This system (Dom0) has multiple interfaces:
eth0: external
br0: internal - subnet1 (private IP connects to DomU’s)
eth3: internal
subnet2 (private IP)
subnet3 (public IP)
SuSEfirewall2 configuration
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS= private IP subnets
FW_TRUSTED_NETS= all MY subnets
FW_FORWARD= configured appropriately including subnet2 ↔ subnet3
Networking was working pretty much as expected except there was no
communication between subnet2 and subnet3. I assumed this was because
they are on the same interface and routing is -between- interfaces.
/etc/sysconfig/SuSEfirewall2 states:
## Type: string
## Default:
#
# 33.)
# Bridge interfaces without IP address
#
# Traffic on bridge interfaces like the one used by xen appears to
# enter and leave on the same interface. Add such interfaces here in
# order to install special permitting rules for them.
#
# Format: list of interface names separated by space
#
# Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING
# instead
#
# Example:
# FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
#
FW_FORWARD_ALWAYS_INOUT_DEV=""
Since FW_FORWARD_ALLOW_BRIDGING was already set to "yes", I resolved
this routing issue by setting FW_FORWARD_ALWAYS_INOUT_DEV="eth3". But
eth3 is not really a bridge and this option is deprecated. Is there
another way to make this work, other than by assigning each subnet to
its own interface, or is this configured correctly?
–
Kevin Boyle
If you find this post helpful, please click on the star below!
I haven’t done this before and also don’t know/think it’s a wise thing
to do (place the public and private IP on one interface).
In any case, for this to work I'd think you'd also need to enable
routing within the server's network configuration (as I don't see you
mentioning that).
Again, not sure but also don’t think it’s a good idea what you are
trying to do on one interface.
-Willem
–
Novell Knowledge Partner (voluntary sysop)
It ain’t anything like Harry Potter… but you gotta love the magic IT
can bring to this world
Hi Willem,
This server is the firewall -and- router (FW_ROUTE="yes"). The firewall
rules determine what gets through to where.
I was more interested in learning whether routing -between subnets on
the same interface- could be enabled other than by using a deprecated
option. Other than that, it appears to be working as expected. The issue
would still be present had I used two private subnets.
I guess I’m just learning about the limitations of SuSEfirewall2. I
suspect I’ll have to start working with iptables to implement additional
capabilities.
Thanks!
–
Kevin Boyle
If you find this post helpful, please click on the star below!
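As an added example (not from this thread and not SuSEfirewall2's own code), the plain iptables rules that do what FW_FORWARD_ALWAYS_INOUT_DEV="eth3" did here: allow forwarding only between two named subnets that both sit on eth3, so the packet enters and leaves on the same interface, and log and drop any other same-interface forwarding. The interface name and the two subnet addresses are assumptions; the script prints the rules for review unless run with the argument `apply`.

```shell
#!/bin/sh
# Added example: iptables equivalent of same-interface (hairpin) forwarding
# between two subnets on eth3. Subnet addresses are constructed placeholders.
INOUT_DEV="eth3"
SUBNET2="192.168.2.0/24"   # assumed: private subnet on eth3
SUBNET3="203.0.113.0/24"   # assumed: public subnet on eth3

# Emit the rules instead of applying them, so they can be reviewed (and
# tested) without root. Only the two named subnets may forward through
# eth3 back out of eth3; anything else bouncing off eth3 is logged and dropped.
hairpin_rules() {
    dev="$1"; a="$2"; b="$3"
    # Replies are matched by conntrack state; only new flows need explicit rules.
    echo "iptables -A FORWARD -i $dev -o $dev -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $dev -o $dev -s $a -d $b -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -i $dev -o $dev -s $b -d $a -m conntrack --ctstate NEW -j ACCEPT"
    # Everything else that enters and leaves on the same interface is visible in the log.
    echo "iptables -A FORWARD -i $dev -o $dev -j LOG --log-prefix 'FWD_INOUT_DROP '"
    echo "iptables -A FORWARD -i $dev -o $dev -j DROP"
}

# Sanity-check helper: number of ACCEPT rules in the generated set.
count_accepts() {
    hairpin_rules "$1" "$2" "$3" | grep -c -- '-j ACCEPT'
}

# Apply only on explicit request. Kernel forwarding must be on as well;
# FW_ROUTE="yes" does that for SuSEfirewall2, plain iptables does not.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    hairpin_rules "$INOUT_DEV" "$SUBNET2" "$SUBNET3" | while read -r rule; do
        eval "$rule"
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    hairpin_rules "$INOUT_DEV" "$SUBNET2" "$SUBNET3"
fi
```

The rules append to FORWARD, so on a host where SuSEfirewall2 already manages that chain they would need to be placed ahead of its reject rules or added through FW_CUSTOMRULES instead.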
Hey Kevin,
The routing switch I mean is in the network configuration… and I
thought unrelated to the SuSEfirewall, and something within the Linux
network stack itself. Now you mention it, it’s something I need to take
a closer look at
Thanks for the thanks… but it's apparent you have a better clue what
you are doing here than I have.
Cheers,
Willem
–
Novell Knowledge Partner (voluntary sysop)
It ain’t anything like Harry Potter… but you gotta love the magic IT
can bring to this world