I see many problems in such a setup.

1.) You will need policy routing for sure.
2.) Normally providers assign one IP space to their customers, e.g. 1.1.1.0/29. If this is valid for your environment too, you cannot assign each single IP to a different layer-3 interface, since one subnet cannot be configured on different network interfaces, which means you have to apply /32 masks, and this does not sound like what you want.

What does "a lot of traffic" mean? For years NICs have been able to handle up to 1 Gbit/s of traffic. It would be hard to believe that you receive more than 200 Mbit/s per NIC; otherwise I have to suppose that the whole environment would look completely different. I recommend trying to reduce to one NIC per partner, but 1.) has to be applied anyway, otherwise locally generated traffic does not know which provider should be used, right? Shorewall and the kernel are for sure more powerful than the amount of traffic you will expect. So keeping things small and easy should be your goal, instead of using an environment which you will not like any more once the first configuration mistake occurs and has to be found.

I suggest you sit down for a few minutes and think about my words. Maybe there will be a day when you are glad that you've got them :-)

One last comment. You said your provider provides you with 5 static IPs. That's the regular usable range out of a /29 network (8 minus broadcast, minus ID, minus ISP's CPE), but I really do not believe that your ISP will provide 5 ports besides the 5 IPs. Even if it were true, I strongly recommend convincing your provider to change their mind. Such an environment will bring no luck to no one.

If I am wrong, I really misunderstood what you plan to do.

Cheers
Michael

-----Original Message-----
From: sangprabv [mailto:[email protected]]
Sent: Saturday, 22 May 2010 18:47
To: Shorewall Users
Subject: Re: [Shorewall-users] [ASK]How Many Interfaces Supported?

Hi,
Thanks again for the response. So the plan is my firewall will be connected to 3 different WANs.
eth0-eth4 will be connected to my ISP
eth5 will be connected to Partner A
eth6 will be connected to Partner B
eth7 will be connected to LAN
The reason I split into 5 ethernet cards for ISP A is because they give us 5 static IPs and the traffic will be very high on each IP. Partner A will be a host to host connection, and also Partner B.
And there will be many IPs and port forwards to servers behind the firewall via my ISP. I hope my explanation is OK. Thanks.

sangprabv
[email protected]

On May 22, 2010, at 11:26 PM, Michael Weickel - iQom Business Services GmbH wrote:

> If your kernel supports up to 8 ethernet cards, shorewall will do as well.
>
> Normally the internet is provided by one port to you by your internet
> service provider. Planning to use 7 NICs to be connected to the internet
> either means you have 7 internet connections or you plan something that is
> usually not planned and out of my scope of knowledge.
>
> Of course it would be possible to bond those 7 interfaces together but the
> sense would be not clear to me. But in that case you need 7 interfaces
> provided by your ISP anyway.
>
> So I suggest you explain your environment a bit more in detail so that guys
> from the list can help you out with your questions.
>
> Cheers
> Michael
>
> -----Original Message-----
> From: sangprabv [mailto:[email protected]]
> Sent: Saturday, 22 May 2010 18:20
> To: Shorewall Users
> Subject: Re: [Shorewall-users] [ASK]How Many Interfaces Supported?
>
> Hi Michael,
> I'm sorry, I don't understand your explanation. So is it applicable to
> set up Shorewall to work with 8 ethernet cards in a box, with this
> allocation:
> eth0-eth6 will be connected to WAN (internet)
> eth7 will be connected to LAN
> And Shorewall can manage all of those ethernet cards' traffic. Many thanks.
>
> sangprabv
> [email protected]
>
> On May 22, 2010, at 8:16 PM, Michael Weickel - iQom Business Services GmbH
> wrote:
>
>> If you mean one out of eth0-eth6 but not eth1 an WAN it's not a problem,
>> otherwise use bonding
>>
>> -----Original Message-----
>> From: sangprabv [mailto:[email protected]]
>> Sent: Saturday, 22 May 2010 15:04
>> To: Shorewall Users
>> Subject: [Shorewall-users] [ASK]How Many Interfaces Supported?
>>
>> Hi,
>> I have 8 ethernet cards installed. Is it possible to use eth0-eth6 as the
>> net interface for shorewall and eth1 as the lan network? Thanks.
>>
>> sangprabv
>> [email protected]
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
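
The addressing conflict raised in the top reply of this thread (one provider /29 spread over several layer-3 interfaces, and the /32 workaround) can be checked before any firewall configuration is written. The following is an added Python example, not part of the original e-mails; the partner and LAN subnets and the choice of 1.1.1.1 as the ISP's CPE are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed plan: the thread's example /29 with one address per ISP-facing NIC.
# Partner and LAN subnets are made up for illustration.
PLAN_PER_NIC = {
    "eth0": "1.1.1.2/29", "eth1": "1.1.1.3/29", "eth2": "1.1.1.4/29",
    "eth3": "1.1.1.5/29", "eth4": "1.1.1.6/29",
    "eth5": "10.10.5.2/30",    # Partner A
    "eth6": "10.10.6.2/30",    # Partner B
    "eth7": "192.168.1.1/24",  # LAN
}
# Same plan with the /32 workaround mentioned in the reply.
PLAN_SLASH32 = {**PLAN_PER_NIC,
                **{f"eth{i}": f"1.1.1.{i + 2}/32" for i in range(5)}}


def connected_subnet_conflicts(plan):
    """Map each connected network that appears on (or overlaps across)
    more than one interface to the sorted list of those interfaces."""
    ifaces = {name: ipaddress.ip_interface(cidr) for name, cidr in plan.items()}
    conflicts = defaultdict(set)
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            net_a, net_b = ifaces[a].network, ifaces[b].network
            if net_a.overlaps(net_b):
                wider = net_a if net_a.prefixlen <= net_b.prefixlen else net_b
                conflicts[str(wider)].update((a, b))
    return {net: sorted(members) for net, members in conflicts.items()}


def customer_addresses(network, isp_cpe):
    """Usable hosts of the block minus the ISP's CPE address
    (network ID and broadcast are already excluded by hosts())."""
    cpe = ipaddress.ip_address(isp_cpe)
    return [str(h) for h in ipaddress.ip_network(network).hosts() if h != cpe]


if __name__ == "__main__":
    print(customer_addresses("1.1.1.0/29", "1.1.1.1"))
    print(connected_subnet_conflicts(PLAN_PER_NIC))
    print(connected_subnet_conflicts(PLAN_SLASH32))
```

An empty result for the /32 plan only means the connected routes no longer collide; replies sourced from each address still need policy routing to leave through the right interface.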
