I've set up shorewall with the two-interface mode.

pc #1   eth1 ---> ppp0 ---> Internet
        eth1: 10.10.10.254
        eth0: 10.10.10.1
          |
          | via a crossover cable
          |
pc #2   eth0: 10.10.10.2 (gateway=10.10.10.254)

I am able to surf the net with pc #1, but pc #2 is completely cut off from pc #1 and the net. I am also unable to ping from and to pc #2.

What is wrong with my setup?

hans
On Sunday 19 January 2003 09:06 am, hans wrote:
> I've set up shorewall with the two-interface mode.
>
> pc #1   eth1 ---> ppp0 ---> Internet
>         eth1: 10.10.10.254
>         eth0: 10.10.10.1
>           |
>           | via a crossover cable
>           |
> pc #2   eth0: 10.10.10.2 (gateway=10.10.10.254)
>
> I am able to surf the net with pc #1, but pc #2 is completely cut off
> from pc #1 and the net. I am also unable to ping from and to pc #2.
>
> What is wrong with my setup?
>
> hans

Just out of curiosity, why did you choose the same subnet for your inside lan as your outside connection?

Your pc#2 should be on a different subnet, and its gateway should be on the nic closest to it in the other machine. It can't "see" the outside nic on the firewall.

Convert eth0 in pc1 and 2 to a different subnet, I suggest 192.168.0.1 and 192.168.0.2 respectively, just to keep things simple and separate.

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
No, explicitly NOT.
You would want your eth0 (inside) on both stations behind firewall to be in the same subnet wouldn't you? With that mask you've just compounded the problem.

On 20 Jan 2003 at 18:40, Mario R. Pizzolanti wrote:

> I think he meant 192.168.1.0 and 192.168.2.0 (or any combination
> thereof) with submask 255.255.255.0 (24)
>
> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of John
> Andersen
> Sent: Monday, January 20, 2003 6:39 AM
> To: hans; Shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Unable to have pc #2 connect
>
>
> On Sunday 19 January 2003 09:06 am, hans wrote:
> > I've set up shorewall with the two-interface mode.
> >
> > pc #1   eth1 ---> ppp0 ---> Internet
> >         eth1: 10.10.10.254
> >         eth0: 10.10.10.1
> >           |
> >           | via a crossover cable
> >           |
> > pc #2   eth0: 10.10.10.2 (gateway=10.10.10.254)
> >
> > I am able to surf the net with pc #1, but pc #2 is completely cut
> > off from pc #1 and the net. I am also unable to ping from and to pc
> > #2.
> >
> > What is wrong with my setup?
> >
> > hans
>
> Just out of curiosity, why did you choose the same subnet for your
> inside lan as your outside connection?
>
> Your pc#2 should be on a different subnet, and its gateway should be
> on the nic closest to it in the other machine. It can't "see" the
> outside nic on the firewall.
>
> Convert eth0 in pc1 and 2 to a different subnet, I suggest 192.168.0.1
> and 192.168.0.2 respectively, just to keep things simple and separate.
>
>
>
> --
> John Andersen - NORCOM
> http://www.norcomsoftware.com/
> _______________________________________________
> Shorewall-users mailing list Shorewall-users@lists.shorewall.net
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
>

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
_______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
And the point of having each machine in your LAN on a different subnet would be what???

The fact that with enough configuration that you MIGHT be able to get this to work (sort of) hardly makes it a recommended practice, and certainly does not help Hans who is new to shorewall to get his network up and running.

On 20 Jan 2003 at 22:27, Mario R. Pizzolanti wrote:

> Not at all... You just put a masquerade rule and that's it.
>
> -----Original Message-----
> From: John S. Andersen [mailto:jsa@norcomix.dyndns.org]
> Sent: Monday, January 20, 2003 9:59 PM
> To: Mario R. Pizzolanti
> Cc: Shorewall-users@shorewall.net
> Subject: RE: [Shorewall-users] Unable to have pc #2 connect
>
>
> No, explicitly NOT.
> You would want your eth0 (inside) on both stations behind firewall to
> be in the same subnet wouldn't you? With that mask you've just
> compounded the problem.
>
> On 20 Jan 2003 at 18:40, Mario R. Pizzolanti wrote:
>
> > I think he meant 192.168.1.0 and 192.168.2.0 (or any combination
> > thereof) with submask 255.255.255.0 (24)
> >
> > -----Original Message-----
> > From: shorewall-users-bounces@lists.shorewall.net
> > [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of
> > John Andersen
> > Sent: Monday, January 20, 2003 6:39 AM
> > To: hans; Shorewall-users@shorewall.net
> > Subject: Re: [Shorewall-users] Unable to have pc #2 connect
> >
> >
> > On Sunday 19 January 2003 09:06 am, hans wrote:
> > > I've set up shorewall with the two-interface mode.
> > >
> > > pc #1   eth1 ---> ppp0 ---> Internet
> > >         eth1: 10.10.10.254
> > >         eth0: 10.10.10.1
> > >           |
> > >           | via a crossover cable
> > >           |
> > > pc #2   eth0: 10.10.10.2 (gateway=10.10.10.254)
> > >
> > > I am able to surf the net with pc #1, but pc #2 is completely cut
> > > off from pc #1 and the net. I am also unable to ping from and to
> > > pc #2.
> > >
> > > What is wrong with my setup?
> > >
> > > hans
> >
> > Just out of curiosity, why did you choose the same subnet for your
> > inside lan as your outside connection?
> >
> > Your pc#2 should be on a different subnet, and its gateway should
> > be on the nic closest to it in the other machine. It can't "see"
> > the outside nic on the firewall.
> >
> > Convert eth0 in pc1 and 2 to a different subnet, I suggest
> > 192.168.0.1 and 192.168.0.2 respectively, just to keep things simple
> > and separate.
> >
> >
> >
> > --
> > John Andersen - NORCOM
> > http://www.norcomsoftware.com/
> > _______________________________________________
> > Shorewall-users mailing list Shorewall-users@lists.shorewall.net
> > http://lists.shorewall.net/mailman/listinfo/shorewall-users
> >
>
>
> ______________________________________
> John Andersen
> NORCOM / Juneau, Alaska
> http://www.screenio.com/
> (907) 790-3386
> _______________________________________
> John S. Andersen
> NORCOM mailto:JAndersen@norcomsoftware.com
> Juneau, Alaska
> http://www.screenio.com/
>

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
_______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
On Sun, 19 Jan 2003 19:38:42 -0900, you wrote:
>
>Just out of curiosity, why did you choose the same subnet for your
>inside lan as your outside connection?
>

A good question. I have a simple answer, though.

I set it up in exactly the same way as illustrated in the shorewall document so that anyone else can easily troubleshoot any problem that may arise. If you look at the diagram on page 62 of shorewall-1.3.12.pdf, you will know what I mean.

(note: I meant to reply to the shorewall list but my reply was sent directly to the individual who responded. I am not sure it is a proper way of posting messages, so I repost my message to the list.)

>Your pc#2 should be on a different subnet, and its gateway should
>be on the nic closest to it in the other machine. It can't "see"
>the outside nic on the firewall.
>
>Convert eth0 in pc1 and 2 to a different subnet, I suggest
>192.168.0.1 and 192.168.0.2 respectively, just to keep
>things simple and separate.
--On Tuesday, January 21, 2003 10:47 AM +0000 hans <hans@yonder.com> wrote:

> On Sun, 19 Jan 2003 19:38:42 -0900, you wrote:
>
>>
>> Just out of curiosity, why did you choose the same subnet for your
>> inside lan as your outside connection?
>>
> A good question. I have a simple answer, though.
>
> I set it up in exactly the same way as illustrated in the shorewall
> document so that anyone else can easily troubleshoot any problem that
> may arise. If you look at the diagram on page 62 of
> shorewall-1.3.12.pdf, you will know what I mean.
>

Please don't post references to page numbers in the .pdf -- all of the documentation is available online in html format and if you post a URL, we will all be able to see what you are talking about without having to download a 2MB document.

I guess that I have to add a warning in big red letters that if your setup has 10.10.10.0/24 as the external interface, then you need to pick a different internal subnet because in a simple two-interface setup, you NEVER want the internal and external subnets to be the same.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep    \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
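The rule Tom states above (internal and external subnets must never be the same on a two-interface firewall) is easy to check mechanically, and the check also shows why hans's layout fails: with both firewall interfaces in 10.10.10.0/24, the firewall has two equally specific routes back to pc #2, so replies may leave via eth1 instead of the crossover link, and pc #2's gateway address (10.10.10.254) is not even the firewall address on the interface pc #2 is cabled to. The checker below is an added example written for this thread; it is not code from the list, from Shorewall, or from any of the posters. The /24 prefix lengths are an assumption, since no netmasks were posted, and the two address tables are constructed from hans's diagram and John's suggested 192.168.0.x fix.

```python
"""Added example for the Shorewall two-interface thread (not the project's own
code): validate a firewall's interface addresses against a LAN client's
address and default gateway.  Netmasks are ASSUMED to be /24 because the
thread never states them."""
import ipaddress
from typing import Dict, List, Tuple


def candidate_egress(firewall: Dict[str, str], dst: str) -> List[str]:
    """Interfaces whose directly connected network contains `dst`.

    More than one name back means the firewall's kernel has to break a tie
    between equally specific connected routes, i.e. replies to `dst` may be
    sent out the wrong NIC."""
    target = ipaddress.ip_address(dst)
    return sorted(
        name for name, cidr in firewall.items()
        if target in ipaddress.ip_interface(cidr).network
    )


def subnet_overlaps(firewall: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of interface names whose connected networks overlap."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in firewall.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def gateway_on_client_link(firewall: Dict[str, str], lan_if: str,
                           client_cidr: str, gateway: str) -> bool:
    """True when the client's gateway is the firewall's own address on the
    interface the client is physically attached to (`lan_if`)."""
    client = ipaddress.ip_interface(client_cidr)
    gw = ipaddress.ip_address(gateway)
    fw_lan = ipaddress.ip_interface(firewall[lan_if])
    return gw in client.network and gw == fw_lan.ip


def check_layout(firewall: Dict[str, str], lan_if: str,
                 client_cidr: str, gateway: str) -> List[str]:
    """Collect every problem found; an empty list means the layout is sane."""
    problems: List[str] = []
    for a, b in subnet_overlaps(firewall):
        problems.append(f"{a} and {b} have overlapping subnets; "
                        f"return traffic may leave the wrong interface")
    client_ip = str(ipaddress.ip_interface(client_cidr).ip)
    egress = candidate_egress(firewall, client_ip)
    if len(egress) > 1:
        problems.append(f"route to {client_ip} is ambiguous: {egress}")
    if not gateway_on_client_link(firewall, lan_if, client_cidr, gateway):
        problems.append(f"gateway {gateway} is not the firewall's address "
                        f"on {lan_if}")
    return problems


# Constructed from hans's diagram (pc #1 = the firewall); masks assumed /24.
AS_POSTED = {"eth1": "10.10.10.254/24", "eth0": "10.10.10.1/24"}
# Constructed from John's suggestion: move the inside LAN to 192.168.0.0/24.
AFTER_FIX = {"eth1": "10.10.10.254/24", "eth0": "192.168.0.1/24"}

if __name__ == "__main__":
    cases = [
        ("as posted", AS_POSTED, "10.10.10.2/24", "10.10.10.254"),
        ("after fix", AFTER_FIX, "192.168.0.2/24", "192.168.0.1"),
    ]
    for label, fw, client, gw in cases:
        found = check_layout(fw, "eth0", client, gw)
        print(f"[{label}] {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run as-is it reports three problems for the posted layout (overlap, ambiguous return route, gateway not on the crossover link) and none after the inside LAN is moved to 192.168.0.0/24; feed it your own interface table and client address to check a layout before bringing the firewall up.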
On Tue, 21 Jan 2003 09:11:13 -0800, you wrote:
>
>Please don't post references to page numbers in the .pdf -- all of the
>documentation is available online in html format and if you post a URL, we
>will all be able to see what you are talking about without having to
>download a 2MB document.
>
>I guess that I have to add a warning in big red letters that if your setup
>has 10.10.10.0/24 as the external interface, then you need to pick a
>different internal subnet because in a simple two-interface setup, you
>NEVER want the internal and external subnets to be the same.
>
>-Tom

I am sorry for what I did. I won't mention the .pdf page although you also advertised today that such document is now available. I simply mention the page to show that I followed exactly what is on the manual. I am glad to know that there was an error in the manual and to make a small contribution to your endeavor.

hans
--On Tuesday, January 21, 2003 11:56 AM +0000 hans <hans@yonder.com> wrote:

>
> I am sorry for what I did. I won't mention the .pdf page although you
> also advertised today that such document is now available.

No need to be sorry -- I was just pointing out that if you want people to answer your question, you probably don't want to make them download a large document before they can even understand the question. Just because the .pdf files are available, doesn't mean that everyone on the list has bothered to download them.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep    \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net