HowTo subnetting [INACTIVE]

Forum dedicated to the documentation, editing and integration of the add-ons developed by the Spanish-speaking community.


Post by arielrodriguez007 » Thu Oct 18, 2007 12:40 am

HowTo Subnetting
First chapter was written by arielrodriguez007

Chapter 1 Understanding Subnetting
Chapter 2 Adding sub-nets to BrazilFW


1. Understanding Subnetting

Subnetting allows you to create multiple logical networks that exist within a single Class A, B, or C network. If you do not subnet, you will only be able to use one network from your Class A, B, or C network, which is unrealistic. Each data link on a network must have a unique network ID, with every node on that link being a member of the same network. If you break a major network (Class A, B, or C) into smaller subnetworks, it allows you to create a network of interconnecting subnetworks. Each data link on this network would then have a unique network/subnetwork ID. Any device, or gateway, connecting x networks/subnetworks has x distinct IP addresses, one for each network / subnetwork that it interconnects. To subnet a network, extend the natural mask using some of the bits from the host ID portion of the address to create a subnetwork ID. For example, given a Class C network of 192.168.0.0 which has a natural mask of 255.255.255.0, you can create subnets in this manner:

192.168.0.0     - 11000000.10101000.00000000.00000000
255.255.255.224 - 11111111.11111111.11111111.11100000
                  --------------------------|sub|----


By extending the mask to 255.255.255.224, you have taken three bits (indicated by "sub") from the original host portion of the address and used them to make subnets. With these three bits, it is possible to create eight subnets. With the remaining five host ID bits, each subnet can have up to 32 host addresses, 30 of which can actually be assigned to a device, since host IDs of all zeros or all ones are not allowed (it is very important to remember this). So, with this in mind, these subnets have been created:

192.168.0.0 255.255.255.224 host address range 1 to 30
192.168.0.32 255.255.255.224 host address range 33 to 62
192.168.0.64 255.255.255.224 host address range 65 to 94
192.168.0.96 255.255.255.224 host address range 97 to 126
192.168.0.128 255.255.255.224 host address range 129 to 158
192.168.0.160 255.255.255.224 host address range 161 to 190
192.168.0.192 255.255.255.224 host address range 193 to 222
192.168.0.224 255.255.255.224 host address range 225 to 254


Note: There are two ways to denote these masks. First, since you are using three bits more than the "natural" Class C mask, you can denote these addresses as having a 3-bit subnet mask. Secondly, the mask 255.255.255.224 can also be denoted as /27, as there are 27 bits set in the mask. This second method is used with CIDR. Using this method, one of these networks can be described with the notation prefix/length.

For example, 192.168.0.32/27 denotes the network 192.168.0.32 255.255.255.224.

The more host bits you use for a subnet mask, the more subnets you have available. However, the more subnets available, the fewer host addresses available per subnet. For example, a Class C network of 192.168.0.0 and a mask of 255.255.255.224 (/27) allows you to have eight subnets, each with 32 host addresses (30 of which could be assigned to devices). If you use a mask of 255.255.255.240 (/28), the breakdown is:

192.168.0.0     - 11000000.10101000.00000000.00000000
255.255.255.240 - 11111111.11111111.11111111.11110000
                  --------------------------|sub |---


Since you now have four bits to make subnets with, you only have four bits left for host addresses. So in this case you can have up to 16 subnets, each of which can have up to 16 host addresses (14 of which can be assigned to devices). Take a look at how a Class B network might be subnetted. If you have network 172.16.0.0, then you know that its natural mask is 255.255.0.0, or 172.16.0.0/16. Extending the mask to anything beyond 255.255.0.0 means you are subnetting. You can quickly see that you have the ability to create a lot more subnets than with the Class C network. If you use a mask of 255.255.248.0 (/21), how many subnets and hosts per subnet does this allow for?

172.16.0.0      - 10101100.00010000.00000000.00000000
255.255.248.0   - 11111111.11111111.11111000.00000000
                  -----------------| sub |-----------


You are using five bits from the original host bits for subnets. This will allow you to have 32 subnets (2^5). After using the five bits for subnetting, you are left with 11 bits for host addresses. This will allow each subnet to have 2048 host addresses (2^11), 2046 of which could be assigned to devices.



2. Adding sub-nets to BrazilFW

Written by Elton Guedes Rios with material from the forum (translated by Esteban)


You can set a network with several sub-networks isolated from one another. In this way, each sub-net will access the Internet but it will not have access to the computers in the other sub-nets. Let’s see how this can be done:

First, it is necessary to update your system (in case you have Coyote 2.24 or earlier) with the package “dnsmasq.tgz”. With this file, all the previous issues with the creation of sub-nets are solved. You will need to add the new sub-nets in the basic firewall rules, save and reload both the firewall and the DNS to validate the sub-nets that have been created.

Nothing more is needed in the Brazilian rc.inet file, nor the lines in rc.dnsmasq (which never even worked); just update dnsmasq.tgz and nothing else.
Reloading the DNS will be enough for the daemon (dnsmasq) to detect the presence of a new IP and respond to its requests.

Then, add the following line at the bottom of the file rc.local:

dns.reload

Now edit the file "Custom Firewall Rules":
edit /etc/coyote/firewall.local

Add these two lines for each extra IP:

ip addr add xxx.xxx.xxx.xxx/yy broadcast + dev eth0
iptables -t nat -I POSTROUTING -s xxx.xxx.xxx.xxx/yy -o eth1 -j MASQUERADE


The string xxx.xxx.xxx.xxx is the IP address and yy is the mask (usually 24, representing the well-known 255.255.255.0).
If you use PPPoE, replace eth1 in the second line with ppp0.

The first line adds the new IP and the second one links it to the NAT so that the computers connected to the sub-nets can use the Internet.

The gateway must be within the range of IPs of the sub-net.
Example: For the computers that have an IP in the range 192.168.3.x, the gateway must be: 192.168.3.1

Observation: If you configure these new settings through the Webadmin remember to click on “Basic Firewall Rules” and not on “Firewall settings”

Now save and reload the firewall. Then set a computer to use the new IP.

It is recommended to enable the BrazilFW DNS cache and specify its IP as the DNS server. Remember that this address changes according to the gateway. You only need to check on the main page of the Webadmin whether the DNS cache is enabled; if so, the DNS address will appear on the main screen.

It is not necessary to change anything in the main configuration file, unless you want to create the first two sub-nets through the Webadmin.

One of the advantages of doing everything through the firewall is that you do not need to reboot the router; it is only a matter of saving the configuration and reloading the firewall and the DNS/DHCP server.

Set the DNS address (the same as the gateway) on each computer; only this once will it appear as a new DNS host.

If you use Tinyproxy you need to know that it loads the file /etc/tinyproxy/tinyproxy.conf, which is built from a template called tinyproxy.conf.template.
The person who wrote this script was the great Steve Einsner, the same who gave us the chance to have a second or third IP in Coyote.

In order for Tinyproxy to work, it is necessary to add a line:

allow 192.168.0.0/24


This 'allow' tells Tinyproxy which IPs it must respond to. This is useful to prevent anyone out on the Internet or in the DMZ from using your BrazilFW, and since Steve's script only allows the first three sub-nets, the users in the fourth will be rejected by Tinyproxy.

A solution to this would be to edit /etc/tinyproxy/tinyproxy.conf.template and add a line

Allow

for each of the sub-nets.

Examples:
1)
I added ONE new sub-net to my BrazilFW with the following commands:

ip addr add 192.168.3.1/24 broadcast + dev eth0
iptables -t nat -I POSTROUTING -s 192.168.3.0/24 -o ppp0 -j MASQUERADE

Then, I changed one of my computers to the IP 192.168.3.10 using the IP 192.168.3.1 as gateway and DNS.

2)
In /etc/coyote/firewall.local I edited the lines

ip addr add 192.168.3.0/255.255.255.0 broadcast + dev eth0
iptables -t nat -I POSTROUTING -s 192.168.3.0/255.255.255.0 -o eth1 -j MASQUERADE

ip addr add 192.168.4.0/255.255.240.0 broadcast + dev eth0
# 192.168.4.0/255.255.240.0 is the 192.168.0.0/20 range, so this rule also matches 192.168.3.x
iptables -t nat -I POSTROUTING -s 192.168.4.0/255.255.240.0 -o eth1 -j MASQUERADE


In the file /etc/rc.d/rc.inet, at line 143:

ip addr add 192.168.3.0/255.255.255.0 broadcast + dev eth0
ip addr add 192.168.4.0/255.255.240.0 broadcast + dev eth0


The clients in the IP range 192.168.3.x were configured with the mask 255.255.255.0, and those in the IP range 192.168.4.x too.

In that way, the computers will not be able to "ping" between sub-nets.
I think that with different IPs and masks the computers will behave as if they were not on the same physical network and therefore they will not communicate.

Observation:
This is an observation as well as a doubt about the binary division of sub-net masks. I know little about this and used masks that are known to work, since the number of clients in my sub-nets is very small.
Last edited by arielrodriguez007 on Sat Nov 03, 2007 12:04 am, edited 1 time in total.
arielrodriguez007
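The subnet arithmetic of chapter 1 and the two-lines-per-sub-net procedure of chapter 2, worked through as an added example (this is the editor's code, not part of the post or of BrazilFW). It reproduces the /27 and /21 counts and the /27 host-range table, then builds the ip addr / iptables pair the post describes from the router's address on the new sub-net, written either as 192.168.3.1/24 or with a dotted mask as the post does. Two checks a practitioner wants are included: the router address must not be the sub-net's network or broadcast address (the post itself says the gateway must be inside the host range), and sub-nets that share eth0 must not overlap; the post's 192.168.4.0/255.255.240.0 is really the 192.168.0.0/20 range and overlaps 192.168.3.0/24, which the overlap check reports. The interface names eth0, eth1 and ppp0 come from the post; the 192.168.0.0/24 LAN used in the overlap example is an assumption. Whether hosts on two sub-nets can reach each other through the router is decided by its FORWARD rules, which this code does not touch; a different client mask on its own does not stop the router from forwarding between them.

```python
"""Subnet arithmetic (chapter 1) and firewall.local line generation (chapter 2).

Added example, not code from the original post or from BrazilFW. Interface names
and the two line formats follow the post; the sample LAN 192.168.0.0/24 used in
the overlap check is an assumption.
"""
import ipaddress


def subnet_counts(network, new_prefix):
    """Subnets and hosts when NETWORK (e.g. '192.168.0.0/24') is split with a
    longer mask of NEW_PREFIX bits. Usable hosts excludes the all-zeros and
    all-ones host IDs, as the post stresses."""
    net = ipaddress.ip_network(network, strict=True)
    sub_bits = new_prefix - net.prefixlen
    host_bits = net.max_prefixlen - new_prefix
    if sub_bits < 0 or host_bits < 2:
        raise ValueError("new prefix must extend the natural mask and leave >= 2 host bits")
    return {"subnet_bits": sub_bits, "subnets": 2 ** sub_bits,
            "host_bits": host_bits, "addresses": 2 ** host_bits,
            "usable_hosts": 2 ** host_bits - 2}


def subnets_of(network, new_prefix):
    """(subnet, first usable host, last usable host) for every subnet,
    i.e. the /27 table from the post computed rather than typed."""
    subnet_counts(network, new_prefix)  # validates the prefix
    net = ipaddress.ip_network(network, strict=True)
    return [(str(sub), str(sub.network_address + 1), str(sub.broadcast_address - 1))
            for sub in net.subnets(new_prefix=new_prefix)]


def firewall_lines(gateway_cidr, lan_if="eth0", wan_if="eth1"):
    """Return (lines, warnings) for one extra sub-net. GATEWAY_CIDR is the
    router's own address on that sub-net, '192.168.3.1/24' or
    '192.168.3.1/255.255.255.0'. The MASQUERADE rule is written against the
    sub-net's network address, which is what the -s match describes."""
    iface = ipaddress.ip_interface(gateway_cidr)
    net = iface.network
    warnings = []
    if iface.ip in (net.network_address, net.broadcast_address):
        warnings.append(f"{iface.ip} is the network or broadcast address of {net}; "
                        f"clients cannot use it as a gateway (use e.g. {net.network_address + 1})")
    lines = [
        f"ip addr add {iface.with_prefixlen} broadcast + dev {lan_if}",
        f"iptables -t nat -I POSTROUTING -s {net.with_prefixlen} -o {wan_if} -j MASQUERADE",
    ]
    return lines, warnings


def overlapping(gateway_cidrs):
    """Pairs of sub-nets whose ranges overlap. Overlapping ranges on the same
    eth0 are one address space, whatever mask the clients are given."""
    nets = [ipaddress.ip_interface(c).network for c in gateway_cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    print(subnet_counts("192.168.0.0/24", 27))
    for row in subnets_of("192.168.0.0/24", 27):
        print("%-18s hosts %s to %s" % row)
    print(subnet_counts("172.16.0.0/16", 21))
    # The post's first example (PPPoE, so the WAN side is ppp0).
    print("\n".join(firewall_lines("192.168.3.1/24", wan_if="ppp0")[0]))
    # The post's second example: the router address is the network address,
    # and 192.168.4.0/255.255.240.0 is the 192.168.0.0/20 range.
    for cidr in ("192.168.3.0/255.255.255.0", "192.168.4.0/255.255.240.0"):
        lines, warns = firewall_lines(cidr)
        print("\n".join(lines + warns))
    # Assumed 192.168.0.0/24 main LAN plus the post's two extra sub-nets.
    print(overlapping(["192.168.0.1/24", "192.168.3.0/255.255.255.0",
                       "192.168.4.0/255.255.240.0"]))
```

Running the module prints the /27 table, the two counts, the line pairs for the post's examples, the gateway warning for 192.168.3.0, and the two overlaps caused by the /20. Both dotted masks and prefix lengths are accepted because Python's ipaddress normalises them, just as iproute2 and iptables do.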
 

Post by gamba47 » Tue Oct 30, 2007 3:37 pm

arielrodriguez007, is anything else missing from the howto???

Can it be translated into Spanish now?? Or is it already in Spanish??


Regards, gamba47
gamba47
BFW Beneméritos
 
Posts: 7243
Joined: Tue Dec 27, 2005 1:51 pm
Location: Buenos Aires, Argentina
BrazilFW Box: Pentium4 1256mb RAM HD 200gb
BrazilFW 3.0.237 without Squid
3 ADSLs & 1 Cablemodem
50 Users & more!

Post by hjgil » Tue Oct 30, 2007 5:18 pm

Gamba, bear with me a little ..... as I had mentioned to you, I took the liberty of improving the subnets topic quite a bit (I hope!!), with an explanation of how to calculate them, masks and other things. And of course how to implement it in BrazilFW; I'm finishing up now, a few tests remain and it's good to go.

Jesús
hjgil
 

Post by gamba47 » Tue Oct 30, 2007 5:21 pm

hjgil wrote: Gamba, bear with me a little ..... as I had mentioned to you, I took the liberty of improving the subnets topic quite a bit (I hope!!), with an explanation of how to calculate them, masks and other things. And of course how to implement it in BrazilFW; I'm finishing up now, a few tests remain and it's good to go.

Jesús



hjgil, no problem, I was only asking to know the status of the tutorial; I knew you were also working on this, which is why I added you both to the Pending Tasks section. Take all the time you need, there is no hurry, it is just to have an idea of its progress; maybe someone has to throw in the towel for some reason and it is good for us to know, so we can continue the task already begun.


Regards, gamba47
gamba47

