Hi.
If I understand correctly, you have one LAN interface but want to have 2
separate networks (zones) on it, right?
Then this will be the documentation for that scenario (by declaring the
interface as being on no zone "-" and then defining each zone's network
in the hosts file):
https://shorewall.org/Multiple_Zones.html
Be aware though that unless there's another router up ahead that
provides extra refining (e.g. you have an AP where you block the access
to your LAN network), and you just place both IP networks on the same
layer 2 channel, then Shorewall can't do anything if someone on the guest
zone changes their IP manually to match your LAN's network, because in
that case they will connect directly. Best scenario would be to use
VLANs (needs switch support for that) or separate physical interfaces.
Good luck and stay safe.

On 25/11/20 14:54, [email protected] wrote:
> Hello Justin,
>
> On Wed, Nov 25, 2020, at 6:08 AM, Justin Pryzby wrote:
>> On Wed, Nov 25, 2020 at 05:35:41AM -0800, [email protected] wrote:
>>> What Shorewall ruleset do I need to just allow this guest access to the
>>> internet but keep it isolated to its 10.16.1.X segment?
>>
>> You should look for logfile entries showing why not, and send a debugging dump
>> to the list.
>
> I was just asking for what TO do the right way. Is there documentation or
> an example on the site for that case maybe?
>
> Right now when I try to do anything from the 10.16.1.X LAN "Guest", like
> `ping 1.1.1.1` or visit any site in a browser, I don't see any logs about it at Shorewall.
> I do see logs for all the dropped traffic for the 172.16. rules.
>
> So maybe how do you turn on the logging for ALL of the 10.16.1.X traffic to
> and from the Guest machine?
>
> Dave
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
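
The layout described in the reply above (interface in zone "-", each network assigned to a zone in the hosts file), sketched as an added example that is not part of the original thread or the Shorewall documentation. The interface names `eth0`/`eth1`, the zone names, the /24 mask for the guest segment and the `LAN_CIDR` placeholder are assumptions.

```conf
# Added illustration. eth0/eth1, the zone names and the /24 guest mask
# are assumptions; LAN_CIDR is a placeholder for the real LAN network.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
guest   ipv4

# /etc/shorewall/interfaces
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0
-       eth1                    # no zone on the interface itself

# /etc/shorewall/hosts
#ZONE   HOSTS
loc     eth1:LAN_CIDR           # placeholder: the 172.16. LAN network
guest   eth1:10.16.1.0/24       # assumed mask for the 10.16.1.X segment

# /etc/shorewall/policy  (first matching line wins)
#SOURCE DEST    POLICY  LOGLEVEL
guest   net     ACCEPT  info    # log every new guest connection to the internet
guest   all     DROP    info    # guest cannot reach loc or the firewall; log attempts
loc     net     ACCEPT
all     all     REJECT  info
```

Zone membership here is decided by source address alone, which is why the reply's caveat about a guest host re-addressing itself on the shared layer 2 segment still applies. NAT for the guest network and any services the guests need from the firewall itself (DHCP, DNS) are configured separately and are not shown.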