Hi,

Can a shorewall bridge (with management IP address) be used as a host's default gateway?

HOST1 in loc/lan zone (10.215.146.89) -> Shorewall bridge (10.215.144.91) -> Gateway (10.215.144.90)

Suppose I need to do a quick network change and I can't update the hundreds of HOSTs in the loc/lan zone which all have 10.215.144.91 as default gateway. So hosts in the loc zone need to keep "default gw 10.215.144.91".

Also, suppose that the gateway at 10.215.144.90 cannot be changed either, so its IP address needs to be 10.215.144.90 and I cannot add an alias IP addr. 10.215.144.91.

So the only machine I can update is the Shorewall bridge at 10.215.144.91.

If I ping from 10.215.146.89 (lan zone) to 209.85.229.147 (wan/net), then ping replies only if the host at 10.215.146.89 has its default gateway set to 10.215.144.90. It does not reply if the default gw is set to 10.215.144.91.

On the shorewall bridge at 10.215.144.91 I can tcpdump packets coming from 10.215.146.89 (lan zone) and going to 209.85.229.147 on the lan/loc ethernet interface (br0:eth0), but I see no packets if tcpdump'ing on the bridge's net/wan ethernet interface (br0:eth1).

Shorewall dump during the ping test: http://213.96.91.201/temp/dump.gz

What could I try?

Thanks,
Vieri

------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming smartphone on the nation's most reliable network. And it wants your games.
http://p.sf.net/sfu/verizon-sfdev
Vieri Di Paola wrote:
> Can a shorewall bridge (with management IP address) be used as a host's default gateway?
>
> HOST1 in loc/lan zone (10.215.146.89) -> Shorewall bridge (10.215.144.91) -> Gateway (10.215.144.90)
>
> Suppose I need to do a quick network change and I can't update the hundreds of HOSTs in the loc/lan zone which all have 10.215.144.91 as default gateway.
> So hosts in the loc zone need to keep "default gw 10.215.144.91".
>
> Also, suppose that the gateway at 10.215.144.90 cannot be changed either, so its IP address needs to be 10.215.144.90 and I cannot add an alias IP addr. 10.215.144.91.

There's a lot to be said for using a virtual address for the gateway and running no other services on that IP - that avoids the situation you find yourself in. To minimise future problems, you might consider adding an alias IP to the gateway (10.215.144.90) - 10.215.144.1 or 10.215.144.254 would be logical choices if they aren't already in use - and then as you fix up the local hosts, point them to this alias IP. If you need to change things in the future, you can assign the alias IP to another device without affecting other services.

But yes, you can do it as you've sketched; you need to set the routeback flag so that the shorewall machine can route packets back out through the same interface they came in through. Inbound packets will not take this route (in and out of the shorewall machine) - the gateway at 10.215.144.90 will pass them directly to the host.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
--- On Tue, 4/5/11, Simon Hobson <linux@thehobsons.co.uk> wrote:

> Vieri Di Paola wrote:
>
> > Can a shorewall bridge (with management IP address) be used as a host's default gateway?
> >
> > HOST1 in loc/lan zone (10.215.146.89) -> Shorewall bridge (10.215.144.91) -> Gateway (10.215.144.90)
> >
> > Suppose I need to do a quick network change and I can't update the hundreds of HOSTs in the loc/lan zone which all have 10.215.144.91 as default gateway.
> > So hosts in the loc zone need to keep "default gw 10.215.144.91".
> >
> > Also, suppose that the gateway at 10.215.144.90 cannot be changed either, so its IP address needs to be 10.215.144.90 and I cannot add an alias IP addr. 10.215.144.91.
>
> There's a lot to be said for using a virtual address for the gateway and running no other services on that IP - that avoids the situation you find yourself in. To minimise future problems, you might consider adding an alias IP to the gateway (10.215.144.90) - 10.215.144.1 or 10.215.144.254 would be logical choices if they aren't already in use - and then as you fix up the local hosts, point them to this alias IP. If you need to change things in the future, you can assign the alias IP to another device without affecting other services.
>
> But yes, you can do it as you've sketched, you need to set the routeback flag so that the shorewall machine can route packets back out through the same interface they came in through. Inbound packets will not take this route (in and out of the shorewall machine) - the gateway at 10.215.144.90 will pass them directly to the host.

In recent shorewall 4.4 releases, the bridge option implies routeback too.
Anyway, I set it explicitly and this is my interfaces file:

#ZONE   INTERFACE       BROADCAST       OPTIONS
brz     br0             detect          routefilter,bridge,routeback,blacklist,tcpflags
lan     br0:$IF_LAN
wan     br0:$IF_WAN
caib    $IF_CAIB        detect          routeback
dmz     $IF_DMZ         detect          dhcp,routeback
road    ppp+

Still, pings fail when a "lan" host with the shorewall bridge as the default gw tries to ping an internet host in the "wan" zone.

I recall using the same config with a shorewall 3.x version and an older kernel (which also implied using physdev the old way), and hosts in the above scenario could use the bridge as their default gateway.

Obviously, something's different but I can't tell what.

Thanks,
Vieri
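The point Simon makes about routeback, and the interfaces file Vieri posts above, can be checked mechanically. The following is an added example, not code from the thread or from the Shorewall project: it parses a Shorewall 4.4-style interfaces file (ZONE INTERFACE BROADCAST OPTIONS), expands the $IF_* variables from a hypothetical params mapping (eth0..eth3 are assumptions, as is the second sample file with the bridge entry stripped of its options), and answers the question at the heart of the thread: when a host uses the bridge's management IP as its gateway, the packet enters on br0 (port eth0) and is routed back out of br0 (port eth1), so Shorewall must have routeback on the br0 entry, either explicitly or implied by the bridge option as documented in shorewall-interfaces(5).

```python
"""Check the bridge/routeback relationship in a Shorewall interfaces file.

Added example, not from the thread or the Shorewall project. Assumes the
Shorewall 4.4 four-column format (ZONE INTERFACE BROADCAST OPTIONS) and
the documented rule that the 'bridge' option also sets 'routeback'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the interfaces file posted in the thread.
SAMPLE_INTERFACES = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
brz     br0             detect          routefilter,bridge,routeback,blacklist,tcpflags
lan     br0:$IF_LAN
wan     br0:$IF_WAN
caib    $IF_CAIB        detect          routeback
dmz     $IF_DMZ         detect          dhcp,routeback
road    ppp+
"""

# Constructed counter-example: same file, bridge entry without bridge/routeback.
SAMPLE_NO_ROUTEBACK = SAMPLE_INTERFACES.replace(
    "routefilter,bridge,routeback,blacklist,tcpflags", "routefilter,blacklist,tcpflags")

# Hypothetical port names for the $IF_* variables; a real install sets
# them in /etc/shorewall/params.
SAMPLE_PARAMS = {"IF_LAN": "eth0", "IF_WAN": "eth1", "IF_CAIB": "eth2", "IF_DMZ": "eth3"}


@dataclass
class Interface:
    zone: str
    name: str                  # interface (or bridge port) after $VAR expansion
    bridge: Optional[str]      # parent bridge for "br0:eth0" style port entries
    broadcast: str
    options: Set[str] = field(default_factory=set)

    @property
    def is_bridge(self) -> bool:
        return "bridge" in self.options

    @property
    def routeback(self) -> bool:
        # shorewall-interfaces(5): the "bridge" option sets "routeback" as well
        return "routeback" in self.options or self.is_bridge


def expand(token: str, params: Dict[str, str]) -> str:
    """Substitute $NAME with the value from params (unknown names are left as-is)."""
    return re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), m.group(0)), token)


def parse_interfaces(text: str, params: Dict[str, str]) -> List[Interface]:
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        zone, iface = cols[0], expand(cols[1], params)
        broadcast = cols[2] if len(cols) > 2 else "-"
        opts = set(cols[3].split(",")) if len(cols) > 3 and cols[3] != "-" else set()
        bridge, _, port = iface.partition(":")
        if port:                                   # "br0:eth0" -> port eth0 of br0
            records.append(Interface(zone, port, bridge, broadcast, opts))
        else:
            records.append(Interface(zone, iface, None, broadcast, opts))
    return records


def hairpin_check(records: List[Interface], in_port: str, out_port: str) -> Tuple[bool, str]:
    """Will Shorewall let a routed packet that entered on in_port leave via out_port?

    Two ports of one bridge are the same Linux interface (br0), so a host that
    uses the bridge's management IP as its gateway produces a packet that is
    routed back out of the interface it arrived on. Shorewall allows that only
    when the bridge entry carries routeback, explicitly or implied by 'bridge'.
    """
    by_name = {r.name: r for r in records}
    src, dst = by_name[in_port], by_name[out_port]
    in_if, out_if = src.bridge or src.name, dst.bridge or dst.name
    if in_if != out_if:
        return True, "%s -> %s: different interfaces, routeback not needed" % (in_if, out_if)
    entry = by_name.get(in_if)
    if entry is not None and entry.routeback:
        how = "explicit" if "routeback" in entry.options else "implied by bridge"
        return True, "%s: routeback %s" % (in_if, how)
    return False, "%s: same-interface forwarding blocked; add routeback (or bridge)" % in_if


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_INTERFACES), ("no routeback", SAMPLE_NO_ROUTEBACK)):
        ok, why = hairpin_check(parse_interfaces(text, SAMPLE_PARAMS), "eth0", "eth1")
        print("%-12s %s  %s" % (label, "PASS" if ok else "FAIL", why))
```

Run against the posted file the check passes (br0 has routeback explicitly, and bridge would imply it anyway), which is consistent with Vieri's observation that the Shorewall configuration is not what blocks the hairpin; the counter-example file fails the check. The check says nothing about the kernel side (the packet never reaching br0:eth1 in tcpdump), which the thread leaves unresolved.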