Namo-san n00b
Joined: 22 Sep 2005 Posts: 12
Posted: Mon Dec 05, 2005 4:26 pm Post subject: [SOLVED] Two LANs and one WAN
Network layout:
Code:
                 /---\
                 | G |
                 | e |
                 | n |
                 | t |-<eth0>---LAN1 [192.168.0.x]
                 | o |
    WAN---<eth2>-| o |
                 |   |
                 | B |-<eth1>---LAN2 [192.168.1.x]
                 | o |
                 | x |
                 \---/
What I need help with is:
- Some type of router/bridge between the 192.168.0.x and the 192.168.1.x network.
Example: 192.168.0.23 should be able to access 192.168.1.32 and the other way around.
Also I want to be able to specify what traffic, i.e. ports and so on.
Any ideas on how to do this?
Last edited by Namo-san on Wed Dec 07, 2005 6:48 pm; edited 2 times in total
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
Posted: Mon Dec 05, 2005 4:40 pm Post subject:
What is the gentoo box doing at the moment? NAT?
nevynxxx Veteran
Joined: 12 Nov 2003 Posts: 1123 Location: Manchester - UK
Posted: Mon Dec 05, 2005 4:43 pm Post subject:
Do you want them to see the internet as well?
You want to look at IP forwarding, and then iptables.
I would assume that once forwarding is on, and masquerading is on (iptables stuff), you will be able to access the internet from both nets.
Then you add some more default routes, to allow the internal networks to communicate.
Then you go about restricting what each net can do with iptables again.
Namo-san n00b
Joined: 22 Sep 2005 Posts: 12
Posted: Mon Dec 05, 2005 4:48 pm Post subject:
rev138 wrote:
> What is the gentoo box doing at the moment? NAT?
Nothing right now, and yes, it will be NAT for the internet connection later, but I know how to do that.
nevynxxx wrote:
> You want to look at IP forwarding, and then iptables.
> I would assume that once forwarding is on, and masquerading is on (iptables stuff), you will be able to access the internet from both nets.
> Then you add some more default routes, to allow the internal networks to communicate.
> Then you go about restricting what each net can do with iptables again.
It sounds like something that I am after, but how do I do this?
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
Posted: Mon Dec 05, 2005 4:52 pm Post subject:
Namo-san wrote:
> It sounds like something that I am after, but how do I do this?
If you're not experienced with iptables, your best bet is to use a front-end. The only one I have experience with is shorewall, which works very well. I know a lot of people on these forums use fireHOL, but I can't speak to it myself.
Namo-san n00b
Joined: 22 Sep 2005 Posts: 12
Posted: Mon Dec 05, 2005 4:58 pm Post subject:
Well, I know iptables somewhat, like how to set the box up as a NAT, but not the bridge/router between the LANs.
EDIT: And thanks for the tip, I will be checking it out.
Namo-san n00b
Joined: 22 Sep 2005 Posts: 12
Posted: Mon Dec 05, 2005 8:59 pm Post subject:
Well, that was not what I was looking for. Anyone who knows iptables and knows how to do this?
nevynxxx Veteran
Joined: 12 Nov 2003 Posts: 1123 Location: Manchester - UK
Posted: Tue Dec 06, 2005 11:32 am Post subject:
Google is your friend. Search for terms like bridge, forwarding, masquerading, and then tinker!!!
If you can do NAT you're mostly there. Have you got one or both networks seeing the internet?
If so, all you need now is the routing to allow the networks to see each other.
This is not an iptables thing, though you will need iptables later to limit what gets through; it is a routing thing. Google "routing howto".
rev138 l33t
Joined: 19 Jun 2003 Posts: 848 Location: Vermont, USA
bosto n00b
Joined: 06 Dec 2005 Posts: 23
Posted: Tue Dec 06, 2005 1:21 pm Post subject:
Are you sure bridging is actually necessary here?
Say you have:
Code:
    eth0 192.168.0.1/24
    eth1 192.168.1.1/24
If you want to use your box as a router you will have to have net.ipv4.conf.all.forwarding = 1; when you put both interfaces up, the kernel will also set routes for each device. All you need to do then is to set up gateways properly for each subnet: all those connected to eth0 will have to use 192.168.0.1 for gateway, those on eth1 need gateway 192.168.1.1. AFAIK, that should work. You just set the default gateway on your gentoo box through the eth2 IP address and you've got your WAN up too.
chronophobic Apprentice
Joined: 07 Mar 2005 Posts: 237 Location: Sofia, Bulgaria
Posted: Tue Dec 06, 2005 5:03 pm Post subject:
A week ago I wanted to do the same thing, except that it was 1 LAN (instead of two) and 1 WAN. Perhaps looking into the last post of
https://forums.gentoo.org/viewtopic-t-405150-highlight-.html will give you some useful links to work with. Good luck.
daeghrefn Tux's lil' helper
Joined: 02 Jan 2005 Posts: 112
Posted: Tue Dec 06, 2005 5:04 pm Post subject:
This is just my opinion, so take it with a grain of salt.
I set up a gentoo router with almost exactly the same setup you want, except instead of a third eth card, I used a wireless card with hostapd to set up a wireless segment. I also operate a VPN with OpenVPN, adding a third "logical" segment.
Because of that, I found that writing all of the tables for iptables was a daunting task, since I was filtering traffic from one interface to any other given interface very specifically. For example, only DNS, HTTP and DHCP traffic is allowed between the wired and wireless segments. Filtering all that traffic would have been more difficult with specific iptables rules than it was to put the source zone, destination zone, protocol and port into the Shorewall rules config file.
My solution was to use Shorewall, as mentioned above. The configuration files are very specific and very well documented. You can place each adapter in a "zone" and then define the rules based on the zones rather than the adapters. Each zone can have one or more adapters. Personally, it was easier to remember zones such as "lan", "wlan", "vpn", "inet", etc., rather than try like hell to remember whether eth0 was the WAN or eth1 was the WAN or whatever.
I think that Shorewall offers the best flexibility and ease, while still offering precision. There are several great howtos on Shorewall available. Unfortunately, I don't think I can post links. I used the howto on shorewall.net for Shorewall. For the OpenVPN I used the OpenVPN site and gentoo-wiki howtos. For the wireless access point I used the gentoo-wiki howtos and much googling. I can't exactly remember where I found everything, so that is why I'm mentioning it here. Below is the basic Shorewall configuration I used. If you want both LAN segments to be treated the same, just stick the second eth card into the same zone as the other LAN eth card. Then all rules will apply to both subnets. There is also a section at the bottom on how to add a wireless segment, which you could easily adapt for the second LAN subnet as well. Use your imagination.
Shorewall Basic 2 interface howto: http://www.shorewall.net/2.0/two-interface.htm
Just a piece of advice that tripped me up: don't forget to compile FTP tracking into the kernel, otherwise you'll have trouble downloading anything from an FTP site (I use FTP mirrors for portage). If you need specifics, I'll add them when I get home. I would also be willing to post my Shorewall configs if you need me to.
Personally, on the debate of bridging vs. routing, if you need filtering then I would set up routing. If you need or want no filtering between the two LAN segments, it might be easier to configure a bridge between the two, and then set up Shorewall or iptables to filter/masquerade traffic between the LAN segments and the WAN segment.
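The routing point bosto makes (forwarding on, connected routes come for free, hosts use the box's own address as gateway) and the per-port filtering between the LANs that the original poster asked for, pulled together as one added example. This is not a config from anyone in this thread; it assumes the interface names and subnets from the diagram (eth0 = LAN1, eth1 = LAN2, eth2 = WAN), uses made-up example ports (22 and 80) for the inter-LAN policy, and the DRY_RUN / show_policy convention is this script's own so the rule set can be reviewed before it is applied to a live router.

```shell
#!/bin/sh
# Added example for the two-LAN, one-WAN layout in this thread (not any
# poster's config). Interfaces and subnets follow the diagram; the ports
# allowed between the LANs (22 and 80) are an assumed example policy.
LAN1_IF=eth0; LAN1_NET=192.168.0.0/24
LAN2_IF=eth1; LAN2_NET=192.168.1.0/24
WAN_IF=eth2

# run: execute a command, or print it when DRY_RUN=1 so the whole policy
# can be read through before it touches a live box
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_policy() {
    # Routing: once eth0/eth1 are up the kernel already has connected routes
    # for both subnets, so the box only needs forwarding switched on. LAN1
    # hosts use the box's 192.168.0.x address as gateway, LAN2 hosts its
    # 192.168.1.x address; the box's own default route points out eth2.
    run sysctl -w net.ipv4.ip_forward=1

    # Default-deny for everything routed through the box, rebuilt from scratch
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING

    # Return traffic of connections that were already allowed, any direction
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Both LANs may reach the WAN; the WAN cannot open connections inward.
    # Matching on -s as well as -i also drops LAN packets with a spoofed source.
    run iptables -A FORWARD -i "$LAN1_IF" -o "$WAN_IF" -s "$LAN1_NET" -j ACCEPT
    run iptables -A FORWARD -i "$LAN2_IF" -o "$WAN_IF" -s "$LAN2_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Between the LANs only named services pass: e.g. 192.168.0.23 may reach
    # SSH and HTTP on 192.168.1.32, and LAN2 hosts may reach HTTP on LAN1.
    run iptables -A FORWARD -i "$LAN1_IF" -o "$LAN2_IF" -s "$LAN1_NET" -d "$LAN2_NET" \
        -p tcp -m multiport --dports 22,80 -j ACCEPT
    run iptables -A FORWARD -i "$LAN2_IF" -o "$LAN1_IF" -s "$LAN2_NET" -d "$LAN1_NET" \
        -p tcp --dport 80 -j ACCEPT

    # Everything else hits the DROP policy; log a sample so misconfigured
    # hosts and unexpected traffic between segments show up in syslog.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# show_policy: print the commands instead of executing them (review mode)
show_policy() (
    DRY_RUN=1
    apply_policy
)

# forward_rule_count: how many FORWARD rules the policy installs
forward_rule_count() {
    show_policy | grep -c '^iptables -A FORWARD'
}

case "${1:-}" in
    --apply) apply_policy ;;   # needs root; run only after reviewing --show
    --show|"") show_policy ;;
esac
```

Run it with no arguments (or --show) to read the generated commands; --apply installs them. The FORWARD chain is the one that matters here: INPUT/OUTPUT rules protect the box itself, but traffic between LAN1 and LAN2, or from either LAN to the WAN, only ever crosses FORWARD, which is why the default policy there is DROP and the allow rules name both interface and subnet.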
Namo-san n00b
Joined: 22 Sep 2005 Posts: 12
Posted: Wed Dec 07, 2005 5:31 pm Post subject:
nevynxxx wrote:
> If so, all you need now is the routing to allow the networks to see each other.
> This is not an iptables thing, though you will need iptables later to limit what gets through; it is a routing thing. Google "routing howto".
Thanks, this was what I was looking for, now it works really great.
And thanks to all of you who also helped me!