Martinez, Mike (MHS-ACS)
2002-Aug-05 16:44 UTC
[Shorewall-users] RE: New Proxyarp Question and Multiple Class C subnets on the same LAN
Tom\Kristof\Everyone,

We currently have a Full Class "C" (207.207.19.0/24). We are adding a second Class "C" (216.166.26.0/24).

We currently have shorewall setup with three interfaces. We are using proxyarp and have 254 ip's in the proxyarp file. We are not doing any nat\dnat or masquerading.

My current interface file is set up like this:

##############################################################################
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth0        207.207.19.255   norfc1918,routestopped
loc     eth1        192.168.1.255    routestopped
dmz     eth2        192.168.2.255    routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

1. Will I need to add the multi option on all three interfaces???

2. Will I change interface eth0 broadcast to include this class c broadcast IE:

#ZONE   INTERFACE   BROADCAST                       OPTIONS
net     eth0        207.207.19.255;216.166.26.255   norfc1918,routestopped,multi

3. AND to implement the new proxyarp feature in version 1.3.5 do I add the proxyarp option to eth0 interface and\or all 3 interfaces and empty my proxyarp file vs adding another 254 ip to my proxyarp file?

4. Do I need to change anything else?

Any help on this would be greatly appreciated.

Mike

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, July 17, 2002 11:00 AM
To: Kristof Hardy
Cc: shorewall-users@shorewall.net
Subject: Re[2]: [Shorewall-users] performance considerations?

On Mon, 15 Jul 2002, Kristof Hardy wrote:

>
> TE> I hope that you aren't using Shorewall to define the Proxy ARP.
> TE> With that many IPs, it's much better done by simply setting the
> TE> proxy-arp flag on the internal and external interfaces.
>
> Mm, we are using shorewall to define the Proxy ARP. I found where to
> set the flag on the interfaces but what is the advantage/difference of
> this compared to the Shorewall-way?
>
> I do need to split up our ip range in 2 subnets if I want to turn on
> the ProxyARP flag on the interfaces, right?
>

That's correct!

> TE> Since I only have one ADSL line here, I haven't been able to
> TE> experiment with multiple uplinks -- possibly someone else can
> TE> offer some experience.
>
> Just to let you know. It seems to work. I have been playing around
> with the "Advanced Routing & Traffic Control HOWTO" and it seems to
> work pretty good.
>

Thanks!
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep
2002-Aug-05 16:53 UTC
[Shorewall-users] RE: New Proxyarp Question and Multiple Class C subnets on the same LAN
On Mon, 5 Aug 2002, Martinez, Mike (MHS-ACS) wrote:

> Tom\Kristof\Everyone,
>
> We currently have a Full Class "C" (207.207.19.0/24). We are adding a second
> Class "C" (216.166.26.0/24).
>
> We currently have shorewall setup with three interfaces. We are using
> proxyarp and have 254 ip's in the proxyarp file. We are not doing any
> nat\dnat or masquerading.
>
> My current interface file is set up like this:
>
> ##############################################################################
> #ZONE   INTERFACE   BROADCAST        OPTIONS
> net     eth0        207.207.19.255   norfc1918,routestopped
> loc     eth1        192.168.1.255    routestopped
> dmz     eth2        192.168.2.255    routestopped
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> 1. Will I need to add the multi option on all three interfaces???

No.

>
> 2. Will I change interface eth0 broadcast to include this class c broadcast
> IE:
>
> #ZONE   INTERFACE   BROADCAST                       OPTIONS
> net     eth0        207.207.19.255;216.166.26.255   norfc1918,routestopped,multi
>

You'll want to use "," as a separator rather than ";".

> 3. AND to implement the new proxyarp feature in version 1.3.5 do I add the
> proxyarp option to eth0 interface and\or all 3 interfaces and empty my
> proxyarp file vs adding another 254 ip to my proxyarp file?
>

Be sure to download and install the corrected firewall script from the errata page. You will want to include the option on all three interfaces and you can empty your proxyarp file.

> 4. Do I need to change anything else?

Shouldn't have to but I'm speaking from theory :-) If Kristof has actual experience, his input is probably more valuable to you...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
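
Added example, not part of either message and not Shorewall's own code: a small shell lint that checks an interfaces file for the two points in the reply above, the "," separator in the BROADCAST column and the proxyarp option on every interface. The function names are hypothetical, the two sample files are constructed from the lines quoted in the thread, and the column layout is assumed to be the one shown there.

```shell
# Added example: lint a Shorewall 1.3.x interfaces file against the reply above.
# Assumed columns: ZONE INTERFACE BROADCAST OPTIONS. "multi" is not checked.

lint_interfaces() {
    # $1 = interfaces file. Prints one finding per line; returns 1 if any.
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank and comment lines
        {
            iface = $2; bcast = $3; opts = $4
            if (index(bcast, ";") > 0) {
                print iface ": broadcast list uses \";\" as separator, expected \",\""
                bad = 1
            }
            if (("," opts ",") !~ /,proxyarp,/) {
                print iface ": proxyarp option not set"
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the file as proposed in the question.
write_proposed() {
    cat > "$1" <<'EOF'
#ZONE   INTERFACE   BROADCAST                       OPTIONS
net     eth0        207.207.19.255;216.166.26.255   norfc1918,routestopped,multi
loc     eth1        192.168.1.255                   routestopped
dmz     eth2        192.168.2.255                   routestopped
EOF
}

# Constructed sample: the same file with the separator and proxyarp advice applied.
write_advised() {
    cat > "$1" <<'EOF'
#ZONE   INTERFACE   BROADCAST                       OPTIONS
net     eth0        207.207.19.255,216.166.26.255   norfc1918,routestopped,proxyarp
loc     eth1        192.168.1.255                   routestopped,proxyarp
dmz     eth2        192.168.2.255                   routestopped,proxyarp
EOF
}

demo_dir=$(mktemp -d)
write_proposed "$demo_dir/proposed"
write_advised "$demo_dir/advised"
lint_interfaces "$demo_dir/proposed" || echo "proposed file: findings above"
lint_interfaces "$demo_dir/advised" && echo "advised file: clean"
rm -rf "$demo_dir"
```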