[OmniOS-discuss] networking from a zone
Jim Klimov
jimklimov at cos.ru
Sun Jan 4 11:49:09 UTC 2015
On 4 January 2015 10:42:37 CET, Michael Mounteney <gate03 at landcroft.co.uk> wrote:
>Hello, my server is running a fairly simple firewall. The machine has
>two interfaces:
>
>e1000g0 192.168.0.n/24 connected to the cable modem and the internet.
>e1000g1 192.168.1.1/24 connected to a hub and hence various client
>machines.
>
>The firewall is basically as per http://pastebin.com/4aYyZhJ8 and while
>this works well for the clients, I can't make it work for a zone. I've
>got one zone which shares the e1000g1 interface, which provides various
>internal services which I don't want visible to the outside world, but
>another zone, which shares the e1000g0 interface, I *do* want to be
>able
>to see the outside world, but it won't do much. I can ping an external
>IP address, but can't do ssh (to an IP address) or DNS for example.
>
>Any ideas ? Thanks in expectation.
>
>Michael.
>_______________________________________________
>OmniOS-discuss mailing list
>OmniOS-discuss at lists.omniti.com
>http://lists.omniti.com/mailman/listinfo/omnios-discuss
Hello, by "sharing e1000gX" you mean shared IP stacks (special case of aliases) vs. exclusive stacks (over dedicated NICs, or VNICs bound to NICs)?
For the exclusive case, you set up complete routing (i.e. default gateway) in the zone.
For the shared case, the zone's interfaces are aliases to NICs used in the GZ and use its IP routing and ARP tables. Also, by default at least in older OpenSolaris IP stacks, communications within one stack bypassed L3-L2-L3 conversion and firewalls for speed and were essentially loopback comms.
In your case, the zone which 'shares' the internal e1000g1 can't use its 192.168.1.1 as a router, because the GZ does not have itself as a router, but it seems acceptable for you. Possibly comms between two zones in different subnets work already or can be enabled as that loopback bypass (maybe ipfilter ipf.conf loopback keyword had to do with that).
The zone sharing the e1000g0 interface should inherit the GZ's default route via 192.168.0.1(?) modem to the internet and so if the zone has an address in that subnet, and the modem does not filter it away (check lan/mac/acl controls of that router) - the internet should work... Just FYI, there were also less apparent 'fake router' tricks to add support for roiting a different subnet in a shared-stack LZ than what is bound to the GZ - essentially you added an address and support for that subnet on the router, and added a static entry into GZ's ARP table and another default route to the same external router with different address - then it could route an LZ too.
For debugging, you can 'snoop' in the zone owning the interface (GZ for shared, LZ for dedicated VNICs) to check what requests go out and what does or does not come back in. I did nlt look into pastebin, but maybe your GZ firewall does not allow non-icmp packets to/from the zone's IP address on the external interface, or the modem firewall may be to blame...
HTH,
//Jim
--
Typos courtesy of K-9 Mail on my Samsung Android
More information about the OmniOS-discuss
mailing list