Great Johnny,

I did it and it works, thanks for your help, I really appreciate your patience.

Have a wonderful week

tere.mondragon

On 16/09/13 13:45, johnny bowen wrote:
Hey Maria, you're not going to be able to get two networks isolated from each other if you're using the same physical interface and using one switch. If you're trying to have a setup of security and control this is what I would do:

Interfaces:
net      eth0    detect  dhcp,tcpflags,logmartians,nosmurfs    (use dhcp if needed on WAN)
lan      eth1    detect  dhcp,tcpflags,logmartians,nosmurfs
guest    eth2    detect  dhcp,tcpflags,logmartians,nosmurfs

Zones:
fw       firewall
net      ipv4
lan      ipv4
guest    ipv4


Masq:
eth0     192.168.4.0/24,192.168.6.0/24



This is a basic setup that will get you isolated networks


On Fri, Sep 13, 2013 at 9:21 AM, María Teresa Mondragón Reye <[email protected]> wrote:

    On 12/09/13 19:02, johnny bowen wrote:
    First I need to gather a little information.

    Johnny,

    I'm grateful..
    It sounds like you have two subnets connected to the same switch
    which are then connected to one ethernet port that has an alias
    on it.
    Yes, I have a three-interface Shorewall.

    1. ifconfig
    br0            link ..... xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx
    is a public IP)

    eth0          link    ....

    eth1          192.168.4.254

    eth1:0        192.168.6.254

    eth2       link

    You are right, there are two subnets linked to eth1.
    --------------------------------
    SHOREWALL

    2. interfaces file:
    pub       br0        detect logmartians,routerfilter,bridge
    net        br0:eth0
    dmz      br0:eth2
    -            eth1    detect    dhcp (as you suggested)
    -----------------------
    3. zones file:
    fw            firewall
    pub          ipv4
    net:pub    bport4
    dmz:pub   bport4
    loc            ipv4
    guest        ipv4
    --------------------------
    4. bridge file:
    BRIDGE_INGERFACE=br0
    INTERFACES="eth0  eth2"
    -------------------------
    5. hosts file:
    loc            eth1:192.168.4.0/24
    guest        eth1:192.168.6.0/24
    ------------------------------
    6. masq file:
    ...
    eth1:0 192.168.6.0/24
    eth1 192.168.4.0/24
    #Last line
    br0 192.168.6.0/24 xxx.xxx.xxx.xxx
    br0 192.168.4.0/24 xxx.xxx.xxx.xxx
    ------------------------------------
    Why are you using two subnets?
    The number of subnets is because one segment is going to be used
    by local users (employees, ...).

    The other one is to provide just internet access to guests,
    mobile devices, occasional users, etc., etc... and isolate the
    connections. These IPs would only have an internet connection and nothing more.

    I would separate IPs and subnets to have a little more security
    and control.


    If you need dhcp on both subnets when a client connects to
    network it will make a broadcast dhcp query to get an ip address.
    So any dhcp server listening on either 192.168.4.0/24
    or 192.168.6.0/24 will respond.
    Oops!!! Then there is no way to control which one, 4.xxx or 6.xxx,
    the new device will get when it connects to the network???


    There will be a race condition. The first reply received is the
    one that computer will use.

    It's hard to understand exactly what you're trying to accomplish,
    but I get the feeling that you want to have a network with mixed
    static ips and dynamic ips.

    Yes, only the 192.168.4.0/24 subnet has a mix of dynamic and
    static. I have a dnsmasq-host.conf file which contains MAC addresses
    and IP numbers to assign static IPs ... and the dnsmasq.conf file is
    configured to leave a segment (192.168.4.200 -- 192.168.4.220) as
    dynamic IPs.

    In the same dnsmasq.conf file I put all of 192.168.6.0/24 as
    dynamic IPs.

    For that you could use one single net: 192.168.6.0/24,
    then just configure your dhcpd server to
    only select dynamic ips from a pool like: 192.168.6.50-192.168.6.254

    OK, I understand what you mean. The reason is, my boss asked me
    for this configuration... a mix of static and dynamic IPs for one
    subnet and the other one only dynamic IPs...




    If you want to keep your current setup you can force the dhcp
    server to only listen on a specific interface.



    And what if I need it listening on both???



    I really appreciate your help, thanks a lot.




    _______________________________________________
    Shorewall-users mailing list
    [email protected]
    https://lists.sourceforge.net/lists/listinfo/shorewall-users





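The three-zone layout Johnny suggests (fw, net, lan, guest, one physical interface per zone) only isolates the guest network if the Shorewall `policy` file blocks traffic between guest and lan; the thread shows interfaces, zones and masq but not the policy lines. The checker below is an added example, not code from the thread or from the Shorewall project: it parses a `policy` file the way Shorewall evaluates it (top to bottom, first matching line wins, `all` matches any zone, `$FW` is the firewall itself) and reports whether guest and lan are actually separated. Both policy texts are constructed for the example; which lines a real deployment needs is an assumption.

```python
# Added example (not from the thread): verify that a Shorewall `policy`
# file isolates the guest zone from the lan zone in the fw/net/lan/guest
# layout discussed above. Shorewall reads policy lines in file order and
# applies the first one whose SOURCE and DEST match; `all` is a wildcard
# and `$FW` names the firewall zone. Policy texts below are constructed.

SAMPLE_POLICY = """\
#SOURCE  DEST   POLICY  LOGLEVEL
lan      net    ACCEPT
lan      $FW    ACCEPT
guest    net    ACCEPT
guest    lan    DROP    info
lan      guest  DROP    info
$FW      all    ACCEPT
net      all    DROP    info
all      all    REJECT  info
"""

# Same zones, but a broad `guest all ACCEPT` placed before the DROP line:
# the DROP is never reached, so guest can still reach lan.
LEAKY_POLICY = """\
guest    all    ACCEPT
guest    lan    DROP    info
lan      guest  DROP    info
$FW      all    ACCEPT
net      all    DROP    info
all      all    REJECT  info
"""

ZONES = ["$FW", "net", "lan", "guest"]  # zones from the thread, fw written as $FW


def parse_policy(text):
    """Return a list of (source, dest, policy, loglevel) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        loglevel = fields[3] if len(fields) > 3 else None
        entries.append((fields[0], fields[1], fields[2].upper(), loglevel))
    return entries


def lookup(entries, src, dst):
    """First matching policy line wins, as Shorewall does; None if nothing matches."""
    for esrc, edst, policy, _loglevel in entries:
        if esrc in (src, "all") and edst in (dst, "all"):
            return policy
    return None


def policy_matrix(entries, zones=ZONES):
    """Effective policy for every ordered pair of distinct zones."""
    return {(s, d): lookup(entries, s, d) for s in zones for d in zones if s != d}


def isolation_problems(entries, a="guest", b="lan"):
    """Directions in which traffic between zones a and b is not DROPped or REJECTed."""
    problems = []
    for src, dst in ((a, b), (b, a)):
        policy = lookup(entries, src, dst)
        if policy not in ("DROP", "REJECT"):
            problems.append(f"{src} -> {dst}: {policy}")
    return problems


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_POLICY), ("leaky", LEAKY_POLICY)):
        entries = parse_policy(text)
        problems = isolation_problems(entries)
        verdict = "isolated" if not problems else "NOT isolated: " + "; ".join(problems)
        print(f"{name}: {verdict}")
        for (s, d), p in sorted(policy_matrix(entries).items()):
            print(f"  {s:>6} -> {d:<6} {p}")
```

Note that in the sample policy guest -> $FW falls through to the final REJECT, so DHCP and DNS from the firewall to the guest zone would still have to be opened explicitly in the `rules` file; policies are the defaults, rules are the exceptions. The leaky variant shows why ordering matters: a catch-all ACCEPT above the DROP line silently defeats the isolation.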
