I'm in the early stages of replacing a Linux-based router and VPN server and I'm hoping to get some suggestions on the best way to implement it using Shorewall. I've used Shorewall before on a half dozen routers and I can work my way through the man pages and howtos. I just don't wish to start off with the wrong strategy.
The router has two Ethernet interfaces: eth0 connected to the Internet and eth1 connected to a tagged VLAN fiber backbone.

Zones:

- corporate - VLAN2 and VLAN3 - two subnets to different buildings with routing between them. The default gateway for the corporate WAN is a router on VLAN2.
- industrial - VLAN4 and VLAN5 - two subnets to different buildings with routing between them.
- internet - PopTop pptpd server on the router so that outside systems (limited by an extensive ACL) can connect to the industrial zone. Also an ssh server protected by the same ACL.

No communication between the corporate and industrial zones is required, but it might be nice to be able to reach the time server on the DC on VLAN2 from the industrial zone. I think I could do that with DNAT. A DHCP relay runs on the router to relay DHCP requests from VLAN3 to the DC on VLAN2.

The system that we are replacing used to be the main NAT router to the Internet for the corporate side. As such it has its default gateway on the Internet and a large routing table to direct anything on the corporate side out via the WAN router. This is a pain to maintain. I'd rather have the WAN router be the default.

I guess the question is: how do I have any incoming connections (pptpd and ssh) on the Internet interface route back out to the gateway on the Internet side? It's like a dual-homed router (which I have done before) but I don't want to load balance. I just want any incoming connections from the internet zone to the firewall to use the gateway on the Internet. It would also be good if any IP request originating from the router to any IP address outside of the directly connected networks, or not explicitly defined in the routing table, used the Internet GW as its default.

Another way of putting the problem: I need any routing requests for the default GW from systems on the corporate zone to use one target, and any requests for the default GW originating on the firewall itself to use a different target.

Thanks in advance for your help.
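One way to get the split described above (forwarded traffic from the VLANs defaults to the WAN router, the firewall's own traffic, including pptpd and ssh replies, defaults to the Internet gateway) with plain iproute2 policy routing. This is an added example, not code from the original post or from Shorewall; the Internet gateway address, the table number and the rule priority are placeholders. It relies on the ip-rule(8) behaviour that `iif lo` matches only packets originating from this host.

```shell
#!/bin/sh
# Added example: separate routing tables for forwarded and locally generated traffic.
# Placeholders (assumed, not from the original post):
INET_IF=eth0
INET_GW=203.0.113.1   # Internet-side gateway on eth0 (RFC 5737 documentation address)
INET_TABLE=100        # private table used only by the firewall's own packets
RULE_PRIO=1000        # must sort before the "main" rule (priority 32766)

# Read `ip route show table main` on stdin and emit commands that rebuild it in
# $INET_TABLE, dropping every default route (that default is the WAN router).
# The copy keeps connected routes and explicit corporate routes, so the router's
# own packets to those networks still go the normal way.
copy_main_without_default() {
    while read -r line; do
        case "$line" in
            default*|'') continue ;;
            *) printf 'ip route replace %s table %s\n' "$line" "$INET_TABLE" ;;
        esac
    done
}

# Give the copy its own default via the Internet gateway and send only locally
# generated packets (iif lo) through it. Packets forwarded from eth1.* never
# match iif lo, so they keep using main and its WAN-router default.
inet_side_commands() {
    printf 'ip route replace default via %s dev %s table %s\n' \
        "$INET_GW" "$INET_IF" "$INET_TABLE"
    printf 'ip rule add iif lo lookup %s priority %s\n' "$INET_TABLE" "$RULE_PRIO"
}

# Full command list. Review it first:  ip route show table main | build_commands
build_commands() {
    copy_main_without_default
    inet_side_commands
}

# Run with the argument "apply" to execute the commands on the live system.
if [ "${1:-}" = apply ]; then
    ip route show table main | build_commands | sh -e
fi
```

The copied table must be refreshed whenever main changes (for instance when pptpd brings ppp interfaces up and down); Shorewall's providers file maintains the same kind of copied table through its DUPLICATE column, so once the rules are understood they can be expressed there instead.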
