I have set up a new Bering box where I have connected eth2 to a "DMZ", which is in fact a real DMZ accessed from another LEAF box with real public addresses. This new LEAF machine has ADSL on it with a single external public address; the older one is on 128 kbit ISDN and has a public subnet allocated to it.
The issue is this: these machines have a public sub-class-C address range they can be accessed on by using the ISDN route, but for the tasks these machines undertake they pull data from external sites, and I would like to go out a second gateway, namely the ADSL service, for these particular needs. This is in fact the main task of these machines; they do little else externally. As stated, the main traffic to and from these machines is initiated from the machines themselves, and to save some money and get faster traffic throughput I reasoned that they could be connected to the ADSL service using a third DMZ interface on the ADSL service to the existing DMZ on the ISDN service. But apart from bringing up an interface to this subnet and accessing the DMZ from the firewall, I cannot seem to talk to it from the internal network (a 192.168 subnet), nor successfully configure it to be accessed via DNAT from the single public address on the ADSL service externally.

I have a DNAT connection using an M$ PPTP server coming in from the ADSL external interface, so it's mainly an issue of understanding and configuring Shorewall correctly for this eth2 connection. The subnet is a 26-bit-mask network, it is connected to eth2, and it is just like the three-interface example in the Shorewall documentation: eth0 is external using ppp0 on an ADSL service, eth1 is the internal network on 192.168.0.0/24, and eth2 is to be connected to the sub-class-C subnet.

Do we masq to this eth2 network from the internal eth1 subnet? I would think not, as the LEAF machine has a route to the subnet and traffic will get there, although Shorewall must know of it for security. Should the DMZ be masqueraded to the external interface? Yes, as we only have one IP externally, bearing in mind the DMZ addresses are effectively a private DMZ, as their addresses belong to another ISP and cannot be routed through this ADSL service.
I hope this is clear enough. I seek assistance on this, as I have got no further in connecting this up apart from getting it connected via eth2. I continue to be amazed at how much there is to learn.

Regards, Matthew

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
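As an added example, not taken from Matthew's post or from the LEAF/Shorewall documentation, the following is a Shorewall 1.4-era configuration for the three-interface topology he describes: ppp0 (the PPPoE session over eth0) as the net zone, eth1 as loc with 192.168.0.0/24, and eth2 as dmz carrying the other ISP's /26. The DMZ block 203.0.113.0/26, the host 203.0.113.2 and the PPTP service used in the DNAT rule are placeholders chosen for illustration (the post gives no addresses); the file formats are those of Shorewall 1.4.x, which is an assumption about the version on the box.

```text
# /etc/shorewall/zones
#ZONE   DISPLAY     COMMENTS
net     Net         Internet via ADSL (ppp0)
loc     Local       Internal 192.168.0.0/24 on eth1
dmz     DMZ         Other ISP's public /26 on eth2 (placeholder 203.0.113.0/26)

# /etc/shorewall/interfaces
# eth0 only carries the PPPoE session, so it is not listed; the net zone is ppp0.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -
loc     eth1        detect
dmz     eth2        detect

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq
# Both the internal subnet and the DMZ /26 are hidden behind the single ADSL
# address, because the /26 belongs to the other ISP and is not routable via ADSL.
# Nothing is masqueraded between eth1 and eth2; the box simply routes between
# them and the loc->dmz ACCEPT policy above lets that traffic through.
#INTERFACE  SUBNET
ppp0        eth1
ppp0        eth2

# /etc/shorewall/rules
# DNAT from the single ADSL address to a DMZ host. Host address and service are
# placeholders; PPTP needs TCP 1723 plus GRE forwarded to the same host.
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
DNAT    net     dmz:203.0.113.2     tcp     1723
DNAT    net     dmz:203.0.113.2     gre
```

Run `shorewall check` before `shorewall restart`. The part Shorewall cannot fix is routing on the DMZ hosts: their default route presumably still points at the ISDN box, so replies to 192.168.0.0/24, and any outbound traffic that is meant to use ADSL, must be routed to this box's eth2 address (which has to be an address inside the /26), otherwise the replies leave through the ISDN box, this box's connection tracking never sees them, and the loc->dmz and DNAT sessions appear to hang. For the PPTP DNAT, GRE through NAT also depends on the kernel's PPTP connection-tracking and NAT helper modules (ip_conntrack_pptp / ip_nat_pptp) being available and loaded, which is an assumption about the Bering kernel in use.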