Network Configuration (Advanced)

From FreeBSDwiki
(Difference between revisions)
Revision as of 18:14, 15 September 2007

This page contains examples of advanced network configurations. Many of these may be useful in corporate networked environments where more complex network configurations are used.

Introduction

Simple Networking

A home network or a small office LAN will typically have one subnet and a single router with which to connect to the internet. This router is referred to as the 'default gateway', since traffic for any IP address not local to the LAN is sent to it for routing on to the appropriate destination. This setup is fairly straightforward and most configuration for this type of network can be done from the Network Configuration (basic) guide.

Note: the configuration name for the 'default gateway' is 'defaultrouter' within the rc.conf file.

Advanced Networking

In contrast to this simplicity a larger organization will often have multiple offices, spanning cities or whole jurisdictions. These offices will each have a LAN that has a different subnet and connect to at least one other office using wide-area network (WAN) or virtual private network (VPN) links.

A WAN link connects to an office using a router and it is possible for an office to have more than one connecting to it. This may be a 'head office' that plays a central role to the other (possibly smaller 'branch' or 'satellite') offices (star topology) or it may be a setup where each office can connect to any of the other offices directly (web topology).

Static Routing

In the Simple Networking example above, any IP traffic that does not belong to the subnet is sent to the same router address. This default gateway is typically attached directly to an internet connection. In the Advanced Networking example, IP traffic that does not belong to the local subnet may need to be sent to another subnet via a WAN or VPN link instead of being sent directly to the internet. Typically, there will still be a single default gateway for all clients, but that default gateway will then decide whether to forward the packets it receives out to the internet, or to a router connected to a private WAN or VPN link elsewhere within the organization. (It is also possible to program routes to different subnets directly into individual client machines, but that involves considerably more to maintain and more that can go wrong, especially in large networks.)

When the routes to other subnets across private WAN or VPN links are manually pre-programmed into the gateway or the clients, it is known as static routing. (Dynamic routing involves systems which can automatically detect and utilize available routes broadcast by other network devices and pick the best route to a given destination on the fly.)

Scenario (example use, star topology)

An offshore financial institution operates across four jurisdictions: Cayman Islands, Guernsey, Isle of Man and Jersey.

Guernsey hosts the 'head office' and is central to the other offices and connects to the internet for web and email and hosts the corporate email server. Each office has its own network subnet and a file and print server.

The office subnets are configured as follows:

- 172.22.20.0/255.255.252.0 in Guernsey
- 172.22.40.0/255.255.252.0 in Jersey
- 172.22.60.0/255.255.252.0 in Isle of Man
- 172.22.80.0/255.255.252.0 in Cayman Islands

The WAN routers for each office are configured as follows:

- 172.22.20.2 in Guernsey
- 172.22.40.2 in Jersey
- 172.22.60.2 in Isle of Man
- 172.22.80.2 in Cayman Islands

In this example the Guernsey router is a single device that connects to the three WAN links. The internet connection is handled by another router (more specifically a firewall) on 172.22.20.1.

If a computer on the Guernsey LAN needs to access the file server on the Jersey LAN, it will need to know how to get from 172.22.20.0 to 172.22.40.0.

This is possible because the computer knows that the Jersey subnet is reachable by sending IP traffic to 172.22.20.2. The Guernsey router in turn knows to forward traffic for that subnet over the Jersey WAN link.

Conversely a network-attached system on the Jersey LAN will know to route IP traffic for another office subnet to 172.22.40.2.

With the correct router and static routing configuration it is possible for every office to connect to each other and to further permit surfing the web using the Guernsey internet connection regardless of which office a user is in.

Configuration (based on the example)

Static routing can be configured on FreeBSD by editing rc.conf and either running /etc/netstart, or rebooting. Static routing may also be configured by manual use of the route command from the shell, though any changes to the route table made from the shell will not persist through a reboot or running of /etc/netstart.

Using the above example the following configuration would be used within the Guernsey office:

defaultrouter="172.22.20.1"
static_routes="gsyjsy gsyiom gsycmi"
route_gsyjsy="-net 172.22.40.0/22 172.22.20.2"
route_gsyiom="-net 172.22.60.0/22 172.22.20.2"
route_gsycmi="-net 172.22.80.0/22 172.22.20.2"

Note that while there are four routes defined above, there are only two actual next hops: an edge router which handles internet traffic, and a single WAN or VPN router handling all traffic for the other offices. The /22 ('slash twenty-two') used after the offices' network addresses is CIDR notation for the subnet mask 255.255.252.0. A more typical network subnet mask of 255.255.255.0 would use /24, 255.255.0.0 would use /16, and so on.
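As an added example (Python, not code from the FreeBSDwiki page), the script below reads the Guernsey fragment above, expands the /22 prefix into the dotted netmask the note describes, checks that every next hop sits inside the office's own LAN (a static route is useless if the kernel cannot reach its gateway directly, and on this page the gateway is always the office's WAN or edge router), and prints the route(8) commands that would apply the same table by hand. The rc.conf text and the LAN passed to check_routes are constructed from the page's scenario; the function names are my own, and only the "-net <network>/<prefix> <gateway>" form shown on the page is handled.

```python
"""Parse FreeBSD rc.conf static-route entries and sanity-check them.

Added example, not code from the FreeBSDwiki page. Only the
"-net <network>/<prefix> <gateway>" form shown on the page is handled.
"""
import ipaddress
import re
import shlex

# Constructed input: the Guernsey and Jersey fragments from the page.
GUERNSEY_RC_CONF = """
defaultrouter="172.22.20.1"
static_routes="gsyjsy gsyiom gsycmi"
route_gsyjsy="-net 172.22.40.0/22 172.22.20.2"
route_gsyiom="-net 172.22.60.0/22 172.22.20.2"
route_gsycmi="-net 172.22.80.0/22 172.22.20.2"
"""

JERSEY_RC_CONF = """
defaultrouter="172.22.40.2"
# static_routes="jsygsy jsyiom jsycmi"
# route_jsygsy="-net 172.22.20.0/22 172.22.40.2"
"""

_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def parse_rc_conf(text):
    """Return {name: value} for the uncommented name="value" lines."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue  # a commented-out entry is ignored, just as sh ignores it
        m = _ASSIGN.match(line)
        if m:
            found[m.group(1)] = ' '.join(shlex.split(m.group(2)))
    return found


def prefix_to_netmask(prefix_len):
    """/22 -> '255.255.252.0', the mapping the page spells out."""
    return str(ipaddress.IPv4Network(f'0.0.0.0/{prefix_len}').netmask)


def static_routes(conf):
    """Yield (name, destination network, gateway) for each listed route."""
    for name in conf.get('static_routes', '').split():
        spec = conf.get(f'route_{name}')
        if spec is None:
            raise ValueError(f'static_routes lists {name} but route_{name} is not set')
        parts = spec.split()
        if len(parts) != 3 or parts[0] != '-net':
            raise ValueError(f'route_{name}: expected "-net <network> <gateway>"')
        yield name, ipaddress.IPv4Network(parts[1]), ipaddress.IPv4Address(parts[2])


def check_routes(conf, local_lan):
    """Return a list of problems (empty when the fragment is consistent).

    local_lan is this office's own subnet. Every next hop, default or static,
    must lie inside it: the kernel can only hand packets to a gateway it can
    reach directly, which on the page is the office's WAN or edge router.
    """
    lan = ipaddress.IPv4Network(local_lan)
    problems = []
    default = conf.get('defaultrouter')
    if default and ipaddress.IPv4Address(default) not in lan:
        problems.append(f'defaultrouter {default} is not on the local subnet {lan}')
    for name, net, gw in static_routes(conf):
        if gw not in lan:
            problems.append(f'route_{name}: gateway {gw} is not on the local subnet {lan}')
        if net.overlaps(lan):
            problems.append(f'route_{name}: destination {net} overlaps the local subnet {lan}')
    return problems


def route_commands(conf):
    """Render the route(8) commands equivalent to the fragment; nothing is run."""
    cmds = []
    if conf.get('defaultrouter'):
        cmds.append(f"route add default {conf['defaultrouter']}")
    for _name, net, gw in static_routes(conf):
        cmds.append(f'route add -net {net} {gw}')
    return cmds


if __name__ == '__main__':
    for label, text, lan in (('Guernsey', GUERNSEY_RC_CONF, '172.22.20.0/22'),
                             ('Jersey', JERSEY_RC_CONF, '172.22.40.0/22')):
        conf = parse_rc_conf(text)
        print(f'{label}: problems = {check_routes(conf, lan) or "none"}')
        for cmd in route_commands(conf):
            print('  ' + cmd)
    print('/22 is netmask', prefix_to_netmask(22))
```

Running check_routes with the wrong office's LAN (for instance the Guernsey fragment against 172.22.40.0/22) reports every next hop as unreachable and the Jersey route as overlapping the local subnet, which is the kind of mistake that appears when a fragment is copied between offices without editing the gateways.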

And within the Jersey office:

defaultrouter="172.22.40.2"
# static_routes="jsygsy jsyiom jsycmi"
# route_jsygsy="-net 172.22.20.0/22 172.22.40.2"
# route_jsyiom="-net 172.22.60.0/22 172.22.40.2"
# route_jsycmi="-net 172.22.80.0/22 172.22.40.2"

Notice that in this case, the static routes have actually been commented out - that is because our example here uses a star topology with a single internet connection, and all traffic between offices must go through the "hub" Guernsey office. So our satellite offices have only the single WAN router, which routes all traffic to Guernsey, and the Guernsey router then decides what is routed out to the internet, what is routed to another satellite office, and what is delivered locally to one of its own clients in Guernsey.

In some cases, however, you will see individual offices each have their own Internet connection as well as a WAN or VPN connection to the home office. In this case, you would see a defaultrouter parameter directing traffic to the ISP, and one or more static routes defined directing interoffice traffic to the home office for further routing elsewhere. In the case of virtual private networks, it is also common to see a "web" topology in which each office not only has its own internet connection, but also routes directly to any other office without need to go through a central "home" or hub office along the way.

If we were using a web topology, Jersey's configuration would not have the static routes commented out, and its defaultrouter would likely be .1 (for its own internet edge device) while leaving the routes to the other offices through .2 (its own private WAN router or VPN server).
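The choice between the two layouts is mechanical once the office table is known, so here is an added example (Python, not from the FreeBSDwiki page) that generates the rc.conf routing stanza for any office in either topology from the page's subnets and WAN routers. The .1 edge routers for Jersey, Isle of Man and Cayman Islands are an assumption the page only implies for the web case; for the star topology the generator reproduces the Guernsey and Jersey stanzas shown above.

```python
"""Generate an office's rc.conf routing stanza for a star or web topology.

Added example, not from the FreeBSDwiki page. The rule it encodes is the one
the page describes: in a star, the hub owns the internet connection and the
satellites hand everything to their WAN router; in a web, every office has
its own edge router for the internet and its own WAN or VPN router for the
other offices. Route names follow the page's <src><dst> pattern (gsyjsy).
"""

# Constructed from the page's scenario: code -> (LAN, WAN router, edge router).
# The .1 edge routers outside Guernsey are an assumption for the web topology.
OFFICES = {
    'gsy': ('172.22.20.0/22', '172.22.20.2', '172.22.20.1'),
    'jsy': ('172.22.40.0/22', '172.22.40.2', '172.22.40.1'),
    'iom': ('172.22.60.0/22', '172.22.60.2', '172.22.60.1'),
    'cmi': ('172.22.80.0/22', '172.22.80.2', '172.22.80.1'),
}
HUB = 'gsy'


def routing_stanza(office, topology, offices=OFFICES, hub=HUB):
    """Return the rc.conf lines for one office; topology is 'star' or 'web'."""
    if topology not in ('star', 'web'):
        raise ValueError(f'unknown topology {topology!r}')
    _lan, wan_router, edge_router = offices[office]
    others = [code for code in offices if code != office]
    names = ' '.join(f'{office}{code}' for code in others)
    # Inter-office subnets are always reached through this office's own WAN router.
    routes = [f'route_{office}{code}="-net {offices[code][0]} {wan_router}"'
              for code in others]

    if topology == 'star' and office != hub:
        # Satellite: everything goes to the WAN router, which forwards it to
        # the hub; the hub sorts internet, inter-office and local traffic.
        # The explicit routes are redundant, so they stay commented out as on
        # the page's Jersey configuration.
        return ([f'defaultrouter="{wan_router}"', f'# static_routes="{names}"']
                + ['# ' + line for line in routes])

    # Hub of a star, or any office of a web: own edge router for the internet,
    # explicit routes for every other office subnet.
    return [f'defaultrouter="{edge_router}"', f'static_routes="{names}"'] + routes


if __name__ == '__main__':
    for topology in ('star', 'web'):
        for office in OFFICES:
            print(f'# {office} ({topology})')
            print('\n'.join(routing_stanza(office, topology)), end='\n\n')
```

The only difference between a star satellite and a web office is which device is named in defaultrouter and whether the explicit routes are active, which is why switching Jersey from one layout to the other touches nothing but that first line and the comment markers.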

See also: OpenVPN
