Routing 2 internal LANs

We are moving from NetWare to OES2.
I have set up the SLES 11 server that we are going to be using and I am
slowly moving services over to it.

Our old NW server routed traffic between two networks and I need the new
SLES 11 server to do the same thing.

eth0 = 10.0.1.21
eth1 = 10.0.2.21

(following various bits of information I’ve gathered searching google)
I made the following changes in /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT="any eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"

so…
devices connected to eth1 can connect to everything on eth0.
devices connected to eth0 cannot connect to anything on eth1.
and that seems to make sense - this looks like a typical firewall setup,
let traffic from eth1 masquerade to eth0.

I’m not sure if I messed up a setting or went in the complete wrong
direction. Is there a simpler way to route 2 networks without using
masquerade?

I got it working

It was missing the FW_FORWARD="10.0.1.0/24,10.0.2.0/24"

Still curious if this is the right way to do this.

Steve B wrote:
[color=blue]

I’m not sure if I messed up a setting or went in the complete wrong
direction. Is there a simpler way to route 2 networks without using
masquerade?[/color]

Yes! /etc/sysconfig/SuSEfirewall2 is the correct place to make the
configuration changes but what are you trying to do?

FW_ROUTE="yes"
FW_FORWARD="10.0.1.21/24,10.0.2.21/24 10.0.2.21/24,10.0.1.21/24"

Is that what you really want?

You said:
[color=blue]

eth0 = 10.0.1.21
eth1 = 10.0.2.21

FW_DEV_EXT="any eth0"
FW_DEV_INT="eth1"[/color]

You would be permitting all traffic between your external and private
networks. Essentially, you would have no firewall.

FW_FORWARD allows you to be very specific about what is to be
forwarded. Read the comments in /etc/sysconfig/SuSEfirewall2 and be
very sure about what you are trying to accomplish.


Kevin Boyle - Knowledge Partner
If you find this post helpful and are using the web interface,
show your appreciation and click on the star below…

On 9/12/12 7:26 PM, KBOYLE wrote:[color=blue]

Steve B wrote:
[color=green]

I’m not sure if I messed up a setting or went in the complete wrong
direction. Is there a simpler way to route 2 networks without using
masquerade?[/color]

Yes! /etc/sysconfig/SuSEfirewall2 is the correct place to make the
configuration changes but what are you trying to do?

FW_ROUTE="yes"
FW_FORWARD="10.0.1.21/24,10.0.2.21/24 10.0.2.21/24,10.0.1.21/24"

Is that what you really want?

You said:
[color=green]

eth0 = 10.0.1.21
eth1 = 10.0.2.21

FW_DEV_EXT="any eth0"
FW_DEV_INT="eth1"[/color]

You would be permitting all traffic between your external and private
networks. Essentially, you would have no firewall.

FW_FORWARD allows you to be very specific about what is to be
forwarded. Read the comments in /etc/sysconfig/SuSEfirewall2 and be
very sure about what you are trying to accomplish.
[/color]

These are internal networks that need to talk to each other, not
hitting the internet.

Steve B wrote:
[color=blue]

these are internal networks that need to talk to each other - not
hitting the internet.[/color]

That should work then. You'll want IP forwarding on. You can enable it
for each NIC in the YaST network configuration.


Kevin Boyle - Knowledge Partner

On 9/12/12 9:28 PM, KBOYLE wrote:[color=blue]

Steve B wrote:
[color=green]

these are internal networks that need to talk to each other - not
hitting the internet.[/color]

That should work then. You'll want IP forwarding on. You can enable it
for each NIC in the YaST network configuration.
[/color]
Thanks

KBOYLE wrote:
[color=blue]

FW_FORWARD="10.0.1.21/24,10.0.2.21/24 10.0.2.21/24,10.0.1.21/24"[/color]

Sorry for the typo…

FW_FORWARD="10.0.1.0/24,10.0.2.0/24 10.0.2.0/24,10.0.1.0/24"

It should read: from subnet 1 to subnet 2 and from subnet 2 to subnet 1.


Kevin Boyle - Knowledge Partner

You may also have a look at www.fwbuilder.org - it makes life a lot easier when it comes to routing/firewall configuration. Way better than SuSEfirewall (IMHO).

[QUOTE=Steve B;6837]I got it working

It was missing the FW_FORWARD="10.0.1.0/24,10.0.2.0/24"

Still curious if this is the right way to do this.[/QUOTE]