Eric C. Herot
2002-Sep-17 16:14 UTC
[Shorewall-users] Multiple computers on external side of the network
My setup is that I have a whole /24 subnet to myself (or my company rather) and I want all of the internal machines to have the same addresses inside as outside (I don't like NAT, it causes too many headaches for things like MSN Instant Messenger file transfers, which the CEO of our company is very fond of).

I have two problems:

Firstly, I'm trying to set up a VPN alongside (in parallel with?) the firewall; it too requires one interface on the inside and another on the outside. The problem is: if I activate the external interface on the VPN while Shorewall is running, it tells me that I have an IP address conflict with the external NIC of the firewall. It's not enough just to have the external network adaptor of the firewall enabled, I actually have to have Shorewall running (which is why I have come here with this problem). If I look at the syslog, there are many, many messages from Shorewall indicating that it was trying to figure out what to do with packets directed at the external address of the VPN (why would the firewall be trying to deal with those packets at all? How do I get the firewall to not claim responsibility for certain IPs on its network?)

Secondly (and perhaps fixing this would be a solution to the first as well, but I don't know), since my internal and external networks use the same IP addresses, I've had a few problems setting up the proper netmask. The way I've gotten it to work for now is to set the netmask on all internal machines to 255.255.255.128. Obviously this means I can only use half of my allocated addresses. Is there any way that I can have the same IP on both the internal and external interfaces of the firewall without having to sacrifice half of my addresses?

Thanks a bunch,
Eric
Tom Eastep
2002-Sep-17 17:35 UTC
[Shorewall-users] Multiple computers on external side of the network
Eric C. Herot wrote:
> My setup is that I have a whole /24 subnet to myself (or my company
> rather) and I want all of the internal machines to have the same
> addresses inside as outside (I don't like NAT, it causes too many
> headaches for things like MSN Instant Messenger file transfers, which
> the CEO of our company is very fond of).
>
> I have two problems:
>
> Firstly, I'm trying to set up a VPN alongside (in parallel with?) the
> firewall; it too requires one interface on the inside and another on the
> outside. The problem is: if I activate the external interface on the
> VPN while Shorewall is running, it tells me that I have an IP address
> conflict with the external NIC of the firewall. It's not enough just to
> have the external network adaptor of the firewall enabled, I actually
> have to have Shorewall running (which is why I have come here with this
> problem). If I look at the syslog, there are many, many messages from
> Shorewall indicating that it was trying to figure out what to do with
> packets directed at the external address of the VPN (why would the
> firewall be trying to deal with those packets at all? How do I get the
> firewall to not claim responsibility for certain IPs on its network?)

Several things:

1. From the above description, I am unable to draw a diagram of your network setup (I don't understand where the VPN fits into the picture).

2. Shorewall deals with ALL packets going to/from/through the firewall. If you want it to transparently pass certain traffic then you have to configure Shorewall appropriately.

> Secondly (and perhaps fixing this would be a solution to the first as
> well, but I don't know), since my internal and external networks use the
> same IP addresses, I've had a few problems setting up the proper
> netmask. The way I've gotten it to work for now is to set the netmask
> on all internal machines to 255.255.255.128. Obviously this means I can
> only use half of my allocated addresses. Is there any way that I can
> have the same IP on both the internal and external interfaces of the
> firewall without having to sacrifice half of my addresses?

Does the upstream router route all traffic to your /24 to the external IP of your firewall/router? Is the IP address of the upstream router in your /24?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Heupink, Mourik Jan C.
2002-Sep-17 18:37 UTC
[Shorewall-users] Multiple computers on external side of the network
Hello.

I was in a similar situation, and ended up doing the following:

I built a transparent bridging firewall myself. It's a bit more complicated than setting up Shorewall, but it did the trick for me. It allows me to keep the current network configuration *exactly* as it is now. (You have to learn iptables, though...)

I've simply put the firewall in between the internet and our network (just before the UTP <-> glass fibre converter) and it was up and running in no time. If ever the firewall breaks down, I simply take the firewall out, and all works just as before, only without a firewall. Of course implementing a DMZ etc. is not possible this way. (I guess?)

And, when building a new network from the ground up, I will absolutely be using Shorewall, but to deal with the situation as it was given to me, this really looked like the best solution.

Anyway: I don't know if it applies to you; if not, forget I said anything :) (It's just that I had been struggling with this issue for a week or two, and then all of a sudden someone mentioned the beast 'transparent bridging firewall', and it turned out to be *exactly* what I was looking for.)

Yours,
mourik jan
Tom Eastep
2002-Sep-17 19:29 UTC
[Shorewall-users] Multiple computers on external side of the network
Heupink, Mourik Jan C. wrote:
> Hello.
>
> I was in a similar situation, and ended up doing the following:
>
> I built a transparent bridging firewall myself. It's a bit more complicated
> than setting up Shorewall, but it did the trick for me. It allows me to keep
> the current network configuration *exactly* as it is now. (You have to learn
> iptables, though...)

Configured properly, Shorewall should work with the bridging/firewall code.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Martinez, Mike (MHS-ACS)
2002-Sep-17 19:57 UTC
[Shorewall-users] Multiple computers on external side of the network
Eric,

I have a network that is very similar to what you are trying to set up. We have a full class C subnet (/24) and a Nortel 1500 VPN. One of our management requirements was that we had to maintain the same public IPs on all of our workstations and servers. With Shorewall all I had to do was to implement Proxy ARP (http://www.shorewall.net/Documentation.htm#ProxyArp) and it worked.

On the firewall, our external NIC (eth0) has a real IP, the internal NIC (eth1) has a private IP of 192.168.1.1 and our DMZ NIC (eth2) has a private IP of 192.168.2.1, and it works. My proxyarp file has 254 IPs in it, and in this file you set up where each IP is (internal NIC (eth1) or DMZ NIC (eth0)). When you do a route command, the route table knows exactly where to send the packets. It's like a bridged firewall/router. And the nice thing about this is that we did not have to change anything on our workstations/servers. They all have public IPs, the subnet mask is 255.255.255.0 and the gateway is our router.

Example:

    #ADDRESS         INTERFACE   EXTERNAL   HAVEROUTE
    207.xxx.xxx.2    eth1        eth0       no
    207.xxx.xxx.3    eth1        eth0       no
    207.xxx.xxx.4    eth1        eth0       no
    207.xxx.xxx.5    eth1        eth0       no
    207.xxx.xxx.6    eth2        eth0       no
    207.xxx.xxx.7    eth0        eth0       no

As far as the VPN goes, our Nortel documentation recommends that the VPN sits parallel with the firewall as you describe. I could not get this to work in parallel with our Shorewall box no matter what I did. So we put our Nortel VPN inside our firewall and set up some rules to allow ESP and UDP 500, and the VPN works like a charm. Here are the rules that I have for the VPN:

    ACCEPT   net   loc   esp
    ACCEPT   net   loc   udp   500

Anyway, I know Shorewall will work for your setup and I hope this helps.

Mike
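The proxyarp file Mike describes above maps each published address to the interface that really hosts it. The script below is an added example, not Shorewall's own code and not from this thread: it expands such a file into the plain iproute2, sysctl and arp commands that implement an entry (a host route out of the inside interface unless HAVEROUTE is yes, proxy_arp enabled on the external interface, and a published ARP entry so the firewall answers for the address on the external segment). The command forms are the ones Shorewall 1.x issued for a proxyarp entry; the interface names, the function names and the sample entries using the 203.0.113.0/24 documentation prefix are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): expand Shorewall-style proxyarp
# entries into the commands that implement them.
# Entry format, one per line:  ADDRESS INTERFACE EXTERNAL HAVEROUTE
# Assumptions: interface names and addresses are illustrative; the command
# forms match what Shorewall 1.x generated for a proxyarp entry. Enabling
# ip_forward is left to the firewall configuration itself.

# Constructed sample file, using the 203.0.113.0/24 documentation prefix.
# .2 and .3 sit behind eth1 (loc), .6 and .7 behind eth2 (dmz); .7 already
# has a route (HAVEROUTE=yes), so only the ARP publication is needed.
SAMPLE_PROXYARP='#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE
203.0.113.2     eth1       eth0      no
203.0.113.3     eth1       eth0      no
203.0.113.6     eth2       eth0      no
203.0.113.7     eth2       eth0      yes'

# proxyarp_cmds: read entries on stdin, print one command per line.
# Nothing is executed here; pipe the output into "sh" as root to apply it.
proxyarp_cmds() {
    seen_ext=" "
    while read -r address interface external haveroute; do
        # skip blank lines and comments
        case "$address" in ''|'#'*) continue ;; esac
        # answer ARP for published addresses on the external segment
        # (emitted once per external interface)
        case "$seen_ext" in
            *" $external "*) ;;
            *) seen_ext="$seen_ext$external "
               echo "sysctl -w net.ipv4.conf.${external}.proxy_arp=1" ;;
        esac
        # host route so the firewall forwards to the segment that owns it
        [ "$haveroute" = "yes" ] || \
            echo "ip route replace ${address}/32 dev ${interface}"
        # publish the address with the external interface's MAC ("pub")
        echo "arp -i ${external} -Ds ${address} ${external} pub"
    done
}

# count_routes: number of host routes a config on stdin would add; should
# equal the number of entries whose HAVEROUTE is not "yes".
count_routes() {
    proxyarp_cmds | grep -c '^ip route replace'
}

printf '%s\n' "$SAMPLE_PROXYARP" | proxyarp_cmds
```

Run as is, the script only prints the commands for the constructed sample; the published ARP entry is what makes the upstream router send traffic for 203.0.113.2 to the firewall's eth0 MAC, and the host route is what makes the firewall deliver it out of eth1 rather than treating it as a local or external address, which is the behaviour Eric saw Shorewall refusing to provide for the VPN's external IP.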
mourik jan c heupink
2002-Sep-17 20:17 UTC
[Shorewall-users] Multiple computers on external side of the network
Dear Tom,

I didn't know that... but doesn't the whole bridging firewall idea need the kernel patch..? That's what I assumed.

...? Becoming quite confused here...

If I search for "bridge" on the Shorewall site, I get one hit saying:

<quote>
... are insecure when used over the internet; use them at your own risk. GRE and IPIP tunneling with Shorewall requires iproute2 and can be used to bridge two masqueraded networks. GRE tunnels were introduced in Shorewall version 1.2.0_Beta2. The simple scripts described in the Linux Advanced Routing and ...
</quote>

But it specifically says: two masqueraded networks. That's not what I'm talking about...

Yours,
mourik jan

On Tue, 2002-09-17 at 21:29, Tom Eastep wrote:
> Configured properly, Shorewall should work with the bridging/firewall code.
mourik jan c heupink
2002-Sep-17 20:24 UTC
[Shorewall-users] Multiple computers on external side of the network
Wait... replied too fast (once more...)

You mean that Shorewall can be used to generate the iptables rules to be used with the bridging firewall. Right?

Could you tell me how? (I've done it myself, for now, but it would be interesting to know how this can be done with Shorewall.)
Tom Eastep
2002-Sep-17 20:29 UTC
[Shorewall-users] Multiple computers on external side of the network
mourik jan c heupink wrote:
> Wait... replied too fast (once more...)
>
> You mean that Shorewall can be used to generate the iptables rules to be
> used with the bridging firewall. Right?

That's correct.

> Could you tell me how? (I've done it myself, for now, but it would be
> interesting to know how this can be done with Shorewall.)

I haven't tried it -- Jacques Nilo (Bering LEAF distribution) has done it though. It might be fastest if you sent me a copy of your rules and I'll work backward from them to produce a Shorewall config (or the outline of one). I can then add some documentation to the web site.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net