Routed WAN Connection

With the advent of high-speed Internet services such as fibre-to-the-premises, a WAN connection through a proprietary or ISP-supplied router is another option, alongside dialup, PPP and PPPoE.

Such a WAN connection is usually configured as a standard ethernet connection to the WAN router. If firewalling or masquerading on this connection is desirable, the NARC packetfilter/firewall can be deployed. A WAN connection script such as the following will prove useful:

/etc/init.d/wanconnect:

     #!/bin/sh
     #
     # wanconnect    This script starts or stops a WAN connection, via the primary
     #               server in the cluster, over the local LAN, or via an ISP's
     #               WAN modem.
     #
     # chkconfig: 2345 11 89
     # description: Connects to the Internet, over the LAN, via the primary \
     #              server in the cluster or an ISP's local router.
     #
     # Revision History:
     # ewilde      2008Mar24  Initial coding.
     # ewilde      2010Apr17  Connect to the WAN via an ISP's router.
     #
     #
     # Define the install path for the binaries, etc.
     #
     INSTALL_PATH="/sbin"
     #
     # Define the paths to the programs used herein.
     #
     ARPING=${INSTALL_PATH}/arping
     IP=${INSTALL_PATH}/ip
     ROUTE=${INSTALL_PATH}/route
     #
     # Define the network prefix length to use when setting up a local network
     # address to be used with an ISP's WAN router.  Nearly all WAN routers use
     # some variation of a local IP address like 192.168.x.y, which implies a
     # 24-bit network prefix (i.e. 255.255.255.0).  You can set this value to
     # something else, if your router is so defined, but this should work for
     # pretty much everyone.
     #
     PREFIX=24
     #
     # Load the function library if it exists.
     #
     if [ -f /etc/rc.d/init.d/functions ]; then
         . /etc/rc.d/init.d/functions
     fi
     #
     # Source the clustering configuration.
     #
     if [ -f /etc/sysconfig/clustering ]; then
         . /etc/sysconfig/clustering
     else
         WANCONNECTION=ADSL
     fi
     #
     # If this cluster uses ADSL or Diald for its WAN connection, we're outta here.
     #
     if [ x"$WANCONNECTION" = xADSL ] || [ x"$WANCONNECTION" = xDiald ]; then
         exit 0
     fi
     #
     # The user can configure a single IP address as the WAN gateway, in which
     # case we simply route all WAN traffic to that address over the LAN.
     #
     # Alternately, the user can specify a tuple consisting of the address of a
     # dedicated network device that connects to a WAN gateway router, an IP
     # address for that local network device, and an IP address for the WAN
     # gateway router.  Typically, the WAN gateway router will be an ISP's router
     # (such as an EVDO or FIOS router) that is set to bridge packets, sent to it
     # on one of its ports, to the WAN.
     #
     DEVICE=`echo $WANCONNECTION | grep -e "eth[0-9]\+," -o`
     if [ -n "$DEVICE" ]; then
         DEVICE=${DEVICE%,}
         LOCALADDR=`echo $WANCONNECTION | grep -e ",[^,]\+," -o`
         LOCALADDR=${LOCALADDR#,}
         LOCALADDR=${LOCALADDR%,}
         WANADDR=`echo $WANCONNECTION | grep -e ",[^,]\+\$" -o`
         WANADDR=${WANADDR#,}
     else
         DEVICE=""
         LOCALADDR=""
         WANADDR=$WANCONNECTION
     fi
     #
     # If a local network device is used to talk to a WAN, we need to bring it up
     # and assign an IP address to it.
     #
     # Note that we must do this because we assume that the dedicated network
     # device is not brought up at boot time, nor is it assigned an IP address,
     # because the intention was to use the device for PPP or some other, as yet
     # undefined, purpose.
     #
     # Incidentally, much of this code was cribbed from the device startup code in
     # /etc/sysconfig/network-scripts/ifup-eth.  So, you should check there for
     # changes, if this code fails to bring the device up properly.
     #
     StartEth()
         {
         #
         # Bring up the network device.
         #
         if ! $IP link set dev $1 up ; then
             echo $"Failed to bring up $1."
             return 1
         fi
         #
         # Make sure that there's no other host already using our local IP
         # address (arping -D exits non-zero when somebody answers for it).
         #
         if ! $ARPING -q -c 2 -w 3 -D -I $1 $2 ; then
             echo $"Error, some other host already uses address $2."
             return 1
         fi
         #
         # Set the IP address into the network device.
         #
         if ! $IP addr add $2/${PREFIX} brd + dev $1 scope link label $1 ; then
             echo $"Error adding address $2 for $1."
             return 1
         fi
         #
         # Update the ARP cache of the ISP's WAN router.
         #
         $ARPING -q -A -c 1 -I $1 $2
         ( sleep 2; $ARPING -q -U -c 1 -I $1 $2 ) >/dev/null 2>&1 < /dev/null &
         #
         # Looks like everything went well.
         #
         return 0
         }

     #
     # Routine to start up the WAN connection.
     #
     # The xxxOK flags are strings, so they must be compared against 1; a bare
     # test such as [ $ROUTEOK ] is true even when the flag is 0.
     #
     start()
         {
         #
         # If need be, bring up the local network device and assign an
         # address to it.
         #
         ASSIGNOK=1
         if [ x"$DEVICE" != x ]; then
             echo -n "Assigning local IP address $LOCALADDR to $DEVICE "
             StartEth $DEVICE $LOCALADDR
             if [ $? = 0 ]; then
                 echo_success
             else
                 echo_failure
                 ASSIGNOK=0
             fi
             echo ""
         fi
         #
         # Bring up the WAN connection.
         #
         ROUTEOK=0
         if [ "$ASSIGNOK" = 1 ]; then
             echo -n "Bringing up an Internet connection via $WANADDR "
             $ROUTE add default gw $WANADDR >/dev/null 2>&1
             if [ $? = 0 ]; then
                 echo_success
                 ROUTEOK=1
             else
                 echo_failure
             fi
             echo ""
         fi
         #
         # If need be, bring up the firewall on the local network device, passing
         # it the device name and the address to SNAT to.  Note that the default
         # route is already in place at this point, so if IP forwarding is
         # enabled, traffic can leave unfiltered until the firewall is up.
         #
         FIREWALLOK=1
         if [ "$ROUTEOK" = 1 ] && [ x"$DEVICE" != x ]; then
             echo -n "Bringing up firewall on $DEVICE, SNAT IP address $LOCALADDR "
             /etc/init.d/iptables start $DEVICE $LOCALADDR >/dev/null 2>&1
             if [ $? = 0 ]; then
                 echo_success
             else
                 echo_failure
                 FIREWALLOK=0
             fi
             echo ""
         fi
         #
         # If everything went OK, create a lock file (status relies on it).
         #
         if [ "$ASSIGNOK" = 1 ] && [ "$ROUTEOK" = 1 ] && [ "$FIREWALLOK" = 1 ]; then
             touch /var/lock/subsys/wanconnect
         fi
         }

     #
     # Routine to stop the WAN connection.
     #
     stop()
         {
         #
         # If need be, shut down the firewall.
         #
         if [ x"$DEVICE" != x ]; then
             echo -n "Shutting down the firewall "
             /etc/init.d/iptables stop >/dev/null 2>&1
             if [ $? = 0 ]; then
                 rm -f /var/lock/subsys/wanconnect
                 echo_success
             else
                 echo_failure
             fi
             echo ""
         fi
         #
         # Clear out the routing table.
         #
         echo -n "Shutting down connection to the Internet via $WANADDR "
         $ROUTE del default gw $WANADDR >/dev/null 2>&1
         if [ $? = 0 ]; then
             rm -f /var/lock/subsys/wanconnect
             echo_success
         else
             echo_failure
         fi
         echo ""
         #
         # If need be, shut down the local network device.
         #
         if [ x"$DEVICE" != x ]; then
             echo -n "Shutting down device $DEVICE "
             $IP addr flush dev $DEVICE >/dev/null 2>&1
             $IP link set dev $DEVICE down >/dev/null 2>&1
             if [ $? = 0 ]; then
                 rm -f /var/lock/subsys/wanconnect
                 echo_success
             else
                 echo_failure
             fi
             echo ""
         fi
         }

     #
     # Based on which operation we were asked to perform, have at it.
     #
     case "$1" in
         #
         # Fire up the Great Link (thanks, Odo).
         #
         start)
             start
             ;;
         #
         # Bye, bye Great Link.
         #
         stop)
             stop
             ;;
         #
         # Refresh the Great Link.
         #
         restart)
             echo "Restarting WAN connection to the Internet"
             stop
             start
             ;;
         #
         # Waaaaa 'sappenin'?
         #
         status)
             if [ -f /var/lock/subsys/wanconnect ]; then
                 echo "Connected to the Internet through $WANADDR"
             else
                 echo "Not connected to the Internet"
             fi
             ;;
         #
         # Help text.
         #
         *)
             echo "Usage: wanconnect {start|stop|restart|status}"
             exit 1
             ;;
     esac
     #
     # Heading home.
     #
     exit 0

This script should be enabled to start at boot time with the following commands:

     chkconfig --add wanconnect
     chkconfig wanconnect on

/etc/sysconfig/network-scripts/ifcfg-ethx:
/etc/sysconfig/networking/devices/ifcfg-ethx:
/etc/sysconfig/networking/profiles/default/ifcfg-ethx:

To use this WAN connection script, the basic ifcfg-ethx file should look like this:

     DEVICE=ethx
     TYPE=Ethernet
     USERCTL=no
     BOOTPROTO=none
     ONBOOT=yes|no

By defining the ethernet interface in this manner, it can be used as a PPPoE interface to bring up an ADSL connection or it can be used as a connection to a WAN router. If the connection is to a WAN router, the wanconnect script will configure the WAN connection, through the ethernet interface, using the information provided by the WANCONNECTION parameter in the clustering configuration file. You should set it to something like this:

/etc/sysconfig/clustering:

     WANCONNECTION=eth1,192.168.5.2,192.168.5.1

This tells wanconnect to set up the WAN connection on eth1. That interface is given the IP address 192.168.5.2, and the routing table is set to send all packets through the gateway at 192.168.5.1 (presumably the WAN router). The address 192.168.5.2 is also used to SNAT all packets that pass through to the WAN router, so the hosts behind the Linux system appear to the router as that single address.

Note that you must use iptables/NARC as your firewall/packetfilter, and you will need to make the changes described in the iptables part of the firewall/packetfilter section that allow the external device name and IP address to be passed to the iptables and NARC scripts (wanconnect invokes /etc/init.d/iptables start with the device and the SNAT address as its arguments).

The WAN router should be set up in the usual manner. In all probability, the router will be delivered by the ISP properly set up. You can leave it as is or switch it to bridge mode, but note that, if you do switch it to bridge mode, you may need to handle the remote WAN protocol (such as PPPoE) yourself. If you don't switch it to bridge mode, the router keeps its own NAT and firewall in front of the Linux system's, so you may want to configure it to forward all packets from the WAN to the Linux system's external address (what many routers call a DMZ host setting) and let NARC do the filtering. Otherwise, you need to set up the WAN router's firewall to pass each external service you want to offer through to the LAN side.

The Linux system is plugged into one of the LAN ports of the WAN router. The IP address of the WAN router should be set to one that is in the same subnet as that used for the Linux system's external IP interface. This address should also match that set as the gateway address in the clustering configuration. In the above example, if WANCONNECTION was set to "eth1,192.168.5.2,192.168.5.1", the IP address of the WAN router's LAN interface would be set to "192.168.5.1".
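As an added example (not part of the original page or of the cluster's own scripts), the following POSIX shell script checks a WANCONNECTION value the way the grep-based parsing in wanconnect does not: it rejects a non-eth device name, a malformed address, a gateway that is the same as the local address, and a gateway outside the local address's /PREFIX subnet (the condition the paragraph above requires, and the one that otherwise surfaces only as a failed "route add"). It then prints the minimal iptables SNAT rule set that the routed mode described above relies on. The tuple format and PREFIX=24 come from the page; the rule set is my illustration of what the iptables/NARC scripts are expected to install for the device and SNAT address, not NARC's own code.

```shell
#!/bin/sh
# Added example: validate a WANCONNECTION value ("DEVICE,LOCALADDR,GATEWAY"
# or a bare gateway address) and print the SNAT rules the routed mode needs.
# Assumptions: the tuple format and PREFIX=24 from the wanconnect script; the
# iptables rules illustrate what NARC must install, they are not NARC's code.
PREFIX=24

# ip4_valid ADDR : succeed only for a dotted quad with four octets in 0..255
# and no leading zeros (the shell would read "05" as octal in ip4_to_int).
ip4_valid() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            case "$o" in 0[0-9]*) exit 1 ;; esac
            [ "$o" -le 255 ] || exit 1
        done
        exit 0
    )
}

# ip4_to_int ADDR : print the address as an unsigned 32-bit integer.
ip4_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# same_subnet A B LEN : succeed if A and B share their first LEN bits, i.e. the
# gateway is directly reachable from the local address and the default route
# can be installed.
same_subnet() {
    mask=$(( (0xffffffff << (32 - $3)) & 0xffffffff ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# parse_wanconnection VALUE : set MODE (lan or routed), DEVICE, LOCALADDR and
# WANADDR from VALUE; fail with a message on stderr if it is malformed.
parse_wanconnection() {
    set -f                      # no pathname expansion while splitting on commas
    IFS=,
    set -- $1
    unset IFS                   # back to the default field separators
    set +f
    case $# in
        1) MODE=lan; DEVICE=""; LOCALADDR=""; WANADDR=$1 ;;
        3) MODE=routed; DEVICE=$1; LOCALADDR=$2; WANADDR=$3 ;;
        *) echo "WANCONNECTION must be GATEWAY or DEVICE,LOCALADDR,GATEWAY" >&2
           return 1 ;;
    esac
    if [ "$MODE" = routed ]; then
        case "$DEVICE" in
            eth[0-9]|eth[0-9][0-9]) ;;   # the eth[0-9]+ family wanconnect expects
            *) echo "bad device name: $DEVICE" >&2; return 1 ;;
        esac
        ip4_valid "$LOCALADDR" || { echo "bad local address: $LOCALADDR" >&2; return 1; }
    fi
    ip4_valid "$WANADDR" || { echo "bad gateway address: $WANADDR" >&2; return 1; }
    if [ "$MODE" = routed ]; then
        [ "$LOCALADDR" != "$WANADDR" ] ||
            { echo "local address and gateway are the same" >&2; return 1; }
        same_subnet "$LOCALADDR" "$WANADDR" "$PREFIX" ||
            { echo "$WANADDR is outside $LOCALADDR/$PREFIX" >&2; return 1; }
    fi
    return 0
}

# snat_rules DEVICE LOCALADDR : print the minimal iptables rules for the routed
# WAN device: rewrite outbound LAN traffic to LOCALADDR, let replies back in,
# and drop anything the WAN side initiates towards the LAN or the host itself.
snat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $1 -j SNAT --to-source $2
iptables -A FORWARD -o $1 -j ACCEPT
iptables -A FORWARD -i $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $1 -j DROP
iptables -A INPUT -i $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $1 -j DROP
EOF
}

# Constructed input: the value used on this page. Nothing here touches the
# network; the rules are only printed for review.
if parse_wanconnection "eth1,192.168.5.2,192.168.5.1"; then
    echo "mode=$MODE device=$DEVICE local=$LOCALADDR gateway=$WANADDR"
    if [ "$MODE" = routed ]; then
        snat_rules "$DEVICE" "$LOCALADDR"
    fi
fi
```

Run it against the value you intend to put in /etc/sysconfig/clustering before rebooting, or drop parse_wanconnection into wanconnect in place of the three grep lines, so that a typo in the tuple produces a clear message instead of a silently failed route add and a firewall that never comes up.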