Vieri Di Paola
2011-Apr-06 11:03 UTC
1 shorewall router + 1 shorewall gateway/router + proxyarp
Hi,

I'm setting up a test network like this:

- host in lan zone at 10.215.146.89 with default gw 10.215.144.91
- shorewall firewall as router (ROUTER1) with eth0 interfacing the lan zone with 10.215.144.91/16 and eth1 with IP addr. 172.16.0.1/23 pointing to a wan zone
- another shorewall router (ROUTER2) as a gateway to Internet. This gateway has eth0 as "loc" interface connecting to ROUTER1's "wan" zone. ROUTER2's eth0 has private IP addr. 172.16.0.2/23. ROUTER2's eth1 has private IP addr. 192.168.103.3/24 and is wired to an ADSL modem/router whose IP addr. is 192.168.103.1.

ROUTER2 is configured as a standard "two-interface" setup but with this difference: I had to:

    route add -net 10.215.0.0 netmask 255.255.0.0 gw 172.16.0.1

and updated /etc/shorewall/masq:

    eth1 10.215.0.0/16,172.16.0.1/23

ROUTER1 is also a standard "two-interface" setup except that /etc/shorewall/masq is empty and /etc/shorewall/interfaces has:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    lan     $IF_LAN     detect      routeback,proxyarp=1
    wan     $IF_WAN     detect      routeback,proxyarp=1

Now, if I ping from lan zone host IP addr. 10.215.146.89 to 8.8.8.8 and I watch the packet flow with tcpdumps on ROUTER2, then:

I get ICMP requests coming in on eth0 and out eth1 as expected. Then ICMP replies come back from 8.8.8.8 to 192.168.103.3, then I see a second line ICMP reply 8.8.8.8 > 10.215.146.89 and that goes out eth0 and reaches ROUTER1's eth1 and eventually the lan zone host with IP addr. 10.215.146.89.

So the pings work fine and so does HTTP browsing, etc.

However, this is just a test system and I'm new to the proxyARP concept. Should I check anything before moving this setup to production? Should I expect trouble? Any special precaution?

Thanks,

Vieri