I have been using for a long time a "classical" two-interfaces setup, with the net
interface connected to an ADSL modem in half-bridge mode, which receives a
public IP from the ISP and gives it to the Linux net interface; the lan
interface has the 192.168.30.0/24 class.
Now I need to change this setup, because my new ISP (which will switch soon to
an FTTS VDSL2 connection) sent me a VDSL2 WiFi router, and I need to replace
the old configuration to be ready for the switch to VDSL2. The router LAN and
WiFi interfaces have the 192.168.1.0/24 class, and the router can be
configured to forward all connections from Internet to the public IP to a host
in the LAN ("DMZ" function). Since I want to use the WiFi function for clients
in the lan, I am forced to use a sort of "one interface routing", connecting
the router to the lan interface on the firewall and having the two IP classes
on the same wire.
I read the documentation on the pages "Shorewall and Aliased Interfaces" and
"Routing on One Interface", and I tried to follow the indications, but with no
success. Specifically, I have eth0 with IP 192.168.30.1 (lan) and eth0:0 with
IP 192.168.1.1 (net) configured to use 192.168.1.254 as the default gateway
(the IP of the router). The lan clients use the lan address of the firewall
192.168.30.1 as their default gateway, and the firewall should masquerade.
I did not change the policy and rules files; I modified interfaces and masq
and added a hosts file. These are the relevant lines:
interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
- eth0 -
hosts:
#ZONE HOST(S) OPTIONS
net eth0:192.168.1.0/24
loc eth0:192.168.30.0/24
masq:
#INTERFACE SOURCE ADDRESS ...
eth0:0 192.168.30.0/24
When shorewall is not started, or after a shorewall clear, the firewall
connects to the Internet and local clients connect to the firewall, but
obviously the clients do not connect to the Internet because masquerading is
not active on the firewall.
When shorewall is started, the firewall stops connecting to the Internet, with a
fast-scrolling series of messages like this:
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
when I ping any public IP.
I tried to understand the problem, and I narrowed it down to the combination
of the interfaces and hosts files: if I comment out the two lines in the hosts
file and assign eth0 in the interfaces file to the net zone, as in a
"normal" one-interface setup, it also works with shorewall started, but
obviously the local clients do not connect to the Internet because the
masquerading is not correctly configured.
I tried to understand my mistake(s), but with no success. Any advice would be
welcome.
Thanks
Elio
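Added example (not part of Elio's mail and not Shorewall's own code): two small POSIX sh checks over the kernel state that decides whether a one-interface setup like the one above can forward traffic, namely whether the nat table actually contains a MASQUERADE rule for the lan subnet leaving via eth0, and which gateway the default route points at. The functions take the text of `iptables-save -t nat` and `ip route show` as arguments, so on the firewall you would feed them the live output; here the two sample texts are constructed to mirror the addresses in the mail and are not captured from the real machine.

```shell
#!/bin/sh
# Added example, not from the original mail or from Shorewall.
# Offline sanity checks: does the saved nat table masquerade the lan subnet
# out of the given interface, and where does the default route go?

# Constructed sample of `iptables-save -t nat` output (not a real capture).
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.30.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample of `ip route show` output for the one-wire setup.
SAMPLE_ROUTES='default via 192.168.1.254 dev eth0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.30.0/24 dev eth0  proto kernel  scope link  src 192.168.30.1'

# has_masq NAT_TEXT SUBNET IFACE
# Exit status 0 when a POSTROUTING rule masquerades SUBNET out of IFACE,
# 1 otherwise. Extra match modules between the options are tolerated.
has_masq() {
    nat_text=$1; subnet=$2; iface=$3
    while IFS= read -r line; do
        case $line in
            "-A POSTROUTING "*"-s $subnet "*"-o $iface "*"-j MASQUERADE"*) return 0 ;;
        esac
    done <<EOF
$nat_text
EOF
    return 1
}

# default_gw ROUTE_TEXT
# Prints the next hop of the default route; exit status 1 if there is none.
default_gw() {
    routes=$1
    while IFS= read -r line; do
        case $line in
            "default via "*)
                set -- $line          # $1=default $2=via $3=<gateway>
                printf '%s\n' "$3"
                return 0 ;;
        esac
    done <<EOF
$routes
EOF
    return 1
}

# Demo when run directly: report on the constructed samples.
if has_masq "$SAMPLE_NAT" 192.168.30.0/24 eth0; then
    echo "masquerade rule for 192.168.30.0/24 via eth0: present"
else
    echo "masquerade rule for 192.168.30.0/24 via eth0: MISSING"
fi
echo "default gateway: $(default_gw "$SAMPLE_ROUTES" || echo none)"
```

On the firewall itself the same checks run against live state, for example `has_masq "$(iptables-save -t nat)" 192.168.30.0/24 eth0`; if the rule is missing after `shorewall start`, the masq entry was not compiled into the nat table, and if the default gateway is not the router address, packets never reach the router regardless of the firewall rules.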
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users