peasth...@shaw.ca wrote:
> Bob Proulx wrote:
> > So dalton has address 172.24.2.1 in the RFC1918 private address space.
>
> Dalton has external address 142.103.107.137 and several internal addresses
> including 172.24.2.1.
>
> Here is an old sketch. Dalton is on the left. We're not concerned with
> Joule.
> http://members.shaw.ca:80/peasthope/Network.jpg
Excellent diagram! Thank you very much for sharing it.

> Until my current tinkering, Carnot and Dalton were both connected to the
> network through an old Allied Telesis CentreCOM 3612TR not in the sketch.
> The current objective is to eliminate the 3612TR and route to Carnot through
> Dalton. Two benefits: less machinery running; faster communication to
> Dalton.

The 3612TR is 10BASE-T. And it is a hub instead of a switch too. Good box in its day though.

> > If you want a point to point network between two machines on a
> > crossover cable then both hosts should be on the same subnet.
>
> "Both ends of a cable must be on one subnet." is an axiom of networking?
> That's crucial.

Yes. Keep both ends of the cable on the same subnet.

> > Instead define a subnet for both hosts and put each host on that subnet.
>
> For example, Carnot gets address 172.24.2.2 connecting to Dalton at
> 172.24.2.1.

Yes. Exactly.

> Still, the outside world expects to find Carnot at
> 142.103.107.138. Continued below.

I see and note that that address is one over from dalton's public IP address.

> > Is dalton a router on the public Internet? (It would help to know if
> > it is a WRT54G type of router or if it is a full functionality Debian
> > host.)
>
> Dalton is a Linux router running Debian Squeeze with public address
> 142.103.107.137.

Good to know. It opens up additional possibilities.

> The firewall will prevent a response by ping. "ssh 142.103.107.137"
> should indicate it exists.

Yes. Note that you can get one level lower and connect to the ssh port 22 directly. I like to use 'connect' but others will use 'nc' or 'socat' or other favorite tools. But everyone has telnet.

  $ telnet example.com 22
  Escape character is '^]'.
  SSH-2.0-OpenSSH_5.1p1 Debian-5

However to exit telnet you have to be able to read the message "Escape character is '^]'." and then type that in and then q or quit to get out. You would be surprised at how many times I have had people have trouble there.
So I like 'connect' which is 8-bit clean and can be interrupted.

  apt-get install connect-proxy

  $ connect example.com 22
  SSH-2.0-OpenSSH_5.1p1 Debian-5

> > Is carnot a machine on your private network that you want to
> > actually host the public Internet service (HTTP, SMTP, SSH)?
>
> Correct. HTTP & SSH are sufficient.

Oh good.

> > ... dalton that should get the public IP address. ... have it
> > port forward to carnot for the services that you want to host on
> > carnot.
>
> Dalton gets 142.103.107.138 while carnot has only a local address;
> neither machine uses 142.103.107.137.

The .137 is in the diagram as attached to dalton. I know you said that was an old diagram. But is that perhaps reversed with .138? It doesn't really matter since you know which is which but just trying to keep up here. I will make the assumption for now and move on.

> > There are several different ways. And each of them have
> > subtle things that if not configured correctly will cause things not
> > to work as desired.
>
> OK. It's a learning exercise for now.

There are two main directions that I would suggest, and one of those main directions has two sub-directions. (grin)

One way is to have dalton configured for *both* addresses and then tunnel the ports over to carnot through ssh. That has the advantage of being simple and easy to put together in parts. But the use of ssh isn't the most efficient and some people find ssh confusing.

Another way would be to use the Linux netfilter interface to port forward the desired ports. My favorite netfilter tool is Shorewall. Using the Linux netfilter with Shorewall seems the most attractive. But it can be the most confusing to debug and get working correctly so isn't the easiest either.

But I think you probably want a Proxy ARP configuration. Look at this documentation for one way of how to set this up.

  http://www.shorewall.net/shorewall_setup_guide.htm
  http://www.shorewall.net/ProxyARP.htm

Good luck!
I would be interested to know how this turns out.

Bob
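The "one level lower" check Bob describes, reading the SSH identification string off port 22 without the telnet escape-character trouble, written out as an added example (not Bob's own tooling and not part of the thread). It parses the banner into its RFC 4253 fields and, to run offline, talks to a loopback stand-in for sshd that replays the sample banner shown in the thread; the host, port and stand-in server are assumptions of the example.

```python
import socket
import threading

# Constructed sample, matching the banner line quoted in the thread
# (RFC 4253 identification string: SSH-<proto>-<software>[ SP <comments>]).
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"


def parse_ssh_banner(line):
    """Split one identification line into protocol, software and comment fields."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % text)
    ident, _, comment = text.partition(" ")
    _, proto, software = ident.split("-", 2)
    return {"protocol": proto, "software": software, "comment": comment}


def grab_banner(host, port, timeout=5.0):
    """Connect, read the first line the server volunteers, and hang up.

    Nothing is sent, so on the far side this is just an aborted handshake;
    OpenSSH logs it as 'Did not receive identification string from <addr>',
    which is also how you recognise such probes in your own auth log.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        line = sock.makefile("rb").readline()
    return parse_ssh_banner(line)


def _serve_once(banner):
    """Assumed loopback stand-in for sshd so the example runs offline; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


def demo_loopback():
    """Serve SAMPLE_BANNER on an ephemeral loopback port and read it back."""
    return grab_banner("127.0.0.1", _serve_once(SAMPLE_BANNER))


if __name__ == "__main__":
    print(demo_loopback())
```

Against a real host, call grab_banner("142.103.107.137", 22) from outside the firewall; a timeout or connection refusal answers the "does it exist" question just as the ssh attempt in the thread would.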