March 9, 2011 at 1:47 pm #42897
I need some assistance with configuring my firewall and QoS shaping. I have working solutions for either of those two things but I just can’t figure out how to get them working simultaneously.
What I have
– A Box with four network interfaces running Zeroshell 1.0beta14 (1xWAN, 3xLAN)
– A manageable switch supporting vlans (Cisco SLM224G)
– A DSL modem (actually, it’s a 4 port “DSL router” but it’s only connected to one of the Zeroshell interfaces which I refer to as WAN interface)
– An ADSL line which, due to the physical condition of the line, is limited to 6139/768kbit/s.
– Three independent LANs
What I want to do with that
– All three LANs should have Internet access
– Each of those networks (and services on them) should be granted different bandwidths and priorities, respectively
– Traffic between those three LANs should be limited to certain layer 7 protocols/ports (or be blocked completely which means that each of the three LANs is allowed to connect to the Internet but not to each other.)
What I have tried
1. Used each of the three LAN interfaces of the Zeroshell box for one separate LAN. Those were separated by distinct IP ranges. Enabled NAT. Everything worked fine except inbound shaping, as QoS can only be applied to outgoing traffic on an interface; inbound traffic, however, was distributed over three interfaces. Everything else worked fine.
2. Same as above, but created a bridge over those interfaces. (For some weird reason the bridge refused to work with three interfaces.) I added the QoS classes for incoming traffic to the new bridge interface. Voilà, shaping works pretty fine now, but, unfortunately, iptables cannot tell the three interfaces apart. Actually, iptables just ignores any filter by interface other than BRIDGE00. Still, I can filter by IP, but that means that a user can switch from one of the LANs to another just by changing the IP address of his machine. So this attempt failed as well.
3. I used only one LAN interface of the Zeroshell box to connect to the three LANs and configured the switch to add a VLAN tag on incoming traffic. I created three different VLANs on the LAN interface and enabled NAT. The result was quite similar to that of my first attempt. I tried to attach packets to a certain QoS class by matching the VLAN, which, unfortunately, did not work. Keeping the LANs separate, however, worked pretty fine.
4. Admittedly, I knew in advance that this one most probably would fail, but I just wanted to give it a try. I created a bridge with the three VLAN interfaces (that were using one physical interface as in the third attempt above). As I expected, QoS shaping worked pretty fine now. But as I had learned from my second approach, when bridging the interfaces there obviously is no way to tell traffic from different interfaces (physical or virtual) apart. The same applies here.
5. This was just an idea I had, some kind of workaround. What if I could find another way to force users into a particular LAN? I tried to configure the captive portal in such a way that users could only log in if they are connecting from the LAN (IP range) they are supposed to be in. Unfortunately, this stupid attempt failed like all the others. Apart from that, this approach would still allow users to be in the "wrong" LAN. Users could still use the bridge to access machines in other LANs. But that does not matter, as this approach failed as well.
Does anybody have any suggestions on how to get that working? I considered using dummy interfaces for filtering but I could not figure out how to create dummy interfaces in Zeroshell. When using VLANs, there still are two physical interfaces that are unused… maybe I could do something with those?
If I get that working, I will provide some good documentation for that – also because I appreciate the concept of motivating people to contribute to a free project by locking some parts for contributors. That, in my opinion, is a great concept to improve free software (and documentation). BTW, does this concept have a name?
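One way to get per-LAN filtering and inbound shaping at the same time, written here as an added example and not taken from the post or from Zeroshell: keep the three VLANs as routed subinterfaces (so iptables can match each one by interface name, and a host cannot move to another LAN by changing its address, because the switch port decides the tag), and shape inbound traffic on a single IFB device to which the WAN port's ingress is redirected, classifying by destination subnet. It assumes plain Linux tools (ip, tc, iptables) reachable from the Zeroshell shell, a kernel with the ifb, 8021q and HTB modules, eth0 as the WAN port and eth1 as the trunk to the switch; the VLAN IDs, subnets, rates, priorities and the printer exception are invented placeholders. By default the script only prints the commands it would run; invoke it with RUN= (set but empty) as root to apply them.

```shell
#!/bin/sh
# Added example, not from the forum post or from Zeroshell.
# Routed VLANs + IFB ingress shaping + per-VLAN firewall.
# Assumed: eth0 = WAN, eth1 = trunk to the switch, ifb/8021q/htb available,
# all VLAN IDs, subnets and rates below are made-up placeholders.
set -eu

WAN=eth0
LAN=eth1
IFB=ifb0
DOWN_KBIT=6139   # sync rates quoted in the post
UP_KBIT=768
# Shape slightly below the sync rate so the queue builds on this box, not in the DSLAM.
DOWN_CEIL=$((DOWN_KBIT * 90 / 100))
UP_CEIL=$((UP_KBIT * 90 / 100))
REST_KBIT=32     # leaf class for anything that matches no LAN (assumed value)

# vlan:subnet:guaranteed_down_kbit:guaranteed_up_kbit:prio  (assumed values)
LANS="10:192.168.10.0/24:2500:300:1
20:192.168.20.0/24:1500:200:2
30:192.168.30.0/24:1000:150:3"

# Dry run by default (commands are echoed). Run with RUN= (empty) as root to apply.
RUN=${RUN-echo}
run() { $RUN "$@"; }

# Guaranteed rates plus the catch-all class must fit under the ceiling,
# otherwise HTB cannot honour the guarantees. Returns non-zero if they do not.
check_budget() {
    sum_down=$REST_KBIT; sum_up=$REST_KBIT
    for entry in $LANS; do
        sum_down=$((sum_down + $(echo "$entry" | cut -d: -f3)))
        sum_up=$((sum_up + $(echo "$entry" | cut -d: -f4)))
    done
    [ "$sum_down" -le "$DOWN_CEIL" ] && [ "$sum_up" -le "$UP_CEIL" ]
}

# One routed subinterface per VLAN; the box is .1 of each /24.
setup_vlans() {
    echo "$LANS" | while IFS=: read -r vid net down up prio; do
        gw=$(echo "$net" | sed 's#\.0/24$#.1/24#')
        run ip link add link "$LAN" name "$LAN.$vid" type vlan id "$vid"
        run ip addr add "$gw" dev "$LAN.$vid"
        run ip link set "$LAN.$vid" up
    done
}

# Inbound: redirect everything arriving on WAN to ifb0 and shape it there as
# egress, classified by destination subnet (i.e. by LAN). Outbound: plain HTB
# on the WAN port, classified by source subnet. Minor class IDs are hex.
setup_shaping() {
    run modprobe ifb numifbs=1
    run ip link set "$IFB" up
    run tc qdisc add dev "$WAN" handle ffff: ingress
    run tc filter add dev "$WAN" parent ffff: protocol ip u32 match u32 0 0 \
        action mirred egress redirect dev "$IFB"
    run tc qdisc add dev "$IFB" root handle 1: htb default ff
    run tc class add dev "$IFB" parent 1: classid 1:1 htb rate "${DOWN_CEIL}kbit"
    run tc class add dev "$IFB" parent 1:1 classid 1:ff htb rate "${REST_KBIT}kbit" ceil "${DOWN_CEIL}kbit" prio 7
    run tc qdisc add dev "$WAN" root handle 2: htb default ff
    run tc class add dev "$WAN" parent 2: classid 2:1 htb rate "${UP_CEIL}kbit"
    run tc class add dev "$WAN" parent 2:1 classid 2:ff htb rate "${REST_KBIT}kbit" ceil "${UP_CEIL}kbit" prio 7
    echo "$LANS" | while IFS=: read -r vid net down up prio; do
        run tc class add dev "$IFB" parent 1:1 classid "1:$vid" htb rate "${down}kbit" ceil "${DOWN_CEIL}kbit" prio "$prio"
        run tc filter add dev "$IFB" parent 1: protocol ip prio 1 u32 match ip dst "$net" flowid "1:$vid"
        run tc class add dev "$WAN" parent 2:1 classid "2:$vid" htb rate "${up}kbit" ceil "${UP_CEIL}kbit" prio "$prio"
        run tc filter add dev "$WAN" parent 2: protocol ip prio 1 u32 match ip src "$net" flowid "2:$vid"
    done
}

# Each VLAN subinterface is a real routed interface, so iptables can match it.
# Inter-LAN traffic falls to the DROP policy unless explicitly permitted.
setup_firewall() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for entry in $LANS; do
        vid=${entry%%:*}
        net=$(echo "$entry" | cut -d: -f2)
        # anti-spoofing: only the VLAN's own subnet may enter through its interface
        run iptables -A FORWARD -i "$LAN.$vid" ! -s "$net" -j DROP
        run iptables -A FORWARD -i "$LAN.$vid" -o "$WAN" -j ACCEPT
    done
    # Assumed exception: VLAN 20 may print to a TCP/9100 printer in VLAN 10.
    run iptables -A FORWARD -i "$LAN.20" -o "$LAN.10" -p tcp --dport 9100 -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

check_budget || { echo "guaranteed rates exceed the line ceiling" >&2; exit 1; }
setup_vlans
setup_shaping
setup_firewall
```

Shaping on the IFB device acts on packets the modem has already delivered, so it only works as an inbound limiter when the ceiling sits below the line's real rate, which is why the script shapes at 90% of the sync rate. If the bridged layout from the second attempt is preferred instead, iptables can still tell bridge ports apart with the physdev match (`-m physdev --physdev-in eth1`) once `net.bridge.bridge-nf-call-iptables` is set to 1; the script above does not use that route because routed VLANs give both filtering and spoof protection with fewer moving parts.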
Aileron
January 23, 2013 at 10:15 am #51631
I wonder if things have changed in Zeroshell v2 now… I’m about to give it a try. However, the main problem is that one particular network connected to the zeroshell machine is consuming most of the available inbound WAN bandwidth. Any suggestions on how to solve this with Zeroshell?