Home / user-46754

Ville's questions

Martin Hope
Ville
Asked: 2013-01-29 21:26:53 +0800 CST
  • 2

I'm setting up Shorewall (4.4.26.1), and have been trying to figure out routing between two LAN segments for the good part of the afternoon. It's time to ask for help.

 ((INTERNET))
      |
      |
 [shorewall]
   |     |
   |     |
(LAN1) (LAN2)

I have three NICs: WAN (Internet), LAN1, and LAN2. WAN-to-LAN is working inbound through NAT, and outbound through DNAT (set in masq). LAN2 should not (and currently does not) have access to the Internet, but it should be accessible from LAN1. I'm currently able to get to LAN2 from the firewall, but not from the servers in LAN1 (which is the problem). The necessary rules are in place, but apparently routing isn't working (when I disable the firewall rules, I get immediate "connection refused" on SSH connection from a server in LAN1; when the rules are enabled, SSH simply hangs and traceroute doesn't go beyond the firewall). LAN1 is in 172.0.0.0 address space and LAN2 is in 10.0.0.0 address space.

I currently have:

$LAN2_IF                 10.0.0.0/24

..in masq, but that's not working ($LAN2_IF resolves to eth2 which is the LAN2 interface).

My question is: What is the simplest Shorewall configuration to forward traffic between two differently addressed LAN segments that are connected to separate NICs? A pointer to documentation or other reference would help, a bare-bones config example would be even better. I've been sifting through the Shorewall documentation on routing, but haven't yet found a matching description (for instance, I would rather not have to bridge the LAN interfaces since they need to remain separated: LAN2 should not have access either to the Internet or LAN1).

Thanks for any advice!

linux
Martin Hope
Ville
Asked: 2011-05-12 20:32:00 +0800 CST
  • 1

Let's say a colo assigns me an IP range 111.222.1.0/26. 111.222.1.1 is the gateway for my usable IP range 111.222.1.2 - 111.222.1.62.

I'm using pfSense firewall and have configured its external interface as 111.222.1.2/26.

I would like to have couple of IPs usable outside of the router/firewall in order to connect a remote console access device and a remote power switch outside of the pfSense appliance for the best chance of recovering from error conditions remotely (including, if necessary, restart of and console access to the pfSense appliance).

I would like to know if it's possible to use, for example, the IPs 111.222.1.61 and 111.222.1.62 of the given IP range outside of the firewall's external interface (split by a switch outside of the firewall's WAN interface), assuming I've configured those two IPs to be blocked in the router?

Would I get collisions? Would this work reliably? If this doesn't work, I'll have to request the smallest available IP segment to be used with the 'external' devices, and not include it in the firewall's configuration.

Thanks for any advice!

router networking ip
Martin Hope
Ville
Asked: 2011-03-29 11:03:43 +0800 CST
  • 1

Someone asked earlier whether it would be possible to direct connect two systems with 10GbE CX4 ports here: is it possible to direct connect a client and server with 10GBASE CX4 copper cables?.

My question is the same, but with the SPF+ ports. I assume this would work, but before ordering the pricey interconnect cable, I thought of confirming whether it is at least likely that it will work.

networking gigabit