Hi, thanks for a great piece of software!

...at the moment I have a commercial VPN box, which also acts as our firewall. I wish to replace this firewall functionality with a dedicated Shorewall firewall, and use the VPN box only for VPN traffic.

At the moment, this VPN/Firewall box is at an internet visible address, x.x.x.85
I wish to make the new Shorewall firewall x.x.x.85 and move the VPN to x.x.x.83
For mail relay purposes, our LAN firewall, whether a VPN box or a Shorewall box, cannot be anything other than x.x.x.85. It does simple SNAT.

Now:
                      eth1                  eth0
                    x.x.x.85               y.y.y.3
  ****        |----|        --------------        /-LAN A
  Net*--------|ADSL|--------|VPN/Firewall|-------/---LAN B
  ****        |----|        --------------        \-- LAN C

Planned:
                      eth1                  eth0
                    x.x.x.85               y.y.y.3
  ****        |----|        -----------           /--LAN A
  Net*--------|ADSL|--------|Shorewall|----------/---LAN B
  ****        |----|   |    -----------           \-- LAN C
                       |   /eth2
                       | -----  /
                       |-|VPN|--/
                         -----  z.z.z.0
                        x.x.x.83

I would expect to set up route commands on the firewall to route the appropriate traffic to the VPN or the Internet as needed.

I believe the firewall would be acting as a bridge between the VPN and the LAN, and that no sort of NAT would be needed.
Packets arriving through the VPN tunnel from a particular office will be from z.z.z.0 and destined to my LAN y.y.y.0

How can I just forward these packets which match a certain subnet z.z.z.0 on interface eth2, on to interface eth0, without modification, also allowing the return packets?

Does this seem like the right way to go about it?

Thanks in advance,
Hugh
Hugh McGuirk wrote:
> Hi, thanks for a great piece of software!
>
> ...at the moment I have a commercial VPN box, which
> also acts as our firewall. I wish to replace this
> firewall functionality with a dedicated Shorewall
> firewall, and use the VPN box only for VPN traffic.
>
> At the moment, this VPN/Firewall box is at an internet
> visible address, x.x.x.85
> I wish to make the new Shorewall firewall x.x.x.85 and
> move the VPN to x.x.x.83
> For mail relay purposes, our LAN firewall, whether a
> VPN box or a Shorewall box, cannot be anything other
> than x.x.x.85. It does simple SNAT.
>
> Now:
>                       eth1                  eth0
>                     x.x.x.85               y.y.y.3
>   ****        |----|        --------------        /-LAN A
>   Net*--------|ADSL|--------|VPN/Firewall|-------/---LAN B
>   ****        |----|        --------------        \-- LAN C
>
> Planned:
>                       eth1                  eth0
>                     x.x.x.85               y.y.y.3
>   ****        |----|        -----------           /--LAN A
>   Net*--------|ADSL|--------|Shorewall|----------/---LAN B
>   ****        |----|   |    -----------           \-- LAN C
>                        |   /eth2
>                        | -----  /
>                        |-|VPN|--/
>                          -----  z.z.z.0
>                         x.x.x.83
>
> I would expect to set up route commands on the
> firewall to route the appropriate traffic to the VPN
> or the Internet as needed.
>
> I believe the firewall would be acting as a bridge
> between the VPN and the LAN, and that no sort of NAT
> would be needed.
> Packets arriving through the VPN tunnel from a
> particular office will be from z.z.z.0 and destined to
> my LAN y.y.y.0
>
> How can I just forward these packets which match a
> certain subnet z.z.z.0 on interface eth2, on to
> interface eth0, without modification, also allowing the
> return packets?
>

Three questions:

a) Do VPN clients need to access the internet through the Shorewall box?
b) Is z.z.z.0/24 a public subnetwork?
c) If so, is traffic from the internet destined for z.z.z.0/24 routed through your firewall/VPN today?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Hugh McGuirk wrote:
>>
>> Three questions:
>>
>> a) Do VPN clients need to access the internet
>> through the Shorewall box?
>> b) Is z.z.z.0/24 a public subnetwork?
>> c) If so, is traffic from the internet destined for
>> z.z.z.0/24 routed
>> through your firewall/VPN today?
>>
>> -Tom
>> --
>
>
> a) VPN clients don't need to access the internet, they
> just need to access the LAN, presumably through the
> Shorewall box.
>
> b) z.z.z.0/24 is the private RFC1918 address of the
> Client's LAN which gets tunneled through the VPN as
> far as our network.
>
> c) Clients at the other end of the VPN have their own
> direct access to the internet, so there is only
> routing between our LAN and the client's LAN.
>

Then this is just a simple routing problem. If you give eth2 a z.z.z.x/24 address, everything will "just work". Traffic from the VPN destined for a host in LANA, LANB or LANC will be routed out eth0. Traffic from those LANs for z.z.z.* will be routed out eth2.

-Tom
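Tom's answer rests on two things the thread only names in passing: the kernel's longest-prefix-match routing decision (a connected route appears for eth2 as soon as it carries a z.z.z.x/24 address, so no hand-written routes are needed for the VPN LAN) and the zone policy Shorewall still has to apply on top of that routing. The following model is an added example written for this page; it is not code from the thread or from the Shorewall project. It assumes constructed stand-in prefixes for x.x.x/y.y.y/z.z.z, a hypothetical interface-to-zone mapping (net/loc/vpn) and a hypothetical policy matching what Hugh said (VPN clients reach the LAN only, nothing unsolicited from the Internet). It also adds a reverse-path check, the kind of anti-spoofing check rp_filter or Shorewall's routefilter option performs, which the thread does not discuss.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-in prefixes for the thread's placeholders (not real hosts):
#   x.x.x.0/24 -> 192.0.2.0/24 (documentation range; the ADSL / Internet side)
#   y.y.y.0/24 -> 10.1.1.0/24  (the local LANs A/B/C behind eth0)
#   z.z.z.0/24 -> 10.2.2.0/24  (the client's RFC1918 LAN reached through the VPN box)
PUBLIC = ipaddress.ip_network("192.0.2.0/24")
LAN = ipaddress.ip_network("10.1.1.0/24")
VPN_LAN = ipaddress.ip_network("10.2.2.0/24")

Route = Tuple[ipaddress.IPv4Network, str]

# Once eth2 carries a z.z.z.x/24 address the kernel adds the connected route
# for that prefix by itself; the only hand-written route is the default via ADSL.
ROUTES: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth1"),  # default route via the ADSL box
    (PUBLIC, "eth1"),                             # eth1: x.x.x.85
    (LAN, "eth0"),                                # eth0: y.y.y.3
    (VPN_LAN, "eth2"),                            # eth2: z.z.z.x (Tom's suggestion)
]

# Hypothetical interface-to-zone mapping and zone policy, in the spirit of
# Shorewall's interfaces and policy files; the thread names none of these zones.
ZONE_OF: Dict[str, str] = {"eth1": "net", "eth0": "loc", "eth2": "vpn"}
POLICY: Dict[Tuple[str, str], str] = {
    ("loc", "vpn"): "ACCEPT",  # our LANs may reach the client's LAN
    ("vpn", "loc"): "ACCEPT",  # and the client's LAN may reach ours
    ("loc", "net"): "ACCEPT",  # ordinary Internet access for the LANs
    ("net", "loc"): "DROP",    # nothing unsolicited from the Internet
    ("net", "vpn"): "DROP",
    ("vpn", "net"): "DROP",    # Hugh: VPN clients need the LAN only, not the Internet
}


def lookup(dst: str, routes: List[Route] = ROUTES) -> str:
    """Longest-prefix match: the most specific matching route wins, as in the kernel FIB.

    The default route matches every address, so there is always a result."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def forward(src: str, dst: str, in_iface: str) -> Tuple[str, str]:
    """Decide the fate of a forwarded packet: returns (verdict, out_iface).

    verdict is 'SPOOF' when the reply to src would not leave through in_iface
    (the reverse-path check rp_filter / Shorewall routefilter performs); otherwise
    it is the zone policy verdict. out_iface is the pure routing decision, so the
    caller can see that routing and policy are separate layers."""
    out = lookup(dst)
    if lookup(src) != in_iface:
        return "SPOOF", out
    verdict = POLICY.get((ZONE_OF[in_iface], ZONE_OF[out]), "DROP")
    return verdict, out


if __name__ == "__main__":
    # Constructed sample packets: the two directions Tom describes, plus edge cases.
    samples = [
        ("10.2.2.20", "10.1.1.50", "eth2"),     # client LAN -> our LAN
        ("10.1.1.50", "10.2.2.20", "eth0"),     # our LAN -> client LAN (the reply path)
        ("10.1.1.50", "203.0.113.7", "eth0"),   # our LAN -> Internet
        ("203.0.113.7", "10.1.1.50", "eth1"),   # unsolicited from the Internet
        ("10.2.2.20", "203.0.113.7", "eth2"),   # client LAN trying to use our Internet
        ("10.1.1.50", "10.1.1.60", "eth2"),     # LAN source arriving on the VPN side
    ]
    for src, dst, iface in samples:
        verdict, out = forward(src, dst, iface)
        print(f"{src:>12} -> {dst:<12} in {iface}: route out {out}, verdict {verdict}")
```

Note that the routing layer alone would happily carry the last two packets; it is the zone policy and the reverse-path check that stop them, which is why "it just works" for routing still leaves the Shorewall policy for the new vpn zone to be written deliberately.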