
proxy/filter/networking



My proxy/webfilter is running great. Just thought it might be better to have it set for all devices connected on my internet network, so that I don't have to set it up manually for every device. I have a Linksys WRT160N, and I read that the standard Linksys router software does not allow setting up a proxy, but that I need to use dd-wrt. I found an instruction on how to do it and it doesn't look that hard. But how smart is it to do? Cuz I always go by the saying for computer stuff: "don't fix what ain't broke". Or I could buy a second network card, have my internet connection on it so that I could filter/proxy it, and connect another router to it, and to the second router I could connect all my devices. Or something like that? Not too great in networking. That actually sounds better if it is possible, because I don't really like messing with router firmware if it's running fine.

 

So if I wanted to do it without messing with the firmware, I would probably want to set it up like this?

 

 

Downstairs(modem)-->router1--mypc(nic1)---proxy/filter-->mypc(nic2)--->router2(make this gateway for all connecting devices)

 

Does that sound correct? But I have no idea how I would be able to connect two NICs. Would have to do some research on that.

 

http://www.alternate...Netwerkadapters

http://www.alternate...+LAN&l3=Routers


When you say "router" are you actually routing between two networks, or is it acting as a hub?

 

I have a similar configuration in my home, the difference is that whilst my (NetGear) router acts as a wireless access point, it's my server that issues the IP (running DHCP on it) and also acts as the gateway/proxy. To achieve this, I have denied outbound traffic to port 80 from anywhere but my server, and instructed all client machines to use the server as a proxy.

 

I did this a number of years ago to prevent services "dialing home" - I could check the router logs to see what traffic had been denied, then whitelist specific sites on the server to permit them. As well as filtering out banners and popups, the other benefit of running all traffic through the proxy was the caching aspect - commonly-fetched files (masthead images, forum stylesheets, etc) would only be fetched once and retained for all machines on the LAN to use.

 

To get back to your question: if you have two NICs in your machine, they will appear as "eth0" and "eth1" - you'll just need to assign IP addresses in different networks to them. It may help if you drew a network diagram showing the distinct networks with their IP ranges, so that it clarifies what domain each device belongs to, and thus assign IPs correctly. (For an example of some, try this site - "rate my network diagram".)

 

Note that it *is* possible to have everything coming off one router, just that your gateway will need two IP addresses bound to the single card (eth0 and eth0:1), with the modem being on one range and other machines being on another - your single physical network will contain two logical networks, with the device IPs determining which they belong to. It is a simpler model and involves less cabling, but also means reduced security in some regards, so you'll need to add filtering rules to the modem to permit traffic from the gateway machine and deny all else.

 

Hope that helps, but ultimately what you're after IS possible. It's more a matter of how you go about it.


I think, as I understood from your explanation, more as a hub, because I only have one network at home. Basic idea is I want all internet traffic on my network getting filtered first. If I am able to do that with one router (my current one) and just have to purchase a NIC, the better. What I don't understand is how I can filter/proxy all my internet traffic using two NICs and then reroute it back to my router?

 

Current setup:

Modem (ISP device) connects to my WRT160N (4 ports + 1 internet port); the 4 other ports connect to my pc/other pc/laptop.

 

If I want internet traffic going through my pc (proxy/filter first), then going through nic2 and going into my router again, so that internet traffic is filtered?

 

It would be setup like this if I understand you correctly: isp modem---router wan(wlan/lan)---nic1-filter/proxy--nic2 --- and then back to router?

 

But what I don't understand is that my second NIC (nic2) would then connect to a normal LAN port, which would have no effect on the other 3 LAN ports.

 

So how then would I be able to do it without a second router? Or are you saying that I should get a hub or switch instead of a second router?

But I also want to keep my wireless router connection and have that filtered.

 

 

 

http://www.alternate...bs+%26+Switches


It would be setup like this if I understand you correctly: isp modem---router wan(wlan/lan)---nic1-filter/proxy--nic2 --- and then back to router?

No. Either have:

- two switches, one on each NIC, with the gateway sitting between them (two physically separate networks)

- one switch connected to the gateway NIC but with two IP addresses on that NIC (two logical networks).

 

That way traffic can be filtered through the gateway.

 

The former means that devices on the LAN side are completely separated and are "forced" to pass through the gateway.

 

The latter (my model) means that devices on the logical LAN are still physically connected to external-facing devices, but the IP ranges mean that the internet link is invisible to them - they need to route through my server to reach "outside".

 

I'll knock up a network diagram to illustrate what I mean.


ok cool :) thanks a lot mate! I think I'll go for the second one, cuz it's a cheaper option. Means I'll only have to buy a switch :)

 

logical networks is network-aliasing right? also mentioned here under networking aliasing section


logical networks is network-aliasing right?

Well, network-aliasing is more "IP multiplexing" but it's creating another logical network within a physical network. You can have several logical networks within a physical one without doing network aliasing, but if you want a machine to see more than one network you'll need to do aliasing.


logical networks is network-aliasing right?

Well, network-aliasing is more "IP multiplexing" but it's creating another logical network within a physical network. You can have several logical networks within a physical one without doing network aliasing, but if you want a machine to see more than one network you'll need to do aliasing.

 

I think I would go for the cheaper one, which is the second. But what are the main differences between the two?

- two switches, one on each NIC, with the gateway sitting between them (two physically separate networks)

- one switch connected to the gateway NIC but with two IP addresses on that NIC (two logical networks).

 

One having more security and one having less cabling?


Wait, that diagram wouldn't make sense cuz a network card only has one physical port. Then it would be my router connecting to a different port on the switch, right?

Like this then?

 

sketch2.jpg


logical networks is network-aliasing right?

Well, network-aliasing is more "IP multiplexing" but it's creating another logical network within a physical network. You can have several logical networks within a physical one without doing network aliasing, but if you want a machine to see more than one network you'll need to do aliasing.

 

I think I would go for the cheaper one, which is the second. But what are the main differences between the two?

- two switches, one on each NIC, with the gateway sitting between them (two physically separate networks)

- one switch connected to the gateway NIC but with two IP addresses on that NIC (two logical networks).

 

One having more security and one having less cabling?

 

Yes, but also that the first option will involve two physically-separate switches/hubs, so more cabling and higher expense.


Correct - physically, ALL machines would connect to the switch, but the modem and first IP address of the gateway will be on one network range, the other machines (and second IP of the gateway) will be on another range.

 

Although it looks like any machine can connect out directly through the modem, it will only listen to requests made from the gateway machine, so traffic will have to flow through that.


Correct - physically, ALL machines would connect to the switch, but the modem and first IP address of the gateway will be on one network range, the other machines (and second IP of the gateway) will be on another range.

 

Although it looks like any machine can connect out directly through the modem, it will only listen to requests made from the gateway machine, so traffic will have to flow through that.

 

Sounds like a plan. So I'll do the second option cuz it's cheaper and since I have a limited amount of space. Will order the switch, then do some research and see how far I get. I already have my internet forced to go through my proxy and being filtered by DansGuardian. So I did these changes to my iptables

 

Actually fun trying to plan out what I'm going to do and then how I can put it into home production and then continue building from there where it comes of use :)

Look forward to it.


I found out how to set up two IPs on one NIC. Doesn't look too hard. I don't know much about networks/subnet masks etc., so will have to do some research on that too. Hardest part will be configuring my firewall.


UMLet, or ArgoUML I've used for diagrams. I've also tried Dia too.

 

OpenDraw is the OpenOffice version of "Visio", and it produced some pretty good diagrams for me.


I don't know much about networks/subnet masks etc., so will have to do some research on that too.

Use a private network range, either:

10.x.y.z (netmask 255.0.0.0) - Class A

172.16 - 172.31.x.y (netmask 255.255.0.0) - class B - 65000-odd hosts

192.168.x.y (netmask 255.255.255.0) - class C - 253 hosts

 

 

Most networks are on 192.168.0 - I'd advise changing the third octet (1-254); I've configured a friend's network to use 192.168.200.x (netmask 255.255.255.0).

 

My work I configured on 172.16 (LAN), 172.20 (segregated training LAN) and 172.17 as the backbone between LAN and routers (DMZ).

 

My home network uses 172.16/255.255.0.0; I use the third digit as an indication of the node use (200 = servers, 100 = clients) but I don't have 65000 hosts so I may reduce it to a class-C network when I redo my networking.

 

Hardest part will be configuring my firewall.

Having a decent diagram to describe your setup helps tremendously. I've advised many friends to begin documenting their home networks - it reduces a lot of troubleshooting time.


Thanks for the advice. Once I get my switch, I'll see how far I'll get on my own. Yeah, you've taught me that from the beginning here that documenting is important. So I always keep that in the back of my head now, that I need to take notes on what I do :)


My situation is kind of different, cuz I don't have my own house. I have my own internet connection and it comes in through a phone line and connects to my ISP box.

 

TG789v2.jpg

 

I pulled a network cable all the way up to my room and have that cable plugged into LAN port 1 of my ISP box.

In my room I have a router, a WRT160N.

 

brezzicni_usmerjevalnik_wl_linksys_wifi_wrt160n_ee.gif

 

The network cable coming from my ISP box that I pulled up to my room, I put in the internet port of my router. And I connect my pc with a cable to this router, and I use the wireless for my laptop.

 

WRT160N: 192.168.1.1

ISP Box: has a different ip

 

So I could just use my router as a switch?

But I don't get how that would work without a switch? That'd be great though if I didn't even have to purchase a separate switch.

 

ISP-Box-->connected to RouterWan(192.168.1.1)(1 2 3 4), 1 connected to my nic(ip1:192.1.1.2) connected to nic(ip2:10.0.0.1) but how does it get rerouted to ports 2 3 4+wlan?


ports 1-4 are the switch on your router.

 

The DSL part is the phone point that connects out to the world.

 

(I think...)

 

ISP-Box(connects to phoneline for outside world)(gives an ip to router wan port via LAN1 in isp box)--> (192.168.1.1)(1 2 3 4), 1 connected to my nic(ip1:192.1.1.2) connected to nic(ip2:10.0.0.1) but how does it get rerouted to ports 2 3 4+wlan so that my pc acts as a proxy?

 

 

What you said about two IPs on one network card is done like this, right?


ports 1-4 are the switch on your router.

 

The DSL part is the phone point that connects out to the world.

 

(I think...)

 

ISP-Box(connects to phoneline for outside world)(gives an ip to router wan port via LAN1 in isp box)--> (192.168.1.1)(1 2 3 4), 1 connected to my nic(ip1:192.1.1.2) connected to nic(ip2:10.0.0.1) but how does it get rerouted to ports 2 3 4+wlan so that my pc acts as a proxy?

okay - it looks like you're running two networks together already - I think we need a network diagram to clarify this.

 

What you said about two IPs on one network card is done like this, right?


Current Setup

 

hand-sketch2.jpg

 

 

This next sketch doesn't make sense to me, but is that the idea I'm getting of what you were talking about?

How does traffic get rerouted to ports 2 3 4 on my router if the network card only has 1 physical port?

 

 

hand-sketch.jpg


okay.. I was thinking that your ISP box *could* plug directly into port 1 and have NIC1 on port 2.

 

You then have your IP-facing IP address (11.22.33.44 or so) on eth0 and your private IP (192.168.1.2) on eth0:1.

 

Any machines plugged into port 3 & 4 on your switch will need to obtain a 192.168.1 IP and be told that 192.168.1.2 (your machine) is the proxy.

 

However, this is a somewhat dangerous setup because it will have *all* machines potentially internet-facing, and one wrong IP change could expose something unprotected.

 

Is there a firewall on the ISP box ?
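As an added example (not from the thread and not either poster's configuration): a Python check of the private-range advice given earlier and of the single-NIC layout described just above, where one card carries two addresses (eth0 towards the modem, eth0:1 towards the LAN). All ranges and addresses are constructed sample values; the modem-side range 11.22.33.0/24 is assumed around the "11.22.33.44 or so" address, and the exposure check flags the case the reply warns about, a client that ends up with a modem-range address.

```python
import ipaddress

# Added example (not the thread's own configuration): a sanity check for the
# "two logical networks on one physical switch" plan, where the gateway PC has
# one NIC carrying two addresses (eth0 towards the modem, eth0:1 towards the LAN).
# Every range and address here is a constructed sample value.

RFC1918_BLOCKS = {
    "10.0.0.0/8": "class A (10.x.y.z)",
    "172.16.0.0/12": "class B (172.16 - 172.31.x.y)",
    "192.168.0.0/16": "class C (192.168.x.y)",
}


def private_range_info(network):
    """Say which RFC 1918 block a range falls in and how many usable hosts it has.

    Returns None when the range is not private, which the thread advises against
    for the LAN side.
    """
    net = ipaddress.ip_network(network, strict=False)
    for cidr, label in RFC1918_BLOCKS.items():
        if net.subnet_of(ipaddress.ip_network(cidr)):
            # usable hosts exclude the network and broadcast addresses
            return {"block": label, "usable_hosts": net.num_addresses - 2}
    return None


def check_plan(modem_net, lan_net, gw_modem_ip, gw_lan_ip, clients):
    """Validate the single-NIC layout and return a list of problems (empty = OK).

    modem_net   range shared by the ISP box and the gateway's eth0 address
    lan_net     range for the other machines and the gateway's eth0:1 address
    gw_modem_ip gateway address on eth0
    gw_lan_ip   gateway address on eth0:1 (what the clients use as proxy)
    clients     addresses of the other machines plugged into the same switch
    """
    mnet = ipaddress.ip_network(modem_net, strict=False)
    lnet = ipaddress.ip_network(lan_net, strict=False)
    problems = []
    if mnet.overlaps(lnet):
        problems.append("modem and LAN ranges overlap, so routing between them is ambiguous")
    if private_range_info(lan_net) is None:
        problems.append(f"LAN range {lnet} is not an RFC 1918 private range")
    for name, ip, net in (("eth0", gw_modem_ip, mnet), ("eth0:1", gw_lan_ip, lnet)):
        addr = ipaddress.ip_address(ip)
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"gateway {name} address {addr} is not a usable host in {net}")
    # The risk raised in the thread: all machines share the wire, so a client that
    # ends up with a modem-range address talks past the gateway and is internet-facing.
    for ip in clients:
        addr = ipaddress.ip_address(ip)
        if addr in mnet:
            problems.append(f"client {addr} sits in the modem range and bypasses the gateway")
        elif addr not in lnet:
            problems.append(f"client {addr} is in neither range and cannot reach the proxy")
    return problems


if __name__ == "__main__":
    print(private_range_info("192.168.200.0/24"))
    print(check_plan("11.22.33.0/24", "192.168.1.0/24", "11.22.33.44",
                     "192.168.1.2", ["192.168.1.10", "11.22.33.50"]))
```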


okay.. I was thinking that your ISP box *could* plug directly into port 1 and have NIC1 on port 2.

 

You then have your IP-facing IP address (11.22.33.44 or so) on eth0 and your private IP (192.168.1.2) on eth0:1.

 

Any machines plugged into port 3 & 4 on your switch will need to obtain a 192.168.1 IP and be told that 192.168.1.2 (your machine) is the proxy.

 

However, this is a somewhat dangerous setup because it will have *all* machines potentially internet-facing, and one wrong IP change could expose something unprotected.

 

Is there a firewall on the ISP box ?

 

I think so. I'd have to check that. I'll look it up. But when I set up port forwarding on the box it doesn't even work. Called the ISP and they don't support port forwarding. They just provide internet. Anything other than that they don't support.

It's a worthless piece of shit.


I checked online and it said that it has a firewall but that you can't turn it off. You can forward ports, but I tried it and no matter how you do it the forwards don't work.

But I will be able to check it for sure once I get home this evening.


okay.. I was thinking that your ISP box *could* plug directly into port 1 and have NIC1 on port 2.

 

You then have your IP-facing IP address (11.22.33.44 or so) on eth0 and your private IP (192.168.1.2) on eth0:1.

 

Any machines plugged into port 3 & 4 on your switch will need to obtain a 192.168.1 IP and be told that 192.168.1.2 (your machine) is the proxy.

 

However, this is a somewhat dangerous setup because it will have *all* machines potentially internet-facing, and one wrong IP change could expose something unprotected.

 

Is there a firewall on the ISP box ?

 

I could try it but then I don't understand how I would have internet?

 

hand-sketch3.jpg

 

Do you mean that because my ISP box is connected to port 1 and my NIC to port 2, in order to get internet, ports 3 and 4 would have to go through port 2 first, which is (x.x.x.x and 192.168.1.2), also being my proxy?

nic:ip1 talking to port 1 (connected to internet) and nic:ip2 talking to ports 3 and 4 on my router?

 

But wouldn't this be much easier by just adding a second network card in my pc?

 

hand-sketch4.jpg


I'm starting to get more and more lost with this whole networking thing. I've been trying to think it out using the sketches I made and rereading the posts you made, but I still don't quite understand.

 

Had a talk with a colleague and he explained some things. Gonna think it through this evening and post.


I thought through what you said and as far as my understanding goes it wouldn't work. I'll have to write it out cuz I don't have a scanner here.

 

ISP box--connects to port 1 on router, port 2 on router connects to nic:ip1, connects to nic:ip2. The problem with this is my router is running DHCP, and it gives the IPs to the four ports through the internet port. So in this case only port 1 on the router would get an IP. If I then connected port 2 to my NIC, I wouldn't get an IP and have no internet connection, and my internet traffic wouldn't get filtered/proxied.

 

I thought well then I could do it like this:

 

ISP box--connects to internet port of router, then router gives ports 1-4 an IP, and I can connect port 1 to my NIC. The problem with this is the router is giving IPs to all four ports. So traffic isn't getting filtered and not going through a proxy.

 

The only logical solution I found is the following with 2 NIC's:

 

ISP box--connects to NIC1(192.168.2.254), is bridged/connects to NIC2(10.0.0.1). In between here traffic gets proxied/filtered. I also run a DHCP service on the machine and connect NIC2 to port 1 on the router. Port 1 gets an IP (10.0.0.100) from my DHCP service. Also ports 2 3 4. And I shut off the DHCP on my router so it now acts like a switch. Now my traffic is proxied/filtered. Only I see 2 things that concern me. 1 is that I'm not sure wlan would be filtered? And two is my pc would be directly connected to the ISP box. How safe is this? I went into the interface of my ISP box. I couldn't find anything of a firewall, but I read on the net it's built in and you can't turn it off. So I would think it wouldn't be too much of a problem. Port forwarding doesn't seem to work on it. I could try it again though. And lastly, I don't see how it could be possible with only one NIC even if it has two IPs? That's how a colleague of mine explained it to me. I have thought it through like 100 times, and this is the conclusion I came to. I don't think running a DHCP service would be too hard I suppose. So then if my pc would be directly connected to my ISP box and run DHCP, it would be functioning just as a router.

 

What do you think of my brainstorming and conclusions on this?

 

 

And about me not liking my own pc connected directly to the internet, I was thinking the following. I'm hobbying/learning a lot with this so I might as well invest some in it because it's worth it. So I was thinking of maybe buying a server at the end of the year (adding a network card) and then using it as a proxy/filter/gateway for my private network. That way I keep my desktop as a desktop and have my server to control my network, and I'll learn from it and enjoy it :) And I'll have a nice starter's home network setup and can experiment more. How does that sound?


And about me not liking my own pc connected directly to the internet, I was thinking the following. I'm hobbying/learning a lot with this so I might as well invest some in it because it's worth it. So I was thinking of maybe buying a server at the end of the year (adding a network card) and then using it as a proxy/filter/gateway for my private network. That way I keep my desktop as a desktop and have my server to control my network, and I'll learn from it and enjoy it :) And I'll have a nice starter's home network setup and can experiment more. How does that sound?

 

That sounds like an interesting idea. My server on my local network serves both my public website to anyone who visits it, but it also acts as DHCP server, DNS server and provides a few other services for the local network only. It sounds like a great way to learn. :)


Yup - hunting around for some decent diagramming tool to draw a few net diags. Annoyed I don't have one to hand...

 

ah ok cool

 

I did a bit of searching and someone on another site recommended these two:

 

http://projects.gnome.org/dia/

ftp://ftp.x.org/contrib/applications/drawing_tools/xfig/
