routing 2 internal LANS



Steve B
12-Sep-2012, 18:28
We are moving from NetWare to OES2.
I have set up the SLES 11 server that we are going to be using and I am
slowly moving services over to it.

Our old NW server routed traffic between two networks and I need the new
SLES 11 server to do the same thing.

eth0 = 10.0.1.21
eth1 = 10.0.2.21

(following various bits of information I've gathered searching google)
I made the following changes in /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT="any eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"

so...
devices connected to eth1 can connect to everything on eth0.
devices connected to eth0 cannot connect to anything on eth1.
and that seems to make sense - this looks like a typical firewall setup,
let traffic from eth1 masquerade to eth0.

I'm not sure if I messed up a setting or went in the complete wrong
direction. Is there a simpler way to route 2 networks without using
masquerade?

Steve B
12-Sep-2012, 20:31
I got it working

it was missing the FW_FORWARD="10.0.1.0/24,10.0.2.0/24"

still curious if this is the right way to do this

KBOYLE
13-Sep-2012, 01:26
Steve B wrote:

> I'm not sure if I messed up a setting or went in the complete wrong
> direction. Is there a simpler way to route 2 networks without using
> masquerade?

Yes! /etc/sysconfig/SuSEfirewall2 is the correct place to make the
configuration changes but what are you trying to do?


FW_ROUTE="yes"
FW_FORWARD="10.0.1.21/24,10.0.2.21/24 10.0.2.21/24,10.0.1.21/24"

Is that what you *really* want?

You said:

> eth0 = 10.0.1.21
> eth1 = 10.0.2.21
>
> FW_DEV_EXT="any eth0"
> FW_DEV_INT="eth1"

You would be permitting *all* traffic between your external and private
networks. Essentially, you would have no firewall.

FW_FORWARD allows you to be very specific about what is to be
forwarded. Read the comments in /etc/sysconfig/SuSEfirewall2 and be
very sure about what you are trying to accomplish.

--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are using the web interface,
show your appreciation and click on the star below...

Steve B
13-Sep-2012, 02:15
On 9/12/12 7:26 PM, KBOYLE wrote:
> Steve B wrote:
>
>> I'm not sure if I messed up a setting or went in the complete wrong
>> direction. Is there a simpler way to route 2 networks without using
>> masquerade?
>
> Yes! /etc/sysconfig/SuSEfirewall2 is the correct place to make the
> configuration changes but what are you trying to do?
>
>
> FW_ROUTE="yes"
> FW_FORWARD="10.0.1.21/24,10.0.2.21/24 10.0.2.21/24,10.0.1.21/24"
>
> Is that what you *really* want?
>
> You said:
>
>> eth0 = 10.0.1.21
>> eth1 = 10.0.2.21
>>
>> FW_DEV_EXT="any eth0"
>> FW_DEV_INT="eth1"
>
> You would be permitting *all* traffic between your external and private
> networks. Essentially, you would have no firewall.
>
> FW_FORWARD allows you to be very specific about what is to be
> forwarded. Read the comments in /etc/sysconfig/SuSEfirewall2 and be
> very sure about what you are trying to accomplish.
>

these are internal networks that need to talk to each other - not
hitting the internet.

KBOYLE
13-Sep-2012, 03:28
Steve B wrote:

> these are internal networks that need to talk to each other - not
> hitting the internet.

That should work then. You'll want IP forwarding on. You can enable it
for each NIC in the YaST network configuration.


Steve B
13-Sep-2012, 03:56
On 9/12/12 9:28 PM, KBOYLE wrote:
> Steve B wrote:
>
>> these are internal networks that need to talk to each other - not
>> hitting the internet.
>
> That should work then. You'll want IP forwarding on. You can enable it
> for each nic in the YaST network configuration.
>
Thanks

KBOYLE
13-Sep-2012, 07:02
KBOYLE wrote:

> FW_FORWARD="10.0.1.21/24,10.0.2.21/24 10.0.2.21/24,10.0.1.21/24"

Sorry for the typo...

FW_FORWARD="10.0.1.0/24,10.0.2.0/24 10.0.2.0/24,10.0.1.0/24"

It should read: from subnet 1 to subnet 2 and from subnet 2 to subnet 1.

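A small check script for the FW_FORWARD value discussed in this thread. It is an added example, not something posted in the thread and not part of SuSEfirewall2; it assumes the entry format documented in the comments of /etc/sysconfig/SuSEfirewall2 (space-separated "source-net,dest-net[,protocol[,port]]") and flags the two mistakes that came up above: a host address written where the network address belongs (10.0.1.21/24 instead of 10.0.1.0/24) and a pair listed in only one direction. The sample values it runs on are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a SuSEfirewall2
# FW_FORWARD value before writing it to /etc/sysconfig/SuSEfirewall2.
# Assumed entry format: "source-net,dest-net[,protocol[,port]]",
# space separated, as described in the file's own comments.

# Dotted quad -> unsigned 32-bit integer (e.g. 10.0.1.21 -> 167772437).
ip2int() {
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when the address part of a CIDR has host bits set, i.e. the
# entry names a host (10.0.1.21/24) instead of its network (10.0.1.0/24).
host_bits_set() {
  _ip=${1%/*}
  _prefix=${1#*/}
  [ "$_prefix" = "$1" ] && _prefix=32          # bare address: treat as /32
  _mask=$(( _prefix == 0 ? 0 : (0xFFFFFFFF << (32 - _prefix)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$_ip") & ~_mask & 0xFFFFFFFF )) -ne 0 ]
}

# Kernel side of what KBOYLE mentions: the box routes nothing unless
# IP forwarding is on, whatever the firewall rules permit.
ip_forward_enabled() {
  [ -r /proc/sys/net/ipv4/ip_forward ] &&
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Check every entry in a FW_FORWARD string. Prints one line per finding
# and returns the number of findings, so 0 means the value looks right.
fw_forward_check() {
  _value=$1
  _problems=0
  for _entry in $_value; do
    _ifs=$IFS; IFS=,
    set -- $_entry
    IFS=$_ifs
    _src=$1; _dst=$2
    if [ -z "$_src" ] || [ -z "$_dst" ]; then
      echo "malformed entry '$_entry': need source-net,dest-net"
      _problems=$((_problems + 1))
      continue
    fi
    for _net in "$_src" "$_dst"; do
      if host_bits_set "$_net"; then
        echo "host bits set in '$_net' (entry '$_entry'): use the network address"
        _problems=$((_problems + 1))
      fi
    done
    # Is the reverse pair listed as well? KBOYLE's corrected line has both
    # directions so that either subnet can open connections to the other.
    _found=0
    for _other in $_value; do
      _ifs=$IFS; IFS=,
      set -- $_other
      IFS=$_ifs
      [ "$1" = "$_dst" ] && [ "$2" = "$_src" ] && _found=1
    done
    if [ "$_found" -eq 0 ]; then
      echo "no reverse entry for '$_entry': add $_dst,$_src if hosts on $_dst must initiate too"
      _problems=$((_problems + 1))
    fi
  done
  return $_problems
}

# Usage: the corrected value from the thread versus the mistyped one.
for _v in "10.0.1.0/24,10.0.2.0/24 10.0.2.0/24,10.0.1.0/24" \
          "10.0.1.21/24,10.0.2.21/24 10.0.2.21/24,10.0.1.21/24"; do
  if fw_forward_check "$_v"; then
    echo "OK:  FW_FORWARD=\"$_v\""
  else
    echo "FIX: FW_FORWARD=\"$_v\""
  fi
done
```

The point of the host-bits check is that the firewall only forwards what FW_FORWARD names, so a rule written against a host address rather than the subnet does not describe what you think it does; running the script on a candidate value before `rcSuSEfirewall2 restart` costs nothing and catches exactly the slip that was made above.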

Simeonof
17-Sep-2012, 11:02
You may also have a look at www.fwbuilder.org - makes life a lot easier when it comes to routing/firewall configuration. Way better than SuSEfirewall (IMHO).
