Hey guys,

I have a question regarding shorewall and vrf functionality.

I have shorewall 3.4.8 and kernel 2.6.24-gentoo-r8.

I have tried to use iproute2 (ip route and ip rule) to establish multiple routing tables. The biggest problem seems to be that I cannot add interfaces such as vlan interfaces to the routing table.

My target is that linux pays attention to which vlan interface traffic is arriving on, so that the kernel can decide which routing table it has to use.

For example, if traffic arrives on vlan1 use table 1, vlan2 table 2 and so on.

I am using such environments by the thousands on Cisco and Juniper, but I am sure that linux or shorewall must have a solution, too.

Do you have any idea how to cover that with shorewall and the linux kernel itself?

I know that there is linux-vrf and the latest patch seems to be for kernel 2.6.18. But that seems not to be the right solution. I am interested in a solution with a combination of shorewall and kernel, and I don't want to believe that Cisco is able and linux/shorewall not :-)

Thanks a lot for your response.

Cheers
Michael

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Michael Weickel - iQom Business wrote:

> Hey guys,
>
> I have a question regarding shorewall and vrf functionality.
>
> I have shorewall 3.4.8 and kernel 2.6.24-gentoo-r8.
>
> I have tried to use iproute2 (ip route and ip rule) to establish multiple
> routing tables. The biggest problem seems to be that I cannot add
> interfaces such as vlan interfaces to the routing table.
>
> My target is that linux pays attention to which vlan interface traffic
> is arriving on, so that the kernel can decide which routing table it has to use.
>
> For example, if traffic arrives on vlan1 use table 1, vlan2 table 2 and so
> on.

Please have a look at http://www.shorewall.net/MultiISP.html

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Thanks a lot for your response, but this does not seem to be working for my issue.

I'll try to give an example.

Subnet A 10.0.0.0/24 connected to switch I port 1 (vlan 5)
Host A 10.0.0.1/24 belongs to subnet A

Subnet B 10.0.0.0/24 connected to switch I port 2 (vlan 10)
Host B 10.0.0.1/24 belongs to subnet B

Switch I port 3 is a trunk which carries both subnets to shorewall eth2.

Eth2 is virtualized into interface vlan5 (10.0.0.254) and interface vlan10 (10.0.0.254). Both vlan interfaces belong to eth2.

Vlan5 has its own routing table 2, vlan10 has its own routing table 3.

Host A and Host B can ping vlan5 and vlan10 on shorewall with "ip rule add from 10.0.0.254 table 2" and "ip rule add from 10.0.0.254 table 3". This seems to be one problem to me: Linux and shorewall do not recognize that the one ip belongs to vlan5 and the other to vlan10.

In addition there is a default route in each table which belongs to shorewall eth1, but it does not work?!

I have a hope that shorewall has a hint to solve my problem, due to the fact that I believe that the ip tools are not able to. Normally I would say for sure that ip is able to, but I don't know how to go on.

If you have any idea how shorewall could help, it would be really great.

Thanks a lot for your support.

Cheers
Michael

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Friday, 30 May 2008 02:45
To: Shorewall Users
Subject: Re: [Shorewall-users] shorewall vrf support

Michael Weickel - iQom Business wrote:

> Hey guys,
>
> I have a question regarding shorewall and vrf functionality.
>
> I have shorewall 3.4.8 and kernel 2.6.24-gentoo-r8.
>
> I have tried to use iproute2 (ip route and ip rule) to establish multiple
> routing tables. The biggest problem seems to be that I cannot add
> interfaces such as vlan interfaces to the routing table.
>
> My target is that linux pays attention to which vlan interface traffic
> is arriving on, so that the kernel can decide which routing table it has to use.
>
> For example, if traffic arrives on vlan1 use table 1, vlan2 table 2 and so
> on.

Please have a look at http://www.shorewall.net/MultiISP.html

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Michael Weickel - iQom Business wrote:

> Thanks a lot for your response, but this does not seem to be working for my
> issue.
>
> I'll try to give an example.
>
> Subnet A 10.0.0.0/24 connected to switch I port 1 (vlan 5)
> Host A 10.0.0.1/24 belongs to subnet A
>
> Subnet B 10.0.0.0/24 connected to switch I port 2 (vlan 10)
> Host B 10.0.0.1/24 belongs to subnet B
>
> Switch I port 3 is a trunk which carries both subnets to shorewall eth2.
>
> Eth2 is virtualized into interface vlan5 (10.0.0.254) and interface vlan10
> (10.0.0.254). Both vlan interfaces belong to eth2.
>
> Vlan5 has its own routing table 2, vlan10 has its own routing table 3.
>
> Host A and Host B can ping vlan5 and vlan10 on shorewall with "ip rule add
> from 10.0.0.254 table 2" and "ip rule add from 10.0.0.254 table 3". This
> seems to be one problem to me: Linux and shorewall do not recognize that
> the one ip belongs to vlan5 and the other to vlan10.

Why don't you "ip rule add iif vlan5 table 2" and "ip rule add iif vlan10 table 3"?

> I have a hope that shorewall has a hint to solve my problem, due to the fact
> that I believe that the ip tools are not able to. Normally I would say for sure
> that ip is able to, but I don't know how to go on.

Shorewall is just a configuration tool that uses the ip tools to activate the configuration. There is nothing magic about Shorewall.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
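The iif-based policy routing Tom suggests, written out as a complete script. This is an added example, not code from the thread or from Shorewall: the interface names (eth2 trunk, vlan5/vlan10, eth1 uplink), table numbers 2 and 3, and the 10.0.0.0/24 addresses come from Michael's description; the upstream gateway address on eth1 (192.0.2.1) is an assumed placeholder, and the DRY_RUN switch and the function names are this example's own. Each VLAN gets its own table holding the connected 10.0.0.0/24 route over that VLAN interface plus the default route via eth1, and an "ip rule ... iif" entry selects that table for traffic arriving on the VLAN, which is what lets two identical subnets coexist.

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): per-VLAN routing tables
# selected by ingress interface with "ip rule add iif <dev> table <n>".
# Names and subnets follow Michael's setup; UPLINK_GW is an assumed placeholder.
# DRY_RUN=1 prints the ip commands instead of running them.

PARENT=eth2            # trunk port from the switch
UPLINK=eth1            # interface carrying the default route
UPLINK_GW=192.0.2.1    # assumed placeholder gateway reachable via eth1
LOCAL=10.0.0.254       # address the router uses on both VLANs
NET=10.0.0.0/24        # the subnet that exists on both VLANs

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vrf_setup VLAN_ID TABLE
# Creates vlan<ID> on $PARENT with $LOCAL, fills table TABLE with the
# connected route over that VLAN and the shared default route, and binds
# traffic *arriving* on the VLAN to the table. Priority 100 is evaluated
# before the main-table rule (32766), so the per-VLAN table wins.
vrf_setup() {
    vid=$1; table=$2; dev="vlan$1"
    run ip link add link "$PARENT" name "$dev" type vlan id "$vid"
    run ip addr add "$LOCAL/24" dev "$dev"
    run ip link set "$dev" up
    run ip route add "$NET" dev "$dev" table "$table"
    run ip route add default via "$UPLINK_GW" dev "$UPLINK" table "$table"
    run ip rule add iif "$dev" table "$table" priority 100
}

# vrf_teardown VLAN_ID TABLE reverses vrf_setup
vrf_teardown() {
    vid=$1; table=$2; dev="vlan$1"
    run ip rule del iif "$dev" table "$table" priority 100
    run ip route flush table "$table"
    run ip link del "$dev"
}

# plan_commands prints the full command list for vlan5 -> table 2 and
# vlan10 -> table 3 without executing anything, for review before applying.
plan_commands() {
    ( DRY_RUN=1; vrf_setup 5 2; vrf_setup 10 3 )
}

# Usage:  sh vrf.sh plan    (print the commands)
#         sh vrf.sh apply   (run them; needs root)
case "${1:-}" in
    plan)  plan_commands ;;
    apply) vrf_setup 5 2; vrf_setup 10 3 ;;
esac
```

Run with "plan" first and check the output against "ip rule show" and "ip route show table 2" after applying. Note that "iif" only matches packets that entered through that interface, i.e. forwarded traffic from the hosts; the router's own replies to 10.0.0.254 originate locally (they match "iif lo"), so those still follow the main table unless a separate rule is added for them.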