I have two subnets running on 172.16.70.0/24 and 172.16.80.0/24. However, the internet connection is on a router assigned the IP 172.16.80.1. This is plugged directly into the switch for the .80 network because I only have two ethernet connections on my gateway, for the .70 and .80 subnets. Now users can access the internet from the .70 network but the users on the .80 cannot. Any ideas please?

-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> Now users can access the internet from the .70 network but the users on the .80 cannot. Any ideas please?

shorewall status and your config files please.

Jerry
> shorewall status and your config files please.

Please find attached a rar file with the status text and config files. Many thanks.
> Please find attached a rar file with the status text and config files. Many thanks.

What is with the other 2 interfaces that are not defined in shorewall?

Add "routeback" as an option for eth3 in the interfaces file for a start.

Jerry
> What is with the other 2 interfaces that are not defined in shorewall?
> Add "routeback" as an option for eth3 in the interfaces file for a start.

The other two devices are unusable: problems with the hardware port connectors (long story). Anyway, even with routeback the .80 subnet is unable to access the net, but .70 can.

-- 
David Bees
MCR & Encoding
Absolute Post London
8 Poland Street, W1F 8PX
Tel: +44 (0)20 7851 6700
> The other two devices are unusable: problems with the hardware port connectors (long story). Anyway, even with routeback the .80 subnet is unable to access the net, but .70 can.

Ok, I'm confused...

eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0e:0c:08:7f:ea brd ff:ff:ff:ff:ff:ff
    inet 172.16.80.2/24 brd 172.16.80.255 scope global eth3
    inet 172.16.80.1/24 brd 172.16.80.255 scope global secondary eth3

Table main:

212.158.242.240/28 dev eth0 scope link
172.16.70.0/24 dev eth2 scope link
172.16.80.0/24 dev eth3 scope link
192.168.254.0/24 dev eth1 scope link
10.0.0.0/16 via 172.16.80.200 dev eth3
169.254.0.0/16 dev eth3 scope link
127.0.0.0/8 dev lo scope link
default via 172.16.80.1 dev eth3

Why do you have an alias on eth3 with the same IP address as the gateway? I'd fix that first.

At any rate you'll need to masq the local LAN back to itself, in masq:

    eth3 eth3:!172.16.80.1 172.16.80.2

Jerry
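An added check, not from the thread and not part of Shorewall, that reads the `ip addr` and `ip route` output quoted above and flags the two things Jerry points at: a local alias that duplicates the default gateway's address, and a default gateway that is reached through a LAN zone interface, which is the hairpin case that needs "routeback" plus a masq entry for that interface. The sample text is taken from the output above; the zone-to-interface map (mcr on eth2, prod on eth3) is an assumption based on the zone names used later in the thread.

```python
import re

# Sample input: interface and routing lines as quoted in the message above
# (eth3 carries its own address plus an alias equal to the default gateway).
IP_ADDR = """\
eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0e:0c:08:7f:ea brd ff:ff:ff:ff:ff:ff
    inet 172.16.80.2/24 brd 172.16.80.255 scope global eth3
    inet 172.16.80.1/24 brd 172.16.80.255 scope global secondary eth3
"""
IP_ROUTE = """\
212.158.242.240/28 dev eth0 scope link
172.16.70.0/24 dev eth2 scope link
172.16.80.0/24 dev eth3 scope link
default via 172.16.80.1 dev eth3
"""
# Assumed zone layout (an assumption, taken from the zone names used later in the thread).
ZONE_IFACES = {"eth2": "mcr", "eth3": "prod"}

def parse_addrs(text):
    """Map interface name -> list of IPv4 addresses found in `ip addr` output."""
    addrs, iface = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): <", line)
        if head:
            iface = head.group(1)
            continue
        inet = re.search(r"\binet (\d+(?:\.\d+){3})/\d+", line)
        if inet and iface:
            addrs.setdefault(iface, []).append(inet.group(1))
    return addrs

def default_route(text):
    """Return (gateway, device) of the default route in `ip route` output, or (None, None)."""
    m = re.search(r"^default via (\S+) dev (\S+)", text, re.M)
    return (m.group(1), m.group(2)) if m else (None, None)

def audit(addr_text, route_text, zone_ifaces):
    """Return findings explaining why hairpinned LAN traffic fails; [] when nothing is wrong."""
    gw, dev = default_route(route_text)
    addrs = parse_addrs(addr_text)
    findings = []
    for iface, ips in addrs.items():
        if gw in ips:  # the firewall would answer ARP for its own gateway's address
            findings.append(f"{iface}: alias {gw} duplicates the default gateway; remove it")
    if dev in zone_ifaces:  # gateway sits on a LAN segment, so replies must leave via dev too
        own = next((ip for ip in addrs.get(dev, []) if ip != gw), "")
        findings.append(f"{dev}: gateway {gw} is on zone '{zone_ifaces[dev]}'; set 'routeback' "
                        f"on {dev} in interfaces and masq '{dev} {dev}:!{gw} {own}'")
    return findings
```

Running `audit(IP_ADDR, IP_ROUTE, ZONE_IFACES)` reproduces both of Jerry's findings, including the masq line from his reply; with a default route out of a non-zone interface such as eth0 it returns an empty list.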
> Why do you have an alias on eth3 with the same IP address as the gateway? I'd fix that first.
> At any rate you'll need to masq the local LAN back to itself, in masq:
>     eth3 eth3:!172.16.80.1 172.16.80.2

Thanks Jerry, that seems to work. Both subnets can now see outside.

With respect to rule sets, however: when I create a rule for all outgoing traffic to be dropped from the prod zone (the .80 network) to the FW zone, these rules do not work; however, with the same rule applied to the mcr zone (the .70) the rules work fine. I know my setup is not a typical, or perhaps ideal, model but unfortunately it is what I have to work with without a major overhaul.

Once again thanks for all your suggestions.
> With respect to rule sets, however: when I create a rule for all outgoing traffic to be dropped from the prod zone (the .80 network) to the FW zone, these rules do not work; however, with the same rule applied to the mcr zone (the .70) the rules work fine.

Can you post the rule that you're trying?

Jerry
> Can you post the rule that you're trying?

The rule I have set (as a test for the .80 network) is:

    DROP prod $FW tcp

Just trying to see if I can block all outgoing traffic on the .80 network so I can then implement further changes.