The Shorewall firewall is the default gateway for every host in both the lan zone (enp10s0) and the dmz zone (enp5s0).
An example host in the lan zone has these settings:

    inet 10.215.144.2/16 brd 10.215.255.255 scope global eth0
    default via 10.215.144.91 dev eth0

An example host in the dmz zone (e.g. dmz11) has these settings:

    inet 192.168.210.2 brd 192.168.210.255 scope global eth0
    default via 192.168.210.1 dev eth0

The only big difference between Configuration 1 and Configuration 2 is that while in the first (working) setup the Shorewall box's lan interface (enp10s0) is not in bridge mode and has no vlans defined, in the second (failing) setup the lan interface is a bridge with vlans.

Configuration 1:

enp10s0 has IP addresses

    10.215.144.91/32
    10.215.144.6/32
    10.215.246.91/32
    192.168.144.91/24
    10.215.145.241/32
    10.215.145.242/32
    10.215.145.81/32

and the following route entries:

    10.215.144.0/22 dev enp10s0 proto kernel scope link src 10.215.144.91 metric 1
    10.215.246.0/23 dev enp10s0 proto kernel scope link src 10.215.144.91 metric 1
    10.215.248.0/24 dev enp10s0 proto kernel scope link src 10.215.144.91 metric 1

Configuration 2:

Bridge "lanbr" bridges the interfaces "enp10s0 enp5s0.12 enp10s0.1 enp10s0.12 enp10s0.13 enp10s0.14 enp10s0.15" (where enp5s0.12 is one of the dmz interface's vlans).

lanbr has the same IP addresses and route entries as in Configuration 1.

This is basically it. I am putting in a dmz vlan interface within lanbr in Configuration 2, but I don't believe that may have any unwanted side-effects. This dmz vlan interface is only in lanbr.

Once the interfaces and zones are defined in Shorewall the rest of the rules and policies are basically the same.

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
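The point worth checking in Configuration 2 is that enp5s0.12 (a dmz VLAN) is a port of the same Linux bridge as the lan ports. Frames between ports of one bridge are switched at layer 2 and do not pass through the routed lan/dmz zone policy unless bridge netfilter is in play or the bridge ports are declared as separate zone hosts. The script below is an added example, not code from the post or from the Shorewall project: it parses `bridge link` output (a constructed sample matching the interface names above), maps each port back to its physical NIC, and reports any bridge whose ports belong to more than one zone. The NIC-to-zone table is an assumption taken from the post's description.

```python
"""
Detect Linux bridges whose member ports span NICs assigned to different
Shorewall zones.  Such a bridge forwards frames between those ports at
layer 2, so zone rules written for routed traffic are not consulted.
Sample inputs below are constructed for illustration.
"""
import re

# Constructed sample of `bridge link` output for the post's Configuration 2
# (only a subset of the lanbr ports is shown).
BRIDGE_LINK_OUTPUT = """\
3: enp10s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lanbr state forwarding priority 32 cost 4
7: enp5s0.12@enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lanbr state forwarding priority 32 cost 4
8: enp10s0.1@enp10s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lanbr state forwarding priority 32 cost 4
9: enp10s0.12@enp10s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lanbr state forwarding priority 32 cost 4
"""

# Assumed zone assignment of the physical NICs, as described in the post.
NIC_ZONE = {"enp10s0": "lan", "enp5s0": "dmz"}

# "<ifindex>: <name>: <flags> ... master <bridge> ..."
LINE_RE = re.compile(r"^\d+:\s+(?P<name>\S+):.*\bmaster\s+(?P<master>\S+)")


def parse_bridge_ports(output):
    """Return {bridge: [port name as printed, ...]} from `bridge link` output."""
    ports = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ports.setdefault(m.group("master"), []).append(m.group("name"))
    return ports


def physical_nic(port):
    """Strip the '@parent' suffix and VLAN id: 'enp5s0.12@enp5s0' -> 'enp5s0'."""
    name = port.split("@", 1)[0]
    return name.split(".", 1)[0]


def port_zones(output, nic_zone):
    """Return {bridge: {zone: [port, ...]}} using the NIC-to-zone table."""
    result = {}
    for bridge, plist in parse_bridge_ports(output).items():
        zones = result.setdefault(bridge, {})
        for port in plist:
            zone = nic_zone.get(physical_nic(port), "unknown")
            zones.setdefault(zone, []).append(port.split("@", 1)[0])
    return result


def mixed_zone_bridges(output, nic_zone):
    """Bridges whose ports come from more than one zone (the risky case)."""
    return {b: z for b, z in port_zones(output, nic_zone).items() if len(z) > 1}


if __name__ == "__main__":
    for bridge, zones in mixed_zone_bridges(BRIDGE_LINK_OUTPUT, NIC_ZONE).items():
        print(f"{bridge}: ports from several zones are bridged at L2:")
        for zone, ports in zones.items():
            print(f"  {zone}: {', '.join(ports)}")
```

On a live box, replace the constructed sample with the actual output of `bridge link`. A non-empty result means the lan/dmz policy as written for routed traffic does not cover traffic between those ports, and the bridge ports need to be treated individually in the Shorewall zone definitions.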