On 20 Jan 2004 at 18:29, Gavin Thomas Nicol wrote:

> I'm having trouble setting up shorewall for my home network. I'm
> running shorewall on a little EPIA box, which is dedicated to being a
> firewall. The machine has 2 interfaces eth0 and eth1, with eth1
> aliased. What I'd like to do is have 2 external IPs that map to a
> machine with the same IPs on the inside of the firewall, but also use
> the firewall to provide NAT for my home local home machines. The
> configuration looks like this:
>
>                                       Internet
>   Visible box (eth0 aliased to
>   68.x.x.3 and 68.x.x.26)
>            68.x.x.3 \                     /
>                      eth1 -- firewall (eth0)
>           68.x.x.26 /                     \
>                                            \ Local Network (192.168.0.x)
>
> I have the firewall configured so that eth0 has an IP of 192.168.0.1,
> and eth1 has both 68.x.x.3 and 68.x.x.26. I have masq configured from
> 192.168.0.0 on eth0 through eth0 (not eth0:0) and have proxy ARP
> configured for the 68.x.x.x pair from eth1 to eth0. Right now, the
> externally visible box is complaining that its IPs are already used.
>
> Do I need another IP, or another card perhaps?

Gavin...

Your terms of reference to eth0 and eth1 are hopelessly muddled. Your
diagram indicates eth0 in both places and never addresses eth1. You
can't masq thru eth0 to eth0; that makes no sense.

Repost please...

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
I'm having trouble setting up shorewall for my home network. I'm
running shorewall on a little EPIA box, which is dedicated to being a
firewall. The machine has 2 interfaces eth0 and eth1, with eth1
aliased. What I'd like to do is have 2 external IPs that map to a
machine with the same IPs on the inside of the firewall, but also use
the firewall to provide NAT for my home local home machines. The
configuration looks like this:

                                      Internet
  Visible box (eth0 aliased to
  68.x.x.3 and 68.x.x.26)
           68.x.x.3 \                     /
                     eth1 -- firewall (eth0)
          68.x.x.26 /                     \
                                           \ Local Network (192.168.0.x)

I have the firewall configured so that eth0 has an IP of 192.168.0.1,
and eth1 has both 68.x.x.3 and 68.x.x.26. I have masq configured from
192.168.0.0 on eth0 through eth0 (not eth0:0) and have proxy ARP
configured for the 68.x.x.x pair from eth1 to eth0. Right now, the
externally visible box is complaining that its IPs are already used.

Do I need another IP, or another card perhaps?
On Tuesday 20 January 2004 06:29 pm, Gavin Thomas Nicol wrote:
> 192.168.0.0 on eth0 through eth0 (not eth0:0) and
                              ~~~~~~~~~~~~

eth1 (not eth1:0), sorry.
On Tuesday 20 January 2004 03:29 pm, Gavin Thomas Nicol wrote:

> I'm having trouble setting up shorewall for my home network. I'm running
> shorewall on a little EPIA box, which is dedicated to being a firewall. The
> machine has 2 interfaces eth0 and eth1, with eth1 aliased. What I'd like to
> do is have 2 external IPs that map to a machine with the same IPs on the
> inside of the firewall, but also use the firewall to provide NAT for my
> home local home machines. The configuration looks like this:
>
>                                       Internet
>   Visible box (eth0 aliased to
>   68.x.x.3 and 68.x.x.26)
>            68.x.x.3 \                     /
>                      eth1 -- firewall (eth0)
>           68.x.x.26 /                     \
>                                            \ Local Network (192.168.0.x)
>
> I have the firewall configured so that eth0 has an IP of 192.168.0.1, and
> eth1 has both 68.x.x.3 and 68.x.x.26. I have masq configured from
> 192.168.0.0 on eth0 through eth0 (not eth0:0) and have proxy ARP configured
> for the 68.x.x.x pair from eth1 to eth0.

With Proxy ARP, you do *not* configure the firewall's external IP address
with the public address of the internal system!

> Right now, the externally visible
> box is complaining that its IPs are already used.
>
> Do I need another IP, or another card perhaps?

I think you'll be happier with one-to-one nat on the "Visible box".
Otherwise, getting the "Visible box" to communicate with the rest of the
local network is a real headache (unless you add another interface to the
firewall).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Tuesday 20 January 2004 06:36 pm, Tom Eastep wrote:
> I think you'll be happier with one-to-one nat on the "Visible box".
> Otherwise, getting the "Visible box" to communicate with the rest of the
> local network is a real headache (unless you add another interface to the
> firewall).

A licensing application running on the "Visible" box requires the external
and machine IPs to match (apparently). In the nat file, can I do something
like this:

   68.x.x.3    eth1     68.x.x.3    no   no
   68.x.x.26   eth1:0   68.x.x.26   no   no

in order to have the packets coming in from eth1 and eth1:0 forwarded to the
"Visible" box (which in turn will have eth0 and eth0:0 bound to the
addresses)? Sorry if these are newbie questions...
On Tue, 20 Jan 2004, Gavin Thomas Nicol wrote:

> On Tuesday 20 January 2004 06:36 pm, Tom Eastep wrote:
> > I think you'll be happier with one-to-one nat on the "Visible box".
> > Otherwise, getting the "Visible box" to communicate with the rest of the
> > local network is a real headache (unless you add another interface to the
> > firewall).
>
> A licensing application running on the "Visible" box requires the external and
> machine IPs to match (apparently). In the nat file, can I do something like
> this:
>
>    68.x.x.3    eth1     68.x.x.3    no   no
>    68.x.x.26   eth1:0   68.x.x.26   no   no
>
> in order to have the packets coming in from eth1 and eth1:0 forwarded to the
> "Visible" box (which in turn will have eth0 and eth0:0 bound to the
> addresses)?
>

No. If you must have the same address internally and externally for the
"visible" system then I suggest that you place it on its own LAN segment.
The Shorewall Setup Guide shows how to set up this type of configuration.

I have successfully used Proxy ARP and masquerading on the same LAN segment
but only with difficulty (and I had to configure the Proxy ARPed system with
two IP addresses -- one internal and one external). It took me quite a while
to get it to work at all and there were still minor problems when I
abandoned the idea.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
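The two configuration mistakes Tom points out in this exchange (a nat entry that maps an address to itself, and a proxy-ARP address that the firewall also has configured on its external interface, which is what produces the "IP already used" complaint) can be caught mechanically before `shorewall start`. The following checker is an added example written for this page, not Shorewall's own code or anything posted in the thread; it assumes the Shorewall 1.4-era column layouts (nat: EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL; proxyarp: ADDRESS INTERFACE EXTERNAL HAVEROUTE) and uses constructed TEST-NET-3 addresses in place of 68.x.x.3 and 68.x.x.26.

```python
import ipaddress

# Constructed stand-ins (TEST-NET-3) for the thread's 68.x.x.3 / 68.x.x.26:
# the addresses the firewall itself has configured on each interface.
FIREWALL_ADDRS = {"eth0": {"192.168.0.1"}, "eth1": {"203.0.113.3", "203.0.113.26"}}

def _entries(text):
    """Yield the whitespace-split columns of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def check_nat(text):
    """nat columns: EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL.
    One-to-one NAT rewrites EXTERNAL <-> INTERNAL, so the two must differ."""
    problems = []
    for cols in _entries(text):
        external, iface, internal = cols[0], cols[1], cols[2]
        if ipaddress.ip_address(external) == ipaddress.ip_address(internal):
            problems.append(f"nat: {external} on {iface} maps to itself")
    return problems

def check_proxyarp(text, firewall_addrs=FIREWALL_ADDRS):
    """proxyarp columns: ADDRESS INTERFACE EXTERNAL HAVEROUTE.
    The firewall answers ARP for ADDRESS on EXTERNAL; if EXTERNAL also carries
    ADDRESS itself, two hosts claim one IP (the 'already used' complaint)."""
    problems = []
    for cols in _entries(text):
        address, external = cols[0], cols[2]
        if address in firewall_addrs.get(external, set()):
            problems.append(f"proxyarp: {address} is also configured on {external}")
    return problems

# Constructed inputs: the entries as proposed in the thread, then corrected.
NAT_AS_POSTED = """# EXTERNAL      INTERFACE  INTERNAL      ALL_INTERFACES  LOCAL
203.0.113.3     eth1       203.0.113.3   no              no
203.0.113.26    eth1:0     203.0.113.26  no              no
"""
NAT_FIXED = """203.0.113.3   eth1    192.168.0.10  no  no
203.0.113.26  eth1:0  192.168.0.11  no  no
"""
PROXYARP_AS_POSTED = """# ADDRESS     INTERFACE  EXTERNAL  HAVEROUTE
203.0.113.3   eth0       eth1      no
203.0.113.26  eth0       eth1      no
"""
# The same proxyarp entries are fine once eth1 holds only its own (third) address.
FIREWALL_ADDRS_FIXED = {"eth0": {"192.168.0.1"}, "eth1": {"203.0.113.2"}}
```

`check_nat(NAT_AS_POSTED)` flags both lines and `check_proxyarp(PROXYARP_AS_POSTED)` flags both addresses; with `NAT_FIXED` and `FIREWALL_ADDRS_FIXED` each returns an empty list.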
On Tuesday 20 January 2004 09:00 pm, Tom Eastep wrote:
> If you must have the same address internally and externally for the
> "visible" system then I suggest that you place it on its own LAN segment.
> The Shorewall Setup Guide shows how to set up this type of configuration.

So it boils down to a 3-port vs. a 2-port configuration. The EPIA can really
only take one PCI slot. If I got a 3rd IP, and masqueraded through one, and
used proxy ARP for the other two (the "visible" box), I guess that would work
too, right?
On Tuesday 20 January 2004 08:29 pm, Gavin Thomas Nicol wrote:
> On Tuesday 20 January 2004 09:00 pm, Tom Eastep wrote:
> > If you must have the same address internally and externally for the
> > "visible" system then I suggest that you place it on its own LAN segment.
> > The Shorewall Setup Guide shows how to set up this type of configuration.
>
> So it boils down to a 3-port vs. a 2-port configuration. The EPIA can
> really only take one PCI slot.

Then you might consider a multi-port card.

> If I got a 3rd IP, and masqueraded through
> one, and used proxy ARP for the other two (the "visible" box), I guess that
> would work too, right?

Getting the 'visible box' to talk to your other local systems is the
interesting part if you do that. How many other local systems are there?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Wednesday 21 January 2004 10:20 am, Tom Eastep wrote:
> > If I got a 3rd IP, and masqueraded through
> > one, and used proxy ARP for the other two (the "visible" box), I guess that
> > would work too, right?
>
> Getting the 'visible box' to talk to your other local systems is the
> interesting part if you do that. How many other local systems are there?

4-6 (varies as I have machines come and go)... if I could FTP/SSH from them
to the 'visible' box, life would be fine.

I'll look around for a multiport card, but I also have a soekris box with 3
ports that might do the trick. The only bad thing about the soekris (apart
from the serial console ;-)) is that it isn't powerful enough to run things
like content filtering (which I want for my kids).
On Wednesday 21 January 2004 07:35 am, Gavin Thomas Nicol wrote:
> On Wednesday 21 January 2004 10:20 am, Tom Eastep wrote:
> > > If I got a 3rd IP, and masqueraded through
> > > one, and used proxy ARP for the other two (the "visible" box), I guess that
> > > would work too, right?
> >
> > Getting the 'visible box' to talk to your other local systems is the
> > interesting part if you do that. How many other local systems are there?
>
> 4-6 (varies as I have machines come and go)... if I could FTP/SSH from them
> to the 'visible' box, life would be fine.
>

Then you can probably get the 5-7 systems to communicate by simply adding
static host routes. The other boxes needing access to the 'visible box' need
a single static host route (or two if you need access to both 'visible' IP
addresses). The 'visible' box needs a static host route for each of the
other boxes that need access to it.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
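Tom's static host route suggestion, as an added example that is not from the thread: a small longest-prefix-match lookup showing why a local box and the 'visible' box, which share one wire but sit in different subnets, otherwise hand every packet for each other to their default gateway, and how one /32 route per peer keeps that traffic on the segment. The addresses are constructed (203.0.113.x stands in for 68.x.x.x, 192.168.0.5 for one local box, and each side's default gateway is a placeholder).

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway, dev) triples, the way the
    kernel chooses a route; gateway None means dst is reached directly on dev."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def with_host_route(routes, host, dev="eth0"):
    """Tom's fix: one /32 route per peer, pointing straight at the shared
    interface so the two boxes ARP for each other instead of using a gateway."""
    return routes + [(f"{host}/32", None, dev)]

def ip_route_cmd(host, dev="eth0"):
    """The iproute2 command that installs such a host route on a Linux box."""
    return f"ip route add {host}/32 dev {dev}"

# Constructed scenario: a local box 192.168.0.5/24 defaults to the firewall
# (192.168.0.1); the 'visible' box is 203.0.113.3 on the same wire and defaults
# to whatever its public gateway is (placeholder 203.0.113.1).
LOCAL_BOX = [("192.168.0.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.0.1", "eth0")]
VISIBLE_BOX = [("203.0.113.0/24", None, "eth0"), ("0.0.0.0/0", "203.0.113.1", "eth0")]

if __name__ == "__main__":
    # Without host routes each side sends the other's traffic to its gateway.
    print(next_hop(LOCAL_BOX, "203.0.113.3"))    # ('192.168.0.1', 'eth0')
    print(next_hop(VISIBLE_BOX, "192.168.0.5"))  # ('203.0.113.1', 'eth0')
    # With a /32 on each side, both directions stay on the segment.
    print(next_hop(with_host_route(LOCAL_BOX, "203.0.113.3"), "203.0.113.3"))    # (None, 'eth0')
    print(next_hop(with_host_route(VISIBLE_BOX, "192.168.0.5"), "192.168.0.5"))  # (None, 'eth0')
    print(ip_route_cmd("203.0.113.3"))
```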