Re: [Shorewall-users] /31 Network on Firewall

Thu, 30 Jan 2020 18:48:17 -0800 


On 1/23/20 2:03 PM, Tom Eastep wrote:

On 1/23/20 11:38 AM, Tom Eastep wrote:

On 1/23/20 10:53 AM, Eero Volotinen wrote:

https://www.google.fi/amp/s/blog.cloudtrooper.net/2017/09/19/setting-up-31-interfaces-and-bgp-on-a-centos-machine/amp/

it should work. follow the guide.


I suspect that there will be anomalies with Shorewall, however, because
both IP addresses will be broadcast addresses (one the network address
and the other the network broadcast address).

teastep@Asus:~/shorewall/web$ shorewall ipcalc 68.140.187.76/31
    CIDR=68.140.187.76/31
    NETMASK=255.255.255.254
    NETWORK=68.140.187.76
    BROADCAST=68.140.187.77
teastep@Asus:~/shorewall/web$

So, for example, the dropBcast action will drop all traffic to either
address. That can be fixed, but it will take a change to the Shorewall
code to special-case /31.

Also, the 'nosmurfs' interface option cannot be used as it will cause
all packets with the gateway address as the source IP to be dropped.


I've taken another look and the above issues should not present major
problems. There will be a minor problem in that multiple rules for
address 255.255.255.255 can be generated, because that is the broadcast
address reported by 'ip -f inet addr show'.

root@gateway:~# ip addr ls dev br2
15: br2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
UNKNOWN group default qlen 1000
     link/ether 92:45:6b:91:0e:91 brd ff:ff:ff:ff:ff:ff
     inet 172.20.4.2/31 brd 255.255.255.255 scope global br2
        valid_lft forever preferred_lft forever
     inet6 fe80::9045:6bff:fe91:e91/64 scope link
        valid_lft forever preferred_lft forever
root@gateway:~#

So please let us know if you encounter any major problem...

Thanks,

-Tom


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users



Hi there, thank you for your responses. I was unable to get it working 
in a test environment and after discussion enough with the ISP, they 
reconfigured the fiber connection and gave a /30 hand off. I am 
relieved. Thank you all.


Ryan



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users






















					Reply via email to