Hi,

My network is 10.215.0.0/255.255.0.0. I set it up this way for convenience only. Actually, all my hosts are within 10.215.144-147.xxx and 10.215.246-248.xxx (shorewall zone 'loc').

I have a router linking me to another location (shorewall zone net2) where there are other hosts within, say, 10.215.0.xxx and 10.215.147.xxx (and more).

I only require 10.215.144-145.xxx and 10.215.246-248.xxx hosts in 'loc' to communicate with any hosts within 'net2' unless the ranges collide. In other words, 'loc' hosts do NOT need to talk to 'net2' hosts 10.215.146-147.xxx (but they need to talk to 'loc' hosts 10.215.146-147.xxx), and 'net2' hosts do NOT need to talk to 'loc' hosts 10.215.146-147.xxx.

So this is why I simply set up a "wide" netmask for the 'loc' zone (255.255.0.0) and defined routes to all the 'net2' hosts through the remote router, e.g. routes to remote router 172.20.11.49:

10.215.0.0 netmask 255.255.128.0 gw 172.20.11.49
10.215.128.0 netmask 255.255.240.0 gw 172.20.11.49
10.215.148.0 netmask 255.255.252.0 gw 172.20.11.49
10.215.152.0 netmask 255.255.248.0 gw 172.20.11.49
10.215.160.0 netmask 255.255.224.0 gw 172.20.11.49
10.215.192.0 netmask 255.255.224.0 gw 172.20.11.49
10.215.224.0 netmask 255.255.240.0 gw 172.20.11.49
10.215.240.0 netmask 255.255.252.0 gw 172.20.11.49
10.215.244.0 netmask 255.255.254.0 gw 172.20.11.49
10.215.249.0 netmask 255.255.255.0 gw 172.20.11.49
10.215.250.0 netmask 255.255.254.0 gw 172.20.11.49
10.215.252.0 netmask 255.255.252.0 gw 172.20.11.49

Then I configured Shorewall's policy to DROP everything from 'loc' to 'net2' and added ALLOW rules from loc:10.215.144-145.0,10.215.246-248.0 to 'net2'.

All "works well" from my standpoint (the 'loc' zone), which means that:

* hosts such as 10.215.147.101 can communicate with the rest of the 'loc' hosts but not with 'net2' (Shorewall drops the packets).
* 'loc' hosts can communicate with hosts such as 10.215.147.101 just as long as they're in 'loc', not 'net2'.
* 'net2' host 10.215.147.101 cannot communicate with hosts in 'loc' (no way back in the routing table, and besides, Shorewall drops net2:10.215.147.0 to loc).
* any hosts in loc:10.215.144-145.0,10.215.246-248.0 can talk to any 'net2' hosts and vice versa just as long as their IP addresses are within the routing table definition above.

My concern is with broadcasts. Does the shorewall DROP policy loc->net2 also drop broadcasts? Or should I use the dropBcast action?

Normally, no request should come from 'net2' to a 'loc' host with IP address 10.215.147.101. If it did, wouldn't Shorewall block the broadcast from loc:10.215.147.101 to net2 anyway?

Thanks,
Vieri

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov
Vieri Di Paola wrote:

> My network is 10.215.0.0/255.255.0.0.
> I set it up this way for convenience only. Actually, all my hosts
> are within 10.215.144-147.xxx and 10.215.246-248.xxx (shorewall zone
> 'loc').
>
> I have a router linking me to another location (shorewall zone net2)
> where there are other hosts within, say, 10.215.0.xxx and
> 10.215.147.xxx (and more).

Unfortunately, that is a broken network. You will *always* have problems as long as you leave it like that. Rule #1 of IP addressing: all addresses must be globally* unique, and that means all subnets must be non-overlapping.

By far the best way to deal with it is to renumber one or other of the networks. 10.215.246.0/22 covers 10.215.246.0 to 10.215.247.255, so if that is enough for that network then it would allow you to renumber without having to change IP addresses on many of your devices - you'd only need to change the router (if it's not already in that range) and the netmask. That does simplify things, plus you can get away with parallel running (with some devices on the /16 and some on the /22 mask) while you are sorting things out - provided all IPs are actually within the same /22. Going to a 21 bit mask gives you 10.215.240-247.x, 20 bits gives you 10.215.240-255.x.

Alternatively, you may have to consider introducing a layer of NAT between the two networks. I can't remember how to do it, but it's possible to map one range to a different range while keeping the addressing unique. E.g., you could map the second network so that you see it as 10.216.x.y from your first network - where x.y is retained by a 1:1 mapping between address ranges.

* In these days of NAT (NAT==broken), change that to "all addresses must be globally unique from your point of reference" - which means any networks you have to communicate with (and which aren't NATed from you) must have unique addresses.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Thanks for taking the time to reply!

Please let me rephrase my query (and simplify it) because it's not easy for me to explain, so I'll try to lay it out straight.

loc: my local LAN with just 2 hosts: 10.215.147.1 and 10.215.144.1 with default gateway 10.215.144.91. Let's just suppose for a moment that these 2 hosts MUST have netmask /16.

net2: remote network I can't control and has just 2 hosts: 10.215.147.1 and 10.215.0.1.

$FW: shorewall firewall controls loc <-> net2 and other zones.
$FW's LAN IP addr (facing 'loc'): 10.215.144.91/16 ; $FW's IP addr facing 'net2': 172.20.11.62 netmask 255.255.255.240
$FW's only routing rule regarding traffic loc<->net2: "10.215.0.0 netmask 255.255.255.0 gw 172.20.11.49" ; all other traffic routed to another interface.

shorewall policy:
net2 loc DROP
loc net2 DROP

shorewall rules:
ACCEPT loc:10.215.144.1 net2 all
ACCEPT net2:10.215.0.1 loc all

shorewall interfaces:
loc $IF_LOC detect routeback,proxyarp=1,arp_filter=1
net2 $IF_NET2 detect arp_filter=1

So in this simplified setup both hosts in 'loc' can communicate. Also, 10.215.144.1 in 'loc' and 10.215.0.1 in 'net2' can communicate. I do NOT require 10.215.144.1 in 'loc' to talk to 10.215.147.1 in 'net2'. Also, I do NOT require 10.215.147.1 in 'loc' and 10.215.0.1 in 'net2' to talk to each other.

So with the above setup everything works fine because I don't need hosts with overlapping IP addresses in different zones to talk to each other.

However, a tech from the remote network has stated (without explaining why) that having a /16 netmask in 'loc' instead of a narrower mask would generate too many broadcasts in his network (net2).

I'd like to know:
1) if this statement is correct given the above setup description.
2) if a higher broadcast rate is a "significant" network load.

Of course it would be better to have non-overlapping IP addresses and finer-defined netmasks, but my assumption is that I don't want/need hosts with overlapping IP addresses to communicate (routing + shorewall iptables rules). On the other hand, I'd like to fully understand the broadcast issue and determine if it really is an "issue" or not.

Thanks,
Vieri
Vieri Di Paola wrote:

> However, a tech from the remote network has stated (without
> explaining why) that having a /16 netmask in 'loc' instead of a more
> narrow mask would generate too many broadcasts in his network (net2).
> I'd like to know:
> 1) if this statement is correct given the above setup description.

I can't see how.

> 2) if a higher broadcast is a "significant" network load.

It might be, it might not be! It all depends on the nature of the network and the volume of broadcasts. Bear in mind that ethernet used to be a purely broadcast medium (where every station saw all traffic from every other station - the downside being that this severely limited throughput). On a fast network that's lightly loaded, a bit of broadcast traffic won't be noticed. On a slow network that's heavily loaded, it may make a difference if there's a lot of it.

Back to your situation. You have a router between your network and the foreign network - this means no broadcast traffic from your network will be seen on the foreign network - if the tech believes otherwise then he's an idiot (sadly, there are lots of idiots running networks).

With the right settings, it is possible for a device on your network to send a directed broadcast. I.e., you would send a packet from one of your devices to 10.215.0.255, and the router would broadcast it on the foreign network. This is usually blocked for what should be obvious reasons - but can be a useful network tool. For example, Retrospect (a backup tool) uses broadcasts to find clients. If your network supports directed broadcasts then it can use this to find clients in remote networks - one directed broadcast packet will elicit responses from all clients in that remote network. Without directed broadcasts, the server must try every possible address in the remote network to find clients - thus 254 packets sent instead of one for a /24.

This is both irrelevant to you (I assume you aren't using them) and is also completely unconnected with the size of your network.

The only possible reason I can see for making the statement is that if you have a lot of devices on a network then there will naturally be a lot more broadcast traffic than if you have only a few devices. This is independent of length of subnet mask - i.e. 2 devices will create the same broadcast traffic on a /16 as they would on a /24. Though if you have something trying to contact lots of IP addresses, it will do more ARP lookups rather than directing the packets via the default gateway when they aren't on the same subnet. This is still invisible to a network the other side of a router.

Perhaps you should ask the tech what sort of broadcast traffic he expects to see from your network - bearing in mind there is a router in between and you aren't on the same broadcast domain.

--
Simon Hobson
--- On Tue, 11/27/12, Simon Hobson <linux@thehobsons.co.uk> wrote:

> if you have a lot of devices on a network then there will naturally
> be a lot more broadcast traffic than if you have only a few devices.
> This is independent of length of subnet mask - ie 2 devices will
> create the same broadcast traffic on a /16 as they would on a /24.

That's exactly what I thought and I wanted someone to confirm this.

> This is still invisible to a network the other side of a router.

I also wanted to clear this up.

At least now I'm more confident regarding this issue. Hopefully the remote tech and I will be able to understand each other someday.

Thank you very much Simon. Your help is appreciated.

Vieri

------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: DESIGN Expert tips on starting your parallel project right. http://goparallel.sourceforge.net
--- On Tue, 11/27/12, Simon Hobson <linux@thehobsons.co.uk> wrote:

> Though if you have something trying to contact lots of IP addresses,
> it will do more ARP lookups rather than directing the packets via the
> default gateway when they aren't on the same subnet.

Now that you mention it, in my simplified example, if I ping from 'loc' host at 10.215.144.1 to 'net2' host at 10.215.0.1 and run this on the shorewall firewall ('loc' interface):

tcpdump -n -i $IF_LOC "broadcast"
20:37:20.270910 arp who-has 10.215.0.1 tell 10.215.144.1

So maybe this is what the tech guy meant. It doesn't affect his 'net2' network but may affect mine ('loc' is a mixed 1G-100Mbps network).

A basic question: should I expect an "arp who-has" on Shorewall's $IF_LOC (eth0) for an IP address that according to the firewall's routing table should be found via $IF_NET2 (eth2)?

If 10.215.144.1 didn't have netmask /16 then I guess the "arp who-has" wouldn't take place and it could still talk to 10.215.0.1 via the shorewall box/router. Am I right?

Vieri
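The on-link versus gateway decision behind the "arp who-has" line above, and the coverage of the static route list from the first message, worked through as an added example (this is not code from the thread; it only assumes the addresses, masks and routes quoted in the messages):

```python
"""Added example (not from the thread): model the on-link/off-link decision
a host makes for a destination, and check which 10.215.x.0/24 blocks the
static routes from the first message leave out of the path to 172.20.11.49.
All addresses, masks and routes are the ones quoted in the thread."""
from ipaddress import ip_address, ip_interface, ip_network

# The twelve static routes to the remote router, as listed in the first message.
NET2_ROUTES = [ip_network(n) for n in (
    "10.215.0.0/17", "10.215.128.0/20", "10.215.148.0/22", "10.215.152.0/21",
    "10.215.160.0/19", "10.215.192.0/19", "10.215.224.0/20", "10.215.240.0/22",
    "10.215.244.0/23", "10.215.249.0/24", "10.215.250.0/23", "10.215.252.0/22")]


def next_hop(host: str, dest: str) -> str:
    """'arp' if the host considers dest on-link and ARPs for it on the LAN,
    'gateway' if it hands the packet to its default gateway instead.
    host is written as address/prefix, e.g. '10.215.144.1/16'."""
    iface = ip_interface(host)
    return "arp" if ip_address(dest) in iface.network else "gateway"


def routed_to_net2(dest: str) -> bool:
    """True if one of the static routes above sends dest to 172.20.11.49."""
    return any(ip_address(dest) in r for r in NET2_ROUTES)


def uncovered_third_octets(routes=NET2_ROUTES) -> list:
    """Third octets x of the 10.215.x.0/24 blocks that no net2 route covers,
    i.e. the blocks that stay with the local 'loc' zone."""
    return [x for x in range(256)
            if not any(ip_network(f"10.215.{x}.0/24").subnet_of(r)
                       for r in routes)]


if __name__ == "__main__":
    # A /16 host sees 10.215.0.1 as on-link, hence the ARP request on $IF_LOC.
    print(next_hop("10.215.144.1/16", "10.215.0.1"))   # arp
    # With a /22 the same destination is off-link and goes to the gateway.
    print(next_hop("10.215.144.1/22", "10.215.0.1"))   # gateway
    # Blocks the static routes leave to 'loc': 144-147 and 246-248.
    print(uncovered_third_octets())
```

With the host's mask changed from /16 to /22, the decision flips from ARP to gateway, which is the behaviour the last message asks about; the route check confirms the static routes hand every block to the remote router except 10.215.144-147.x and 10.215.246-248.x.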