Hi all,

I have a Shorewall box setup in a fairly vanilla fashion with three network zones, WAN, DMZ, and LAN. The wan is a single IP, the DMZ is a routable /28 block, and the LAN is a NAT subnet masqed to the WAN.

I am being forced by my client to put in some equipment that requires a huge number of ports to be open on public IPs, or be NAT'd into a LAN segment. I was wondering if the following is possible:

My DMZ port acts as a gateway to my public servers. I'd like to be able to add two virtual IPs to the DMZ interface and NAT two separate RFC1918 subnets off of the virtual interfaces and have them route out to the internet. (Back through the subnet's gateway off the same interface)

The network would look like this (excuse crafty IP rule breaking):

WAN:
  Net 98.55.41.500/24
  eth0     98.55.41.501

DMZ:
  Net 69.33.64.586/28
  eth1     69.33.64.587
  eth1:1:  69.33.64.588
  eth1:2:  69.33.64.589
  (Note: Standalone servers with 69.33.64.587 as the gateway route out just fine)

LAN:
  Net 192.168.1.0/24
  eth1     192.168.1.1 (masq to 98.55.41.501) -- works!
  eth2:1   192.168.100.1/28 (masq to 69.33.64.588)
  eth2:2:  192.168.200.1/28 (masq to 69.33.64.589)

I have no problem setting this up, and the new LAN subnets masq into the DMZ just fine. However, networks masqed behind eth0:1 and eth0:2 do not route out of the DMZ even with routeback enabled.

Note: yes, the two additional NAT subnets will get their own card when I get this figured out.

I'm a bit stymied -- anyone have any ideas? It must be simple? What am I missing?

Michael
On Thursday 03 November 2005 07:26, Michael Cozzi wrote:
> Hi all,
>
> I have a Shorewall box setup in a fairly vanilla fashion with three
> network zones, WAN, DMZ, and LAN. The wan is a single IP, the DMZ is a
> routable /28 block, and the LAN is a NAT subnet masqed to the WAN.
>
> I am being forced by my client to put in some equipment that
> requires a huge number of ports to be open on public IPs, or be NAT'd
> into a LAN segment. I was wondering if the following is possible:
>
> My DMZ port acts as a gateway to my public servers, I'd like to be
> able to add two virtual IPs to the DMZ interface and NAT two separate
> RFC1918 subnets off of the virtual interfaces and have them route out to
> the internet. (Back through the subnet's gateway off the same interface)
>
> The network would look like this (excuse crafty IP rule breaking):
>
> WAN:
> Net 98.55.41.500/24
> eth0 98.55.41.501
>
> DMZ:
> Net 69.33.64.586/28
> eth1 69.33.64.587
> eth1:1: 69.33.64.588
> eth1:2: 69.33.64.589
> (Note: Standalone servers with 69.33.64.587 as the gateway
> route out just fine)

You also need to add RFC1918 addresses on this interface OR you will have to have a host route from each of the masqueraded servers to the associated public IP (I assume these absurd 69.x.x.x addresses are meant to be public) and you must configure the default gateway on the masqueraded servers to be that public IP address.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
On Thursday 03 November 2005 07:26, Michael Cozzi wrote:
> Hi all,
>
> I have a Shorewall box setup in a fairly vanilla fashion with three
> network zones, WAN, DMZ, and LAN. The wan is a single IP, the DMZ is a
> routable /28 block, and the LAN is a NAT subnet masqed to the WAN.
>
> I am being forced by my client to put in some equipment that
> requires a huge number of ports to be open on public IPs, or be NAT'd
> into a LAN segment. I was wondering if the following is possible:
>
> My DMZ port acts as a gateway to my public servers, I'd like to be
> able to add two virtual IPs to the DMZ interface and NAT two separate
> RFC1918 subnets off of the virtual interfaces and have them route out to
> the internet. (Back through the subnet's gateway off the same interface)
>
> The network would look like this (excuse crafty IP rule breaking):
>
> WAN:
> Net 98.55.41.500/24
> eth0 98.55.41.501
>
> DMZ:
> Net 69.33.64.586/28
> eth1 69.33.64.587
> eth1:1: 69.33.64.588
> eth1:2: 69.33.64.589
> (Note: Standalone servers with 69.33.64.587 as the gateway
> route out just fine)
>
> LAN:
> Net 192.168.1.0/24
> eth1 192.168.1.1 (masq to 98.55.41.501) -- works!
> eth2:1 192.168.100.1/28 (masq to 69.33.64.588)
> eth2:2: 192.168.200.1/28 (masq to 69.33.64.589)
>
> I have no problem setting this up, and the new LAN subnets masq into
> the DMZ just fine. However, networks masqed behind eth0:1 and eth0:2 do
> not route out of the DMZ even with routeback enabled.

Hmmm -- I read your post again and I think I was confused earlier. You want the systems connected to the LAN to be masqueraded with source IP addresses that you assign to eth1 -- is that what you are trying to accomplish?

If that's what you are trying to do, the "do not route out of the DMZ" is absurd. Packets from the local LAN to the WAN will not go to the DMZ -- Your /etc/shorewall/masq file should have entries like:

eth0    192.168.100.0/28    69.33.64.588
eth0    192.168.200.0/28    69.33.64.589

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
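The two masq entries Tom gives, worked into an added example that is not from the thread or from Shorewall itself: a POSIX shell script that translates a constructed /etc/shorewall/masq fragment into the POSTROUTING rules Shorewall generates from it (SNAT when an ADDRESS column is present, MASQUERADE otherwise), plus a helper that reports which public source address a given LAN host would leave eth0 with. The masq text, the function names and the `interface-ip(...)` marker are my assumptions.

```shell
#!/bin/sh
# Constructed masq fragment (assumption): INTERFACE SOURCE ADDRESS columns,
# outbound interface is the WAN side (eth0), never the DMZ interface.
MASQ_FILE='#INTERFACE   SOURCE             ADDRESS
eth0         192.168.1.0/24
eth0         192.168.100.0/28   69.33.64.588
eth0         192.168.200.0/28   69.33.64.589'

# Emit the nat/POSTROUTING rule each masq line stands for.
# With an ADDRESS: SNAT to that fixed public IP; without: MASQUERADE.
masq_to_iptables() { # $1 = masq file text
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blanks
        {
            rule = "iptables -t nat -A POSTROUTING -o " $1 " -s " $2
            if ($3 != "") rule = rule " -j SNAT --to-source " $3
            else          rule = rule " -j MASQUERADE"
            print rule
        }'
}

# First matching masq line wins, as with the real rule order: print the
# public address a LAN host is translated to, or a marker meaning
# "whatever IP the outbound interface has" for plain MASQUERADE lines.
# Prefix comparison is done by integer division so it works in any awk.
snat_source_for() { # $1 = masq file text, $2 = host IP
    printf '%s\n' "$1" | awk -v host="$2" '
        function ip2n(a,  o) {
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            n = split($2, c, "/"); bits = (n == 2) ? c[2] : 32
            div = 2 ^ (32 - bits)
            if (int(ip2n(host) / div) == int(ip2n(c[1]) / div)) {
                print ($3 != "") ? $3 : "interface-ip(" $1 ")"
                exit
            }
        }'
}

masq_to_iptables "$MASQ_FILE"
snat_source_for "$MASQ_FILE" 192.168.200.5
```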