I'm trying to set up CIDR routing on Shorewall and don't understand the proper way to do this. We changed ISPs to cox.net and now they have given us a public IP and a public CIDR block of IPs on a separate subnet from the one our public IP is on. How do I set this up properly in the config files? I have added both of the broadcast addresses in the interfaces file and also added the CIDR block IPs in the nat file, and have added rules in the rules file to allow NAT'd access to our LAN servers, but we are having communication problems with our Asterisk server and can't ping any of the CIDR IPs. I have attached the Shorewall dump file, and here is a link describing the CIDR setup that Cox has given us: http://www.dslreports.com/forum/r20479109-RI-COX-Cidr-block-configuration-issue

Any help on this is appreciated.

------------------------------------------------------------------------------
Doing More with Less: The Next Generation Virtual Desktop
What are the key obstacles that have prevented many mid-market businesses from deploying virtual desktops? How do next-generation virtual desktops provide companies an easier-to-deploy, easier-to-manage and more affordable virtual desktop model.
http://www.accelacomm.com/jaw/sfnl/114/51426474/
Ryan Ferguson wrote:

> I'm trying to set up CIDR routing on Shorewall and don't understand the proper way to do this. We changed ISPs to cox.net and now they have given us a public IP and a public CIDR block of IPs on a separate subnet from the one our public IP is on. How do I set this up properly in the config files?

Lucky you - that allocation of IPs gives you so much flexibility.

Traditionally you'd use three interfaces - one outside, one 'dmz', one inside. Your outside interface will obviously have to match the single public IP etc. Then you use the additional IP block on the dmz, and private (RFC1918) addresses on the internal LAN. It's great for servers because they can be on public IPs (ie no NAT) but still have a firewall between them and the outside world.

With that setup, you define your three interfaces, NAT your inside interface to the outside (using the shared public IP), and set your policies and rules.

-- 
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
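The three-interface layout Simon describes, written out as the corresponding Shorewall configuration files. This is an added example, not from the thread or from the Shorewall project; the interface names and the addresses (203.0.113.10 for the single public IP, 198.51.100.0/29 for the routed block, 192.168.1.0/24 for the LAN) are documentation placeholders standing in for the real ones.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# eth0 carries the single public IP, eth1 the routed CIDR block,
# eth2 the RFC1918 LAN.  shorewall.conf needs IP_FORWARDING=On.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
dmz     eth1        detect      tcpflags,nosmurfs
loc     eth2        detect      tcpflags,nosmurfs

# /etc/shorewall/policy  (first match wins; end with a catch-all)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq
# Only the LAN is translated, and to the shared public IP (SNAT).
# The DMZ block is routed by the ISP to 203.0.113.10 and is simply
# forwarded onto eth1: no masq or nat entry for it.  DMZ hosts use
# the firewall's eth1 address (198.51.100.1) as their default gateway.
#INTERFACE  SOURCE          ADDRESS
eth0        192.168.1.0/24  203.0.113.10

# /etc/shorewall/rules
# Open only what the public servers need.  SIP and Ping are stock
# Shorewall macros; 198.51.100.3 as the Asterisk box and the
# 10000:20000 RTP range (Asterisk's rtp.conf default) are assumptions.
#ACTION         SOURCE  DEST                PROTO   DEST PORT(S)
SIP(ACCEPT)     net     dmz:198.51.100.3
ACCEPT          net     dmz:198.51.100.3    udp     10000:20000
Ping(ACCEPT)    net     dmz
```

With no NAT in the path, the public servers see real client addresses and the firewall's ruleset is the only thing deciding who reaches them.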
On Thu, 2011-09-08 at 22:16 +0100, Simon Hobson wrote:

> Ryan Ferguson wrote:
>
> > I'm trying to set up CIDR routing on Shorewall and don't understand the proper way to do this. We changed ISPs to cox.net and now they have given us a public IP and a public CIDR block of IPs on a separate subnet from the one our public IP is on. How do I set this up properly in the config files?
>
> Lucky you - that allocation of IPs gives you so much flexibility.
>
> Traditionally you'd use three interfaces - one outside, one 'dmz', one inside. Your outside interface will obviously have to match the single public IP etc. Then you use the additional IP block on the dmz, and private (RFC1918) addresses on the internal LAN. It's great for servers because they can be on public IPs (ie no NAT) but still have a firewall between them and the outside world.
>
> With that setup, you define your three interfaces, NAT your inside interface to the outside (using the shared public IP), and set your policies and rules.

I agree with Simon. The configuration that he recommends is so much cleaner than what you currently have; and it will work.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
ok, thank you, but I'm not sure that it'll work for this situation, will it? I already have three interfaces in the machine because there are two LANs on separate subnets, and some of the servers cannot be located on the DMZ with a public address because they are domain controllers. Is there a way I can keep the current LAN setups, since some of them are also on Xen machines running on the LAN?

--- On Thu, 9/8/11, Tom Eastep <teastep@shorewall.net> wrote:

> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] cidr route
> To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
> Date: Thursday, September 8, 2011, 2:33 PM
>
> On Thu, 2011-09-08 at 22:16 +0100, Simon Hobson wrote:
>
> > Ryan Ferguson wrote:
> >
> > > I'm trying to set up CIDR routing on Shorewall and don't understand the proper way to do this. We changed ISPs to cox.net and now they have given us a public IP and a public CIDR block of IPs on a separate subnet from the one our public IP is on. How do I set this up properly in the config files?
> >
> > Lucky you - that allocation of IPs gives you so much flexibility.
> >
> > Traditionally you'd use three interfaces - one outside, one 'dmz', one inside. Your outside interface will obviously have to match the single public IP etc. Then you use the additional IP block on the dmz, and private (RFC1918) addresses on the internal LAN. It's great for servers because they can be on public IPs (ie no NAT) but still have a firewall between them and the outside world.
> >
> > With that setup, you define your three interfaces, NAT your inside interface to the outside (using the shared public IP), and set your policies and rules.
>
> I agree with Simon. The configuration that he recommends is so much cleaner than what you currently have; and it will work.
>
> -Tom
>
> -- 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
On 8 Sep 2011, at 23:44, Ryan Ferguson wrote:

> ok, thank you, but I'm not sure that it'll work for this situation, will it? I already have three interfaces in the machine because there are two LANs on separate subnets, and some of the servers cannot be located on the DMZ with a public address because they are domain controllers. Is there a way I can keep the current LAN setups, since some of them are also on Xen machines running on the LAN?

A couple of things come to mind, depending on exactly what you require:

1) If there are hosts in your DMZ that shouldn't be publicly accessible at all [!], then add another zone + interface (say srv) and put your DCs (et al.) in it. Use the same private block you currently do for your DMZ. Make your DMZ use the actual public IP block. Connect both srv and dmz networks to your Xen hosts, and set up the interface connections for the guest VMs to use one or the other as appropriate.

2) If you don't want to change the IP of the DCs, but they do provide public services, you could add a nat rule for LAN->DMZ so that local machines can get the DC on its old private address, as well as on its public one. If proxyarp and NAT coexist, then things get a bit ugly if you need those machines to talk to each other - because even if you have split-horizon DNS, then you'd need to use routeback to get the connection to work. So I would strongly recommend avoiding that arrangement.

For (1), if you can't add another physical interface, then you could do it with VLAN ones, using the 8021q kernel module.

- Dominic

------------------------------------------------------------------------------
Why Cloud-Based Security and Archiving Make Sense
Osterman Research conducted this study that outlines how and why cloud computing security and archiving is rapidly being adopted across the IT space for its ease of implementation, lower cost, and increased reliability. Learn more.
http://www.accelacomm.com/jaw/sfnl/114/51425301/
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Ryan Ferguson wrote:

> ok, thank you, but I'm not sure that it'll work for this situation, will it? I already have three interfaces in the machine because there are two LANs on separate subnets, and some of the servers cannot be located on the DMZ with a public address because they are domain controllers. Is there a way I can keep the current LAN setups, since some of them are also on Xen machines running on the LAN?

At work we have customers in that situation - not to mention ourselves. While it does lessen the protection from having a DMZ, you can dual-home those machines that need a presence in the LAN. The same goes for your Xen hosts.

So for your Xen hosts you could have 2 or 3 NICs (and associated bridges) so they are on one or both LANs in addition to the dmz. Then you can connect your guests to whichever network(s) they need. You do not need to give a Dom0 an address in order to put it on a network - so you can keep the host with just an address on the LAN, but a physical presence in the dmz.

For real hosts, it's a matter of having multiple NICs connected to the right networks. Depending on your scale, you could replace "multiple NICs" with "single NIC and VLAN trunking", but that's a bit more effort to manage and some people struggle to get their heads around VLANs.

The alternative is to start using "host routes" and/or proxy-arp to 'pass-through' public IPs individually to hosts located on one or other LAN - these hosts will need to have two IPs on an interface, one for the LAN, one public.

-- 
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
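Dominic's option (1) (a separate srv zone on a tagged VLAN for the domain controllers) and Simon's alternative (passing a single public address through to a host that stays on the LAN) expressed as additions to a three-zone net/dmz/loc Shorewall setup. This is an added example, not from the thread or the Shorewall project; eth0/eth1/eth2, VLAN id 10, 192.168.2.0/24 for srv and the 198.51.100.x / 203.0.113.10 addresses are placeholders.

```text
# /etc/shorewall/zones -- fourth zone for hosts that must never be
# reachable from the Internet (DCs, internal-only Xen guests)
#ZONE   TYPE
srv     ipv4

# /etc/shorewall/interfaces -- srv rides VLAN 10 on the DMZ NIC when
# no spare physical port exists (8021q module loaded, eth1.10 created
# by the OS network config, switch port to eth1 configured as a trunk)
#ZONE   INTERFACE   BROADCAST   OPTIONS
srv     eth1.10     detect      tcpflags,nosmurfs

# /etc/shorewall/policy -- srv is reachable only from loc and dmz and
# may itself only go outbound; these lines go before the net/all catch-alls
#SOURCE DEST    POLICY  LOG LEVEL
loc     srv     ACCEPT
dmz     srv     ACCEPT
srv     net     ACCEPT
net     srv     DROP    info

# /etc/shorewall/masq -- srv keeps private space, so it shares the
# single public IP on the way out exactly like loc
#INTERFACE  SOURCE          ADDRESS
eth0        192.168.2.0/24  203.0.113.10

# /etc/shorewall/proxyarp -- Simon's alternative: hand ONE address from
# the public block to a host that physically sits on the LAN (eth2).
# That host adds 198.51.100.6 as a second address on its own NIC.
# HAVEROUTE=No makes Shorewall add the host route to eth2; because Cox
# routes the whole block to the firewall, that route is the part that
# does the work, the ARP reply on eth0 is just harmless.
# Do not ALSO 1:1-NAT that host: per Dominic, proxyarp plus NAT for
# machines that must reach each other forces routeback and gets ugly.
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
198.51.100.6    eth2        eth0        No
```

Return traffic from the pass-through host leaves with source 198.51.100.6, so the masq entry for the LAN's RFC1918 range never touches it.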