SCIENTIFIC-LINUX-USERS Archives

March 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: "Brown, Christopher A" <[log in to unmask]>
Reply To: Brown, Christopher A
Date: Fri, 31 Mar 2017 14:11:08 +0000

Hi James, and others,

On 03/31/2017 07:40 AM, James M. Pulver wrote:

> Shouldn't we all take a step back here and ask why your IT support isn't providing the resources you need to run the experiment? I certainly would not want a user to set up an ad-hoc linux router that they didn't really understand, and hook that to my network. I also wouldn't want WiFi interference from an ad hoc wifi access point potentially causing issues with users of the IT wifi service.
>
> All that "big picture" stuff set aside, it's not obvious to me if you can do this without either IT help or a local router and DHCP server, because at least for me, most Android tablets assume DHCP - I don't even know if I can manually set an IP address. I also don't know - can this unified remote product connect to a bare IP address, does it use broadcasts to find the server, do they use a cloud service in the background?
>

I can replace the switch with an edgerouter I have available. It was carelessness to write 'switch'. Anyway, that will give me dhcp, which seems to simplify my situation significantly.

As for IT, well, they have gone as far as OK'ing this project. They told me I could do it as long as I agree not to port-share (no switch or router on a university port).

I think I am getting closer to a solution. Plenty of helpful advice here, both technical and cautionary. I may go with what I think is a more conservative approach: only one network adapter, with internet access as typical. Then when it is time to run an experiment, I pull the cable, plug it in to the router, and open the ports I need.

Thanks everyone. I will let you all know if I have trouble.

Chris


> Again, if you're at home and want to play around with this, I think you can use the instructions here to potentially get it going. At work? I'd seriously make sure I'm not going to interact with the production network and cause a lot of unhappy people accidentally (accidental rogue DHCP server, incorrect routing broadcasts, wifi to nowhere or wifi interference depending on location, wifi range, configuration etc).
>
>
> James Pulver
> CLASSE Computer Group
> Cornell University
>

> On 03/30/2017 04:50 PM, David Sommerseth wrote:
>> On 30/03/17 22:22, Brown, Christopher A wrote:
>>> Hi David,
>>>
>>> On 03/30/2017 04:03 PM, David Sommerseth wrote:
>>>> On 30/03/17 20:53, Brown, Christopher A wrote:
>>>>> Hi list users,
>>>>>
>>>>> I am not a network administrator and know only a little bit about the topic. I need to set up a switch in my lab, so that I can have a wifi access point and an SL7 desktop computer on the same network, as I need to be able to connect to the pc using a tablet. My administrator does not allow switches to be on the network, so I need two network adapters on my desktop, one for internet, and one on the local switch.
>>>>>
>>>>> I tried a nominal setup at home first, with my home wifi access point, router/switch and using only a single adapter. I managed to open the required ports using firewalld, and my setup works great at home, where I can connect a tablet over wifi and access my desktop as I need. The only problem I see there is that the ports I opened are open to the world, but since that was temporary for testing, it was fine. They are now closed.
>>>>>
>>>>> I bought a usb ethernet adapter, which shows up as a network interface on my lab computer. I now need to configure my lab computer as follows. I would like the onboard network adapter to be the default (used for web browsing etc), and use default settings (public zone, etc). And I would like the new usb network adapter to have the required ports open, so that I can access that computer over wifi with my local switch.
>>>>>
>>>>> As I said, I have used firewall-cmd to open and close ports. I know a little bit, but not enough to accomplish what I describe above.
>>>>>
>>>>> Can anyone help with this? Just let me know if more information is needed.
>>>>
>>>> As you are not allowed to add a switch on your network, I do not recommend a bridged setup, where the "internet" interface you already have is joined together with the USB ethernet adapter. This would in effect function just like a switch managed by the Linux kernel.
>>>>
>>>> So you basically need to configure your computer as a router. There are a few steps needed to manage this.
>>>
>>> I don't think I explained my needs clearly. I don't need the tablet to have internet access, only to have access to the pc. So I don't (think I) need the pc to be a router. I just need it to be accessible by the tablet. I am using an android app called unified remote to access the pc, and there is a server app to install on the pc. The tablet will control experiments that will be running on the pc. That is the only access the tablet will need. I was hoping that by using two network interfaces, I could still access the internet from the pc as normal with the second interface.
>>
>> Ahh, in that case you can skip step 1) and 2), the rest is basically the same. You will however need to do something with the "option domain-name-servers" in the dhcpd.conf (try removing it). Then you need to use IP addresses to connect to your computer, using 192.168.33.1.
>>
>>
>> David S.
>>
>>

>>>>
>>>> 1) Enable IP forwarding. This is done through sysctl. To make it persistent you need to add the following setting into a file in /etc/sysctl.d (or just update the 99-sysctl.conf).
>>>>
>>>>      # sysctl net.ipv4.ip_forward=1
>>>>
>>>>
>>>> 2) Enable firewalling and NAT. You mention you've looked at firewall-cmd. My experience with that tool in a routing/gateway setup is not too ideal. But you need a few iptables rules. I will let you figure out how to do this via firewall-cmd.
>>>>
>>>> I will here presume your "internet" NIC is named eth0 and your USB interface is named usb0. I also presume usb0 is given the IP address 192.168.33.1/24.
>>>>
>>>>      # Allow traffic to be initiated from the USB interface to
>>>>      # anywhere else.  And allow established connections to
>>>>      # flow freely and unrestricted.
>>>>      # iptables -I FORWARD -i usb0 -m conntrack --ctstate NEW \
>>>>                 -j ACCEPT
>>>>      # iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
>>>>                 -j ACCEPT
>>>>
>>>>      # Enable NAT for the usb0 interface, restrict the NAT to
>>>>      # the 192.168.33.0/24 subnet
>>>>      # iptables -t nat -I POSTROUTING -o eth0 -s 192.168.33.0/24 \
>>>>                 -j MASQUERADE
>>>>
>>>> This masquerading will make all your devices connected to usb0 look like they are coming from your "internet connected computer".
>>>>
>>>> These rules will be wiped upon boot, so it is important you find a way how to make this persistent and activated at boot. On my SL/RHEL based firewalls, I don't use firewalld but have installed iptables-services which brings back the old iptables tools (so you can do: service iptables save). But be careful using iptables-services and firewalld at the same time - they will interfere with each other. (On non-firewalls/gateways/routers, I use only firewalld - which works fine in those roles)
>>>>
>>>>
>>>> 3) Configure the usb0 interface ... this is done through NetworkManager tools or /etc/sysconfig/network-scripts/ifcfg-usb0. For a minimal ifcfg-usb0 file you need something like:
>>>>
>>>>       DEVICE="usb0"
>>>>       TYPE="Ethernet"
>>>>       ONBOOT="yes"
>>>>       NOZEROCONF="yes"
>>>>       HWADDR="xx:xx:xx:xx:xx:xx"
>>>>       BOOTPROTO="static"
>>>>       IPADDR="192.168.33.1"
>>>>       PREFIX="24"
>>>>       NAME="usb0"
>>>>
>>>> See /usr/share/doc/initscripts-*/sysconfig.txt for more information about these sysconfig files.
>>>>
>>>>
>>>> 4) (optional) Configure a DHCP server to serve on usb0. This enables automatic network configuration of your clients connected to usb0. Without this, you need to resort to manually configuring each device.
>>>>
>>>> I like dhcpd, as that's what I've become used to. But dnsmasq can also do this job well.
>>>>
>>>> A very simple dhcpd.conf can be something like this:
>>>>
>>>>      ddns-update-style none;
>>>>      authoritative;
>>>>      group {
>>>>           option routers 192.168.33.1;
>>>>           option domain-name-servers 8.8.8.8;
>>>>
>>>>           subnet 192.168.33.0 netmask 255.255.255.0 {
>>>>                 range 192.168.33.100 192.168.33.199;
>>>>                 default-lease-time 86400;
>>>>           }
>>>>      }
>>>>
>>>> (this config is not tested, just something put together on-the-fly). See more details in /etc/sysconfig/dhcpd too.
>>>>
>>>> Be careful not to start dhcpd listening and responding to DHCP requests on your internet interface, that will make a lot of users complain. But unless the "subnet" section does not overlap with a subnet on your "internet" interface, you should be safe.
>>>>
>>>> Then it is just to start the dhcpd service.
>>>>
>>>>      # systemctl start dhcpd
>>>>
>>>>
>>>> This should in most cases get you started. And again, I have not tested this exact example - it is pulled together on-the-fly now for this e-mail. There might be silly mistakes or other kinds of typos here.
>>>>
>>>>
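As an added example (not code from the thread or from any of its posters), a small Python check for the kind of minimal dhcpd.conf David sketched above: it confirms that the range and router addresses fall inside the declared subnet and that the subnet does not overlap the internet-facing NIC's subnet, the overlap David warns would make other users complain. The sample config embedded below is constructed from the thread (with its range typo kept on purpose), and the upstream subnet passed in is an assumed placeholder.

```python
import ipaddress
import re

# Constructed sample: the dhcpd.conf sketched in the thread, with its
# typo left in ("92.168.33.199" is missing the leading "1").
SAMPLE_CONF = """\
ddns-update-style none;
authoritative;
group {
     option routers 192.168.33.1;
     subnet 192.168.33.0 netmask 255.255.255.0 {
           range 192.168.33.100 92.168.33.199;
           default-lease-time 86400;
     }
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
RANGE_RE = re.compile(r"\brange\s+(\S+)\s+(\S+)\s*;")
ROUTERS_RE = re.compile(r"option\s+routers\s+(\S+)\s*;")


def check_dhcpd_conf(conf, internet_subnet):
    """Return a list of problems; an empty list means the config looks safe."""
    problems = []
    m = SUBNET_RE.search(conf)
    if not m:
        return ["no 'subnet ... netmask ...' declaration found"]
    try:
        lab = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
    except ValueError as e:
        return [f"bad subnet declaration: {e}"]
    upstream = ipaddress.ip_network(internet_subnet, strict=False)
    # Overlapping the campus subnet is the rogue-DHCP case the thread warns of.
    if lab.overlaps(upstream):
        problems.append(f"{lab} overlaps the internet-side subnet {upstream}")
    # Every address dhcpd hands out or advertises must sit inside the subnet.
    for label, rx in (("range", RANGE_RE), ("routers", ROUTERS_RE)):
        found = rx.search(conf)
        if not found:
            continue
        for text in found.groups():
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                problems.append(f"{label}: '{text}' is not a valid IP address")
                continue
            if addr not in lab:
                problems.append(f"{label}: {addr} is outside {lab}")
    return problems
```

Call check_dhcpd_conf(SAMPLE_CONF, "<your onboard NIC's subnet>/24") before running systemctl start dhcpd; on the sample it reports that 92.168.33.199 lies outside 192.168.33.0/24, and with the corrected range it returns an empty list.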

