thr3ads.net - Shorewall users - stuck with private ip range in vlan [Oct 2008]

If this information is useful, please help other people find it:
Share via:

Jord Wegge (Aqua Bio)

2008-Oct-08 21:01 UTC

stuck with private ip range in vlan

Hello List,

I’ve got perhaps an unusual question for you:

I’ve inherited a lan setup which ought to be private but instead uses 
192.9.200.0/24 as IP range. The lan was kept as is and migrated to 
vlan4. As the hardware on this vlan are PLC’s and such, I cannot change 
it to f.i. 192.168.3.0/24.

I can only get pc’s in vlan2 (office) to connect to vlan4 
(production-site) if I use static IP addresses on the office PC’s and 
give them 2 IP’s (in each (v)lan), but I need DHCP for laptop users

I was thinking along these lines, but that is not allowed:

DNAT vlan2 vlan4:192.9.200.64:23 tcp 23 - net:192.9.200.64

What I basically want is to redirect/forward all traffic (tcp/udp & all 
ports) from vlan2 to net:192.9.200.0/24 to vlan4:192.9.200.0/24

For example I want to telnet & ftp from 10.201.13.105 (vlan2) to 
192.9.200.64 (vlan4)

Underneath some info regarding my setup:

/etc/net work/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

# vlan1 is not used as it is the default vlan in many switches
auto vlan2
auto vlan3
auto vlan4
auto vlan5

# VLAN 2 : office
iface vlan2 inet static
address 10.201.13.10
netmask 255.255.255.0
network 10.201.13.0
broadcast 10.201.13.255
mtu 1500
vlan_raw_device eth1

# VLAN 3 : flourmill
iface vlan3 inet static
address 192.168.1.10
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
mtu 1500
vlan_raw_device eth1

# VLAN 4 : production
iface vlan4 inet static
address 192.9.200.10
netmask 255.255.255.0
network 192.9.200.0
broadcast 192.9.200.255
mtu 1500
vlan_raw_device eth1

# VLAN 5 : visitors & wifi --> only internet access
iface vlan5 inet static
address 192.168.2.10
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
mtu 1500
vlan_raw_device eth1

/sbin/shorewall version
3.2.6

ip addr show
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen
1000
link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
inet6 fe80::219:bbff:fecf:838/64 scope link
valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 576 qdisc pfifo_fast qlen 100
link/ether 00:18:71:eb:54:f8 brd ff:ff:ff:ff:ff:ff
inet 81.82.243.114/24 brd 255.255.255.255 scope global eth0
5: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
23: vlan2@eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
inet 10.201.13.10/24 brd 10.201.13.255 scope global vlan2
inet6 fe80::219:bbff:fecf:838/64 scope link
valid_lft forever preferred_lft forever
24: vlan3@eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.10/24 brd 192.168.1.255 scope global vlan3
inet6 fe80::219:bbff:fecf:838/64 scope link
valid_lft forever preferred_lft forever
25: vlan4@eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
inet 192.9.200.10/24 brd 192.9.200.255 scope global vlan4
inet6 fe80::219:bbff:fecf:838/64 scope link
valid_lft forever preferred_lft forever
26: vlan5@eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.10/24 brd 192.168.2.255 scope global vlan5
inet6 fe80::219:bbff:fecf:838/64 scope link
valid_lft forever preferred_lft forever
49: vpn-user: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc 
pfifo_fast qlen 100
link/[65534]
inet 10.30.0.1 peer 10.30.0.2/32 scope global vpn-user


ip route show
10.30.0.2 dev vpn-user proto kernel scope link src 10.30.0.1
10.201.13.0/24 dev vlan2 proto kernel scope link src 10.201.13.10
10.30.0.0/24 via 10.30.0.2 dev vpn-user
192.168.2.0/24 dev vlan5 proto kernel scope link src 192.168.2.10
192.168.1.0/24 dev vlan3 proto kernel scope link src 192.168.1.10
81.82.243.0/24 dev eth0 proto kernel scope link src 81.82.243.114
192.9.200.0/24 dev vlan4 proto kernel scope link src 192.9.200.10
default via 81.82.243.1 dev eth0

Any ideas?

Thanks in advance!

Cheers,
Jord

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Jord Wegge (Aqua Bio)

2008-Oct-09 05:05 UTC

head link

Re: stuck with private ip range in vlan

I should perhaps have mentioned that I tried to do this with the policy 
file, but hat doesn''t work as the gateway forwards the traffic intended
for vlan4 to the internet.

As the gateway is also the dhcp server for vlan3 throug vlan5 (vlan2 
kept it original Win2003 dhcp server when I migrated from lan --> vlan), 
the gw can telnet to 192.9.200.64 in vlan4.

Underneath the relevant part of my policy file:
#
# Policies for traffic originating from the local LAN (loc)
vlan2           net                ACCEPT
vlan2           $FW             REJECT          info
vlan2           all                 REJECT          info
vlan2           vlan3             ACCEPT
vlan2           vlan4           ACCEPT
vlan2           vlan5           ACCEPT
vlan2           ovpn            ACCEPT
vlan2           pvpn            ACCEPT
vlan3           net             ACCEPT
vlan3           $FW             REJECT          info
vlan3           all             REJECT          info
vlan4           net             REJECT
vlan4           $FW             REJECT          info
vlan4           all             REJECT          info
vlan5           net             REJECT
vlan5           $FW             REJECT          info
vlan5           all             REJECT          info

TIA,
Jord


Jord Wegge (Aqua Bio) schreef:> Hello List,
>
> I’ve got perhaps an unusual question for you:
>
> I’ve inherited a lan setup which ought to be private but instead uses
> 192.9.200.0/24 as IP range. The lan was kept as is and migrated to
> vlan4. As the hardware on this vlan are PLC’s and such, I cannot change
> it to f.i. 192.168.3.0/24.
>
> I can only get pc’s in vlan2 (office) to connect to vlan4
> (production-site) if I use static IP addresses on the office PC’s and
> give them 2 IP’s (in each (v)lan), but I need DHCP for laptop users
>
> I was thinking along these lines, but that is not allowed:
>
> DNAT vlan2 vlan4:192.9.200.64:23 tcp 23 - net:192.9.200.64
>
> What I basically want is to redirect/forward all traffic (tcp/udp & all
> ports) from vlan2 to net:192.9.200.0/24 to vlan4:192.9.200.0/24
>
> For example I want to telnet & ftp from 10.201.13.105 (vlan2) to
> 192.9.200.64 (vlan4)
>
> Underneath some info regarding my setup:
>
> /etc/net work/interfaces
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> allow-hotplug eth0
> iface eth0 inet dhcp
>
> # vlan1 is not used as it is the default vlan in many switches
> auto vlan2
> auto vlan3
> auto vlan4
> auto vlan5
>
> # VLAN 2 : office
> iface vlan2 inet static
> address 10.201.13.10
> netmask 255.255.255.0
> network 10.201.13.0
> broadcast 10.201.13.255
> mtu 1500
> vlan_raw_device eth1
>
> # VLAN 3 : flourmill
> iface vlan3 inet static
> address 192.168.1.10
> netmask 255.255.255.0
> network 192.168.1.0
> broadcast 192.168.1.255
> mtu 1500
> vlan_raw_device eth1
>
> # VLAN 4 : production
> iface vlan4 inet static
> address 192.9.200.10
> netmask 255.255.255.0
> network 192.9.200.0
> broadcast 192.9.200.255
> mtu 1500
> vlan_raw_device eth1
>
> # VLAN 5 : visitors & wifi --> only internet access
> iface vlan5 inet static
> address 192.168.2.10
> netmask 255.255.255.0
> network 192.168.2.0
> broadcast 192.168.2.255
> mtu 1500
> vlan_raw_device eth1
>
> /sbin/shorewall version
> 3.2.6
>
> ip addr show
> 1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast
qlen
> 1000
> link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
> inet6 fe80::219:bbff:fecf:838/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 576 qdisc pfifo_fast qlen
100
> link/ether 00:18:71:eb:54:f8 brd ff:ff:ff:ff:ff:ff
> inet 81.82.243.114/24 brd 255.255.255.255 scope global eth0
> 5: sit0: <NOARP> mtu 1480 qdisc noop
> link/sit 0.0.0.0 brd 0.0.0.0
> 23: vlan2@eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
> inet 10.201.13.10/24 brd 10.201.13.255 scope global vlan2
> inet6 fe80::219:bbff:fecf:838/64 scope link
> valid_lft forever preferred_lft forever
> 24: vlan3@eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.10/24 brd 192.168.1.255 scope global vlan3
> inet6 fe80::219:bbff:fecf:838/64 scope link
> valid_lft forever preferred_lft forever
> 25: vlan4@eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
> inet 192.9.200.10/24 brd 192.9.200.255 scope global vlan4
> inet6 fe80::219:bbff:fecf:838/64 scope link
> valid_lft forever preferred_lft forever
> 26: vlan5@eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
> inet 192.168.2.10/24 brd 192.168.2.255 scope global vlan5
> inet6 fe80::219:bbff:fecf:838/64 scope link
> valid_lft forever preferred_lft forever
> 49: vpn-user: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc
> pfifo_fast qlen 100
> link/[65534]
> inet 10.30.0.1 peer 10.30.0.2/32 scope global vpn-user
>
>
> ip route show
> 10.30.0.2 dev vpn-user proto kernel scope link src 10.30.0.1
> 10.201.13.0/24 dev vlan2 proto kernel scope link src 10.201.13.10
> 10.30.0.0/24 via 10.30.0.2 dev vpn-user
> 192.168.2.0/24 dev vlan5 proto kernel scope link src 192.168.2.10
> 192.168.1.0/24 dev vlan3 proto kernel scope link src 192.168.1.10
> 81.82.243.0/24 dev eth0 proto kernel scope link src 81.82.243.114
> 192.9.200.0/24 dev vlan4 proto kernel scope link src 192.9.200.10
> default via 81.82.243.1 dev eth0
>
> Any ideas?
>
> Thanks in advance!
>
> Cheers,
> Jord
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer''s
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great 
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the 
> world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Shorewall users - Oct 2008 - stuck with private ip range in vlan

stuck with private ip range in vlan

Re: stuck with private ip range in vlan