On 08/07/2017 01:52 AM, Vieri Di Paola via Shorewall-users wrote:
>
> ________________________________
> From: Vieri Di Paola via Shorewall-users
> <shorewall-users@lists.sourceforge.net>
>>
>> So if I wanted to avoid using proxy arp on the WAN interface, and since the
>> bulk 10.215.0.0/16 is really on the LAN interface then I could change gw1's
>> enp11s0 IP settings to 10.215.144.92/32 with a route for 10.215.0.0/16 via
>> 172.16.0.1.
>
> Hi,
>
> I changed the network configuration in my gw1 shorewall gateway, and removed
> proxyarp=1 in fw2 as in the setup described earlier:
>
> Internet providers --- gw1 (10.215.144.92/32 172.16.0.2/28) --- fw2 --- lan
>
> Traffic from lan to wan is OK now, so the issue is solved.
>
> However, there's still just one last thing that I'd like to deal with.
>
> I tried to ping from gw1 to fw2 but failed. A tcpdump on fw2 shows that the
> ping request source IP address is 172.16.0.2. It's being blocked by fw2's
> shorewall rules. I could allow this traffic, but I'd rather keep the ACCEPT
> rule from wan:10.215.14.92 to $FW alone.
> I thought I only needed to masquerade on gw1's lan interface.
>
> Here's what I did in gw1's snat file:
>
> SNAT($IF_LAN_MASQ_ADDRESS) $IF_LAN_MASQ_SOURCE $IF_LAN
>
> The params file contains:
>
> IF_LAN=enp11s0
> IF_LAN_MASQ_ADDRESS=10.215.144.92
> IF_LAN_MASQ_SOURCE=172.16.0.2
>
> However, pings still fail for the same reason.
>
You wanted:

SNAT($IF_LAN_MASQ_ADDRESS) $IF_LAN:$IF_LAN_MASQ_SOURCE

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
\_______________________________________________
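A way to confirm from fw2's side that the snat change on gw1 took effect, added here as an example and not part of the thread: it runs over constructed tcpdump lines (the real check is a live `tcpdump -ni <iface> icmp` on fw2's interface towards gw1, whose name is not given in the thread), using the transit and SNAT addresses from the thread, and flags any packet that still arrives from 172.16.0.2.

```shell
#!/bin/sh
# Added example (not from the thread): confirm on fw2 that, after the snat
# change on gw1, no packets arrive from gw1's transit address 172.16.0.2 and
# gw1's traffic shows the expected SNAT address 10.215.144.92 instead.
# The tcpdump lines below are constructed stand-ins for a live capture
# (tcpdump -ni <fw2 interface towards gw1> icmp); timestamps are made up.
TRANSIT_ADDR=172.16.0.2   # gw1's address on the /28 towards fw2 (from the thread)
SNAT_ADDR=10.215.144.92   # address gw1 should present to fw2 (from the thread)

# Before the fix: the ping request from gw1 carries the transit address.
CAPTURE_BEFORE='12:00:01.000001 IP 172.16.0.2 > 172.16.0.1: ICMP echo request, id 1, seq 1, length 64
12:00:02.000001 IP 172.16.0.2 > 172.16.0.1: ICMP echo request, id 1, seq 2, length 64'

# After the fix: the same ping, now source-NATed on gw1, and fw2's reply.
CAPTURE_AFTER='12:05:01.000001 IP 10.215.144.92 > 172.16.0.1: ICMP echo request, id 2, seq 1, length 64
12:05:01.000300 IP 172.16.0.1 > 10.215.144.92: ICMP echo reply, id 2, seq 1, length 64'

# Print the number of packets whose source is the transit address; the exit
# status is non-zero when at least one such packet was seen (i.e. SNAT missed).
count_transit_sources() {
    printf '%s\n' "$1" | awk -v t="$TRANSIT_ADDR" \
        '$2 == "IP" && $3 == t { n++ } END { print n + 0; exit (n > 0) }'
}

# Print the number of packets that carry the SNAT address as source.
count_snat_sources() {
    printf '%s\n' "$1" | awk -v s="$SNAT_ADDR" \
        '$2 == "IP" && $3 == s { n++ } END { print n + 0 }'
}

if count_transit_sources "$CAPTURE_AFTER" >/dev/null; then
    echo "ok: no packets from $TRANSIT_ADDR reached fw2; the snat rule on gw1 is effective"
else
    echo "snat on gw1 not effective: packets still arrive from $TRANSIT_ADDR"
fi
```

Feed a real capture in place of the constructed strings; a non-zero exit from `count_transit_sources` means fw2's ACCEPT rule for wan:10.215.144.92 will keep dropping gw1's pings.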
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users