[Shorewall-users] Routing real external IP's on Lan

Tom Eastep teastep@shorewall.net
Sun, 21 Apr 2002 06:25:38 -0700 (PDT)


On Sun, 21 Apr 2002, Andy wrote:

> Hi All,
> 
>   I have a quick question, probably more a router issue, but seeing as I use
> shorewall I thought I would ask the list..
> 
>   I currently use shorewall to route my internal lan to the internet, but I
> will shortly be receiving 8 'real' ips.
> 
>   Therefore, my question being, can shorewall then route external IP 1, 2,
> 3, 4, 5 from ppp0 (or eth0) to the appropriate machine(s) on the internal
> LAN via
>   eth1.

Yes.

>   And, if so, I take it it can act as a firewall over the multiple ip's.
> 

Yes.

>   Probably very simple, but my head gets achey when thinking about multiple
> IP's over the one ethernet interface, well ok two interfaces, but
>   you know what I mean.
> 

It will depend on how your ISP is going to handle your 8 addresses. If
they are going to be treated as a /29 subnet then you can't use the first
and last address :-(. You would define your firewall with the second
address as the IP FOR BOTH INTERFACES then specify a subnet mask of
255.255.255.248 on eth1 (and probably 255.255.255.0 on eth1). In this
case, your /etc/shorewall/masq, /etc/shorewall/nat and
/etc/shorewall/proxyarp should all be empty.

If your ISP is just going to give you 8 IP addresses out of a larger 
subnet then you can use all 8 addresses and you will want to use Proxy 
ARP. See the Documentation and ask for help if you can't figure it out.

>   The current connection 'in' to the router is via a speedtouch usb adsl
> modem, but I'm grabbing a router asap (any recommendations?)
>

Sure -- use your Linux box; you don't need any more router than that.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
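
The two address-handling cases described in the message above, worked through as an added example that is not part of the original post. The function name plan_block and the block 192.0.2.8-192.0.2.15 (a documentation range) are constructed for illustration.

```python
import ipaddress


def plan_block(first_ip, count=8, routed_subnet=True):
    """Plan the use of `count` consecutive public addresses starting at first_ip."""
    start = ipaddress.IPv4Address(first_ip)
    block = [str(start + i) for i in range(count)]

    if not routed_subnet:
        # Addresses handed out of the ISP's larger subnet: none is lost to
        # network/broadcast, and LAN hosts are published with Proxy ARP.
        return {"mode": "proxyarp", "usable": block, "unusable": []}

    # Routed as its own subnet: the size must be a power of two and the
    # block must start on a boundary of that size.
    if count < 4 or count & (count - 1):
        raise ValueError("count must be a power of two, at least 4")
    prefix = 32 - (count.bit_length() - 1)               # 8 addresses -> /29
    net = ipaddress.ip_network(f"{first_ip}/{prefix}")   # ValueError if misaligned
    hosts = [str(h) for h in net.hosts()]
    return {
        "mode": "routed",
        "netmask": str(net.netmask),
        # First and last address are the network and broadcast addresses.
        "unusable": [str(net.network_address), str(net.broadcast_address)],
        # The second address of the block goes on the firewall itself.
        "firewall": hosts[0],
        "usable": hosts[1:],
    }


if __name__ == "__main__":
    for routed in (True, False):
        plan = plan_block("192.0.2.8", 8, routed_subnet=routed)
        print(plan["mode"])
        for key, value in plan.items():
            if key != "mode":
                print(f"  {key}: {value}")
```
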