On 1/20/2014 2:48 PM, Mike Coan wrote:
> List,
>
> I currently have a three interface Shorewall box running version 4.5.11.2 on openSUSE 13.1.
>
> Given my limited knowledge of networking, it is a testimony to the docs that such a firewall is functioning without problems.
>
> In the DMZ there is a web server, an email server, and a wireless router. They all have private IPs in the 192.168.2.x range and the appropriate ports are forwarded from the public IPs. The router is basically to provide internet access to guests and smartphones. The wireless router is a Buffalo WZR-600DHP. It is simultaneous dual band and runs the DD-WRT firmware.
>
> The wireless router has a DHCP server (uses DNSMasq) and hands out addresses in the 192.168.12.x range. The wireless router is in Gateway mode, which according to the DD-WRT docs, means it does NAT/MASQ and all the devices on the 192.168.11.x range appear as the static WAN of the wireless router. Everyone has internet access and all is well.
>
> I would like to treat the 5 GHz and the 2.4 GHz bands separately and for that reason put them on separate subnets. The DD-WRT docs explain various ways to do that. I have chosen one way and it is mostly successful.
>
> ath0 is the 2.4 GHz wireless band
> ath0.1 is a virtual interface
> ath1 is the 5 GHz wireless band
>
> By putting ath0.1 in unbridged mode you can assign it an IP address in a different subnet. I gave it 192.168.13.1. You can also set up dnsmasq to do DHCP on that subnet.
>
> Here is what I have. Connect wirelessly to ath0 or ath1 and you get an address in the 192.168.12.x range and you can connect to the internet just fine.
>
> Connect wirelessly to ath0.1 and you get an address in the 19.168.13.x range and you cannot connect to the internet. I can ping the WAN of the wireless router but not the DMZ NIC of the Shorewall box. I can ping the DMZ NIC of the Shorewall box from the other subnet just fine.
>
> I suspect that the virtual interface does not get NATed and retains its IP address in the 192.168.13.x range, and the wireless router and/or Shorewall don't know what to do with the packets. I have read a lot today about adding routes. That is actually a good result, because then I can use Squid on the Shorewall box to treat that subnet differently. I have several questions.
>
> How do I tell where the 192.168.13.x packets get stopped? Traceroute, Wireshark, Shorewall logs? I have seen lots of references to these in the list, but haven't used them. The Shorewall firewall logs don't seem to be applicable.
>

Try 'tcpdump -ni ethX net 192.168.13.0/24' where ethX is the DMZ interface on the Shorewall box. What do you see when you try to connect from that net?

> Do I need to add a static route to both Shorewall and the wireless router, or to just one?

Let's get the answer to the above and then go from there.

> The third question is whether there is a better way to do what I am doing. The DD-WRT docs did add the possibility of adding a bridge and then assigning ath0.1 to that bridge.
>

You will have to ask the DD-WRT folks about that.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
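An added example, not part of the thread and not Shorewall's or DD-WRT's own tooling: a small POSIX shell helper that reads the output of the suggested 'tcpdump -ni ethX net 192.168.13.0/24' and reports whether the DMZ NIC sees no 192.168.13.x traffic at all, sees it in one direction only (requests arrive, no replies leave), or sees it both ways. The capture lines below are constructed to look like tcpdump -n output; the interpretation printed by next_check is this example's own reading of the thread (one-way traffic usually means the Shorewall box has no return route to the subnet), not a statement from the list.

```sh
#!/bin/sh
# classify_capture PREFIX  -- reads 'tcpdump -n' lines on stdin and prints
#   no-packets : the interface never saw the subnet (look upstream)
#   one-way    : packets from the subnet arrive, nothing goes back to it
#   two-way    : traffic flows in both directions
# PREFIX is the /24 with a trailing dot, e.g. 192.168.13.
classify_capture() {
    awk -v p="$1" '
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)   # strip trailing colon from dst
            if (index(src, p) == 1) from++           # packet sourced from the subnet
            else if (index(dst, p) == 1) to++        # packet going back to the subnet
        }
        END {
            if (from == 0 && to == 0) print "no-packets"
            else if (from > 0 && to == 0) print "one-way"
            else print "two-way"
        }'
}

# next_check RESULT -- suggested next diagnostic for each classification
# (this mapping is the example author's interpretation, not from the list)
next_check() {
    case "$1" in
        no-packets) echo "DMZ NIC never sees the subnet: capture on the wireless router's WAN side" ;;
        one-way)    echo "requests arrive but no replies: run 'ip route get 192.168.13.20' on the Shorewall box and check for a return route via the router's WAN IP" ;;
        two-way)    echo "traffic flows both ways: look at Shorewall zone policy and logging next" ;;
        *)          echo "unknown result"; return 1 ;;
    esac
}

# Constructed sample captures (not real tcpdump output from the thread).
# Case 1: a 192.168.13.x client retransmits SYNs to the DMZ web server, nothing comes back.
ONE_WAY='12:00:01.000001 IP 192.168.13.20.51234 > 192.168.2.1.80: Flags [S], seq 100, win 64240, length 0
12:00:02.000002 IP 192.168.13.20.51234 > 192.168.2.1.80: Flags [S], seq 100, win 64240, length 0'

# Case 2: a ping to the DMZ NIC is answered.
TWO_WAY='12:00:01.000001 IP 192.168.13.20 > 192.168.2.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000200 IP 192.168.2.1 > 192.168.13.20: ICMP echo reply, id 1, seq 1, length 64'

for sample in "$ONE_WAY" "$TWO_WAY"; do
    result=$(printf '%s\n' "$sample" | classify_capture 192.168.13.)
    echo "$result: $(next_check "$result")"
done
```

On a live box the same function is used as 'tcpdump -ni ethX net 192.168.13.0/24 -c 50 2>/dev/null | classify_capture 192.168.13.'; the trailing dot on the prefix matters, otherwise 192.168.130.x addresses would also match.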
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
