> I went to install Shorewall on a network today and found the network had
> two segments on it (10.1.2.x and 10.1.1.x) with the firewall at 10.1.1.1.
> Shorewall box has two NICs (One public and the 10.1.1.1 private). Shorewall
> will be replacing a WinProxy/NT4 box that keeps blue screening once a day. Is
> there any special that needs to be done on the Shorewall configuration to
> accept both IP ranges/segments to browse out to the internet? Any advance on
> the setup would be greatly appreciated.

Am wondering -- are you sure they are really separate networks? What netmask is being used on each? If you really have two networks, are the networks connected (routed) to each other? What default gateway is in use on hosts on the 10.1.2.x network?

In any case, there shouldn't be any special problems. Shorewall will support any number of interfaces, and/or multiple IP's (network addresses) per interface, if needed.

Ron

Hi Ron:

The network segments have a subnet of 255.0.0.0.

IP: 10.1.2.X
SN: 255.0.0.0
GW: 10.1.1.1

IP: 10.1.1.X
SN: 255.0.0.0
GW: 10.1.1.1

Mike

Digital Minds International
E-Mail: MikeB@DigitalMinds.net
Web: http://www.DigitalMinds.net
Tel: (615) 661-7900
Fax: (615) 661-7949

---------- Original Message -----------
From: "Ron Shannon" <rshannon@cruzcom.com>
To: "Michael Bush" <MikeB@digitalminds.net>, <shorewall-users@shorewall.net>
Sent: Thu, 1 Aug 2002 21:28:22 -0700
Subject: RE: [Shorewall-users] Multiple IP segments on LAN

> > I went to install Shorewall on a network today and found the network had
> > two segments on it (10.1.2.x and 10.1.1.x) with the firewall at 10.1.1.1.
> > Shorewall box has two NICs (One public and the 10.1.1.1 private). Shorewall
> > will be replacing a WinProxy/NT4 box that keeps blue screening once a day. Is
> > there any special that needs to be done on the Shorewall configuration to
> > accept both IP ranges/segments to browse out to the internet? Any advance on
> > the setup would be greatly appreciated.
>
> Am wondering -- are you sure they are really separate networks? What
> netmask is being used on each? If you really have two networks, are
> the networks connected (routed) to each other? What default gateway
> is in use on hosts on the 10.1.2.x network?
>
> In any case, there shouldn't be any special problems. Shorewall will
> support any number of interfaces, and/or multiple IP's (network
> addresses) per interface, if needed.
>
> Ron

------- End of Original Message -------

Hi Mike

If you set up shorewall with the same netmask it will know. But I'm not sure if you know the basics of TCP/IP addressing and networking (sorry).

In your case a netmask of 255.0.0.0 means that all 10.x.x.x IP addresses are located in your local network. These are 255 x 255 x 255 = 16.581.375 IP addresses. I don't think you plan to have over 16 million machines in your LAN ;-)))

On the other hand there is no real segmentation in your config. With this netmask all machines with an IP of 10.x.x.x are on the same subnet.

- If you don't have too many machines you want to put them all in a 255.255.255.0 subnet (e.g. 10.1.1.x).
- If you want to separate the network then give both a netmask of 255.255.255.0 and set up a second interface or IP on the shorewall and if desired set up routing between the two networks.
- If you (really ;-) want to stick with your config then at least give the machines a netmask of 255.255.0.0 or even better 255.255.252.0 (this will allow 10.1.1.x and 10.1.2.x to be in the same subnet).

Happy shorewalling
Sascha

--------------------------------------------------------
Sascha Knific
K Systems & Design        Tel. +49-8151-773260
Wittelsbacherstr. 6a      Fax. +49-8151-773262
82319 Starnberg, Germany  Leo  +49-8151-773261
WGS84: N57°59'52.4" E11°20'34.3"
knific@k-sysdes.net       http://www.k-sysdes.net

Michael Bush wrote:

> Hi Ron:
>
> The network segments have a subnet of 255.0.0.0.
>
> IP: 10.1.2.X
> SN: 255.0.0.0
> GW: 10.1.1.1
>
> IP: 10.1.1.X
> SN: 255.0.0.0
> GW: 10.1.1.1
>
> Mike
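
The netmask arithmetic discussed in the message above, as an added example that is not part of the original thread: it groups hosts by the network each netmask puts them in and derives the smallest single network covering both ranges. The host addresses 10.1.1.50 and 10.1.2.50 are constructed samples; only 10.1.1.1 (the firewall) and the masks come from the thread.

```python
import ipaddress

# Constructed sample hosts in the two ranges from the thread; 10.1.1.1 is the firewall.
HOSTS = ["10.1.1.1", "10.1.1.50", "10.1.2.50"]
# Netmasks mentioned in the thread.
MASKS = ["255.0.0.0", "255.255.0.0", "255.255.252.0", "255.255.255.0"]


def networks_under(hosts, netmask):
    """Map each distinct network to the hosts that fall in it under netmask."""
    groups = {}
    for h in hosts:
        net = ipaddress.ip_interface(f"{h}/{netmask}").network
        groups.setdefault(net, []).append(h)
    return groups


def on_link(src, dst, netmask):
    """True if src, configured with netmask, reaches dst directly (no gateway hop)."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(f"{src}/{netmask}").network


def smallest_common_network(hosts):
    """Smallest single IPv4 network that contains every host."""
    addrs = [int(ipaddress.IPv4Address(h)) for h in hosts]
    diff = 0
    for a in addrs:
        diff |= a ^ addrs[0]          # collect every bit on which the hosts disagree
    prefix = 32 - diff.bit_length()   # bits above the highest differing bit are shared
    base = (addrs[0] >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network((base, prefix))


if __name__ == "__main__":
    for mask in MASKS:
        groups = networks_under(HOSTS, mask)
        verdict = "one network" if len(groups) == 1 else f"{len(groups)} networks"
        print(f"{mask:<15} {verdict}: " + ", ".join(str(n) for n in groups))
    common = smallest_common_network(HOSTS)
    print("smallest common network:", common, "netmask", common.netmask)
```

Under 255.255.255.0 a 10.1.2.x host no longer has 10.1.1.1 on-link, which is why that option in the message needs a second interface or IP on the firewall.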

On Fri, 2 Aug 2002, Michael Bush wrote:

> Hi Ron:
>
> The network segments have a subnet of 255.0.0.0.
>
> IP: 10.1.2.X
> SN: 255.0.0.0
> GW: 10.1.1.1
>
> IP: 10.1.1.X
> SN: 255.0.0.0
> GW: 10.1.1.1
>

That is ONE network. see:

http://www.shorewall.net/shorewall_setup_guide.htm#Addressing

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Tom:

Thanks for the clarification and referencing the docs.

Michael Bush

Digital Minds International
E-Mail: MikeB@DigitalMinds.net
Web: http://www.DigitalMinds.net
Tel: (615) 661-7900
Fax: (615) 661-7949

---------- Original Message -----------
From: Tom Eastep <teastep@shorewall.net>
To: Michael Bush <MikeB@digitalminds.net>
Sent: Fri, 2 Aug 2002 06:19:17 -0700 (PDT)
Subject: RE: [Shorewall-users] Multiple IP segments on LAN

> On Fri, 2 Aug 2002, Michael Bush wrote:
>
> > Hi Ron:
> >
> > The network segments have a subnet of 255.0.0.0.
> >
> > IP: 10.1.2.X
> > SN: 255.0.0.0
> > GW: 10.1.1.1
> >
> > IP: 10.1.1.X
> > SN: 255.0.0.0
> > GW: 10.1.1.1
> >
>
> That is ONE network. see:
>
> http://www.shorewall.net/shorewall_setup_guide.htm#Addressing
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net

------- End of Original Message -------