Navigation

dimas · #1 25th December 2007, 13:28

I'm an old and faithful user of ispconfig, and I've also changed a number of ISPs over the years - and I've never come across anything that wasn't pretty simple and straight-forward to configure.

My new ISP, however, is something that I can't talk about without using swear words. It's tech support is virtually nonexistent. Oh yes, they can answer simple questions about configuring an Internet connection on a windows computer, but if the question is slightly off the beaten track, they are stumped. They have just one administrator (who presumably is the only person responsible for the whole setup), but he's almost like a mythical being that simply can't be reached. He's the kind of person that "has just come out" or "is not available today" whenever I call. I've tried to catch him for three days, without luck.

I'm writing this here with just one purpose - to explain why I can't get support from my ISP and why I have to ask for your advice here.

Well, here is the problem.

Understandably, I need external IPs for my ISPConfig server, so I ordered a sub-net of 16 external IPs from my ISP. At the time I thought that I would be able to simply make aliases in /etc/network/interfaces (I'm using Debian Etch & Perfect Setup), like this:

auto eth0
iface eth0 inet static
address xxx
netmask xxx
gateway xxx

auto eth0:0
iface eth0:0 inet static
address xxx
netmask xxx
gateway xxx

No way, my new ISP has a very strange system of providing external IP addresses.

They say that I need a separate router computer with two network cards. The first card should have IP xxx.yyy.239.50 with netmask 255.255.255.252 & gateway xxx.yyy.239.49. This is the card where I need to plug in the network cable from the ISP. Then I need to connect the second network card to a switch and only then I'll able to connect my computer (or computers) to this switch. The given range of addresses for my computers was xxx.yyy.237.48 - xxx.yyy.237.63 with netmask 255.255.255.240.

Well, that's it. No more information. So I need your help to configure the router computer.

Here's my current interfaces file for the router computer:

-----------------------------------
auto lo
iface lo inet loopback

# This is where the ISP cable goes:
auto eth0
iface eth0 inet static
address xxx.yyy.239.50
netmask 255.255.255.252
gateway xxx.yyy.239.49

# To the switch:
auto eth1
iface eth1 inet static
address xxx.yyy.237.49
netmask 255.255.255.240
-----------------------------------

And here is the configuration of an ispconfig server plugged to a switch (with just one IP at the moment):

-----------------------------------
auto lo
iface lo inet loopback

# From the switch:
auto eth0
iface eth0 inet static
address xxx.yyy.237.50
netmask 255.255.255.240
gateway xxx.yyy.237.49
-----------------------------------

Of course, it doesn't work because as I understand I need to configure eth0 of the router computer to route traffic bound for the IPs in the range xxx.yyy.237.48 - xxx.yyy.237.63 to eth1 of the router computer and then to the switch. And I don't know how to do it.

Any help will be highly appreciated!

Hans · #2 25th December 2007, 16:07

Whell, the setup which your ISP advices, sounds rather weird to me.
In my opinion, what you descibed (adding extra lines to /etc/network/interfaces) is correct. And of course you must add the additional IP-addresses within ISPConfig as well under Management > Server > Settings > IP-list.

dimas · #3 25th December 2007, 16:40

Yes, it is definitely a weird setup... But according to the ISP, the only one which is possible with them. I'm still unsuccessfully trying to get in touch with their administrator...

Merry Christmas to you!

falko · #4 26th December 2007, 09:57

Quote:

Originally Posted by dimas

And here is the configuration of an ispconfig server plugged to a switch (with just one IP at the moment):

-----------------------------------
auto lo
iface lo inet loopback

# From the switch:
auto eth0
iface eth0 inet static
address xxx.yyy.237.50
netmask 255.255.255.240
gateway xxx.yyy.237.49
-----------------------------------

Of course, it doesn't work because as I understand I need to configure eth0 of the router computer to route traffic bound for the IPs in the range xxx.yyy.237.48 - xxx.yyy.237.63 to eth1 of the router computer and then to the switch. And I don't know how to do it.

Any help will be highly appreciated!

Can you try and add this line:

Code:

up route add -net xxx.yyy.237.48 netmask 255.255.255.240 gw xxx.yyy.237.49 eth0

at the end of the file and restart the network?

dimas · #5 5th January 2008, 14:22

Dear Falko, thank you very much for your suggestion, now from eth1 of the router-computer I can ping the whole world, like this:

ping -I eth1 216.109.112.135

that's yahoo.com

to achieve this, I added this line at the end of the router-computer 'interfaces' file:
up route add -net xxx.yyy.237.48 netmask 255.255.255.240 gw xxx.yyy.237.49 eth1

(the only change from your suggestion was to write eth1 instead of eth0, it also works if eth1 is not there at all)

now, however, there is a question how to share this connection with the ISPConfig server (or any other computer attached to the switch, for that matter).

I have a shell script that is used for sharing an Internet connection that should be run on a router computer (well, I actually found this script on the Internet, my ISP is still not helpful at all). BUT - it uses NAT. And my ISP can only say that the connection sharing should NOT use NAT (by the way, that's the reason I can't use a regular router - NAT can't be turned off on the router that I have).

So I guess that in order for everything to function I need to 'exclude' NAT from the following script:

------------------------------------
#!/bin/sh

echo -e "\n\nSETTING UP IPTABLES PROXY..."

INTIF="eth1"
EXTIF="eth0"
EXTIP="xxx.yyy.239.50"

echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " External interface: $EXTIF"
echo " External interface IP address is: $EXTIP"

echo " Loading proxy server rules..."

iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e " Proxy server rule loading complete\n\n"
------------------------------------

I tried commenting out a few lines in this script and finally got a connection on a second computer - but it was mostly a wild goose chase because I'm not completely sure what relates to NAT in the script and what is not.

So if you could spare me a little of your time I would highly appreciate your advice about what is to be left out (or maybe added) to this script.

As a result I hope to be able to configure the ISPConfig server with all the external IPs, from xxx.yyy.237.50 to xxx.yyy.237.63

Thank you!

dimas · #6 6th January 2008, 11:17

Well, I have finally made it work. Everything works if the script looks like ths (it works even without the 'up route' command I spoke about earlier):

------------------------------------
#!/bin/sh

INTIF="eth1"
EXTIF="eth0"
EXTIP="xxx.yyy.239.50"

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD

iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

------------------------------------

There is one interesting thing, however. It so happened that the router computer I was using was also an ISPConfig server. Well, I tried the following setup and pulled all the cables except for the one coming from the ISP:
-----------------------------------
auto lo
iface lo inet loopback

# This is where the ISP cable goes:
auto eth0
iface eth0 inet static
address xxx.yyy.239.50
netmask 255.255.255.252
gateway xxx.yyy.239.49

# Leading nowhere now:
auto eth1
iface eth1 inet static
address xxx.yyy.237.49
netmask 255.255.255.240

auto eth1:0
iface eth1:0 inet static
address xxx.yyy.237.50
netmask 255.255.255.240

auto eth1:1
iface eth1:1 inet static
address xxx.yyy.237.51
netmask 255.255.255.240
...
etc for the rest of the IPs
-----------------------------------

Then I tried to add some sites via ISPConfig - and I found out that all the IPs xxx.yyy.237.49 - xxx.yyy.237.62 were accessible from the outside, and the sites worked! What's more, they worked even without the shell script displayed at the beginning of this post!

Now, however, there is another problem. There is no outbound Internet on the server. It's because the connection with a gateway is eth0, and I can't even ping anything with it, but I can ping everything with eth1, eth1:0 etc - but eth1, eth1:0 etc have no gateway!

I really wonder if it's possible to make a connection without gateway a default Internet connection

Of course my idea behind this is to get rid of the switch and make the whole setup work on one computer.

I'm also thinking about another option - what if I insert a THIRD network adapter in the router computer and then it would receive Internet via eth1 and then switch? Will it work?

Navigation

Facebook

News

Recent comments

Newsletter