> Mike Lander wrote:
> >
> > PS So you can follow, building reference:
> > building 1: Full T-1 under my control with /29, non-routed
> > building 2: Full T-1 under Toyota's control, NATed with
> > a Cisco router with LAN IP 10.5.198.238
> >
> > Note: In my test environment the practice IP 10.194.79.254
> > will emulate 10.5.198.238.
> >
> > Tom,
> > I was just eating lunch and thought I should explain this better
> > instead of assuming you followed our post. I built these guys a Shorewall box
> > in 2003, as you have seen. It has Red Hat 8 and Shorewall 3.0.2,
> > and it's been serving as a file server as well. When I checked this place
> > the admin thought the T-1s were in the same building as the old
> > Shorewall box is now. The old box is accessing the 10.5.198.238
> > gateway only for networks 63.90.860/24.
> >
> > PS old box is still at the location being used.
> >
> > Since the old Shorewall box was built, the NATed gateway that
> > is out of my control has been upgraded to a Full T-1 in building 2,
> > where currently there is no Shorewall box, just the Toyota Cisco.
> > I was going to use a three-NIC box with two NICs for ISPs,
> > but the two buildings are connected with fiber on the
> > LAN 10.5.198.0/24, so now a dual NIC that Jerry has
> > working sounded attractive.
> >
> > I will put the old Shorewall box in building 2 (after rebuild);
> > a backup file server is what its primary purpose is.
> >
> > They have liked it so much, they want a bigger,
> > better box built for redirecting My Documents on their XP boxes to a
> > Samba share. So I built a Dell 2900 quad Xeon 2 GB RAM to handle
> > being a domain controller for their network, to knock out the
> > old Shorewall box.
> > The NATed T-1 is hardly being used; they wish to load
> > balance to take advantage of the T-1s and maybe down the
> > road use it as failover. I am not opposed to a better idea than
> > the two NICs if you have an idea.
> > Because in a similar situation
> > I asked you a ways back, I needed customer wireless to a 2nd building
> > slaved with fiber on a LAN and you suggested a VPN to the wireless
> > to separate the LAN traffic from the customer wireless router,
> > and that worked great. Getting lengthy, so hope this helps.
> Mike,
>
> Does http://www1.shorewall.net/images/Landers.png accurately reflect the network topology?
> If so, you want this masq entry:
>
>     eth0    10.194.79.0/24    66.224.62.120
>
> -Tom

Yes, this accurately reflects the network topology. However, I have been testing Squid through this now and the browser pauses and balks at times. So I tried 10.194.79.181 in tcp outgoing in squid.conf and browsing was fine. When I changed tcp outgoing to 66.224.62.120, the trouble started again. You would have thought it would have been the LAN gateway causing trouble. Any ideas?

PS Back up a little about masq. I am trying to understand the masq stuff for multi-ISP. In my main firewall my masq is as follows:

    eth0    $ETH2_IP         66.224.62.118
    eth2    66.224.62.118    $ETH2_IP
    eth0    eth1             66.224.62.118
    eth2    eth1             $ETH2_IP

When you said this looks "silly", why would we need in the first rule anything coming in on $eth2 (Comcast) going out eth0 (Eshelon T-1) to be rewritten as 66.244.62.118, when no traffic should be going through in the first place with policy "net net drop"?

Thank You,
Mike
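As an added illustration for the masq question above (this is not configuration from Tom, Mike, or the Shorewall project), here is the shape a two-provider masq file normally takes, so the four lines Mike posted can be read against it. The interface roles (eth0 = T-1 with 66.224.62.118, eth2 = Comcast with $ETH2_IP from params, eth1 = LAN) are taken from the thread; the policy lines, log levels, and the exact LAN subnet used in the comments are assumptions.

```text
# /etc/shorewall/masq   (Shorewall 3.x columns: INTERFACE  SOURCE  ADDRESS)
# Hypothetical layout; interface roles as described in the thread, everything
# else assumed for illustration.
#
# One SNAT entry per external interface, each sourced from the LAN interface.
# Forwarded traffic leaving eth0 is rewritten to the T-1 address, traffic
# leaving eth2 to the Comcast address. Nothing else is needed for the LAN.
eth0    eth1            66.224.62.118
eth2    eth1            $ETH2_IP

# The two extra lines in the posted masq
#     eth0    $ETH2_IP        66.224.62.118
#     eth2    66.224.62.118   $ETH2_IP
# can only match packets that entered on one provider and are leaving on the
# other. With the net->net DROP policy below, such packets are discarded in
# the FORWARD chain, which netfilter processes before the POSTROUTING nat
# chain where SNAT happens, so those two entries never rewrite anything.

# /etc/shorewall/policy   (SOURCE  DEST  POLICY  LOG LEVEL)   -- assumed values
loc     net     ACCEPT
net     net     DROP    info
net     all     DROP    info
all     all     REJECT  info
```

If the intent is to confirm that the two "net-to-net" masq lines are dead, check the nat table counters after some traffic (`shorewall show nat` in 3.x, or `iptables -t nat -L POSTROUTING -v -n`): the SNAT rules generated for those entries should stay at zero packets while the two LAN-sourced rules accumulate.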
