On Tue, 2011-09-06 at 12:45 +0100, Simon Hobson wrote:
> Simon Matter wrote:
>
> >I'm afraid I don't really understand all details and also I don't have any
> >experience with ADSL/PPPoE stuff. But I have something using Cable here
> >which looks a bit similar so maybe you could try like so:
> >
> >on the firewall:
> >ppp0 is 192.0.2.1/32
> >eth0 is 192.168.1.1/24
> >default gw is via ppp0 (don't know exactly how this looks like with ppp)
> >
> >then do proxyarp with shorewall on the firewall:
> >192.0.2.2 eth0 ppp0
> >192.0.2.3 eth0 ppp0
> >192.0.2.4 eth0 ppp0
> >
> >now connect clients to eth0 and configure them like this (yes, I know "ip"
> >is there...):
> >
> >ifconfig eth0:
> >eth0      Link encap:Ethernet  HWaddr 00:5C:A4:4D:81:5A
> >          inet addr:192.0.2.2  Bcast:192.0.2.2  Mask:255.255.255.255
> >          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >
> >route -n:
> >Kernel IP routing table
> >Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> >0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 eth0
> >
> >Sorry if this is completely nonsense for what you try to do :)
>
> Yes it's what I'm trying to do, but from the reading I've done I'm
> not sure it'll work - and there's another restriction that comes into
> play as well.
>
> The first issue is whether proxyarp works over a PPP link

It does not.

> I'm guessing on your cable connection you just get IP packets over
> ethernet ? From what I've found, proxy-arp only works on
> ethernet-like interfaces, not PPP which doesn't have MAC addresses.
>
> The other restriction is that we cannot (in the specific case I'm
> needing to solve at the moment) change the config on some of the
> clients. Some of them are secure gateways, and getting even a simple
> change done requires change management procedures and a new security
> audit.
>
> Lastly, if done as you suggest, does this allow clients to talk to
> each other ? Eg, can 192.0.2.2 and 192.0.2.3 communicate using those
> addresses ?
>

Simon (Hobson),

The ISP is going to route all of the addresses via the pppoe address. So
simply use that same address as the firewall's local LAN address
(assuming that it is in the same IP network) and you're all set.

You're making this harder than it really is.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
