Hi, I would really appreciate some help.

I have an ethernet link with two alias interfaces:

    eth1    192.168.4.0/24
    eth1:0  192.168.6.0/24

    loc    ipv4    where loc zone is 192.168.4.0/24
    guest  ipv4    where guest zone is 192.168.6.0/24

A firewall which is also the DNS gateway.

In order to assign IP addresses from the fw to the "guest" zone I put in the rules file:

    .
    .
    .
    ACCEPT  $FW    guest  tcp   53
    ACCEPT  $FW    guest  udp   53,67,68

    ACCEPT  $FW    all    icmp  8
    ACCEPT  guest  $FW    icmp  8
    .
    .
    .

The problem is that it doesn't work. The guest network doesn't reach the network and doesn't get an IP address.

Thanks for your help

teresa mondragón
I didn't quite understand what you were asking but I'm going to answer what I think you're trying to do.

Are you trying to allow 192.168.6.0/24 addresses to query your DNS server (the firewall)? If you are you need to:

----

I think you've got your DEST and SOURCE zones mixed.

For DNS, there's a macro so there's less typing:

    DNS(ACCEPT)  guest  $FW

Also you added a line for DHCP; what you should do instead of adding that line is edit your interfaces file and add the option dhcp to the interface that the DHCP server listens on. So if your DHCP server is listening on eth0, you would:

interfaces:

    loc  eth0  detect  dhcp

On Wed, Sep 11, 2013 at 11:00 AM, María Teresa Mondragón Reye <tere.mon.r@hotmail.com> wrote:
> [...]
On 12/09/13 14:18, johnny bowen wrote:
> I didn't quite understand what you were asking but I'm going to answer
> what I think you're trying to do.

Sorry for my poor English :)

> Are you trying to allow 192.168.6.0/24 addresses to query your dns
> server (the firewall)?

Yes, all of them will have dynamic IPs, but I also need 192.168.4.0/24. In this segment some IP addresses will be static and others will be dynamic. In both cases the DHCP server is the same, and these two segments are on interfaces eth1:0 and eth0 respectively.

> If you are you need to:
> ----
> I think you've got your DEST and SOURCE zones mixed.
>
> For DNS, there's a macro so there's less typing:
>
>     DNS(ACCEPT)  guest  $FW

Thanks, it works fine.

> Also you added a line for DHCP, what you should do instead of adding
> that line is, edit your interfaces file and add the option dhcp to the
> interface that the dhcp server listens on. So if your dhcp server is
> listening on eth0, you would:
>
> interfaces:
>     loc  eth0  detect  dhcp

OK, it also works fine. I just got an IP address from 192.168.6.XXX.

Please, now I have another doubt... If I need a "dynamic IP" from the segment 192.168.6.XXX, how can I control getting it in that segment and not from the other one, 192.168.4.XXX?

Thanks again

tere.mondragón
First I need to gather a little information.

It sounds like you have two subnets connected to the same switch which are then connected to one ethernet port that has an alias on it. Why are you using two subnets?

If you need DHCP on both subnets, when a client connects to the network it will make a broadcast DHCP query to get an IP address. So any DHCP server listening on either 192.168.4.0/24 or 192.168.6.0/24 will respond. There will be a race condition. The first reply received is the one that that computer will use.

It's hard to understand exactly what you're trying to accomplish, but I get the feeling that you want to have a network with mixed static IPs and dynamic IPs. For that you could use one single net, 192.168.6.0/24, then just configure your dhcpd server to only select dynamic IPs from a pool like 192.168.6.50-192.168.6.254.

If you want to keep your current setup you can force the DHCP server to only listen on a specific interface.
On 12/09/13 19:02, johnny bowen wrote:
> First I need to gather a little information.

Johnny, I'm grateful.

> It sounds like you have two subnets connected to the same switch which
> are then connected to one ethernet port that has an alias on it.

Yes, I have a three-interface Shorewall.

1. ifconfig

    br0     link ..... xxx.xxx.xxx.xxx  (where xxx.xxx.xxx.xxx is a public IP)
    eth0    link ....
    eth1    192.168.4.254
    eth1:0  192.168.6.254
    eth2    link

You are right, there are two subnets linked to eth1.

--------------------------------
SHOREWALL

2. interfaces file:

    pub  br0       detect  logmartians,routefilter,bridge
    net  br0:eth0
    dmz  br0:eth2
    -    eth1      detect  dhcp    (as you suggested)

3. zones file:

    fw       firewall
    pub      ipv4
    net:pub  bport4
    dmz:pub  bport4
    loc      ipv4
    guest    ipv4

4. bridge file:

    BRIDGE_INTERFACE=br0
    INTERFACES="eth0 eth2"

5. hosts file:

    loc    eth1:192.168.4.0/24
    guest  eth1:192.168.6.0/24

6. masq file:

    ...
    eth1:0  192.168.6.0/24
    eth1    192.168.4.0/24
    #Last line
    br0     192.168.6.0/24  xxx.xxx.xxx.xxx
    br0     192.168.4.0/24  xxx.xxx.xxx.xxx

------------------------------------
> Why are you using two subnets?

The number of subnets is because one segment is going to be used by local users (employees, ...); the other one is to provide just internet access to guests, mobile devices, occasional users, etc., and isolate those connections. These IPs would only have an internet connection and nothing more.

I would separate IPs and subnets to have a little security and control.

> If you need dhcp on both subnets when a client connects to network it
> will make a broadcast dhcp query to get an ip address. So any dhcp
> server listening on either 192.168.4.0/24 or 192.168.6.0/24 will respond.

!!!Oops!!!!! Then there is no way to control which one, 4.xxx or 6.xxx, a new device will get when it connects to the network???

> There will be a race condition. The first reply received is the one
> that that computer will use.
>
> It's hard to understand exactly what you're trying to accomplish, but
> I get the feeling that you want to have a network with mixed static
> ips and dynamic ips.

Yes, the 192.168.4.0/24 subnet, just this one, has a mix of dynamic and static. I have a dnsmasq-host.conf file which contains MAC addresses and IP numbers to assign static IPs, and the dnsmasq.conf file is configured to leave a segment (192.168.4.200 -- 192.168.4.220) as dynamic IPs.

In the same dnsmasq.conf file I put all of 192.168.6.0/24 as dynamic IPs.

> For that you could use one single net: 192.168.6.0/24, then just
> configure your dhcpd server to only select dynamic ips from a pool
> like: 192.168.6.50-192.168.6.254

OK, I understand what you mean. The reason is, my boss asked me for this configuration: a mix of static and dynamic IPs for one subnet and the other one only dynamic.

> If you want to keep your current setup you can force the dhcp server
> to only listen on a specific interface.

And what if I need it listening on both???

I really appreciate your help, thanks a lot.
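The "listening on both" question has a clean answer only once the two subnets sit on two different interfaces. The dnsmasq configuration below is an added example, not the poster's dnsmasq.conf or anything from the thread; it assumes eth1 = 192.168.4.254/24 for employees and eth2 = 192.168.6.254/24 for guests, and the MAC addresses are constructed. It keeps the poster's stated layout (static leases plus a small .200-.220 pool on the employee subnet, an all-dynamic guest subnet) and shows why the choice of range becomes deterministic: dnsmasq matches a request to the dhcp-range whose subnet contains an address of the interface the request arrived on, and it also tags every request with that interface name. With both addresses on eth1 (the alias setup) both ranges match and the interface tag is the same for everyone, so there is nothing in a DHCP DISCOVER that lets the server tell an employee from a guest.

```text
# /etc/dnsmasq.conf  (added example; interface names, addresses and MACs assumed)

# Serve DHCP/DNS on the two internal interfaces only, never on the public side.
interface=eth1
interface=eth2
bind-interfaces

# Employee segment (eth1): dynamic pool limited to .200-.220, everything else
# is reserved for fixed assignments below.
dhcp-range=192.168.4.200,192.168.4.220,255.255.255.0,12h

# Guest segment (eth2): fully dynamic, short leases so stale guests expire.
dhcp-range=192.168.6.50,192.168.6.254,255.255.255.0,1h

# Fixed assignments by MAC address (constructed sample MACs).
dhcp-host=02:00:00:00:00:01,192.168.4.10
dhcp-host=02:00:00:00:00:02,192.168.4.11

# Hardening: on the employee interface, refuse leases to any MAC that has no
# dhcp-host entry ("known" is set by dnsmasq when a dhcp-host matches; the
# interface name is a tag dnsmasq adds automatically).  Guests on eth2 are
# unaffected.
dhcp-ignore=tag:eth1,tag:!known

# Only hand out the firewall itself as resolver on both segments.
dhcp-option=option:dns-server,192.168.4.254
dhcp-option=tag:eth2,option:dns-server,192.168.6.254
```

The dhcp-ignore line is the part worth keeping even if the rest is adapted: an unknown laptop plugged into an employee port gets no lease at all instead of a .200-.220 address. It is not a security boundary on its own (anyone can set a static 192.168.4.x address), which is why the interface split, and not the DHCP server, is what actually separates the two populations.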
Hey Maria, you're not going to be able to get two networks isolated from each other if you're using the same physical interface and using one switch. If you're trying to have a setup of security and control this is what I would do:

Interfaces:

    net    eth0  detect  dhcp,tcpflags,logmartians,nosmurfs   (use dhcp if needed on WAN)
    lan    eth1  detect  dhcp,tcpflags,logmartians,nosmurfs
    guest  eth2  detect  dhcp,tcpflags,logmartians,nosmurfs

Zones:

    fw     firewall
    net    ipv4
    lan    ipv4
    guest  ipv4

Masq:

    eth0  192.168.4.0/24,192.168.6.0/24

This is a basic setup that will get you isolated networks.

On Fri, Sep 13, 2013 at 9:21 AM, María Teresa Mondragón Reye <tere.mon.r@hotmail.com> wrote:
> [...]
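The three-interface layout above gives the zones, interfaces and masq entries but not the policy and rules files, and those are where the isolation is actually enforced. The set below is an added example, not from the thread or from the Shorewall project: the zones, interfaces and masq lines follow the reply, the policy and rules files are assumed. The point it makes is that zone membership must come from the physical interface (eth1 vs eth2), not from the IP subnet: with both subnets on one switch, a guest can hand-configure a 192.168.4.x address and land in the "loc" zone, so a hosts-file split like the earlier eth1:192.168.4.0/24 / eth1:192.168.6.0/24 one is not a boundary. The dhcp interface option is what lets the firewall's own DHCP server answer on lan and guest without any rules for ports 67/68, which is why the original udp 53,67,68 rule was unnecessary.

```text
# /etc/shorewall/zones
#ZONE    TYPE
fw       firewall
net      ipv4
lan      ipv4
guest    ipv4

# /etc/shorewall/interfaces
# "dhcp" on lan/guest: DHCP to/from the firewall on that interface is
# allowed regardless of policy.  routefilter on the WAN side rejects
# packets that arrive on the wrong interface for their source address.
#ZONE    INTERFACE  BROADCAST  OPTIONS
net      eth0       detect     tcpflags,logmartians,nosmurfs,routefilter
lan      eth1       detect     dhcp,tcpflags,logmartians,nosmurfs
guest    eth2       detect     dhcp,tcpflags,logmartians,nosmurfs

# /etc/shorewall/policy   (first matching line wins, so order matters)
#SOURCE  DEST       POLICY     LOGLEVEL
$FW      all        ACCEPT
lan      net        ACCEPT
guest    net        ACCEPT
guest    all        DROP       info    # guest reaches nothing but the internet...
net      all        DROP       info
all      all        REJECT     info    # ...and lan<->guest falls through to here

# /etc/shorewall/rules   (exceptions to the policies above)
#ACTION        SOURCE  DEST   PROTO  DPORT
DNS(ACCEPT)    guest   $FW                    # guests resolve via the firewall only
Ping(ACCEPT)   guest   $FW
DNS(ACCEPT)    lan     $FW
Ping(ACCEPT)   lan     $FW
SSH(ACCEPT)    lan     $FW                    # manage the box from the employee side only

# /etc/shorewall/masq
#INTERFACE  SOURCE
eth0        192.168.4.0/24,192.168.6.0/24
```

Two things to check after "shorewall check" passes: from a guest host, a ping and a DNS query to 192.168.4.254 should work, while any connection to a 192.168.4.x employee host should be dropped and logged; and the guest switch port or switch must be physically separate from the employee one (or a separate VLAN on a managed switch), otherwise the interface-based zones collapse back into the one-segment situation the reply warns about.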
Great Johnny, I did it and it works. Thanks for your help, I really appreciate your patience.

Have a wonderful week

tere.mondragon

On 16/09/13 13:45, johnny bowen wrote:
> [...]