--On Monday, November 04, 2002 1:38 PM -0500 Scott Sharkey
<ssharkey@linuxunlimited.com> wrote:
> Hi All,
>
> I've been using Shorewall version 1.2.x for some time, and have just
> started looking at the 1.3 versions. I've got a customer who has
> three locations that they want to tie together with VPNs. I'm currently
> using YAVIPIND as the tunnelling technology, and Shorewall as the
> firewall. (Can't use IPSEC - one of the sites has a proprietary router
> that does NAT and won't support it).
>
> The sites look like this:
>
> Main Site External 65.x.x.x address.
> Internal 192.168.1.x local addresses
>
> Site 1 External 65.x.x.x address (proprietary firewall)
> Internal 192.168.2.x local addresses
>
> Site 2 External 65.x.x.x address
> Internal 192.168.3.x local addresses
>
> The YAVIPIND uses the tun0, tun1 devices with IP addresses in
> 192.168.254.x range. There is a tun0 device at the
> main location connected to a tun0 at Site 1, and
> a tun1 device on the main connected to tun0 on Site
> 2.
>
> What's the best way to configure the firewall to pass traffic from
> any local host to any of the others? With 1.2, I'm using a hosts
> entry for the tun nets and the Site 1 LAN, but I'm pretty sure
> there's an easier way. There is one File Server (Win2k) in the
> main site that needs to be accessible by both remote sites. I know
> I'll need to run Samba/WINS to get the browsing to work, but need
> some tips on the best way to set up.
>
I would simply create one zone for the remote subnets and associate it with
the local tunnel device(s). Allow unlimited intra-zone traffic on the zone
through a policy and allow the zone access to any local services that you
need to.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
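One way to lay out what Tom describes in the Shorewall 1.3 file format, as an added example that is not taken from Scott's or Tom's messages: a single "vpn" zone holding both tunnel devices, a vpn->vpn policy so the two remote sites can reach each other through the main site, and rules that open only the file server's SMB and WINS ports from the tunnels. The interface names eth0/eth1, the file server address 192.168.1.10 and the YAVIPIND listening port 5000 are assumptions and must be replaced with the real values.

```text
# /etc/shorewall/zones  (ZONE  DISPLAY  COMMENTS)
net     Net             Internet
loc     Local           192.168.1.0/24 behind the main firewall
vpn     VPN             Both remote sites, reached through the YAVIPIN tunnels

# /etc/shorewall/interfaces  (ZONE  INTERFACE  BROADCAST  OPTIONS)
# eth0/eth1 are assumed names for the external and internal interfaces.
# Both tunnel devices belong to the single vpn zone; tun devices are
# point-to-point, so there is no broadcast address to give.
net     eth0            detect          norfc1918,routefilter
loc     eth1            detect
vpn     tun0            -
vpn     tun1            -

# /etc/shorewall/policy  (SOURCE  DEST  POLICY  LOG LEVEL)
# vpn->vpn is the intra-zone policy: Site 1 <-> Site 2 via the main firewall.
# vpn->loc stays DROP; the rules file opens only what the remote sites need.
vpn     vpn             ACCEPT
loc     vpn             ACCEPT
vpn     loc             DROP            info
loc     net             ACCEPT
fw      net             ACCEPT
net     all             DROP            info
all     all             REJECT          info

# /etc/shorewall/rules  (ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST)
# 192.168.1.10 is an assumed address for the Win2k file server.
# 139/tcp and 445/tcp carry SMB; 137/udp and 138/udp are NetBIOS name (WINS)
# and datagram service, which browsing and name resolution depend on.
ACCEPT  vpn     loc:192.168.1.10        tcp     139,445
ACCEPT  vpn     loc:192.168.1.10        udp     137,138
# YAVIPIND runs on the firewall itself, so its UDP port must be reachable
# from the remote sites. 5000 is a placeholder for the configured port;
# narrow SOURCE to the two sites' external addresses (net:a.b.c.d) if they
# are static.
ACCEPT  net     fw                      udp     5000
```

After editing the files, `shorewall restart` applies them; if you instead want every remote host to reach every local host, as the question asks, replace the `vpn loc DROP` policy with `ACCEPT` and drop the two file-server rules. The `fw net ACCEPT` policy is what lets the tunnel daemon's own outbound UDP leave, which an `all all REJECT` catch-all would otherwise block.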