ISDN Gateway for Private Networks in SuSE Linux 8.0 or Higher

Support knowledgebase (isdn_masq80)
Applies to

SuSE Linux: Version 8.0

Situation

Your computer has an ISDN connection and you want to use it as an Internet gateway for your local network.

Procedure

Issues of this complexity exceed the scope of our free-of-charge installation support. These brief instructions are nevertheless intended to help you set up such a gateway.
Please note that this article cannot teach the basics of firewalls and system security. You can find reading material on these subjects, for example, on the website of our publishing house, "SuSE Press", at http://www.susepress.de/

SuSE shall not be liable for any damages caused to your data or to your local network by the utilization of a gateway.

Below is a step-by-step guide including some configuration tests.

Note:
In the following lines, the computer that will act as a gateway is known as gateway and the computers on your LAN are called clients.

  1. The gateway requires a network card and an ISDN card. Use YaST2 to configure these cards: YaST2 -> Network/Base -> ISDN configuration or YaST2 -> Network/Base -> Network card configuration. Configure the network card for the LAN first. Assign a static IP address to it.

    IP address: 192.168.0.1 Subnetmask: 255.255.255.0

    No changes are required in the host name or routing. Save the configuration.

    Note:
    If a local network is already available, select the IP address from it. We recommend using addresses from the 192.168 space for your local network. In this example, the IP addresses for the local network have been taken from the range 192.168.0.0 to 192.168.0.255.

    Network card test for the LAN

    Ping the newly configured network card with the command ping -c 2 192.168.0.1. The output will be similar to:

    	PING 192.168.0.1 (192.168.0.1) from 192.168.0.1 : 56(84) bytes of data.
    	64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.655 ms
    	64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.329 ms
    
    	--- 192.168.0.1 ping statistics ---
    	2 packets transmitted, 2 received, 0% loss, time 1008ms
    	rtt min/avg/max/mdev = 0.329/0.492/0.655/0.163 ms
    	

    If your output is not similar to this, something has gone wrong; repeat the configuration of the network card. You can abort the ping command at any time by pressing CTRL + C.

    Testing the connection to the LAN

    If the network card test has been successful, proceed to test whether the clients can be reached from the gateway. Use the command ping for this purpose. At least some clients should respond to the command ping -c 3 -b 192.168.0.255. The output should be similar to:

    	WARNING: pinging broadcast address
    	PING 192.168.0.255 (192.168.0.255) from 192.168.0.1 : 56(84) bytes of data.
    	64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.774 ms
    	64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=1.19 ms (DUP!)
    	64 bytes from 192.168.0.3: icmp_seq=1 ttl=255 time=1.30 ms (DUP!)
    	64 bytes from 192.168.0.4: icmp_seq=1 ttl=64 time=1.57 ms (DUP!)
    
    	--- 192.168.0.255 ping statistics ---
    	2 packets transmitted, 2 received, +3 duplicates, 0% loss, time 1010ms
    	rtt min/avg/max/mdev = 0.325/1.033/1.573/0.438 ms
    	

    As you can see, the machines with the IP addresses 192.168.0.1 (gateway) and 192.168.0.2 to 192.168.0.4 (clients) have replied. If you know the IP address of a client, you can ping it directly to test the connection.

    It is essential that the clients can be reached from the gateway and vice versa. If this connection does not work, you have to solve the problem within the LAN before trying to connect the LAN to the Internet.

  2. Configure the ISDN access on the gateway as described in the Basics manual, page 85. Do not activate the firewall. Please note that if Dial on Demand is activated, the gateway will set up a connection to the Internet as soon as the gateway or a client sends a request to the Internet. This is only advisable if you have a flat rate.

    Testing the connection to the Internet

    Test the Internet connection from the gateway. The command cinternet enables you to manually start (cinternet -start) or stop (cinternet -stop) the connection. Set up the connection, wait 30 seconds, and test it again with the command ping. For example, you can ping our web server www.suse.de with ping -c 4 www.suse.de. The output should be similar to:

    	 ping -c 4 www.suse.de
    	PING www.suse.de (213.95.15.200) from 217.225.119.194 : 56(84) bytes of data.
    	64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=1 ttl=251 time=23.9 ms
    	64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=2 ttl=251 time=23.7 ms
    	64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=3 ttl=251 time=24.0 ms
    	64 bytes from Turing.suse.de (213.95.15.200): icmp_seq=4 ttl=251 time=24.0 ms
    
    	--- www.suse.de ping statistics ---
    	4 packets transmitted, 4 received, 0% loss, time 3030ms
    	rtt min/avg/max/mdev = 23.775/23.941/24.035/0.184 ms
    	

    As above, it is essential that this connection works. Otherwise, you have to solve the problem with the Internet connection before trying to connect the LAN to the Internet.

  3. Now prepare the gateway to forward requests from the LAN to the Internet. The easiest way is to use the SuSE personal-firewall, a simple iptables-based packet filter that rejects all unauthorized packets from the Internet and is in charge of forwarding the requests from the LAN to the Internet. The configuration file of SuSE personal-firewall

    /etc/sysconfig/personal-firewall

    contains a configuration variable REJECT_ALL_INCOMING_CONNECTIONS. Edit this file as follows:

    REJECT_ALL_INCOMING_CONNECTIONS="ippp0 masq"

    In addition, you must inform the kernel that you want to be able to forward packets. To do this, edit the file

    /etc/sysconfig/sysctl

    by changing the variable IP_FORWARD to

    IP_FORWARD="yes"

    Finally, make sure that the SuSE personal-firewall is started when the gateway is booted. This can be done with the commands:

    insserv personal-firewall.initial
    insserv personal-firewall.final

    Execute the following commands to apply these settings without having to reboot first:

    	echo "1" > /proc/sys/net/ipv4/ip_forward
    	
    	rcpersonal-firewall start
    	

    Connection test to the Internet with the SuSE personal-firewall

    Launch the connection to the Internet with the command cinternet -start and test it with the command ping as described above.

  4. The last step consists of informing the clients that, from now on, the gateway will provide the Internet connections. On a SuSE Linux 8.0 client, this can be done by entering the gateway's IP address as standard gateway in YaST2 -> Network/Advanced -> Routing. In this case:

    Standardgateway: 192.168.0.1

    In addition, the clients must know how to contact a name server in order to resolve domain names into IP addresses. For this purpose, read the name servers from the file

    /etc/resolv.conf

    on the gateway during an Internet connection. In our example, we have used a T-Online name server. Enter the name server on the clients. For example, on SuSE Linux 8.0 clients: YaST2 -> Network/Advanced -> Host name and DNS. Host name and domain name do not have to be changed.

    Name server list: 217.89.23.137
    Domain search list: .de

    Connection test to the Internet from a client

    After having set the standard gateway and name server on the clients, test the connection to the Internet with the command ping as described above.

If all these tests have been successful, the clients are now ready to use the Internet connection provided by the gateway.
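
The settings from step 3 can also be checked with a small script before the LAN is connected. The following is an added example, not SuSE code or part of the original article: the function names are hypothetical, and it assumes only the file paths, variable names and values given above, with ippp0 as the interface facing the Internet.

```shell
#!/bin/sh
# Added example (not SuSE code): audit the gateway settings from step 3.

# Print the value of the last uncommented VAR=... line in a sysconfig file,
# without its surrounding double quotes.
sysconfig_get() {   # usage: sysconfig_get FILE VAR
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Succeed if WORD is one of the whitespace-separated words in LIST.
has_word() {        # usage: has_word LIST WORD
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# Check the three settings; print one line per problem, return the count.
check_gateway() {   # usage: check_gateway FW_FILE SYSCTL_FILE PROC_FILE EXT_IF
    problems=0
    reject=$(sysconfig_get "$1" REJECT_ALL_INCOMING_CONNECTIONS)
    for word in "$4" masq; do
        has_word "$reject" "$word" || {
            echo "FAIL: '$word' missing from REJECT_ALL_INCOMING_CONNECTIONS=\"$reject\""
            problems=$((problems + 1))
        }
    done
    [ "$(sysconfig_get "$2" IP_FORWARD)" = "yes" ] || {
        echo "FAIL: IP_FORWARD is not \"yes\" in $2 (forwarding will not be enabled at boot)"
        problems=$((problems + 1))
    }
    [ "$(cat "$3" 2>/dev/null)" = "1" ] || {
        echo "FAIL: $3 is not 1 (kernel is not forwarding right now)"
        problems=$((problems + 1))
    }
    return "$problems"
}

# Audit the real files named in the article only when called with --live.
if [ "${1:-}" = "--live" ]; then
    check_gateway /etc/sysconfig/personal-firewall /etc/sysconfig/sysctl \
        /proc/sys/net/ipv4/ip_forward ippp0 && echo "OK: gateway settings match step 3"
fi
```

Run it as root on the gateway with the argument --live; a non-zero exit status is the number of settings that differ from step 3.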


See also:
o DSL Gateway for Private Networks in SuSE Linux 8.0 or Higher
o ADSL Gateway for Private Networks

Keywords: ROUTER, GATEWAY, ISDN, I4L, MASQUERADING, FIREWALL, CLIENT, NETWORK, MTU, MRU

Categories: Configuration

SDB-isdn_masq80, Copyright SuSE Linux AG, Nürnberg, Germany - Version: 23. Jul 2002
SuSE Linux AG - Last generated: 23. Jul 2002 by ip (sdb_gen 1.40.0)