Hi, I have this working network configuration with two VLANs and a Linux router with DHCP server and Shorewall.
         ISP
          |
          |
        eth0
   |-----------|
   |           |
   | Shorewall |
   |           |
   |-----------|
    eth1    192.168.10.1
    eth1.20 192.168.20.1 (802.1Q VLAN tagging)
          |
          | VLAN trunk
          |
    192.168.10.254 (VLAN10 switch virtual interface)
    192.168.20.254 (VLAN20 switch virtual interface)
   |-----------|
   |  Netgear  |  VLAN10
   |  switch   |------- 192.168.10.0/24
   |           |        GW 192.168.10.1
   |-----------|
          |
          | VLAN20
          | 192.168.20.0/24
          | GW 192.168.20.1

The internal physical network interface of the Shorewall box has a second virtual interface eth1.20 with 802.1Q VLAN tagging on. The default gateway for network computers is set up to the Linux router. The gateway for VLAN10 is 192.168.10.1 and the gateway for VLAN20 is 192.168.20.1. With this configuration I can access the internet and communicate between both VLANs. All communication between VLANs goes through the Linux router.

Because my switch supports VLAN routing I tried to use it as a router to speed up communication between VLANs. I did these steps:

1) On the switch I turned on routing and set the default gateway to the Linux router's primary IP address, 192.168.10.1.
2) On the network computers I changed the default gateway to the switch virtual interface address: 192.168.10.254 for VLAN10, 192.168.20.254 for VLAN20.

With this configuration I'm able to communicate between both VLANs but cannot access the internet. I also cannot ping from a computer in one VLAN to the IP address of the Shorewall box in the second VLAN (ping from 192.168.10.x to 192.168.20.1) and vice versa.
My current Shorewall configuration (simplified):

/etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

/etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     NET_IF      physical=eth0,tcpflags,nosmurfs,routefilter
loc     VLAN10      physical=eth1,dhcp,tcpflags,nosmurfs,routefilter,routeback
loc     VLAN20      physical=eth1.20,dhcp,tcpflags,nosmurfs,routefilter,routeback

/etc/shorewall/snat
#ACTION             SOURCE              DEST
SNAT(external IP)   192.168.10.0/24,\
                    192.168.20.0/24     NET_IF

/etc/shorewall/policy
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
loc     $FW     ACCEPT
$FW     loc     ACCEPT
$FW     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

What should I change in my router/Shorewall configuration to be able to access the internet from both VLANs with routing between them on the switch?

I need the second virtual interface of the Shorewall box with 802.1Q packet tagging so that the DHCP server is able to distinguish which VLAN to serve an IP address for. My switch does not provide a DHCP Relay Agent function.

Thanks,
Bohuslav

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
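The post's interfaces file enables `routefilter` on eth1 and eth1.20, and the switch-routed setup makes packets reach the Shorewall box on an interface that differs from the one its own routing table would use to reply to the sender. The model below is an added illustration, not part of Bohuslav's post or of Shorewall: it replays the three flows the post describes through a strict reverse-path check (Linux `rp_filter=1`, which is what Shorewall's `routefilter` option turns on by default). The routes and gateway addresses come from the post; the host addresses `.10` and `.20`, and the assumption that the switch forwards Internet-bound traffic to 192.168.10.1 untagged over its VLAN10 SVI, are constructed for the example.

```python
import ipaddress

# Constructed model of the routes on the Shorewall box described in the post:
# (prefix, outgoing interface). Prefixes and interfaces come from the post.
ROUTES = [
    (ipaddress.ip_network("192.168.10.0/24"), "eth1"),
    (ipaddress.ip_network("192.168.20.0/24"), "eth1.20"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
]


def best_route(addr):
    """Longest-prefix match: the interface the kernel would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, dev) for net, dev in ROUTES if ip in net]
    _net, dev = max(matches, key=lambda m: m[0].prefixlen)
    return dev


def strict_rp_filter_accepts(src, iif):
    """Strict reverse-path filtering (Linux rp_filter=1, enabled by Shorewall's
    'routefilter' interface option): a packet is accepted only if the reply to
    its source address would leave on the interface the packet arrived on."""
    return best_route(src) == iif


def evaluate(flows):
    """Return {flow name: 'ACCEPT' or 'DROP'} for each (name, src, iif) flow."""
    return {name: ("ACCEPT" if strict_rp_filter_accepts(src, iif) else "DROP")
            for name, src, iif in flows}


# Constructed flows (host addresses .10 and .20 are made up). Which interface a
# packet arrives on depends on which switch SVI forwarded it: the switch reaches
# its default gateway 192.168.10.1 through VLAN10, so Internet-bound traffic it
# routes arrives untagged on eth1 (assumption for this model).
FLOWS = [
    # Original setup: the VLAN20 host uses 192.168.20.1 as gateway and sends
    # directly, so the packet arrives tagged on eth1.20.
    ("vlan20 host -> internet, gateway 192.168.20.1", "192.168.20.20", "eth1.20"),
    # Switch-routed setup: the same host sends to 192.168.20.254; the switch
    # forwards towards 192.168.10.1 out of VLAN10, i.e. untagged on eth1.
    ("vlan20 host -> internet, via switch", "192.168.20.20", "eth1"),
    # Switch-routed ping from VLAN10 to 192.168.20.1: the switch routes it into
    # VLAN20, so it arrives tagged on eth1.20 with a VLAN10 source address.
    ("vlan10 host -> 192.168.20.1, via switch", "192.168.10.10", "eth1.20"),
]

if __name__ == "__main__":
    for name, verdict in evaluate(FLOWS).items():
        print(f"{verdict:6} {name}")
```

The first flow passes and the two switch-routed flows are rejected by the reverse-path check, which matches the symptoms the post lists. On the live box the same question can be put to the kernel with `ip route get <dst> from <src> iif <dev>` for each flow, and the per-interface setting inspected under `/proc/sys/net/ipv4/conf/<dev>/rp_filter`; a drop caused by this check is counted in `netstat -s` / `nstat` under `IPReversePathFilter` rather than logged by the Shorewall policies.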