hi there, i have a question about the possibility of the following setup. for better understanding, i've attached an image. it's not big, but i apologise beforehand for putting that image on this list:

well, there are 2 VLANs on each PC. every VLAN should access its internal IPs (i.e. 172.16.10.2 should ping 172.16.10.3 without problems, because shorewall isn't interacting yet). what i want to do is to give vlan1 access to vlan2, but only! with its external IPs (i.e. 172.16.10.2 should ping 192.168.10.10, but also its own VLAN members like 192.168.10.3). so there is one trick: i had to add the routeback option on the vlan interfaces, because when i ping from 172.16.10.2 inside vlan1 to the external IP 192.168.10.3, shorewall routes me back to the same interface, which isn't allowed by default. so, i've tested this setup with shorewall and it works quite nicely:

interfaces:

    loc     eth0        detect
    v1234   eth0.1234   detect   routeback
    v1235   eth0.1235   detect   routeback

zones:

    fw      firewall
    loc     ipv4
    v1234   ipv4
    v1235   ipv4

nat:

    192.168.10.2    eth0:0   172.16.10.2    yes   yes
    192.168.10.3    eth0:1   172.16.10.3    yes   yes
    192.168.10.10   eth0:2   172.16.10.10   yes   yes
    192.168.10.11   eth0:3   172.16.10.11   yes   yes

policy:

    # from LAN
    loc     v1234   ACCEPT
    loc     v1235   ACCEPT
    loc     $FW     ACCEPT
    loc     all     REJECT
    # from firewall
    $FW     v1234   REJECT
    $FW     v1235   REJECT
    $FW     loc     REJECT
    $FW     all     REJECT
    # from VLANs
    v1234   v1235   DROP
    v1234   loc     ACCEPT
    v1234   $FW     DROP
    v1234   all     DROP
    v1235   v1234   DROP
    v1235   loc     ACCEPT
    v1235   $FW     DROP
    v1235   all     DROP

now, my main problem: probably i have to set up 10 or up to 100 VLANs. i don't want to add them all manually to the config, especially since the iptables rules will be blown up. so there is a method to match all VLANs with one line:

    vlan    eth0.+   detect

but now the VLANs are handled as one zone (interface), so there is my problem. without the routeback option, i can only ping the VLAN internal IPs, i.e. from 172.16.10.2 to 172.16.10.3 or from 172.16.10.10 to 172.16.10.11, but nowhere else, because there is only one big vlan zone/interface. so i have to put in the routeback option, which causes having access to all IPs:
172.16.10.2 can ping 172.16.10.10 (in the other VLAN), but i only want to use the external IPs to get access between different VLANs. is there any way to set up such an environment without having 100 zones and interfaces if i have 100 VLANs?

thank you
felix
<<attachment: vlans_shorewall_clear_small.jpg>>
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
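The per-VLAN config pattern from the post (one zone per VLAN with routeback, one-to-one NAT per host on an eth0:N alias, inter-VLAN traffic dropped, catch-all policies last) can be generated instead of typed by hand for 10 or 100 VLANs. The following is an added example, not code from the post or from Shorewall; the host list format (vlan-id, external IP, internal IP) and the alias numbering in list order are assumptions of this script.

```shell
#!/bin/sh
# Generate Shorewall interfaces/zones/nat/policy fragments for many VLANs,
# following the per-VLAN pattern from the post. Review the output before
# copying it into /etc/shorewall.
# Constructed host list (assumed format): "<vlan-id> <external-ip> <internal-ip>"
HOSTS='1234 192.168.10.2 172.16.10.2
1234 192.168.10.3 172.16.10.3
1235 192.168.10.10 172.16.10.10
1235 192.168.10.11 172.16.10.11'

# gen_shorewall_vlans <outdir> <parent-iface> <host-list>
gen_shorewall_vlans() {
  outdir=$1; parent=$2; hosts=$3
  mkdir -p "$outdir"
  printf 'fw firewall\nloc ipv4\n' > "$outdir/zones"
  printf 'loc %s detect\n' "$parent" > "$outdir/interfaces"
  # nat: one parent:N alias per host, numbered 0,1,2,... in list order (assumed)
  printf '%s\n' "$hosts" | awk -v p="$parent" 'NF == 3 {
      printf "%s %s:%d %s yes yes\n", $2, p, n++, $3 }' > "$outdir/nat"
  # policy: first match wins, so VLAN-specific lines go before the catch-alls
  printf 'loc $FW ACCEPT\n' > "$outdir/policy"
  # one zone, one routeback interface and one policy group per distinct VLAN id
  printf '%s\n' "$hosts" | awk 'NF == 3 && !seen[$1]++ { print $1 }' |
  while read -r vid; do
    printf 'v%s ipv4\n' "$vid" >> "$outdir/zones"
    printf 'v%s %s.%s detect routeback\n' "$vid" "$parent" "$vid" >> "$outdir/interfaces"
    printf 'loc v%s ACCEPT\n$FW v%s REJECT\nv%s loc ACCEPT\nv%s $FW DROP\nv%s all DROP\n' \
      "$vid" "$vid" "$vid" "$vid" "$vid" >> "$outdir/policy"
  done
  printf 'loc all REJECT\n$FW all REJECT\n' >> "$outdir/policy"
}

gen_shorewall_vlans "${OUTDIR:-./shorewall-vlans}" eth0 "$HOSTS"
```

Each "vNNNN all DROP" line covers the explicit VLAN-to-VLAN DROP pairs of the post, so the policy file grows linearly rather than quadratically with the number of VLANs.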
