
Need Linux Router


Leslie Rhorer

Dec 11, 2020, 1:00:27 AM
I have a Debian Linux box on a network that needs to act as a simple router with a couple of extra features. Network A is on the main LAN interface. LAN A has an internet router whose address is set as the default gateway for the Linux box. Network B will be on a secondary LAN interface with a small handful of devices. I need all traffic between the two LANs to be freely forwarded, but I need traffic from LAN B to the internet to be completely restricted to the hours between midnight and 5:30 AM. My client has a metered internet service that is free between those hours, but carries a fee outside those hours.

I need the router not only to restrict all traffic to the internet between those hours, but to also log any attempts to engage in traffic outside those hours and to meter all traffic to and from the internet at all times on LAN B.

Grant Taylor

Dec 14, 2020, 2:22:13 AM
On 12/10/20 11:00 PM, Leslie Rhorer wrote:
> I have a Debian Linux box on a network that needs to act as a simple
> router with a couple of extra features. Network A is on the main LAN
> interface. LAN A has an internet router whose address is set as the
> default gateway for the Linux box. Network B will be on a secondary
> LAN interface with a small handful of devices. I need all traffic
> between the two LANs to be freely forwarded,

Okay.

What route do the devices on LAN A use to reach the devices on LAN B?
Do they rely on the default gateway knowing to route traffic to LAN B
via your Debian box? Or do the devices on LAN A have a route to LAN B
via your Debian box and thus bypass the default gateway?

> but I need traffic from LAN B to the internet to be completely
> restricted to the hours between midnight and 5:30 AM. My client
> has a metered internet service that is free between those hours,
> but carries a fee outside those hours.
>
> I need the router not only to restrict all traffic to the internet
> between those hours, but to also log any attempts to engage in traffic
> outside those hours and to meter all traffic to and from the internet
> at all times on LAN B.

Check out the "time" iptables match extension. man iptables-extensions

With the time match, it should be simple enough to construct rule logic
to either allow the traffic. Logging can be done via another rule after
the previous rule allowing the traffic during the open window. Or you
could have another rule very similar to the first rule with the logic
inverted and routing the traffic to a log.



--
Grant. . . .
unix || die
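Grant's suggestion written out as a ruleset, as an added example that is not part of the thread: a script that generates the filter table with the time match for the 00:00 to 05:30 window, a rate-limited LOG rule for attempts outside it, and two counter-only rules that serve as the always-on meter. The interface names eth0/eth1 and the LAN A prefix 192.168.1.0/24 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: eth0 faces LAN A (where the
# internet gateway lives), eth1 faces LAN B; 192.168.1.0/24 is a constructed
# placeholder for the LAN A prefix.
LAN_A_IF=eth0
LAN_B_IF=eth1
LAN_A_NET=192.168.1.0/24

# gen_rules prints an iptables-restore ruleset for the filter table so it can be
# reviewed (or diffed) before anything is loaded into the kernel.
gen_rules() {
  cat <<EOF
*filter
:FORWARD DROP [0:0]
:LANB_INET - [0:0]
# LAN A <-> LAN B is forwarded at any hour.
-A FORWARD -i $LAN_B_IF -o $LAN_A_IF -d $LAN_A_NET -j ACCEPT
-A FORWARD -i $LAN_A_IF -o $LAN_B_IF -s $LAN_A_NET -j ACCEPT
# Anything else crossing between the two interfaces is LAN B internet traffic.
-A FORWARD -i $LAN_B_IF -o $LAN_A_IF -j LANB_INET
-A FORWARD -i $LAN_A_IF -o $LAN_B_IF -j LANB_INET
# Meter: these two target-less rules only count; read them with
# "iptables -vnxL LANB_INET" (or "iptables -Z LANB_INET" to reset the counters).
-A LANB_INET -i $LAN_B_IF -m comment --comment "meter: LAN B -> internet"
-A LANB_INET -o $LAN_B_IF -m comment --comment "meter: internet -> LAN B"
# Free window 00:00-05:30 in the kernel's local timezone (--kerneltz; default is UTC).
-A LANB_INET -m time --timestart 00:00 --timestop 05:30 --kerneltz -j ACCEPT
# Outside the window: log the attempt (the kernel log line carries timestamp, IN/OUT,
# SRC, DST, protocol and ports) and then drop it. Remove the limit match if every
# single packet must be logged rather than a rate-limited sample.
-A LANB_INET -m limit --limit 10/min --limit-burst 30 -j LOG --log-prefix "LANB-INET-BLOCKED: " --log-level 4
-A LANB_INET -j DROP
COMMIT
EOF
}

# apply_rules enables forwarding and loads the generated ruleset atomically.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1
  gen_rules | iptables-restore
}

# Run with the argument "apply" to load; without it the script only defines the functions.
if [ "${1:-}" = apply ]; then
  apply_rules
fi
```

Flows that are still open at 05:30 are cut off rather than allowed to finish, which is what "completely restricted" implies for a metered link; the log lines land in the journal or /var/log/kern.log with the date, time and addresses.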

Leslie Rhorer

Dec 14, 2020, 12:49:10 PM
On Monday, December 14, 2020 at 1:22:13 AM UTC-6, Grant Taylor wrote:
> On 12/10/20 11:00 PM, Leslie Rhorer wrote:
> > I have a Debian Linux box on a network that needs to act as a simple
> > router with a couple of extra features. Network A is on the main LAN
> > interface. LAN A has an internet router whose address is set as the
> > default gateway for the Linux box. Network B will be on a secondary
> > LAN interface with a small handful of devices. I need all traffic
> > between the two LANs to be freely forwarded,
> Okay.
>
> What route do the devices on LAN A use to reach the devices on LAN B?

They will route from LAN A to LAN B through the router.

> Do they rely on the default gateway knowing to route traffic to LAN B
> via your Debian box?

Obviously I have to configure a specific route to LAN B on the gateway router, unless I employ NAT on the Linux box, so it could work that way, but the non-internet traffic between LAN A and LAN B is quite limited. Putting a specific route on those boxes is no big deal.

> Or do the devices on LAN A have a route to LAN B
> via your Debian box and thus bypass the default gateway?

That is the intent. Alternately, I could bridge LAN A and LAN B, rather than routing as separate subnets, or I could employ NAT. All three are viable solutions.

> > but I need traffic from LAN B to the internet to be completely
> > restricted to the hours between midnight and 5:30 AM. My client
> > has a metered internet service that is free between those hours,
> > but carries a fee outside those hours.
> >
> > I need the router not only to restrict all traffic to the internet
> > between those hours, but to also log any attempts to engage in traffic
> > outside those hours and to meter all traffic to and from the internet
> > at all times on LAN B.
> Check out the "time" iptables match extension. man iptables-extensions
>
> With the time match, it should be simple enough to construct rule logic
> to either allow the traffic. Logging can be done via another rule after
> the previous rule allowing the traffic during the open window. Or you
> could have another rule very similar to the first rule with the logic
> inverted and routing the traffic to a log.

I just want to log the traffic details, including the time, date, and IP addresses.


> Grant. . . .

Thanks!

Grant Taylor

Dec 14, 2020, 3:56:56 PM
On 12/14/20 10:49 AM, Leslie Rhorer wrote:
> They will route from LAN A to LAN B through the router.
>
> Obviously I have to configure a specific route to LAN B on the gateway
> router, unless I employ NAT on the Linux box, so it could work that
> way,
ACK

I would add the route to LAN B via the Debian box and avoid NAT if I could.

> but the non-internet traffic between LAN A and LAN B is quite limited.
> Putting a specific route on those boxes is no big deal.

If you're using DHCP on LAN A, there is an option that you can add to
include the route to LAN B.

ISC DHCPd calls the options "cidr-static-route" and "ms-static-route".
I have the following configured:

subnet 192.0.2.0 netmask 255.255.255.0 {
...
option cidr-static-route 10, 100, 64, 192, 0, 2, 251, 0, 192, 0, 2, 254;
option ms-static-route 10, 100, 64, 192, 0, 2, 251, 0, 192, 0, 2, 254;
...
}

The format is a little odd, so refer to documentation. From memory,
it's one or more sets of three parts, <netmask>, <enough of the prefix
to cover the netmask>, <gateway IP>. E.g. 100.64(.0.0)/10 via 192.0.2.251.

The documentation I read suggested including a default gateway in the
*-static-route in case clients ignore the default gateway setting from
DHCP when a *-static-route is present. Hence (0)/0 via 192.0.2.254.

> That is the intent.

ACK

> Alternately, I could bridge LAN A and LAN B, rather than routing
> as separate subnets, or I could employ NAT. All three are viable
> solutions.

As stated above, I'd likely avoid NATing from LAN B to LAN A if I could.

I suspect I'd avoid bridging if there is no explicit need to bridge,
meaning all the traffic is capable of being routed.

> I just want to log the traffic details, including the time, date,
> and IP addresses.

There are multiple iptables targets that will accomplish this goal.

> Thanks!
You're welcome.
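The cidr-static-route / ms-static-route encoding Grant describes from memory, as an added example that is not from the thread and reproduces his option value: each route is the prefix length (his "netmask"), then only as many destination octets as that prefix length covers, then the gateway's four octets. The default route goes on the list because RFC 3442 requires a client that honours the classless static route option to ignore the routers option.

```shell
#!/bin/sh
# Added example, not from the thread: build the octet list ISC DHCPd expects for
# "option cidr-static-route" / "option ms-static-route" (the RFC 3442 option 121 layout).

# encode_route DEST/PLEN GATEWAY -> octets for one route, comma separated
encode_route() {
  dest=${1%/*}
  plen=${1#*/}
  gw=$2
  # significant destination octets: ceil(plen / 8); a default route (/0) carries none
  noct=$(( (plen + 7) / 8 ))
  out=$plen
  i=0
  for o in $(printf '%s\n' "$dest" | tr '.' ' '); do
    i=$((i + 1))
    if [ "$i" -le "$noct" ]; then
      out="$out, $o"
    fi
  done
  for o in $(printf '%s\n' "$gw" | tr '.' ' '); do
    out="$out, $o"
  done
  printf '%s' "$out"
}

# encode_routes "DEST/PLEN GATEWAY" ... -> the complete option value, routes in the
# order given (put the default route last, as in the thread's example).
encode_routes() {
  result=
  for spec in "$@"; do
    enc=$(encode_route "${spec%% *}" "${spec##* }")
    if [ -z "$result" ]; then result=$enc; else result="$result, $enc"; fi
  done
  printf '%s\n' "$result"
}

# Prints: 10, 100, 64, 192, 0, 2, 251, 0, 192, 0, 2, 254
encode_routes '100.64.0.0/10 192.0.2.251' '0.0.0.0/0 192.0.2.254'
```

Paste the printed value after "option cidr-static-route" and "option ms-static-route" in the subnet block; a /24 destination would contribute three octets and a /32 all four.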

Phase3

Apr 4, 2021, 12:45:51 AM
ipFire is a good choice.

Usually gets higher ratings than pfSense and is a lot
easier to set up. You just need two network ports,
preferably three or four.

However, ipFire is a customized DISTRIBUTION.
Ideally you run it on its own old PC and that's your
software-based router/firewall.

Now if you are cheap cheap and want to run the
router on an existing distro, well ... there ARE a
few, but it's not really the best way to do things.
Any garage sale ought to have an old i3 PC you
can score for ten or twenty bucks.

In theory you CAN run ipFire or pfSense on a
virtual machine - kvm or virtualbox - within an
existing distro.
