Tom,
you really can't imagine how happy I am, it worked at last and it works like
a charm!
Now I have a step by step documentation of how to set up a router based on
Debian Etch.
I think I'll be able to find a wiki where to publish it, for other noobs
like me.
For now it's in Danish; when translated, I'll post a link to it here, if it's
appropriate?
Some more comments follow among the lines below.
> >
> > So I understand I should use example 1 or 2 from the masq file
> >
> > eth0 eth1
> > eth0 eth2
> >
> > or
> >
> > eth0 192.168.101.0/24
> > eth0 192.168.102.0/24
> >
> > that in our setup should be interchangeable.
>
> With the proxy ARP that is going on, they are NOT interchangeable; that's
> what I pointed out in my b) note below.
> >
> > Probably I was fooled by the fact that so it was in the old file we
> > currently use (gibraltar based, shorewall 1.3.2, and who knows why it
> > works),
>
> It will work if you:
>
> 1) Change the ADDRESS to 84.63.114.115 (the address of eth0); or
I actually didn't understand this. Where do you get that address from
(84.63.114.115 )? Or is it a typo?
Our external address is 84.63.114.214, the gateway is 84.63.114.213,
broadcast is 80.63.114.215.
> 2) Add 84.63.114.214 as an address on eth0; or
Sorry, I don't understand when you say "add an address": do you mean in some
shorewall configuration file or in the box as basic configuration?
Being on Debian, we already have
iface eth0 inet static
address 80.63.114.214
network 80.63.114.212
broadcast 80.63.114.215
netmask 255.255.255.252
gateway 80.63.114.213
in /etc/network/interfaces
> c) Set ADD_SNAT_ALIASES=Yes in shorewall.conf so Shorewall will add the
> address for you.
>
>
> You need to use the private network address in the SUBNET column rather
> than the interface name.
So being in doubt about the first 2 options I followed the third one
setting:
ADD_SNAT_ALIASES=Yes
in /etc/shorewall/shorewall.conf
and the settings below in /etc/shorewall/masq :
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 192.168.101.0/24 80.63.114.214
eth0 192.168.102.0/24 80.63.114.214
Adding ADD_SNAT_ALIASES=Yes and using the network address instead of the
interface was enough to make it work for me - without the external IP
address under the ADDRESS column (I'm almost sure).
However, I left that address in place in case it was needed by the guy using
proxyarp (I'm still considering all this a kind of voodoo but I'm on the
mend). I'll surely hear something from him if it's not okay ;)
Thank you so much again for having taken the time to look at the dump, and
for providing such a great tool.
/Paolo
> -Tom
>
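
Added example, not part of the original message and not Shorewall's own code: a small Python check for the two masq points discussed in this thread for the proxy ARP setup, namely a SUBNET column that holds an interface name instead of the private network address, and an ADDRESS that is not configured on the outgoing interface while ADD_SNAT_ALIASES is off. The function names and the sample data (documentation-range addresses) are constructed for illustration; the interface address map is assumed to be supplied by the caller.

```python
import ipaddress

def parse_columns(text):
    """Split a Shorewall-style file into rows, dropping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def is_network(value):
    """True for an address or CIDR network, False for a name such as eth1."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def audit_masq(masq_text, iface_addrs, add_snat_aliases):
    """Return (row, message) findings; iface_addrs maps interface -> set of IPs."""
    findings = []
    for row, cols in enumerate(parse_columns(masq_text), 1):
        if len(cols) < 2:
            findings.append((row, "row needs INTERFACE and SUBNET columns"))
            continue
        iface, subnet = cols[0], cols[1]
        address = cols[2] if len(cols) > 2 and cols[2] != "-" else None
        # SUBNET may be a comma-separated list; every entry must be a network.
        if not all(is_network(s) for s in subnet.split(",")):
            findings.append((row, f"SUBNET '{subnet}' is an interface name; "
                                  "the thread advises the private network address"))
        if address and not add_snat_aliases \
                and address not in iface_addrs.get(iface, set()):
            findings.append((row, f"{address} is not configured on {iface}; "
                                  "add it or set ADD_SNAT_ALIASES=Yes"))
    return findings

# Constructed sample data (documentation address range, not the poster's).
MASQ_BY_INTERFACE = "#INTERFACE SUBNET ADDRESS\neth0 eth1\neth0 eth2\n"
MASQ_BY_NETWORK = ("#INTERFACE SUBNET ADDRESS\n"
                   "eth0 192.168.101.0/24 203.0.113.10\n"
                   "eth0 192.168.102.0/24 203.0.113.10\n")
ETH0_ADDRS = {"eth0": {"203.0.113.9"}}

if __name__ == "__main__":
    for name, text in (("by interface", MASQ_BY_INTERFACE), ("by network", MASQ_BY_NETWORK)):
        for row, msg in audit_masq(text, ETH0_ADDRS, add_snat_aliases=False):
            print(f"{name}, row {row}: {msg}")
```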