[nos-bbs] tun0 and more Linux routing commands
Bill V WA7NWP
wa7nwp at gmail.com
Wed Feb 16 14:18:30 EST 2011
One of the first configuration lines in every autoexec.nos I've worked
on has an 'ipaddress' entry. Every one of these has been set to either
a 44 net address or a local LAN (usually 192.168) address.
Then when the ports are set up, each gets assigned an appropriate 44
or 192.168 address. Sometimes the same as the overall system address
and sometimes different.
So, why don't we use the 127.0.0.1 local host address for the base
address of the JNOS system as is the case on Nix and other systems?
Or are other folks doing this and I just missed it?
Second, in response to the notes on putting JNOS directly on the INET
- this is scary but since I now have the ability to do it - I'm
looking forward to trying it at least for a while just to see how it
works. Eventually I can see it going back behind a decent Linux
firewall. The same even applies to a 44 net address - which I
believe are far from 'safe' these days.
Bill - WA7NWP
On Tue, Feb 15, 2011 at 8:53 AM, Jay Nugent <jjn at nuge.com> wrote:
> Greetings,
Great explanation Jay. thanks! It's interesting that the
pointopoint operation with tun0 automatically sets up ARP to handle
the remote requests.
>> > Can anyone educate me on why I see so many people putting this arp
>> > thing in? Is there some functionality that I am missing out of this?
>
> When a link (TUN) between two points is defined, it can be done in two
> ways. First, as two IP addresses including a 'net' address and a
> 'broadcast' address. This eats up 4 IP addresses and is *totally*
> unnecessary. *WHY* on a link with only TWO ends would there ever be the
> need to ARP to determine the MAC address of the far end? Insane...
>
> The second (and better) method is to define the TUN link as
> "point-to-point". With this method the two ends KNOW about each other and
> NO need to ARP the far end's MAC address before passing layer-2 packets
> over it. And, this only uses up two IP addresses. I might add that there
> is NO reason these end-point addresses even be within the same subnet.
> They can, and in large scale networking often are, on completely different
> subnets.
>
>
> Suggestion:
> - Assign the Linux box an IP on your LAN (192.168.1.88)
> - Assign the Linux end of the TUN interface another IP on your LAN
> (192.168.1.44)
>
> On your gateway router to the Internet:
> - Port forward SSH to the Linux address (192.168.1.88)
> In this way you can remotely log onto your Linux machine to
> read mail, perform maintenance, play around.
>
> - Assign the JNOS address (192.168.1.44) as the "DMZ Host".
> This lets everything *other* than SSH (which has been port
> forwarded elsewhere) to be automatically directed to the JNOS
> application (and into its own TCP/IP stack). In this way ALL
> protocols including "IPIP Encapsulation (Protocol-4)" go
> directly to JNOS.
> You can now Telnet and FTP and Finger the JNOS application from
> anywhere on the Internet :)
> (WARNING! Block inbound SMTP(25) with the "tcp access" tools or
> you *will* be flooded with spam!)