This information HAS errors and is made available WITHOUT ANY WARRANTY OF ANY KIND and without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. It is not permissible to be read by anyone who has ever met a lawyer or attorney. Use is confined to Engineers with more than 370 course hours of engineering.
If you see an error contact:
+1(785) 841 3089
inform@xtronics.com
This was accomplished on Debian 5.0.2 running the default kernel 2.6.26 using a single physical NIC card connected to the gateway using an ethernet cable.
I have not tested these instructions on any other variant of Linux or kernel, so I do not know what the results would be. I can state that these instructions do work for the above setup, however.
Perform all steps in this document as root user (or using sudo)
Step 1. Make a device node for tun
mercury:~# mknod /dev/tun c 10 220
Note: on a stock Debian kernel the TUN/TAP character device is /dev/net/tun (major 10, minor 200) and udev creates it automatically once the module is loaded. The node above is the one this procedure was tested with; if vethd later complains that it cannot open its tun device, check which path your vethd build opens and compare it against /dev/net/tun.
Step 2. Load required kernel module
mercury:~# modprobe tun
Test whether the module loaded successfully:
mercury:~# lsmod | grep tun
tun                     8356  19
If it did not, the module is missing from your kernel. The stock Debian kernel ships it; for a custom kernel, enable "Universal TUN/TAP device driver support" (CONFIG_TUN) as a module and rebuild.
Step 3. Identify a single NIC card that will be used as your physical NIC card
This is the only NIC card that needs to be plugged into the gateway.
The easiest way to identify it is to use ifconfig and see which ethernet device currently carries the internet connection.
mercury:~# ifconfig
eth2      Link encap:Ethernet  HWaddr 00:40:05:0c:53:2e
          inet addr:XX.XX.XXX.XXX  Bcast:XX.XX.XXX.XXX  Mask:255.255.255.128
          inet6 addr: XXXXXXXXXXXXXX Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:672795 errors:0 dropped:0 overruns:0 frame:0
          TX packets:650968 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:43883797 (41.8 MiB)  TX bytes:43102269 (41.1 MiB)
          Interrupt:3 Base address:0xd400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3279 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3279 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:338942 (330.9 KiB)  TX bytes:338942 (330.9 KiB)
In this case, I want to use eth2. If more than one ethernet device is connected, just choose one. I recommend disconnecting the cables from all other ethernet cards except the chosen card to avoid conflicts.
If you do not see a device here (other than lo), run ifconfig -a, which also lists interfaces that are present but have no address configured; failing that, you can find one by trial and error in Step 4.
Step 4. Edit /etc/network/interfaces with your favorite editor
Empty the entire contents of this file and replace it with the following:
auto lo
iface lo inet loopback

auto eth2
allow-hotplug eth2
iface eth2 inet static
    address XX.XX.XXX.XXX
    gateway XX.XX.XXX.XXX
    netmask XXX.XXX.XXX.XXX
    broadcast XXX.XXX.XXX.XXX
Of course, you need to replace eth2 with the name of the interface you chose in Step 3. If you did not choose one, disconnect the cables from all ethernet cards except one and start with eth1. Repeat this step until you can reach google.com.
Replace address with the IP address you want to assign to this NIC. This is a public IP, not a private one.
Replace gateway with the gateway's public IP address (not its private one), the address you assigned when you set up the IP addresses on the gateway.
Replace netmask with the netmask that matches the size of your block: 255.255.255.248 for a block of 8 addresses (a /29), 255.255.255.128 for a block of 128 (a /25). For other block sizes, the netmask has a one bit for every network bit and a zero bit for every host bit.
Replace broadcast with the broadcast address of your block. This is the highest address in the block, i.e. your IP with every host bit (every bit that is zero in the netmask) set to one. It is "the first three numbers of your IP followed by 255" only for a full /24 (netmask 255.255.255.0). For smaller blocks it is not: with netmask 255.255.255.128, 99.65.240.130 has broadcast 99.65.240.255 but 99.65.240.10 has broadcast 99.65.240.127, and with netmask 255.255.255.248, 99.65.240.66 has broadcast 99.65.240.71. A wrong broadcast address does not stop unicast traffic, but get it right anyway; the ISP's allocation letter normally states it.
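The following script is an added example, not part of the original page, that does the netmask and broadcast arithmetic above so you do not have to "look online for other blocks". It takes an address and a dotted-quad netmask (or a prefix length) and prints the network and broadcast addresses for the interfaces stanza; the addresses used in the comments are illustrative values, not real allocations.

```shell
#!/bin/sh
# ipcalc-lite: compute network/broadcast for an /etc/network/interfaces stanza.
# Added example; plain POSIX sh, no external tools beyond echo/tr.

# ip_to_int ADDR: dotted quad -> integer
ip_to_int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N: integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_of_prefix N: prefix length (1..32) -> dotted-quad netmask, e.g. 29 -> 255.255.255.248
mask_of_prefix() {
    int_to_ip $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# network_of ADDR NETMASK: host bits all cleared (lowest address of the block)
network_of() {
    ip=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
    int_to_ip $(( ip & mask ))
}

# broadcast_of ADDR NETMASK: host bits all set (highest address of the block);
# this is what belongs on the "broadcast" line of the stanza.
broadcast_of() {
    ip=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
    int_to_ip $(( ip | (~mask & 0xffffffff) ))
}

# block_size NETMASK: number of addresses in the block (hosts = block_size - 2)
block_size() {
    mask=$(ip_to_int "$1")
    echo $(( (~mask & 0xffffffff) + 1 ))
}

# Usage: sh ipcalc-lite.sh ADDR NETMASK   e.g. sh ipcalc-lite.sh 99.65.240.66 255.255.255.248
if [ "$#" -eq 2 ]; then
    echo "network   $(network_of "$1" "$2")"
    echo "broadcast $(broadcast_of "$1" "$2")"
    echo "addresses $(block_size "$2")"
fi
```

Feed it the address and netmask you intend to put in the stanza and copy the broadcast line it prints; for the example interface in Step 3 (netmask 255.255.255.128) the result depends on which half of the /24 your address falls in.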
Save the file and exit back to the command prompt.
Restart networking
mercury:~# /etc/init.d/networking restart
Run ifconfig and you should get output like that in Step 3: just one ethernet device and the loopback device.
Attempt to ping google.com.
mercury:~# ping google.com
If it works, you can move on.
If it does not, edit the file again with the next interface name (eth2, eth3, eth4, ...) and restart networking. Once you can ping google.com, you are ready to move on.
Step 5. Preparing to make virtual ethernet devices
Download and extract vethd from: http://www.geocities.com/nestorjpg/veth/
(GeoCities was shut down in 2009, so this link may no longer resolve; look for a mirror of the same vethd source.)
Change into the newly extracted directory and type 'make' to compile.
Once compiled do:
cp vethd /bin/vethd && chmod 700 /bin/vethd
Download easymac from http://www.easyvmx.com/software/easymac.sh
Copy the script to /bin/easymac and chmod 700 it (drop the .sh extension when copying).
Create a new file called /bin/genmacaddr containing the following lines:
#!/bin/sh
/bin/easymac -r | awk '{print $5}'
chmod 700 /bin/genmacaddr
Typing genmacaddr should now display a randomly generated MAC address. Every veth device needs its own MAC, and it must not collide with any other MAC on the LAN segment, so keep a list of the ones you hand out.
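As an added example (not code from the original page, and not easymac's output), here is a self-contained replacement for genmacaddr that needs nothing beyond /dev/urandom and od, plus a check you can run on any MAC before putting it in the if-up.d script. Unlike the VMware-style addresses easymac produces (00:0c:29:...), it sets the locally-administered bit of the first octet, which is the range reserved for MACs assigned by an administrator rather than burned in by a vendor, so a generated address cannot collide with a real NIC's factory MAC. The function names are this example's own.

```shell
#!/bin/sh
# genmac: print a random unicast, locally-administered MAC (aa:bb:cc:dd:ee:ff).
# Added example; the first octet has bit 0 (multicast) cleared and bit 1
# (locally administered) set, so it is always of the form x2, x6, xa or xe.
genmac() {
    # six random bytes as lowercase two-digit hex words
    set -- $(od -An -N6 -tx1 /dev/urandom)
    first=$(( (0x$1 & 0xfc) | 0x02 ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# mac_ok MAC: exit 0 if MAC is well-formed lowercase hex, unicast and
# locally administered; exit 1 otherwise. Use it on any address you plan
# to hand to vethd -m, whether generated here or by another tool.
mac_ok() {
    case "$1" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    first=${1%%:*}
    # low two bits of the first octet must be binary 10: unicast + locally administered
    [ $(( 0x$first & 0x03 )) -eq 2 ]
}

# Usage: sh genmac.sh            -> prints one MAC
#        sh genmac.sh check MAC  -> exit status tells whether MAC is acceptable
case "$1" in
    check) mac_ok "$2" ;;
    "")    genmac ;;
esac
```

Run it once per veth device and record the result next to the device name; the check rejects vendor-assigned (factory) addresses such as 00:0c:29:59:57:72 and multicast addresses such as 01:00:5e:00:00:01, both of which you should not be assigning by hand.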
You are now officially setup to create additional network connections so let's get started.
Step 6. Create new if-up.d script
For this step we add our virtual ethernet devices to a script that is run every time an interface is brought up. The reason is that once the physical interface goes down, all virtual ethernet devices built on it are destroyed.
To get around this, the script checks whether the interface that was just brought up is the physical one. If it is, it creates the virtual devices again.
So create a new file called /etc/network/if-up.d/veth
Inside this file add the following lines (the first line matters: run-parts executes these scripts directly, so the file needs a #!/bin/sh line to be runnable; and the redirection is written as >/dev/null 2>&1 rather than &>/dev/null because the latter is a bash-only form that a plain /bin/sh reads as two separate background jobs):
#!/bin/sh
if [ "$IFACE" = eth2 ]; then
    /bin/vethd -v veth1 -e eth2 -m 00:ff:29:b2:04:fd
    /bin/vethd -v veth2 -e eth2 -m 00:0c:29:59:57:72
    /usr/sbin/arping -q -i eth2 XX.XX.XX.XX >/dev/null 2>&1 &
fi
if [ "$IFACE" = veth1 ]; then
    /usr/sbin/arping -q -i veth1 XX.XX.XX.XX >/dev/null 2>&1 &
fi
if [ "$IFACE" = veth2 ]; then
    /usr/sbin/arping -q -i veth2 XX.XX.XX.XX >/dev/null 2>&1 &
fi
Replace 'eth2' with the name of your physical device, both in the test at the top and on each vethd line. Add one /bin/vethd line for each IP you want to add. Give each one a unique MAC address (use genmacaddr from the previous step) and keep the same naming scheme: veth1, veth2, veth3, and so on; there is no veth0. Replace 'eth2' in the arping line with your physical device name, and adjust the path to arping if the shell cannot find it (command -v arping shows where it is installed). Change XX.XX.XX.XX to your gateway's public IP.
Add a new 'if' block for each veth device you set up above, again with XX.XX.XX.XX replaced by your gateway's public IP.
Save and exit this file.
chmod 755 /etc/network/if-up.d/veth
This script runs after every interface is brought up. When the physical device comes up, it creates the veth devices again with the same parameters each time, then starts arping the gateway's public IP in the background.
When each veth device comes up, it starts arping from that device as well, also in the background.
Step 7. Modify /etc/network/interfaces
Open /etc/network/interfaces in your favorite editor.
At the END of the file, add the block below for each veth device you created in Step 6:
auto veth1
allow-hotplug veth1
iface veth1 inet static
    address XX.XX.XX.XX
    gateway XX.XX.XX.XX
    netmask XX.XX.XX.XX
    broadcast XX.XX.XX.XX
The gateway, netmask and broadcast are the same for every block and match those of the physical device; only the address and the veth device name change. Note that ifupdown tries to add a default route for every stanza that carries a gateway line, and the kernel refuses a second default route ("SIOCADDRT: File exists"). The default route installed with the physical device is the one that gets used, so the gateway line may be omitted from the veth stanzas if you want to avoid that message.
Save the file and exit.
Step 8. Shutting down
Don't forget that we have arping running in the background. We want those arping processes to stop once networking is shut down. Note that the script below kills every arping process on the machine whenever any interface goes down, which is what we want here since the veth devices disappear with the physical one.
Create a new script /etc/network/if-post-down.d/veth
Add the following contents (the original one-liner was missing the ';' before 'do' and would not parse):
#!/bin/sh
for i in $(pgrep arping); do kill $i; done
Save and exit.
chmod 755 /etc/network/if-post-down.d/veth
Step 9. Checking for arping
arping is not installed on Debian by default. Run apt-get install arping to make sure the package is present; the if-up.d script depends on it. Note that Debian's 'arping' package is Thomas Habets' arping, whose interface option is -i as used above; the iputils-arping package provides a different program that uses -I instead, so do not mix the two.
Step 10. Restart networking
Restart networking with /etc/init.d/networking restart
Some errors may appear but are normal, the usual one being the kernel refusing to add a second default route because every stanza carries a gateway line. It is also common for this process to take a few minutes on slower machines. Please be patient.
Once this process is completed, type ifconfig.
You should see your physical device, local loopback, and each veth device you setup with their public IPs listed.
Test each of them:
mercury:~# ping -I eth2 google.com
mercury:~# ping -I veth1 google.com
mercury:~# ping -I veth2 google.com
The first line of the output reads "PING google.com (...) from XX.XX.XX.XX eth2 : 56(84) bytes of data."; check that XX.XX.XX.XX is the expected IP for that interface, and that replies are coming back from google.com.
Congratulations, you now have outgoing connections.
Step 11. Test incoming connections
There are two ways to perform this test properly. The test will NOT produce accurate results if run from within the network; you MUST use a computer that is not connected to the gateway in any way, or go through a proxy.
Method 1. Proxy
Visit http://www.pagewash.com and type in each of your IPs (uncheck all 4 boxes), one at a time. You should see a web page come up. If you do, that IP accepts incoming connections (assuming you have no iptables rules blocking them). You will, of course, need a web server to test against. If you do not plan on running one, apt-get install lighttpd for the duration of the test and remove it afterwards so you are not left with an unintended listener on a public address.
Method 2. External network
Visit another computer in a different physical location (not connected to your gateway in any way) and try to SSH into your server. If it works, that IP works.
Regardless of your chosen method, test each IP. They should all work.
Conclusion / Summary
vethd plus the tun module allows the creation of virtual ethernet devices with unique MAC addresses that are bridged to a physical device. To the outside world, these virtual devices look like separate physical NICs.
Using vethd + tun on its own gives you static IPs for outgoing connections but not incoming ones: the gateway does not reliably learn which MAC address answers for each extra IP.
The way to get incoming connections working is to arping the gateway from each interface. The ARP requests make the gateway record the interface's MAC for that IP. The entry expires, however, so we keep arping (one request per second, the arping default) for as long as the connection is up.
This uses a small amount of LAN bandwidth and should not noticeably affect external connections. One caveat: on a managed switch, port security that limits the number of MACs per port, or dynamic ARP inspection, can block or shut down a port that suddenly shows several MAC addresses and a constant stream of ARP requests, so check the gateway side before relying on this setup.
By creating two custom scripts and modifying the interfaces file we have automated the setup.
To add a new interface, you just have to edit /etc/network/if-up.d/veth and /etc/network/interfaces then restart networking.