


Network configuration with an IPFire firewall and some wifi routers

Hi.

I think some of you are going to think I'm crazy, please feel free to
tell me if you do :-)

OK, here's the configuration of my personal (family) network :

                      -------------
                      |  ISP Box  |
                      | (Freebox) |
                      |   Bridge  |
                      -------------
                            |
                            | fixed IP
                            |
                    -------------------
                    | IPFire firewall |
                    -------------------       -------- Computer1
                            |                 |      (192.168.10.8)
                            | 192.168.10.1    |------- Computer2
                            |                 |      (192.168.10.9)
                      --------------          |--------  ...
                      | Switch(es) |-----------
                      --------------          |-------- Printer
                                              |      (192.168.10.45)
                                              |-------- Wifi router 1
                                              |      (192.168.10.99)
                                              |-------- Wifi router 2
                                                     (192.168.10.135)

So all this works on the 192.168.10 network. I fix all the addresses
because I'm not intelligent enough to process the necessary
configuration for DHCP : my personal PC needs (or so I think) a fixed
IP to perform some of the administrative and networking tasks
(P2P, ...).

My problem is about the 2 wifi routers. They are Netgear wifi routers,
2010 generation. The usual way to use them is to connect them directly
on the DSL box, but then I lose the protection of my firewall, which I
don't want. So I connect them to a (in fact, 2) switch after the
firewall. My first problem is : do I connect them through the WLAN
port, or some LAN port. That I haven't figured yet, and I think one is
connected through WLAN (it works, don't ask me why), the other on LAN
(it used to work, now it doesn't...).

Then is the configuration step. I managed to work out a configuration
for one of the routers, giving a 192.168.10.99 IP, using the IPFire as
a gateway and DNS server. The "LAN configuration" of this one tells me
its LAN address is 192.168.2.1, and it forwards via DHCP addresses to
wireless connections from 192.168.2.2 to 192.168.2.254.

Now this (the fact that the network is different from 192.168.10) is a
problem when I want to use for example Airdroid to access files from a
phone or a tablet on my network : I can't seem to find a way to reroute
traffic from those two networks. Maybe configure correctly the
wifi router with a route, but the documentation is quite vague on the
subject (if not completely quiet !).

The second wifi router uses a 192.168.1 network, this is even worse
(I have thick old brick walls that don't transfer well the waves :-(,
because it creates more networks to link... But the main problem is
that this router, which used to work, doesn't anymore...

I hope you understand correctly my problems. What I would like is some
advice from people using the same kind of configuration that I use
myself. If your answer is "Use DHCP, dude", or "Trust the Wizard",
well, thank you for reading so far, but this doesn't work well for
me :-)

Hope you're not disappointed you spent so much time reading all this,
and thanks in advance for all the help you can provide :-)

\bye

-- 

                   Nicolas FRANCOIS
            http://nicolas.francois.free.fr
 A TRUE Klingon programmer does NOT comment his code

0
Nicolas
7/9/2016 2:16:26 PM
comp.os.linux.networking

On 09/07/2016 at 16:16, Nicolas FRANCOIS (AKA El Bofo) wrote:
>
> My problem is about the 2 wifi routers. They are Netgear wifi routers,
> 2010 generation. The usual way to use them is to connect them directly
> on the DSL box, but then I lose the protection of my firewall, which I
> don't want. So I connect them to a (in fact, 2) switch after the
> firewall. My first problem is : do I connect them through the WLAN
> port, or some LAN port.

I guess you mean the WAN port, not WLAN.

It depends whether you want to use them as bridges (through a LAN port) 
or as routers (through the WAN port, usually with NAT). A bridge means 
that the wireless network is part of the main LAN, with the same IP 
subnet and parameters. A router means that the wireless network is a 
separate network. When used as a bridge, make sure the embedded DHCP 
server is disabled.

> Now this (the fact that the network is different from 192.168.10) is a
> problem when I want to use for example Airdroid to access files from a
> phone or a tablet on my network : I can't seem to find a way to reroute
> traffic from those two networks. Maybe configure correctly the
> wifi router with a route

The wireless router has all the needed routes.
To be able to forward communications from the main LAN to the wireless 
network, you must add the proper route (and filtering rules) on the 
IPfire router, or configure port forwarding on the wireless router, just 
as you would do to allow a communication from the internet through the 
internet gateway to a LAN host.
0
Pascal
7/9/2016 7:26:13 PM
On Sat, 9 Jul 2016 21:26:13 +0200,
Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:

> On 09/07/2016 at 16:16, Nicolas FRANCOIS (AKA El Bofo) wrote:
> >
> > My problem is about the 2 wifi routers. They are Netgear wifi
> > routers, 2010 generation. The usual way to use them is to connect
> > them directly on the DSL box, but then I lose the protection of my
> > firewall, which I don't want. So I connect them to a (in fact, 2)
> > switch after the firewall. My first problem is : do I connect them
> > through the WLAN port, or some LAN port.
>
> I guess you mean the WAN port, not WLAN.

Yes I do.

One thing that confuses me is that I have to provide an IP address in
the Internet section of the configuration, which has to be different
from the address in the LAN section. I wonder if I can give an address
in the same network, in the bridge option...

> It depends whether you want to use them as bridges (through a LAN
> port) or as routers (through the WAN port, usually with NAT). A
> bridge means that the wireless network is part of the main LAN, with
> the same IP subnet and parameters. A router means that the wireless
> network is a separate network. When used as a bridge, make sure the
> embedded DHCP server is disabled.

So who's going to give an IP address to the devices connecting via
wifi ?

> > Now this (the fact that the network is different from 192.168.10)
> > is a problem when I want to use for example Airdroid to access
> > files from a phone or a tablet on my network : I can't seem to find
> > a way to reroute traffic from those two networks. Maybe configure
> > correctly the wifi router with a route
>
> The wireless router has all the needed routes.
> To be able to forward communications from the main LAN to the
> wireless network, you must add the proper route (and filtering rules)
> on the IPfire router, or configure port forwarding on the wireless
> router, just as you would do to allow a communication from the
> internet through the internet gateway to a LAN host.

OK.

For now I have one router working "correctly", in router mode. One
thing I didn't see before is that I can configure the second router in
"repeater mode". I tried this, but something went wrong... And the
problem is that I can't access the routers from inside the network, I
have to plug them in a laptop, and disable wifi connection... Quite
unnerving :-P

Another problem is that I thought the Netgear documentation was in
English, but it's actually written in some foreign language, maybe
Martian, and it's completely useless. No "Howto" for different
configurations, no explanations of the terms used... I thought I
understood English (but as you can see, my English is quite poor), but
this is complete Chinese for me :-(

Anyway, thanks for your explanations, and so sorry for all the dumb
questions. I'll give all this a second

\bye

-- 

                   Nicolas FRANCOIS
            http://nicolas.francois.free.fr
 A TRUE Klingon programmer does NOT comment his code

0
Nicolas
7/12/2016 11:38:14 AM
On 12/07/2016 at 13:38, Nicolas FRANCOIS (AKA El Bofo) wrote:
>
> One thing that confuses me is that I have to provide an IP address in
> the Internet section of the configuration, which has to be different
> from the address in the LAN section.

Yes. It is a router, and the purpose of a router is to interconnect 
between otherwise separated networks. Usually, each interface has an 
address in the network it is connected to.

> I wonder if I can give an address
> in the same network, in the bridge option...

I strongly warn against doing so. If the configuration interface does 
not prohibit it, it can cause trouble because the address will work only 
on one interface and Murphy's law states that it will be the wrong one. 
If you use the device as a router and don't connect anything to the WAN 
interface, just give it an address from an unused subnet.

>> It depends whether you want to use them as bridges (through a LAN
>> port) or as routers (through the WAN port, usually with NAT). A
>> bridge means that the wireless network is part of the main LAN, with
>> the same IP subnet and parameters. A router means that the wireless
>> network is a separate network. When used as a bridge, make sure the
>> embedded DHCP server is disabled.
>
> So who's going to give an IP address to the devices connecting via
> wifi ?

A DHCP server you set up on the main LAN. It can run on the IPFire box.
Actually you could even use the DHCP server embedded in the access point 
if it allows you to configure the default router and DNS addresses in the 
DHCP options (by default it uses its own address, which is wrong for you).

> For now I have one router working "correctly", in router mode. One
> thing I didn't see before is that I can configure the second router in
> "repeater mode".

Repeater mode is for wireless networks, to extend the range of a primary 
access point. You don't want this.

Bridge mode does not require specific support in the device firmware, 
only the ability to disable the DHCP server if it does not suit your needs.
0
Pascal
7/12/2016 1:04:50 PM
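
Added example, not part of the thread: a small Python check for the two points made in Pascal's replies above, namely which routes the IPFire box needs to reach the Wi-Fi subnets in router mode, and the warning against giving a router's WAN and LAN sides addresses in the same network. The addresses come from the thread; the /24 masks, the `.1` host part for the second router and the names `plan_routes`, `MAIN_LAN` and `ROUTERS` are assumptions made for the example.

```python
import ipaddress

# Addresses are taken from the thread; every /24 mask is an assumption, and
# so is the .1 host part of the second router's LAN interface.
MAIN_LAN = ipaddress.ip_network("192.168.10.0/24")
ROUTERS = [
    # (name, WAN-side address on the main LAN, LAN/Wi-Fi-side interface)
    ("wifi1", "192.168.10.99", "192.168.2.1/24"),
    ("wifi2", "192.168.10.135", "192.168.1.1/24"),
]


def plan_routes(main_lan, routers):
    """Return (routes, problems) for the firewall sitting on main_lan."""
    routes, problems, used = [], [], []
    for name, wan, lan in routers:
        wan_ip = ipaddress.ip_address(wan)
        lan_net = ipaddress.ip_interface(lan).network
        if wan_ip not in main_lan:
            problems.append(f"{name}: WAN address {wan_ip} is outside {main_lan}")
        elif lan_net.overlaps(main_lan):
            # The case warned against: both interfaces in the same subnet.
            problems.append(f"{name}: LAN side {lan_net} overlaps {main_lan}")
        elif any(lan_net.overlaps(other) for other in used):
            problems.append(f"{name}: LAN side {lan_net} is already used")
        else:
            used.append(lan_net)
            # Generic iproute2 syntax; IPFire has its own way to store routes.
            routes.append(f"ip route add {lan_net} via {wan_ip}")
    return routes, problems


if __name__ == "__main__":
    routes, problems = plan_routes(MAIN_LAN, ROUTERS)
    print("\n".join(routes + problems))
```

The routes only make the Wi-Fi subnets reachable; the filtering rules mentioned in the reply still decide which main-LAN hosts may open connections into them.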
On Sat, 09 Jul 2016 16:16:26 +0200, Nicolas FRANCOIS (AKA El Bofo) wrote:

> OK, here's the configuration of my personal (family) network :
> 
>                       -------------
>                       |  ISP Box  |
>                       | (Freebox) |
>                       |   Bridge  |
>                       -------------
>                             |
>                             | fixed IP
>                             |
>                     -------------------
>                     | IPFire firewall |
>                     -------------------       -------- Computer1
>                             |                 |      (192.168.10.8)
>                             | 192.168.10.1    |------- Computer2
>                             |                 |      (192.168.10.9)
>                       --------------          |--------  ...
>                       | Switch(es) |-----------
>                       --------------          |-------- Printer
>                                               |      (192.168.10.45)
>                                               |-------- Wifi router 1
>                                               |      (192.168.10.99)
>                                               |-------- Wifi router 2
>                                                      (192.168.10.135)

At some point, you decide whether you want to go further into the dark 
art of connecting everything with everything your way or just stay within 
the confines of "consumer electronics". Since you seem intent on doing 
things your way, why not go all in and install OpenWRT on the two WiFi 
routers? That way, you can route everything just the way you want to. :)

Notice the cost in time and effort.
0
Aleksandar
7/15/2016 4:23:56 PM