Hi, I'd like to describe my goal here to see if someone can guide me to the "best solution".

A Shorewall server has several ethernet interfaces, and one of them (say, eth0) is configured with VLAN IDs 1, 11, 12 (eth0.1, eth0.11, eth0.12). So eth0 is then connected to a "trunk" port on a managed switch (untagged VLAN 1, tagged VLAN 11, tagged VLAN 12). The eth0 IP address configuration on the Shorewall system is something like 192.168.210.1/24, and the hosts in this LAN segment are within this IP address range with static IP addresses. It is REQUIRED that all hosts in this network have IP addresses within this range, and that the Shorewall server use as few IP addresses as possible (i.e. 1).

As a simplified practical example, suppose I have the following:

- 1 host in VLAN 11 with IP address 192.168.210.10/24, default gw 192.168.210.1
- 2 hosts in VLAN 1 with IP addresses 192.168.210.20-21/24, default gw 192.168.210.1
- 1 host in VLAN 12 with IP address 192.168.210.30/24, default gw 192.168.210.1

I need Shorewall to manage traffic between these VLANs (allow/drop/reject...). E.g. I want only $FW to access VLAN 1 hosts, VLAN 11 hosts can access specific ports on $FW only, VLAN 12 hosts can access selected ports on VLAN 1 hosts.

The usual way to configure VLANs is to use non-overlapping IP ranges for each virtual interface. However, I cannot do that here.

I was thinking of using "parallel zones", but I'm not sure that would work (I cannot specify eth0.1, eth0.11 or eth0.12 in the Shorewall interfaces file).

I was also trying to configure a bridge, but I don't know if and how I can bridge a VLAN with the interface, and then set Shorewall BPORT-based rules. Something like bridging eth0.1, eth0.11 and eth0.12, setting a management IP address 192.168.210.1/24, and then defining bridge zones and BPORT rules.

Can anyone please give me some hints and pointers?

Thanks,
Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
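The bridge layout sketched in the question (eth0.1, eth0.11 and eth0.12 enslaved to one bridge carrying 192.168.210.1/24, with one bport zone per VLAN) can be expressed as follows. This is an added example, not code from the original post or from the Shorewall project: the bridge name br0, the zone names v1/v11/v12 and the port numbers in the rules file (22 for VLAN 11 to $FW, 80 and 443 for VLAN 12 to VLAN 1) are assumptions, since the post names none of them. The interfaces file uses the classic three-column form with the `bridge` option, and the zones are declared as `bport` children of the zone bound to br0.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the bridge described in
# the question and writes a Shorewall bport-zone configuration for it.
# Assumed names: br0, zones v1/v11/v12; assumed ports: tcp 22, tcp 80,443.
BRIDGE=br0
MGMT_ADDR=192.168.210.1/24

# Create the VLAN sub-interfaces, enslave them to the bridge and give the
# bridge the single management address the poster wants. Needs root; only
# runs when the script is invoked as "sh script.sh apply".
setup_bridge() {
    ip link add "$BRIDGE" type bridge
    ip link set eth0 up
    for vid in 1 11 12; do
        ip link add link eth0 name "eth0.$vid" type vlan id "$vid"
        ip link set "eth0.$vid" up
        ip link set "eth0.$vid" master "$BRIDGE"
    done
    ip addr add "$MGMT_ADDR" dev "$BRIDGE"
    ip link set "$BRIDGE" up
    # Without br_netfilter, frames switched between bridge ports never
    # traverse iptables, so none of the bport rules below would apply.
    modprobe br_netfilter
    sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Write zones/interfaces/policy/rules into directory $1 (default /etc/shorewall).
write_shorewall_config() {
    dir=${1:-/etc/shorewall}
    cat > "$dir/zones" <<'EOF'
#ZONE       TYPE        OPTIONS
fw          firewall
world       ipv4
v1:world    bport
v11:world   bport
v12:world   bport
EOF
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE       BROADCAST   OPTIONS
world   br0             -           bridge
v1      br0:eth0.1      -
v11     br0:eth0.11     -
v12     br0:eth0.12     -
EOF
    # Deny by default; only the firewall itself may initiate to any zone,
    # which is what gives "$FW only" access to the VLAN 1 hosts.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
$FW     all     ACCEPT
all     all     DROP    info
EOF
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DPORT
# VLAN 11 hosts reach only these $FW ports (port is an assumption)
ACCEPT  v11     $FW     tcp     22
# VLAN 12 hosts reach only these ports on VLAN 1 hosts (ports are assumptions)
ACCEPT  v12     v1      tcp     80,443
EOF
}

# Count the bridge-port zones declared in a generated zones file.
count_bport_zones() {
    grep -c '[[:space:]]bport' "$1/zones"
}

if [ "${1:-}" = "apply" ]; then
    setup_bridge
    write_shorewall_config /etc/shorewall
    shorewall check && shorewall restart
fi
```

Two caveats when applying this. First, frames that the switch sends untagged on the trunk arrive on eth0 itself, not on eth0.1, so if VLAN 1 really is untagged the bridge member for it should be eth0 rather than eth0.1. Second, the isolation between the VLANs now rests entirely on br_netfilter being loaded and `net.bridge.bridge-nf-call-iptables` being 1 at the time Shorewall starts; if that sysctl is missing or 0, the bridge forwards between ports at layer 2 and every rule above is silently bypassed, so it is worth checking the value after each boot.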
A Shorewall server has several ethernet interfaces, and one of them (say, eth0) is configured with VLAN IDs 1, 11, 12 (eth0.1, eth0.11, eth0.12). So eth0 is then connected to a "trunk" port on a managed switch (untagged VLAN 1, tagged VLAN 11, tagged VLAN 12). The eth0 IP addr. configuration on the Shorewall system is something like 192.168.210.1/24, and the hosts in this LAN segment are within this IP addr. range with static IP addresses. It is REQUIRED that all hosts in this network have IP addresses within this range, and that the Shorewall server use the least IP addresses as possible (ie. 1). As a simplified practical example, suppose I have the following: - 1 host in VLAN 11 with IP address 192.168.210.10/24, default gw 192.168.210.1 - 2 hosts in VLAN 1 with IP addresses 192.168.210.20-21/24, default gw 192.168.210.1 - 1 host in VLAN 12 with IP address 192.168.210.30/24, default gw 192.168.210.1 I need Shorewall to manage traffic between these VLANs (allow/drop/reject...). eg. I want only $FW to access VLAN 1 hosts, VLAN 11 hosts can access specific ports on $FW only, VLAN 12 hosts can access selected ports on VLAN 1 hosts. The usual way to configure VLANs is to use non-overlapping IP ranges for each virtual interface. However, I cannot do that here. I was thinking of using "parallel zones", but I'm not sure that would work (I cannot specify eth0.1, eth0.11 or eth0.12 in the Shorewall Interfaces file). I was also trying to configure a bridge, but I don't know if and how I can bridge a VLAN with the interface, and then set Shorewall BPORT-based rules. Something like bridging eth0.1, eth0.11 and eth0.12, setting a management IP address 192.168.210.1/24, and then defining bridge zones and BPORT rules. Can anyone please give me some hints and pointers? Thanks, Vieri _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users