shorewall-users April 2012 archive

[Shorewall-users] Multiple internal interfaces

From: Orion Poplawski <orion_at_nospam>
Date: Thu Apr 12 2012 - 17:57:58 GMT
To: Shorewall Users <shorewall-users@lists.sourceforge.net>

Running shorewall 4.4.23.3. I'm trying to add another internal interface to
my firewall to segregate visitors onto. Our current internal network is
10.10.0.0/16 on interface em1. The visitor interface is 10.11.0.0/24 on
interface p1p1:

2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
      link/ether 00:b0:d0:df:e3:1d brd ff:ff:ff:ff:ff:ff
      inet 10.10.0.1/16 brd 10.10.255.255 scope global em1
      inet6 fe80::2b0:d0ff:fedf:e31d/64 scope link
         valid_lft forever preferred_lft forever

4: p1p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
      link/ether 00:90:27:9d:49:63 brd ff:ff:ff:ff:ff:ff
      inet 10.11.0.1/24 brd 10.11.0.255 scope global p1p1
      inet6 fe80::290:27ff:fe9d:4963/64 scope link
         valid_lft forever preferred_lft forever

I added a visit zone and have set up some rules and policy.

The first issue I'm seeing though is that traffic from 10.10. to 10.11.1 is
going out the p2p2 interface which is our default route to the internet:

listening on p2p2, link-type EN10MB (Ethernet), capture size 65535 bytes
10:51:24.773229 IP 4.28.99.98.47728 > 10.11.0.2.http: Flags [S], seq 1735808391, win 14600, options [mss 1460,sackOK,TS val 266593917 ecr 0,nop,wscale 4], length 0

# ip route
default via 4.28.99.97 dev p2p2
4.28.99.96/30 dev p2p2 proto kernel scope link src 4.28.99.98
4.28.99.97 dev p2p2 scope link src 4.28.99.98
4.28.99.160/27 dev em2 proto kernel scope link src 4.28.99.161
10.10.0.0/16 dev em1 proto kernel scope link src 10.10.0.1
10.11.0.0/24 dev p1p1 proto kernel scope link src 10.11.0.1
65.44.101.160/27 dev p2p1 proto kernel scope link src 65.44.101.162
65.44.101.161 dev p2p1 scope link src 65.44.101.162
65.44.101.179 dev em2 scope link
65.44.101.180 dev em2 scope link
65.44.101.182 dev em2 scope link
65.44.101.184 dev em2 scope link
65.44.101.187 dev em2 scope link
65.44.101.190 dev em2 scope link
169.254.0.0/16 dev em1 scope link metric 1002
169.254.0.0/16 dev em2 scope link metric 1003
169.254.0.0/16 dev p1p1 scope link metric 1004
169.254.0.0/16 dev p2p1 scope link metric 1005
169.254.0.0/16 dev p2p2 scope link metric 1006
192.168.201.0/29 dev em2 proto kernel scope link src 192.168.201.1

Shouldn't the route of 10.11.0.0/24 dev p1p1 send traffic there?

I first thought it was the masq setting and so did:

p2p2:!10.0.0.0/8 10.0.0.0/8 4.28.99.98

but it still routes it out p2p2:

11:22:02.561155 IP 10.10.20.2.53011 > 10.11.0.2.http: Flags [S], seq 2539220996, win 14600, options [mss 1460,sackOK,TS val 268431706 ecr 0,nop,wscale 4], length 0

Dump is attached.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion@nwra.com
Boulder, CO 80301                   http://www.nwra.com
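An added example, not part of Orion's message and not Shorewall code: a small longest-prefix-match lookup in Python over the `ip route` output quoted in the message (trimmed to the relevant lines, embedded here as constructed input). It shows what the main table by itself decides for the destinations in the two captures, 10.11.0.2 via p1p1 and an Internet address via p2p2, which is a useful first check before looking elsewhere; it models only the main table, not the policy-routing rules (`ip rule`) that the kernel consults before any table.

```python
import ipaddress

# Constructed input: the main-table lines from the `ip route` output in the message.
IP_ROUTE_OUTPUT = """\
default via 4.28.99.97 dev p2p2
4.28.99.96/30 dev p2p2 proto kernel scope link src 4.28.99.98
4.28.99.97 dev p2p2 scope link src 4.28.99.98
10.10.0.0/16 dev em1 proto kernel scope link src 10.10.0.1
10.11.0.0/24 dev p1p1 proto kernel scope link src 10.11.0.1
169.254.0.0/16 dev em1 scope link metric 1002
169.254.0.0/16 dev p1p1 scope link metric 1004
169.254.0.0/16 dev p2p2 scope link metric 1006
"""


def parse_routes(text):
    """Turn `ip route` lines into (network, dev, via, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = fields[0]
        # "default" is 0.0.0.0/0; a bare host route such as "4.28.99.97" parses as /32.
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        dev = via = None
        metric = 0
        for i, tok in enumerate(fields):
            if tok == "dev":
                dev = fields[i + 1]
            elif tok == "via":
                via = fields[i + 1]
            elif tok == "metric":
                metric = int(fields[i + 1])
        routes.append((net, dev, via, metric))
    return routes


def lookup(routes, dst):
    """Main-table selection: longest matching prefix wins, lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    net, dev, via, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return {"prefix": str(net), "dev": dev, "via": via}


ROUTES = parse_routes(IP_ROUTE_OUTPUT)

if __name__ == "__main__":
    for dst in ("10.11.0.2", "10.10.20.2", "4.28.99.97", "8.8.8.8"):
        print(dst, "->", lookup(ROUTES, dst))
```

If this lookup and the live `ip route get 10.11.0.2` disagree with what tcpdump shows leaving p2p2, the next things to inspect are `ip rule show` and the tables it names, since a rule ahead of the main table overrides this result.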
