On 01/12/2012 07:36 AM, Stephane Bouvard wrote:
> Yes, I've read the different FAQs, and I fully understand them...
> But I cannot use proxy ARP: my hosts are dedicated servers hosted in the cloud with only one VLAN available (my hoster refuses to give more than one VLAN), and thus my two zones net & loc are connected to the same VLAN, and proxy ARP needs two separate layer 2 networks. Split DNS is not a solution either, because I do not have control over the DNS (I host customers' VPSs on my servers, my customers use their own DNS on their VPSs, and I cannot give one customer the list of domains used by the other customers).
> As I do not want loc->loc traffic to appear to originate on the firewall, I'm testing another solution that I would like to explain here, to see if you think there could be some problems I've not yet detected...
> So, to summarize:
> # net (eth0) : 188.8.131.52/24 - gateway (router of my hoster) 184.108.40.206
> # loc (eth1) : 10.1.1.0/24
> # interfaces
> net eth0 detect blacklist
> loc eth1 detect routeback
> # nat
> 220.127.116.11 eth0 10.1.1.2 no no
> 18.104.22.168 eth1 10.1.1.2 no no
> 22.214.171.124 eth0 10.1.1.3 no no
> 126.96.36.199 eth1 10.1.1.3 no no
> To explain: I declare the one-to-one rules twice, once on the net interface, as documented, but also once on the loc interface... I do *not* declare any masq rule.
> It seems to work: when 10.1.1.2 tries to reach 188.8.131.52, 10.1.1.3 receives the connection originating from 184.108.40.206, which is what I want...
> But is there any reason I should not use this method? I've not found this solution documented in the Shorewall FAQ, and thus I ask myself if I'm missing something...
There is no reason not to use your rules. But these rules do the same thing:
220.127.116.11 eth0 10.1.1.2 yes -
18.104.22.168 eth1 10.1.1.2 yes -
and are documented in FAQ 2a.
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
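For readers following the thread, here is the complete nat and interfaces layout that Tom's two-line answer corresponds to, written out in Shorewall's documented column format (EXTERNAL, INTERFACE, INTERNAL, ALL INTERFACES, LOCAL). This is an added illustration, not text from either message; the addresses are the ones quoted above, and the zone and interface names (net/eth0, loc/eth1) are assumed from Stephane's description.

```text
# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      blacklist
loc     eth1        detect      routeback

# /etc/shorewall/nat
# ALL INTERFACES = yes installs the one-to-one mapping on every interface,
# so a single entry per host replaces the pair of eth0/eth1 entries quoted
# above. LOCAL = - leaves the firewall's own outbound traffic unmapped.
#EXTERNAL        INTERFACE   INTERNAL   ALL          LOCAL
#                                       INTERFACES
220.127.116.11   eth0        10.1.1.2   yes          -
22.214.171.124   eth0        10.1.1.3   yes          -
```

The routeback option on eth1 is what allows a connection from 10.1.1.2 to a sibling host's public address to be translated and sent back out the same interface; without it, loc->loc traffic arriving on eth1 and leaving on eth1 would be dropped. No masq entry is needed, since the one-to-one nat entries already rewrite the source address of outbound traffic from those two hosts.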
Shorewall-users mailing list