I need help with IPCop.
Eric Shubert
ejs at shubes.net
Tue Aug 4 08:10:52 MST 2009
Matthew A Coulliette wrote:
> Hi Lisa & Eric,
>
>
> Questions:
> Can you just assign an ip number to a computer?
Yes, for the most part. You also need to give it a subnet mask, so it
knows what the network and broadcast addresses are. The network and
broadcast addresses are the first and last address of the subnet.
> Or does something up
> stream of it, (a computer, router, dhcp server, whatever), have to be
> made aware of that computer's ip number.
Not necessarily, but usually a DNS server of some sort will need an
entry for it so that other computers can 'find' it by name.
> Example, when I assign static ip's on the green zone, I always enter the
> ip on both IPCop and the workstation.
You shouldn't need to assign ip addresses on the hosts on the green
subnet. Just specify those hosts as DHCP, and let IPCop divvy out the
addresses. If you want to give a host on green subnet a fixed (static)
address (like for a network printer or file server for instance), use
the "Current fixed leases" section of IPCop's DHCP Server page.

To use IPCop as your local DNS server, specify IPCop's green IP address
as the "Primary DNS Server" in the DHCP section of the same page. Then
add entries in the "Edit Hosts" page for the host addresses you need to
reference locally (from the green subnet).
> I set up the network interfaces for
> my data server (192.168.0.2) and it worked like a charm, however, I
> entered the static ip on both IPCop and the data server. Assuming, I
> enter an ip on the web server (192.168.2.2), on what machine upstream of
> the web server do I enter the ip?
Just enter it on the "Edit Hosts" page and you should be fine. I think
your problem was that you weren't using DHCP, so the green hosts didn't
know to look to IPCop for name resolution. You could also add IPCop's
green address to the /etc/resolv.conf file of each green host, but that
sorta defeats the purpose of using DHCP, which will handle this
automagically for you.
>
>
> Eric Shubert wrote:
>>
>> Note, you can add your orange server(s) to the 'hosts' list with its
>> (orange subnet) address, so that computers on the green network can get
>> its address via dhcp/dns and access it via its private (orange subnet)
>> address. Make sure that dhcp is configured to specify the ipcop itself
>> as the dns resolver for your green subnet.
> Okay, this helps. But, isn't the 'hosts' list just to help the
> 192.168.0.1 dns name server?
Yes. For servers on the orange subnet, you'll either need to use an
external DNS resolver (as Craig mentioned), or you can install a caching
nameserver on your orange host itself. This is as it should be.

If you choose to use an external resolver, you can use the DNS resolver
provided by your ISP, or you might check http://www.dnsserverlist.org/
for an alternative, or you might use http://opendns.com/. There are many
choices available.

If you choose to simply run a resolving nameserver on your orange host
itself, you can simply
# yum install caching-nameserver bind-chroot
(for RHEL/CentOS for example) on the orange host, then use 127.0.0.1 as
your resolver address (in your /etc/resolv.conf file). It's a good idea
to have one or two additional "nameserver" records in your resolv.conf
file, just in case there's a problem with the primary (first) one.

Once you have a caching nameserver set up on an orange host, any
additional servers on the orange subnet can use that resolver as well.
You might need to tweak the config a little to allow other machines to
query it though - I'm not sure how tight the default configuration is
for caching-nameserver.
>
> Here is what I did. Can you tell me why it did not work?
>
> First, I added the web server's ip (192.168.2.2) to IPCop's 'hosts' list.
>
>
> Then on the Ubuntu Web Server:
> vi /etc/network/interfaces
> #The loopback network interface.
> auto lo
> iface lo inet loopback
>
> #The primary network interface.
> auto eth0
> iface eth0 inet static
> address 192.168.2.2
> gateway 192.168.2.1
> netmask 255.255.255.0
> network 192.168.2.0
> broadcast 192.168.2.255
>
> vi /etc/resolv.conf
> search 25century.org (same as green)
> nameserver 192.168.0.1 (green nic)
> (IPCop says not to use IPCop for the orange DNS. What name server should
> I use?)
Craig and I explained this. It does no good to reference the green
subnet from a machine on the orange subnet, because you can't get to the
green from orange (unless you define a pinhole, but that's generally not
a good/secure practice).
> Any advice?
After making the changes I've described, test again. If it's still not
working, you'll need to describe in more detail what you did to conclude
that "it did not work". That's not very descriptive. ;)
Let us know how you make out.
--
-Eric 'shubes'
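
Added example (not part of the original message): a Python check of the resolver point made in the reply above, that a host on the orange subnet cannot use a nameserver on the green subnet without a pinhole. The addresses come from the thread; the /24 mask for the green subnet, the function names, and the choice of OpenDNS's 208.67.222.222 as the external resolver are assumptions.

```python
import ipaddress

# Constructed sample inputs, using the addresses quoted in the thread.
BROKEN_RESOLV_CONF = "search 25century.org\nnameserver 192.168.0.1\n"
# Assumed fix: local caching nameserver first, then an external resolver
# (208.67.222.222 is an OpenDNS resolver address).
FIXED_RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 208.67.222.222\n"
ORANGE_IFACE = "192.168.2.2/255.255.255.0"  # web server address/netmask
GREEN_SUBNET = "192.168.0.0/24"  # assumed /24 for the green zone


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf text."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        # Comment lines start with '#' or ';' and so never match here.
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(ipaddress.ip_address(fields[1]))
    return servers


def audit_resolvers(resolv_text, iface, protected_subnets):
    """Classify each nameserver as seen from a host on the orange subnet."""
    local = ipaddress.ip_interface(iface)
    protected = [ipaddress.ip_network(n) for n in protected_subnets]
    findings = []
    for ns in parse_nameservers(resolv_text):
        if ns.is_loopback:
            verdict = "ok: caching nameserver on this host"
        elif any(ns in net for net in protected):
            verdict = "unreachable: green address, would need a pinhole"
        elif ns in local.network:
            verdict = "ok: resolver on the same orange subnet"
        elif ns.is_private:
            verdict = "check: private address on another subnet"
        else:
            verdict = "ok: external resolver"
        findings.append((str(ns), verdict))
    if len(findings) < 2:
        findings.append(("-", "note: no fallback nameserver listed"))
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_RESOLV_CONF), ("fixed", FIXED_RESOLV_CONF)):
        for ns, verdict in audit_resolvers(conf, ORANGE_IFACE, [GREEN_SUBNET]):
            print(f"{name:7} {ns:16} {verdict}")
```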