Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: thedude on December 17, 2004, 04:19:07 AM

Title: Multiple ip ranges
Post by: thedude on December 17, 2004, 04:19:07 AM
I have an sme box and I want to enable multiple ip ranges on the lan side, i.e. 192.168.0.x, 192.168.1.x, 192.168.2.x .

I also have an ip cop box and used this in the /etc/rc.d/rc.local and achieved what I wanted (With more addresses obviously)

ip addr add 192.168.2.1/24  broadcast 192.168.2.255  dev eth0
ip addr add 192.168.3.1/24  broadcast 192.168.3.255  dev eth0

I wanted to ask about this before I used my server as a testing ground. Could it be this simple?

Thanks
chris
Title: Multiple ip ranges
Post by: mbachmann on December 17, 2004, 11:28:27 AM
What about server manager - local networks?
Title: Multiple ip ranges
Post by: thedude on December 17, 2004, 09:26:58 PM
That doesn't seem to allow the machine to route the other ip ranges, I tried it.
Title: Multiple ip ranges
Post by: NickR on December 17, 2004, 11:09:35 PM
Isn't this a simple netmask issue?  For your particular example, a netmask of 255.255.252.0 would allow a consecutive block of 3 /24 addresses.
Title: Multiple ip ranges
Post by: thedude on December 18, 2004, 07:36:06 AM
The networks are using the same subnet mask (255.255.255.0), just different ip's. They plug into a switch, and then will hopefully go into an sme server to be routed to the internet.

I tried it with my sme server and it didn't work, but it does work with my ipcop server.
Title: Multiple ip ranges
Post by: ryan on December 22, 2004, 06:05:41 PM
thedude,

I use SME at my primary site for proxy and email filtering.  IPCop is my WAN IPSEC router to connect 5 sites.

SME  192.168.1.0
IPcop 192.168.1.254

To make SME available to my local & remote IPCop IPSEC VPN connected LANS, I entered a local network (server-manager):  192.168.0.0/255.255.0.0 and the router is 192.168.1.254.  All clients in 5 different locations can ping and access SME for proxy.  Any client can ping any other client in any location with this setup.

I have a question regarding your IPCop as LAN router with multiple lan subnets....adding networks on IPCop using rc.local, will IPCop correctly route traffic that comes from a remote subnet through an IPSec VPN Tunnel to the various subnets defined in rc.local?

Can a client on Green ping any client on either subnet on blue (assuming your rc.local is configured for blue)?

ryan
Title: Multiple ip ranges
Post by: thedude on December 27, 2004, 09:01:26 PM
Actually, I don't know for sure, I'm not set up for vpn. I would imagine it would route the vpn clients. I can ping other clients on the network with different ranges.

My setup only uses 2 nics (Red & Green), with the green being the nic supporting multiple ranges. So far it seems to be working quite well. It supports at least 6 separate offices in my building, and quite a few computers.
Title: Multiple ip ranges
Post by: ryan on December 27, 2004, 09:35:15 PM
Thanks for responding.

I set up a test box at work and was able to ping from home thru an IPSEC tunnel to the subnet added at the command line...only issue is IPCop 1.4.2 did not like the 'ip addr' syntax...so I used ifconfig instead.  I added an alias network to the green and all services appeared to be available to the PC on the alias network...worked great...

ryan
Title: Multiple ip ranges
Post by: thedude on December 27, 2004, 10:08:54 PM
Post your syntax for ifconfig. I'll probably be using 1.4.2 soon, and I'm sure others would really like to know as well.

I've seen this topic several times on these forums, but no answers. The only thing that seems to work is ipcop
Title: Multiple ip ranges
Post by: ryan on December 27, 2004, 10:29:44 PM
I am not a linux guru, but using man pages on a different box (sme), I was able to figure out ifconfig in a few minutes...

To add a network to the Green nic (eth0 on my server):

ifconfig eth0:0 192.168.2.0 netmask 255.255.255.0 broadcast 192.168.2.255

(not sure if it is necessary to include the broadcast portion)

eth0:0 will then appear in the web manager under network status and the routing table.  IPcop handled routing correctly for incoming traffic from a VPN tunnel (site to site) and port forwarding (vnc) from red.

ryan
Title: Re: Multiple ip ranges
Post by: dwater on January 03, 2005, 05:58:06 AM
Quote from: "thedude"
I have an sme box and I want to enable multiple ip ranges on the lan side, i.e. 192.168.0.x, 192.168.1.x, 192.168.2.x .

I also have an ip cop box and used this in the /etc/rc.d/rc.local and achieved what I wanted (With more addresses obviously)

ip addr add 192.168.2.1/24  broadcast 192.168.2.255  dev eth0
ip addr add 192.168.3.1/24  broadcast 192.168.3.255  dev eth0

I wanted to ask about this before I used my server as a testing ground. Could it be this simple?

Thanks
chris


I think the term to use here is 'ip aliasing'. I found this quick howto - the section called "Multiple IP Addresses on a Single NIC" :

http://www.siliconvalleyccie.com/linux-hn/network-linux.htm

I assume this can be done w/o any problem with SME. Ryan says that, after running the ifconfig command, eth0:0 appears in the web manager, but will it be persistent?

I also want to make another subnet w/o adding another NIC. I assume I should edit a template to do this, right? I worry because I want SME to serve both subnets with DHCP, DNS, SMB, etc etc.

(I'm fairly new to the SME way of doing things)

Thanks for any advice.

Max.
Title: Multiple ip ranges
Post by: ryan on January 03, 2005, 03:15:18 PM
Max,

The previous discussion dealt with ip-aliases using IPCop.  To make the additions permanent, the statements would have to be added to rc.local (on IPCop).

With IPCop, DHCP did not work for the additional green network, but other services like routing, proxy and port forwarding did work.

It is likely this will work with SME, but you will only know if you test it on a test server.

ryan
Title: Multiple ip ranges
Post by: dwater on January 03, 2005, 03:42:21 PM
Quote from: "ryan"
Max,

The previous discussion dealt with ip-aliases using IPCop.  To make the additions permanent, the statements would have to be added to rc.local (on IPCop).

With IPCop, DHCP did not work for the additional green network, but other services like routing, proxy and port forwarding did work.

It is likely this will work with SME, but you will only know if you test it on a test server.

ryan


I don't think the initial question was how to do it on ip cop - I think he was saying he could do it on ip cop already, and wanted to know how to do it on SME instead - like I want to do.

In any case, unfortunately, I don't have a 'test server'; I'd have to try it on the real thing after everyone has gone home - it seems I do a lot of late nights as a sys-admin :(

Max.
Title: Multiple ip ranges
Post by: dwater on January 04, 2005, 03:07:16 AM
Well, I created a second network on my lan, but dhcp doesn't work - and, thinking about it, how could it?

I guess I would have to tell dhcpd all the mac addresses on the second network and have it assign appropriate ip addresses. That might work, I suppose. Doesn't sound very flexible though.

I'm starting to think a second, or third (for our third network) nic might be preferable. They're cheap...

Max.
Title: Multiple ip ranges
Post by: thedude on January 04, 2005, 05:45:22 AM
I shy away from dhcp, mainly because it adds a failure point, and with windbloz computers who needs another? I like static!
Title: Multiple ip ranges
Post by: dwater on January 04, 2005, 07:39:09 AM
Quote from: "thedude"
I shy away from dhcp, mainly because it adds a failure point, and with windbloz computers who needs another? I like static!


I take your point, though I like it because it moves the failure point from me to the computer :)

Max.
Title: Re: Multiple ip ranges
Post by: CharlieBrady on January 05, 2005, 01:09:41 AM
Quote from: "thedude"
I have an sme box and I want to enable multiple ip ranges on the lan side, i.e. 192.168.0.x, 192.168.1.x, 192.168.2.x .


Why do you want multiple ip addresses? Why not one larger network, which includes all the addresses you list (IOW, just change the netmask you configure)?
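
The two layouts discussed in this thread, separate /24 ranges on one interface versus one larger network with a wider netmask, compared as an added example that is not part of any post. The function names and the sample host addresses are constructed for illustration; the ranges are the ones listed in the first post.

```python
import ipaddress

# Ranges from the first post (192.168.0.x, 192.168.1.x, 192.168.2.x).
OFFICE_RANGES = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]


def smallest_covering_network(ranges):
    """Return the smallest single network that contains every range."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen the mask by one bit
    return candidate


def on_link(host_a, host_b, networks):
    """True if both hosts sit inside the same configured network, i.e.
    they address each other directly instead of going via the gateway."""
    a = ipaddress.ip_address(host_a)
    b = ipaddress.ip_address(host_b)
    return any(a in n and b in n for n in networks)


def compare(host_a, host_b, ranges=OFFICE_RANGES):
    """Evaluate one host pair under both layouts from the thread."""
    separate = [ipaddress.ip_network(r) for r in ranges]
    merged = [smallest_covering_network(ranges)]
    return {
        "separate_/24s": on_link(host_a, host_b, separate),
        "one_larger_net": on_link(host_a, host_b, merged),
    }


if __name__ == "__main__":
    net = smallest_covering_network(OFFICE_RANGES)
    # The covering block and its mask, plus how many addresses it spans.
    print(net, net.netmask, net.num_addresses)
    # Constructed hosts in two different offices.
    print(compare("192.168.0.10", "192.168.2.10"))
```

This models IP-layer addressing only; it says nothing about what is visible at the Ethernet layer on a shared switch.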
Title: Multiple ip ranges
Post by: thedude on January 05, 2005, 02:09:32 AM
Because the box is going to handle a T1 connection, split among several different offices. We don't want the offices on the same network, mainly to keep people from snooping.
Title: Multiple ip ranges
Post by: cc_skavenger on January 05, 2005, 02:57:25 AM
Would it not be easier to isolate each office with a hardware router?  Even with different subnets on the same physical network, people can still snoop with ethereal or other software sniffers.  I do it all the time to check our networks.

HTH
Title: Multiple ip ranges
Post by: CharlieBrady on January 05, 2005, 04:32:55 AM
Quote from: "thedude"
We don't want the offices on the same network, mainly to keep people from snooping.


You'll need a router then. Period.
Title: Multiple ip ranges
Post by: thedude on January 05, 2005, 11:45:42 PM
Quote
You'll need a router then. Period.


We have a cisco router (not firewall). We want to control the firewall, and not have individual firewall/routers for each office. It used to be that way and there were problems with offices running without firewalls, etc. It brought the whole network down several times. This way if someone screws up, I can track who did what. I can just delete their network from the interface and be done with them.

There are also other things on the network that need this setup.


Quote
Would it not be easier to isolate each office with a hardware router? Even with different subnets on the same physical network, people can still snoop with ethereal or other software sniffers. I do it all the time to check our networks.


We don't want multiple routers, and none of these users would have a clue what a packet sniffer is, or how to snoop.