Dear Tom,

What if my shorewall is using a different public IP for the internal interface, and there is no local (private IP)...? Because a shorewall without a local connection has confused me. How do I configure it with shorewall..

ex:
External $fw = 172.1.1.1 (eth0)
Internal1 $fw = 172.1.1.2 (eth1) to web server with public ip 172.1.1.3
Internal2 $fw = 60.1.1.1 (eth2) to mail server with public ip 60.1.1.2

Regards,
Wisnu

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
wisnu dwi hidayat wrote:
> External $fw = 172.1.1.1 (eth0)
> Internal1 $fw = 172.1.1.2 (eth1) to web server with public ip 172.1.1.3
> Internal2 $fw = 60.1.1.1 (eth2) to mail server with public ip 60.1.1.2

Taking the second one first, that's just a matter of routing (ie do NOT configure Masq/NAT) between outside and inside interfaces.

The first one is trickier - you have the same subnet on internal and external interfaces which means you either have to bridge eth0 and eth1 or use proxy arp.

It might help if you tell us EXACTLY what information your ISP has given you about your IP allocations - the above looks rather unusual to me.

-- 
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Simon Hobson wrote:
> wisnu dwi hidayat wrote:
>
>> External $fw = 172.1.1.1 (eth0)
>> Internal1 $fw = 172.1.1.2 (eth1) to web server with public ip 172.1.1.3
>> Internal2 $fw = 60.1.1.1 (eth2) to mail server with public ip 60.1.1.2
>
> The first one is trickier - you have the same subnet on internal and
> external interfaces which means you either have to bridge eth0 and
> eth1 or use proxy arp.

It is also silly to use different IP addresses for External and Internal1; use the same address and you save one of your public addresses.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
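As an added illustration of the two approaches Simon describes and Tom's suggestion to reuse the external address on eth1 (this is not configuration posted by anyone in the thread): a Shorewall proxyarp entry for the web server that shares the external subnet, and plain routing with no masq/NAT for the mail server's separate subnet. It assumes Shorewall 4.x file formats, zone names web and mail, the 172.1.1.x / 60.1.1.x addresses from the example above, and that the ISP routes the 60.1.1.0 block to the firewall's external address.

```text
# Added example, not configuration from the thread's participants.
# Shorewall 4.x formats; zone names web/mail and the addresses are assumptions.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
web     ipv4
mail    ipv4

# /etc/shorewall/interfaces
# Per Tom's remark, eth1 can carry the same 172.1.1.1 address as eth0,
# and that address becomes the web server's default gateway.
# The mail server's default gateway is 60.1.1.1 on eth2.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
web     eth1        detect
mail    eth2        detect

# /etc/shorewall/proxyarp
# The web server sits in the external subnet, so the firewall answers ARP
# for 172.1.1.3 on eth0 and delivers via a host route on eth1.
# HAVEROUTE=No tells Shorewall to add that host route itself.
#ADDRESS      INTERFACE   EXTERNAL   HAVEROUTE
172.1.1.3     eth1        eth0       No

# /etc/shorewall/masq
# Intentionally empty: 60.1.1.2 is reached by plain routing, no NAT.
# This only works if the ISP routes the 60.1.1.0 block to 172.1.1.1,
# which is the detail Tom's later reply asks the poster to confirm.

# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG LEVEL
fw        net    ACCEPT
web       net    ACCEPT
mail      net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  -- expose only the services each server provides
#ACTION   SOURCE   DEST              PROTO   DEST PORT(S)
ACCEPT    net      web:172.1.1.3     tcp     80,443
ACCEPT    net      mail:60.1.1.2     tcp     25
```

After a `shorewall check` and `shorewall restart`, a tcpdump on eth0 should show the firewall answering ARP for 172.1.1.3, while traffic to 60.1.1.2 arrives at eth0 already addressed to the mail server and is simply forwarded out eth2.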
wisnu dwi hidayat
2009-Aug-31 04:29 UTC
Re: 2 internal interface using different public ip
Dear Simon,

Actually the public IP from the ISP is (excuse me for hiding the IP)
External $fw = 202.xxx.xxx.1 (eth0)
Internal1 $fw = 202.xxx.xxx.2 (eth1) to web server with public ip 202.xxx.xxx.3
Internal2 $fw = 60.xxx.xxx.1 (eth2) to mail server with public ip 60.xxx.xxx.2

The ISP has given me a different public IP subnet especially for the mail server, because the old IP was blocked and we couldn't send out any messages. Actually the old one was in the same subnet as the webserver.. And I don't know why they gave us a different subnet now..

I haven't configured masq/NAT yet, but I suspect the ISP did the masq/NAT on their router..

The topology: ISP--Router--Firewall--Server

________________________________
From: Simon Hobson <linux@thehobsons.co.uk>
To: Shorewall Users <shorewall-users@lists.sourceforge.net>
Sent: Friday, August 28, 2009 4:18:03 PM
Subject: Re: [Shorewall-users] 2 internal interface using different public ip
wisnu dwi hidayat wrote:
> Dear Simon,
>
> Actually the public ip from ISP is (excuse me to hide the IP)
> External $fw = 202.xxx.xxx.1 (eth0)
> Internal1 $fw = 202.xxx.xxx.2 (eth1) to web server with public ip
> 202.xxx.xxx.3
> Internal2 $fw = 60.xxx.xxx.1 (eth2) to mail server with public ip
> 60.xxx.xxx.2
>
> The ISP has given me different subnet public ip especially for mail
> server, cause of the old IP has blocked and we can't sending out any
> messages. Actually the old one was in the same subnet with webserver..
> And don't know why they gave us different subnet now..
>
> I don't configure masq/NAT yet, but I suspecting the ISP did the
> masq/NAT on their router..

I seriously doubt that.

Is your ISP routing 60.xxx.xxx.2 via 60.xxx.xxx.1? Or are both addresses being routed via one of your other IP addresses? Or does your ISP expect that both .1 and .2 will respond to ARP requests directly from their upstream router? In that case, hopefully they can still use the same gateway as your Shorewall box is using?

These details determine how you must configure your Shorewall system.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________