First of all, I'd like to say that I am a very happy Shorewall user, and that I have had many trouble-free years of using it to configure iptables. But now I'm stumped...

The situation I have is that my home network is behind a linux firewall/router running shorewall, but now I have to add a VPN/VOIP router for work to my network. It is a SonicWall (SW) box that expects to be the only router in the system. The SW expects to have unfettered access to the internet, so I would like to add another NIC to my firewall and have it be "unmanaged" by shorewall. I don't want to have it bridged to my external interface, as I don't want to pay the extra $$ for a second IP from my ISP. I just want it on an interface that does not get filtered. Is this possible?

Best regards,
Ken Crandall

--
Ken Crandall
ken.crandall@gmail.com

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Ken Crandall wrote:
> The situation I have is that my home network is behind a linux
> firewall/router running shorewall, but now I have to add a VPN/VOIP
> router for work to my network. It is a SonicWall (SW) box that
> expects to be the only router in the system. The SW expects to have
> unfettered access to the internet, so I would like to add another NIC
> to my firewall and have it be "unmanaged" by shorewall. I don't
> want to have it bridged to my external interface, as I don't want to
> pay the extra $$ for a second IP from my ISP. I just want it on an
> interface that does not get filtered. Is this possible?

No. The problem you have is that effectively you want to have both your own firewall and the new one using the same address - that just doesn't work (except on some rather esoteric systems running 'interesting' software to make it all work).

Now, IFF the new box is capable of working behind a NAT router then you can connect it to an additional network card and give it its own rfc1918 subnet. After that, simply do port forwarding for all the ports it wants to use. I would say that there is a good chance that the box will have options for doing this - though you may have to tell it what your public IP is.

If the new box REALLY has to be directly on a public IP then you only have two options - bridge it to an extra IP or put it between your current setup and your internet connection.
Ken Crandall wrote:
> First of all, I'd like to say that I am a very happy Shorewall user,
> and that I have had many trouble-free years of using it to configure
> iptables. But now I'm stumped...
>
> The situation I have is that my home network is behind a linux
> firewall/router running shorewall, but now I have to add a VPN/VOIP
> router for work to my network. It is a SonicWall (SW) box that
> expects to be the only router in the system. The SW expects to have
> unfettered access to the internet, so I would like to add another NIC
> to my firewall and have it be "unmanaged" by shorewall. I don't want
> to have it bridged to my external interface, as I don't want to pay
> the extra $$ for a second IP from my ISP. I just want it on an
> interface that does not get filtered. Is this possible?

Hi Ken,

The Sonic Wall should be able to connect into your private network, and create an additional NAT'd segment for just your phones. It would be a separate NAT network, however the advantage here is that your shorewall box would still have control over the edge and your VOIP systems would all hang off of one IP *internally*.

I'm not up on the SW systems these days. I stopped using them 5 or 6 years ago. But the SW should be able to be configured in a way that allows it to connect to the local network. Then simply allow the needed traffic to the SW.

If you are saying that the VOIP/VPN implementation cannot be NAT'd (or cannot be NAT'd without scary port redirection), then a second ethernet card, with a different private subnet, also NAT'd to the external interface would work (private physical segment). And since that segment would be private- you could use 1 to 1 NAT to the SW without much worry about security- with the exception of the Sonic appliance itself.

--
Michael Cozzi
cozzi@cozziconsulting.com
Michael Cozzi wrote:
> If you are saying that the VOIP/VPN implementation cannot be NAT'd
> (or cannot be NAT'd without scary port redirection), then a second
> ethernet card, with a different private subnet, also NAT'd to the
> external interface would work (private physical segment). And since that
> segment would be private- you could use 1 to 1 NAT to the SW without
> much worry about security- with the exception of the Sonic appliance itself.
>

I left something out here.... You would then give the internal interface of the SW an internal IP on your LAN for VPN purposes.

Michael
Ken Crandall wrote:
> The situation I have is that my home network is behind a linux
> firewall/router running shorewall, but now I have to add a VPN/VOIP
> router for work to my network. It is a SonicWall (SW) box that
> expects to be the only router in the system. The SW expects to have
> unfettered access to the internet, so I would like to add another NIC
> to my firewall and have it be "unmanaged" by shorewall. I don't
> want to have it bridged to my external interface, as I don't want to
> pay the extra $$ for a second IP from my ISP. I just want it on an
> interface that does not get filtered. Is this possible?

Sonicwall uses IPsec but can be configured to allow use thru a NAT'ed interface by turning off AH and using ESP only.

Give the Sonicwall external interface its own zone, set that interface to masquerade thru your outgoing interface, and set the policy to

SonicWall Internet ACCEPT

You may have to play with the routing tables on any client expecting to go thru the Sonicwall but I can't be more specific without detailed knowledge of your network.

This has worked for me using Checkpoint so I'm guessing it will work for Sonicwall. OTOH, IPsec problems can be a real bitch to diagnose on a good day and throwing in a NAT'ed hop doesn't make it any easier.

One caveat is the remote side may demand AH. In that case, don't waste time trying to NAT -- it won't work.

Another option is to use IPsec on Linux to connect to the remote Sonicwall. They are supposed to be compatible.

Good Luck

--
Stephen Carville <stephen@totalflood.com>
Systems Engineer
Land America
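Putting the two suggestions together (a dedicated NIC with its own private subnet that is masqueraded out the single public IP, plus port forwarding of the ESP-only IPsec traffic back to the appliance), here is an added Shorewall configuration sketch; it is not from any message in this thread. The interface names eth0/eth1/eth2, the 192.168.1.0/24 and 192.168.2.0/24 subnets and the SonicWall WAN address 192.168.2.2 are assumed.

```text
# /etc/shorewall/zones  -- the SonicWall's WAN side gets its own zone "sw"
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
sw      ipv4

# /etc/shorewall/interfaces  -- eth2 is the NIC dedicated to the SonicWall (assumed names)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
loc     eth1        detect
sw      eth2        detect

# /etc/shorewall/policy  -- "SonicWall Internet ACCEPT": nothing leaving the sw zone is filtered
#SOURCE DEST    POLICY  LOG LEVEL
sw      net     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq  -- both private subnets leave through the one public IP on eth0
#INTERFACE  SOURCE
eth0        192.168.1.0/24
eth0        192.168.2.0/24

# /etc/shorewall/rules  -- forward inbound IPsec to the SonicWall (192.168.2.2 assumed).
# IKE is UDP 500, NAT-T is UDP 4500, ESP is IP protocol 50; these survive a NAT hop.
# There is deliberately no rule for AH (protocol 51): it authenticates the IP header,
# so any address rewrite breaks it, which is the caveat raised above.
#ACTION  SOURCE  DEST            PROTO   DEST PORT(S)
DNAT     net     sw:192.168.2.2  udp     500,4500
DNAT     net     sw:192.168.2.2  50
```

With this layout the home LAN on eth1 still sits behind Shorewall's normal policies, while only the sw zone is passed through unfiltered.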