[Shorewall-users] Multiple public dynamic IPs using shorewall


Sat Dec 13 09:33:00 PST 2003


Hello!

My ISP offers the use of up to 5 public but dynamic (DHCP) ip addresses and
I would like to take advantage of this offer by giving the 3 computers in my
lan public ip's to make it easier to use things like irc, p2p and online
games from the lan computers.

I've been trying for some days now without success. My initial thought was
to use proxyarp and dhcrelay, but I have been unable to get it to work as
of yet. I've been running dhcrelay like this:

dhcrelay 195.54.96.215

where 195.54.96.215 is the ip of my ISP's dhcp server (at least I think so, I
took it from the "option dhcp-server-identifier 195.54.96.215;" line in
/var/lib/dhcp/dhclient-eth1.leases)

and I have the following in my interfaces file

loc eth0 192.168.1.255 dhcp,proxyarp
net eth1 detect dhcp,norfc1918,proxyarp

which I think is all that should be needed for dhcrelay+proxyarp to work,
right? But I can't get it to work from the computers in the loc zone. I get
no error messages in /var/logs/syslog, I only get this startup message from
dhcrelay

Dec 13 15:04:42 h177n2fls24o1074 dhcrelay: Internet Software Consortium DHCP Relay Agent V3.0pl2
Dec 13 15:04:42 h177n2fls24o1074 dhcrelay: Copyright 1997-2000 Internet Software Consortium.
Dec 13 15:04:42 h177n2fls24o1074 dhcrelay: All rights reserved.
Dec 13 15:04:42 h177n2fls24o1074 dhcrelay: For info, please visit http://www.isc.org/products/DHCP
Dec 13 15:04:42 h177n2fls24o1074 dhcrelay: Listening on LPF/eth1/00:a0:24:c5:63:7a
Dec 13 15:04:42 h177n2fls24o1074 dhcrelay: Sending on   LPF/eth1/00:a0:24:c5:63:7a
Dec 13 15:04:42 h177n2fls24o1074 dhcrelay: Listening on LPF/eth0/00:80:ad:86:37:19
Dec 13 15:04:42 h177n2fls24o1074 dhcrelay: Sending on   LPF/eth0/00:80:ad:86:37:19
Dec 13 15:04:42 h177n2fls24o1074 dhcrelay: Sending on   Socket/fallback

which leads me to believe that it at least should be working. But I can't
get ip addresses for computers in the loc zone using dhcp, and as I said I
get no error messages from dhcrelay while the dhcpclient times out waiting
for a response.

I thought of trying one-to-one NAT and setting up a bunch of aliased
interfaces, but dhclient doesn't seem to want to get ip's for aliased
interfaces.

Well, on to my questions. I am supposing that I could get this to work with
one-to-one NAT if I had more physical nic's on the firewall, dhclient
should be able to get ip's for all of them I think. (my adsl modem has 4
ports, and the manual for it says that if you want to connect more to use a
hub or switch) But since I don't have any extra nic's I would like to get it
to work using a cheaper solution if possible.

Can anyone see what I'm doing wrong with my proxyarp+dhcrelay setup? Are
there extra steps that I'm missing?

Would one-to-one NAT be a possible solution, or am I making assumptions
here? I think that I would need a script to put the new ip's into the
shorewall config and restart shorewall whenever I get a new ip, but that I
think shouldn't be too hard right?

Is it possible to get dhclient to work with aliased interfaces, or is there
some other dhcp software I should be using instead?

Sorry if some of these questions aren't 100% shorewall related.

Sincerely,
Kristoffer Ekelund
