Weblog entry #4 for eric

routing Windows networks
Posted by eric on Thu 9 Feb 2006 at 18:24
At work, we work mainly with Windows servers and Windows applications (Windows shares, printers and Outlook with Exchange... yes, not good!).
In one of our sites, we have a /23 IP range, and we're running short of addresses. But we can't really 'simply' change our IP range (decisions about IP addressing aren't in our hands) and don't really want to physically visit each of the nearly 510 machines.
Before we get the money to buy a "real" router (a Cisco/Nortel/... one), I think we can try a software-based one.

I tried to set up an OpenBSD box (pf is soooo simple...) to route all the traffic, but SMB file sharing/mounting doesn't work for the moment.

So: does anyone here know how to route Windows networks with all the crappy features and protocols (file sharing, printing, Outlook with the MAPI protocol, AD authentication, SUS updates, etc.) with a Linux or xBSD box?
Is it even possible?


Thanks to all.

Comments on this Entry

Posted by simonw (84.45.xx.xx) on Thu 9 Feb 2006 at 22:28
Routing is routing.

Linux (the kernel), and associated tools, have pretty much one of the best feature sets for building routers. Cisco IOS may get all the attention, but a Debian install with no fiddling can do stateful firewalling, traffic shaping, bridging, become a wireless access point, or some combination of all these, and supports all major, and not so major, network protocols.

The main advantage of the routers is solid-state boot systems, and you can buy compact flash IDE converters, or boot from USB flash, if you feel the need to spend more money. Me, I'd go for software mirroring, and two old IDE disks.

However, what is it you are trying to do? I think you need to explain the problem you are trying to solve a little more clearly.


Posted by eric (194.2.xx.xx) on Tue 14 Feb 2006 at 08:56
Linux (the kernel), and associated tools, have pretty much one of the best feature sets for building routers

I agree with you, I know that Linux and the whole network stack are fine for doing most of the things you need.

But is the kernel really at the same level as Cisco IOS (it's an example)? Aren't there some features that you can't do? (I'm thinking about some articles I read, but I can't remember exactly the features in question, maybe something like 'dynamic port opening' - sorry if I say something completely stupid!)

I think the advantage of hardware routers is in the ASICs, which are fast, and the reliability of the hardware (compared to a PC-based router). I talked about Cisco because 1) I work in public administration and we can't buy what we want, we can't buy Soekris hardware to put Linux on, for example, and 2) people here (colleagues and chiefs) are used to relying on well-known material (hard or soft) (never mind the price... and I'm really sorry about that too!) and not on an obscure Linux/BSD router. It's a little bit 'stupid' but I can't do much about that.

I talked about OpenBSD because I really like PF, but if necessary I'll dig into the obscure (for me) syntax of iptables one more time. Moreover, I don't really know if PF is as complete as Netfilter.

Now comes a more detailed explanation of my problem:

We have a 192.168.2.0/23 IP range full of PCs and printers, with an ADSL/intranet connection. Win2000 and 2003 domain controllers, file servers, print servers and f*%! Exchange 2000 are also in this LAN.
We have a 192.168.1.0/24 IP range for administrative use: an ADSL/intranet connection only for the technical team (to reach the other sites) and the network switches are here.

The problem is: we are running out of IP addresses in the main LAN.

The idea is: put 40-60 machines in the 1.0/24 LAN, but let them continue to access all the services (file sharing, printing, Outlook in MAPI mode, and of course the Internet) like before. The problem is: the services must stay in the 2.0/23 LAN. The DNS servers are the DCs, so they also stay in the 2.0/23 LAN.

So I have started working on that with an OpenBSD installation. I have two simple rules that let the traffic go in and out from one subnet to the other. DNS works, Internet works, and even Outlook/MAPI works. But file sharing (and printing, I think) don't work!
I have searched for a little bit of documentation about this problem but haven't found anything for the moment. I know the problem with pre-Win2000 was NetBIOS and the use of broadcast, but with Win2000/XP I thought it had disappeared.

That's my problem, so if someone has an idea...

:eric: http://blog.sietch-tabr.com


Posted by simonw (84.45.xx.xx) on Tue 14 Feb 2006 at 18:36
But is the kernel really at the same level as Cisco IOS (it's an example)? Aren't there some features that you can't do? (I'm thinking about some articles I read, but I can't remember exactly the features in question, maybe something like 'dynamic port opening' - sorry if I say something completely stupid!)

The kernel design, as I understand it, hands off difficult networking tasks to other software using pointers, so basically the question is "does software exist...", not can the kernel do it.

IOS has some nice security hardening features, but in practice it hasn't proved that much more robust than Linux. Almost invariably it is services running that cause issues, not mere packet shifting, on both platforms.

IOS has some obscure networking features. I once had to explain to a company with a load of certified Cisco people what the DNS_ALG was, how it could solve their problems, and why they should only ever use it as a stop-gap measure.

But I know of a local network test equipment vendor, who were amongst the first to license IOS, who are keenly using embedded Linux these days. Linux is very flexible, and has some excellent firewall products available (both free and commercial), whereas Cisco's firewall offerings for IOS used to be terrible, to the point of being a liability rather than an asset.

I think the advantage of hardware routers is in the ASICs, which are fast, and the reliability of the hardware.

I think hardware reliability at this level is about removing moving parts. Some PC hardware is very good quality; I've seen IBM PCs last well over 10 years, which is likely beyond the useful life of the deployment.

Hardware can be useful in speeding up network links, but these days, with sensible ethernet cards and interrupt handling, discarded PCs can easily handle multiple 100Mbps full-duplex interfaces at wire speed. If you are chucking gigabit ethernet around, then designed-for-purpose hardware is probably worth it, but you might well buy it from someone other than Cisco.

Note that some gigabit ethernet drivers for Linux take advantage of the key features of the ethernet cards, such as hardware checksums. Clever hardware features above that sort of thing tend to be utterly useless as soon as you have to bail out to do something non-trivial.

Probably the big gain with Linux is familiarity. All our packet handling, on kit we own, is done on Linux boxes, using a familiar tool set. The same commands and tools as we use for the firewall, the traffic shaper, the web servers, the mail servers, even my desktop box. Cisco expertise is still expensive, and in rare supply, and your organisation would likely mandate a Cisco certified engineer, from an organisation with two or more, before they could even sell you a router (yes, I've worked at, and sold to, such organisations).

Horses for courses - but likely, if you're using 100Mbps networking, it can be more than adequately handled by an otherwise discarded PC, with Debian. Sure, it may be less reliable, but stick mirrored disks in and keep a couple of other old PCs as standby machines for the once in 5 years that the {CPU|Case} fan fails.

If you feel ambitious, build a redundant router, but my experience is such complexity in networks (virtual IP addresses etc.) tends to make things less reliable, not more, unless there is an ultra-strict configuration management regime, and ultra highly trained personnel (yeah, I've never seen anywhere like that either - the old Digital site at Reading probably came closest).

Windows 2000 and ADS only get rid of all that NetBIOS broadcast rubbish if you configure things right. My guess is your file servers and printer servers are misconfigured, perhaps they lack routing information for the new network? Likely it'll be wrong whatever OS/hardware forwards the packets.

We use file sharing with Windows across a Linux box with two interfaces and IP forwarding enabled at work, and it "just works". Last time I looked the box was running Red Hat 6 something, and only allows telnet access (everything else is ssh these days), so you can see it gets, and requires, absolutely zilch maintenance. My guess is it predates the current office by two office moves; I can probably go find the date on the build instructions if you really want to know. We do have a few old PC boxes around with two network cards, so we can replace it quickly, if and when it fails. Replacing it with Debian and newer hardware is on my "todo" list, but it is a long, long way down.


Posted by Anonymous (82.93.xx.xx) on Wed 15 Feb 2006 at 12:43
What you need is a Debian machine with at least two network interfaces, one for each subnet. Make sure routing between the subnets is enabled (echo 1 > /proc/sys/net/ipv4/ip_forward).

Install the Samba server on the Debian box. Samba has a built-in WINS server. All Windows client machines should be set up to use this WINS server. This can be done easily if the clients use DHCP to get their IP address: add a line like "option netbios-name-servers ip-address" to your dhcpd.conf file.

The samba WINS server should be set to announce (broadcast) all (windows) clients on both subnets.

Here is an example smb.conf file to configure Samba and its WINS server. You might turn to the smb.conf man page for more details.


[global]
   workgroup = MyGroup
   netbios name = Chaos
   security = share
   encrypt passwords = yes
; One broadcast/mask pair per subnet the box is attached to
   interfaces = 192.168.151.255/24 192.168.150.255/24
; Announce this server to the broadcast address of both subnets
   remote announce = 192.168.151.255 192.168.150.255
; Act as the WINS server for both subnets and answer broadcast
; name queries on behalf of clients that are not WINS-aware
   wins support = yes
   wins proxy = yes
; Don't set wins server if wins support is activated
; Wins server is Chaos
;   wins server = commented out because he is us
   domain logons = no
   domain master = yes
   preferred master = yes
   local master = yes
; Max os level is 255 (NT is 32); 65 wins browser elections against NT
   os level = 65
   public = yes
   browseable = yes
   lm announce = yes
   browse list = yes
   auto services = yes

This worked for me.

Erik Tromp
www.avantec.nl

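An added example, not from the thread or from Samba itself: a small Python check for the consistency rules Erik's comment states (no wins server alongside wins support = yes, every remote announce target being the broadcast address of a listed interface, os level within 0-255), run over a copy of the posted [global] section. parse_global and check_wins_config are assumed helper names; the sample config is constructed from the comment above.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the [global] section posted above.
SAMPLE_SMB_CONF = """
[global]
   workgroup = MyGroup
   netbios name = Chaos
   security = share
   interfaces = 192.168.151.255/24 192.168.150.255/24
   remote announce = 192.168.151.255 192.168.150.255
   wins support = yes
   wins proxy = yes
;   wins server = commented out because he is us
   os level = 65
"""


def parse_global(text):
    """Return the key/value pairs of [global]; lines starting with ';' or '#' are comments."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        section = re.match(r"\[(.+)\]", line)
        if section:
            in_global = section.group(1).lower() == "global"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def check_wins_config(params):
    """Return a list of problems; an empty list means the WINS/browse settings are consistent."""
    problems = []
    if params.get("wins support", "no").lower() == "yes" and "wins server" in params:
        problems.append("wins server must not be set when wins support = yes")
    # ip_network(strict=False) turns the broadcast/mask form (x.x.x.255/24) into its subnet.
    subnets = [ipaddress.ip_network(s, strict=False) for s in params.get("interfaces", "").split()]
    broadcasts = {str(n.broadcast_address) for n in subnets}
    for target in params.get("remote announce", "").split():
        addr = target.split("/")[0]  # remote announce also accepts "address/workgroup"
        if addr not in broadcasts:
            problems.append(f"remote announce target {addr} is not a broadcast address of a listed interface")
    level = int(params.get("os level", "20"))
    if not 0 <= level <= 255:
        problems.append(f"os level {level} is outside 0-255")
    return problems
```

Feeding it eric's 192.168.2.0/23 range shows the trap the check is for: the broadcast address of a /23 is 192.168.3.255, not 192.168.2.255.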
