comments inline...

Michel van Horssen wrote:
> Thing is, those messages talk about the IP command on the shell prompt,
> there are also policies possible in the cli. Are those the same?
No.  Policy routing is not included in the CLI right now.  You must use
the ip command in the linux shell.

> Our situation is as follows:
> 
> eth0: 192.168.1.0/24 interface address is 192.168.1.1
> eth1: 192.168.10.0/24 interface address is 192.168.10.1
> eth2: 192.168.254.0/24 interface address is 192.168.254.2 (router on the
> other end with 192.168.254.1)
> 
> The default next hop to the firewall would be 192.168.1.2 this should be
> restricted to a few computers in the 192.168.10.0/24 segment.
> 
> What I've read so far is that the cli can't handle it and I would have
> to do it on the root shell with the IP command.
> 
> The first rule would be:
> ip route add default via 192.168.1.2 dev eth0 tab 1
> 
> But then I'm stuck because the servers and a few clients who would be allowed 
> access to that default route aren't all in a nice string of addresses.
>
> What I would like is to tell that the range from 192.168.10.10:192.168.10.50 
> and 192.168.10.155 etc etc would be allowed to go to that next hop.
You will have to break that range into smaller ranges for your ip rule
statements.  For example, the first range of 10.10 to 10.50 would be
something like this...

ip rule add from 192.168.10.10/31 tab 1
ip rule add from 192.168.10.12/30 tab 1
ip rule add from 192.168.10.16/28 tab 1
ip rule add from 192.168.10.32/28 tab 1
ip rule add from 192.168.10.48/31 tab 1
ip rule add from 192.168.10.50/32 tab 1

Cheers,
Robert.
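
Added example, not part of Robert's message: a small Python script that splits an inclusive address range into aligned CIDR blocks and emits the matching ip rule lines, so an irregular allow-list can be checked before it is typed on the router. The function names are hypothetical; the range, the single host and table 1 are the ones from the thread.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # Largest power-of-two block that starts exactly on lo ...
        size = lo & -lo if lo else 1 << 32
        # ... shrunk until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(ipaddress.IPv4Network((lo, prefix)))
        lo += size
    return blocks

def policy_rules(ranges, table):
    """Build 'ip rule' lines for (first, last) pairs; a single host is (addr, addr)."""
    return [f"ip rule add from {net} tab {table}"
            for first, last in ranges
            for net in range_to_cidrs(first, last)]

def covered_hosts(blocks):
    """Expand the blocks back into addresses to confirm nothing extra is matched."""
    return [str(addr) for net in blocks for addr in net]

if __name__ == "__main__":
    # Sources allowed to use the default route in table 1 (values from the thread).
    allowed = [("192.168.10.10", "192.168.10.50"),
               ("192.168.10.155", "192.168.10.155")]
    for line in policy_rules(allowed, 1):
        print(line)
```

Comparing the output of covered_hosts with the intended allow-list shows whether a prefix has been rounded outward and now lets extra hosts reach the firewall.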