Hi,

Our firewall (fw), running Bering 1.1 with Shorewall v1.4.2, has an external IP address on eth0(fw) X.X.X.44/24; the internal interface eth1(fw) 192.168.100.53/30 is an Aironet PCI 350 series card. eth1 talks to another Bering box (B), without Shorewall, again with an Aironet card, eth0(B) 192.168.100.54/30. The internal interface eth1(B) 192.168.0.1/24 connects to the hub and our workstations, all with 192.168.0.n/24.

workstations-------router-------fw----net

It all works fine, thanks to the LEAF and Shorewall teams, and others.

Today, we acquired an additional IP address from our ISP, x.x.x.45, which we would like to use for VoIP by creating a DMZ on an additional ethernet interface on B within our premises.

workstations-------router-------fw----net
                      |
VoIP------------------|

If the workstations and the VoIP box were connected directly to the fw, it would not have been a problem. We would simply add a line like

x.x.x.45 eth1 eth0 no

in (fw)/etc/shorewall/proxyarp. But the fact that we have an additional router is making it difficult for us. We cannot see the clear picture of how we should configure the fw, B and VoIP.

Please help.

regards
Mila
Tom Eastep
2003-May-07 06:51 UTC
[Shorewall-users] Re: [leaf-user] routing an additional IP address
On Wed, 7 May 2003 00:02:54 -0500, Lynn Avants <avants@guitarlynn.homelinux.org> wrote:

> On Wednesday 07 May 2003 12:32 am, Milla Yegurku wrote:
> [...]
>> Today, we acquired an additional IP address from our
>> ISP x.x.x.45, which we would like to use for VoIP
>> by creating a DMZ on an additional ethernet interface on
>> B within our premises.
> [...]
>> But the fact that we have an additional router is
>> making it difficult for us. We cannot see the clear
>> picture of how we should configure the fw, B and VoIP.
>
> Well, there isn't any masq'ing with the additional router.
> Assuming that the DMZ is on a separate subnet, you can build a static
> route on both routers and configure the
> VoIP-clients to use the static address of the VoIP-server.
> You can filter the allowed traffic to the VoIP-server from the internal
> nets via the ruleset on the firewall/primary router.

He needs his fw to respond to ARP requests for the second IP address, so he won't be able to simply use routing.

That problem may be solved using Proxy ARP on the firewall. I would set the HAVEROUTE column to Yes, then, using the appropriate Bering config file, I would add a static host route to the VoIP-server via the backend router.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net
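As an added illustration (not code from this thread, from Shorewall, or from Bering): a small longest-prefix-match model of fw's routing table, built from the addresses in the first message, using 203.0.113.0/24 as a constructed stand-in for the ISP block written as x.x.x.0/24. It shows why the static host route Tom mentions is needed alongside the proxy ARP entry: without it, x.x.x.45 matches the connected /24 on eth0 and is never forwarded to the backend router.

```python
"""Model of fw's FIB for the proxy-ARP-plus-host-route setup (constructed example)."""
import ipaddress

# Constructed stand-ins: TEST-NET-3 plays the ISP block the thread writes as x.x.x.0/24.
ISP_NET = "203.0.113.0/24"
ISP_GW = "203.0.113.1"
VOIP_IP = "203.0.113.45"          # the additional address (x.x.x.45 in the thread)
BACKEND_ROUTER = "192.168.100.54"  # eth0(B) from the first message

# fw's routes as (prefix, next_hop, interface). next_hop None = connected route:
# the kernel then ARPs for the destination directly on that interface.
FW_ROUTES = [
    (ISP_NET, None, "eth0"),                          # eth0(fw) 203.0.113.44/24
    ("192.168.100.52/30", None, "eth1"),              # eth1(fw) 192.168.100.53/30
    ("192.168.0.0/24", BACKEND_ROUTER, "eth1"),       # workstations behind B
    ("0.0.0.0/0", ISP_GW, "eth0"),                    # default route
]


def lookup(routes, dst):
    """Return (next_hop, iface) for dst by longest-prefix match, as the kernel FIB does."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def with_host_route(routes):
    """Add the /32 host route Tom recommends. With HAVEROUTE=Yes in
    /etc/shorewall/proxyarp, Shorewall does not add it, so the admin must."""
    return routes + [(VOIP_IP + "/32", BACKEND_ROUTER, "eth1")]


if __name__ == "__main__":
    # Without the host route the /24 on eth0 wins: fw would look for x.x.x.45
    # on the ISP segment, where its own proxy ARP entry is the only answer.
    print("before:", lookup(FW_ROUTES, VOIP_IP))                   # (None, 'eth0')
    print("after: ", lookup(with_host_route(FW_ROUTES), VOIP_IP))  # ('192.168.100.54', 'eth1')
```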
Milla Yegurku
2003-May-07 10:21 UTC
[Shorewall-users] Re: [leaf-user] routing an additional IP address
I agree.
Please tell me the netmask and the gw IP for the VoIP box.

regards
Mila

--- Tom Eastep <teastep@shorewall.net> wrote:
> He needs his fw to respond to ARP requests for the second IP address, so he
> won't be able to simply use routing.
>
> That problem may be solved using Proxy ARP on the firewall. I would set the
> HAVEROUTE column to Yes, then, using the appropriate Bering config
> file, I would add a static host route to the VoIP-server via the backend
> router.
>
> -Tom
Tom Eastep
2003-May-07 11:38 UTC
[Shorewall-users] Re: [leaf-user] routing an additional IP address
On Wed, 7 May 2003 10:21:29 -0700 (PDT), Milla Yegurku <presroo@yahoo.com> wrote:

> I agree.
> Please tell me the netmask and the gw IP for the VoIP
> box.

Milla, just pick some class A from the RFC 1918 space that doesn't conflict with what you are currently using.

See http://www.shorewall.net/shorewall_setup_guide.htm

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net
Milla Yegurku
2003-May-07 14:33 UTC
[Shorewall-users] Re: [leaf-user] routing an additional IP address
Tom, thanks for your time. I hope I am not cluttering the list too much. Maybe the solution is so evident to everyone that you are missing my point :-)

(IspGateway)x.x.x.1--(fw_eth0)(fw_eth1)--(router_eth0)(router_eth1)---(VoIP_eth0)

(fw_eth0): IP x.x.x.44/24, gw x.x.x.1
(fw_eth1): 10.10.10.56/30, route 192.168.100.0/24 via 10.10.10.54, masquerade 192.168.100.0/24 via eth0
(router_eth0): 10.10.10.54/30, gw: 10.10.10.53
(router_eth1): 192.168.2.1/24
workstations: 192.168.100.2/24 and up, gw: 192.168.2.1

Now I want to grab IP packets for x.x.x.45 at fw_eth0 and route them to the VoIP box.

On fw, should I

ip neigh add proxy x.x.x.45 dev eth0
ip route add x.x.x.45 via 10.10.10.54

(I use ip commands, for I am not sure eth1 is the right entry for INTERFACE in /etc/shorewall/proxyarp.)

On router:

ip route add x.x.x.45 dev eth1

Now finally, the (infamous) VoIP box: IP x.x.x.45/24, gw x.x.x.44 ??? I do not see how that is possible.

To make this question complete, the VoIP box is a Win98SE machine with a QuickNet LineJack card, and I will be using MicroTelco services for outgoing calls; my incoming calls will be mostly from people using MS NetMeeting. And because H.323 is so complicated, I think it best to get a separate IP address with all ports open, and avoid any NAT.

I just forgot to mention that I will add a third ethernet interface to my router to separate it physically from the 192.168.100.0 network.

I hope I am not making you just as confused as I am, and :-) once again.

Mila
thank you for your patia(e)nce

--- Tom Eastep <teastep@shorewall.net> wrote:
> Milla, just pick some class A from the RFC 1918 space that doesn't conflict
> with what you are currently using.
>
> See http://www.shorewall.net/shorewall_setup_guide.htm
>
> -Tom
Tom Eastep
2003-May-07 16:14 UTC
[Shorewall-users] Re: [leaf-user] routing an additional IP address
On Wed, 7 May 2003 14:33:35 -0700 (PDT), Milla Yegurku <presroo@yahoo.com> wrote:

> Tom, thanks for your time. I hope I am not cluttering
> the list too much.

Milla -- your problem has nothing to do with Shorewall, and the time that I have available for Shorewall just doesn't permit me to be a free consultant to people trying to do basic routing.

Sorry,
-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net