Hi,
I have this working network configuration with two VLANs and a Linux router
with a DHCP server and Shorewall.
                ISP
                 |
                 | eth0
           |-----------|
           |           |
           | Shorewall |
           |           |
           |-----------|
                 | eth1    192.168.10.1
                 | eth1.20 192.168.20.1 (802.1Q VLAN tagging)
                 |
                 | VLAN trunk
                 |
                 | 192.168.10.254 (VLAN10 switch virtual interface)
                 | 192.168.20.254 (VLAN20 switch virtual interface)
           |-----------|
           |  Netgear  | VLAN10
           |  switch   |-------- 192.168.10.0/24
           |           |         GW 192.168.10.1
           |-----------|
                 |
                 | VLAN20
                 | 192.168.20.0/24
                 | GW 192.168.20.1
The internal physical network interface of the Shorewall box has a second
virtual interface, eth1.20, with 802.1Q VLAN tagging on. The default gateway for
the network computers is set to the Linux router. The gateway for VLAN10 is
192.168.10.1 and the gateway for VLAN20 is 192.168.20.1. With this configuration I
can access the internet and communicate between both VLANs. All communication
between VLANs goes through the Linux router.
Because my switch supports VLAN routing, I tried to use it as a router to speed
up communication between VLANs. I did these steps:
1) On the switch I turned on routing and set the default gateway to the Linux
router's primary IP address, 192.168.10.1.
2) On the network computers I changed the default gateway to the switch virtual
interface address: 192.168.10.254 for VLAN10, 192.168.20.254 for VLAN20.
With this configuration I'm able to communicate between both VLANs but cannot
access the internet. I also cannot ping from a computer in one VLAN to the IP
address of the Shorewall box in the second VLAN (ping from 192.168.10.x to
192.168.20.1) and vice versa.
My current Shorewall configuration (simplified):
/etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4

/etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     NET_IF      physical=eth0,tcpflags,nosmurfs,routefilter
loc     VLAN10      physical=eth1,dhcp,tcpflags,nosmurfs,routefilter,routeback
loc     VLAN20      physical=eth1.20,dhcp,tcpflags,nosmurfs,routefilter,routeback

/etc/shorewall/snat
#ACTION             SOURCE                            DEST
SNAT(external IP)   192.168.10.0/24,192.168.20.0/24   NET_IF

/etc/shorewall/policy
#SOURCE   DEST   POLICY   LOGLEVEL
loc       net    ACCEPT
loc       $FW    ACCEPT
$FW       loc    ACCEPT
$FW       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
What should I change in my router/Shorewall configuration to be able to access
the internet from both VLANs with routing between them on the switch?
I need the second virtual interface of the Shorewall box with 802.1Q packet
tagging so that the DHCP server can distinguish which VLAN to serve an IP
address for. My switch does not provide a DHCP Relay Agent function.
Thanks,
Bohuslav
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
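One thing to check first in a setup like this is asymmetric routing: once the switch forwards to 192.168.10.1 over VLAN10, VLAN20 traffic reaches the box untagged on eth1 while the box's route back to 192.168.20.0/24 is via eth1.20, and Shorewall's routefilter interface option enables the kernel reverse-path filter, which in strict mode drops packets whose source is not reachable back through the ingress interface. The Python below is an added example, not part of the original message or of Shorewall; it models that strict check over a routing table constructed from the addresses above (the routing table, host addresses and the 203.0.113.10 internet host are assumptions) and classifies constructed flows for both gateway setups.

```python
import ipaddress

# Constructed routing table for the Shorewall box, built from the addresses in
# the message (assumption: connected routes per interface plus a default via eth0).
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("192.168.10.0/24", "eth1"),
    ("192.168.20.0/24", "eth1.20"),
]

def best_route_iface(ip, routes=ROUTES):
    """Longest-prefix match: the interface the kernel would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def strict_rp_filter(src, in_iface, routes=ROUTES):
    """rp_filter=1 (strict): accept only if the route back to src leaves via in_iface."""
    return best_route_iface(src, routes) == in_iface

def classify(flows, routes=ROUTES):
    """Return (src, dst, in_iface, verdict) for each constructed flow."""
    return [
        (src, dst, in_iface, "ACCEPT" if strict_rp_filter(src, in_iface, routes) else "DROP")
        for src, dst, in_iface in flows
    ]

# Constructed flows; 203.0.113.10 stands in for an internet host.
# Router as default gateway: each VLAN reaches the box on its own interface.
ROUTER_GW_FLOWS = [
    ("192.168.10.50", "203.0.113.10", "eth1"),
    ("192.168.20.50", "203.0.113.10", "eth1.20"),
]
# Switch as default gateway: the switch forwards to 192.168.10.1 over VLAN10, so
# VLAN20 sources arrive untagged on eth1, and a VLAN10 host pinging 192.168.20.1
# is delivered by the switch onto VLAN20, i.e. it arrives on eth1.20.
SWITCH_GW_FLOWS = [
    ("192.168.10.50", "203.0.113.10", "eth1"),
    ("192.168.20.50", "203.0.113.10", "eth1"),
    ("192.168.10.50", "192.168.20.1", "eth1.20"),
]

if __name__ == "__main__":
    for flow in classify(ROUTER_GW_FLOWS) + classify(SWITCH_GW_FLOWS):
        print("%-15s -> %-15s in %-7s %s" % flow)
```

Loose mode (rp_filter=2) only requires that the source be routable via some interface, which the model can express as best_route_iface(src) is not None.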