On 13/06/2016 15:25, Răzvan Sandu wrote:
> Hello,
>
> Please explain (in a piece of documentation similar to
> http://shorewall.net/Shorewall_and_Aliased_Interfaces.html) how to
> *correctly* define and use VLAN interfaces with shorewall.

With VLANs properly configured, shorewall does **NOT** need any particular configuration at all. As far as shorewall is concerned, a properly configured "VLAN interface" is nothing more than a "common"/"ordinary" physical interface.

> This seems to be an entirely different situation than aliased
> interfaces, because of their (desired) complete separation at the OSI
> 2 level.

That's true. Despite the similar naming (e.g. eth0.2 vs. eth0:2) they are _TOTALLY_ different.

> However, in practice, simply creating virtual interfaces ethX.100 and
> ethX.200, assigning IP addresses to them and putting them in different
> firewall zones seems not to work.

Are you sure this is a "shorewall" issue? I bet not.

> This is especially the case when one of the VLANs is the default one
> (VLAN1, on ethX.1), because some returning frames seem to be treated
> by the parent interface ethX instead of ethX.1 (VLAN1), despite being
> tagged with VID1, not untagged.

Dealing with the "default VLAN" and, especially, TAGging the default VLAN is definitely a _*NO*_*NO*_! Don't do it!

We're using plenty of VLANs (we have a shorewall firewall dealing with more than 80 VLANs spanning more than 250 switches) and we have no issue. _NEVER_ had an issue!

Anyway, as soon as you start TAGging VLAN 1 (on your switches, provided that they give you such a possibility) and/or start "forcing" the Linux networking layer to TAG VLAN 1, then... something strange starts happening.

So, again:

- please check your VLAN configuration (Linux _AND_ switches) and _AVOID_ TAGging VLAN 1. Best, _AVOID_ using the default VLAN at all;
- when everything works (externally to shorewall), then enter the shorewall configuration, treating the VLAN interfaces as "ordinary" interfaces;
- if problems persist, please get back here, with more details about your topology and problems.

Bye,
DV

-- 
Damiano Verzulli
e-mail: [email protected]
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists and Generalists. The Specialist learns more and more about a narrower and narrower field, until he eventually, in the limit, knows everything about nothing. The Generalist learns less and less about a wider and wider field, until eventually he knows nothing about everything." - William Stucke - AfrISPA
http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
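The procedure the reply describes (bring the tagged sub-interfaces up outside shorewall, never on VLAN 1, then list them in shorewall exactly like physical NICs), as an added worked example that is not part of this thread and not Shorewall's own code or documentation. The parent NIC `eth0`, VLAN IDs 100 and 200, zone names `lan`/`dmz`, the addresses and the interface option list are assumptions chosen for illustration; the iproute2 commands and the `?FORMAT 2` layout of `/etc/shorewall/interfaces` are the real syntax. The script prints the commands and config instead of applying them, so it runs without root; a `check_vid` guard enforces the thread's "never tag VLAN 1" rule.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): bring up two 802.1Q
# sub-interfaces on a parent NIC with iproute2 and render the matching
# Shorewall zones/interfaces entries. Interface name, VLAN IDs, zone
# names, addresses and options are assumptions chosen for illustration.
set -eu

PARENT=${PARENT:-eth0}   # assumed parent NIC (the trunk port towards the switch)

# Refuse VLAN 1 (the switch default VLAN) and out-of-range IDs, following
# the thread's advice never to tag the default VLAN.
check_vid() {
    vid=$1
    case $vid in
        ''|*[!0-9]*) echo "vid '$vid' is not numeric" >&2; return 1 ;;
    esac
    if [ "$vid" -eq 1 ]; then
        echo "refusing VLAN 1: never tag the default VLAN" >&2; return 1
    fi
    if [ "$vid" -lt 2 ] || [ "$vid" -gt 4094 ]; then
        echo "vid $vid outside 2..4094" >&2; return 1
    fi
    return 0
}

# Print the iproute2 commands that create one tagged sub-interface named
# PARENT.VID (e.g. eth0.100) and address it. Printing instead of executing
# keeps the function testable without root; nothing is printed for a bad VID.
vlan_cmds() {
    parent=$1; vid=$2; cidr=$3
    check_vid "$vid" || return 1
    printf 'ip link set dev %s up\n' "$parent"
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$parent" "$parent" "$vid" "$vid"
    printf 'ip addr add %s dev %s.%s\n' "$cidr" "$parent" "$vid"
    printf 'ip link set dev %s.%s up\n' "$parent" "$vid"
}

# One line for /etc/shorewall/interfaces (?FORMAT 2: ZONE INTERFACE OPTIONS).
# The VLAN sub-interface is listed exactly as a physical NIC would be.
shorewall_iface_line() {
    zone=$1; parent=$2; vid=$3; opts=$4
    check_vid "$vid" || return 1
    printf '%s\t%s.%s\t%s\n' "$zone" "$parent" "$vid" "$opts"
}

# Render complete zones and interfaces files for the two-VLAN topology.
render_shorewall() {
    printf '# /etc/shorewall/zones\n#ZONE\tTYPE\nfw\tfirewall\nlan\tipv4\ndmz\tipv4\n\n'
    printf '# /etc/shorewall/interfaces\n?FORMAT 2\n#ZONE\tINTERFACE\tOPTIONS\n'
    shorewall_iface_line lan "$PARENT" 100 tcpflags,nosmurfs
    shorewall_iface_line dmz "$PARENT" 200 tcpflags,nosmurfs
}

# Dry run: show what would be executed. Pipe the ip commands to `sh` as
# root (after `modprobe 8021q` on kernels that do not autoload it) to apply.
vlan_cmds "$PARENT" 100 192.0.2.1/24
vlan_cmds "$PARENT" 200 198.51.100.1/24
echo
render_shorewall
```

Verify the link layer before touching shorewall: `ip -d link show eth0.100` must report `vlan protocol 802.1Q id 100`, and a host in VLAN 100 must be reachable with shorewall stopped (`shorewall clear`). Only once that works do the sub-interfaces go into `/etc/shorewall/interfaces`, where shorewall treats them like any other NIC.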
