
Network Configuration (Advanced)

From FreeBSDwiki
Revision as of 19:16, 15 September 2007 by Jimbo (Talk | contribs)

This page contains examples of advanced network configurations. Many of these may be useful in corporate networked environments where more complex network configurations are used.


Introduction

Simple Networking

A home network or a small office LAN will typically have one subnet and a single router through which it connects to the internet. This router is referred to as the 'default gateway', since traffic for any IP address not local to the LAN is sent to it for routing on to the appropriate destination. This setup is fairly straightforward, and most configuration for this type of network can be done from the Network Configuration (basic) guide.

Note: the configuration name for the 'default gateway' is 'defaultrouter' within the rc.conf file.

Advanced Networking

In contrast to this simplicity a larger organization will often have multiple offices, spanning cities or whole jurisdictions. These offices will each have a LAN that has a different subnet and connect to at least one other office using wide-area network (WAN) or virtual private network (VPN) links.

A WAN link terminates at an office on a router, and an office may have more than one WAN link connecting to it. This may be a 'head office' that plays a central role for the other (possibly smaller 'branch' or 'satellite') offices (star topology), or it may be a setup where each office can connect to any of the other offices directly (web topology).


Static Routing

In the Simple Networking example above, any IP traffic that does not belong to the local subnet is sent to the same router address. This default gateway is typically attached directly to an internet connection. In the Advanced Networking example, IP traffic that does not belong to the local subnet may need to be sent to another subnet via a WAN or VPN link instead of being sent directly to the internet. Typically, there will still be a single default gateway for all clients, but that default gateway will then decide whether to forward the packets it receives out to the internet, or to a router connected to a private WAN or VPN link elsewhere within the organization. (It is also possible to program routes to different subnets directly into individual client machines, but that involves considerably more to maintain and more that can go wrong, especially in large networks.)

When the routes to other subnets across private WAN or VPN links are manually pre-programmed into the gateway or the clients, it is known as static routing. (Dynamic routing involves systems which can automatically detect and utilize available routes broadcast by other network devices and pick the best route to a given destination on the fly.)

Scenario (example use, star topology)

An offshore financial institution operates across four jurisdictions: Cayman Islands, Guernsey, Isle of Man and Jersey.

Guernsey hosts the 'head office' and is central to the other offices and connects to the internet for web and email and hosts the corporate email server. Each office has its own network subnet and a file and print server.

The office subnets are configured as follows:

172.22.20.0/255.255.252.0 in Guernsey
172.22.40.0/255.255.252.0 in Jersey
172.22.60.0/255.255.252.0 in Isle of Man
172.22.80.0/255.255.252.0 in Cayman Islands

The WAN routers for each office are configured as follows:

172.22.20.2 in Guernsey
172.22.40.2 in Jersey
172.22.60.2 in Isle of Man
172.22.80.2 in Cayman Islands

In this example the Guernsey router is a single device that connects to the three WAN links. The internet connection is handled by another router (more specifically a firewall) on 172.22.20.1.

If a computer on the Guernsey LAN needs to access the file server on the Jersey LAN, it will need to know how to get from 172.22.20.0 to 172.22.40.0.

This is possible because the computer knows that the Jersey subnet is accessible by sending IP traffic to 172.22.20.2. The Guernsey router knows to forward traffic on that subnet through the Jersey WAN link.

Conversely a network-attached system on the Jersey LAN will know to route IP traffic for another office subnet to 172.22.40.2.

With the correct router and static routing configuration, every office can reach every other office, and users can surf the web through the Guernsey internet connection regardless of which office they are in.

Configuration (based on the example)

Static routing can be configured on FreeBSD by editing rc.conf and either running /etc/netstart, or rebooting. Static routing may also be configured by manual use of the route command from the shell, though any changes to the route table made from the shell will not persist through a reboot or running of /etc/netstart.

Using the above example the following configuration would be used within the Guernsey office:

defaultrouter="172.22.20.1"
static_routes="gsyjsy gsyiom gsycmi"
route_gsyjsy="-net 172.22.40.0/22 172.22.20.2"
route_gsyiom="-net 172.22.60.0/22 172.22.20.2"
route_gsycmi="-net 172.22.80.0/22 172.22.20.2"

Note that while there are four routes defined above, there are only two actual next hops: an edge router (the firewall on 172.22.20.1) which handles internet traffic, and a single WAN or VPN router (172.22.20.2) handling all traffic for the other offices. The /22 ('slash twenty-two') used after the offices' network addresses is CIDR notation for the subnet mask 255.255.252.0. A more typical network subnet mask of 255.255.255.0 would use /24, 255.255.0.0 would use /16, and so on.

And within the Jersey office:

defaultrouter="172.22.40.2"
# static_routes="jsygsy jsyiom jsycmi"
# route_jsygsy="-net 172.22.20.0/22 172.22.40.2"
# route_jsyiom="-net 172.22.60.0/22 172.22.40.2"
# route_jsycmi="-net 172.22.80.0/22 172.22.40.2"

Notice that in this case, the static routes have actually been commented out - that is because our example here uses a star topology with a single internet connection, and all traffic between offices must go through the "hub" Guernsey office. So our satellite offices have only the single WAN router, which routes all traffic to Guernsey, and the Guernsey router then decides what is routed out to the internet, what is routed to another satellite office, and what is delivered locally to one of its own clients in Guernsey.

In some cases, however, you will see individual offices each have their own Internet connection as well as a WAN or VPN connection to the home office. In this case, you would see a defaultrouter parameter directing traffic to the ISP, and one or more static routes defined directing interoffice traffic to the home office for further routing elsewhere. In the case of virtual private networks, it is also common to see a "web" topology in which each office not only has its own internet connection, but also routes directly to any other office without need to go through a central "home" or hub office along the way.

If we were using a web topology, Jersey's configuration would not have the static routes commented out, and its defaultrouter would likely be .1 (for its own internet edge device) while leaving the routes to the other offices through .2 (its own private WAN router or VPN server).
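The following is an added example, not part of the original wiki page: it parses the Guernsey and Jersey rc.conf fragments shown above (only the quoted "-net" form used on this page is supported, and commented-out lines are ignored just as rc.d ignores them) and resolves the next hop for a few destinations using longest-prefix matching, which is how the kernel's routing table chooses between the defaultrouter and the more specific static routes.

```python
# Added example (not from the FreeBSDwiki page): parse the rc.conf routing
# directives and resolve next hops with longest-prefix matching. Stdlib only.
import ipaddress
import re

# Constructed rc.conf fragments reproducing the page's Guernsey and Jersey examples.
GUERNSEY_RC = """
defaultrouter="172.22.20.1"
static_routes="gsyjsy gsyiom gsycmi"
route_gsyjsy="-net 172.22.40.0/22 172.22.20.2"
route_gsyiom="-net 172.22.60.0/22 172.22.20.2"
route_gsycmi="-net 172.22.80.0/22 172.22.20.2"
"""
JERSEY_RC = """
defaultrouter="172.22.40.2"
# static_routes="jsygsy jsyiom jsycmi"
# route_jsygsy="-net 172.22.20.0/22 172.22.40.2"
"""


def parse_rc_routes(text):
    """Return [(network, gateway), ...]; lines starting with '#' never match."""
    vals = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)="([^"]*)"', line)
        if m:
            vals[m.group(1)] = m.group(2)
    routes = []
    if "defaultrouter" in vals:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), vals["defaultrouter"]))
    # Only route_* names listed in static_routes are honoured, as rc.d does.
    for name in vals.get("static_routes", "").split():
        parts = vals["route_" + name].split()
        if len(parts) != 3 or parts[0] != "-net":
            raise ValueError("unsupported route syntax: " + vals["route_" + name])
        routes.append((ipaddress.ip_network(parts[1], strict=False), parts[2]))
    return routes


def next_hop(routes, dst, local_net):
    """Most specific matching route wins; the host's own subnet is delivered directly."""
    addr = ipaddress.ip_address(dst)
    if addr in ipaddress.ip_network(local_net):
        return "direct"
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


if __name__ == "__main__":
    g = parse_rc_routes(GUERNSEY_RC)
    for dst in ("172.22.41.7", "172.22.81.9", "8.8.8.8", "172.22.21.5"):
        print("Guernsey host ->", dst, "via", next_hop(g, dst, "172.22.20.0/22"))
```

Running it shows the Guernsey host sending Jersey and Cayman traffic to 172.22.20.2 and internet traffic to 172.22.20.1, while a Jersey host (whose static routes are commented out) sends everything non-local to 172.22.40.2.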

see also: OpenVPN
