On 02/01/2013 09:12 AM, Ville Walveranta wrote:
> I'm setting up Shorewall (4.4.26.1), and have been trying to figure out
> routing between two LAN segments now for a few days.  It's time to ask
> for help.
> 
> I have three NICs: WAN (Internet), LAN1 (primary LAN), and LAN2 (link to
> a "legacy" LAN).  WAN-to-LAN is working inbound through NAT, and
> outbound through DNAT (set in masq).  LAN2 should not (and currently
> does not) have access to the Internet through this Shorewall instance
> (it has its own route to the Internet), and it should not be able to
> access LAN1, but it should be accessible from LAN1.
> 
> I'm currently able to get to LAN2 from the Shorewall server, but not
> from the other servers in LAN1 (which is the problem).  The necessary
> rules are in place, but apparently routing isn't working. If I disable
> the firewall access rules, I get immediate "connection refused" when
> attempting to connect to a server in LAN2 from a server in LAN1.  When
> firewall access rules are enabled, SSH simply hangs and traceroute
> doesn't go beyond the firewall. LAN1 (primary) is in the 172.0.0.0
> address space and LAN2 (legacy) is in the 10.0.0.0 address space.
> 
> I currently have:
> 
> $LAN2_IF        10.0.0.0/24
> 
> .. in masq, but that's not working ($LAN2_IF resolves to eth2 which is
> the LAN2 interface).
> 
> My question is: What is the simplest Shorewall configuration to forward
> traffic between two differently addressed LAN segments that are
> connected to separate NICs?  A pointer to documentation or other
> reference would help, a bare-bones config example would be even better. 
> I've been sifting through the Shorewall documentation on routing, but
> haven't yet found a matching description (for instance, I would rather
> not have to bridge the LAN1 and LAN2 interfaces if it can be avoided
> since they need to remain separated: LAN2 should not have access either
> to the Internet or LAN1).
> 
> This is my first Shorewall setup, so the solution may be really
> obvious.  Thanks for any advice!

Please forward the output of 'shorewall dump' collected as described at
http://www.shorewall.net/support.htm#guidelines.

Thanks,
-Tom

PS -- Except when you are using Shorewall's Multi-ISP feature or Proxy
ARP, Shorewall is uninvolved in routing.

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

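A bare-bones Shorewall 4.4 configuration for the policy the question describes (LAN1 may reach LAN2 and the Internet; LAN2 may reach neither LAN1 nor the Internet through this box), added here as an illustration and not taken from the thread or from the Shorewall project. Only eth2 as the LAN2 interface comes from the post; the eth0/eth1 names are assumed. The masq entry for $LAN2_IF is deliberately absent: masq performs source NAT and creates no route.

```text
# /etc/shorewall/params
# Interface names: only eth2 comes from the post, eth0/eth1 are assumed.
WAN_IF=eth0
LAN1_IF=eth1
LAN2_IF=eth2

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
lan1    ipv4
lan2    ipv4

# /etc/shorewall/interfaces
# No routefilter on the LAN2 interface: LAN2 has its own Internet path,
# so strict reverse-path checks there would discard legitimate traffic.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     $WAN_IF     detect      tcpflags,nosmurfs,routefilter,logmartians
lan1    $LAN1_IF    detect      tcpflags,nosmurfs
lan2    $LAN2_IF    detect      tcpflags,nosmurfs

# /etc/shorewall/policy
# First match wins. lan1->lan2 is the only permitted LAN-to-LAN direction;
# replies for accepted connections are allowed by connection tracking,
# so no lan2->lan1 entry is needed. LAN2 gets nothing else: not LAN1,
# not the Internet, not the firewall itself.
#SOURCE  DEST   POLICY  LOG LEVEL
$FW      all    ACCEPT
lan1     net    ACCEPT
lan1     lan2   ACCEPT
lan2     all    DROP    info
net      all    DROP    info
all      all    REJECT  info

# /etc/shorewall/masq
# SNAT only for LAN1 traffic leaving on the WAN side; nothing for LAN2.
#INTERFACE   SOURCE
$WAN_IF      $LAN1_IF

# /etc/shorewall/rules
# Optional least-privilege variant: change the lan1->lan2 policy above
# to REJECT and open only the services LAN1 actually needs, e.g. SSH.
#ACTION       SOURCE   DEST
SSH(ACCEPT)   lan1     lan2
```

Since Shorewall itself does not route, the kernel still needs forwarding enabled (IP_FORWARDING=On in shorewall.conf) and a route to each subnet over the correct interface, and hosts in LAN2 need a route back to the LAN1 prefix via this firewall's eth2 address, otherwise their replies leave through their own Internet gateway.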

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users