LinuxQuestions.org

Linux - Networking: PC as gateway using one NIC (https://www.linuxquestions.org/questions/linux-networking-3/pc-as-gateway-using-one-nic-831134/)

!nvincible 09-09-2010 02:42 AM

PC as gateway using one NIC
 
Hi All,

I have one scenario: I want to use my Linux PC as a residential gateway. I have only one NIC connected to my PC (I cannot connect more), so to handle this problem I am using a switch. All the devices including my PC are connected using the switch (please refer to the attached file).

I am not sure how I can achieve this. I am familiar with NAT and DHCP but do not know if this is possible in this case.

Thanks in advance.

estabroo 09-09-2010 07:12 AM

completely possible, just have the dhcp server give out that pc's ip address as the gateway and everything will route through it

jefro 09-09-2010 04:01 PM

Kind of slows it down a lot but it can be done all on one slot. I'd consider a cheap usb wired nic. They cost like $8 or so.

LVsFINEST 09-10-2010 12:47 AM

What you're looking to do is known as a sub-interface, IP alias or child interface. These keywords may help you on your search.

As for this working properly, we need more details. How does your ISP assign addresses? Is your switch managed? Does it support VLANs?

If your ISP assigns your public IP via DHCP, and if you plan on running DHCP on the inside, then you're going to run into conflicts because that one switch puts all devices in the same broadcast domain (DHCP functions on broadcasts).

Statically assigning addresses should work fine however.

sag47 09-10-2010 01:45 AM

You cannot create a gateway without two nics. If you wish to gateway then you should obtain either a nic through expansion slot or USB nic via a dongle. If there's not a second nic then there's nothing to route through and NAT with your internet can't be achieved.

Unless you're creating an ad-hoc wireless network with a laptop and connecting to your ISP using the hardwired ethernet; again, you'll still be using two different network interfaces.

estabroo 09-10-2010 07:43 AM

sag47, you can. I run a 1 nic gateway here at home and it works great. My setup is a little convoluted but only because I like to play with networking. Essentially I wanted to run a squid server and have all traffic go through that. So my gateway box runs dhcp, provides dns, and is running a transparent squid server. Everything uses it as their default route. It also runs a couple of vpns.

Depending on how you set it up and equipment you have it might be difficult to keep a determined user from bypassing that box. But as mentioned before a managed switch with vlan support could prevent that.

sag47 09-10-2010 12:57 PM

Wouldn't that configuration be vulnerable on the internet since there is no NAT? For vlan don't you have to have a local IP? By using a switch isn't your dhcp server directly connected to your ISP network farming out IP addresses?

I'm just having a hard time visualizing how that would be possible with a switch without two interfaces. How would one go about configuring that? Can you give specific instructions or a tut?

juan10dan 09-10-2010 05:53 PM

Depending on what kind of IPs your ISP modem farms, the result is different when you have a switch directly connected to it.

Anyway, you should not have it that way. You definitely should get an extra nic, so you don't have to worry for possible problems or complex scenarios like implementing vlans.

ComputerErik 09-10-2010 05:54 PM

I think the only way it would be possible is if you had a switch that supported VLANs, and you put each network (ISP and LAN) on a different VLAN. Then you would need to configure the Linux box to use VLAN tagging to figure out which network the traffic should go to. Essentially what you are creating is called a Router on a Stick.

Ultimately I think it could be done, but I would have serious concerns about security (you are now open to a VLAN hopping attack, and VLAN spoofing). Also it would be more difficult (and expensive) than a second interface in the gateway box.

estabroo 09-10-2010 06:13 PM

For me NATting happens in two places, once at the gateway box and once at the dsl router. DHCP isn't a problem since it involves using the mac layer with the ip layer. Other than something directly connected (or a bridge connection), you won't see a mac address. In my case it also happens to not be a problem because the dsl router won't pass it.

For me it's like this

physical layout
internet
|
dsl router provided by isp (nat's and has public ip)
|
switch - my gateway computer
|
the other computers on the network

logical layout based on ip
internet
|
dsl router
|
gateway box
|
switch --- other computers

By far the easiest way to do this is to use vlans which means you either need a switch that can handle vlans or everything on a vlan needs to understand vlans. I run my gateway box both tagged and untagged. The untagged interface (eth0) talks with the dsl router (because the dsl router doesn't do vlans). The tagged interfaces (eth0.1, eth0.2, eth0.3) go to other places. eth0.1 is my voip network. eth0.2 is my wireless network, and eth0.3 is my general computer interface. The gateway box is the default route for all the vlans and it says what traffic is allowed to cross-talk or be routed out to the internet. Now if you have a smart switch that understands vlans you can use it to provide real separation and have it not send traffic to ports that don't belong to a particular vlan group, or strip tags so you can attach things like a dsl router that doesn't understand vlans.

I say vlans are the easiest because vlan interfaces (unlike aliases) get treated like a real ethernet interface, so you can do all your normal iptables firewall rules and routing just like you had multiple nics. Since they are treated as real interfaces you can tell your DHCP server to only talk on the vlans you want it to give information out on. In my case the DHCP server only serves out data on eth0.3.
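The tagged-interface layout estabroo describes, written out as a script (an added example, not estabroo's own configuration or anything from the thread): the untagged eth0 faces the DSL router, a tagged eth0.3 carries the LAN, NAT and a default-deny FORWARD chain sit between them, and dhcpd is bound to eth0.3 only. Interface names, the VLAN id and the subnets are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a one-NIC "router on a stick" on Linux
# following estabroo's layout. Untagged eth0 faces the ISP's DSL router; the
# tagged sub-interface eth0.3 is the LAN that gets DHCP and NAT. Interface
# names, VLAN id and subnets are assumptions. Applying it needs root and the
# 8021q module; DRY_RUN=1 prints the commands instead of running them.
set -eu

WAN_IF=${WAN_IF:-eth0}               # untagged side, talks to the DSL router
LAN_VID=${LAN_VID:-3}                # 802.1Q tag of the general LAN
LAN_NET=${LAN_NET:-192.168.3.0/24}
LAN_GW=${LAN_GW:-192.168.3.1/24}     # gateway address on the tagged LAN
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Name of the tagged sub-interface for a parent interface and VLAN id.
vlan_if() { printf '%s.%s\n' "$1" "$2"; }

setup_vlan() {
    lan_if=$(vlan_if "$WAN_IF" "$LAN_VID")
    run modprobe 8021q
    run ip link add link "$WAN_IF" name "$lan_if" type vlan id "$LAN_VID"
    run ip addr add "$LAN_GW" dev "$lan_if"
    run ip link set "$lan_if" up
}

# Default-deny forwarding: only the tagged LAN may go out, only replies come
# back, and untagged hosts on the switch get no routing through this box.
setup_nat() {
    lan_if=$(vlan_if "$WAN_IF" "$LAN_VID")
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$lan_if" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$lan_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# ISC dhcpd only listens on interfaces named on its command line, so its
# offers stay on the tagged LAN and never reach the ISP's untagged side.
start_dhcp() { run dhcpd "$(vlan_if "$WAN_IF" "$LAN_VID")"; }

main() { setup_vlan; setup_nat; start_dhcp; }
case "${1:-}" in apply) main ;; esac   # sh one_nic_gateway.sh apply
```

As the thread notes, this only separates traffic on the wire if the switch enforces VLAN membership per port; on an unmanaged switch a host can still send untagged frames to the DSL router directly.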

LVsFINEST 09-11-2010 12:37 AM

NAT would have to be used in this setup, unless his ISP gives him more than one address. And DHCP will cause issues which is why static addresses (either outside, inside, or both) will be necessary.

Even if the switch doesn't support vlans, this setup would still work. A switch will continue to switch frames regardless of the IP addresses or subnets that traverse it; it doesn't care. And like I said before, this one switch puts all machines on the same broadcast domain, which means all ports will receive both IP broadcasts as well as ARP broadcasts, even the ISP connected one. So this also means that this setup would be susceptible to ARP spoofing (in a pretty severe way mind you) in addition to any broadcast related attacks.

ComputerErik 09-11-2010 10:12 AM

As I see it the problem of doing this without VLAN support is that all computers will be connected to the same broadcast domain. Let's assume only a single IP from the ISP as that is fairly standard. There would be no real way to make sure the PC that is acting as the gateway would always get the IP from the ISP.

Also since everything is on the same broadcast domain I would worry that DHCP would be a potential issue, there would be no way to make sure clients get a DHCP response from the gateway. It is possible that they would first get a deny from the ISP, before the gateway DHCP responds.

Either way I think the bottom line is doing this would leave some pretty big security holes, and would be more trouble than it is worth since a second interface would cost next to nothing.
