Linux based n-way router?

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Fri Sep 24 16:54:22 UTC 2004


On Fri, Sep 24, 2004 at 08:09:32AM -0400, Scott Allen wrote:
> 
> The IS department of the company I work for is looking into revamping 
> our ancient network setup. They would like to put each department on 
> its own IP network (all private addresses). The department networks 
> would each be routed to a backbone network containing servers. The 
> department networks would be 100MB ethernet and the backbone would be 
> 1GB ethernet. There would also have to be some restricted access from 
> some department networks to others.
> 
> Rather than using individual routers for each network link, I've 
> suggested using a single box, with the required 5 to 8 ethernet 
> interfaces, to do all the routing and firewalling. I'm thinking that 
> this could be a linux based PC with one or two quad port ethernet 
> adapters. The ethernet adapters would only have to be 100MB if the 
> motherboard had a Gigabit interface.
> 
> I'm thinking of using Slackware Linux and the FireHOL iptables 
> generator script, since my experience with both has been quite 
> positive. FireHOL looks like it would make it easy to set up and 
> maintain all the "virtual" routers required (see: 
> <http://firehol.sourceforge.net/> ).
> 
> We would like to have all workstations configured from a DHCP server 
> (plus whatever Windows domain configuration is required) on the 
> backbone. This means the router would have to be a DHCP relay agent 
> (and more?).

It means running a dhcp server on each subnet (since that is the point
of separating them with a router).  dhcpd on linux can easily run
separate settings per interface so it could be a great dhcp server for
that use.

> Note that a separate router/firewall (possibly based on the same 
> software) would link the backbone servers to the real internet as 
> required.

Or it could be the same machine.  I can't see why having two machines
increases security.

> So, does this look to be possible and is it a good idea, or am I 
> crazy for suggesting it?
> 
> Has anyone attempted anything similar?

No, haven't attempted that myself, but it sure sounds perfectly doable.

A more common (and maybe cheaper in some cases) solution to getting many
subnets into one router, is to get a switch with vlan support, and then
run one subnet per port and set a vlan id on each port, and trunk them
to one port on which the linux box is connected with a single (maybe
gig) ethernet port which then has an ip assigned for itself on each
vlan.  This keeps the traffic from each subnet separated by the switch
from each other, but all the traffic makes it to the linux box if it has
to.  For a large number of subnets, a vlan enabled switch would be cheaper
than just buying lots of ethernet ports for the router.  And one gig
ethernet port can easily handle 10 or 20 100mbit subnets in general.
They aren't all going to be at 100% all the time after all.

> Any suggestions on what hardware would be required? There seems to be 
> a few sources of quad and 6 port ethernet adapters, and I've read 
> that at least Intel and D-Link ones have Linux drivers.

I think I have seen quad port cards advertised in Linux Journal.  They
certainly exist and some have linux drivers.  I believe most are
actually just one card with 4 ethernet chips, and since most common pci
ethernet chips work in linux, a quad port card ought to as well, but it
may not be quite that simple.

Lennart Sorensen
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
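The VLAN-trunk design described in the reply, as an added example (not code from the thread or from FireHOL): a small Python generator that turns a constructed department table into the ip(8) sub-interface commands for one trunk port, a dhcpd subnet stanza per VLAN, and a default-deny iptables FORWARD policy that permits department-to-backbone traffic plus the explicitly listed department-to-department exceptions the original question asks for. The trunk name eth0, the backbone network, the department VLAN ids and the allowed pair are all assumptions.

```python
"""Per-VLAN Linux router config generator (added example, constructed data).
One trunk port carries every department VLAN; the router owns .1 on each."""
import ipaddress

TRUNK = "eth0"  # assumption: the single gigabit port facing the VLAN switch
BACKBONE = ipaddress.ip_network("10.0.0.0/24")  # assumption: server network

# Constructed departments: name -> (802.1Q VLAN id, department subnet).
DEPTS = {
    "sales": (10, ipaddress.ip_network("10.10.0.0/24")),
    "eng":   (20, ipaddress.ip_network("10.20.0.0/24")),
    "hr":    (30, ipaddress.ip_network("10.30.0.0/24")),
}
# Constructed exceptions: (source dept, destination dept) allowed to talk.
ALLOWED = {("eng", "sales")}

def gateway(net):
    """Router address inside a department subnet: first usable host."""
    return net.network_address + 1

def vlan_commands(depts=DEPTS, trunk=TRUNK):
    """ip(8) commands creating one VLAN sub-interface per department."""
    cmds = []
    for _, (vid, net) in sorted(depts.items(), key=lambda d: d[1][0]):
        dev = f"{trunk}.{vid}"
        cmds.append(f"ip link add link {trunk} name {dev} type vlan id {vid}")
        cmds.append(f"ip addr add {gateway(net)}/{net.prefixlen} dev {dev}")
        cmds.append(f"ip link set {dev} up")
    return cmds

def dhcpd_conf(depts=DEPTS):
    """One dhcpd subnet stanza per VLAN; dhcpd binds each to its interface."""
    out = []
    for _, (vid, net) in sorted(depts.items(), key=lambda d: d[1][0]):
        hosts = list(net.hosts())  # leave .1-.9 free for router/static hosts
        out.append(f"subnet {net.network_address} netmask {net.netmask} {{\n"
                   f"  range {hosts[9]} {hosts[-1]};\n"
                   f"  option routers {gateway(net)};\n}}")
    return "\n".join(out)

def forward_rules(depts=DEPTS, allowed=ALLOWED, trunk=TRUNK):
    """FORWARD chain: drop by default, allow dept->backbone and listed pairs."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for _, (vid, net) in sorted(depts.items(), key=lambda d: d[1][0]):
        rules.append(f"iptables -A FORWARD -i {trunk}.{vid} -s {net} "
                     f"-d {BACKBONE} -j ACCEPT")
    for src, dst in sorted(allowed):  # only explicitly permitted dept pairs
        (svid, snet), (dvid, dnet) = depts[src], depts[dst]
        rules.append(f"iptables -A FORWARD -i {trunk}.{svid} -s {snet} "
                     f"-o {trunk}.{dvid} -d {dnet} -j ACCEPT")
    return rules
```

Departments not named in ALLOWED get no forwarding rule towards each other, so hr stays isolated from sales and eng while still reaching the backbone.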