Alan Madill
2011-Oct-19 00:43 UTC
Using two upstream providers, one public and one private.
Hi,

I am building a firewall that will have two groups of subnets behind it which I'll provision via vlans.

The upstream provider will be supplying a router with a single interface with two subnets routed into it, one is a private connection to the corporate WAN and the other is a public (Internet) block.

One group of subnets behind the firewall will be SNAT'd out through a public IP on the firewall and another group will be routed on out through the corporate WAN to another site and eventually an Internet gateway via a private IP on the firewall.

What I am struggling with is using IP aliases on a single interface on the firewall to communicate with the upstream router. I'm thinking it might be easier to add a third nic with a separate address, plug them both into a switch along with the upstream.

Any hints would be appreciated.
Alan Madill
2011-Oct-19 22:27 UTC
Re: Using two upstream providers, one public and one private.
On 10/18/2011 5:43 PM, Alan Madill wrote:
> Hi,
>
> I am building a firewall that will have two groups of subnets behind it which
> I'll provision via vlans.
>
> The upstream provider will be supplying a router with a single interface with
> two subnets routed into it, one is a private connection to the corporate WAN and
> the other is a public (Internet) block.
>
> One group of subnets behind the firewall will be SNAT'd out through a public IP
> on the firewall and another group will be routed on out through the corporate
> WAN to another site and eventually an Internet gateway via a private IP on the
> firewall.
>
> What I am struggling with is using IP aliases on a single interface on the
> firewall to communicate with the upstream router. I'm thinking it might be
> easier to add a third nic with a separate address, plug them both into a switch
> along with the upstream.

Further to this.

When you specify track as an option in providers with an aliased interface it uses the mac address to mark the packet, would not both macs be the same on the upstream router?

> Any hints would be appreciated.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep
2011-Oct-19 22:38 UTC
Re: Using two upstream providers, one public and one private.
On Wed, 2011-10-19 at 15:27 -0700, Alan Madill wrote:
> >
> > What I am struggling with is using IP aliases on a single interface on the
> > firewall to communicate with the upstream router. I'm thinking it might be
> > easier to add a third nic with a separate address, plug them both into a switch
> > along with the upstream.
>
> Further to this.
>
> When you specify track as an option in providers with an aliased interface it
> uses the mac address to mark the packet, would not both macs be the same on the
> upstream router?

Yes.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Alan Madill
2011-Oct-20 00:14 UTC
Re: Using two upstream providers, one public and one private.
On 10/19/2011 3:38 PM, Tom Eastep wrote:
> On Wed, 2011-10-19 at 15:27 -0700, Alan Madill wrote:
>>> What I am struggling with is using IP aliases on a single interface on the
>>> firewall to communicate with the upstream router. I'm thinking it might be
>>> easier to add a third nic with a separate address, plug them both into a switch
>>> along with the upstream.
>> Further to this.
>>
>> When you specify track as an option in providers with an aliased interface it
>> uses the mac address to mark the packet, would not both macs be the same on the
>> upstream router?
> Yes.
>
> -Tom
>

I can't make it work. I'll set up another zone called wan, tie it to another nic, and go that route.

I'm just in the testing/building stage but what I've done is setup a second IP on my office router. Unless I ping it first to establish an arp table entry I get an error when starting shorewall on the testrouter.

ERROR: Unable to determine the MAC address of 10.10.11.1 through interface "eth0": Firewall state not changed

But if I ping first or run the start again it works.

I've also started getting an error when starting or stopping shorewall via the redhat init scripts (CentOS6)

# service shorewall stop
Shutting down shorewall: rm: cannot remove `/var/lock/subsys/shorewall': Permission denied

But if I use just "shorewall stop" it is fine.
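A pre-start check for the two failure modes discussed in this thread (a gateway whose MAC is not yet in the ARP table, and two provider gateways that answer with the same MAC so the providers `track` option cannot tell them apart), written as an added example and not part of the thread or of Shorewall. It parses the output of `ip -4 neigh show`; the neighbour table below, 10.10.10.1, 192.168.1.20 and the MAC addresses are constructed, only 10.10.11.1 and eth0 come from the thread.

```shell
#!/bin/sh
# Constructed sample of `ip -4 neigh show` output (run without "dev",
# so the "dev <if>" fields are present). 10.10.11.1 is the second IP on
# the office router from the thread; the other values are assumed.
SAMPLE_NEIGH='10.10.10.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.10.11.1 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.1.20 dev eth1  FAILED'

# mac_of NEIGH_TABLE IP DEV
# Prints the MAC recorded for IP on DEV; returns 1 if the neighbour has
# no lladdr (an unresolved or FAILED entry).
mac_of() {
    printf '%s\n' "$1" | awk -v ip="$2" -v dev="$3" '
        $1 == ip && $2 == "dev" && $3 == dev {
            for (i = 1; i <= NF; i++)
                if ($i == "lladdr") { print $(i + 1); found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# track_check NEIGH_TABLE DEV GW1 GW2
# 0: both gateways resolved and their MACs differ.
# 1: a gateway has no ARP entry, which is what produces Shorewall's
#    "Unable to determine the MAC address of ..." start failure.
# 2: both gateways share one MAC, so MAC-based marking by the track
#    option cannot distinguish the two providers on this interface.
track_check() {
    m1=$(mac_of "$1" "$3" "$2") || return 1
    m2=$(mac_of "$1" "$4" "$2") || return 1
    [ "$m1" != "$m2" ] || return 2
    return 0
}

# Demo on the constructed table: both gateways sit on one upstream
# router, so the result is 2. On a live box replace SAMPLE_NEIGH with
# "$(ip -4 neigh show)" and ping each gateway first to populate ARP.
rc=0
track_check "$SAMPLE_NEIGH" eth0 10.10.10.1 10.10.11.1 || rc=$?
case $rc in
    0) echo "ok: distinct gateway MACs, track can mark per provider" ;;
    1) echo "missing ARP entry: ping the gateway before 'shorewall start'" ;;
    2) echo "same MAC for both gateways: track cannot separate providers" ;;
esac
```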
Christ Schlacta
2011-Oct-20 00:34 UTC
Re: Using two upstream providers, one public and one private.
On 10/19/2011 17:14, Alan Madill wrote:
>
> On 10/19/2011 3:38 PM, Tom Eastep wrote:
>> On Wed, 2011-10-19 at 15:27 -0700, Alan Madill wrote:
>>>> What I am struggling with is using IP aliases on a single interface on the
>>>> firewall to communicate with the upstream router. I'm thinking it might be
>>>> easier to add a third nic with a separate address, plug them both into a switch
>>>> along with the upstream.
>>> Further to this.
>>>
>>> When you specify track as an option in providers with an aliased interface it
>>> uses the mac address to mark the packet, would not both macs be the same on the
>>> upstream router?
>> Yes.
>>
>> -Tom
>>
> I can't make it work. I'll set up another zone called wan, tie it to another
> nic, and go that route.
>
> I'm just in the testing/building stage but what I've done is setup a second IP
> on my office router. Unless I ping it first to establish an arp table entry I
> get an error when starting shorewall on the testrouter.
>
> ERROR: Unable to determine the MAC address of 10.10.11.1 through interface
> "eth0": Firewall state not changed
>
> But if I ping first or run the start again it works.
>
> I've also started getting an error when starting or stopping shorewall via the
> redhat init scripts (CentOS6)
> # service shorewall stop
> Shutting down shorewall: rm: cannot remove `/var/lock/subsys/shorewall':
> Permission denied
>
> But if I use just "shorewall stop" it is fine.

have you run service shorewall stop as root, or as regular user?
Alan Madill
2011-Oct-20 03:21 UTC
Re: Using two upstream providers, one public and one private.
On 10/19/2011 5:34 PM, Christ Schlacta wrote:
> have you run service shorewall stop as root, or as regular user?

As root, could be a timing issue. When you use the service/inetd utility there is no console output (dumped to /dev/null ?) and the log file might still be in use by syslog as shorewall tries to remove it. It's a new i5 system with little else running on it.

Mind you, I have seen errors on occasion when starting shorewall about not being able to "touch" or remove the log file. Permissions are normal and selinux is not enabled.