Setting up a private subnet behind a cable modem (or DSL) and a firewall.

My equipment:
-------------
Basic RCA Cable modem, coax in / ethernet out
Linksys BEFSR11 firewall/router
3 8-port switches
1 200MHz Pentium MMX file/mail/web/dhcp/dns server w/ Gentoo Linux 1.2
Assorted other Linux/Windows clients

Connections:
------------

                 To cable company
                        ^
                        | Coax link
                        V
               [RCA cable modem]
                        ^
                        | Ethernet link
                        V
        [Linksys BEFSR11 firewall/router]
                        ^  WAN IP=www.xxx.yyy.zzz (DHCP assigned by cable company)
                        |  LAN IP=192.168.2.2 (fixed)
                        |
                        |  192.168.2.0 subnet
                        V
                 [8-port switch]
                  | | | | | | | |
                  | | | | | | | +--> Pentium server (mail/file/web/DHCP/DNS, Fixed IP)
                  | | | | | | +---->
                  | | | | | +------>
                  | | | | +-------->
                  | | | +----------> Various network connections in the house
                  | | +------------>
                  | +-------------->
                  V
                 [8-port switch]
                  | | | | | | | |
                  | | | | | | | +-->
                  | | | | | | +---->
                  | | | | | +------>
                  | | | | +--------> Various network connections in the house
                  | | | +---------->
                  | | +------------>
                  | +-------------->
                  V
                 [8-port switch]
                  | | | | | | | |
                  | | | | | | | +-->
                  | | | | | | +---->
                  | | | | | +------>
                  | | | | +--------> Various network connections in the house
                  | | | +---------->
                  | | +------------>
                  | +-------------->
                  +---------------->

Cable modem setup
=================
Nothing special here. Just followed the cable company's instructions and got a link up and running. The cable modem should provide a DHCP server for the WAN side of the Linksys firewall/router. Theoretically, the IP address could change at any time, which would only affect people trying to reach your private network via that Internet address (i.e. if you had a domain registered to that address).

Linksys BEFSR11 setup
=====================
Set your LAN IP address to a fixed location. You will need to know this when setting up your DHCP server later. I recommend using 192.168.x.1 or 192.168.x.2, where 'x' is any number between 1 and 254. The number you pick for 'x' will determine your local subnet.
Set your subnet mask to 255.255.255.0.

Set your WAN connection type to 'Obtain an IP automatically' if you receive dynamic IP addresses from your cable modem; otherwise select the connection type you use (i.e. static IP or PPPoE).

Disable the DHCP server on your firewall/router. You will be configuring your own DHCP server later.

Security settings are up to you.

For 'Forwarding', enable whatever ports you want to expose to the rest of the world and enter the *fixed* IP address that you will use for your primary server.

Under 'Dynamic Routing', select 'Gateway' working mode.

Linux server setup
==================
The key to a good local network is getting your local server configured correctly for DHCP and DNS. This server will be the only system that will need a static IP address (unless you count the static IP consumed by your Linksys router).

Decide how you want to partition the address space for your subnet between fixed and dynamic IPs. In general, you shouldn't need more than two static IPs as mentioned above, but you might want to save several more for dumb equipment that doesn't support DHCP. For some reason, I split my IP address space in half: addresses 1-127 are fixed, and addresses 128-254 are dynamic. I have no need for 127 static IPs, but it works and I'm in no danger of running out of addresses, so I haven't bothered to reconfigure it. Note that the static IP you assigned to the Linksys must be in the range of reserved static IPs.

Now that you've decided what addresses you're going to save for static IPs, make sure your server is using one of them. Something like 192.168.2.1 might be a good choice if you chose 192.168.2.2 above for your Linksys.

Pretty much everything from here on out requires 'root' access...

Edit the following lines in your /etc/conf.d/net. The first sets the static IP address for your server and the second tells your server the static IP for your Linksys.
iface_eth0="192.168.2.1 broadcast 192.168.2.255 netmask 255.255.255.0"
gateway="eth0/192.168.2.2"

DHCP on the Linux server
------------------------
If you're running a Gentoo server, emerge the net-misc/dhcp package. Edit the /etc/dhcp/dhcpd.conf file to be something like the following. (My domain name is vandogh.com; replace the appropriate fields with your own domain name and your router's and server's static IP addresses.)

#----------------start of file-----------------
option domain-name "vandogh.com";
option domain-name-servers 192.168.2.1;

ddns-update-style ad-hoc;

default-lease-time 600;
max-lease-time 7200;

authoritative;

log-facility local7;

subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.128 192.168.2.254;
  option domain-name-servers 192.168.2.1;
  option domain-name "vandogh.com";
  option routers 192.168.2.2;
  option broadcast-address 192.168.2.255;
  default-lease-time 7200;
  max-lease-time 7200;
}
#----------------end of file-------------------

DNS on the Linux server
-----------------------
I use what might be considered a strange configuration for DNS. It sort of evolved this way, and may be slightly redundant in what it provides, but I've combined a DNS server with a DNS cache which runs on the same system.

The DNS server will only provide name resolution for hosts on your local network (i.e. in your local domain). This allows you to have as many host names as you'd like without needing to register them with some outside name server. You can pick any domain name(s) that you want, but if you pick something like yahoo.com, then nobody in your private network will be able to access the REAL yahoo.com.

I've registered vandogh.com with one of the many domain name providers, but only one host name (www.vandogh.com) is registered in external name servers to allow outsiders to access my server (through the forwarded ports in the firewall).
However, internal to my network, I have several other host names which are accessible from other systems in my network via my local name server.

127.0.0.1   - DNS server which responds to DNS lookups for the DNS cache. It only responds to lookups for 'vandogh.com'.
192.168.2.1 - DNS cache which looks up addresses in the local server and provides results to the rest of the local network. If not found in the local server, it will search external servers.

These instructions assume that you have the svscan daemon running; if not, you should add it to the default list of services which run during normal operation (rc-update add default svscan) and make sure it is running (/etc/init.d/svscan start).

% emerge net-dns/djbdns

If you don't have an /etc/dns/dnscache directory, run the following commands. I can't remember if I had to run these or if the ebuild set it up for me this way...it's been too long since I set it up. Much of this info can be found at: http://cr.yp.to/djbdns.html

% useradd dnscache
% useradd dnslog
% useradd tinydns
% dnscache-conf dnscache dnslog /etc/dns/dnscache 192.168.2.1
% tinydns-conf tinydns dnslog /etc/dns/tinydns 127.0.0.1

The last argument of each *-conf command is the address that daemon listens on: the cache on the server's LAN address (192.168.2.1, so the rest of the network can reach it; without the argument it defaults to 127.0.0.1) and tinydns on 127.0.0.1, matching the two roles described above. dnscache also only answers clients whose address prefix is listed under its root/ip directory, so allow your own subnet:

% touch /etc/dns/dnscache/root/ip/192.168.2

Edit /etc/dns/dnscache/root/servers/@ to contain a list of DNS nameservers for handling requests that your local server won't handle. For example:

128.9.0.107
192.33.4.12
192.203.230.10
192.5.5.241
128.63.2.53
192.36.148.17
193.0.14.129
202.12.27.33

Edit /etc/dns/dnscache/root/servers/vandogh.com (replace with your own domain name) to contain the following line:

127.0.0.1

Enable the dnscache to be handled by svscan.
% ln -s /etc/dns/dnscache /service/dnscache
% sleep 5
% svstat /service/dnscache

Edit /etc/resolv.conf to contain your domain name and the static IP address of your server:

domain vandogh.com
nameserver 192.168.2.1

Set up your DNS server as follows (with appropriate substitutions):

% cd /etc/dns/tinydns/root
% ./add-ns vandogh.com 127.0.0.1
% ./add-host www.vandogh.com 192.168.2.1
% cp data static.vandogh.com

Enable tinydns to be handled by svscan:

% ln -s /etc/dns/tinydns /service/tinydns
% sleep 5
% svstat /service/tinydns

Get the daemons to re-read the configuration files whenever you change anything:

% /usr/bin/svc -h /service/tinydns
% /usr/bin/svc -h /service/dnscache

Test your DHCP and DNS service without dynamic DNS updates
----------------------------------------------------------
From your server, check to see if:

a) The server can access itself by the name you specified in the add-host line above (e.g. www.vandogh.com)
b) The server can access external hosts by name (e.g. www.yahoo.com) on the internet

You should see activity in the /service/tinydns/log/main/current and /service/dnscache/log/main/current files for step (b) (and maybe step (a) as well). If not, then you'll have to diagnose it by verifying that the /etc/resolv.conf file is correct, the dnscache and tinydns daemons are running, and all of the associated config files are right. Please let me know if you find anything that I neglected to explain fully.

Reboot one of your clients (or ipconfig -release and ipconfig -renew if you're running windoze) to see if:

c) The client gets a valid IP address from your DHCP server. It will appear in your /var/db/dhcpd.leases file.
d) The client can access your server by the name you specified in the add-host line above (e.g. www.vandogh.com)
e) The client can access hosts by name (e.g. www.yahoo.com) on the internet

If you've made it this far and things are working, then you're in good shape (and probably at least as well off as you were before you started).
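Before running the client tests, it is worth confirming that dhcpd.conf respects the partition chosen under 'Linux server setup': the router's and the server's fixed addresses must lie inside the subnet but outside the dynamic range, or dhcpd could hand one of them to a client. The following check is an added example (not from this page or from the dhcp package); the two configuration strings are constructed from the page's values, the second with the router address deliberately moved into the pool.

```python
import ipaddress
import re

# Constructed copy of the subnet block from the dhcpd.conf above (not the page's file itself).
GOOD_CONF = """
subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.128 192.168.2.254;
  option domain-name-servers 192.168.2.1;
  option routers 192.168.2.2;
  option broadcast-address 192.168.2.255;
}
"""
# Same block with the router's address moved into the dynamic pool, to show the check firing.
BAD_CONF = GOOD_CONF.replace("option routers 192.168.2.2;", "option routers 192.168.2.200;")

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"range\s+(\S+)\s+(\S+);")

def check_subnets(conf):
    """Return a list of problems found in every 'subnet ... { }' block: a dynamic range that
    leaves the subnet, or a router / DNS server address that is outside the subnet or sits
    inside the dynamic range (where dhcpd could lease it to some other client)."""
    problems = []
    for addr, mask, body in SUBNET_RE.findall(conf):
        net = ipaddress.ip_network(f"{addr}/{mask}")
        rng = RANGE_RE.search(body)
        if not rng:
            problems.append(f"{net}: no 'range' statement")
            continue
        lo, hi = (ipaddress.ip_address(x) for x in rng.groups())
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"{net}: range {lo}-{hi} is not a valid part of the subnet")
        for opt in ("routers", "domain-name-servers"):
            m = re.search(rf"option {opt}\s+([^;]+);", body)
            if not m:
                problems.append(f"{net}: no 'option {opt}'")
                continue
            for ip_s in m.group(1).replace(",", " ").split():
                ip = ipaddress.ip_address(ip_s)
                if ip not in net:
                    problems.append(f"{opt} {ip} is outside {net}")
                elif lo <= ip <= hi:
                    problems.append(f"{opt} {ip} lies in dynamic range {lo}-{hi}")
    return problems

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_subnets(conf) or "ok")
```

To check the real file, pass the contents of /etc/dhcp/dhcpd.conf to check_subnets instead of the constructed strings.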
DHCP+DNS
--------
Save a copy of your entire /etc/dns/tinydns tree somewhere, since we'll be modifying it.

Download a version of dhcp_dns from http://www.thismetalsky.org/files/dhcp_dns/. I'm currently using version 1.0.4. I'm not sure what's new in the more recent versions.

Untar the dhcp_dns package in a temp directory and cd to that directory. Read the README file and edit the Makefile. Here's what the top of mine looks like:

PREFIX = /usr
DOMAIN = vandogh.com
TINYDNSPATH = /service/tinydns
DNSCACHEPATH = /service/dnscache
LEASEFILE = /var/db/dhcpd.leases

Run 'make' in the current directory to update your tinydns/root directory area with some support files and a new Makefile. I'm not sure if I had to edit anything in /service/tinydns/root/ after this step. Here's what the interesting files in my directory look like:

#---------------------Makefile-----------------------
data.cdb: data
	/usr/bin/tinydns-data
	/usr/bin/svc -h /service/dnscache

db.vandogh.com: static.vandogh.com dhcp.vandogh.com
	@echo "# DO NOT EDIT THIS FILE DIRECTLY" > db.vandogh.com
	cat static.vandogh.com dhcp.vandogh.com >> db.vandogh.com

data: db.*
	@echo "# DO NOT EDIT THIS FILE DIRECTLY" > data
	cat db.* >> data
#---------------------end of file--------------------

#-----------------static.vandogh.com-----------------
.vandogh.com:127.0.0.1:a:259200
=www.vandogh.com:192.168.2.1:86400
#---------------------end of file--------------------

Add the following line to your /etc/conf.d/local.start file:

djb_update.pl > /var/log/djb_update 2>&1 &

And the following lines to your /etc/conf.d/local.stop. You might want to double check that the .pid file path that I show here is the same as the default for djb_update.pl. I may have edited the script to use the path below.
if [ -f /var/run/djb_update.pid ] ; then
    kill `cat /var/run/djb_update.pid`
    rm /var/run/djb_update.pid
fi

And then start the djb_update.pl script manually so you don't have to reboot your server:

% djb_update.pl > /var/log/djb_update 2>&1 &

If that works, then you should be completely up and running with dynamic DNS updates from your DHCP server. Let me know if you come up with any improvements to this or if you need some info that I didn't provide.
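The piece of the chain that dhcp_dns's djb_update.pl performs, turning /var/db/dhcpd.leases into the dhcp.vandogh.com file that the Makefile above concatenates with static.vandogh.com, is illustrated here in Python as an added example; it is not the project's script and not code from this page. The sample lease text, the TTL and the hostname rule are my assumptions. The rule matters because client-hostname is whatever the client sent, and a name containing ':' or a newline would otherwise become extra fields or records in the tinydns data file.

```python
import re
TTL = 300  # assumption: a short TTL, since these names come and go with the leases

# Constructed sample of /var/db/dhcpd.leases (ISC dhcpd 3 syntax); dhcpd appends, so an IP can repeat and the last entry wins.
SAMPLE_LEASES = """\
lease 192.168.2.130 {
  binding state active;
  next binding state free;
  client-hostname "Laptop";
}
lease 192.168.2.131 {
  binding state active;
  client-hostname "evil:1.2.3.4";
}
lease 192.168.2.132 {
  binding state active;
  client-hostname "printer";
}
lease 192.168.2.132 {
  binding state free;
  client-hostname "printer";
}
"""

LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.S)
STATE_RE = re.compile(r"^\s*binding state (\w+);", re.M)  # anchored: skips 'next binding state'
HOST_RE = re.compile(r'^\s*client-hostname "([^"]*)";', re.M)
# RFC 1123 host label: the client chose this string, so check it before it becomes a record.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def active_leases(text):
    """Map IP -> lowercased client hostname for leases still active at the end of the file."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = STATE_RE.search(body)
        host = HOST_RE.search(body)
        if (state and state.group(1) != "active") or not host:
            leases.pop(ip, None)  # released, expired, or nameless: no record
        else:
            leases[ip] = host.group(1).lower()
    return leases

def dhcp_records(text, domain):
    """tinydns '=' lines (A plus PTR); first IP in sorted order keeps a name, bad labels are dropped."""
    seen, lines = set(), []
    for ip, label in sorted(active_leases(text).items()):
        if LABEL_RE.match(label) and label not in seen:
            seen.add(label)
            lines.append(f"={label}.{domain}:{ip}:{TTL}")
    return lines
```

Writing the returned lines to dhcp.vandogh.com and running make in /service/tinydns/root would then rebuild data.cdb the same way the Makefile above does.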