Unix System Administration


Small NAT Routers
• Objectives
– to learn how to set up a NAT router's basic settings
• Contents
– WAN configuration
– LAN configuration
– Firewall & DMZ
– VPN
• Practicals
– working with NAT routers
• Summary
Overview of NAT routers
• NAT router basic functions
– Ethernet WAN port towards the public network gateway
– Ethernet LAN clients reach the ISP through the built-in NAT
– Simple firewall functionality
– DHCP for LAN clients/hosts
– Limited port forwarding / address translation
• NAT router extended functions
– DMZ – virtual demilitarized zone configuration
– VPN – client and/or server services for private interconnection
– SNMP – remote management through SNMP version 1 or 2
– ROUTING – private network routing
[Diagram: hosts – NAT router – WAN media converter – ISP gateway]
Setting up the NAT router, variants
• Usually NAT routers are equipped with a web interface
– Most "SOHO" NAT routers are equipped with web interface control panels
– A wizard helps with connecting to the public gateway
• Use telnet and the command line
– More qualified routers lack a web interface, or have a weak one
– You have to know their Unix-like, text-based OS
– Some smaller SOHO devices, like Zyxel and Cisco, also have a text-based interface
– Terminal settings are usually VT100 (using HyperTerminal)
– Note that telnet carries the login and the whole session in clear text; use it from the serial console or a LAN segment you trust
• From the LAN/WAN or the serial console port
– The LAN port address is usually 192.168.0.1 for small routers
– If different, the LAN port address is printed on the router or given in the manual
– Serial port configuration: 9600 bps, 8N1
• More qualified routers can be managed with SNMP after setup
• Configuration files are transferred with TFTP (no authentication, so run the TFTP server only for the duration of the transfer)
The first steps, SOHO device
• Connecting WAN and LAN
– Connect your NAT router's WAN port to the public link
– Connect your PC client to a LAN port
– Power up your NAT router, then power up your PC client
• Log in through the NAT router's web interface
– Check the DHCP parameters delivered to your PC
On the command line, type: ipconfig /all
Look for the line: Default Gateway . . . . . . . . . : 192.168.0.1
– Type the default gateway IP address into the address field of your web browser
(the address is also found in the documentation)
Use login name: admin
Log in without entering any password (factory default; set one before the WAN side goes live)
• The security-aware person notes that the entire configuration travels in clear-text HTML POSTs and GETs
– Usually not a problem at this stage, because nobody but you is connected to the router
WAN settings of the NAT router
• DI804HV as an example of a SOHO NAT router
• First set up the WAN configuration
– You can use the wizard (recommended for end users) or configure it manually
• Common WAN settings:
– Dynamic
– Static
– PPPoE
– Dial-up Network
– Others
• Exercise 1:
– Connect your WAN port to the LAN switch in the lab (DHCP from the lab server)
– Connect your client to a LAN port of the NAT router, start the router, start the client
– Access your router via the web interface and set the WAN settings to DYNAMIC address
– Go to STATUS and click on DEVICE info
– Click on DHCP renew and see if you have an IP address
– Try to reach the Internet with your client
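The "first steps" slide and Exercise 1 both have you read the DHCP parameters your client got from the NAT router out of `ipconfig /all`. The script below is an added example, not part of the lecture or of any D-Link software: it parses that output, picks out the gateway, DHCP server and lease, and tells a real lease apart from the 169.254.x.x address Windows falls back to when no DHCP answer arrived. Both sample outputs are constructed (host name and MAC address are made up).

```python
"""Added example, not from the lecture: parse `ipconfig /all` output from the
lab client and check what the NAT router's DHCP server delivered. Both sample
outputs below are constructed; the host name and MAC address are made up."""
import ipaddress
import re

# "Key . . . . : value" lines as printed by ipconfig; section headers have no value
LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s?(?P<value>.*?)\s*$")

SAMPLE_OK = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : labclient

Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, 1 January 2024 09:00:00
   Lease Expires . . . . . . . . . . : Monday, 8 January 2024 09:00:00
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

# What the same client prints when no DHCP answer arrived (APIPA fallback)
SAMPLE_NO_DHCP = """
Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.17.42(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""


def parse_ipconfig(text):
    """Map lower-cased keys to values; a single-NIC lab client has no duplicate keys."""
    params = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("value"):
            continue
        value = re.sub(r"\(preferred\)$", "", m.group("value"), flags=re.IGNORECASE).strip()
        params[m.group("key").strip().lower()] = value
    return params


def dhcp_summary(params):
    """The DHCP parameters the slides ask you to check."""
    return {
        "address": params.get("ipv4 address") or params.get("autoconfiguration ipv4 address"),
        "mask": params.get("subnet mask"),
        "gateway": params.get("default gateway"),
        "dhcp_server": params.get("dhcp server"),
        "lease_expires": params.get("lease expires"),
    }


def has_dhcp_lease(summary):
    """False when the client fell back to a 169.254.x.x link-local address:
    the router's DHCP server is off, or the client is not on its LAN."""
    if not summary["address"] or not summary["gateway"]:
        return False
    return not ipaddress.ip_address(summary["address"]).is_link_local


def router_login_url(summary):
    """The web interface is reached at the default gateway over plain HTTP, so
    the admin login and every configuration page cross the LAN unencrypted."""
    return f"http://{summary['gateway']}/"


if __name__ == "__main__":
    for name, sample in (("lease", SAMPLE_OK), ("no lease", SAMPLE_NO_DHCP)):
        s = dhcp_summary(parse_ipconfig(sample))
        print(name, s, "ok" if has_dhcp_lease(s) else "DHCP FAILED")
```

If `has_dhcp_lease` comes back false after the router has booted, re-check the LAN cable and the router's DHCP server setting before touching the WAN side.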
LAN settings of the NAT router
• You can change the router's LAN IP address
– If you change the router's LAN IP address, the subnet it is in is calculated from the address and the mask
– This address will be the default gateway for all connected LAN clients
– You can leave it as is for a single subnet without VPNs
• You can use any subnet mask
– It must be set according to the size of your subnet, classful or not
Standard subnet masks: A 255.0.0.0, B 255.255.0.0, C 255.255.255.0
Or any calculated mask, e.g. 255.255.255.240
• Add a domain name if you have one
– This is mostly cosmetic, but can be essential for authentication
DHCP server settings
• DHCP on or off?
– For the comfort of users it can be a good idea to have it on
– Can break a DMZ or virtual servers on the LAN side of the router if a server's address changes
• DHCP scope
– Follow the NAT router's internal LAN IP address setting
– Standard for most NAT routers is 192.168.0.100 to 192.168.0.199
– Any range can be used, but don't hand out the network or broadcast address, nor the router's own address!
– Beware of overlapping scopes if there is more than one DHCP server in the same subnet
• DHCP lease times
– Some routers can have lease times of forever
– The setting must reflect the number of simultaneous clients
– The standard for most settings is 1 week
• Static DHCP settings
– Used for clients that should receive the same IP address all the time, based on their MAC address
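The LAN and DHCP slides list the things that go wrong with a scope: addresses outside the subnet, handing out the broadcast address, colliding with the router's own address, two servers with overlapping scopes, static leases that clash. The checker below is an added example, not part of the lecture or of the DI804HV firmware, that applies those rules with Python's `ipaddress` module; the addresses and function names are constructed for the example.

```python
"""Added example, not from the lecture: check a NAT router's LAN address,
subnet mask and DHCP scope the way the slides describe. The addresses are
constructed; the helper names are ours, not the router's UI."""
import ipaddress


def lan_subnet(router_ip, mask):
    """The subnet is calculated from the router's LAN address and its mask,
    whether the mask is a classful one or something like 255.255.255.240."""
    return ipaddress.ip_interface(f"{router_ip}/{mask}").network


def validate_scope(router_ip, mask, scope_start, scope_end, static_leases=()):
    """Return the problems found with a DHCP scope; an empty list means it is sane.
    static_leases is an iterable of (mac, ip) pairs."""
    net = lan_subnet(router_ip, mask)
    router = ipaddress.ip_address(router_ip)
    start, end = ipaddress.ip_address(scope_start), ipaddress.ip_address(scope_end)
    if start > end:
        return ["scope start is after scope end"]
    problems = []
    if start not in net or end not in net:
        problems.append(f"scope is not inside the LAN subnet {net}")
    # addresses a DHCP server must never hand out
    for label, addr in (("network", net.network_address),
                        ("broadcast", net.broadcast_address),
                        ("router", router)):
        if start <= addr <= end:
            problems.append(f"scope hands out the {label} address {addr}")
    seen = {}
    for mac, ip in static_leases:
        fixed = ipaddress.ip_address(ip)
        if fixed not in net:
            problems.append(f"static lease {mac} -> {ip} is outside {net}")
        if fixed == router:
            problems.append(f"static lease {mac} -> {ip} collides with the router")
        if fixed in seen:
            problems.append(f"static lease {mac} -> {ip} duplicates {seen[fixed]}")
        seen[fixed] = mac
    return problems


def scopes_overlap(scope_a, scope_b):
    """Two DHCP servers in one subnet must not share any address."""
    a0, a1 = (ipaddress.ip_address(x) for x in scope_a)
    b0, b1 = (ipaddress.ip_address(x) for x in scope_b)
    return a0 <= b1 and b0 <= a1


def scope_size(scope):
    """Number of leases the scope can hold; compare it with your simultaneous client count."""
    start, end = (ipaddress.ip_address(x) for x in scope)
    return int(end) - int(start) + 1


if __name__ == "__main__":
    # The slide's default: router .1, mask /24, scope .100-.199 -> no problems
    print(validate_scope("192.168.0.1", "255.255.255.0", "192.168.0.100", "192.168.0.199"))
    # A calculated /28 with a careless scope -> router and broadcast address given out
    print(validate_scope("192.168.0.1", "255.255.255.240", "192.168.0.1", "192.168.0.15"))
```

Run `validate_scope` and `scopes_overlap` before enabling DHCP, especially when a second DHCP server (a lab server, a VPN peer's router) shares the subnet.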
Advanced settings
• Most NAT routers keep all the nitty-gritty for the firewall and the various DMZ settings under the Advanced menu
• We are looking at the DI804HV, which has most of the possibilities that the professional big routers have
• Virtual server
– Port forwarding and port translation to a designated LAN client address
• Application
– Opens public ports in the firewall dynamically, triggered by an application's outbound connection from the LAN
• Filter
– Allowing/denying LAN clients access to the outside WAN
• Firewall
– Traditional stateful firewall rules that allow certain traffic to pass or not
• SNMP
– Network management protocol for control and statistical data
Dynamic DNS, DDNS
• What is dynamic DNS?
– A service that publishes the NAT router's current public WAN IP address under a DNS hostname
– The router reports each address change to the provider's update service, which rewrites the record; this is a record update, not a master/slave zone transfer
– It is a limited DNS service; companies normally have permanent public IP addresses instead
– The downside is a service interruption after every address change, while resolvers still cache the old record until its TTL expires
• Provider
– The DDNS provider you have a contract with
• Hostname
– Your DDNS hostname
• DDNS needs account information
– Username
– Password
Routing
• Static routing for your private networks
– Makes VPNs, local routers and failover gateways work
– Controls your traffic flow
– Increases security
• Dynamic routing protocols
– Receive and send routing information: RIP v1 & RIP v2
– RIP v1 has no authentication and RIP v2 only optional authentication, so do not accept RIP updates on the WAN side
• Destination
– The network to reach
• Subnet Mask
– The subnet mask of the network to reach
• Gateway
– The gateway to send traffic to in order to reach the destination
• HOP
– The distance in network hops towards the destination
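The slide names the four fields of a static route but not how the router uses them. The code below is an added example, not from the lecture or from any router firmware: it builds a routing table from (destination, mask, gateway, hop) entries and performs the longest-prefix-match lookup a router does for every packet, including the default route and a route whose gateway is not reachable on any connected network (a common static-route mistake). All addresses are constructed.

```python
"""Added example, not from the lecture: a static routing table with the four
fields the slide lists (destination, subnet mask, gateway, hop count) and the
longest-prefix-match lookup a router performs on it. All addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str   # network to reach
    mask: str          # its subnet mask
    gateway: str       # next hop that knows the way
    hops: int          # distance in network hops

    @property
    def network(self):
        return ipaddress.ip_network(f"{self.destination}/{self.mask}")


class RoutingTable:
    def __init__(self, routes, connected):
        """connected: networks reachable directly on the router's own interfaces."""
        self.routes = list(routes)
        self.connected = [ipaddress.ip_network(n) for n in connected]

    def lookup(self, dst):
        """Most specific route (longest prefix) wins; among equal prefixes the
        lowest hop count wins. The 0.0.0.0/0 default route matches last."""
        ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if ip in r.network]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.network.prefixlen, -r.hops))

    def next_hop(self, dst):
        """'direct' for hosts on a connected network, else the chosen gateway, else None."""
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in self.connected):
            return "direct"
        route = self.lookup(dst)
        return route.gateway if route else None

    def unreachable_gateways(self):
        """A static route is useless if its gateway is not on a connected network:
        the router has no interface on which to hand the packet to it."""
        return [r for r in self.routes
                if not any(ipaddress.ip_address(r.gateway) in net for net in self.connected)]


# Constructed table for a router with LAN 192.168.0.0/24 and WAN 203.0.113.0/24
TABLE = RoutingTable(
    routes=[
        Route("0.0.0.0", "0.0.0.0", "203.0.113.1", 1),             # default: everything else to the ISP
        Route("10.1.0.0", "255.255.0.0", "192.168.0.254", 2),      # branch office via the VPN gateway
        Route("10.1.5.0", "255.255.255.0", "192.168.0.252", 1),    # one branch subnet has a shorter path
        Route("192.168.10.0", "255.255.255.0", "192.168.0.253", 1),  # second LAN behind a local router
        Route("172.16.0.0", "255.240.0.0", "172.16.0.1", 1),       # mistake: gateway on no connected network
    ],
    connected=["192.168.0.0/24", "203.0.113.0/24"],
)


if __name__ == "__main__":
    for dst in ("10.1.5.7", "10.1.9.1", "192.168.10.4", "192.168.0.77", "8.8.8.8"):
        print(dst, "->", TABLE.next_hop(dst))
    print("bad routes:", [r.destination for r in TABLE.unreachable_gateways()])
```

The `10.1.5.0/24` route overriding the `10.1.0.0/16` route is the same longest-prefix rule that lets a single default route coexist with all your private-network entries.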
Basic DMZ
• The DMZ
– Used to open the firewall fully for traffic to and from a LAN client
• Basic DMZ
– The router we are studying can only handle one LAN client: a stateless DMZ
– Virtual servers and Application are also a form of DMZ, but only for designated services
– Comes in two variants, stateful and stateless
• Stateful DMZ
– Can handle several LAN clients even if they have private IP addresses
• Full DMZ (traditional)
– Is used when the clients have public IP addresses
– Can serve several clients in the protected zone with a DMZ
• DMZ is used for bastion hosts or public servers
– A last resort when a regular virtual server does not work
– The DMZ host receives every unsolicited WAN packet on every port, so harden it as you would a host placed directly on the Internet
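The Advanced and DMZ slides describe three ways inbound WAN traffic can reach the LAN (a tracked reply to an outbound connection, a virtual-server entry, the single DMZ host) without spelling out the order in which they apply. The simulation below is an added example, not from the lecture or from D-Link's firmware, that models a SOHO NAT router's decision for one packet: stateful reply first, then port forwarding with translation, then the stateless DMZ host, otherwise drop. Addresses, ports and the table layout are constructed.

```python
"""Added example, not from the lecture: the order in which a SOHO NAT router
decides what to do with a packet arriving on the WAN port. Addresses, ports
and table layout are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_ip, virtual_servers=(), dmz_host=None):
        self.wan_ip = wan_ip
        # virtual servers: (proto, public_port) -> (lan_ip, lan_port); ports may differ (translation)
        self.virtual_servers = dict(virtual_servers)
        self.dmz_host = dmz_host
        # stateful table: (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.conntrack = {}
        self._next_port = 40000

    def outbound(self, pkt):
        """A LAN client opens a connection: allocate a WAN port and remember the mapping."""
        wan_port = self._next_port
        self._next_port += 1
        self.conntrack[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return (action, translated_packet_or_None) for a packet from the WAN."""
        if pkt.dst_ip != self.wan_ip:
            return ("drop", None)
        state = self.conntrack.get((pkt.proto, pkt.dst_port))
        if state:
            lan_ip, lan_port, remote_ip, remote_port = state
            # stateful check: only the peer the LAN client talked to may use this mapping
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return ("reply", Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port))
            return ("drop", None)
        vs = self.virtual_servers.get((pkt.proto, pkt.dst_port))
        if vs:
            lan_ip, lan_port = vs   # designated service only, with port translation
            return ("virtual_server", Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port))
        if self.dmz_host:
            # stateless DMZ: anything unsolicited, on any port, goes to the one DMZ host
            return ("dmz", Packet(pkt.proto, pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port))
        return ("drop", None)


def demo():
    """Walk one router through the cases and return the actions taken, in order."""
    r = NatRouter("203.0.113.10", {("tcp", 80): ("192.168.0.10", 8080)}, dmz_host="192.168.0.50")
    out = r.outbound(Packet("tcp", "192.168.0.100", 51000, "198.51.100.5", 443))
    actions = [
        r.inbound(Packet("tcp", "198.51.100.5", 443, r.wan_ip, out.src_port))[0],  # genuine reply
        r.inbound(Packet("tcp", "192.0.2.66", 443, r.wan_ip, out.src_port))[0],    # spoofed reply
        r.inbound(Packet("tcp", "192.0.2.66", 5555, r.wan_ip, 80))[0],             # forwarded web port
        r.inbound(Packet("tcp", "192.0.2.66", 5555, r.wan_ip, 22))[0],             # unsolicited -> DMZ host
        NatRouter("203.0.113.10").inbound(Packet("tcp", "192.0.2.66", 5555, "203.0.113.10", 22))[0],
    ]
    return actions


if __name__ == "__main__":
    print(demo())
```

The last two cases are the point of the DMZ slide: with a DMZ host configured, port 22 (and every other port) lands on that host; without one the same packet is dropped.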
Summary