On Ne, 2003-03-02 at 22:16, Bart De Schuymer wrote:
> > route add -net 0.0.0.0 netmask 0.0.0.0 dev br1
> > route add -net 0.0.0.0 netmask 0.0.0.0 dev br3
>
> You can send stuff destined to hosts on br1 to the br1 device, using the
> appropriate routing table entry. I don't see what your problem is...
> Anyway, my vlan knowledge is limited.
It is not about VLANs, forget VLANs.
For example you have a firewall with 5 physical interfaces.
eth0 and eth1 are in br0
eth2 and eth3 are in br1
eth4 is connected to a proxy and it has an IP address
The firewall is not designed like your testing topology.
In this example topology the firewall is connecting TWO computers with
public addresses to the internet.
Like on this picture:
           bridge firewall          router
           +-------------+       +--------+
comp1 --   |eth0-br0-eth1| --    |        | -- internet
comp2 --   |eth2-br1-eth3| --    |        |
           |    eth4     |       +--------+
           +------+------+
                  |
              +---+----+
              | server |
              +--------+
comp1 and comp2 are computers (or they can be LANs behind NAT boxes)
with public IP addresses connected to the internet. Between these computers
comp1 and comp2 (or LANs behind NAT boxes) and the internet is a bridge
firewall. The bridge firewall is also connected to a "server".
And now what I need. When somebody is connecting FROM the internet to
comp1 on port 80 (web) all works well because the firewall is configured to
accept this traffic from the internet. The traffic goes via br0 to comp1.
When somebody is connecting from the internet to comp2 on port 80,
the firewall also accepts it and it goes via br1 to comp2.
It is easy. :-)
Now about redirection. I would like to redirect all the traffic from the
internet to comp1 on port 3333 to "server".
So when somebody is connecting from the internet to comp1 on port 3333,
I would like the bridge firewall to redirect this traffic to "server"
on port 25 (SMTP).
So when I execute this command somewhere on the internet:
$telnet comp1 3333
the "server" (not comp1) gives me the SMTP (port 25) answer:
Connected to server.
Escape character is '^]'.
220 server ESMTP
For this I need to have added (as you wrote in your last email) the route on
interface br0 (because comp1 is connected via br0). The route will look
like this:
route add -net 0.0.0.0 netmask 0.0.0.0 dev br0
It is the "default" route. It tells the bridge firewall that ALL traffic will
be sent to the br0 interface.
This is the main difference to your testing topology, because you have
2 computers _directly_connected_ in the bridge in the same subnet. So you
need only the route for the network 172.16.1.0, because both computers are
_directly_ connected.
In my case the connection originates from the internet. So the firewall
must know the _default_ route to the internet. I hope you know what I
mean.
It is not a problem to add this default route on the firewall for the bridge
br0.
But the problem (big problem for me :-) is when I would like the same also
for br1. Like above for br0, I would like, when somebody from the
internet connects to comp2 (it will go via br1) on port
3333, the traffic to be redirected to the "server". In other words, the
same as the previous example for comp1.
So it means that I need a second route in the routing table. The only difference is
that this new route is for br1. It must also be a _default_ route, because
the traffic originates from the internet. And THIS is the big problem
for me. Because it means that I need TWO DEFAULT ROUTES (TWO DEFAULT
GATEWAYS) on one machine:
route add -net 0.0.0.0 netmask 0.0.0.0 dev br0
route add -net 0.0.0.0 netmask 0.0.0.0 dev br1
And I guess it is not possible, because Linux doesn't know virtual routing.
I hope the explanation is now a little bit clearer. :-)
kolisko
>
> --
> cheers,
> Bart
>
--
---
Michal Kolesár
[EMAIL PROTECTED]
http://kolisko.penguin.cz
+420.777.225.297
Don't send me any attachment in Micro$oft (.DOC, .PPT) format please
Read http://www.fsf.org/philosophy/no-word-attachments.html
Preferable attachments: .PDF, .HTML, .TXT
Thanx for adding this text to Your signature
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
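The two-default-route problem described in the message above, as an added example that is not part of the thread or of the bridge project: Linux policy routing (ip rule plus extra routing tables, from iproute2) lets a forwarded reply be routed by its source address, so each bridge can hold its own default route without the two entries colliding in the main table. The bridge names br0/br1 and eth4 as the server-side interface come from the topology in the message; the table numbers 100/101 and the addresses 198.51.100.11 (comp1) and 198.51.100.22 (comp2) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): per-bridge "default routes" on one Linux
# box using policy routing (ip rule + extra routing tables). Addresses and table
# ids below are constructed placeholders for the topology in the message.
# Run with APPLY=1 as root to execute; otherwise the commands are only printed.

COMP1=198.51.100.11   # placeholder for comp1's public address (behind br0)
COMP2=198.51.100.22   # placeholder for comp2's public address (behind br1)

# Build the ip(8) commands that give one bridge its own default route:
#  - a private routing table holding only "default dev <bridge>"
#  - a rule that sends replies from the server (arriving on eth4) whose source
#    address is that bridge's host into the private table.
# After DNAT, conntrack rewrites the reply's source back to comp1 or comp2 before
# the routing decision, so the source address identifies which bridge to use.
bridge_route_cmds() {
    dev=$1 host=$2 table=$3
    printf 'ip route replace default dev %s table %s\n' "$dev" "$table"
    printf 'ip rule add from %s iif eth4 lookup %s priority %s\n' "$host" "$table" "$table"
}

# The full plan for both bridges, one table and one rule each.
plan() {
    bridge_route_cmds br0 "$COMP1" 100
    bridge_route_cmds br1 "$COMP2" 101
}

# Sanity check: every route in the plan must go into a distinct table, otherwise
# the second default route would silently replace the first (the original problem).
plan_tables_unique() {
    plan | awk '/^ip route/ {t[$NF]++} END {for (k in t) if (t[k] > 1) exit 1}'
}

if [ "${APPLY:-0}" = 1 ]; then
    plan_tables_unique || { echo "plan reuses a routing table, refusing" >&2; exit 1; }
    plan | while read -r cmd; do $cmd; done
else
    plan
fi
```

Without APPLY=1 the script only prints the ip(8) commands, so the plan can be reviewed before it is run as root; afterwards `ip rule show` and `ip route show table 100` show what was installed. The rules match only replies arriving on eth4 whose source has already been rewritten back to comp1 or comp2, so ordinary traffic from comp1 towards the server is unaffected. Because the routes name only a device, the firewall will ARP for every internet destination on that bridge, exactly as the dev-only "route add -net 0.0.0.0 ... dev br0" in the message does; if the upstream router does not answer those ARP requests, add "via <router address>" to the route.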