I have been using for a long time a "classical" two-interfaces setup, with the net interface connected to an ADSL modem in half-bridge mode, which receives a public IP from the ISP and gives it to the Linux net interface; the lan interface has the 192.168.30.0/24 class.

Now I need to change this setup, because my new ISP (that will switch soon to a FTTS VDSL2 connection) sent me a VDSL2 WiFi router, and I need to replace the old configuration to be ready for the switch to VDSL2. The router LAN and WiFi interfaces have the 192.168.1.0/24 class, and the router can be configured to forward all connections from Internet to the public IP to a host in the LAN ("DMZ" function). Since I want to use the WiFi function for clients in the lan, I am forced to use a sort of "one interface routing", connecting the router to the lan interface on the firewall and having the two IP classes on the same wire.

I read the documentation on the pages "Shorewall and Aliased Interfaces" and "Routing on One Interface", and I tried to follow the indications, but with no success. Specifically, I have eth0 with IP 192.168.30.1 (lan) and eth0:0 with IP 192.168.1.1 (net) configured to use 192.168.1.254 as the default gateway (the IP of the router). The lan clients use the lan address of the firewall 192.168.30.1 as their default gateway, and the firewall should masquerade.

I did not change the policy and rules files, and I modified interfaces, masq and added a hosts file; these are the relevant lines:

interfaces:
    #ZONE   INTERFACE   BROADCAST   OPTIONS
    -       eth0        -

hosts:
    #ZONE   HOST(S)                 OPTIONS
    net     eth0:192.168.1.0/24
    loc     eth0:192.168.30.0/24

masq:
    #INTERFACE  SOURCE          ADDRESS ...
    eth0:0      192.168.30.0/24

When shorewall is not started, or after a shorewall clear, the firewall connects to the Internet and local clients connect to the firewall, but obviously the clients do not connect to the Internet because masquerading is not active on the firewall.

When shorewall is started, it stops connecting to the Internet, with a fast scrolling series of messages like this:

    From 192.168.1.1 icmp_seq=1 Destination Host Unreachable

when I ping any public IP.

I tried to understand the problem, and I narrowed it down to the combination of the interfaces and hosts files; if I comment out the two lines in the hosts file and I assign eth0 in the interfaces file to the net zone, as in a "normal" one-interface setup, it works also with shorewall started, but obviously the local clients do not connect to the Internet because the masquerading is not correctly configured.

I tried to understand my mistake(s), but with no success. Any advice would be welcome.

Thanks
Elio
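The post above carries three Shorewall tables (interfaces, hosts, masq) for a setup where one physical interface hosts two zones. The following is an added example, not code from the thread or from the Shorewall project: a small parser for that whitespace-separated table format plus a lint pass over the poster's own three tables (embedded below as constructed sample input). It checks two things a reviewer of such a config would look at first. The first is a documented requirement: when more than one zone sits on the same interface, Shorewall needs the `routeback` option (accepted in the interfaces OPTIONS column, and also per entry in the hosts OPTIONS column) or traffic routed back out the arriving interface is dropped. The second is an assumption on my part rather than something the thread establishes: an alias name such as `eth0:0` in the masq INTERFACE column is flagged as a warning, on the assumption that the physical interface name with the SNAT address in the ADDRESS column is the preferred form. Nothing here claims to be the root cause of the poster's "Destination Host Unreachable" symptom, which the thread never diagnoses.

```python
"""Parse Shorewall-style tabular config files and lint a one-interface setup.

Added example; the three tables below are constructed from the thread's post
and are not files shipped with Shorewall."""

# Constructed sample input: the poster's interfaces, hosts and masq files.
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        -
"""
HOSTS = """\
#ZONE   HOST(S)                 OPTIONS
net     eth0:192.168.1.0/24
loc     eth0:192.168.30.0/24
"""
MASQ = """\
#INTERFACE  SOURCE          ADDRESS
eth0:0      192.168.30.0/24
"""


def parse_table(text, columns):
    """Split a whitespace-separated Shorewall table into dicts keyed by column.

    Comment and blank lines are skipped, trailing '#' comments are stripped,
    '?'-directives are ignored, and missing trailing columns become '-'
    (Shorewall's own "not specified" marker)."""
    rows = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('?'):
            continue
        fields = line.split()
        rows.append({col: (fields[i] if i < len(fields) else '-')
                     for i, col in enumerate(columns)})
    return rows


def options_set(value):
    """Turn an OPTIONS cell ('-' or 'a,b,c') into a set of option names."""
    return set() if value == '-' else set(value.split(','))


def lint(interfaces_text, hosts_text, masq_text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    interfaces = parse_table(interfaces_text,
                             ['zone', 'interface', 'broadcast', 'options'])
    hosts = parse_table(hosts_text, ['zone', 'hosts', 'options'])
    masq = parse_table(masq_text, ['interface', 'source', 'address'])
    findings = []

    iface_opts = {r['interface']: options_set(r['options']) for r in interfaces}

    # Collect the zones placed on each physical interface via the hosts file,
    # remembering whether every hosts entry for it carries routeback itself.
    zones_on, hosts_routeback = {}, {}
    for r in hosts:
        iface = r['hosts'].partition(':')[0]
        if iface not in iface_opts:
            findings.append(f"hosts: {iface} is not declared in interfaces")
            continue
        zones_on.setdefault(iface, set()).add(r['zone'])
        has_rb = 'routeback' in options_set(r['options'])
        hosts_routeback[iface] = hosts_routeback.get(iface, True) and has_rb

    for iface, zones in zones_on.items():
        if len(zones) > 1 and 'routeback' not in iface_opts[iface] \
                and not hosts_routeback[iface]:
            findings.append(
                f"interfaces: {iface} carries zones {sorted(zones)} but has no "
                f"routeback option, so traffic between them (routed back out "
                f"{iface}) is dropped")

    # Assumption (see lead-in): alias names in masq INTERFACE are flagged.
    for r in masq:
        if ':' in r['interface']:
            base = r['interface'].split(':', 1)[0]
            findings.append(
                f"masq: alias name {r['interface']} used as INTERFACE; consider "
                f"{base} with the SNAT address in the ADDRESS column")
    return findings


if __name__ == '__main__':
    for finding in lint(INTERFACES, HOSTS, MASQ):
        print(finding)
```

Run as a script it prints one line per finding for the poster's tables; the functions are kept separate so the same check can be pointed at any three files read from /etc/shorewall.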
On 09/06/2013 04:51 PM, Elio Tondo wrote:
> I use since a lot of time a "classical" two-interfaces setup, with the net
> interface connected to an ADSL modem in half-bridge mode, which receives a
> public IP from the ISP and gives it to the Linux net interface; the lan
> interface has the 192.168.30.0/24 class.
>
> Now I need to change this setup, because my new ISP (that will switch soon to
> a FTTS VDSL2 connection) sent me a VDSL2 WiFi router, and I need to replace
> the old configuration to be ready to the switch to VDSL2. The router LAN and
> WiFi interfaces have the 192.168.1.0/24 class, and the router can be
> configured to forward all connections from Internet to the public IP to a host
> in the LAN ("DMZ" function). Since I want to use the WiFi function for clients
> in the lan, I am forced to use a sort of "one interface routing", connecting
> the router to the lan interface on the firewall and having the two IP classes
> on the same wire.
>
> I read the documentation on the pages "Shorewall and Aliased Interfaces" and
> "Routing on One Interface", and I tried to follow the indications, but with no
> success. Specifically, I have eth0 with IP 192.168.30.1 (lan) and eth0:0 with
> IP 192.168.1.1 (net) configured to use 192.168.1.254 as the default gateway
> (the IP of the router). The lan clients use the lan address of the firewall
> 192.168.30.1 as their default gateway, and the firewall should masquerade.
>
> I did not change the policy and rules files, and I modified interfaces, masq
> and added a hosts file; these are the relevant lines:
>
> interfaces:
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> -       eth0        -
>
> hosts:
> #ZONE   HOST(S)                 OPTIONS
> net     eth0:192.168.1.0/24
> loc     eth0:192.168.30.0/24
>
> masq:
> #INTERFACE  SOURCE          ADDRESS ...
> eth0:0      192.168.30.0/24
>
> When shorewall is not started, or after a shorewall clear, the firewall
> connects to the Internet and local clients connect to the firewall, but
> obviously the clients do not connect to the Internet because masquerading is
> not active on the firewall.
>
> When shorewall is started, it stops connecting to the Internet, with a fast
> scrolling series of messages like this:
>
> From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
>
> when I ping any public IP.
>
> I tried to understand the problem, and I narrowed it down to the combination
> of the interfaces and hosts files; if I comment out the two lines in the hosts
> file and I assign eth0 in the interfaces file to the net zone, as in a
> "normal" one-interface setup, it works also with shorewall started, but
> obviously the local clients do not connect to the Internet because the
> masquerading is not correctly configured.
>
> I tried to understand my mistake(s), but with no success. Any advice would be
> welcome.

Please forward the output of 'shorewall dump' collected as described at
http://www.shorewall.net/support.htm#Guidelines.

Thanks,
-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 07/09/2013 16:13, Tom Eastep wrote:
>> I tried to understand my mistake(s), but with no success. Any advice would be
>> welcome.
>
> Please forward the output of 'shorewall dump' collected as described at
> http://www.shorewall.net/support.htm#Guidelines.
>
> Thanks,
> -Tom

Thank you for your support. The dump is attached.

Probably it's useful to add some details about my current configuration. I have two static openvpn tunnels to two remote servers (remote endpoints 192.168.10.1 and 192.168.20.1) configured in the loc zone (I don't need any special policy, they are another location of the same company and a dedicated server at OVH). Due to the current problem, I added a default route in the openvpn tunnel to 192.168.20.1 where I masquerade the tunnel, and I am currently reaching the Internet from here through this unusual path. The tunnels stay up and work also when starting shorewall, it's only the connection from the firewall to the local router that stops working.

Just before capturing the dump I did a ping to 8.8.8.8.

Kind regards,
Elio
On 07/09/2013 16:13, Tom Eastep wrote:
>> I tried to understand my mistake(s), but with no success. Any advice would be
>> welcome.
>
> Please forward the output of 'shorewall dump' collected as described at
> http://www.shorewall.net/support.htm#Guidelines.

I solved the problem by switching to a slightly different configuration. I followed exactly your tutorial "One-armed Router" at the end of this page:

http://www.shorewall.net/Multiple_Zones.html

and now it works.

Kind regards,
Elio