On 04/21/2013 11:26 AM, Tom Jensen wrote:
> ...
> I realize this really isn't Shorewall specific since each VLAN interface
> would be entered as a zone and rules configured appropriately.  But I
> would appreciate some validation with my planned approach.
>
> Has anyone done something similar?  Is my thinking with VLANs correct?
>   I don't have much experience with VLANs yet.  Is there documentation
> using Shorewall in a similar setup?

Hi Tom,

I do something very similar with my main client at present.  In fact, 
we're working on putting everything in VLANs (not just internal stuff) 
and running the server with bonded interfaces, so that the staff at our 
remote offices don't have to care which server NIC is which.  They can 
just plug into any (or all) of the interfaces and it will work.

I typically set up something like this:

- VLAN 1: management - contains switch, wifi AP, and sometimes ESXi 
server management IPs

- VLAN 10: staff - PCs, printers, staff laptops via wifi, sometimes file 
servers

- VLAN 20: public - PCs, sometimes printers, guest wifi devices

- VLAN 30: ADSL modem - PPPoE runs on this interface.

In the bonded scenario I described, we would put all of the ethX 
interfaces into bond0 (in ALB or TLB mode, so that there's no need for 
LACP on the switch), then use the bond0.VLAN interfaces as the Shorewall 
zones (except the management VLAN, which is just bond0, and ppp0, which 
will be your DSL interface for the net zone).

To do this, you need to make sure the server NICs are plugged into trunk 
ports on the Cisco switch.  Switch setup for the above would be 
something like this:

vlan 1
        name mgt
vlan 10
        name staff
vlan 20
        name public
vlan 30
        name adsl
interface GigabitEthernet1/0/1
        ! encapsulation must be set before "mode trunk" on ISL-capable IOS switches
        switchport trunk encapsulation dot1q
        switchport mode trunk
        switchport trunk native vlan 1
        ! the native VLAN has to be in the allowed list, or untagged mgt traffic is pruned
        switchport trunk allowed vlan 1,10,20,30
interface GigabitEthernet1/0/2
        switchport trunk encapsulation dot1q
        switchport mode trunk
        switchport trunk native vlan 1
        switchport trunk allowed vlan 1,10,20,30
... (repeat for as many server NICs as you want)

Regards,
Paul
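
The Linux side of the layout Paul describes, as an added example that is not part of his mail: eth0/eth1 are assumed to be the trunked NICs, VLAN 1 rides untagged on bond0 as the mgt zone, bond0.10/bond0.20 become the loc/pub zones, bond0.30 only carries PPPoE (so ppp0, not bond0.30, is the net interface), and the Shorewall files use the four-column interfaces format with a BROADCAST column.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed NIC and zone names.
set -eu

VLANS="10:loc 20:pub 30:-"   # id:zone; "-" = PPPoE carrier, no Shorewall zone
NICS="eth0 eth1"

# Print the ip(8) commands that build bond0 (balance-alb, so the switch needs
# no LACP) plus one 802.1Q sub-interface per VLAN. Printed rather than run so
# they can be reviewed; pipe into sh as root to apply.
bond_setup_cmds() {
    echo "ip link add bond0 type bond mode balance-alb miimon 100"
    for nic in $NICS; do
        echo "ip link set $nic master bond0"
    done
    echo "ip link set bond0 up"
    for v in $VLANS; do
        id=${v%%:*}
        echo "ip link add link bond0 name bond0.$id type vlan id $id"
        echo "ip link set bond0.$id up"
    done
}

# Write zones/interfaces/policy into $1 (default /etc/shorewall).
write_shorewall_conf() {
    dir=${1:-/etc/shorewall}
    mkdir -p "$dir"
    { printf '#ZONE\tTYPE\nfw\tfirewall\nnet\tipv4\nmgt\tipv4\n'
      for v in $VLANS; do
          zone=${v#*:}
          [ "$zone" = "-" ] || printf '%s\tipv4\n' "$zone"
      done; } > "$dir/zones"
    { printf '#ZONE\tINTERFACE\tBROADCAST\tOPTIONS\n'
      printf 'net\tppp0\t-\ttcpflags,nosmurfs\n'
      printf 'mgt\tbond0\tdetect\ttcpflags\n'   # untagged = native VLAN 1
      for v in $VLANS; do
          zone=${v#*:}
          [ "$zone" = "-" ] || printf '%s\tbond0.%s\tdetect\ttcpflags\n' "$zone" "${v%%:*}"
      done; } > "$dir/interfaces"
    # First match wins: mgt reaches everything, staff and public reach only
    # the net, and nothing else crosses between VLANs.
    cat > "$dir/policy" <<'EOF'
#SOURCE	DEST	POLICY	LOG
fw	net	ACCEPT
mgt	all	ACCEPT
loc	net	ACCEPT
pub	net	ACCEPT
net	all	DROP	info
all	all	REJECT	info
EOF
}
```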

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users