thr3ads.net - Shorewall users - [Shorewall-users] Shorewall and VLANs (802.1q) [Oct 2002]

If this information is useful, please help other people find it:
Share via:

Gilson Soares

2002-Oct-14 22:12 UTC

[Shorewall-users] Shorewall and VLANs (802.1q)

My actual scenario is:
-Hundreds PCs in a internal network (fixed IP), divided in +- 6 different 
subnets
-A +- 6 customers with leased lines
-A Cisco Catalyst 4006 connecting groups of PCs to corresponding customers 
(imagine a Call Center company)
-Works fine.

The problem:
Frequently, it''s necessary to migrate dozens PCs from a customer to 
another. You know, change all IPs and reconfigure all interfaces.

The target:
Implement a centralized Linux box with Shorewall/NAT/VLAN, slice the PCs in 
small groups of VLANs (even smaller groups for manageability, i.e., +-30-50 
groups), in a one whole internal subnet, and use NAT to give access from 
one PC to the correct customer.

Suppose PC-1 (from VLAN-1) is accessing the CUSTOMER-1 network.
If I need to migrate PC-1 to CUSTOMER-2, I just change the NAT in shorewall 
config files and restart it. I don''t need to change any configuration
on
client machine.

If it''s NAT issue, why not just Iptables ? I don''t know
iptables, but I
know Shorewall. I can also create a Web interface to easily permit the IT 
guy to manage this configuration and restart Shorewall.

Does anyone had any experience with Shorewall and VLANs (802.1q) 
(http://www.candelatech.com/~greear/vlan.html) ?
If yes, any issue i need to be aware of ?

-Gilson

Tuomo Soini

2002-Oct-15 20:52 UTC

head link

[Shorewall-users] Shorewall and VLANs (802.1q)

Gilson Soares wrote:

> Does anyone had any experience with Shorewall and VLANs (802.1q) 
> (http://www.candelatech.com/~greear/vlan.html) ?
> If yes, any issue i need to be aware of ?
I have. On http://tis.foobar.fi/tis/vconfig-1.6-5foo.src.rpm you can 
find vconfig which works with redhat 7.3.

There are some limitations to device names because of redhat startup 
scripts but it works great. I have build firewall which filters traffic 
between corporate vlans using one giga-ethernet network card on firewall 
box.

There were some problems with asyncronous routing when some machines 
were sitting on several vlans. Problem was fixed using bind9 views and 
telling local ip via dns.

There seems to be performance problems within shorewall when there are 
lots of rules and lots of zones. On my config there were about 20 vlan 
interfaces and shorewall restart takes more than 60 seconds.

-- 
Tuomo Soini <tis@foobar.fi>
http://tis.foobar.fi/

Apparently Analagous Threads

Search for more reasonably related threads

Shorewall users - Oct 2002 - Shorewall and VLANs (802.1q)

[Shorewall-users] Shorewall and VLANs (802.1q)

[Shorewall-users] Shorewall and VLANs (802.1q)

Apparently Analagous Threads