My home-network is somewhat complex. I have a cable-modem which via a switch is connected to my router/firewall for serving internet to my actual LAN, but the same switch also connects via powerlan several set-top-boxes to the same cable-modem. This means that near some TVs I have two powerlan adapters, one serving the needed connection to the set-top-box and another giving internet access to PS3, Wii, XBox, ...

The cable-modem itself gives different IP addresses based on the MAC address of the client. As such the set-top-boxes get a 10.x.x.x address and other clients (my Linux firewall) get actual global internet addresses. So, there are already two IP ranges going over the same network at the end of the cable-modem, but since I'm not sure of the safety of that part of the network (read: I don't trust the cable company), I want the rest of my network behind the Linux firewall ...

So, to finally come to the question: is there a way to have the cable-modem connect directly to my Linux firewall (so getting rid of the switch in between) and then have the Linux firewall pass traffic for the set-top-boxes (so specific MAC addresses) as-is to the LAN, including that those devices would then get a DHCP address directly from the cable-modem (through the Linux "bridge"), while at the same time for all other devices in the LAN the Linux firewall actually acts as firewall, proxy, DHCP server, etc., giving out 192.168.0.x addresses and having itself one single real internet address which it gets via DHCP from the cable-modem?

If I set up a bridge between WAN and LAN, I assume I can still filter on that bridge via iptables, but can I run a DHCP client on one end of the bridge and a DHCP server on the other? If so, how? Anyone able to give me a clear description on how to get something like this up? I'm going to run Ubuntu Server on the firewall (which also acts as home-server and controller for my solar-panels, so a full-fledged Linux is wanted), but if I can get general instructions to get me on the road, I probably can figure out the Ubuntu specifics myself...

Thanks in advance, K

asked 14 Nov '12, 02:37


It should be possible. You should be able to pass an interface name to the DHCP client so that it only configures that interface. For example, using the isc-dhcp-client, start the client like

$ dhclient eth1

(I'll assume eth1 is connected to the modem and eth0 to the local network in these examples.) The DHCP server should also have such an option: on Debian using the isc-dhcp-server, "/etc/defaults/isc-dhcp-server" contains a line like


but check the particular server's documentation. You'll also need to turn on IP forwarding: in "/etc/sysctl.conf", put


Finally, you'll probably need to configure ip masquerading using iptables (this tutorial might be useful):

$ iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


answered 21 Nov '12, 22:04


edited 21 Nov '12, 22:05
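The answer above sketches four pieces: a DHCP client on the modem side only, a DHCP server bound to the LAN side only, IP forwarding, and masquerading. The following is an added example, not part of the original question or answer, that renders those pieces as files for a Debian/Ubuntu box and runs two checks a practitioner would want before enabling any of it: that the DHCP server is not bound to the WAN interface (so it never answers requests from the cable company's segment), and that the FORWARD chain is not left at its default ACCEPT once forwarding is switched on, which the masquerade rule alone does not prevent. The interface names eth0/eth1, the 192.168.0.0/24 range with 192.168.0.1 as gateway, the lease times and the scratch output directory are assumptions. It covers only the routed/NAT half of the question, as the answer does; the per-MAC bridging of the set-top-boxes is not addressed here.

```shell
#!/bin/sh
# Added example (not from the original post or answer): render the configuration
# the answer sketches for a two-NIC Debian/Ubuntu router, plus two sanity checks.
# Assumptions: eth1 faces the cable modem (WAN), eth0 faces the LAN, the LAN is
# 192.168.0.0/24 with the firewall at 192.168.0.1. Files go to a scratch
# directory; nothing is installed into /etc or loaded into the kernel.

WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
LAN_GW="192.168.0.1"
OUT="${OUT:-${TMPDIR:-/tmp}/fw-config.$$}"

# /etc/default/isc-dhcp-server (Debian/Ubuntu): bind the DHCP server to the LAN
# side only, so it never answers DHCPDISCOVER arriving on the modem segment.
# Newer isc-dhcp-server packages spell the variable INTERFACESv4.
render_dhcp_defaults() {
    printf 'INTERFACES="%s"\n' "$LAN_IF"
}

# /etc/dhcp/dhcpd.conf: one scope for the 192.168.0.x LAN. "authoritative"
# makes the server NAK clients that still hold a lease from some other server.
render_dhcpd_conf() {
    cat <<EOF
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;
    option routers $LAN_GW;
    option domain-name-servers $LAN_GW;
}
EOF
}

# /etc/sysctl.d/99-forward.conf (same line the answer puts in sysctl.conf).
render_sysctl() {
    printf 'net.ipv4.ip_forward=1\n'
}

# iptables: the answer's MASQUERADE rule alone leaves FORWARD at its default
# ACCEPT policy, so hosts on the modem segment could be routed into the LAN
# once forwarding is on. Allow LAN -> WAN and the replies to it, drop the rest.
render_iptables() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Check 1: the DHCP server must not be bound to the WAN interface.
# $1 = contents of /etc/default/isc-dhcp-server; returns 0 if WAN_IF is listed.
dhcp_bound_to_wan() {
    printf '%s\n' "$1" | sed -n 's/^INTERFACES\(v4\)\{0,1\}=//p' | tr -d '"' \
        | tr ' ' '\n' | grep -qx "$WAN_IF"
}

# Check 2: the forward rules must end in a default DROP, or explicitly drop or
# reject new WAN -> LAN traffic; returns 0 if so. $1 = rule script text.
forward_is_restricted() {
    printf '%s\n' "$1" | grep -Eq -- "(-P FORWARD DROP|-i $WAN_IF -o $LAN_IF .*-j (DROP|REJECT))"
}

# Write every file into $OUT and print the directory name.
write_all() {
    mkdir -p "$OUT"
    render_dhcp_defaults > "$OUT/isc-dhcp-server"
    render_dhcpd_conf    > "$OUT/dhcpd.conf"
    render_sysctl        > "$OUT/99-forward.conf"
    render_iptables      > "$OUT/firewall.sh"
    printf 'dhclient %s\n' "$WAN_IF" > "$OUT/wan-up.sh"   # DHCP client on WAN only
    echo "$OUT"
}

main() {
    dir=$(write_all)
    if dhcp_bound_to_wan "$(cat "$dir/isc-dhcp-server")"; then
        echo "ERROR: DHCP server would listen on $WAN_IF" >&2; return 1
    fi
    if ! forward_is_restricted "$(cat "$dir/firewall.sh")"; then
        echo "ERROR: FORWARD chain is left open" >&2; return 1
    fi
    echo "config written to $dir; review it, copy into /etc, then run firewall.sh as root"
}

main "$@"
```

Run it as an unprivileged user to produce the files, review them, and only then copy isc-dhcp-server to /etc/default/, dhcpd.conf to /etc/dhcp/, 99-forward.conf to /etc/sysctl.d/ and execute firewall.sh and wan-up.sh as root. The INPUT chain (services running on the firewall itself) is not covered, since the answer does not touch it.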
