Networking and Computer Name Question

Posted: Sat Aug 18, 2007 6:01 pm
by mowestusa
This will be an easy question for you sys-admins, but I'm hoping that you could give me some direction. Also if you have some great sources for further reading I would appreciate those also.

After reading Linc's blog post a few days back, I realized that I need to do something about my small network and communicating between computers.

Problem: I'm tired of having to use the ip address for samba shares, ssh, ftp, and rdesktop.

I have the following 8 computers on my peer to peer network:

Office Workstation--Fedora 7 (on sometimes)
Home Workstation--Ubuntu LTS (on sometimes)
File Server--FreeNAS (using because supposed to be easy to set up and administer)
Web Server--DSL (using because a very low powered machine, needs a light distro) Also this computer is in a DMZ.
Fun Workstation--DSL (on only when learning something new on it)
Laptop--WindowsXP (on for work necessary items at times)
Secretary Workstation--Windows98 (on once or twice a week for minor secretarial work)
Audio Workstation--WindowsXP (on only for work related recording, once or twice a week)

From what I understand I have two options:

1. Set up DNS on a computer running all of the time like Linc did. Advantages: everything Linc mentioned and more. Disadvantages: I don't think I can add it to FreeNAS. I don't know if it is wise to put it on a computer that is a webserver, and in a DMZ.

2. Set up the hosts files on every computer. Disadvantage: One change needs to be made 8 times. I have to give static ip addresses to all the computers, I don't know if that is a security disadvantage if you are basically shutting off DHCP on a NAT firewall. Advantages: Can use OpenDNS service and their auto blocking of phishing and porn sites. Can have names for all of the computers.

I'm leaning towards option 2 mostly because of the OpenDNS stuff.

If I go with option 2 are there other disadvantages that I'm not considering?

If I go with option 2 how do you go about naming a local domain like Linc did with $blankname.linc.lan?

Thanks for any guidance, and resources that would be helpful to a hobbyist sysadmin.

Re: Networking and Computer Name Question

Posted: Sat Aug 18, 2007 7:19 pm
by Tsuroerusu
mowestusa wrote:Thanks for any guidance, and resources that would be helpful to a hobbyist sysadmin.
I had this problem until just recently. My problem is a little bit bigger than yours as I have 16 computers! Remembering IP addresses for so many gets really old really fast! Yeah, a DNS server of some sort is definitely a great idea.
Having gotten a laptop a few months ago, I wanted to get some wireless networking going, so I went and got myself a Linksys WRT54GL (Try guessing what the "L" stands for) router and threw DD-WRT on there. One of the features I wanted was static IP configuration on the router's side of the world. The idea is setting up static IPs on the router itself by telling it the MAC address of a computer's network interface adapter, so when a DHCP request is made, the router says "Oh that's 01:02:03:04:05:06, he should have the IP 10.0.1.2 and the subnet mask 255.0.0.0", so from the client's side it's all just a standard DHCP request. I noticed that when you configure that in DD-WRT, you can also enter a hostname for that machine. I have almost all my machines set up to receive IP addresses this way, except for my FreeBSD box which runs 6 jails that each have their own IP but not their own MAC address. So I give them a hostname by just putting the info needed for that ("ip hostname") into the router's /etc/hosts file. This is probably a clunky way of doing it, but I found it pretty easy and relatively simple.
I'm sure you could do this with something like m0n0wall or pfSense on a standard x86 box, quite likely in a more elegant way than the way I do it.
All my computers use the router as their DNS server, which will first check to see whether it itself has a record for the requested hostname, and if not it'll forward the request to my ISP.

Re: Networking and Computer Name Question

Posted: Sat Aug 18, 2007 9:02 pm
by mowestusa
Tsuroerusu wrote:so I went and got myself a Linksys WRT54GL (Try guessing what the "L" stands for) router and threw DD-WRT on there. One of the features I wanted was static IP configuration on the router's side of the world.
This might work for me. I actually have a WRT-54G that I can load DD-WRT on right now. I did not know that it can be used to give your computers host names too. That would be set it up once and forget it.

Posted: Sat Aug 18, 2007 9:35 pm
by Karl
Check out a program called DnsMasq.
http://www.thekelleys.org.uk/dnsmasq/doc.html

Most distros have it as an installable package. It's a simple DNS/DHCP server. Reads everything from a single config file and the hosts file.

Posted: Sat Aug 18, 2007 10:01 pm
by Tsuroerusu
mowestusa wrote:
Tsuroerusu wrote:so I went and got myself a Linksys WRT54GL (Try guessing what the "L" stands for) router and threw DD-WRT on there. One of the features I wanted was static IP configuration on the router's side of the world.
This might work for me. I actually have a WRT-54G that I can load DD-WRT on right now. I did not know that it can be used to give your computers host names too. That would be set it up once and forget it.
Well there you go! I'd say start there first, and see if it's what you need, if you need a more beefy solution, then you can look into running BIND.

Karl wrote:Check out a program called DnsMasq.
http://www.thekelleys.org.uk/dnsmasq/doc.html

Most distros have it as an installable package. It's a simple DNS/DHCP server. Reads everything from a single config file and the hosts file.
It's funny you mention DnsMasq, because this is what DD-WRT uses for its default DHCP and DNS server! :wink:

Posted: Sat Aug 18, 2007 11:24 pm
by metrolinux
Karl wrote:Check out a program called DnsMasq.
http://www.thekelleys.org.uk/dnsmasq/doc.html

Most distros have it as an installable package. It's a simple DNS/DHCP server. Reads everything from a single config file and the hosts file.
dnsmasq also works with opendns, so you can end up with the best of both worlds.

I am using dd-wrt as a NAT firewall only. It's really a personal preference, but I don't like to have LAN services running on my border.

I had a little bit of trouble with dnsmasq on my Ubuntu LTS server. I started resetting it with cron every hour to keep it responsive. Haven't touched the thing since. It's been up for over a month.

My only other advice if you do choose dnsmasq is make sure it's also the DHCP server. This will make the hostnames of your dns clients available.

/mike
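
Added example, not written by any poster in this thread: a dnsmasq configuration that combines the suggestions above, with dnsmasq acting as both DHCP and DNS server, fixed leases keyed on MAC address, a local domain, and OpenDNS as the upstream resolver. The MAC addresses, the 192.168.1.0/24 addressing, the host names and the home.lan domain are constructed for illustration.

```conf
# /etc/dnsmasq.conf (sample values are constructed, adjust to your LAN)

# --- DNS side -------------------------------------------------------
# Never forward short names or reverse lookups for private ranges
# to the upstream resolver.
domain-needed
bogus-priv

# Ignore /etc/resolv.conf and forward only to OpenDNS.
no-resolv
server=208.67.222.222
server=208.67.220.220

# Answer home.lan from local data only; queries for it are never
# sent upstream, so internal names do not leak to the resolver.
local=/home.lan/
domain=home.lan

# Append the domain to plain names in /etc/hosts, so an entry such as
#   192.168.1.5  webserver
# also resolves as webserver.home.lan. Use /etc/hosts for machines
# that do not get their address from this server.
expand-hosts

# --- DHCP side ------------------------------------------------------
# Dynamic pool for machines without a fixed lease.
dhcp-range=192.168.1.100,192.168.1.199,255.255.255.0,12h

# This is the only DHCP server on the segment.
dhcp-authoritative

# Fixed leases: MAC address, host name, IP address.
# Each name becomes resolvable as <name>.home.lan.
dhcp-host=00:11:22:33:44:01,fileserver,192.168.1.10
dhcp-host=00:11:22:33:44:02,office,192.168.1.11
dhcp-host=00:11:22:33:44:03,laptop,192.168.1.12
```

Running `dnsmasq --test` checks the file for syntax errors before the service is restarted.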

Posted: Sun Aug 19, 2007 4:28 pm
by schotty
I would recommend using Fedora or CentOS and the BIND tool to set up BIND to run DNS and set up a DHCP server on that system to do static IP addressing for those that need it. For the static systems, just have it be convention similar to this:

system24.domainname.com
192.168.2.24

system76.domainname.com
192.168.2.76

The configuration is quite simple and I am sure if it were to be too much, for cheap you could hire one of the DNS gods here to ssh in and hook ya up real good. But seriously, it's not that hard. The Red Hat documentation is just awesome and will get you totally through BIND and dhcpd.

Posted: Tue Aug 21, 2007 8:43 pm
by mowestusa
Well, I used Troel's idea for DNS.

I have two Linksys WRT-54G's version 4 routers. I had one running the stock Linksys firmware, and the other with v23 of DD-WRT. The DD-WRT was set up as a client bridge so that I can share a network across the street between my house and my office building. It was working great.

Now both routers have DD-WRT, but the main router at the office has version 23-SP2 installed on it. This is the one that has DNS running on it. So far everything is working great. In fact, I seem to be getting a stronger and faster connection between the two routers now with the version 23-SP2 on one and the version 23 on the other. I have always had two cantennas on them pointed at each other.

I have name resolution on my internal domain of .mowestusa.lan. I have the router giving out the ip addresses on the basis of the MAC addresses.

Two things I still don't know how to do, but haven't looked too deep yet.

1. I would like to block all MAC addresses that I have not put into my router. (I have a neighbor that sometimes steals my bandwidth, unknowingly, she is a grandma who is not very techno savvy, because her computer connects to my network instead of her own Linksys router.) I know that I can block her MAC address the next time it jumps on with restrictions, but I don't know if there is a way to block all other MAC addresses.

2. I plan to set up a webserver and I don't know if I can set up its IP on the DD-WRT. I have a DSL router that acts as my gateway, and has DHCP enabled, so that my DD-WRT router can get an IP address and give internet access to all the rest of my network. So really I have two NAT's running. The DSL router is my first hardware firewall, and then my DD-WRT Linksys router is my second hardware firewall. I had planned on hooking up the webserver to the DSL router directly which would effectively put it into a DMZ because I would be able to access it from my other computers on the network, but it would not be able to access any of the computers that are attached to my DD-WRT Linksys router. I don't know if it would work to add the webserver to the list in DD-WRT because it would not be handing out the ip to the webserver, the DSL modem/router would be doing that.

Finally, I have just finished setting up FreeNAS, so that I have my first ever dedicated file server. I love it. Anyone else tried it. I'm surprised at the copying speeds though. I have two drives in it. One is an old drive that was used in my old work desktop which also acted as my file server too. The second drive is a brand new one on the same channel. I'm copying over the data files that I want to keep from the one hard disk to the other, but I'm only getting about 2.3meg/second which seems a little slow, but that might be because both hard drives are on the same channel.

Anyway, thanks for the different ideas. I'm really happy with how things are turning out tonight.

Posted: Tue Aug 21, 2007 11:05 pm
by Tsuroerusu
mowestusa wrote:Well, I used Troel's idea for DNS.
MUAHAHAHAAAA!!!! T Mind Control.... Patent Pending. :lol:

mowestusa wrote:1. I would like to block all MAC addresses that I have not put into my router. (I have a neighbor that sometimes steals my bandwidth, unknowingly, she is a grandma who is not very techno savvy, because her computer connects to my network instead of her own Linksys router.) I know that I can block her MAC address the next time it jumps on with restrictions, but I don't know if there is a way to block all other MAC addresses.
This is called MAC address filtering, and is absolutely USELESS, for security. Sure, it will prevent casual, inadvertent misuse by your neighbor, but it's really a huge false sense of security, because it is NOT even in the same universe as the word "security".
Why is this the case? Very simple, wireless networking is built on top of the basic ideas of ethernet, so every packet sent has a packet header containing a "To:" and "From:" MAC address. So as an attacker I just have to capture ONE SINGLE PACKET, and this could even be an encrypted one, and then I have a MAC address that I can spoof, and log onto your network. Let me emphasize how easy this is:

su -c "airodump -w 0 wlan0"
In a few seconds it'll print a list of active authorized MAC addresses, and it hasn't even cracked anything, it just shows information that literally is "out there". My school uses WEP and MAC address filtering, and I cracked their network during my first week there almost a year ago.
OK, security talk over! How to secure your WiFi? ... WPA! With a good password, because ANY encryption can be cracked if it's done with a weak password/phrase.

mowestusa wrote:2. I plan to set up a webserver and I don't know if I can set up its IP on the DD-WRT. I have a DSL router that acts as my gateway, and has DHCP enabled, so that my DD-WRT router can get an IP address and give internet access to all the rest of my network. So really I have two NAT's running. The DSL router is my first hardware firewall, and then my DD-WRT Linksys router is my second hardware firewall. I had planned on hooking up the webserver to the DSL router directly which would effectively put it into a DMZ because I would be able to access it from my other computers on the network, but it would not be able to access any of the computers that are attached to my DD-WRT Linksys router. I don't know if it would work to add the webserver to the list in DD-WRT because it would not be handing out the ip to the webserver, the DSL modem/router would be doing that.
Let's say your first router gives out IPs in the 192.168.*.* range, and your first WRT54G router gives out IPs in the 10.*.*.* range. Then the WRT54G router will have an IP in the 192.168.*.* range, which is like the server being on the WAN. Think about this for a second, the web server is on the WAN, which is precisely like every other web server on the internet if you only had one router. So no port forwarding needed, you just enter the IP or hostname of the web server and it shouldn't be a problem. NAT routers block every unrequested incoming packet, it does not however block requested incoming traffic (Like web browsing) by default.

mowestusa wrote:Finally, I have just finished setting up FreeNAS, so that I have my first ever dedicated file server. I love it. Anyone else tried it. I'm surprised at the copying speeds though. I have two drives in it. One is an old drive that was used in my old work desktop which also acted as my file server too. The second drive is a brand new one on the same channel. I'm copying over the data files that I want to keep from the one hard disk to the other, but I'm only getting about 2.3meg/second which seems a little slow, but that might be because both hard drives are on the same channel.
If you like FreeNAS, you may want to have a look at pfSense as well, really cool stuff.

mowestusa wrote:Anyway, thanks for the different ideas. I'm really happy with how things are turning out tonight.
I'd recommend going to Administration --> Backup in DD-WRT and backing up your settings once you've got 'em all set up. DD-WRT stores these in NVRAM, so your router will essentially be reset if it's ever unplugged. This bit me once, but now I have a backup, which I can just restore. This may seem like a big problem, however I haven't had to use my backup to restore settings yet, because I rarely unplug my router.

Posted: Wed Aug 22, 2007 11:36 am
by mowestusa
Tsuroerusu wrote: I'd recommend going to Administration --> Backup in DD-WRT and backing up your settings once you've got 'em all set up. DD-WRT stores these in NVRAM, so your router will essentially be reset if it's ever unplugged. This bit me once, but now I have a backup, which I can just restore. This may seem like a big problem, however I haven't had to use my backup to restore settings yet, because I rarely unplug my router.
Really? I have the one DD-WRT at version 23 router that I have unplugged and plugged in again and it never lost any of its settings. Passwords remained the same, client bridge set up with the proper ssid, and I never had to reset any of that information. Perhaps it is just some settings that need to be backed up. Thanks for the advice, I will do it since you said so :).