On 04/21/2013 4:46 am, Chris Boot wrote:
> On 21/04/2013 02:26, Tom Jensen wrote:
>
>> I have been a long time Shorewall user. My company has grown and it
>> was time to decommission many of the old servers and network devices.
>> I was contemplating ditching Shorewall in my new network
>> configuration. I originally bought a new Cisco all-in-one
>> VPN/Firewall/Wireless AP product in order to consolidate many existing
>> devices. I soon learned how undesirable that device was. The Internet
>> forums are filled with user complaints and documented bugs with no
>> workarounds. So this brand new device is being repurposed as a
>> paperweight and I am turning back to my trusty Shorewall. My old
>> Shorewall installation was actually a virtualized machine with three
>> interfaces. I actually had the Shorewall firewall in the DMZ of my
>> ISP's DSL modem. My initial plan for the new Shorewall installation
>> was to have four interfaces: eth0 would be the WAN interface. I have
>> since configured the DSL modem as a transparent bridge. My new
>> firewall box is handling the authentication with my DSL provider via
>> the pppoeconf package. This configuration was set up outside of
>> Shorewall. Eventually it will be assigned as a zone in Shorewall. eth1
>> is planned to serve the network management devices (e.g. switches,
>> routers, etc.) on the network. I had planned to use the
>> 192.168.110.0/24 subnet for these devices. eth2 is planned to serve
>> the local client devices on the network. I had planned to use the
>> 192.168.130.0/24 subnet for these devices. eth3 is planned to serve as
>> the DMZ with publicly available servers on the network. I had planned
>> to use the 192.168.120.0/24 subnet for these devices. Currently, the
>> new Shorewall machine has four physical NICs installed. I am beginning
>> to think I can get away with just two NICs. I also recently purchased
>> a really good Cisco managed switch and planned to implement VLANs
>> within the network. I am thinking that if I have two physical NICs
>> within the Shorewall machine, I can use eth0 as the WAN interface as
>> already configured, but assign various VLAN interfaces using the raw
>> eth1 interface. I realize this really isn't Shorewall specific since
>> each VLAN interface would be entered as a zone and rules configured
>> appropriately. But I would appreciate some validation with my planned
>> approach. Has anyone done something similar? Is my thinking with VLANs
>> correct? I don't have much experience with VLANs yet. Is there
>> documentation using Shorewall in a similar setup?
>
> Hi Tom,
>
> I have done similar, including occasionally building firewalls/routers
> with only a single physical interface but many VLANs. The setup works
> great. If you have VLAN-aware managed switches then using VLANs
> definitely cuts down on the mess of cables and switches in your wiring
> closet / server room. As long as you are religious about keeping the
> VLANs apart (e.g. don't bridge them somehow, by mistake or otherwise)
> the setup will be just as secure as not using VLANs at all.
>
> My current Shorewall box is a re-purposed Watchguard Firebox running
> Debian, although I'm only using 3 interfaces: one for PPPoE, one for the
> VLAN trunk to my switch, and another for my AP (long story).
>
> HTH,
> Chris
>
> --
> Chris Boot
> [email protected]
>

Thanks to everyone who has responded. The responses confirmed that I was
headed in the right direction. Implementation has been a bit of a
challenge. Below is an excerpt from my /etc/network/interfaces file. I
think I mentioned it before, but this is also my first attempt with a
Debian box operating as the PPPoE client. That part seems to be working
well, but feel free to recommend any suggested improvements or changes.

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The onboard network interface
    auto eth0
    iface eth0 inet dhcp

    # The WAN interface
    auto dsl-provider
    iface dsl-provider inet ppp
        pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
        provider dsl-provider

    # Default VLAN interface?
    auto eth1
    iface eth1 inet static
        address 192.168.120.1
        netmask 255.255.255.0

    # The Management VLAN interface
    auto eth1.110
    iface eth1.110 inet static
        address 192.168.110.1
        netmask 255.255.255.0

I've read contradictory reports about the correct syntax for creating
VLANs within the interfaces file. Some posts suggest adding the
"vlan_raw_device eth1" syntax to the interface stanza. Other posts state
that is the "old" way of defining VLANs.

Another complicating factor in my setup is the Cisco switch. It is a
Small Business edition switch with excellent owner reviews. It is
capable of running in L2 or L3 mode. I currently have it configured in
L2 mode and have eth1 plugged into a port configured as a trunk port.
However, on the CLI of the switch, the option to configure the
switchport mode to 802.1q is not available as a valid command.

With the interfaces file defined as above and eth1.110 called out as an
interface within Shorewall with appropriate rules, I cannot ping or
reach any services on VLAN 110. If I simply revert the interfaces file
back to using interface eth1, everything works through Shorewall. So I
believe the issue is my incorrect implementation of VLANs.

Any help is appreciated.
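
The single-trunk layout discussed in this thread, as an added example that
is not from either poster: one raw NIC left address-less as the 802.1Q
trunk parent, one tagged sub-interface per VLAN named after the parent,
the matching Shorewall zones/interfaces/policy entries, and a small lint
that catches an address on the trunk parent. The VLAN ids and subnets are
taken from Tom's plan; eth1 as the trunk, ppp0 as the PPPoE interface, the
Shorewall 4 three-column file formats, the script name vlan-trunk.sh and
the Cisco Small Business trunk commands are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from this thread: one trunk NIC (eth1) carrying
# three 802.1Q VLANs, with the ifupdown stanzas, the matching Shorewall 4
# three-column files, and a lint for the trunk parent.  VLAN ids, subnets,
# "ppp0" as the PPPoE interface and the Cisco Small Business trunk commands
# are assumptions for illustration.
set -eu

# Tagged sub-interface.  Naming it PARENT.ID lets the vlan package's
# if-pre-up hook derive both the parent and the VLAN id, so no
# "vlan_raw_device" line is needed; that keyword is for names such as
# vlan110 that do not encode the parent.
vlan_stanza() {   # vlan_stanza PARENT ID ADDRESS
    printf 'auto %s.%s\niface %s.%s inet static\n    address %s\n    netmask 255.255.255.0\n\n' \
        "$1" "$2" "$1" "$2" "$3"
}

# Trunk parent with no address.  On an 802.1Q trunk only the native VLAN
# arrives untagged; an address on the raw interface would make the
# firewall route that untagged traffic alongside the tagged VLANs.
trunk_stanza() {  # trunk_stanza PARENT
    printf 'auto %s\niface %s inet manual\n\n' "$1" "$1"
}

# /etc/network/interfaces fragment for the trunk side.
interfaces_file() {
    trunk_stanza eth1
    vlan_stanza eth1 110 192.168.110.1   # management
    vlan_stanza eth1 120 192.168.120.1   # DMZ
    vlan_stanza eth1 130 192.168.130.1   # clients
}

# /etc/shorewall/zones (ZONE TYPE).
shorewall_zones() {
    printf '%s\n' 'fw   firewall' 'net  ipv4' 'mgmt ipv4' 'dmz  ipv4' 'loc  ipv4'
}

# /etc/shorewall/interfaces (ZONE INTERFACE BROADCAST OPTIONS): each VLAN
# sub-interface is its own zone, exactly as a physical NIC would be.
shorewall_interfaces() {
    printf '%s\n' \
        'net  ppp0      -      tcpflags,nosmurfs' \
        'mgmt eth1.110  detect tcpflags,nosmurfs' \
        'dmz  eth1.120  detect tcpflags,nosmurfs' \
        'loc  eth1.130  detect tcpflags,nosmurfs'
}

# /etc/shorewall/policy (SOURCE DEST POLICY LOG_LEVEL).  Nothing crosses
# between VLANs unless a rule in /etc/shorewall/rules allows it, which is
# what keeps the VLANs apart on the firewall side.
shorewall_policy() {
    printf '%s\n' \
        'loc  net  ACCEPT' \
        'dmz  net  ACCEPT' \
        'mgmt net  ACCEPT' \
        '$FW  all  ACCEPT' \
        'net  all  DROP    info' \
        'all  all  REJECT  info'
}

# Switch side (assumed Cisco Small Business syntax; check your model's
# CLI guide): a trunk port carries tagged frames for the listed VLANs.
switch_trunk_config() {   # switch_trunk_config PORT VLANLIST
    printf 'interface %s\n switchport mode trunk\n switchport trunk allowed vlan add %s\n' "$1" "$2"
}

# Lint an interfaces file on stdin: every parent of a PARENT.ID interface
# must be declared "inet manual".  Exit status 0 when clean.
lint_interfaces() {
    awk '
        $1 == "iface" {
            method[$2] = $4
            dot = index($2, ".")
            if (dot) child[substr($2, 1, dot - 1)] = $2
        }
        END {
            bad = 0
            for (p in child)
                if ((p in method) && method[p] != "manual") {
                    printf "trunk parent %s is \"inet %s\" but carries %s; expected manual\n", p, method[p], child[p]
                    bad = 1
                }
            exit bad
        }'
}

# Stand-alone run: print the generated files and lint them.
if [ "${1:-}" = "show" ]; then
    interfaces_file; shorewall_zones; shorewall_interfaces; shorewall_policy
    switch_trunk_config gi1 110,120,130
    interfaces_file | lint_interfaces && echo "interfaces: ok"
fi
```

Run it as `sh vlan-trunk.sh show` to print the generated files and lint
them. On the firewall itself, once eth1.110 is up, `ip -d link show
eth1.110` should report `vlan protocol 802.1Q id 110`, and
/proc/net/vlan/config lists every sub-interface with its id and parent;
if neither shows the interface, the VLAN hook did not run and the
8021q module or the vlan package is missing. Because the trunk parent is
`inet manual`, nothing answers on the untagged (native) VLAN, and with
the REJECT default in policy the VLANs only reach each other through
explicit rules.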
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users