Working from Home — Remote NT via Linux
We recently installed a Linux-based email solution for one of our clients. The solution was simple and one that we can quite happily pump out with ease. A month or so later our client came back to us to see if we could help with an idea he'd had. It turns out that he wanted to connect his machine at home to his office network. Having recently had an ISDN line installed which did pretty much nothing all day he wanted to know if we could make use of this. This document describes our solution:
The overall set up looks like this:
Our solution was to set up the two routers to talk to each other and tell the Linux machine to forward IP packets between the two networks, a task it does with considerable ease. Since it was also doing pretty much nothing (at the time of writing it reports its load as 0.00 and has been running for around 2 months) it seemed a sensible use of abundantly spare CPU cycles.
Office NT Server
The NT Server simply needed to be set up so that it knows that packets for the 192.168.3 network should go via the Linux machine as a gateway (on its 192.168.2.2 interface). Nothing else needed to change.
Linux Mail Server
The Linux machine needed to be told to forward IP packets. First we changed /etc/sysconfig/network (this, like most of the systems we pump out, was RedHat based) so that it contained "FORWARD_IPV4=yes" instead of "FORWARD_IPV4=no". This ensured that the machine would forward IP packets the next time it was rebooted. We wanted to turn on IP forwarding without a reboot because, like any typical UNIX/Linux people, we're protective of our uptime! We did it by executing the following line (as the super-user):
echo "1" > /proc/sys/net/ipv4/ip_forward
The Linux machine would now receive packets for the 192.168.2 network and would know which interface to forward them on to because of its 192.168.2.2 interface. It wouldn't, however, know what to do with the packets it received from the office server for machines on the 192.168.3 network. To solve this we needed to add a static route. This was configured in /etc/sysconfig/static-routes and looked like this:
eth0 net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.1
This tells the machine that anything destined for the 192.168.3 network should be sent via the interface eth0 (which in this case was its 192.168.1.2 interface) to 192.168.1.1, which is the office router. Again, this change wouldn't have taken effect until a reboot, but it is possible to add a static route by hand, avoiding the need for a reboot, by doing the following:
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth0
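The persistent entry in /etc/sysconfig/static-routes and the hand-typed "route add" command above describe the same route in two formats; on RedHat the network init script turns the former into the latter at boot. The script below is an added example (not the article's own code) that does that conversion, applies a whole static-routes file on request, and checks whether /proc/sys/net/ipv4/ip_forward is actually set to 1. The function names, the sample static-routes file and the temporary-file handling are assumptions made for the example; the file paths are parameters so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example: convert RedHat static-routes entries into "route add"
# commands and verify that IP forwarding is enabled in the running kernel.

# Parse one static-routes line of the form
#   "<dev> net <network> netmask <mask> gw <gateway>"
# and print the equivalent "route add" command.
static_route_to_cmd() {
    # shellcheck disable=SC2086
    set -- $1
    [ "$#" -eq 7 ] || { echo "bad static-routes line" >&2; return 1; }
    dev=$1; kind=$2; net=$3; mask=$5; gw=$7
    [ "$kind" = "net" ] && [ "$4" = "netmask" ] && [ "$6" = "gw" ] \
        || { echo "bad static-routes line" >&2; return 1; }
    printf 'route add -net %s netmask %s gw %s dev %s\n' "$net" "$mask" "$gw" "$dev"
}

# Print the "route add" command for every non-blank, non-comment line
# of the static-routes file given as $1.
render_static_routes() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        static_route_to_cmd "$line" || return 1
    done < "$1"
}

# Actually run the commands (requires root); only invoked if you call it.
apply_static_routes() {
    render_static_routes "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# Return 0 if the ip_forward file (default: the live /proc entry) reads "1",
# i.e. the kernel will route packets between its interfaces.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# Stand-alone demonstration on a constructed static-routes file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample: route the home network via the office router
eth0 net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.1
EOF
echo "Commands the init script would run:"
render_static_routes "$sample"
rm -f "$sample"
if forwarding_enabled; then
    echo "IP forwarding: on"
else
    echo "IP forwarding: off (echo 1 > /proc/sys/net/ipv4/ip_forward to enable)"
fi
```

Run it as an ordinary user to see the commands and the forwarding state; `apply_static_routes /etc/sysconfig/static-routes` is the only part that changes anything and needs root.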
The office router had already been set up to allow dial-in maintenance and to dial a Legend Internet account for web and email services. The only thing we really needed to do to enable the home office was to set up a new remote node. This enabled dial-in access and set up a route for the IP addresses involved. We told this node which IP it should receive connections from, and it was set up with a username and password.
The router sits on the 192.168.1 network and so needed to know what to do with packets for the 192.168.2 network. As with the NT server, all we had to do was set a static route that sends all packets for the 192.168.2 network to the Linux machine, which routes them appropriately. The method of doing this will vary according to your router but is generally fairly pain free.
The home router was the only new piece of kit involved and had to be configured from scratch. The exact details will depend on the router you're using (we used Zyxel 100H routers).
The first thing we did was to set up a standard router configuration for the Legend account for run-of-the-mill web access. The second part was slightly trickier. We needed to set up a remote node for the office. This was in effect the Linux box (192.168.1.2), and we gave it the relevant phone number and username/password combination. We told this router that its route to the 192.168.2 network was through 192.168.1.2 (the Linux machine) and everything was almost ready.
The home machine was simply told that its gateway was 192.168.3.1 and everything would work fine. Or so we thought! It turns out that there's a problem with name services through this system, and we had to make sure that the home machine had name entries for the server. Once this was fixed, everything started working. Our client can now quite happily access his office files from the comfort of his own home ...