LAN Routing Basics

In this section, we’ll look at what a network admin will need to know to set up a local area network. Setting up a LAN with Linux is very simple these days. We can recall a time when the tools weren’t quite as mature as they are today, but Linux has come a long way in the last three or four years. Linux has always been very good at networking, but the set-up and configuration tools have gotten better over time.

Linux’s routing capabilities, however, have really come to the forefront in the 2.4.x kernel series. A lot of the more advanced capabilities aren’t necessary for simple LANs, though you might find the Netfilter framework makes life a lot easier in some ways.

Setting up the One-Part LAN

Setting up a one-part LAN is pretty easy, whether you have a router/gateway between one computer and the Internet or a router/gateway that sits between 100 computers and the Internet. As long as you don’t want to break your LAN into subnets, then your configuration is the same no matter how many clients live behind your router.

For simple LANs, all you’ll need to do is set up a box with IP Masquerading or possibly NAT. (For a full discussion on the differences between IP Masquerading and NAT see Chapter 14, “Security and NAT Issues.”)

For a simple one-part LAN that’s using IP Masquerading through a single router/gateway, there’s not a whole lot to setting up routing at all. Simply setting up IP Masq and IP Forwarding is all that it takes; the kernel does the rest automatically. Again, all that is covered in Chapter 14.

Static or Dynamic IP Addresses

One of the first issues you’ll have to deal with is whether to set up static or dynamic IPs for your hosts. If you have a very small LAN, fewer than 20 computers, then using static IP addresses won’t be too big a chore. As long as there aren’t too many hosts on your network, using static IPs is easier than setting up DHCP. If you can remember the names and IP addresses of every computer in your network, there’s no reason to fuss with DHCP.

On the other hand, if you find yourself adding new hosts to the network on a regular basis or have more than 20 or 30 machines, you’d probably save yourself some headaches by configuring a DHCP server. This is especially true if more than one person sets up new machines. Murphy’s Law will rear its ugly head if multiple folks are assigning static IPs at the same time. You can use your router as the DHCP server or use an old 486 or Pentium computer dedicated just to serving DHCP.

Some applications perform authentication using IP addresses. This is true of NFS, printing, mail transfer, and NAT, to name a few. If DHCP is improperly configured, it can cause major problems with printing, file sharing, and other tasks.

You can mix and match, though. If you have a few work areas for telecommuters who pay an occasional visit to the office, for instance, you can have DHCP set up for “visiting” computers while other hosts on the network have static IPs. In fact, in just about any office setting it’s probably a good idea to plan for the occasional visitor with a laptop who is going to need to plug it in to check email and whatnot.

Setting up DHCP is uniformly easy on client computers, whether you’re using Linux, Windows, MacOS, or one of the BSDs. We won’t go into setting up a DHCP server or client here given that most distros provide their own interfaces for configuring a DHCP service. Suffice it to say that it’s relatively easy.

Another benefit of DHCP is the fact that you can “recycle” IP addresses. By that we mean that you can use DHCP to maximize your available IP addresses by requiring machines to “lease” the IP addresses and put the IP addresses back in the pool after a set amount of time. This way, when a visiting manager plugs in a laptop and uses an IP address while in the office, the address will be reclaimed after they leave so that another machine can use it.

Don’t Make Your Router a Moving Target

Just in case this isn’t obvious, you don’t want to allocate a router’s IP address dynamically. For instance, if you’re going to use a private Class C network, give your router an IP such as 192.168.1.1—one that’s easy to remember while setting up new hosts. Things like routers, firewalls, mail servers, or NFS servers, should pretty much always have the same IP address.


Setting up a LAN with Subnets

If you’re dealing with subnets in your LAN, things are going to get a little more complicated, but not to worry—it’s still not that bad.

Considering that we’ve already covered the gory details of subnet mask math in Chapter 4, “IPv4 and IPv6 Addressing,” we won’t boggle your mind with it again here. (Okay, it’s actually not that hard, but anything that smacks of math makes some of our heads spin…)

We will, however, cover the differences between a single-sized subnet and a variable-sized subnet and reasons why you might want to work with subnets on your LAN. You’ll definitely want to have read through Chapter 4 if you don’t already have a strong grasp of IP addressing schemes.

IPv6

Because IPv6 is so rarely implemented, we’re not going to spend any time on discussing IPv6 subnetting here. Considering the abundance of IPv6 addresses, it might never be necessary to consider subnetting IPv6 addresses anyway—even if IPv6 does become commonly used.


Why Subnet?

Subnets are created for a number of reasons. Generally, subnets on a network exist because of physical and geographical logistics, to segregate internal networks, or to make the most of the IP address scheme.

We’ve already covered the physical and geographical logistics of networking earlier in the book; however, segregating networks for security is kind of a new topic. Protecting your data internally is just as important as protecting your data from outside threats. You wouldn’t leave the HR department’s personnel files unlocked in common hallways, would you? Of course not. So it sometimes makes sense to segregate your office’s LAN by department and use your router/firewall as a barrier to keep prying eyes from data they shouldn’t see. For instance, you might wish to create subnets on your network to separate your finance department from the rest of the office. Using ipchains or iptables you can set up rules that will filter certain types of traffic between subnets and possibly log any attempts that may raise eyebrows.

Note that two (or more) subnets can still share common resources. For instance, if you have a subnet for your finance department and a subnet for your graphic arts department, they could still share a networked color laser printer. Both ipchains and iptables allow you to set up access by source IP, destination IP, port, and protocol. The configuration options are nearly limitless, and once you’ve worked with the tools for a while, you’ll find that they’re very flexible and easy to use. We’ll talk more about both ipchains and iptables in Chapter 14.
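The Finance/graphic arts/printer arrangement described above, as an added example that is not from the book: a first-match rule list filtered by source IP, destination IP, protocol and port, plus the equivalent iptables commands. The addresses, the printer port (TCP 9100) and the log prefix are assumptions chosen for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the book): two /26 subnets
# of 192.168.1.0/24 plus a shared printer outside both departments.
FINANCE = "192.168.1.64/26"
GRAPHICS = "192.168.1.128/26"
PRINTER = "192.168.1.10/32"   # raw printing on TCP 9100 is assumed

# Ordered like a FORWARD chain, first match wins:
# (source, destination, protocol, destination port, action)
RULES = [
    (FINANCE, PRINTER, "tcp", 9100, "ACCEPT"),
    (GRAPHICS, PRINTER, "tcp", 9100, "ACCEPT"),
    ("0.0.0.0/0", FINANCE, None, None, "LOG_DROP"),  # nothing else reaches Finance
]

def decide(src, dst, proto, port, rules=RULES, default="ACCEPT"):
    """Action for the first packet of a connection (reply traffic is not modelled)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (s in ipaddress.ip_network(r_src) and d in ipaddress.ip_network(r_dst)
                and r_proto in (None, proto) and r_port in (None, port)):
            return action
    return default  # the chain's policy applies when no rule matches

def to_iptables(rules=RULES):
    """Render the same policy as iptables commands for the FORWARD chain."""
    cmds = []
    for src, dst, proto, port, action in rules:
        match = f"-A FORWARD -s {src} -d {dst}"
        if proto:
            match += f" -p {proto}"
        if port:
            match += f" --dport {port}"
        if action == "LOG_DROP":   # log first, then drop: LOG does not end traversal
            cmds.append(f"iptables {match} -j LOG --log-prefix 'finance-deny: '")
            cmds.append(f"iptables {match} -j DROP")
        else:
            cmds.append(f"iptables {match} -j {action}")
    return cmds

if __name__ == "__main__":
    for src, dst in [("192.168.1.70", "192.168.1.10"), ("192.168.1.130", "192.168.1.70")]:
        print(src, "->", dst, decide(src, dst, "tcp", 9100))
    print("\n".join(to_iptables()))
```

A production rule set would also accept reply packets for connections that were allowed, which this stateless model leaves out.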

Performance is one good reason to segregate into subnets. Let’s say you have a LAN with 100 clients. Because of the way that Ethernet works, if all 100 machines are on the same network, all traffic is essentially broadcast to all machines. This creates a high rate of collisions and slows network performance. By subnetting the network into, say, four equal subnets, you’ll drastically reduce the amount of network traffic being seen by each machine and boost network performance.

Subnets also allow segregation of your network to simplify administration issues. Each subnet, or group of subnets, can be administered by an admin or group of admins separately from other subnets. This simplifies administration issues in larger organizations where responsibility might occasionally be unclear.

For the purpose of examples in this chapter, we’ll look at subnetting a private Class C network. It is, however, also possible to subnet Class A or B networks—whether you’re using some of the private IP address ranges set aside in the RFCs or using a real range of IPs.

Single-Size Subnets

Single-size subnets exist when you divide up an IP range into equal-sized subnets. For instance, if you take a Class C network and divide it into four equal subnets, you would have four subnets that could each handle 62 hosts. In some cases you might want to split the network up into equal parts but reserve one subnet for future growth.

With a Class C addressing scheme you can have a network that consists of anywhere from 4 to 64 equal subnets. Though why anyone would want to administer 64 subnets with 2 hosts each is beyond us! But if you’re really weird or have really special needs (or both…), the option is there.

If you use a Class B addressing scheme you can split your network into anywhere from 4 equal subnets to, get this, 16,384 subnets. If you feel the need to administer 16,384 equal subnets of 2 hosts apiece, we advise that you seek professional help. More than likely, a Class C internal addressing scheme will be plenty for almost any corporation.

Variable-Sized Subnets

A variable-sized subnet is used when you need to break an address range into subnets of different sizes. For instance, in the previous example we divvied up a Class C range of IPs into eight subnets of equal size—that is, each subnet has an equal number of IP addresses. But, what if you need more IP addresses in the IT department’s subnet than in the Finance department’s subnet? You have all those extra servers, workstations and whatnot in that department, but only three people in Finance.

In this case, you would assign each subnet a different subnet mask that would depend on the number of hosts needed on each network. The subnet number would be varied to give as much or as little room necessary for hosts.
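Both kinds of split, single-size and variable-sized, worked through with Python's standard ipaddress module. This is an added example, not code from the book; the department names and host counts (other than the three people in Finance) are assumptions.

```python
import ipaddress

def equal_subnets(network, count):
    """Split `network` into `count` equal subnets (count must be a power of two)."""
    net = ipaddress.ip_network(network)
    bits = (count - 1).bit_length()
    if 1 << bits != count:
        raise ValueError("count must be a power of two")
    return list(net.subnets(prefixlen_diff=bits))

def prefix_for_hosts(hosts):
    """Longest IPv4 prefix whose usable host count (2**n - 2) still covers `hosts`."""
    host_bits = max((hosts + 1).bit_length(), 2)   # need 2**host_bits >= hosts + 2
    return 32 - host_bits

def allocate_vlsm(network, needs):
    """Give each department its own mask, placing the largest subnet first."""
    net = ipaddress.ip_network(network)
    cursor = int(net.network_address)
    plan = {}
    for name, hosts in sorted(needs.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        cursor = (cursor + size - 1) // size * size   # keep the block aligned
        block = ipaddress.IPv4Network((cursor, prefix))
        if not block.subnet_of(net):
            raise ValueError(f"{network} is too small for {name}")
        plan[name] = block
        cursor += size
    return plan

if __name__ == "__main__":
    # Single-size: four equal subnets of a Class C, 62 usable hosts each.
    for sub in equal_subnets("192.168.1.0/24", 4):
        print(sub, sub.netmask, sub.num_addresses - 2, "hosts")
    # Variable-sized: constructed host counts per department (assumption).
    needs = {"IT": 100, "Graphics": 25, "Finance": 3}
    for name, block in allocate_vlsm("192.168.1.0/24", needs).items():
        print(name, block, block.netmask, block.num_addresses - 2, "usable")
```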

Stub Network

When two variable-sized subnets are created, the subnet with fewer hosts is referred to as the “stub network.”

