
We have been trying to move away from a SonicWall firewall for quite some time now.

Through much Googling and many hours of trial and error, we have met with varying degrees of success through different firewall distros such as m0n0wall, Smoothwall, PFSense, Vyatta, etc.

Our current setup is an Ubuntu Server 11.04 distro running Shorewall. This has been our most successful setup thus far, but we are still having several routing issues. We have noticed several references to strange or erroneous behavior when running Shorewall on Debian-based distros, and we're wondering if this has something to do with our current problems.

Because we have had so many setups fail, we have concluded that we are doing something fundamentally wrong. So what would be a simple setup that would handle what we've outlined below?


We have three interfaces on our firewall machine:

  • eth0 (LAN): 10.10.0.0/16
  • eth1 (XO): x.x.x.178/30, gateway x.x.x.177 (routes traffic for a separate public subnet, z.z.z.z/24)
  • eth2 (Qwest): y.y.y.225/29, gateway y.y.y.230

We need to NAT traffic from z.z.z.z and y.y.y.y addresses to internal servers. But all outbound traffic needs to default to XO unless explicitly directed through the Qwest connection.


Thank you very much for your input!

miquella
  • Does this need to be done in software using a linux server? Does it need to be free software? Would you consider buying one of the many router/firewall products on the market that has built-in support for dual (or more) WAN connections, and everything you're asking here (and more)? – gregmac Jul 14 '11 at 04:40
  • You could always take the time to learn how to use ip route directly; see the [LARTC HOWTO](http://lartc.org/howto/). Firewall distros and front ends are great, I use them and recommend them, but you will be much better off if you understand the underlying tools. – Zoredache Jul 14 '11 at 07:35
  • We have no particular aversion to using a commercial product, quite the contrary, we expect to be purchasing a commercial router at some point. However, we are hesitant to do so because we cannot get this to work as is. We have even tried some of the mid-level ZyWall products in addition to all of the distros mentioned above, but all to no avail. So we are wondering if there is some fundamental piece of this that we're missing that prevents it from working? – miquella Sep 28 '11 at 21:42
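The layout described in the question, written directly in the underlying tools (ip route, ip rule and iptables, as the LARTC comment suggests). This is an added example, not code from the question, its comments or any answer, and it makes a few assumptions: the RFC 5737 documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for the question's x.x.x.x, y.y.y.y and z.z.z.z; the two published servers (a web server on the XO-routed subnet, a mail server on a Qwest address), their ports, the LAN range that is "explicitly directed" out Qwest, and the routing-table ids 100/200 are all invented for illustration. The piece that single-default-route setups usually miss is that the kernel picks the outgoing interface before SNAT runs, so a reply to a connection that came in on Qwest follows the main table's default to XO and the ISP drops it; the script fixes this with one routing table per WAN, a connection mark remembered in conntrack, and loose reverse-path filtering.

```shell
#!/bin/sh
# Added example (not from the original post): three-interface firewall with
# NAT and dual-WAN policy routing using ip route / ip rule + iptables.
# Documentation addresses (RFC 5737) stand in for the question's x/y/z:
#   XO    x.x.x.178/30 -> 192.0.2.178/30,     gw 192.0.2.177
#   Qwest y.y.y.225/29 -> 198.51.100.225/29,  gw 198.51.100.230
#   routed subnet z.z.z.0/24 -> 203.0.113.0/24
# Internal servers, ports, table ids and the "via Qwest" LAN range are assumed.
# Usage: sh dualwan.sh show   (print the commands)
#        sh dualwan.sh apply  (run them, as root, on a freshly booted box)

LAN_IF=eth0; LAN_NET=10.10.0.0/16
XO_IF=eth1;  XO_IP=192.0.2.178;    XO_GW=192.0.2.177;    XO_NET=192.0.2.176/30
QW_IF=eth2;  QW_IP=198.51.100.225; QW_GW=198.51.100.230; QW_NET=198.51.100.224/29
XO_TABLE=100; QW_TABLE=200                      # assumed table ids (fwmark 1 / 2)
WEB_PUB=203.0.113.10;    WEB_INT=10.10.1.10     # assumed: web server, XO-routed subnet
MAIL_PUB=198.51.100.226; MAIL_INT=10.10.1.25    # assumed: mail server, Qwest address
VIA_QWEST=10.10.5.0/24                          # assumed: LAN range forced out Qwest

# print the command instead of executing it when DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

routing() {
  run sysctl -q -w net.ipv4.ip_forward=1
  # loose reverse-path filtering: strict mode drops packets that arrive on a
  # WAN the main table would not have used to reach their source
  run sysctl -q -w net.ipv4.conf.all.rp_filter=2
  run sysctl -q -w net.ipv4.conf.$XO_IF.rp_filter=2
  run sysctl -q -w net.ipv4.conf.$QW_IF.rp_filter=2
  # main table: everything defaults to XO
  run ip route replace default via "$XO_GW" dev "$XO_IF"
  # each per-WAN table needs the connected routes too, otherwise LAN-bound
  # packets that hit the table would follow its default out the WAN
  for t in $XO_TABLE $QW_TABLE; do
    run ip route flush table $t
    run ip route add "$LAN_NET" dev "$LAN_IF" table $t
    run ip route add "$XO_NET"  dev "$XO_IF"  table $t
    run ip route add "$QW_NET"  dev "$QW_IF"  table $t
  done
  run ip route add default via "$XO_GW" dev "$XO_IF" table $XO_TABLE
  run ip route add default via "$QW_GW" dev "$QW_IF" table $QW_TABLE
  # packets from the firewall itself leave by the link that owns the source
  run ip rule add from "$XO_IP" table $XO_TABLE
  run ip rule add from "$QW_IP" table $QW_TABLE
  # forwarded packets follow the connection mark set in the mangle table
  run ip rule add fwmark 1 table $XO_TABLE
  run ip rule add fwmark 2 table $QW_TABLE
  run ip route flush cache
}

marking() {
  # decide the WAN once per connection and store it in conntrack, so replies
  # to DNATed inbound connections leave by the link they arrived on
  run iptables -t mangle -F PREROUTING
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
  run iptables -t mangle -A PREROUTING -i "$XO_IF" -j MARK --set-mark 1
  run iptables -t mangle -A PREROUTING -i "$QW_IF" -j MARK --set-mark 2
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$VIA_QWEST" -j MARK --set-mark 2
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j MARK --set-mark 1
  run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

nat() {
  run iptables -t nat -F
  # inbound: public address -> internal server (DNAT runs before the routing decision)
  run iptables -t nat -A PREROUTING -i "$XO_IF" -d "$WEB_PUB"  -p tcp --dport 80 -j DNAT --to-destination "$WEB_INT"
  run iptables -t nat -A PREROUTING -i "$QW_IF" -d "$MAIL_PUB" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_INT"
  # outbound: published servers keep their public address; everything else
  # takes the interface address of whichever WAN the routing decision chose
  run iptables -t nat -A POSTROUTING -o "$XO_IF" -s "$WEB_INT"  -j SNAT --to-source "$WEB_PUB"
  run iptables -t nat -A POSTROUTING -o "$QW_IF" -s "$MAIL_INT" -j SNAT --to-source "$MAIL_PUB"
  run iptables -t nat -A POSTROUTING -o "$XO_IF" -s "$LAN_NET"  -j SNAT --to-source "$XO_IP"
  run iptables -t nat -A POSTROUTING -o "$QW_IF" -s "$LAN_NET"  -j SNAT --to-source "$QW_IP"
}

filtering() {
  run iptables -P FORWARD DROP
  run iptables -F FORWARD
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT   # only the published ports get in
}

apply_all() { routing; marking; nat; filtering; }

case "${1:-}" in
  show)  DRY_RUN=1 apply_all ;;
  apply) DRY_RUN=0 apply_all ;;
esac
```

Trace one inbound mail connection to see why the mark matters: the SYN arrives on eth2, gets connection mark 2, is DNATed to 10.10.1.25 and, via the fwmark 2 rule, is delivered over the LAN route in table 200. The server's reply comes in on eth0 with mark 2 restored from conntrack, so the same rule sends it to table 200 and out eth2 to the Qwest gateway; without the mark it would have matched the main table's default and left through XO with a Qwest source address. The script assumes a clean rule set (it flushes the tables it owns but does not delete old ip rules), and a real deployment would also restrict INPUT and log drops.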

0 Answers