Shorewall users - Jun 2005 - Multiple Vpns

I have built a fedora 3 test box that has 4 pptp client vpn''s from my
T-1 to
a Group of businesses (test environment).
The businesses all have pptp vpn concentrators on their ends. The purpose is 
that all of the businesses
will be at an offsite location together for a 3 day sale.
    I have the box working now with the latest ver of shorewall with two 
nics on this fedora box eth0
will be on the net eth1 loc. eth0 will authenacating ppoe over high gain 
wireless from an temp ISP.
    The lan is on 192.168.50.1 on eth1. I have the vpns working now all on 
that lan, I can access all of the businesses servers
from this one fedora box.
    Now what I would like to do is ask for advice about this. To provide 
security between the businesses
since they are all on 192.168.50.0/24 (no security between each other) is to 
make aliases to eth1 like 192.168.100.0 192.168.150.0 and so on
to be able to separate these people from accessing each other''s
networks. Or
is this possible with zones or do I need both.

    Anyway at times I give to much to chew on and may ask for to much and 
don''t realize that its to much to ask
So if anybody could help please let me know.


Thanks

Mike

> I have built a fedora 3 test box that has 4 pptp client vpn''s from
my T-1
to
> a Group of businesses (test environment).
> The businesses all have pptp vpn concentrators on their ends. The purpose
is
> that all of the businesses
> will be at an offsite location together for a 3 day sale.
>     I have the box working now with the latest ver of shorewall with two
> nics on this fedora box eth0
> will be on the net eth1 loc. eth0 will authenacating ppoe over high gain
> wireless from an temp ISP.
>     The lan is on 192.168.50.1 on eth1. I have the vpns working now all
on
> that lan, I can access all of the businesses servers
> from this one fedora box.
>     Now what I would like to do is ask for advice about this. To provide
> security between the businesses
> since they are all on 192.168.50.0/24 (no security between each other) is
to
> make aliases to eth1 like 192.168.100.0 192.168.150.0 and so on
> to be able to separate these people from accessing each other''s
networks.
Or
> is this possible with zones or do I need both.
>
>     Anyway at times I give to much to chew on and may ask for to much and
> don''t realize that its to much to ask
> So if anybody could help please let me know.
>
>
> Thanks
>
> Mike
>
Just to have it clear in my head, these businesses will share a common lan
at the
sale site, and your tunnelling back to each of their respective home
locations?

You have two issues, at the sale site, they should not be able to talk to
each other,
right? The vlan idea takes care this issue, no other way with a common
wire(less?)
connection. Now you have to ensure that each business can only "call
home",
correct?
This is a zone/interface/(hosts?)/policy issue. In short, both are needed.

Jerry




Jerry

----- Original Message ----- 
From: "Jerry Vonau" <jvonau@shaw.ca>
To: "Mailing List for Shorewall Users"
<shorewall-users@lists.shorewall.net>
Sent: Friday, June 24, 2005 4:43 PM
Subject: Re: [Shorewall-users] Multiple Vpns

>
>> I have built a fedora 3 test box that has 4 pptp client vpn''s
from my T-1
> to
>> a Group of businesses (test environment).
>> The businesses all have pptp vpn concentrators on their ends. The
purpose
> is
>> that all of the businesses
>> will be at an offsite location together for a 3 day sale.
>>     I have the box working now with the latest ver of shorewall with
two
>> nics on this fedora box eth0
>> will be on the net eth1 loc. eth0 will authenacating ppoe over high
gain
>> wireless from an temp ISP.
>>     The lan is on 192.168.50.1 on eth1. I have the vpns working now all
> on
>> that lan, I can access all of the businesses servers
>> from this one fedora box.
>>     Now what I would like to do is ask for advice about this. To
provide
>> security between the businesses
>> since they are all on 192.168.50.0/24 (no security between each other)
is
> to
>> make aliases to eth1 like 192.168.100.0 192.168.150.0 and so on
>> to be able to separate these people from accessing each
other''s networks.
> Or
>> is this possible with zones or do I need both.
>>
>>     Anyway at times I give to much to chew on and may ask for to much
and
>> don''t realize that its to much to ask
>> So if anybody could help please let me know.
>>
>>
>> Thanks
>>
>> Mike
>>
>
> Just to have it clear in my head, these businesses will share a common lan
> at the
> sale site, and your tunnelling back to each of their respective home
> locations?
>
> You have two issues, at the sale site, they should not be able to talk to
> each other,
> right? The vlan idea takes care this issue, no other way with a common
> wire(less?)
> connection. Now you have to ensure that each business can only "call 
> home",
> correct?
> This is a zone/interface/(hosts?)/policy issue. In short, both are needed.
>
> Jerry
> They can already communicate with their own servers from the sale. I have 
> that working.
And yes they can talk to each other because they are on 192.168.50.0/24. 
They could also
with know how use each other''s tunnels as well and communicate from the
lan
to each of
their respective since I have the one box tunneled to all of their own 
businesses.

    Ideally to explain this better, each business should have their own 
routers on each end
with their own tunnels as the temp ISP has given us 10 ppoe accounts each 
with its own FQIP (with 16 port switch pppoe)
Since I support four of the busisness I built a server to save money. And 
since I support the servers
at the concetrator end this is the solution I am testing. The wireless is 
from a cell tower and not a consideration
as this will come out a switch RJ45 ppoe on eth0.
    I would like to provide security on the lan. Since I have never 
installed a lan from one interface (eth1)
with serveral separate corp''s  the same lan.
I was thinking the only way to do this with shorewall for security is to 
alias the lan correct me if I am
wrong.

PS I have this already tested and working from my T-1 minus security on the 
192.168.50.0/24 lan
Thanks

Mike

----- Original Message ----- 
From: "Mike Lander" <landers@lanlinecomputers.com>
To: "Mailing List for Shorewall Users"
<shorewall-users@lists.shorewall.net>
Sent: Friday, June 24, 2005 5:13 PM
Subject: Re: [Shorewall-users] Multiple Vpns

>
> ----- Original Message ----- 
> From: "Jerry Vonau" <jvonau@shaw.ca>
> To: "Mailing List for Shorewall Users" 
> <shorewall-users@lists.shorewall.net>
> Sent: Friday, June 24, 2005 4:43 PM
> Subject: Re: [Shorewall-users] Multiple Vpns
>
>
>>
>>> I have built a fedora 3 test box that has 4 pptp client
vpn''s from my
>>> T-1
>> to
>>> a Group of businesses (test environment).
>>> The businesses all have pptp vpn concentrators on their ends. The 
>>> purpose
>> is
>>> that all of the businesses
>>> will be at an offsite location together for a 3 day sale.
>>>     I have the box working now with the latest ver of shorewall
with two
>>> nics on this fedora box eth0
>>> will be on the net eth1 loc. eth0 will authenacating ppoe over high
gain
>>> wireless from an temp ISP.
>>>     The lan is on 192.168.50.1 on eth1. I have the vpns working now
all
>> on
>>> that lan, I can access all of the businesses servers
>>> from this one fedora box.
>>>     Now what I would like to do is ask for advice about this. To
provide
>>> security between the businesses
>>> since they are all on 192.168.50.0/24 (no security between each
other)
>>> is
>> to
>>> make aliases to eth1 like 192.168.100.0 192.168.150.0 and so on
>>> to be able to separate these people from accessing each
other''s
>>> networks.
>> Or
>>> is this possible with zones or do I need both.
>>>
>>>     Anyway at times I give to much to chew on and may ask for to
much
>>> and
>>> don''t realize that its to much to ask
>>> So if anybody could help please let me know.
>>>
>>>
>>> Thanks
>>>
>>> Mike
>>>
>>
>> Just to have it clear in my head, these businesses will share a common 
>> lan
>> at the
>> sale site, and your tunnelling back to each of their respective home
>> locations?
>>
>> You have two issues, at the sale site, they should not be able to talk
to
>> each other,
>> right? The vlan idea takes care this issue, no other way with a common
>> wire(less?)
>> connection. Now you have to ensure that each business can only
"call
>> home",
>> correct?
>> This is a zone/interface/(hosts?)/policy issue. In short, both are 
>> needed.
>>
>> Jerry
>> They can already communicate with their own servers from the sale. I
have
>> that working.
> And yes they can talk to each other because they are on 192.168.50.0/24. 
> They could also
> with know how use each other''s tunnels as well and communicate
from the
> lan to each of
> their respective since I have the one box tunneled to all of their own 
> businesses.
>
>    Ideally to explain this better, each business should have their own 
> routers on each end
> with their own tunnels as the temp ISP has given us 10 ppoe accounts each 
> with its own FQIP (with 16 port switch pppoe)
> Since I support four of the busisness I built a server to save money. And 
> since I support the servers
> at the concetrator end this is the solution I am testing. The wireless is 
> from a cell tower and not a consideration
> as this will come out a switch RJ45 ppoe on eth0.
>    I would like to provide security on the lan. Since I have never 
> installed a lan from one interface (eth1)
> with serveral separate corp''s  the same lan.
> I was thinking the only way to do this with shorewall for security is to 
> alias the lan correct me if I am
> wrong.
>
> PS I have this already tested and working from my T-1 minus security on 
> the 192.168.50.0/24 lan
> Thanks
>
> Mike
I think what I will try is the example Tom has at the bottom of  shorewall 
and
aliased interfaces and go from there to seperate this config