Thread: No DHCP address to the DMZ :-(

No DHCP address to the DMZ :-(
2006-12-23 21:02:29

Hi Craig,
>
> Wow, thanks everyone.
>
> I like kp's idea of creating a separate subnet for the DMZ (e.g:
> 192.168.2.0).
>
> Do I do that all through dnsmasq.conf?...or are there changes I need to
> make to shorewall as well?
>
You have to make them in /etc/network/interfaces:

    auto eth1
    iface eth1 inet static
        address 192.168.1.254
        netmask 255.255.255.0
        broadcast 192.168.1.255

    auto eth2
    iface eth2 inet static
        address 192.168.2.254
        netmask 255.255.255.0
        broadcast 192.168.2.255

And if you want to have dhcp on both networks you have to do something
like this in dnsmasq.conf:

    dhcp-range=192.168.1.1,192.168.1.199,12h
    dhcp-range=192.168.2.1,192.168.2.199,12h

In shorewall it's important in the above case to have both

    loc eth1 detect dhcp

and

    dmz eth2 detect dhcp

in the shorewall/interfaces file.

Eric

> Thank you,
> Craig
>
>
> -----Original Message-----
> From: Eric Spakman [mailto:E.Spakman inter.nl.net]
> Sent: Saturday, December 23, 2006 11:24 AM
> To: Craig Caughlin
> Subject: Re: [leaf-user] No DHCP address to the DMZ :-(
>
> Hi Craig,
>
>> Unfortunately, no. :-(
>>
>> I've even tried changing cables to be sure it wasn't a simple problem
>> like that (even though they're brand new cables).
>>
>> Suggestions?
>>
> A few things to check:
> Do you have an ip connection at all? Try to give the system a fixed
> ip address and run ping. If that works, enable dhcp on that system again
> and look if dhcp traffic isn't blocked. This can be done with 'shorewall
> hits', but it's better to use tcpdump to 'sniff' the traffic.
>
>> Thank you,
>> Craig
>>
> Eric
>
>> -----Original Message-----
>> From: Eric Spakman [mailto:E.Spakman inter.nl.net]
>> Sent: Saturday, December 23, 2006 11:07 AM
>> To: Craig Caughlin
>> Cc: leaf-user lists.sourceforge.net
>> Subject: Re: [leaf-user] No DHCP address to the DMZ :-(
>>
>> Hi Craig,
>>
>>> Hi Eric,
>>> The only thing I have done to get things up and running is:
>>>
>>> I've uncommented "dhcp-range=192.168.1.1,192.168.1.199,12h" in the
>>> /etc/dnsmasq.conf file. Do I need to do something different?
>>>
>> No, that's enough to serve dhcp addresses.
>>
>>> Also, should I add another interface in /etc/dhcpc/config ? I see at
>>> the bottom it says, # Add other interfaces here
>>> *)
>>> ;;
>>>
>>> Should I add eth2? What does the syntax look like?:
>>>
>>> # Add other interfaces here
>>> *)
>>> eth2 ;;
>>>
>>> Is that right (and/or do I even need to worry about it?)?
>>>
>> This is the configuration of dhcpcd, the dhcp client. You don't need
>> to worry about that.
>>
>>> Thank you!
>>>
>> Is it working now in the dmz?
>>
>>> Craig
>>>
>> Eric
>>
>>> -----Original Message-----
>>> From: Eric Spakman [mailto:E.Spakman inter.nl.net]
>>> Sent: Saturday, December 23, 2006 10:35 AM
>>> To: Craig Caughlin
>>> Cc: leaf-user lists.sourceforge.net
>>> Subject: Re: [leaf-user] No DHCP address to the DMZ :-(
>>>
>>> Hi Craig,
>>>
>>>> Hi folks,
>>>> Happy Holidays.
>>>>
>>> Happy Holidays to you
>>>
>>>> I'm using the new, Bering uClibc 3.0, and my LAN connections
>>>> to/from the web, etc. work great.
>>>>
>>>> Now, I'm trying to set up a wireless router in my DMZ, and it's not getting
>>>> a dynamic IP address (I have confirmed this by connecting a laptop
>>>> via crossover cable directly to the DMZ NIC). Here's my scenario:
>>>>
>>>> 1. I'm using the new, Bering uClibc 3.0
>>>> 2. ip addr show displays:
>>>>
>>>> eth0: mtu 1500 qdisc pfifo_fast qlen 1000
>>>>     link/ether 00:02:e3:1d:e2:a5 brd ff:ff:ff:ff:ff:ff
>>>>     inet 67.164.217.61/23 brd 255.255.255.255 scope global eth0
>>>>
>>>> eth1: mtu 1500 qdisc pfifo_fast qlen 1000
>>>>     link/ether 00:02:e3:23:c1:1f brd ff:ff:ff:ff:ff:ff
>>>>     inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
>>>>
>>>> eth2: mtu 1500 qdisc pfifo_fast qlen 1000
>>>>     link/ether 00:02:e3:22:a0:51 brd ff:ff:ff:ff:ff:ff
>>>>     inet 192.168.1.100/24 brd 192.168.1.255 scope global eth2
>>>>
>>>> 3. I uncommented the DMZ section of /etc/network/interfaces
>>>> 4. I have the following changes to Shorewall:
>>>>
>>>> /etc/shorewall/zones - Uncommented the DMZ line
>>>> /etc/shorewall/policy - DMZ > NET > ACCEPT
>>>> /etc/shorewall/rules - DNS/ACCEPT dmz > fw, Ping/ACCEPT dmz > fw, and ACCEPT fw dmz > icmp
>>>> /etc/shorewall/interfaces - dmz eth2 detect dhcp
>>>> /etc/shorewall/masq - Unchanged
>>>> /etc/shorewall/routestopped - Unchanged
>>>>
>
>
>
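
An added example, not part of the original messages or of the LEAF/Bering project: a consistency check for the layout discussed above, run on the state the thread started from (eth1 and eth2 both in 192.168.1.0/24) and on the layout from Eric's reply. The function names and the "before" interfaces text are assumptions, constructed from the addresses quoted in the thread.

```python
import ipaddress
import re

def parse_interfaces(text):
    """{iface: IPv4Interface} for static stanzas of /etc/network/interfaces."""
    ifaces, name, addr = {}, None, None
    for words in (line.split() for line in text.splitlines()):
        if words[:1] == ["iface"]:
            name, addr = (words[1] if words[-1] == "static" else None), None
        elif name and words[:1] == ["address"]:
            addr = words[1]
        elif name and addr and words[:1] == ["netmask"]:
            ifaces[name] = ipaddress.ip_interface(f"{addr}/{words[1]}")
    return ifaces

def parse_dhcp_ranges(text):
    """[(start, end)] for each dhcp-range=start,end[,lease] line of dnsmasq.conf."""
    found = re.findall(r"^\s*dhcp-range=([\d.]+),([\d.]+)", text, re.M)
    return [(ipaddress.ip_address(s), ipaddress.ip_address(e)) for s, e in found]

def check(interfaces_text, dnsmasq_text):
    """Return a list of problems; an empty list means the two files agree."""
    ifaces = parse_interfaces(interfaces_text)
    names, problems = sorted(ifaces), []
    for i, a in enumerate(names):          # every pair of interfaces
        for b in names[i + 1:]:
            na, nb = ifaces[a].network, ifaces[b].network
            if na.overlaps(nb):
                problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    for start, end in parse_dhcp_ranges(dnsmasq_text):
        # A pool should fall inside exactly one interface's subnet.
        owners = [n for n in names
                  if start in ifaces[n].network and end in ifaces[n].network]
        if len(owners) != 1:
            problems.append(f"dhcp-range {start}-{end} matches {owners or 'no interface'}")
    return problems

# Constructed from the addresses in the original post's `ip addr show` output.
BEFORE_IFACES = """
iface eth1 inet static
    address 192.168.1.254
    netmask 255.255.255.0
iface eth2 inet static
    address 192.168.1.100
    netmask 255.255.255.0
"""
BEFORE_DNSMASQ = "dhcp-range=192.168.1.1,192.168.1.199,12h\n"
# Eric's suggested layout: eth2 moved to 192.168.2.0/24 with its own range.
AFTER_IFACES = BEFORE_IFACES.replace("192.168.1.100", "192.168.2.254")
AFTER_DNSMASQ = BEFORE_DNSMASQ + "dhcp-range=192.168.2.1,192.168.2.199,12h\n"

if __name__ == "__main__":
    print(check(BEFORE_IFACES, BEFORE_DNSMASQ))
    print(check(AFTER_IFACES, AFTER_DNSMASQ))
```
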

No DHCP address to the DMZ :-( Solved!!!
2006-12-23 21:32:53

Hi folks,

Yippee!!! That solved it!!! Thank you Eric, KP, and Brett.

One final question, if I may. Rather than having my wireless router "hanging
out there as the proverbial low hanging fruit", I'd like to "protect" it
just like my internal LAN.

Which shorewall config settings of the LAN do I need to duplicate for the
DMZ to achieve this???

Thank you all for your continued help!

Craig