Adding sub-nets to BrazilFW


Post by BrazilFW » Mon Dec 24, 2007 7:34 pm

Written by Elton Guedes Rios with material from the forum


You can set up a network with several sub-nets isolated from one another. In this way, each sub-net will access the Internet but will not have access to the computers in the other sub-nets. Let's see how this can be done:

First, it is necessary to update your system (if you have Coyote 2.24 or earlier) with the package "dnsmasq.tgz". With this file, all the previous issues with the creation of sub-nets are solved. You will need to add the new sub-nets in the Basic Firewall Rules, save, and reload both the firewall and the DNS to validate the sub-nets that have been created.

The hack in the rc.inet file is no longer needed, nor are the lines in rc.dnsmasq (which never worked anyway); just update dnsmasq.tgz and that is all.
Reloading the DNS will be enough for the daemon (dnsmasq) to detect the presence of the new IP and respond to its requests.

Then, add the following line at the bottom of the file rc.local:

dns.reload

Now edit the "Custom Firewall Rules" file:

    edit /etc/coyote/firewall.local

Add these two lines for each extra IP:

    ip addr add xxx.xxx.xxx.xxx/yy broadcast + dev eth0
    iptables -t nat -I POSTROUTING -s xxx.xxx.xxx.xxx/yy -o eth1 -j MASQUERADE


The string xxx.xxx.xxx.xxx is the IP address and yy is the mask length in bits (usually 24, which corresponds to the well-known 255.255.255.0).
If you use PPPoE, replace eth1 in the second line with ppp0.

The first line adds the new IP address to the router and the second adds the sub-net to the NAT (masquerading), so that the computers connected to the sub-net can use the Internet.

The gateway must be within the range of IPs of the sub-net.
Example: For the computers that have an IP in the range 192.168.3.x, the gateway must be: 192.168.3.1

Observation: If you configure these new settings through the Webadmin, remember to click on "Basic Firewall Rules" and not on "Firewall settings".

Now save and reload the firewall. Then set a computer to use the new IP.

It is recommended to enable the BrazilFW DNS cache and to specify its IP as the DNS server. Remember that this address changes according to the gateway. You only need to check on the main page of the Webadmin whether the DNS cache is enabled; if so, the DNS address appears on the main screen.

It is not necessary to change anything in the main configuration file, unless you want to create the first two sub-nets through the Webadmin.

One of the advantages of doing everything through the firewall is that you do not need to reboot the router; it is only a matter of saving the configuration and reloading the firewall and the DNS/DHCP server.

Set the DNS address (the same as the gateway) on each computer; only this time will it appear as a new DNS host.

If you use Tinyproxy, you need to know that it loads the file /etc/tinyproxy/tinyproxy.conf, which is generated from a template called tinyproxy.conf.template.
The person who wrote this script was the great Steve Einsner, the same who gave us the chance to have a second or third IP in Coyote.

In order for Tinyproxy to work, it is necessary to add a line:

    allow 192.168.0.0/24


This 'allow' tells Tinyproxy which IPs it must respond to. This is useful to prevent anyone out on the Internet or in the DMZ from using your BrazilFW proxy, and since Steve's script only allows the first three sub-nets, the users in the fourth will be rejected by Tinyproxy.

A solution to this is to edit /etc/tinyproxy/tinyproxy.conf.template and add an

    Allow

line for each of the sub-nets.
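The firewall.local lines above and the Tinyproxy Allow line both depend on the same two values, the router's address in the new sub-net and the mask length, and the post's rule that the gateway must lie within the sub-net's range is easy to get wrong by hand. The following POSIX sh script is an added example, not code from this post nor from the Coyote/BrazilFW scripts: it computes the network address from a gateway and prefix length, refuses a gateway that is the network or broadcast address, and prints the ip addr, MASQUERADE and Allow lines with consistent values. All function names, the isolation_rules function (explicit FORWARD drops between two sub-nets) and the 192.168.4.1/24 sample sub-net are my assumptions; the post does not show the existing FORWARD policy, so whether the router would forward between sub-nets without such drops is unknown, and hosts that share eth0 can still reach each other directly if they add their own routes.

```shell
#!/bin/sh
# Added example, not code from the BrazilFW post or from Coyote/BrazilFW itself.
# Generates the firewall.local and tinyproxy.conf.template lines for one extra
# sub-net from its gateway address and prefix length, so that the ip addr,
# MASQUERADE and Allow lines all use the same, correctly computed values.
# Pure POSIX sh arithmetic; nothing here touches the running system.

# ip_to_int 192.168.3.1 -> 3232236289 (dotted quad to 32-bit integer)
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232236288 -> 192.168.3.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_int 24 -> 4294967040 (0xFFFFFF00): the mask as an integer
mask_int() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# prefix_to_mask 20 -> 255.255.240.0 (the dotted form used in example 2 of the post)
prefix_to_mask() {
    int_to_ip "$(mask_int "$1")"
}

# network_of GATEWAY PREFIX -> network address, e.g. 192.168.3.1 24 -> 192.168.3.0
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(mask_int "$2") ))
}

# gateway_ok GATEWAY PREFIX: succeeds only if the gateway is a host address inside
# the sub-net, i.e. neither the network address nor the broadcast address.
gateway_ok() {
    gw=$(ip_to_int "$1")
    net=$(( gw & $(mask_int "$2") ))
    bcast=$(( net | (4294967295 >> $2) ))
    [ "$gw" -ne "$net" ] && [ "$gw" -ne "$bcast" ]
}

# subnet_rules GATEWAY PREFIX LAN_IF WAN_IF -> the two lines for firewall.local
# (use ppp0 as WAN_IF on PPPoE, as the post says).
subnet_rules() {
    gateway_ok "$1" "$2" || { echo "error: $1/$2 is not a host address of the sub-net" >&2; return 1; }
    net=$(network_of "$1" "$2")
    printf 'ip addr add %s/%s broadcast + dev %s\n' "$1" "$2" "$3"
    printf 'iptables -t nat -I POSTROUTING -s %s/%s -o %s -j MASQUERADE\n' "$net" "$2" "$4"
}

# isolation_rules GW_A PREFIX_A GW_B PREFIX_B LAN_IF -> FORWARD drops in both
# directions, so the router itself never routes between the two sub-nets
# (an assumed addition; the post relies on the sub-nets simply not seeing each other).
isolation_rules() {
    net_a=$(network_of "$1" "$2"); net_b=$(network_of "$3" "$4")
    printf 'iptables -I FORWARD -i %s -o %s -s %s/%s -d %s/%s -j DROP\n' "$5" "$5" "$net_a" "$2" "$net_b" "$4"
    printf 'iptables -I FORWARD -i %s -o %s -s %s/%s -d %s/%s -j DROP\n' "$5" "$5" "$net_b" "$4" "$net_a" "$2"
}

# tinyproxy_allow GATEWAY PREFIX -> the Allow line for tinyproxy.conf.template
tinyproxy_allow() {
    printf 'Allow %s/%s\n' "$(network_of "$1" "$2")" "$2"
}

# Usage (run as: sh subnets.sh demo): values from example 1 of the post
# (192.168.3.1/24 on eth0 with a PPPoE uplink) plus a constructed 192.168.4.1/24.
if [ "${1:-}" = "demo" ]; then
    subnet_rules 192.168.3.1 24 eth0 ppp0
    subnet_rules 192.168.4.1 24 eth0 ppp0
    isolation_rules 192.168.3.1 24 192.168.4.1 24 eth0
    tinyproxy_allow 192.168.3.1 24
    tinyproxy_allow 192.168.4.1 24
fi
```

Two things the script makes visible that the post leaves implicit: subnet_rules rejects 192.168.3.0 as a gateway, because .0 is the network address rather than a host in the 192.168.3.x range, and network_of 192.168.4.1 20 returns 192.168.0.0, i.e. the 255.255.240.0 mask of example 2 below actually spans 192.168.0.0 through 192.168.15.255 and therefore overlaps the 192.168.3.0/24 sub-net, which is the mask question the post's closing observation raises.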

Examples:

1) I added ONE new sub-net to my BrazilFW with the following commands:

    ip addr add 192.168.3.1/24 broadcast + dev eth0
    iptables -t nat -I POSTROUTING -s 192.168.3.0/24 -o ppp0 -j MASQUERADE


Then, I changed one of my computers to the IP 192.168.3.10 using the IP 192.168.3.1 as gateway and DNS.

2) In /etc/coyote/firewall.local I edited the lines

    ip addr add 192.168.3.0/255.255.255.0 broadcast + dev eth0
    iptables -t nat -I POSTROUTING -s 192.168.3.0/255.255.255.0 -o eth1 -j MASQUERADE
    ip addr add 192.168.4.0/255.255.240.0 broadcast + dev eth0
    iptables -t nat -I POSTROUTING -s 192.168.4.0/255.255.240.0 -o eth1 -j MASQUERADE


In the file /etc/rc.d/rc.inet, at line 143:

    ip addr add 192.168.3.0/255.255.255.0 broadcast + dev eth0
    ip addr add 192.168.4.0/255.255.240.0 broadcast + dev eth0


The clients in the IP range 192.168.3.x were configured with the netmask 255.255.255.0, and so were those in the IP range 192.168.4.x.

In that way, the computers will not be able to "ping" between sub-nets.
I think that with different IPs and netmasks the computers will behave as if they were not in the same physical network, and therefore they will not communicate.

Observation:
This is an observation as well as a doubt about the binary division of sub-net masks. I know little about this and used masks that are known to work, since the number of clients in my sub-nets is very small.
BrazilFW