The Open Source
Nicholas Petreley

Replacing a Linux gateway with a cheap appliance

I DEMONSTRATED LAST week that I'm almost as ignorant about networking as my network cards. In case you missed that column, I'll summarize. Thanks to at least one broken 3Com 3C905B card and what I suspect are some broken Linux Intel Ethernet Pro/100 network card drivers, most of my network cards auto-negotiate their connections to be full-duplex on my Ethernet hubs. That wouldn't be so bad if it weren't for the fact that all my hubs are half-duplex.

What I didn't realize at the time is that the reason my hubs are half-duplex is because all Ethernet hubs are half-duplex. Only Ethernet switches are full-duplex. This seems embarrassingly obvious now, but the flub cost me the propeller on my beanie.

It was a lesson worth learning, because the first thing I did this week was purchase a couple of Ethernet switches. I put a $50 Hawking PN205ES auto-sensing 100/10BaseT switch between my two servers and my DSL router. The Cayman 3220 DSL router that came with my Pacific Bell ADSL service has a built-in 10BaseT hub, which is fast enough when the servers communicate with the Internet. My ADSL (Asymmetrical DSL) connection is only 1.5 Mbps downlink and 384kbps uplink.

I also added a $179 SOHOware NBG800 Cable/DSL Router to the system to provide all my workstations with shielded access to the Internet. You might be wondering why I'd add a router to a network that already has one. This takes a bit of explaining.

The Cayman 3220H router is a 4-port 10BaseT hub with a built-in DSL modem and routing services. You can set up the Cayman router to provide NAT (Network Address Translation) to your home network, which is normally what I would use. NAT turns the router into a pseudo-firewall, because it lets your workstations on the inside get out to the Internet, but it doesn't allow anyone on the Internet to get to your workstations. On the inside, your workstations use a set of special reserved IP addresses that the Internet never sees. The Internet only sees the single IP address of your NAT gateway, regardless of the number of workstations you have attached to that gateway.

But I can't use the NAT features of the Cayman router because I need to use it to bridge the Internet to the static IP addresses for my name servers, Web servers, e-mail servers, and the like. The Cayman can't do both NAT and the kind of bridging I need at the same time. (Strictly speaking, the Cayman can provide both services by using something called "pinholes" if your requirements are light, but pinholes aren't sufficient for my needs.) In retrospect, I would have been better off getting a plain DSL modem and adding a router that did everything I need. But right now I'm building on what I have.
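The two paragraphs above describe NAT as a pseudo-firewall (inside hosts on reserved addresses reach the Internet, unsolicited inbound traffic gets nowhere) and mention "pinholes" as the exception that lets one inside service be reached. The following is an added illustration, not code from the column or from any Cayman, SOHOware or Linksys product: a small Python model of a NAT gateway that keeps a connection table for outbound flows, translates only replies that match an existing entry, and treats a pinhole as a static inbound mapping. The public and remote addresses (203.0.113.x, 198.51.100.x) are constructed from the documentation ranges, and port numbering from 40000 is an arbitrary choice.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: the "special reserved IP addresses" the Internet never sees.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Toy NAT gateway (hypothetical, for illustration only).

    pinholes maps (proto, public_port) -> (inside_ip, inside_port) and stands
    in for the static forwardings the column calls "pinholes".
    """

    def __init__(self, public_ip: str, pinholes=None, first_port: int = 40000):
        self.public_ip = public_ip
        self.pinholes = dict(pinholes or {})
        # Outbound flow -> public port chosen for it.
        self.outbound_map = {}
        # (proto, public_port, remote_ip, remote_port) -> (inside_ip, inside_port).
        # Keying on the remote endpoint too means only the host we talked to
        # can send a reply through this entry.
        self.inbound_map = {}
        self.next_port = first_port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside -> Internet packet so it carries the public IP."""
        if not is_private(pkt.src):
            raise ValueError(f"{pkt.src} is not an inside (RFC 1918) address")
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        public_port = self.outbound_map.get(key)
        if public_port is None:
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[(pkt.proto, public_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, public_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Translate an Internet -> gateway packet, or return None to drop it.

        Only replies to flows we opened, or traffic to a pinhole, get through;
        everything else is silently discarded, which is the 'pseudo-firewall'.
        """
        if pkt.dst != self.public_ip:
            return None
        target = self.inbound_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if target is None:
            target = self.pinholes.get((pkt.proto, pkt.dport))
        if target is None:
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, target[0], target[1])


def run_demo() -> dict:
    """Exercise the gateway on constructed traffic and return what happened."""
    gw = NatGateway("203.0.113.5", pinholes={("tcp", 80): ("192.168.1.10", 80)})
    out = gw.outbound(Packet("tcp", "192.168.1.20", 51000, "198.51.100.7", 80))
    reply = gw.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.5", out.sport))
    unsolicited = gw.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", 22))
    pinhole = gw.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", 80))
    return {"out": out, "reply": reply, "unsolicited": unsolicited, "pinhole": pinhole}


if __name__ == "__main__":
    for name, pkt in run_demo().items():
        print(f"{name:12s} -> {'dropped' if pkt is None else pkt}")
```

The point the model makes concrete is in `inbound`: a packet that does not match a flow the inside opened, and does not hit a pinhole, has no inside destination at all, so the gateway can only drop it. A pinhole reopens exactly one port to everyone on the Internet, which is why the column treats it as suitable for light requirements but not for a full set of public servers.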

Because I can't use the Cayman for NAT, I've been using one of my Linux servers to provide NAT services to my workstations along with Web, file, print, and other services. I'm planning to replace that server with a better machine. I was thinking of using the old machine as a simple router to provide NAT access. One of Linux's big strengths has always been its ability to turn cheap hardware into a firewall or gateway. But now it seems like a waste of time, resources, and electric power considering how cheap off-the-shelf NAT routers are these days. For example, the Linksys BEFSR41 cable/DSL router provides NAT and has a four-port auto-sensing 100/10BaseT switch for only $149. I bought the slightly more expensive SOHOware NBG800 because it has everything the Linksys model has, but adds some firewall features beyond simple NAT.

The actual configuration I have is a bit more complex than necessary because I'm taking advantage of my existing cable modem until I decide to cancel that service. But the concept is simple. The four-port Ethernet switch side of my SOHOware router hooks up to my workstations and also to a server that runs the Squid proxy and Web cache. The other side of the router connects to the cable modem right now, but it could just as easily connect to the Cayman router to reach the Internet.

In my final configuration, my workstations are configured to go through the Squid proxy on my server for Web access, because I use the SquidGuard redirector to filter out porn. Everything else, including my son's beloved Everquest, Tribes2, and other network games, goes straight through the SOHOware router to the cable modem. This takes a load off the Linux server during heavy game sessions and, best of all, now the boxes behind the Cayman router talk to each other at 100BaseT full-duplex through Ethernet switches. The only tricky part of this conversion was that I had to undo the changes to my Linux servers that forced the network cards into 100BaseT half-duplex mode. On that, I have a word of advice. If you do the same, don't force these cards to run full-duplex. Let them auto-negotiate their connections. In this case, they will almost always negotiate the connection correctly (unlike how they behaved using the Ethernet hubs).

I noticed these cards perform better when they are allowed to auto-negotiate a full-duplex connection. I'm not sure why that should make a difference, because they should end up in the same state whether they auto-negotiate or are forced into 100BaseT full-duplex.

But in practice, there is definitely a difference. Some of the cards were getting frame errors when they were forced into full-duplex mode. But they did not get these frame errors when they were allowed to negotiate the full-duplex mode.
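The advice in the last few paragraphs (let the cards auto-negotiate, and watch for frame errors as the sign that a forced setting went wrong) turns into a routine check on a Linux box. The script below is an added example, not from the column: it parses the `Speed`/`Duplex`/`Auto-negotiation` lines that `ethtool <iface>` prints and the per-interface counters in `/proc/net/dev`, then flags a forced link, receive frame errors, and collisions on a link that claims to be full-duplex. The two `ethtool` outputs and the `/proc/net/dev` snapshot are constructed samples in the real formats, not captures from the author's machines; on a live host you would feed the script the actual command output and file contents.

```python
import re

# Constructed `ethtool eth0` output for a card forced to 100BaseT full-duplex.
ETHTOOL_FORCED = """Settings for eth0:
\tSupported ports: [ TP MII ]
\tSpeed: 100Mb/s
\tDuplex: Full
\tAuto-negotiation: off
\tLink detected: yes
"""

# Constructed `ethtool eth1` output for a card left to auto-negotiate.
ETHTOOL_AUTONEG = """Settings for eth1:
\tSpeed: 100Mb/s
\tDuplex: Full
\tAuto-negotiation: on
\tLink detected: yes
"""

# Constructed /proc/net/dev snapshot in the kernel's column layout:
# eth0 shows receive errors, eth1 is clean.
PROC_NET_DEV = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 9876543   65432   17    0    0    17          0         0  1234567   23456    0    0    0    0       0          0
  eth1: 5555555   44444    0    0    0     0          0         0  6666666   33333    0    0    0    0       0          0
"""

RX_FIELDS = ["bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast"]
TX_FIELDS = ["bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed"]


def parse_ethtool(text: str) -> dict:
    """Turn 'Key: value' lines of ethtool output into a lower-cased dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z\- ]+):\s*(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(2).strip()
    return settings


def parse_proc_net_dev(text: str) -> dict:
    """Return {iface: {'rx': {...}, 'tx': {...}}} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines():
        if ":" not in line or "|" in line:   # skip the two header lines
            continue
        name, rest = line.split(":", 1)
        nums = [int(x) for x in rest.split()]
        if len(nums) != 16:
            continue
        counters[name.strip()] = {"rx": dict(zip(RX_FIELDS, nums[:8])),
                                  "tx": dict(zip(TX_FIELDS, nums[8:]))}
    return counters


def assess_link(settings: dict, counters: dict) -> list:
    """Findings for one interface; an empty list means nothing to worry about."""
    findings = []
    if settings.get("auto-negotiation", "").lower() == "off":
        findings.append("speed/duplex are forced; let the card auto-negotiate instead")
    rx, tx = counters["rx"], counters["tx"]
    if rx["errs"] or rx["frame"]:
        findings.append(f"receive errors present (errs={rx['errs']}, frame={rx['frame']}); "
                        "suspect a duplex mismatch with the hub or switch")
    if settings.get("duplex", "").lower() == "full" and tx["colls"]:
        findings.append(f"{tx['colls']} collisions on a link reported as full-duplex; "
                        "the far end is probably running half-duplex")
    return findings


def check_all(ethtool_outputs: dict, proc_net_dev: str) -> dict:
    """ethtool_outputs maps iface -> `ethtool iface` text. Returns iface -> findings."""
    counters = parse_proc_net_dev(proc_net_dev)
    return {iface: assess_link(parse_ethtool(txt), counters[iface])
            for iface, txt in ethtool_outputs.items()}


if __name__ == "__main__":
    report = check_all({"eth0": ETHTOOL_FORCED, "eth1": ETHTOOL_AUTONEG}, PROC_NET_DEV)
    for iface, findings in report.items():
        print(iface, "OK" if not findings else "; ".join(findings))
```

The counters are cumulative since boot, so a single snapshot only tells you errors have happened at some point; take two readings a few minutes apart during a busy transfer and compare them if you want to know whether the problem is current.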

Anyway, I must point out that Linux can still do more sophisticated firewalling than any of the appliances such as the SOHOware and Linksys boxes. I still use the firewall capabilities of Linux for the servers that are connected directly to the Internet. But for many situations these simple units make Linux, BSD, or even Windows firewalling gateways obsolete. And who knows, perhaps one or more of these cheap devices is running embedded Linux anyway.




Nicholas Petreley is the founding editor of VarLinux.org ( www.varlinux.org ) and works with nonprofit Linux projects. Reach him at nicholas@petreley.com.




Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy
