On 11/8/18 4:56 AM, Vieri Di Paola wrote:
> Hi,
>
> I'd like to describe my goal here to see if someone can guide me to
> the "best solution".
>
> A Shorewall server has several ethernet interfaces, and one of them
> (say, eth0) is configured with VLAN IDs 1, 11, 12 (eth0.1, eth0.11,
> eth0.12).
>
> So eth0 is then connected to a "trunk" port on a managed switch
> (untagged VLAN 1, tagged VLAN 11, tagged VLAN 12).
>
> The eth0 IP addr. configuration on the Shorewall system is something
> like 192.168.210.1/24, and the hosts in this LAN segment are within
> this IP addr. range with static IP addresses.
> It is REQUIRED that all hosts in this network have IP addresses within
> this range, and that the Shorewall server use the least IP addresses
> as possible (ie. 1).
>
> As a simplified practical example, suppose I have the following:
>
> - 1 host in VLAN 11 with IP address 192.168.210.10/24, default gw
> 192.168.210.1
> - 2 hosts in VLAN 1 with IP addresses 192.168.210.20-21/24, default gw
> 192.168.210.1
> - 1 host in VLAN 12 with IP address 192.168.210.30/24, default gw
> 192.168.210.1
>
> I need Shorewall to manage traffic between these VLANs
> (allow/drop/reject...). eg. I want only $FW to access VLAN 1 hosts,
> VLAN 11 hosts can access specific ports on $FW only, VLAN 12 hosts can
> access selected ports on VLAN 1 hosts.
>
> The usual way to configure VLANs is to use non-overlapping IP ranges
> for each virtual interface.
> However, I cannot do that here.
>
> I was thinking of using "parallel zones", but I'm not sure that would
> work (I cannot specify eth0.1, eth0.11 or eth0.12 in the Shorewall
> Interfaces file).

Of course you can!!!

> I was also trying to configure a bridge, but I don't know if and how I
> can bridge a VLAN with the interface, and then set Shorewall
> BPORT-based rules.
> Something like bridging eth0.1, eth0.11 and eth0.12, setting a
> management IP address 192.168.210.1/24, and then defining bridge zones
> and BPORT rules.
>
> Can anyone please give me some hints and pointers?
>

There is *nothing* unique about VLAN interfaces, as far as Shorewall is
concerned. Treat them just as you would non-VLAN ethernet devices.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
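The following script is an added example, not code from the thread or from the Shorewall project: it writes the zones, interfaces, policy and rules files that treat eth0.1, eth0.11 and eth0.12 as three ordinary interfaces, each in its own zone, with the access policy Vieri describes. The zone names, the Shorewall 5 `?FORMAT 2` interfaces layout, and the concrete ports (SSH and DNS from VLAN 11 to the firewall, TCP 443 from VLAN 12 to the two VLAN 1 hosts) are assumptions, since the thread only says "specific" and "selected" ports; the files go to a scratch directory, not /etc/shorewall.

```shell
#!/bin/sh
# Added example (not from the thread). Generates Shorewall config for the
# three VLAN sub-interfaces described above, writing into $1 (default: a
# scratch directory) so the result can be reviewed before being installed.
gen_shorewall_vlan_config() {
    dir=${1:-./shorewall-vlan-example}
    mkdir -p "$dir"
    # One zone per VLAN sub-interface; Shorewall treats eth0.N like any NIC.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
vlan1   ipv4
vlan11  ipv4
vlan12  ipv4
EOF
    # routefilter is deliberately left out: all three VLANs share one /24,
    # so strict reverse-path filtering would discard legitimate traffic.
    cat > "$dir/interfaces" <<'EOF'
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
vlan1   eth0.1      tcpflags,nosmurfs
vlan11  eth0.11     tcpflags,nosmurfs
vlan12  eth0.12     tcpflags,nosmurfs
EOF
    # Deny by default and log; only the firewall itself may reach VLAN 1
    # hosts freely. Every other allowed flow is an explicit rule below.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOGLEVEL
$FW     vlan1   ACCEPT
all     all     DROP    info
EOF
    # Port choices are constructed for the example (thread only says
    # "specific"/"selected" ports). Host addresses are the ones in the thread.
    cat > "$dir/rules" <<'EOF'
#ACTION     SOURCE   DEST                                  PROTO  DPORT
# VLAN 11 hosts may reach only these services on the firewall itself
SSH(ACCEPT) vlan11   $FW
DNS(ACCEPT) vlan11   $FW
# VLAN 12 hosts may reach selected ports on the VLAN 1 hosts only
ACCEPT      vlan12   vlan1:192.168.210.20,192.168.210.21   tcp    443
EOF
    printf '%s\n' "$dir"
}
```

Note that Shorewall only decides what is permitted between the zones; because every VLAN sits in the same 192.168.210.0/24, the kernel still needs a way (per-host routes, or the bridge approach Vieri mentions) to know which sub-interface each host is behind, which this example does not configure.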