Hi Tom (and others),
in case you don't know my network already ;) here's a quick run down:

eth0 lan  192.168.1.1/255.255.255.0
eth1 wan1 172.30.7.4/255.255.240.0
eth2 wan2 202.37.230.93/255.255.255.192
eth3 wan3 203.96.213.73/255.255.254.0

I've got routes and rules for all the above interfaces :)

I want to add another one, however I fear this might cause some issues. I have another IP address 203.96.212.68/255.255.254.0 which is in the same subnet as eth3 203.96.213.73. Is it going to cause problems having these IPs on the same router? I want to enable DNAT rules, and masq for both IPs. I'm hoping I can do it using eth3:0 and eth3:1 because I've run out of PCI slots :) but if I can't I'll drop eth 172.30.7.4 and replace it with 203.96.212.68.

Any advice on how I begin this? And what "gotchas" I should look out for?

P.S. 172 addys and 203 addys are on the same "flat" layer 2 network which may cause some problems (the old - plug the network cables in the same switch problem :) ) but it hasn't caused any issues yet.

Explanation: I have a large scale wifi network (approx 300 square kilometers). The user addresses are all 203.96.212or3.0 and the wifi gear is all on 172.30.7.x. I can remotely manage the radios using 172 addys and hand out 203 addys to customers. I guess the proper way would be to VLAN the two networks :/ but that involves buying vlan gear :(

Paul.
On Fri, 2004-12-03 at 10:10 +1300, Paul wrote:
> Hi Tom (and others)
> in case you don't know my network already ;) here's a quick run down
> eth0 lan 192.168.1.1/255.255.255.0
> eth1 wan1 172.30.7.4/255.255.240.0
> eth2 wan2 202.37.230.93/255.255.255.192
> eth3 wan3 203.96.213.73/255.255.254.0
>
> I've got routes and rules for all the above interfaces :)
>
> I want to add another one, however I fear this might cause some issues
> I have another IP address 203.96.212.68/255.255.254.0 which is in the
> same subnet as eth3 203.96.213.73
> is it going to cause problems having these IPs on the same router?
> I want to enable DNAT rules, and masq for both IPs
> I'm hoping I can do it using eth3:0 and eth3:1

That's what I would do. See http://shorewall.net/Shorewall_and_Aliased_Interfaces.html for more information.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Fri, 2004-12-03 at 10:10 +1300, Paul wrote:
>
>> Hi Tom (and others)
>> in case you don't know my network already ;) here's a quick run down
>> eth0 lan 192.168.1.1/255.255.255.0
>> eth1 wan1 172.30.7.4/255.255.240.0
>> eth2 wan2 202.37.230.93/255.255.255.192
>> eth3 wan3 203.96.213.73/255.255.254.0
>>
>> I've got routes and rules for all the above interfaces :)
>>
>> I want to add another one, however I fear this might cause some issues
>> I have another IP address 203.96.212.68/255.255.254.0 which is in the
>> same subnet as eth3 203.96.213.73
>> is it going to cause problems having these IPs on the same router?
>> I want to enable DNAT rules, and masq for both IPs
>> I'm hoping I can do it using eth3:0 and eth3:1
>
> That's what I would do. See
> http://shorewall.net/Shorewall_and_Aliased_Interfaces.html for more
> information.
>
> -Tom

Can I do this in masq?

#INTERFACE SUBNET ADDRESS
eth2       eth0   203.96.213.73
eth2       eth0   203.96.212.68

Paul.
On Fri, 2004-12-03 at 11:19 +1300, Paul wrote:
> Tom Eastep wrote:
>> On Fri, 2004-12-03 at 10:10 +1300, Paul wrote:
>>
>>> Hi Tom (and others)
>>> in case you don't know my network already ;) here's a quick run down
>>> eth0 lan 192.168.1.1/255.255.255.0
>>> eth1 wan1 172.30.7.4/255.255.240.0
>>> eth2 wan2 202.37.230.93/255.255.255.192
>>> eth3 wan3 203.96.213.73/255.255.254.0
>>>
>>> I've got routes and rules for all the above interfaces :)
>>>
>>> I want to add another one, however I fear this might cause some issues
>>> I have another IP address 203.96.212.68/255.255.254.0 which is in the
>>> same subnet as eth3 203.96.213.73
>>> is it going to cause problems having these IPs on the same router?
>>> I want to enable DNAT rules, and masq for both IPs
>>> I'm hoping I can do it using eth3:0 and eth3:1
>>
>> That's what I would do. See
>> http://shorewall.net/Shorewall_and_Aliased_Interfaces.html for more
>> information.
>>
>> -Tom
>
> Can I do this in masq?
> #INTERFACE SUBNET ADDRESS
> eth2       eth0   203.96.213.73
> eth2       eth0   203.96.212.68

#INTERFACE SUBNET ADDRESS
eth2       eth0   203.96.213.73,203.96.212.68

-Tom
>> Can I do this in masq?
>> #INTERFACE SUBNET ADDRESS
>> eth2       eth0   203.96.213.73
>> eth2       eth0   203.96.212.68
>>
>> Paul.

Err .. I shoulda kept reading :)

#INTERFACE SUBNET ADDRESS
eth2:0     eth0   203.96.213.73
eth2:1     eth0   203.96.212.68
On Fri, 2004-12-03 at 11:22 +1300, Paul wrote:
>>> Can I do this in masq?
>>> #INTERFACE SUBNET ADDRESS
>>> eth2       eth0   203.96.213.73
>>> eth2       eth0   203.96.212.68
>>>
>>> Paul.
>
> Err .. I shoulda kept reading :)
> #INTERFACE SUBNET ADDRESS
> eth2:0     eth0   203.96.213.73
> eth2:1     eth0   203.96.212.68

You didn't read enough -- the above will NOT do what you want.

-Tom
>> eth2       eth0   203.96.213.73,203.96.212.68
>>
>> -Tom

Once again thanks ;)
More questions .. sorry.

I have load balancing over 202.37.230.93 and 203.96.213.73. I also have connection tracking, so if a request from outside comes into 202.37.230.93 then the answer is sent out the correct interface.

Example:
0.0.0.0 ---> 202.37.230.93 --> 192.168.1.1 --> 192.168.1.2 --> 192.168.1.1 --> 202.37.230.93 --> 0.0.0.0

If the request starts on my lan then load balancing takes shape:
192.168.1.2 --> 192.168.1.1 {some load balancing magic} --> 202.37.230.93 OR 203.96.213.73 --> 0.0.0.0

I want to leave this "as is" but add the new IP, but only allow responses on 203.96.212.68, not initial connections.

Example:
0.0.0.0 --> 203.96.212.68 --> 192.168.1.1 --> 192.168.1.2 --> 192.168.1.1 --> 203.96.212.68 --> 0.0.0.0
192.168.1.2 --> 192.168.1.1 {magic} --> 203.96.213.73 OR 202.37.230.93 --> 0.0.0.0

As far as I can see I don't need to do anything to the routing table, but I'm not 100% sure. Any advice?

Paul.

P.S. I can send you my routing rules if you want.
On Thu, 2004-12-02 at 14:27 -0800, Tom Eastep wrote:
> On Fri, 2004-12-03 at 11:22 +1300, Paul wrote:
>>>> Can I do this in masq?
>>>> #INTERFACE SUBNET ADDRESS
>>>> eth2       eth0   203.96.213.73
>>>> eth2       eth0   203.96.212.68
>>>>
>>>> Paul.
>>
>> Err .. I shoulda kept reading :)
>> #INTERFACE SUBNET ADDRESS
>> eth2:0     eth0   203.96.213.73
>> eth2:1     eth0   203.96.212.68
>
> You didn't read enough -- the above will NOT do what you want.

Unless you plan to do policy routing.

-Tom
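The point Tom makes about the two aliased entries can be checked mechanically: netfilter only sees the real device, so once the alias suffix is stripped the eth2:0/eth2:1 lines and the single comma-separated line describe the same (interface, subnet) pair. The script below is an added example, not from this thread or from Shorewall itself; it parses masq-file lines, reports alias names, shows that both variants collapse to the same entry, and confirms that both public addresses fall inside the eth3 /23 from Paul's first message (the function names and the sample input are constructed for this illustration).

```python
import ipaddress

# Constructed sample input: the two masq-file variants from the thread.
ALIASED_MASQ = """\
#INTERFACE SUBNET ADDRESS
eth2:0 eth0 203.96.213.73
eth2:1 eth0 203.96.212.68
"""
MERGED_MASQ = """\
#INTERFACE SUBNET ADDRESS
eth2 eth0 203.96.213.73,203.96.212.68
"""


def parse_masq(text):
    """Return [(interface, subnet, [addresses])] from Shorewall masq-file lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addrs = fields[2].split(",") if len(fields) > 2 else []
        entries.append((fields[0], fields[1], addrs))
    return entries


def alias_interfaces(entries):
    """Interfaces written with an alias suffix (eth2:0); netfilter has no such device."""
    return [iface for iface, _, _ in entries if ":" in iface]


def netfilter_view(entries):
    """Collapse alias names to the real device and merge SNAT addresses per (device, subnet)."""
    merged = {}
    for iface, subnet, addrs in entries:
        bucket = merged.setdefault((iface.split(":", 1)[0], subnet), [])
        for addr in addrs:
            if addr not in bucket:
                bucket.append(addr)
    return merged


def addresses_in_network(addrs, iface_cidr):
    """True if every SNAT address lies inside the real interface's network."""
    net = ipaddress.ip_network(iface_cidr, strict=False)
    return all(ipaddress.ip_address(a) in net for a in addrs)


if __name__ == "__main__":
    aliased = parse_masq(ALIASED_MASQ)
    print("alias names netfilter cannot match:", alias_interfaces(aliased))
    print("what both files mean to netfilter:", netfilter_view(aliased))
    print("inside eth3's /23:", addresses_in_network(
        ["203.96.213.73", "203.96.212.68"], "203.96.213.73/255.255.254.0"))
```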
On Fri, 2004-12-03 at 11:45 +1300, Paul wrote:
>>> eth2       eth0   203.96.213.73,203.96.212.68
>>>
>>> -Tom
>
> Once again thanks ;)
> More questions .. sorry.
> I have load balancing over 202.37.230.93 and 203.96.213.73.
> I also have connection tracking, so if a request from outside comes into
> 202.37.230.93 then the answer is sent out the correct interface.
>
> Example:
> 0.0.0.0 ---> 202.37.230.93 --> 192.168.1.1 --> 192.168.1.2 -->
> 192.168.1.1 --> 202.37.230.93 --> 0.0.0.0
>
> If the request starts on my lan then load balancing takes shape
> 192.168.1.2 --> 192.168.1.1 {some load balancing magic} -->
> 202.37.230.93 OR 203.96.213.73 --> 0.0.0.0
>
> I want to leave this "as is" but add the new IP, but only allow
> responses on 203.96.212.68, not initial connections.
>
> Example:
> 0.0.0.0 --> 203.96.212.68 --> 192.168.1.1 --> 192.168.1.2 -->
> 192.168.1.1 --> 203.96.212.68 --> 0.0.0.0
> 192.168.1.2 --> 192.168.1.1 {magic} --> 203.96.213.73 OR 202.37.230.93
> --> 0.0.0.0
>
> As far as I can see I don't need to do anything to the routing table,
> but I'm not 100% sure.
> Any advice?

Sorry -- as always, I do not answer questions about multiple internet connections and routing.

-Tom
On Thu, 2004-12-02 at 14:49 -0800, Tom Eastep wrote:
>> As far as I can see I don't need to do anything to the routing table,
>> but I'm not 100% sure.
>> Any advice?
>
> Sorry -- as always, I do not answer questions about multiple internet
> connections and routing.

But the basics are covered in Shorewall FAQ 32 (which you have probably already found).

-Tom
Tom Eastep wrote:
> On Thu, 2004-12-02 at 14:49 -0800, Tom Eastep wrote:
>
>>> As far as I can see I don't need to do anything to the routing table,
>>> but I'm not 100% sure.
>>> Any advice?
>>
>> Sorry -- as always, I do not answer questions about multiple internet
>> connections and routing.
>
> But the basics are covered in Shorewall FAQ 32 (which you have probably
> already found).
>
> -Tom

FYI: I added another IP last night and did absolutely nothing to the routing table. Added

eth2       eth0   203.96.213.73,203.96.212.6

to masq and all is tickety boo ;) That was far too easy.

On to my next question :) Can you recommend a pptp server that will interact nicely with shorewall?

Paul.
On Wed, 2004-12-08 at 10:56 +1300, Paul wrote:
> On to my next question :)
> Can you recommend a pptp server that will interact nicely with shorewall?

PoPToP running on the firewall works ok although it doesn't support Microsoft's compression algorithm. I personally run an XP box behind the firewall -- works okay for my limited needs.

-Tom