[Shorewall-users] Design Problems for VPN/Transparent Firewall

dgilleece@optimumnetworks.com dgilleece@optimumnetworks.com
Sun, 13 Jan 2002 12:42:28 -0600 (CST)


Hi all,

I have been struggling with some architectural trade-offs, and I've hit a knowledge 
wall. I am trying to design one appliance that will act as a transparent 
router/firewall for a /25 range of legal addresses AND provide FreeS/WAN 
subnet-to-subnet tunnels for two remote networks.  Based upon the statement in the 
Shorewall doc warning against using FreeS/WAN in combination with Proxy-ARP, 
that solution seems to be off the table.  

While attempting to configure Shorewall, I came across some things that didn't 
seem sane.  Like, the fact that eth1 and eth0, while in the same subnet, needed 
to be in different zones.  The DSL router also shares that subnet, but it is 
clearly not in the loc zone.  The syntax for defining zones seems to give the 
ability to define single hosts (or lists thereof) or entire subnets, but not 
the apparent ability to do ranges of IPs.  Based upon my rusty IP networking 
skills, I get the feeling I will need to subnet my subnet further -- but I'm 
just not connecting how to do it in this scenario.  Can anyone sanity check my 
hunch, and possibly give me some pointers, if this is the case?

Any other ideas on how to skin this cat would be most welcome :)

Here's the layout:

+-------------------+
| 209.36.43.127/128 |   <==== DSL Router
+-------------------+
          |
          |
+-------------------+
| 209.36.43.126/128?|
|                   |
|                   |
| 209.36.43.???/??? |   <==== Variable length subnet mask?
+-------------------+
          |
          |
    ------+-----------+-----------+
          |           |           |
       HOST A      HOST B      HOST C    <=== Legal/Routable IPs
                                              Derived from
                                              209.36.43.128/128
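The hunch in the message (that a contiguous range of addresses has to be expressed as one or more CIDR subnets before it can be assigned to a zone) can be checked mechanically. The following is an added worked example, not code from the original post or from the Shorewall project: it takes the /25 from the layout, shows how it splits into smaller aligned blocks, converts an arbitrary first..last range into the minimal list of CIDR blocks, and then resolves which zone a given address would land in when zones are defined by subnet (most specific prefix wins). The block 209.36.43.128/25, the sub-ranges, the zone names and the interface names are assumptions chosen for illustration; the `zone iface:cidr` line format mirrors Shorewall's hosts file as I understand it and is likewise an assumption.

```python
import ipaddress

# Assumed: the poster's /25 of routable addresses. Hosts .129-.254 are usable.
LEGAL_BLOCK = "209.36.43.128/25"


def split_prefix(network, new_prefix):
    """Split a network into equal aligned sub-blocks with the given prefix length.

    e.g. a /25 split into /27s yields four blocks of 32 addresses each.
    """
    net = ipaddress.ip_network(network)
    return [str(n) for n in net.subnets(new_prefix=new_prefix)]


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks that exactly cover first..last (inclusive).

    This is the conversion a zone definition needs: a range such as .136-.191
    is not one subnet but three aligned blocks (/29, /28, /27).
    """
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def zone_of(ip, zones):
    """Resolve the zone of an address given zones as {name: [cidr, ...]}.

    When several zones' subnets contain the address, the longest prefix
    (most specific block) wins, so a hosts block nested inside the /25
    overrides the zone that covers the whole /25.
    """
    addr = ipaddress.ip_address(ip)
    best_name, best_len = None, -1
    for name, cidrs in zones.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def hosts_lines(zone, iface, cidrs):
    """Render 'zone iface:cidr' lines, one per block (assumed hosts-file layout)."""
    return ["%s\t%s:%s" % (zone, iface, c) for c in cidrs]


# Constructed layout: the DSL router side of the /25 stays in the 'net' zone,
# a range of local hosts becomes 'loc', and one /27 is reserved as 'dmz'.
LOC_BLOCKS = range_to_cidrs("209.36.43.136", "209.36.43.191")
ZONES = {
    "net": [LEGAL_BLOCK],
    "loc": LOC_BLOCKS,
    "dmz": ["209.36.43.192/27"],
}

if __name__ == "__main__":
    print("the /25 split into /27s:", split_prefix(LEGAL_BLOCK, 27))
    print("loc range as CIDR blocks:", LOC_BLOCKS)
    for line in hosts_lines("loc", "eth1", LOC_BLOCKS):
        print(line)
    for ip in ("209.36.43.150", "209.36.43.200", "209.36.43.254", "10.0.0.1"):
        print(ip, "->", zone_of(ip, ZONES))
```

The point the example makes is that a /25 cannot be carved along arbitrary host numbers: each zone boundary must fall on a block that is a power of two in size and aligned to its size, and a range that is not so aligned costs several `hosts` entries rather than one.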