Shorewall users - Jul 2010 - Dealing with multiple IP's from my ISP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am thinking about signing up for Comcast Business class internet with
5 public IP''s.

I run a shorewall box with two network cards, and no space to add any
more. eth0 is currently pointing towards my existing DSL provider (with
a single IP) and eth1 is NAT''ed and pointed towards my small home
network.

What would be the best practice to deal with this scenario? The first
thoughts that come to mind is to setup virtual interaces (eg. eth0:0,
eth0:1, etc) and assign them to the net zone along with a respective IP
from Comcast.

I''m waiting to hear back from Comcast on the brand and type of
firewall/modem they will be installing, but they have said it is able to
be bridged, I''d just like to know if I can deal with all 5
IP''s with one
interface on the Shorewall side...

Thanks,
Stephen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkwzRUQACgkQ3sJXNEncx7gafQCg61170m8+9qHpHiO6r7wLCQDT
aRUAoJgZ9vIJGwQjgpYzzLUR8b+IOtTT
=fHGG
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first

On 7/6/10 8:01 AM, Stephen Brown wrote:
> I am thinking about signing up for Comcast Business class internet with
> 5 public IP''s.
> 
> I run a shorewall box with two network cards, and no space to add any
> more. eth0 is currently pointing towards my existing DSL provider (with
> a single IP) and eth1 is NAT''ed and pointed towards my small home
network.
> 
> What would be the best practice to deal with this scenario? The first
> thoughts that come to mind is to setup virtual interaces (eg. eth0:0,
> eth0:1, etc) and assign them to the net zone along with a respective IP
> from Comcast.
You need to read
http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html. You do
not define aliased interfaces to Shorewall.
> 
> I''m waiting to hear back from Comcast on the brand and type of
> firewall/modem they will be installing, but they have said it is able to
> be bridged, I''d just like to know if I can deal with all 5
IP''s with one
> interface on the Shorewall side...
I have Comcast Business class service. What you get is a ''Comcast
Business Gateway'' which is a router with built-in firewall, NAT, DHCP,
etc. I did not get a manual for this thing and had a hell of a time
finding one on the Comcast Business Class web site. By the time that I
did find the PDF to download, I had already muddled through and arrived
at the same solution that the manual recommends:

1. The default internal network is 10.1.10.0/24 with the gateway having
address 10.1.10.1/24; I left it that way.
2. I modified the DHCP server configuration on the business gateway to
not assign 10.1.10.2 - 10.1.10.19.
3. I configured my Shorewall box''s external interface as 10.1.10.11/24.
4. On the business gateway, I added a static route to my /29
(70.90.191.120/29) via 10.1.10.11.
5. I configured the business gateway''s firewall to not filter traffic
to
the /29 (there''s a check-box for that, IIRC).
6. I run Linux-vserver on my Shorewall box so I configure the public IP
addresses on the box''s external interface (3 statically configured and
two are dynamically configured when I start my vservers). Here are my
/etc/shorewall/interfaces stanzas:

#
# Commcast Business Class
#
auto eth1 eth1:1 eth1:2 eth1:3
iface eth1 inet static
        address 70.90.191.121
        netmask 255.255.255.248
        network 70.90.191.120
        broadcast 70.90.191.127
	gateway 70.90.191.126

iface eth1:1 inet static
        address 70.90.191.122
        netmask 255.255.255.248
        network 70.90.191.120
        broadcast 70.90.191.127

iface eth1:2 inet static
        address 70.90.191.123
        netmask 255.255.255.248
        network 70.90.191.120
        broadcast 70.90.191.127

iface eth1:3 inet static
        address 10.1.10.11
        netmask 255.255.255.0
        network 10.1.10.0
        broadcast 10.1.10.255

The business class gateway has public IP address 60.90.191.126 so
that''s
what I configure as the Shorewall box''s default gateway.

Here''s the config up and running:

gateway:~# ip -4 addr ls dev eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UNKNOWN qlen 1000
    inet 70.90.191.121/29 brd 70.90.191.127 scope global eth1
    inet 10.1.10.11/24 brd 10.1.10.255 scope global eth1:3
    inet 70.90.191.122/29 brd 70.90.191.127 scope global secondary eth1:1
    inet 70.90.191.123/29 brd 70.90.191.127 scope global secondary eth1:2
    inet 70.90.191.124/29 brd 70.90.191.127 scope global secondary eth1
    inet 70.90.191.125/29 brd 70.90.191.127 scope global secondary eth1
gateway:~#

My Shorewall configuration just has:

/etc/shorewall/interfaces:

net    COMCAST	  detect  physical=eth1,...

/etc/shorewall/masq:

#INTERFACE			SOURCE			ADDRESS

COMMENT Masquerade Local Network

COMCAST:10.1.10.0/24	 	0.0.0.0/0		10.1.10.11
COMCAST				!70.90.191.120/29	70.90.191.122

gateway:~#

By leaving the DHCP server running on the Business Class Gateway, I can
plug my wireless access point and work system into the gateway''s
built-in switch when I want to take the Shorewall box down for
maintenance; that way, I can maintain internet access for work and for
our in-home wireless network.

Hope this helps.
-Tom




-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first

> 2. I modified the DHCP server configuration on the business gateway to
> not assign 10.1.10.2 - 10.1.10.19.
> 3. I configured my Shorewall box''s external interface as
10.1.10.11/24.
I should add that step 2 is unnecessary. By default, the DHCP server
assigns 10.1.10.11-10.1.10.199. My gateway had already been assigned .11
as it''s IP address through DHCP so I just left it that way and made
sure
that it could always use .11. If you manually assign your shorewall box
the address 10.0.10.2, you can leave the Business Gateway''s DHCP
configuration as it is.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first