IP Cop vs Smoothwall

  • IP Cop vs Smoothwall

    I need to build a router out of a 700MHz PC with 2 NICs. I have no experience doing this. I have moderate Linux skills. Should I go with IP Cop or Smoothwall? Why?




  • #2
    anyone?



    • #3
      Originally posted by Kooldino
      anyone?
      I've used Smoothwall - easy to set up, community support is quite good.
      I had to change some files within it to cope with our weird network, but for most people everything should be configurable through your web browser.

      As standard it only firewalls in one direction, but there is a mod to make it restrict outgoing traffic, too.

      I can't remember why I chose Smoothwall over ipcop but there was a good reason at the time.



      • #4
        I'll put in a vote for smoothwall, but only because it was the first one to come across my path when I set up the machine. Very easy to set up and I've hardly had to fiddle with it.

        Uberlad
        -------------------------
        8 out of 10 women say they would feel no qualms about hitting a man.
        5 out of 10 referred to me by name.



        • #5
          I've used Smoothwall following suggestions on here. It's been iron-clad. Was great cos I needed two separate LANs to share a net connection without being able to see each other. It only runs DHCP on one LAN though, but this isn't normally a problem.
          FT.



          • #6
            Hey, my friend beat me to you guys and pushed me to try IPCop, so I did.

            However, it's not working 100%.

            I have a 172 network and a 192 network.

            The router is obviously on both networks, with 2 lan cards.

            The GREEN network is the 192 network.
            The RED network is the 172 network.

            I didn't do anything fancy to the configuration.

            192 computers can see the router (named Rizzo), and they can also see the 172 computers.
            The 172 computers can see the 172 side of Rizzo, but can't see anything past that.

            I checked the routing tables, and they appear identical to the old Red Hat box that it's replacing, with the exception of the eth0 and eth1 being switched in the routing tables.

            If I flip around the network cables into Rizzo, it doesn't seem to work right.

            Any ideas?



            • #7
              I haven't used IP-COP, but that sounds like the behaviour you would expect of Smoothwall. Green is the local LAN, Red is the internet...
              FT.



              • #8
                Right...so did I do something wrong? I mean, I want red to be the outside network, but not necessarily the internet.



                • #9
                  There is a firewall from red to green, which is what is causing your problem.

                  Maybe if you stuck another card in and connected your networks to either orange and green, or maybe red and orange, you could get it working that way. I think as default orange and green are separated by the firewall, but I think this can be turned off.

                  If it worked Orange and Green, that would be easier as then the Green network machines could (still) admin the ipcop box.



                  • #10
                    Yeah, I just realized this.

                    I wonder if I can run an Orange/Green network only?



                    • #11
                      Well, I set it up so I'm running Orange + Green + (red is the modem) without the red. So essentially an Orange + Green.

                      It STILL won't work. From the Orange network, I can ping RIZZO, and from the Green network I can ping a machine on the orange network, but an orange machine can't see any greens. What gives?



                      • #12
                        Looks like you're a little confused about the products you're using. IPCop and Smoothwall are firewalls, with preconfigured rulesets to protect the networks you set up. Looks like you just need a router. IPCop gives you the options of setting up 4 networks:

                        GREEN: your internal network, this is protected from all other networks, and can go anywhere

                        ORANGE: this is your "DMZ", or the network where your internet accessible machines(web servers, mail servers, etc.) will sit

                        BLUE: this is a new network for wireless, this is isolated to just internet access, the main reason for this is the unsecure nature of most home wireless devices

                        RED: the internet interface - this network can *never* access *any* of your internal networks without explicit rules to allow it (incoming port forwarding or routes to the DMZ)


                        If you take a look at the default iptables for a GREEN+ORANGE+RED the rules look like this:

                        Code:
                        Source    Destination      Action    Protocols
                        ------    -----------      ------    ---------
                        GREEN     ALL              ACCEPT    ALL
                        ORANGE    INTERNET(RED)    ACCEPT    http, dns, etc.
                        ALL       GREEN            DENY      ALL
                        ALL       ALL              DENY      ALL (cleanup rule)
                        If you just want to route traffic between your 192/172 networks with no rules/policies, set up a Linux/FBSD box that routes the traffic back and forth w/o applying iptables rules. You can set up access to the green network from other networks using "Port Forwarding (GREEN/ORANGE from RED)" or "DMZ Pinholes" (ORANGE to GREEN).

                        p.s. I'm the friend who "pushed" him to IPCop
                        Last edited by shftleft; 24 August 2005, 11:53.
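
The default table in post #12, modelled as a first-match evaluator with an exact-match DMZ pinhole. This is an added example, not code from the thread or from IPCop: the subnets, host addresses, service subset and the pinhole are constructed, pinholes are assumed to be checked before the default rules, and only new connections are considered.

```python
import ipaddress
from typing import NamedTuple

# Constructed addressing; the thread only says "192 network" and "172 network".
ZONES = {
    "GREEN": ipaddress.ip_network("192.168.1.0/24"),
    "ORANGE": ipaddress.ip_network("172.16.0.0/24"),
}

# Constructed subset standing in for the table's "http, dns, etc."
ORANGE_OUT = {("tcp", 80), ("udp", 53)}


class Pinhole(NamedTuple):
    src: str    # one ORANGE host
    dst: str    # one GREEN host
    proto: str
    port: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything not internal counts as RED."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "RED"


def decide(src, dst, proto, port, pinholes=()):
    """Return the action for a NEW connection, first matching rule wins."""
    s, d = zone_of(src), zone_of(dst)
    # A pinhole opens one port between two specific hosts, nothing wider.
    if s == "ORANGE" and d == "GREEN":
        for p in pinholes:
            if (src, dst, proto, port) == p:
                return "ACCEPT (pinhole)"
    if s == "GREEN":                       # GREEN -> ALL
        return "ACCEPT"
    if s == "ORANGE" and d == "RED" and (proto, port) in ORANGE_OUT:
        return "ACCEPT"                    # ORANGE -> INTERNET(RED)
    if d == "GREEN":                       # ALL -> GREEN
        return "DENY"
    return "DENY (cleanup)"                # ALL -> ALL
```

Running it with and without the pinhole reproduces the asymmetry described in posts #6 and #11: GREEN reaches ORANGE, while ORANGE reaches GREEN only for the exact host, protocol and port the pinhole names.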



                        • #13
                          I already tried both DMZ Pinholes and the Port Forwarding. Neither worked.

                          The machines on either side of Rizzo are set to route via Rizzo to the other network.



                          • #14
                            Your pinholes are not set up correctly from Orange to Green. Remember the pinholes are just that: they are ports opened to SPECIFIC IP addresses. IPTables can be funny that way.

                            For more on this subject take a look at one of the many topics on the subject Here.

                            I just grabbed the first topic from the list dealing with Orange Here.
                            Hey, Donny! We got us a German who wants to die for his country... Oblige him. - Lt. Aldo Raine



                            • #15
                              Originally posted by MultimediaMan
                              Your pinholes are not set up correctly from Orange to Green. Remember the pinholes are just that: they are ports opened to SPECIFIC IP addresses. IPTables can be funny that way.
                              Well, at first I tried a range, and later I tried a specific machine on each side. It STILL wouldn't work.
