I should perhaps have mentioned that I tried to do this with the policy
file, but that doesn't work as the gateway forwards the traffic intended
for vlan4 to the internet.
As the gateway is also the dhcp server for vlan3 through vlan5 (vlan2
kept its original Win2003 dhcp server when I migrated from lan --> vlan),
the gw can telnet to 192.9.200.64 in vlan4.
Underneath the relevant part of my policy file:
#
# Policies for traffic originating from the local LAN (loc)
vlan2 net ACCEPT
vlan2 $FW REJECT info
vlan2 all REJECT info
vlan2 vlan3 ACCEPT
vlan2 vlan4 ACCEPT
vlan2 vlan5 ACCEPT
vlan2 ovpn ACCEPT
vlan2 pvpn ACCEPT
vlan3 net ACCEPT
vlan3 $FW REJECT info
vlan3 all REJECT info
vlan4 net REJECT
vlan4 $FW REJECT info
vlan4 all REJECT info
vlan5 net REJECT
vlan5 $FW REJECT info
vlan5 all REJECT info
TIA,
Jord
Jord Wegge (Aqua Bio) wrote:
> Hello List,
>
> I’ve got perhaps an unusual question for you:
>
> I’ve inherited a lan setup which ought to be private but instead uses
> 192.9.200.0/24 as IP range. The lan was kept as is and migrated to
> vlan4. As the hardware on this vlan are PLCs and such, I cannot change
> it to f.i. 192.168.3.0/24.
>
> I can only get PCs in vlan2 (office) to connect to vlan4
> (production-site) if I use static IP addresses on the office PCs and
> give them 2 IPs (one in each (v)lan), but I need DHCP for laptop users
>
> I was thinking along these lines, but that is not allowed:
>
> DNAT vlan2 vlan4:192.9.200.64:23 tcp 23 - net:192.9.200.64
>
> What I basically want is to redirect/forward all traffic (tcp/udp & all
> ports) from vlan2 to net:192.9.200.0/24 to vlan4:192.9.200.0/24
>
> For example I want to telnet & ftp from 10.201.13.105 (vlan2) to
> 192.9.200.64 (vlan4)
>
> Underneath some info regarding my setup:
>
> /etc/network/interfaces
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> allow-hotplug eth0
> iface eth0 inet dhcp
>
> # vlan1 is not used as it is the default vlan in many switches
> auto vlan2
> auto vlan3
> auto vlan4
> auto vlan5
>
> # VLAN 2 : office
> iface vlan2 inet static
> address 10.201.13.10
> netmask 255.255.255.0
> network 10.201.13.0
> broadcast 10.201.13.255
> mtu 1500
> vlan_raw_device eth1
>
> # VLAN 3 : flourmill
> iface vlan3 inet static
> address 192.168.1.10
> netmask 255.255.255.0
> network 192.168.1.0
> broadcast 192.168.1.255
> mtu 1500
> vlan_raw_device eth1
>
> # VLAN 4 : production
> iface vlan4 inet static
> address 192.9.200.10
> netmask 255.255.255.0
> network 192.9.200.0
> broadcast 192.9.200.255
> mtu 1500
> vlan_raw_device eth1
>
> # VLAN 5 : visitors & wifi --> only internet access
> iface vlan5 inet static
> address 192.168.2.10
> netmask 255.255.255.0
> network 192.168.2.0
> broadcast 192.168.2.255
> mtu 1500
> vlan_raw_device eth1
>
> /sbin/shorewall version
> 3.2.6
>
> ip addr show
> 1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
> link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
> inet6 fe80::219:bbff:fecf:838/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 576 qdisc pfifo_fast qlen 100
> link/ether 00:18:71:eb:54:f8 brd ff:ff:ff:ff:ff:ff
> inet 81.82.243.114/24 brd 255.255.255.255 scope global eth0
> 5: sit0: <NOARP> mtu 1480 qdisc noop
> link/sit 0.0.0.0 brd 0.0.0.0
> 23: vlan2@eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
> inet 10.201.13.10/24 brd 10.201.13.255 scope global vlan2
> inet6 fe80::219:bbff:fecf:838/64 scope link
> valid_lft forever preferred_lft forever
> 24: vlan3@eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.10/24 brd 192.168.1.255 scope global vlan3
> inet6 fe80::219:bbff:fecf:838/64 scope link
> valid_lft forever preferred_lft forever
> 25: vlan4@eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
> inet 192.9.200.10/24 brd 192.9.200.255 scope global vlan4
> inet6 fe80::219:bbff:fecf:838/64 scope link
> valid_lft forever preferred_lft forever
> 26: vlan5@eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> link/ether 00:19:bb:cf:08:38 brd ff:ff:ff:ff:ff:ff
> inet 192.168.2.10/24 brd 192.168.2.255 scope global vlan5
> inet6 fe80::219:bbff:fecf:838/64 scope link
> valid_lft forever preferred_lft forever
> 49: vpn-user: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
> link/[65534]
> inet 10.30.0.1 peer 10.30.0.2/32 scope global vpn-user
>
>
> ip route show
> 10.30.0.2 dev vpn-user proto kernel scope link src 10.30.0.1
> 10.201.13.0/24 dev vlan2 proto kernel scope link src 10.201.13.10
> 10.30.0.0/24 via 10.30.0.2 dev vpn-user
> 192.168.2.0/24 dev vlan5 proto kernel scope link src 192.168.2.10
> 192.168.1.0/24 dev vlan3 proto kernel scope link src 192.168.1.10
> 81.82.243.0/24 dev eth0 proto kernel scope link src 81.82.243.114
> 192.9.200.0/24 dev vlan4 proto kernel scope link src 192.9.200.10
> default via 81.82.243.1 dev eth0
>
> Any ideas?
>
> Thanks in advance!
>
> Cheers,
> Jord
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the
> world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
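Shorewall evaluates the policy file top-down and takes the first matching entry, and the pseudo-zone `all` matches every zone, so the `vlan2 vlan3/vlan4/vlan5 ACCEPT` lines placed after `vlan2 all REJECT` in the policy file above are never consulted. The checker below, an added example that is not part of this thread or of Shorewall itself, parses a policy file in that format and reports entries that an earlier line shadows; it treats `$FW` as a plain zone token and handles only the simple source/dest/policy form shown on this page.

```python
"""Report shadowed entries in a Shorewall 'policy' file.

Shorewall applies policy entries in file order (first match wins) and the
pseudo-zone 'all' matches every zone, so a specific entry that follows a
covering 'all' entry for the same source zone can never take effect.
Assumed/simplified: '$FW' is compared as a literal token and zone lists
('vlan2,vlan3') or 'all+' are not expanded.
"""
from typing import List, Tuple

Entry = Tuple[str, str, str]  # (source zone, destination zone, policy)

# Constructed sample: the vlan2/vlan4 lines of the policy file quoted above.
SAMPLE_POLICY = """\
#
# Policies for traffic originating from the local LAN (loc)
vlan2 net ACCEPT
vlan2 $FW REJECT info
vlan2 all REJECT info
vlan2 vlan3 ACCEPT
vlan2 vlan4 ACCEPT
vlan4 net REJECT
vlan4 all REJECT info
"""


def parse_policy(text: str) -> List[Entry]:
    """Return (source, dest, policy) triples, skipping comments and blanks."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2].upper()))
    return entries


def _covers(earlier: str, later: str) -> bool:
    """True when zone pattern 'earlier' matches every zone 'later' matches."""
    return earlier == "all" or earlier == later


def shadowed_entries(entries: List[Entry]) -> List[Tuple[int, Entry, Entry]]:
    """Return (index, entry, shadowing_entry) for entries that never match."""
    found = []
    for i, (src, dst, _pol) in enumerate(entries):
        for j in range(i):  # only earlier lines can shadow this one
            esrc, edst, _epol = entries[j]
            if _covers(esrc, src) and _covers(edst, dst):
                found.append((i, entries[i], entries[j]))
                break
    return found
```

Running `shadowed_entries(parse_policy(SAMPLE_POLICY))` flags the `vlan2 vlan3` and `vlan2 vlan4` ACCEPT lines as shadowed by `vlan2 all REJECT`, which is the first thing to fix (move the zone-to-zone ACCEPT lines above the `all` catch-all) before looking for routing or zone-definition causes.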