[KLUG Members] Multiple networks on a single switch?

Andrew Thompson members@kalamazoolinux.org
04 Mar 2003 02:50:16 -0500


On Mon, 2003-03-03 at 17:11, Bob Kanaley wrote:
> Greetings,
> 
> I want to update my trusty but dated LRP/LEAP firewall distribution to
> support modem bonding with two external dial-up modems (I can't get DSL or
> ISDN, my ISP supports dual 56K dialup for $40/month and I have an unused
> phone line.) Apparently to get this feature in PPPd, I must patch the kernel
> and run a patched version of my current PPPd or I need to update the kernel
> and use a newer PPPd.
> 
> Rather than mess around with the distro I am using, I am looking at some of
> the newer LEAP distros, some of which come with Shorewall. I was reading
> the Shorewall docs for a three interface configuration (PPP, DMZ, LOC). The
> Shorewall docs said "Do not connect more than one interface to the same hub
> or switch (even for testing). It won't work the way you expect it to and you
> will end up confused and believing that Shorewall doesn't work at all."

It will probably be easiest to understand if you have a look at this
location:

http://shorewall.sourceforge.net/shorewall_setup_guide.htm#Routed

It's section 5.1 of the Shorewall Setup Guide, which describes setup for
a routed network. You'll want to look very closely at the diagram to see
which IP addresses are where in the example. Apparently, when a machine
sends an ARP request for an IP that happens to be on the firewall but
NOT assigned to the interface connected to that zone, the firewall will
actually reply with the MAC address of the interface that IS in that
zone. When the firewall has TWO interfaces attached to the same zone,
this may then lead to a race condition where the MAC address reported
for the given IP depends on which interface catches it first. Just how
much of a problem this is I don't know. The link above should
(hopefully) explain it better.

-- 
Andrew Thompson <tempes@ameritech.net>
The Imagerie
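To make the ARP behaviour in the reply above concrete, here is a small simulation (added here, not part of the thread or of Shorewall): a host with two interfaces on one switch answers a flooded ARP request under the Linux default and under the kernel's net.ipv4.conf.*.arp_ignore=1 setting; the host, addresses and MACs are constructed.

```python
"""Simulate ARP replies from a firewall whose two interfaces share one switch.

Linux's default (arp_ignore=0) answers an ARP request for ANY local IP on
whichever interface sees it, which is what produces the race the post
describes.  arp_ignore=1 only answers on the interface that actually owns
the target IP.  Topology and addresses below are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    name: str
    mac: str
    ip: str


# Constructed firewall: two zones, but both cables end up on the same switch.
HOST = [
    Iface("eth1", "00:aa:00:00:00:01", "192.168.1.1"),  # LOC zone
    Iface("eth2", "00:aa:00:00:00:02", "192.168.2.1"),  # DMZ zone
]


def arp_replies(host, target_ip, arp_ignore=0):
    """Return (interface, MAC) pairs that answer an ARP request for target_ip.

    The switch floods the broadcast, so every interface of the host sees it.
    arp_ignore=0: reply if target_ip is any address configured on the host.
    arp_ignore=1: reply only if target_ip is configured on this interface.
    """
    local_ips = {i.ip for i in host}
    replies = []
    for iface in host:
        if arp_ignore == 0 and target_ip in local_ips:
            replies.append((iface.name, iface.mac))
        elif arp_ignore == 1 and iface.ip == target_ip:
            replies.append((iface.name, iface.mac))
    return replies


def has_arp_flux(host, target_ip, arp_ignore=0):
    """True when more than one MAC would be offered for target_ip: the client
    keeps whichever reply arrives first, so traffic may land on the wrong
    zone's interface and Shorewall's zone rules then look broken."""
    macs = {mac for _, mac in arp_replies(host, target_ip, arp_ignore)}
    return len(macs) > 1
```

On a real Linux box the equivalent is `sysctl -w net.ipv4.conf.all.arp_ignore=1`, which limits the symptom but does not remove the underlying problem of two zones sharing one broadcast domain.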