Rich Braun wrote in a message to Mike Bilow:

RB> I'm looking for suggestions on using my Linux box as a LAN
RB> network address translator for one of those cable-modem
RB> services.

This subject came up a few months ago. I thought it was on this list, but I may have been wrong. Someone else may have a better memory.

First, you should know that cable modems are usually configured as Dynamic Host Configuration Protocol (DHCP) agents, which means that they provide an IP address dynamically. The DHCP "lease" term for a particular assignment might change once a year, once a month, or once a day, depending upon how much your cable modem provider chooses to torture you. As a result, your IP address may change suddenly.

There are several ways to handle this. The simplest is to run a standard DHCP client, such as the Windows 95 TCP/IP stack, get the IP address assigned, reboot into Linux, and then type in the IP address by hand. This has several serious disadvantages, but it has been reported to work.

There is DHCP client support available for Linux. Considerable confusion has resulted on this issue, since the development of a DHCP server daemon for Linux has been a non-trivial project, but you only care about the client daemon for this purpose. You can get it from (primary/secondary):

    ftp://ftp.kobe-u.ac.jp/pub/PC-UNIX/Linux/network/dhcp/dhcpcd-0.65.tar.gz
    http://sunsite.unc.edu/pub/Linux/system/network/daemons/dhcpcd-0.65.tar.gz

Although the DHCP mini-HOWTO is concerned with the server daemon and is therefore of no use to you, there is a Dynamic IP Hacks mini-HOWTO. At 75 KB it is not "mini," but it is available at (primary/secondary):

    http://frob.base.org/howto.txt
    ftp://sunsite.unc.edu/LDP/HOWTO/mini/Dynamic-IP-Hacks

In the specific case of cable modems, my understanding is that the hardware (MAC) address of the Ethernet card is checked by the cable modem, probably to prevent you from using more than the one card authorized. Of course, you can override the MAC address of an Ethernet card with "ifconfig" and fake it to anything you need, although this probably will not be necessary.

RB> Typically, those services give you only one IP address unless
RB> you're willing to pay business rates (as a former ISP, I have
RB> first-hand experience with how much higher those are!) I have
RB> a couple of Windoze boxes which I use for browsing & telnet.
RB> There are commercial products like Instant Internet and Firefox
RB> for setting up a LAN full of PC's with a single IP address, but
RB> none of them are priced for home use.

What you want is what Linux calls "IP Masquerading." There is a fairly extensive resource available at:

    http://www.wwonline.com/~achau/ipmasq/

The primary site is supposed to be "http://ipmasq.home.ml.org", but it never seems to respond to me. The site is maintained by the author of the official mini-HOWTO (about 50 KB), and he has links to the mini-HOWTO in HTML, ASCII, and Postscript format. Except for PPTP support discussed below, IP Masquerading is fully supported in the standard 2.0.30 kernel.

One important issue that should probably be emphasized in the mini-HOWTO is which IP addresses you should use for your private LAN. Many people just make up numbers, but this is bad practice. RFC1918 (superseding RFC1597) reserves three contiguous blocks of addresses for doing exactly this sort of thing, and you should use them:

    10.0.0.0    - 10.255.255.255  (10/8 prefix)
    172.16.0.0  - 172.31.255.255  (172.16/12 prefix)
    192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Personally, I recommend the 192.168.x.x block because it will likely be the easiest to configure. Using the officially sanctioned RFC1918 address blocks will give you slightly more security in case they leak out of your LAN, since these addresses are guaranteed to be unrouteable on the public Internet.

For the sake of completeness, I should say that many boxes which are fairly inexpensive will do the same kind of address translation as Linux. Included in this class are products from Arescom, OpenRoute, and WebRamp, sometimes in the under-$400 price range. If you have the necessary experience with Linux administration already, it will give you a more powerful set of tools.

RB> I'm wondering if there's a way to set up a set of
RB> pseudo-addresses behind a Linux firewall, or a tunneling method
RB> like PPTP or something like that to allow the PC's to use a
RB> cable-modem service.

PPTP support through IP Masquerading is under development. There are some restrictions based on the inherent architecture of PPTP itself, particularly that only one PPTP connection per server can be supported at a time. You can read more information at "http://www.wwonline.com/~achau/ipmasq/pptp.html", and the source diffs (considered alpha test) against kernel 2.0.30 are available at "http://www.wwonline.com/~achau/ipmasq/ip_masq_pptp.patch.gz".

-- Mike
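
An added example, not part of the original message: a POSIX shell check that a proposed LAN prefix lies wholly inside one of the three RFC1918 blocks listed above, run before printing masquerading rules. It assumes the ipfwadm tool used for forwarding rules on 2.0.x kernels; the function names and sample prefixes are constructed for illustration.

```shell
#!/bin/sh
# Function bodies are subshells ( ... ), so variables and IFS stay local
# and "exit" leaves only that function, not the calling script.

# Dotted quad -> 32-bit integer on stdout; non-zero status if malformed.
# Octets with a leading zero are rejected: some parsers read them as octal.
ip_to_int() (
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    n=0
    for o in "$@"; do
        case $o in 0?*|????*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
        n=$(( (n << 8) | o ))
    done
    echo "$n"
)

# Print private / partial / public / invalid for a CIDR prefix. Status 0 only
# for "private": every address lies inside one of the three RFC1918 blocks.
classify_lan() (
    case $1 in */*) ;; *) echo invalid; exit 1 ;; esac
    net=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*|0?*|???*) echo invalid; exit 1 ;; esac
    [ "$len" -le 32 ] || { echo invalid; exit 1; }
    start=$(ip_to_int "$net") || { echo invalid; exit 1; }
    size=$(( 1 << (32 - len) ))
    start=$(( start - start % size ))      # clear host bits
    end=$(( start + size - 1 ))
    for blk in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        bstart=$(ip_to_int "${blk%/*}")
        bend=$(( bstart + (1 << (32 - ${blk#*/})) - 1 ))
        [ "$start" -ge "$bstart" ] && [ "$end" -le "$bend" ] && { echo private; exit 0; }
        [ "$start" -le "$bend" ] && [ "$end" -ge "$bstart" ] && { echo partial; exit 1; }
    done
    echo public; exit 1
)

# Print (never execute) ipfwadm forwarding rules for a 2.0.x kernel,
# refusing any LAN prefix that is not wholly RFC1918 space.
masq_rules() {
    [ "$(classify_lan "$1")" = private ] || { echo "refusing $1" >&2; return 1; }
    printf '%s\n' "ipfwadm -F -p deny" "ipfwadm -F -a m -S $1 -D 0.0.0.0/0"
}

# Constructed sample prefixes, including near-misses of two of the blocks.
for p in 192.168.1.0/24 172.32.0.0/16 172.16.0.0/11 192.169.0.0/16; do
    printf '%-16s %s\n' "$p" "$(classify_lan "$p")"
done
masq_rules 192.168.1.0/24
```

The "partial" result covers prefixes such as 172.16.0.0/11, which contain a reserved block but also extend into routable address space.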