
352# <i>rc-update add dnsmasq default</i> 352# <i>rc-update add dnsmasq default</i>
353# <i>/etc/init.d/dnsmasq start</i> 353# <i>/etc/init.d/dnsmasq start</i>
354</pre> 354</pre>
355 355
356<p> 356<p>
357Now your little router is a bona-fide DHCP server! Plugin those computers and 357Now your little router is a bona-fide DHCP server! Plugin those computers and
358watch them work! With Windows systems you should go into the TCP/IP Properties 358watch them work! With Windows systems you should go into the TCP/IP Properties
359and select the 'Obtain an IP address automatically' and 'Obtain DNS server 359and select the 'Obtain an IP address automatically' and 'Obtain DNS server
360address automatically' options. Sometimes the changes aren't instantaneous, so 360address automatically' options. Sometimes the changes aren't instantaneous, so
361you may have to open a command prompt and run <c>ipconfig /release</c> and 361you may have to open a command prompt and run <c>ipconfig /release</c> and
362<c>ipconfig /renew</c>. But enough about Windows, let's get back to our 362<c>ipconfig /renew</c>. But enough about Windows, let's get back to our
363favorite penguin. 363favorite penguin.
364</p> 364</p>
365 365
366</body> 366</body>
367</section> 367</section>
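Review bot: style point at line 357, "Plugin those computers" should read "Plug in those computers"; "plugin" as one word is the noun.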
370<title>DNS Server</title> 370<title>DNS Server</title>
371<body> 371<body>
372 372
373<p> 373<p>
374When people want to visit a place on the internet, they remember names, not a 374When people want to visit a place on the internet, they remember names, not a
375string of funky numbers. After all, what's easier to remember, ebay.com or 375string of funky numbers. After all, what's easier to remember, ebay.com or
37666.135.192.87? This is where the DNS steps in. DNS servers run all over the 37666.135.192.87? This is where the DNS steps in. DNS servers run all over the
377internet, and whenever someone wants to visit 'ebay.com', these servers turn 377internet, and whenever someone wants to visit 'ebay.com', these servers turn
378'ebay.com' (what we understand) into '66.135.192.87' (what our computers 378'ebay.com' (what we understand) into '66.135.192.87' (what our computers
379understand). For more information about DNS, you can always visit <uri 379understand). For more information about DNS, you can always visit <uri
380link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>. 380link="http://en.wikipedia.org/wiki/DNS">Wikipedia</uri>.
381</p> 381</p>
382 382
383<p> 383<p>
384Since we're using dnsmasq for our DHCP server, and it includes a DNS server, 384Since we're using dnsmasq for our DHCP server, and it includes a DNS server,
385you've got nothing left to do here! Your little router is already providing 385you've got nothing left to do here! Your little router is already providing
386DNS to its DHCP clients. Bet you wish everything was this easy ;). 386DNS to its DHCP clients. Bet you wish everything was this easy ;).
387</p>
388
389<p> 387</p>
388
389<p>
390You're welcome to choose other DNS servers if you're more comfortable with 390You're welcome to choose other DNS servers if you're more comfortable with
391them, but the reason dnsmasq is great is because it was designed to do exactly 391them, but the reason dnsmasq is great is because it was designed to do exactly
392what we want and nothing more. It's a little DNS caching/forwarding server for 392what we want and nothing more. It's a little DNS caching/forwarding server for
393local networks. We're not looking to provide DNS for our own domain here, just 393local networks. We're not looking to provide DNS for our own domain here, just
394offer simple DNS services to everyone else on our LAN. 394offer simple DNS services to everyone else on our LAN.
395</p> 395</p>
396 396
397</body> 397</body>
398</section> 398</section>
407While you may think that's great (more bandwidth for you!), I bet they're not 407While you may think that's great (more bandwidth for you!), I bet they're not
408too happy just yet. 408too happy just yet.
409</p> 409</p>
410 410
411<p> 411<p>
412This is where Network Address Translation (NAT) steps in. NAT is a way of 412This is where Network Address Translation (NAT) steps in. NAT is a way of
413connecting multiple computers in a private LAN to the internet when you have a 413connecting multiple computers in a private LAN to the internet when you have a
414smaller number of public IP addresses available to you. Typically you are given 414smaller number of public IP addresses available to you. Typically you are given
4151 IP by your ISP, but you want to let your whole house connect to the internet. 4151 IP by your ISP, but you want to let your whole house connect to the internet.
416NAT is the magic that makes this possible. For more information about NAT, you 416NAT is the magic that makes this possible. For more information about NAT, you
417can always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>. 417can always visit <uri link="http://en.wikipedia.org/wiki/NAT">Wikipedia</uri>.
418</p> 418</p>
419 419
420<note> 420<note>
421Before we get started, make sure you have iptables on your system. Although it 421Before we get started, make sure you have iptables on your system. Although it
422is automatically installed on most systems, you may not have it. If you don't, 422is automatically installed on most systems, you may not have it. If you don't,
423just run <c>emerge iptables</c>. 423just run <c>emerge iptables</c>.
424</note> 424</note>
425 425
426<pre caption="Setting up iptables"> 426<pre caption="Setting up iptables">
427<comment>First we flush our current rules</comment> 427<comment>First we flush our current rules</comment>
471net.ipv4.ip_dynaddr = 1 471net.ipv4.ip_dynaddr = 1
472</pre> 472</pre>
473 473
474<p> 474<p>
475Once you've typed out all of that, the rest of your network should now be able 475Once you've typed out all of that, the rest of your network should now be able
476to use the internet as if they were directly connected themselves. 476to use the internet as if they were directly connected themselves.
477</p> 477</p>
478 478
479<p> 479<p>
480The ip_dynaddr option is useful for dial on demand systems or when your ISP 480The ip_dynaddr option is useful for dial on demand systems or when your ISP
481gives out dynamic addresses. This works around the problem where a connection 481gives out dynamic addresses. This works around the problem where a connection
482is attempted before the internet interface is fully setup. Really this just 482is attempted before the internet interface is fully setup. Really this just
483provides for a smoother network experience for users behind your router. 483provides for a smoother network experience for users behind your router.
484</p> 484</p>
485 485
486</body> 486</body>
487</section> 487</section>
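Review bot: the description of `ip_dynaddr` at lines 480-483 is close but could be made precise: the option lets the kernel rewrite the source address of sockets still in SYN_SENT when the outgoing interface's address changes, which covers a dial-on-demand link that comes up while a LAN host's first connection attempt is already in flight. It does nothing for established connections, which are still lost when a dynamic address changes, and the text should say so rather than describing it only as a "smoother network experience".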
493<section> 493<section>
494<title>Intro</title> 494<title>Intro</title>
495<body> 495<body>
496 496
497<p> 497<p>
498Believe it or not, you're done :). From here on out, I'll cover a bunch of 498Believe it or not, you're done :). From here on out, I'll cover a bunch of
499common topics that may interest you. Everything in this chapter is completely 499common topics that may interest you. Everything in this chapter is completely
500optional. 500optional.
501</p> 501</p>
502 502
503</body> 503</body>
504</section> 504</section>
507<title>Port Forwarding</title> 507<title>Port Forwarding</title>
508<body> 508<body>
509 509
510<p> 510<p>
511Sometimes you would like to be able to host services on a computer behind the 511Sometimes you would like to be able to host services on a computer behind the
512router, or just to make your life easier when connecting remotely. Perhaps you 512router, or just to make your life easier when connecting remotely. Perhaps you
513want to run a FTP, HTTP, SSH, or VNC server on one or more machines behind your 513want to run a FTP, HTTP, SSH, or VNC server on one or more machines behind your
514router and be able to connect to them all. The only caveat is that you can 514router and be able to connect to them all. The only caveat is that you can
515only have one service/machine combo per port. For example, there is no 515only have one service/machine combo per port. For example, there is no
516practical way to setup three FTP servers behind your router and then try to 516practical way to setup three FTP servers behind your router and then try to
517connect to them all through port 21; only one can be on port 21 while the 517connect to them all through port 21; only one can be on port 21 while the
518others would have to be on say port 123 and port 567. 518others would have to be on say port 123 and port 567.
519</p> 519</p>
520 520
521<p> 521<p>
522All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING 522All the port forwarding rules are of the form <c>iptables -t nat -A PREROUTING
523[-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port 523[-p protocol] --dport [external port on router] -i ${WAN} -j DNAT --to [ip/port
524to forward to]</c>. Unfortunately, iptables does not accept hostnames when port 524to forward to]</c>. Unfortunately, iptables does not accept hostnames when port
525forwarding. If you are forwarding an external port to the same port on the 525forwarding. If you are forwarding an external port to the same port on the
526internal machine, you can omit the destination port. See the iptables(8) man 526internal machine, you can omit the destination port. See the iptables(8) man
527page for more information. 527page for more information.
528</p> 528</p>
529 529
530<pre caption="Running the iptables commands"> 530<pre caption="Running the iptables commands">
531<comment>Copy and paste these examples ...</comment> 531<comment>Copy and paste these examples ...</comment>
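Review bot: in the rule template at lines 522-524, `-p protocol` is shown as optional, but `--dport` is only understood by the tcp, udp (and sctp/udplite) protocol matches, so iptables rejects the rule without `-p`; drop the brackets. Two further points: a DNAT rule in PREROUTING only rewrites the destination, and the packet must still be accepted by the FORWARD chain, so the section should say that a matching FORWARD rule (or a policy that already allows it) is required, otherwise forwarded ports silently time out behind a default-deny firewall; and the "one service/machine combo per port" caveat at lines 514-518 applies to the external port only, since `--to ip:port` lets three FTP servers all keep port 21 internally while being reached through three different external ports.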
583<section> 583<section>
584<title>Identd (for IRC)</title> 584<title>Identd (for IRC)</title>
585<body> 585<body>
586 586
587<p> 587<p>
588Internet Relay Chat utilizes the ident service pretty heavily. Now that the 588Internet Relay Chat utilizes the ident service pretty heavily. Now that the
589IRC clients are behind the router, we need a way to host ident for both the 589IRC clients are behind the router, we need a way to host ident for both the
590router and the clients. One such server has been created called 590router and the clients. One such server has been created called
591<c>midentd</c>. 591<c>midentd</c>.
592</p> 592</p>
593 593
594<pre caption="Setting up ident"> 594<pre caption="Setting up ident">
595# <i>emerge midentd</i> 595# <i>emerge midentd</i>
596# <i>rc-update add midentd default</i> 596# <i>rc-update add midentd default</i>
597# <i>/etc/init.d/midentd start</i> 597# <i>/etc/init.d/midentd start</i>
598</pre> 598</pre>
599 599
600<p> 600<p>
601There are a few other ident servers in portage. Depending on your needs, I 601There are a few other ident servers in portage. Depending on your needs, I
602would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>. 602would recommend checking out <c>oidentd</c> and <c>fakeidentd</c>.
603</p> 603</p>
604 604
605</body> 605</body>
606</section> 606</section>
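Review bot: lines 588-591 present midentd as the way to host ident for the router and its clients but do not say what an ident reply reveals. An ident answer maps a TCP connection to a local username, so a daemon that answers truthfully on the WAN side discloses account names to anyone who connects; lines 601-602 already mention `fakeidentd`, so suggest stating that a fixed reply is the safer choice when the only consumer is an IRC network that merely wants some answer, and that whichever daemon is chosen needs a firewall rule admitting port 113 from the WAN, which this section does not mention.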
608<!-- 608<!--
609<section> 609<section>
610<title>Traffic Shaping</title> 610<title>Traffic Shaping</title>
611<body> 611<body>
612<p> 612<p>
613This is an attempt to simply and Gentooify the <uri link="http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/">ADSL Bandwidth Management HOWTO</uri> 613This is an attempt to simply and Gentooify the <uri link="http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/">ADSL Bandwidth Management HOWTO</uri>
614found over at the TLDP. Feel free to refer to the original document 614found over at the TLDP. Feel free to refer to the original document
615for more details. 615for more details.
616</p> 616</p>
617 617
618<p> 618<p>
619Here we will be setting up what some people refer to as a "Packet Shaper", 619Here we will be setting up what some people refer to as a "Packet Shaper",
620<uri link="http://en.wikipedia.org/wiki/Traffic_shaping">"Traffic Shaping"</uri>, 620<uri link="http://en.wikipedia.org/wiki/Traffic_shaping">"Traffic Shaping"</uri>,
621or <uri link="http://en.wikipedia.org/wiki/QoS">"Quality of Service"</uri>. 621or <uri link="http://en.wikipedia.org/wiki/QoS">"Quality of Service"</uri>.
622Simply put, we want to setup rules on our router that will slow down 622Simply put, we want to setup rules on our router that will slow down
623certain activities (like sending large e-mails or downloading from P2P 623certain activities (like sending large e-mails or downloading from P2P
624networks) while keeping other activities (like browsing the web or playing 624networks) while keeping other activities (like browsing the web or playing
625online video games) reasonably fast. A 30 second difference in a video 625online video games) reasonably fast. A 30 second difference in a video
626game is a lot worse than a 30 second difference in downloading large 626game is a lot worse than a 30 second difference in downloading large
627files :). 627files :).
628</p> 628</p>
629 629
630<p> 630<p>
631The first thing is to make sure your kernel has all the features added to 631The first thing is to make sure your kernel has all the features added to
632it. See the chapter on <uri link="#doc_chap2">Kernel setup</uri> for more 632it. See the chapter on <uri link="#doc_chap2">Kernel setup</uri> for more
633information. Next, you will need to <c>emerge iptables iputils</c> so that 633information. Next, you will need to <c>emerge iptables iputils</c> so that
634you will have access to the <c>iptables</c>, <c>ip</c>, and <c>tc</c> 634you will have access to the <c>iptables</c>, <c>ip</c>, and <c>tc</c>
635commands. 635commands.
636</p> 636</p>
637 637
638<p> 638<p>
639Before we jump into the commands, let's cover a little of the theory. The 639Before we jump into the commands, let's cover a little of the theory. The
640way this whole system works is to classify common network streams and then 640way this whole system works is to classify common network streams and then
641to prioritize them. You use iptables to classify network streams, iputils 641to prioritize them. You use iptables to classify network streams, iputils
642to define the different priority levels, and the kernel to adjust speeds. 642to define the different priority levels, and the kernel to adjust speeds.
643Just remember that although you can control outbound traffic pretty tightly 643Just remember that although you can control outbound traffic pretty tightly
644(from the LAN to the WAN), your ability to control inbound traffic (from 644(from the LAN to the WAN), your ability to control inbound traffic (from
645the WAN to the LAN) is somewhat limited. Just remember that the following 645the WAN to the LAN) is somewhat limited. Just remember that the following
646examples are to get your feet wet; if you want more then I'd suggest 646examples are to get your feet wet; if you want more then I'd suggest
647reading up on the subject. In this example, we will be using the 647reading up on the subject. In this example, we will be using the
648<uri link="http://luxik.cdi.cz/~devik/qos/htb/">Hierarchical Token Buckets (HTB)</uri> 648<uri link="http://luxik.cdi.cz/~devik/qos/htb/">Hierarchical Token Buckets (HTB)</uri>
649packet scheduling algorithm. Still with me? Great, let's start shaping :). 649packet scheduling algorithm. Still with me? Great, let's start shaping :).
650</p> 650</p>
651 651
652<pre caption="Setup"> 652<pre caption="Setup">
653DEV=eth1 <comment>NIC connected to WAN</comment> 653DEV=eth1 <comment>NIC connected to WAN</comment>
654RATE_OUT=100 <comment>Available outbound bandwidth (in kilobits [kb])</comment> 654RATE_OUT=100 <comment>Available outbound bandwidth (in kilobits [kb])</comment>
655RATE_IN=1400 <comment>Available inbound bandwidth (in kb)</comment> 655RATE_IN=1400 <comment>Available inbound bandwidth (in kb)</comment>
656 656
657<comment>Here we initialize the priority system. The 45 is used to set the default classification level.</comment> 657<comment>Here we initialize the priority system. The 45 is used to set the default classification level.</comment>
658ip link set dev ${DEV} qlen 30 658ip link set dev ${DEV} qlen 30
659tc qdisc add dev ${DEV} root handle 1: htb default 45 659tc qdisc add dev ${DEV} root handle 1: htb default 45
660tc class add dev ${DEV} parent 1: classid 1:1 htb rate ${RATE_OUT}kbit 660tc class add dev ${DEV} parent 1: classid 1:1 htb rate ${RATE_OUT}kbit
661</pre> 661</pre>
662 662
663<p> 663<p>
664Here we initialized the system which will be used to prioritize all of 664Here we initialized the system which will be used to prioritize all of
665our network traffic. We created our queue, told it to use the HTB 665our network traffic. We created our queue, told it to use the HTB
666algorithm, and set the default classification level to '45'. The 666algorithm, and set the default classification level to '45'. The
667default is completely arbitrary, as are the levels we choose from 667default is completely arbitrary, as are the levels we choose from
668here on out. The only thing that matters is how the levels compare 668here on out. The only thing that matters is how the levels compare
669relatively; a level '10' packet will be given preference over a 669relatively; a level '10' packet will be given preference over a
670level '45' packet. Let's move on to declaring different levels. 670level '45' packet. Let's move on to declaring different levels.
671</p> 671</p>
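The Setup listing above and the level declarations that follow, put together as one script. This is an added example, not code from the guide: it keeps the guide's DEV, RATE_OUT and level numbers (10, 20, 45 are assumptions in the same spirit as the '45' default), adds a dry-run switch so the generated tc commands can be read before they touch a live interface, and splits RATE_OUT into guaranteed shares (rate) that may borrow up to the full link (ceil).

```shell
#!/bin/sh
# Added example (not from the original guide): build the HTB class tree
# described above from a small table of levels.  DEV, RATE_OUT and the
# level numbers 10/20/45 are assumptions mirroring the Setup listing.

DEV=${DEV:-eth1}          # NIC connected to the WAN
RATE_OUT=${RATE_OUT:-100} # outbound bandwidth in kbit
DRY_RUN=${DRY_RUN:-1}     # 1 = print the tc commands, 0 = execute them

# run_tc: print or execute one tc invocation
run_tc() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "tc $*"
    else
        tc "$@"
    fi
}

# htb_init: root qdisc with the default class, plus the parent class that
# owns the whole outbound rate (same two commands as the Setup listing)
htb_init() {
    run_tc qdisc add dev "$DEV" root handle 1: htb default 45
    run_tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${RATE_OUT}kbit"
}

# htb_level LEVEL RATE_PCT PRIO
# Declare one level: a guaranteed share (percentage of RATE_OUT), permission
# to borrow up to the full rate when siblings are idle (ceil), a priority,
# and an SFQ leaf so the flows inside one level share it fairly.
htb_level() {
    level=$1 pct=$2 prio=$3
    rate=$(( RATE_OUT * pct / 100 ))
    run_tc class add dev "$DEV" parent 1:1 classid "1:$level" htb \
        rate "${rate}kbit" ceil "${RATE_OUT}kbit" prio "$prio"
    run_tc qdisc add dev "$DEV" parent "1:$level" handle "$level:" sfq perturb 10
}

# Three example levels: interactive (10), normal (20), bulk and default (45).
# The guaranteed shares add up to 100% of the parent; HTB hands any unused
# share to whichever sibling has something to send.
shape_all() {
    htb_init
    htb_level 10 40 0
    htb_level 20 40 1
    htb_level 45 20 2
}

shape_all
```

Run it as is to see the commands; run it with `DRY_RUN=0` as root to apply them. Lower `prio` wins when two levels compete for borrowed bandwidth, so the interactive level should carry the smallest number.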

<pre caption="Declaring levels">
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${r}kbit ceil ${t}kbit prio ${p}
tc qdisc add dev $DEV parent 1:10 handle 10: sfq
Protocol (NTP) and the ntp package (which provides implementations for both
server and client).
</p>

<p>
Many people run ntp clients on their computers. Obviously, the more clients in
the world, the larger the load the ntp servers need to shoulder. In
environments like home networks though, we can help keep the load down on
public servers while still providing the proper time to all our computers. As
an added bonus, our private updates will be a lot faster for the clients too!
All we have to do is run an ntp server on our router that synchronizes itself
with the public internet servers while providing the time to the rest of the
computers in the network. To get started, simply <c>emerge ntp</c> on the
router.
</p>

<pre caption="Setting up the NTP server">
# <i>nano /etc/conf.d/ntp-client</i>
# <i>/etc/init.d/ntpd start</i>
</pre>

<note>
You should make sure that you allow inbound and outbound communication on the
ntp port (123/udp) when setting up the server. The client just needs outbound
access on port 123 over udp.
</note>
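The firewall rules the note asks for, spelled out, together with an ntp.conf restrict block that limits who may do what with the router's ntpd. This is an added example and not the guide's own configuration: LAN=eth0, WAN=eth1 and 192.168.0.0/255.255.255.0 are assumptions matching the rest of the guide, and the pool hostnames are the public default rather than the author's server list.

```shell
#!/bin/sh
# Added example (not part of the original guide): firewall rules for the
# 123/udp note above, generated from the interface names, plus a restrict
# block for /etc/ntp.conf.  LAN, WAN and the LAN address/mask are
# assumptions; adjust them to your layout.

LAN=${LAN:-eth0}
WAN=${WAN:-eth1}
LAN_ADDR=${LAN_ADDR:-192.168.0.0}
LAN_MASK=${LAN_MASK:-255.255.255.0}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the iptables commands, 0 = run them

run_ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# ntp_firewall: the server side of the note.  LAN hosts may reach 123/udp on
# the router and get answers; the router may query upstream servers over the
# WAN and receive their replies; nothing on the WAN may query the router.
ntp_firewall() {
    run_ipt -A INPUT  -i "$LAN" -p udp --dport 123 -j ACCEPT
    run_ipt -A OUTPUT -o "$LAN" -p udp --sport 123 -j ACCEPT
    run_ipt -A OUTPUT -o "$WAN" -p udp --dport 123 -j ACCEPT
    run_ipt -A INPUT  -i "$WAN" -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
    run_ipt -A INPUT  -i "$WAN" -p udp --dport 123 -j DROP
}

# ntp_conf FILE: write a minimal ntp.conf.  The default restrict line stops
# everyone from modifying the daemon, peering with it, or pulling its status
# (the ntpdc monlist style of query that made open NTP servers useful as
# traffic amplifiers); the LAN line then re-allows ordinary time queries and
# ntpq for the home network.  Note that "noquery" alone does not refuse time
# requests; the WAN DROP rule above is what keeps outsiders from using the
# router as a time source.
ntp_conf() {
    {
        echo "# upstream time sources (public pool; pick your own)"
        echo "server 0.pool.ntp.org iburst"
        echo "server 1.pool.ntp.org iburst"
        echo "server 2.pool.ntp.org iburst"
        echo "driftfile /var/lib/ntp/ntp.drift"
        echo "disable monitor"
        echo "restrict default kod nomodify notrap nopeer noquery"
        echo "restrict 127.0.0.1"
        echo "restrict $LAN_ADDR mask $LAN_MASK nomodify notrap"
    } > "$1"
}

# Usage: sh ntp-router.sh [/path/to/ntp.conf]
ntp_firewall
if [ $# -ge 1 ]; then ntp_conf "$1"; fi
```

Without a file argument the script only prints the firewall rules; with one it also writes the ntp.conf to that path, so pointing it at a scratch file first lets you diff it against the config the ntp package installed.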

<p>
Now, on your clients, have them <c>emerge ntp</c> also. However, we will just
run the ntp client so setup is a lot simpler.
</p>

<pre caption="Setting up an NTP client">
# <i>nano /etc/conf.d/ntp-client</i>
<section>
<title>Rsync Server</title>
<body>

<p>
For those who run multiple Gentoo boxes on the same LAN, you often want to
keep every machine from running <c>emerge sync</c> against remote
servers. By setting up a local rsync, you save on both your bandwidth and
the Gentoo rsync servers' bandwidth. It's pretty simple to do.
</p>

<note>
For a much more in-depth rsync guide, please see the official <uri
link="/doc/en/rsync.xml#local">rsync guide</uri>.
</note>

<p>
Since every Gentoo machine requires rsync, there's no need to emerge it. Edit
the default <path>/etc/rsyncd.conf</path> config file, uncomment the
<c>[gentoo-portage]</c> section, and make sure you add an <c>address</c>
option. All the other defaults should be fine.
</p>

<pre caption="Rsync server config">
pid file = /var/run/rsyncd.pid
use chroot = yes
read only = yes
address = 192.168.0.1

[gentoo-portage]
  path = /mnt/space/portage
  comment = Gentoo Linux Portage tree
  exclude = /distfiles /packages
</pre>

<p>
Then you need to start the service (again, the defaults are OK).
</p>
<title>Mail Server</title>
<body>

<p>
Sometimes it's nice to run your own Simple Mail Transfer Protocol (SMTP) server
on the router. You may have your own reason for wanting to do so, but I run it
so that the users see mail as being sent instantly and the work of
retrying/routing is left up to the mail server. Some ISPs also don't allow
mail relaying for accounts that aren't part of their network (like Verizon).
Also, you can easily throttle the delivery of mail so that large attachments
won't seriously lag your connection for half an hour.
</p>

# <i>rc-update add svscan default</i>
# <i>/etc/init.d/svscan start</i>
</pre>

<p>
I'm a huge fan of qmail, but you're free to use a different mta :). When you
set up e-mail on the hosts in your network, tell them that their SMTP server is
192.168.0.1 and everything should be peachy. You might want to visit the <uri
link="http://netqmail.org/">netqmail homepage</uri> for more documentation.
</p>

</body>
</section>
<!--
<section>
<title>E-mail Virus Scanning</title>
<body>
<p>
If you'd like to provide e-mail virus scanning for your users, but
don't want to have to install a virus scanner on every single machine,
then <c>pop3vscan</c> may just be the thing for you: a transparent
Post Office Protocol (POP) scanner.
</p>

<pre caption="Setting up pop3vscan">
TODO
<section>
<title>Full DHCP Server</title>
<body>

<p>
Earlier we used dnsmasq to provide DHCP service to all our clients. For most
people with a simple small LAN, this is perfect. But you may need something
with more features. Thus we turn to a full-featured DHCP server as provided
by the <uri link="http://www.isc.org/products/DHCP">ISC</uri> folks.
</p>

<pre caption="Setting up dhcpd">
# <i>emerge dhcp</i>
# <i>nano /etc/dhcp/dhcpd.conf</i>
<comment>(Here is a sample configuration file:)</comment>
authoritative;
ddns-update-style interim;
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.250;
  default-lease-time 259200;
  max-lease-time 518400;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.1;
}
# <i>nano /etc/conf.d/dhcpd</i>
<comment>(Set IFACE="eth0")</comment>
# <i>rc-update add dhcpd default</i>
# <i>/etc/init.d/dhcpd start</i>
</pre>

<p>
This is the minimal setup required to replace the dnsmasq DHCP functionality
that we used earlier. Speaking of which, you did remember to disable the DHCP
features in dnsmasq, didn't you? If not, you should do so now (just comment
out the <c>dhcp-range</c> setting in <path>/etc/dnsmasq.conf</path> and restart
the service).
</p>

</body>
<section>
<title>Connect Another LAN (or two or three or ...)</title>
<body>

<p>
Sometimes you need to connect the router to another LAN. Maybe you
want to hook up a group of friends temporarily, or you're a neat freak and
want to section off different groups of computers, or you're just really
really bored. Whatever the reasons, extending the router to other LAN
networks should be pretty straightforward. In the following examples, I will
assume that this new network is connected via a third ethernet card, namely
<c>eth2</c>.
</p>

<p>
First you need to configure the interface. Just take the instructions in the
<uri link="#doc_chap4_pre1">4.1 code listing</uri> and replace <c>eth0</c>
with <c>eth2</c> and <c>192.168.0</c> with <c>192.168.1</c>.
</p>

<p>
Then you need to tweak dnsmasq to service the new interface. Just edit the
<path>/etc/conf.d/dnsmasq</path> file again and append <c>-i eth2</c> to
DNSMASQ_OPTS; using -i multiple times is OK. Then edit
<path>/etc/dnsmasq.conf</path> and add another line like the dhcp-range line
in the <uri link="#doc_chap5_pre1">5.1 code listing</uri>, replacing
<c>192.168.0</c> with <c>192.168.1</c>. Having multiple dhcp-range lines is
OK too.
</p>

<p>
Finally, see the rules in the <uri link="#doc_chap5_pre2">5.2 code
listing</uri> and duplicate the rules that have <c>-i ${LAN}</c> in them. You
may want to create another variable, say <c>LAN2</c>, to make things easier.
</p>
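The "duplicate the rules that have <c>-i ${LAN}</c>" step, done as a loop over a list of LAN interfaces so that a third or fourth LAN is just one more word in a variable. This is an added example, not the guide's 5.2 listing: the per-LAN rules are a minimal assumption standing in for whatever your real rule set contains, and WAN=eth1, LANS="eth0 eth2" are assumptions. It also adds the one thing the "section off different groups of computers" use case needs and that is easy to forget: the router will forward between the LANs unless told not to.

```shell
#!/bin/sh
# Added example (not part of the original guide): per-LAN firewall rules
# generated from a list of interfaces, plus DROP rules between every pair of
# LANs.  The rule set is an assumption, not the guide's 5.2 listing.

WAN=${WAN:-eth1}
LANS=${LANS:-"eth0 eth2"}   # space separated list of LAN interfaces
DRY_RUN=${DRY_RUN:-1}       # 1 = print the iptables commands, 0 = run them

run_ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# lan_rules IFACE: what the single-LAN setup did for eth0, for one interface:
# the LAN may talk to the router, go out to the WAN, and get replies back.
lan_rules() {
    run_ipt -A INPUT   -i "$1" -j ACCEPT
    run_ipt -A FORWARD -i "$1" -o "$WAN" -j ACCEPT
    run_ipt -A FORWARD -i "$WAN" -o "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# isolate_lans: refuse to forward between any two different LANs.  Delete the
# pair you actually want bridged (say, the friends' LAN reaching the printer).
isolate_lans() {
    for a in $LANS; do
        for b in $LANS; do
            [ "$a" = "$b" ] || run_ipt -A FORWARD -i "$a" -o "$b" -j DROP
        done
    done
}

all_lan_rules() {
    for lan in $LANS; do lan_rules "$lan"; done
    isolate_lans
}

all_lan_rules
```

The ACCEPT rules here all name `-o ${WAN}`, so the order of the DROPs relative to them does not matter. If your own FORWARD chain accepts `-i ${LAN}` traffic without an `-o`, the isolation rules must come first; either run `isolate_lans` before the rest or change `-A` to `-I` for it.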

</body>
</section>
<section>
<title>Useful Tools</title>
<body>

<p>
If you're having trouble getting your computers to communicate, you may want to
try out the following tools (they can all be found in the <c>net-analyzer</c>
portage category):
</p>

<table>
<tr>
  <th>Utility</th>
  <th>Description</th>
</tr>
<tr>
  <ti>wireshark</ti>
  <ti>GUI tool to view all raw network data according to filters</ti>
</tr>
<tr>
  <ti>tcpdump</ti>
  <ti>Console tool to dump all raw network data according to filters</ti>
</tr>
<tr>
  <ti>iptraf</ti>
  <ti>ncurses based IP LAN monitor</ti>
</tr>
<tr>
  <ti>ettercap</ti>
  <ti>ncurses based network monitor/control</ti>
</tr>
</table>

</body>
</section>
<section>
<title>DHCP Fails To Start</title>
<body>

<p>
When starting the dhcp init.d script for the first time, it may fail to load
but neglect to give you any useful info.
</p>

<pre caption="DHCP Failing Example">
# <i>/etc/init.d/dhcp start</i>
 * Setting ownership on dhcp.leases ... [ ok ]
 * Starting dhcpd ... [ !! ]
</pre>

<p>
The trick is to know where dhcpd is sending its output. Simply browse to
<path>/var/log</path> and read the log files. Since the exact log file depends
on the package you are using as a syslog, try running <c>grep -Rl dhcpd
/var/log</c> to narrow down the possibilities. Chances are you made a typo in
your config file. You could also try running <c>dhcpd -d -f</c> (short for
debug / foreground) and debug the error based upon the output.
</p>
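A pre-flight check for the dhcpd.conf from the Full DHCP Server section, for the "chances are you made a typo" case described here. This is an added example and not part of the guide: it runs dhcpd's own parse-only test (<c>dhcpd -t -cf</c>) when the binary is installed, then checks that the address range, the router and the DNS server all lie inside the declared subnet, which is a slip a pure syntax check does not catch. The two sample configs it writes are constructed for this example; the good one mirrors the guide's listing, the bad one has the third octet of the range mistyped.

```shell
#!/bin/sh
# Added example (not part of the original guide): sanity-check a dhcpd.conf
# before starting the service.  The embedded sample configs are constructed
# for this example; the good one mirrors the guide's listing.

# ip2int A.B.C.D: dotted quad to an integer (plain arithmetic, no shifts)
ip2int() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
    }
}

# in_subnet IP NETWORK MASK: succeed when IP lies inside NETWORK/MASK
in_subnet() {
    _ip=$(ip2int "$1"); _net=$(ip2int "$2"); _mask=$(ip2int "$3")
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# cfg_value FILE KEY: value of the first "KEY value;" line (first item if a
# comma separated list is given)
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$1" |
        head -n 1 | cut -d, -f1 | tr -d ' '
}

# check_dhcpd_conf FILE: 0 when the config is consistent, 1 otherwise
check_dhcpd_conf() {
    cfg=$1 rc=0
    if command -v dhcpd >/dev/null; then
        # dhcpd's own syntax check; -t only parses, it never starts serving
        dhcpd -t -cf "$cfg" >/dev/null 2>&1 || { echo "check: dhcpd rejects $cfg"; rc=1; }
    fi
    set -- $(awk '/^[[:space:]]*subnet /{print $2, $4}' "$cfg")
    net=$1 mask=$2
    if [ -z "$net" ] || [ -z "$mask" ]; then
        echo "check: no 'subnet ... netmask ...' declaration found"; return 1
    fi
    set -- $(awk '/^[[:space:]]*range /{gsub(";","",$3); print $2, $3}' "$cfg")
    lo=$1 hi=$2
    if [ "$(ip2int "$lo")" -gt "$(ip2int "$hi")" ]; then
        echo "check: range $lo $hi is reversed"; rc=1
    fi
    for ip in "$lo" "$hi" \
              "$(cfg_value "$cfg" 'option routers')" \
              "$(cfg_value "$cfg" 'option domain-name-servers')"; do
        if ! in_subnet "$ip" "$net" "$mask"; then
            echo "check: $ip is outside $net/$mask"; rc=1
        fi
    done
    return $rc
}

# write_sample good|bad FILE: constructed sample configs (not from a real host);
# "bad" mistypes the third octet of the range, a typo dhcpd -t accepts
write_sample() {
    if [ "$1" = good ]; then third=0; else third=1; fi
    {
        echo "authoritative;"
        echo "ddns-update-style interim;"
        echo "subnet 192.168.0.0 netmask 255.255.255.0 {"
        echo "  range 192.168.$third.100 192.168.$third.250;"
        echo "  default-lease-time 259200;"
        echo "  max-lease-time 518400;"
        echo "  option subnet-mask 255.255.255.0;"
        echo "  option broadcast-address 192.168.0.255;"
        echo "  option routers 192.168.0.1;"
        echo "  option domain-name-servers 192.168.0.1;"
        echo "}"
    } > "$2"
}

# Usage: sh dhcpd-check.sh /etc/dhcp/dhcpd.conf
if [ $# -ge 1 ]; then check_dhcpd_conf "$1"; fi
```

The script reports every inconsistency it finds and exits non-zero, so it can sit in front of `/etc/init.d/dhcpd start` in a wrapper. It reads only the first `subnet` block and the first value of each option, which is all the guide's single-subnet configuration has.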

</body>
</section>
<title>Incorrect MTU Value</title>
<body>

<p>
If you experience odd errors (such as not being able to access some webpages
while others load fine), you may be having Path MTU Discovery trouble. The
quick way to test is to run this iptables command:
</p>

<pre caption="Circumvent MTU issues">
# <i>iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</i>
<section>
<title>Unable to connect two machines directly</title>
<body>

<p>
If (for whatever reason) you want to connect two machines directly together
without a hub or switch, a regular ethernet cable will likely not work, unless
you have an Auto MDI/MDI-X (also known as "autosensing") capable network
adapter. You will need a different cable called a crossover cable. This <uri
link="http://en.wikipedia.org/wiki/Ethernet_crossover_cable">Wikipedia</uri>
page explains the low level details.
</p>

</body>
<body>

<p>
I have no final notes other than if you experience any troubles with the guide,
please contact <mail link="vapier@gentoo.org">me</mail> or file a bug with <uri
link="http://bugs.gentoo.org/">Gentoo's Bugtracking Website</uri>. If you have
some interesting bits you think would enhance this guide, by all means send them
my way for inclusion.
</p>

</body>
