I have built a Fedora 3 test box that has 4 PPTP client VPNs from my T-1 to a group of businesses (test environment). The businesses all have PPTP VPN concentrators on their ends. The purpose is that all of the businesses will be at an offsite location together for a 3 day sale.

I have the box working now with the latest version of Shorewall, with two NICs on this Fedora box: eth0 will be on the net, eth1 loc. eth0 will be authenticating PPPoE over high gain wireless from a temp ISP. The LAN is on 192.168.50.1 on eth1. I have the VPNs working now, all on that LAN; I can access all of the businesses' servers from this one Fedora box.

Now what I would like to do is ask for advice about this. To provide security between the businesses, since they are all on 192.168.50.0/24 (no security between each other), is it to make aliases to eth1 like 192.168.100.0, 192.168.150.0 and so on, to be able to separate these people from accessing each other's networks? Or is this possible with zones, or do I need both?

Anyway, at times I give too much to chew on and may ask for too much and don't realize that it's too much to ask. So if anybody could help, please let me know.

Thanks

Mike
Just to have it clear in my head: these businesses will share a common LAN at the sale site, and you're tunnelling back to each of their respective home locations?

You have two issues. At the sale site, they should not be able to talk to each other, right? The VLAN idea takes care of this issue; no other way with a common wire(less?) connection. Now you have to ensure that each business can only "call home", correct? This is a zone/interface/(hosts?)/policy issue. In short, both are needed.

Jerry
----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Friday, June 24, 2005 4:43 PM
Subject: Re: [Shorewall-users] Multiple Vpns

They can already communicate with their own servers from the sale. I have that working. And yes, they can talk to each other because they are on 192.168.50.0/24. They could also, with know-how, use each other's tunnels as well and communicate from the LAN to each of their respective, since I have the one box tunneled to all of their own businesses.

Ideally, to explain this better, each business should have their own routers on each end with their own tunnels, as the temp ISP has given us 10 PPPoE accounts, each with its own FQIP (with a 16 port PPPoE switch). Since I support four of the businesses, I built a server to save money. And since I support the servers at the concentrator end, this is the solution I am testing. The wireless is from a cell tower and not a consideration, as this will come out of a switch as RJ45 PPPoE on eth0.

I would like to provide security on the LAN, since I have never installed a LAN from one interface (eth1) with several separate corps on the same LAN. I was thinking the only way to do this with Shorewall for security is to alias the LAN; correct me if I am wrong.

PS: I have this already tested and working from my T-1, minus security on the 192.168.50.0/24 LAN.

Thanks

Mike
----- Original Message -----
From: "Mike Lander" <landers@lanlinecomputers.com>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Friday, June 24, 2005 5:13 PM
Subject: Re: [Shorewall-users] Multiple Vpns

I think what I will try is the example Tom has at the bottom of "Shorewall and Aliased Interfaces" and go from there to separate this config.