I'm in the process of migrating to a multi-ISP install of Shorewall on a single firewall / gateway. But in the meantime, I have Shorewall installed on my old and new firewalls.

Question: Is there any easy way to set up Firewall1 so that traffic destined for a specific IP will exit the network via Firewall2?

Firewall1:

    Public IP1 (eth1)
           |
        Firewall
           |
    192.168.1.1 (eth0)

Firewall2:

    Public IP2 (w1g1ppp)
           |
        Firewall
           |
    192.168.1.20 (eth0)

192.168.1.1 is the default gateway for all addresses on the network, including Firewall2 (to allow a migration path, and to allow clients to access services on both Firewall(s) during the transition).

I've been struggling with this for 2 days now, trying different combinations of static routing, routeback, hints from the Shorewall transparent proxy FAQ, etc. to no avail. Is there an easy way to achieve what I'm trying, or am I smoking too much crack?

Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)
Keith Mitchell wrote:
> Question: Is there any easy way to set up Firewall1 so that traffic
> destined for a specific IP will exit the network via Firewall2?
> [...]
> 192.168.1.1 is the default gateway for all addresses on the network,
> including Firewall2 (to allow a migration path, and to allow clients to
> access services on both Firewall(s) during the transition).
> [...]
> Is there an easy way to achieve what I'm trying, or am I smoking too
> much crack?

I guess I'm unclear on exactly what you are trying to do. Making the first firewall the default gateway for the second one seems somewhat wacky to me.

Can you give us an idea of the steps you intend to go through to effect this migration?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
> Sent: Tuesday, April 25, 2006 8:52 AM
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Shorewall on multiple hosts / gateways
>
> I guess I'm unclear on exactly what you are trying to do. Making the
> first firewall the default gateway for the second one seems somewhat
> wacky to me.
>
> Can you give us an idea of the steps you intend to go through to
> effect this migration?

You're right. It *is* wacky. That was the smoking crack part. The new firewall should be set up to gateway itself. Duh.

Anyway, the current firewall is running a number of services, including DNS, VPN concentration, and e-mail filtering. I want to keep it running for as long as possible while I mirror the services over to the new host so that I have a fallback during the transition. Additionally, I have yet to test my "old" internet connection with the WAN card in the new firewall, so that's another step I have to take as well. My goal is to implement this one step at a time, to test operation with the new setup, as well as keeping a failover during the transition.

So if I switch Firewall2 to be its own gateway, is it possible to do the redirect of selected traffic for a destination IP through it? I'll test with that setup to see if that is what was causing all my trauma when I tried this on my own.

Keith Mitchell
CTO
Productivity Associates, Inc.
Keith Mitchell wrote:
> You're right. It *is* wacky. That was the smoking crack part. The new
> firewall should be set up to gateway itself. Duh.
>
> Anyway, the current firewall is running a number of services, including
> DNS, VPN concentration, and e-mail filtering. I want to keep it running
> for as long as possible while I mirror the services over to the new host
> so that I have a fallback during the transition. Additionally, I have yet
> to test my "old" internet connection with the WAN card in the new
> firewall, so that's another step I have to take as well. My goal is to
> implement this one step at a time, to test operation with the new setup,
> as well as keeping a failover during the transition.
>
> So if I switch Firewall2 to be its own gateway, is it possible to do the
> redirect of selected traffic for a destination IP through it? I'll test
> with that setup to see if that is what was causing all my trauma when I
> tried this on my own.

You can select one Linux box on the LAN to be your testbed. Use the instructions posted recently by Ricardo Kleeman to set it up with dual default routes. That way, you can test incoming connections from both firewalls to that box. By simply adding and deleting routes via one firewall or the other, you can test outgoing traffic through either box.

-Tom
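The testbed Tom describes, plus the "route one destination via Firewall2" setup Keith asked about, as an added example. This is not code from the list thread, from Ricardo Kleeman's post, or from the Shorewall project; the dual-default-route part uses source-based policy routing (ip rule / a second routing table), which is my choice of technique, not necessarily the one Kleeman posted. Only 192.168.1.1 (Firewall1) and 192.168.1.20 (Firewall2) come from the thread; the testbed host's second address 192.168.1.51, interface eth0, routing table 100, and the destination 203.0.113.10 are assumptions. By default the script only prints the ip(8) commands so it can be reviewed offline; set DRY_RUN=0 and run it as root on the machine each part belongs to.

```shell
#!/bin/sh
# Added example for the thread above; not from the list, Ricardo Kleeman's
# post, or the Shorewall project. Firewall addresses are from the thread;
# everything else (host address, interface, table, destination) is assumed.
set -u

FW1_LAN=192.168.1.1        # Firewall1, LAN side (from the thread)
FW2_LAN=192.168.1.20       # Firewall2, LAN side (from the thread)
LAN_IF=eth0                # LAN interface on the testbed host and Firewall1 (assumed)
HOST_VIA_FW2=192.168.1.51  # second testbed address, reached via Firewall2 (assumed)
FW2_TABLE=100              # policy-routing table for the Firewall2 path (assumed)
DRY_RUN=${DRY_RUN:-1}      # 1 = print the ip(8) commands; 0 = execute them (root)

# Testbed host with dual default routes: the main table points at Firewall1,
# table FW2_TABLE points at Firewall2, and an ip rule sends anything sourced
# from HOST_VIA_FW2 through that table. Connections DNATed in by Firewall2 to
# HOST_VIA_FW2 are then answered via Firewall2, not via Firewall1, so each
# firewall's connection tracking sees both directions of its own flows.
testbed_routes() {
  cat <<EOF
ip addr add ${HOST_VIA_FW2}/24 dev ${LAN_IF}
ip route replace default via ${FW1_LAN} dev ${LAN_IF}
ip route replace default via ${FW2_LAN} dev ${LAN_IF} table ${FW2_TABLE}
ip rule add from ${HOST_VIA_FW2} lookup ${FW2_TABLE} priority 1000
EOF
}

# Move the host's own outgoing traffic between firewalls by replacing the
# main default route. Usage: outbound_via fw1|fw2
outbound_via() {
  case "$1" in
    fw1) gw=${FW1_LAN} ;;
    fw2) gw=${FW2_LAN} ;;
    *)   echo "usage: outbound_via fw1|fw2" >&2; return 2 ;;
  esac
  echo "ip route replace default via ${gw} dev ${LAN_IF}"
}

# On Firewall1: forward traffic for one destination to Firewall2. Those
# packets enter and leave Firewall1 on the same LAN interface, so that
# interface needs the 'routeback' option in /etc/shorewall/interfaces and
# loc->loc traffic must be permitted. Firewall2 must route that destination
# out its own WAN link, or the packets come straight back to Firewall1.
fw1_route_dest() {
  dest=$1
  case "$dest" in
    */*) ;;                 # prefix length supplied by the caller
    *)   dest="$dest/32" ;; # single host
  esac
  echo "ip route replace ${dest} via ${FW2_LAN} dev ${LAN_IF}"
}

# Print (DRY_RUN=1) or execute (DRY_RUN=0) the commands read from stdin.
run() {
  if [ "$DRY_RUN" = 1 ]; then cat; else sh -e; fi
}

# 203.0.113.10 is a documentation address standing in for "a specific IP".
case "${1:-testbed}" in
  testbed) testbed_routes | run ;;
  switch)  outbound_via "${2:-fw2}" | run ;;
  fw1)     fw1_route_dest "${2:-203.0.113.10}" | run ;;
  *)       echo "usage: $0 testbed | switch fw1|fw2 | fw1 [dest]" >&2; exit 2 ;;
esac
```

Run `sh routes.sh testbed` on the LAN testbed host, `sh routes.sh switch fw1` or `switch fw2` on the same host to flip its outbound path, and `sh routes.sh fw1 203.0.113.10` on Firewall1, adding `DRY_RUN=0` once the printed commands look right. The ip rule is what keeps return traffic symmetric: without it, replies to connections that arrived through Firewall2 would leave through the default gateway (Firewall1), which has no conntrack entry for them and drops them.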