For someone wanting to put together their own internal network, complete with a separate router providing DNS and DHCP services, there are quite a number of ways to go about it. Originally I had been using Windows 2000 for the job since such services were readily available in the same package that let me set up a domain controller, but it hasn't exactly been something I could count on. I've since brought down those services on the domain controller, and now I use dnsmasq and iptables on a Debian virtual machine for the job.
It's actually really easy to set up such services in Linux, better than doing it the Windows way. Assuming you haven't set something wrong, you'll be up and running in a matter of minutes.
To get started, you will need:
First, get Debian installed. When prompted for a hostname and domain, specify them upfront, though you can always change them later. Since this assumes an internal network, you can make up whatever domain name you want (for instance hornet.storm, with "hornet" being the hostname and "storm" being the domain name), no registration necessary. Do not use a domain ending in .local: that suffix is reserved for multicast DNS, which Mac OS X (Bonjour) and Linux (Avahi) resolve among themselves without asking your server, so Windows and Mac machines end up disagreeing about what a .local name refers to.
Don't install a desktop environment; you don't need it here. You may wish to mark the SSH server for installation if you want the convenience of being able to use another terminal to manage your server from another location. Once the installation is complete, log in as root and run the following commands:
# apt-get update
# apt-get -y upgrade
# apt-get -y install sudo dnsmasq iptables-persistent
On the third line, you may also wish to include vim or your preferred text editor, and tftpd-hpa if you want to get TFTP running as well (useful for PXE boots). The sudo package is for letting regular users run commands as root whenever needed if they are given permission to do so, which can be safer than simply logging in as root to do everything. If you created a normal user account, you can grant it sudo privileges by typing:
# usermod -a -G sudo [your_username]
With all of that out of the way, let's get the server configured.
Configure Interfaces and Hosts
On a fresh installation, it's very likely that your interfaces will be configured to use DHCP to get IP addresses. Since this is going to be a DNS/DHCP server and router, this is definitely not something we want. Edit /etc/network/interfaces so the two network adapters use static IP addresses. It should look a little something like this:
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# Goes outward to your main router
# (I'm using a VM with a NAT interface,
# so I just use the IP addresses for that)
allow-hotplug enp1s0
iface enp1s0 inet static
    address 192.168.122.3
    netmask 255.255.255.0
    gateway 192.168.122.1

# Your devices in the VLAN connect to this
allow-hotplug enp7s0
iface enp7s0 inet static
    address 192.168.10.2
    netmask 255.255.255.0
    broadcast 192.168.10.255
    network 192.168.10.0
Both adapters are given static IPs. One goes outward to the internet, hence the gateway option is assigned to it; the other has no gateway set, because it will be the gateway for every client on the VLAN. Be mindful of which adapter is connected where in your network. If you don't know the adapter names used in your installation, run the ip link or ip addr command. For both interfaces, make sure the netmask is set correctly: the 192.168.x.0 networks used here are /24 subnets, so the netmask is 255.255.255.0, but a subnet of a different size needs the matching mask (note also that the network line must name the subnet the address sits in, 192.168.10.0 for 192.168.10.2).
In my case, enp1s0 connects to the internet and provides internet access to the other clients in the VLAN, whereas enp7s0 is the interface which other VLAN clients will go through. The settings you'll need to enter are bound to vary depending on your own network configuration, so make sure you go over the lines and change them as needed.
/etc/hosts also needs to be edited now. dnsmasq will use this file as a list of permanent DNS records to use for the network. Only static IP addresses should be listed here, such as those of important servers.
127.0.0.1 localhost

# The DNS/DHCP server we're creating
192.168.10.2 hornet.storm hornet

# My domain controller (put other
# static IPs you have below)
192.168.10.3 baleen.storm baleen
Add new lines to the file in the format as shown, keeping note of the domain name you're using. You could also add IPv6 addresses, but given most old systems can't utilize IPv6 (and that IPv4 provides more than enough addresses for an internal network), there's not much of a point in doing so for a case like this.
Now that we've got those files taken care of, it's time to set up dnsmasq. To do this, we only need to edit one file: /etc/dnsmasq.conf. If the file already exists, rename it to dnsmasq.conf.old. The sample file provides a good reference with plenty of comments if you need to consult it later.
# DNS
bogus-priv
strict-order
expand-hosts
domain=storm
local=/storm/
# I prefer to put my router's internal IP here,
# but have listed Quad9 here for those who
# want that instead.
server=9.9.9.9
server=149.112.112.112

# DHCP
interface=enp7s0
dhcp-authoritative
dhcp-range=192.168.10.10,192.168.10.99,24h
dhcp-option=option:router,192.168.10.2
dhcp-option=option:dns-server,192.168.10.2
dhcp-option=option:netmask,255.255.255.0

# TFTP (only needed if running a TFTP server somewhere)
dhcp-option=option:tftp-server,192.168.10.2
dhcp-option=option:bootfile-name,"pxelinux.0"
Small, isn't it? Let's break down the more important lines:
bogus-priv and strict-order
Reverse lookups for private (RFC 1918) addresses that are not in /etc/hosts or the lease file get a "no such domain" answer instead of being forwarded to the upstream resolver, so your internal addressing does not leak out. strict-order queries the upstream servers in the order they are listed rather than whichever one answered fastest last time.
expand-hosts, domain and local
domain=storm is the domain handed to DHCP clients and appended to the hostnames they register; expand-hosts appends it to the bare names in /etc/hosts as well, so both hornet and hornet.storm resolve. local=/storm/ declares the domain local: anything under storm is answered from /etc/hosts and the leases only and is never forwarded upstream.
server
The upstream resolvers for everything else. dnsmasq also uses whatever /etc/resolv.conf lists; add no-resolv if only the servers named here should be used.
interface and dhcp-authoritative
interface=enp7s0 makes dnsmasq answer DNS and hand out leases only on the VLAN side (loopback is added automatically), so nothing is offered on the interface facing your main router. dhcp-authoritative tells it that it is the only DHCP server on this segment, so it answers requests from clients whose leases it does not know about instead of ignoring them.
dhcp-range and dhcp-option
Clients are leased addresses from 192.168.10.10 to 192.168.10.99 for 24 hours; keep the static addresses listed in /etc/hosts outside that pool. The router, dns-server and netmask options hand clients this machine as default gateway and resolver. dnsmasq would derive the same values from the interface on its own, but stating them makes the intent explicit.
DHCP Options for TFTP
These should only be specified if you are running a TFTP server on your network. The TFTP server does not have to reside on the same server as the DHCP server.
Once your configuration file is written down, save it and restart the dnsmasq service with either of the following commands:
# systemctl restart dnsmasq
# service dnsmasq restart
Try connecting some clients to it now. If you can ping them by hostname from some other machine on the isolated network, your DNS/DHCP server is working!
Setting Up Routing
If you want to set up your machine as a router to provide internet access to clients in your isolated network, it's really easy to do with two network interfaces installed. The iptables-persistent package will help us set this machine up as a router with only a few lines in a file. Create or edit the /etc/iptables/rules.v4 file with these lines in place:
*nat
-A POSTROUTING -o enp1s0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp1s0 -j DROP
COMMIT
Replace enp1s0 with the interface that connects outward to the internet. The MASQUERADE rule in the nat table is what gives the clients internet access: their packets leave enp1s0 rewritten to carry the server's own address as source. The filter table is the firewall: it accepts traffic on the loopback interface and replies to connections the server itself started, and drops everything else that arrives on the outward interface, so nothing on your main router's side can reach services on this box. Be aware of two things it does not do. The FORWARD chain is left at the kernel default of ACCEPT, so any traffic that can be routed through this machine is passed between the two interfaces, and the nat rule masquerades every source, not only the VLAN. Assuming you will be accessing all of your machines from within your household, this is all you should need; if you want tighter control, a DROP policy on FORWARD with explicit rules for VLAN-to-internet traffic and its replies is the next step. You don't have to understand it thoroughly, this is just a bare minimum configuration.
After saving this file, load the new rules (iptables-persistent will reload them from this file on every boot):
# iptables-restore < /etc/iptables/rules.v4
The MASQUERADE rule only does something if the kernel is allowed to forward packets between the two interfaces, and Debian ships with forwarding switched off. Turn it on with sysctl -w net.ipv4.ip_forward=1, and uncomment the net.ipv4.ip_forward=1 line in /etc/sysctl.conf so the setting survives a reboot.
Job done. You should probably reboot the server for good measure; it also confirms that the rules and the forwarding setting come back on their own.
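Once the basic router works, two gaps are worth closing: the FORWARD chain, which the minimal file leaves at ACCEPT, and the masquerade rule, which rewrites every source rather than only the VLAN. The script below is an added example and not part of the original guide. It writes a tighter rules.v4 using the guide's interface names and addresses (enp1s0 outward, enp7s0 and 192.168.10.0/24 for the VLAN), checks the file with iptables-restore --test before loading it, switches forwarding on, and includes a small offline lint that shows the difference against a copy of the guide's minimal file. Nothing is applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the original guide: a tighter rules.v4 for the
# two-interface router above, plus an offline lint that flags the two gaps
# the minimal ruleset leaves open. Interface names, the 192.168.10.0/24 VLAN
# and the 192.168.122.3 outer address are the guide's; adjust to your network.

WAN_IF=enp1s0
LAN_IF=enp7s0
LAN_NET=192.168.10.0/24
RULES=/etc/iptables/rules.v4

# The hardened ruleset. Compared with the minimal file in the guide:
#  * MASQUERADE applies only to sources inside the VLAN.
#  * FORWARD policy is DROP; only VLAN->internet traffic and the replies to
#    it are forwarded. With the kernel default of ACCEPT, a host on the outer
#    network could reach VLAN machines simply by adding a route to
#    192.168.10.0/24 via 192.168.122.3.
#  * INPUT policy stays ACCEPT as in the guide (VLAN clients may use every
#    service on the server); the outward interface is still dropped.
hardened_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $WAN_IF -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# The guide's minimal rules, copied here so the lint can be run on them
# without a server.
GUIDE_RULES='*nat
-A POSTROUTING -o enp1s0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp1s0 -j DROP
COMMIT'

# Offline lint of a rules.v4 file read from stdin: one finding per line,
# no output when neither gap is present.
lint_rules() {
    awk '
        /^\*/ { table = substr($1, 2) }
        table == "filter" && $1 == ":FORWARD" { fwd = $2 }
        /-j MASQUERADE/ && !/ -s / { print "MASQUERADE without -s: every source is NATed, not only the VLAN" }
        END {
            if (fwd != "DROP")
                print "FORWARD policy is " (fwd == "" ? "unset (kernel default ACCEPT)" : fwd) ": anything routed through this box is forwarded"
        }'
}

# Write, syntax-check, load, and switch forwarding on; run as root.
# iptables-persistent reloads $RULES at boot; sysctl.conf keeps the flag.
apply_router() {
    hardened_rules > "$RULES"
    iptables-restore --test < "$RULES" || return 1
    iptables-restore < "$RULES"
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf ||
        echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_router
else
    printf '%s\n' "$GUIDE_RULES" | lint_rules   # dry run: reports both gaps
fi
```

Running the script without APPLY=1 only lints the guide's minimal file and prints the two findings; with APPLY=1 as root it replaces /etc/iptables/rules.v4 and enables forwarding. If you later add services that VLAN clients must not reach, change the INPUT policy to DROP and add explicit ACCEPT rules on enp7s0 for DNS (53), DHCP (67), SSH (22) and, if you use it, TFTP (69) before loading the file.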
Configuring tftpd-hpa is also really easy. After installing the package, edit /etc/default/tftpd-hpa. The line TFTP_ADDRESS should be set to the IP address your TFTP server is running on, followed by port 69. In my case, it would look like:
TFTP_ADDRESS="192.168.10.2:69"
Binding to the VLAN address rather than the package default of ":69" (every address) matters: TFTP has no authentication at all, so listening everywhere would offer the boot files on the outward interface too. The iptables rules above drop that traffic, but there is no reason to rely on them. Leave the default TFTP_OPTIONS="--secure" in place; it confines the server to TFTP_DIRECTORY so clients cannot request files outside it.
You can also change TFTP_DIRECTORY to something else if you like, but I'll keep it on the default of /srv/tftp. Restart the tftpd-hpa service, then load up the directory with the files you need for PXE booting. Just hang in there, I'll make a guide for this whenever I can.