thr3ads.net - Shorewall users - Changing eth0 to VLANs [Sep 2013]

If this information is useful, please help other people find it:
Share via:

Tom Robinson

2013-Sep-05 16:03 UTC

Changing eth0 to VLANs

# shorewall version
4.5.20

Hi,

I''ve got a firewall with four interfaces, eth0, eth1, eth2 and eth3.

eth0 is the local LAN, eth1 the net, eth2 wifi and eth3 DMZ

I have a new requirement to VLAN the local LAN and am having trouble 
with setting up the Firewall.

The VLANs are setup ok:

# cat /proc/net/vlan/config
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth0.1000      | 1000  | eth0
eth0.1015      | 1015  | eth0
eth0.1018      | 1018  | eth0
eth0.192       | 192  | eth0

I have adjusted zones:
fw      firewall
net     ipv4
loc     ipv4
v1000   ipv4
v1015   ipv4
v1018   ipv4
dmz     ipv4
motex   ipv4

and interfaces:
-               eth1 dhcp,bridge,tcpflags,nosmurfs,routefilter,logmartians
loc             eth0.192 
dhcp,routeback,tcpflags,nosmurfs,routefilter,logmartians
v1000           eth0.1000 
routeback,tcpflags,nosmurfs,routefilter,logmartians
v1015           eth0.1015 
routeback,tcpflags,nosmurfs,routefilter,logmartians
v1018           eth0.1018 
routeback,tcpflags,nosmurfs,routefilter,logmartians
motex           eth2 tcpflags,nosmurfs,routefilter,logmartians
dmz             eth3 tcpflags,nosmurfs,routefilter,logmartians

I have also something in nat:
192.168.0.2     eth0.192        10.0.225.5      no              no

The problem is when I switch over to VLANning on Shorewall and the 
switch I get lots of ''FORWARD:REJECT'' log messages when
internal clients
try to access the internet and lots of ''INPUT:DROP'' log
messages when
the clients try to reach the natted address.

  Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth1 SRC=192.168.0.184 
DST=74.125.237.39 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=21822 DF 
PROTO=TCP SPT=56373 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

Shorewall:INPUT:DROP:IN=eth0 OUT= 
MAC=00:0c:29:8b:5f:80:00:22:19:08:d5:13:08:00 SRC=192.168.0.93 
DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP 
TYPE=8 CODE=0 ID=7988 SEQ=1

Also, these packets look like they are coming in on eth0, not eth0.192 
as I would have expected.

Are there any examples or more documentation on VLANning with Shorewall?

Any help is appreciated.

Kind regards,
Tom

------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk

Paul Gear

2013-Sep-12 11:55 UTC

head link

Re: Changing eth0 to VLANs

On 09/06/2013 02:03 AM, Tom Robinson wrote:>
> ...
> The problem is when I switch over to VLANning on Shorewall and the
> switch I get lots of ''FORWARD:REJECT'' log messages when
internal clients
> try to access the internet and lots of ''INPUT:DROP'' log
messages when
> the clients try to reach the natted address.
>
>    Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth1 SRC=192.168.0.184
> DST=74.125.237.39 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=21822 DF
> PROTO=TCP SPT=56373 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
>
> Shorewall:INPUT:DROP:IN=eth0 OUT>
MAC=00:0c:29:8b:5f:80:00:22:19:08:d5:13:08:00 SRC=192.168.0.93
> DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=7988 SEQ=1
>
> Also, these packets look like they are coming in on eth0, not eth0.192
> as I would have expected.
>
> Are there any examples or more documentation on VLANning with Shorewall?
Hi Tom,

When you see FORWARD or INPUT as a zone name like that, it means that 
the traffic is not matching any zones.

It looks to me like 192.168.0.0/24 is still coming into eth0 untagged; 
your Shorewall configuration is assuming that all VLANs on that 
interface are tagged.  If you provide some more details about your 
switch brand, model, and configuration, we can probably point you in the 
right direction.

Regards,
Paul



------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. Consolidate legacy IT systems to a single system of record for IT
2. Standardize and globalize service processes across IT
3. Implement zero-touch automation to replace manual, redundant tasks
http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk

Shorewall users - Sep 2013 - Changing eth0 to VLANs

Changing eth0 to VLANs

Re: Changing eth0 to VLANs