On 7/6/10 8:01 AM, Stephen Brown wrote:
> I am thinking about signing up for Comcast Business class internet with
> 5 public IP's.
>
> I run a shorewall box with two network cards, and no space to add any
> more. eth0 is currently pointing towards my existing DSL provider (with
> a single IP) and eth1 is NAT'ed and pointed towards my small home network.
>
> What would be the best practice to deal with this scenario? The first
> thoughts that come to mind is to setup virtual interfaces (eg. eth0:0,
> eth0:1, etc) and assign them to the net zone along with a respective IP
> from Comcast.
You need to read http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html. You do not define aliased interfaces to Shorewall.

> I'm waiting to hear back from Comcast on the brand and type of
> firewall/modem they will be installing, but they have said it is able to
> be bridged, I'd just like to know if I can deal with all 5 IP's with one
> interface on the Shorewall side...

I have Comcast Business class service. What you get is a 'Comcast Business Gateway' which is a router with built-in firewall, NAT, DHCP, etc. I did not get a manual for this thing and had a hell of a time finding one on the Comcast Business Class web site. By the time that I did find the PDF to download, I had already muddled through and arrived at the same solution that the manual recommends:

1. The default internal network is 10.1.10.0/24 with the gateway having address 10.1.10.1/24; I left it that way.
2. I modified the DHCP server configuration on the business gateway to not assign 10.1.10.2 - 10.1.10.19.
3. I configured my Shorewall box's external interface as 10.1.10.11/24.
4. On the business gateway, I added a static route to my /29 (70.90.191.120/29) via 10.1.10.11.
5. I configured the business gateway's firewall to not filter traffic to the /29 (there's a check-box for that, IIRC).
6. I run Linux-vserver on my Shorewall box so I configure the public IP addresses on the box's external interface (3 statically configured and two are dynamically configured when I start my vservers).
Here are my /etc/shorewall/interfaces stanzas:

    #
    # Comcast Business Class
    #
    auto eth1 eth1:1 eth1:2 eth1:3

    iface eth1 inet static
        address 70.90.191.121
        netmask 255.255.255.248
        network 70.90.191.120
        broadcast 70.90.191.127
        gateway 70.90.191.126

    iface eth1:1 inet static
        address 70.90.191.122
        netmask 255.255.255.248
        network 70.90.191.120
        broadcast 70.90.191.127

    iface eth1:2 inet static
        address 70.90.191.123
        netmask 255.255.255.248
        network 70.90.191.120
        broadcast 70.90.191.127

    iface eth1:3 inet static
        address 10.1.10.11
        netmask 255.255.255.0
        network 10.1.10.0
        broadcast 10.1.10.255

The business class gateway has public IP address 60.90.191.126 so that's what I configure as the Shorewall box's default gateway.

Here's the config up and running:

    gateway:~# ip -4 addr ls dev eth1
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
        inet 70.90.191.121/29 brd 70.90.191.127 scope global eth1
        inet 10.1.10.11/24 brd 10.1.10.255 scope global eth1:3
        inet 70.90.191.122/29 brd 70.90.191.127 scope global secondary eth1:1
        inet 70.90.191.123/29 brd 70.90.191.127 scope global secondary eth1:2
        inet 70.90.191.124/29 brd 70.90.191.127 scope global secondary eth1
        inet 70.90.191.125/29 brd 70.90.191.127 scope global secondary eth1
    gateway:~#

My Shorewall configuration just has:

/etc/shorewall/interfaces:

    net     COMCAST     detect     physical=eth1,...

/etc/shorewall/masq:

    #INTERFACE              SOURCE              ADDRESS         COMMENT
    # Masquerade Local Network
    COMCAST:10.1.10.0/24    0.0.0.0/0           10.1.10.11
    COMCAST                 !70.90.191.120/29   70.90.191.122
    gateway:~#

By leaving the DHCP server running on the Business Class Gateway, I can plug my wireless access point and work system into the gateway's built-in switch when I want to take the Shorewall box down for maintenance; that way, I can maintain internet access for work and for our in-home wireless network.

Hope this helps.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep.  Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
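The setup Tom describes hinges on three numbers agreeing with each other: the routed block (70.90.191.120/29), the provider gateway inside it, and the addresses you then add to the external interface. A mistyped gateway or an address outside the /29 is an easy way to lose the default route on the next reboot. The script below is an added example, not from the thread or from Shorewall; it is plain POSIX sh arithmetic that derives the netmask, broadcast and usable hosts of a block, checks that the gateway lies inside it, and prints (without applying) the `ip addr add` commands for the remaining addresses. The addresses are the ones quoted in the reply; the function names (`in_subnet`, `usable_hosts`, `addr_plan`) are my own.

```shell
#!/bin/sh
# Added example (not part of the original thread): sanity-check a routed /29
# plan before editing /etc/network/interfaces or the gateway's static route.
# Pure POSIX sh; function names are the author's own, addresses are the
# thread's.

# Convert a dotted quad to a 32-bit integer.
ip4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to a dotted quad.
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length (29 -> 255.255.255.248).
netmask_of() {
    int_to_ip4 $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# Broadcast address of NET/PREFIX (70.90.191.120/29 -> 70.90.191.127).
broadcast_of() {
    base=$(ip4_to_int "${1%/*}"); plen=${1#*/}
    int_to_ip4 $(( base + (1 << (32 - plen)) - 1 ))
}

# Exit 0 if ADDR lies inside NET/PREFIX, non-zero otherwise.
in_subnet() {
    net=$(ip4_to_int "${2%/*}"); plen=${2#*/}
    mask=$(( (0xffffffff << (32 - plen)) & 0xffffffff ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( net & mask )) ]
}

# Print the usable host addresses of NET/PREFIX, one per line
# (the network and broadcast addresses are skipped).
usable_hosts() {
    base=$(ip4_to_int "${1%/*}")
    last=$(( (1 << (32 - ${1#*/})) - 2 ))
    i=1
    while [ "$i" -le "$last" ]; do
        int_to_ip4 $(( base + i ))
        i=$(( i + 1 ))
    done
}

# Emit "ip addr add" commands for every usable address in NET/PREFIX except
# the provider gateway, after checking that the gateway really is inside the
# block. Nothing is applied; the output is a plan to review before use.
addr_plan() {
    block=$1; gw=$2; dev=${3:-eth1}
    if ! in_subnet "$gw" "$block"; then
        echo "error: gateway $gw is not inside $block" >&2
        return 1
    fi
    plen=${block#*/}
    bcast=$(broadcast_of "$block")
    for h in $(usable_hosts "$block"); do
        if [ "$h" = "$gw" ]; then continue; fi
        echo "ip addr add $h/$plen brd $bcast dev $dev"
    done
    echo "ip route replace default via $gw dev $dev"
}

# Run with the thread's numbers:
# addr_plan 70.90.191.120/29 70.90.191.126 eth1
```

Running `addr_plan 70.90.191.120/29 70.90.191.126 eth1` prints five `ip addr add` lines (.121 through .125) plus the default route; passing a gateway from the wrong block, say 10.1.10.1, fails before anything is printed. Because the script only prints commands, you can diff its output against `ip -4 addr ls dev eth1` on the running box to spot an address that was never configured or one that drifted outside the /29.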
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
