Re: FORWARD chain and Interfaces

netfilter@xxxxxxxxxxxxxx wrote:
> On Sun, 22 May 2011 00:05 +0200, "Pascal Hambourg"
>>
>> How then do you know which interface of the router is connected to which
>> network?
> 
> I'm basing the router connections to the various networks by the IP
> addresses and network Addresses.

That is not enough. The virtualization system (Parallels for you) deals
only with the link (ethernet) layer, not the IP layer. You can set up
multiple IP subnets on the same link but they are not isolated.

> Sending a broadcast packet (good idea) from network B I see the packet
> show up at network A machine and on both interfaces of the firewall.  I
> even see the packets show up on network A when the firewall/router is
> turned off.

So all interfaces are connected to the same link, just as I thought.

> Both Net A and Net B are assigned IPs on two entirely
> different networks.  Obviously, this is not the expected behavior.

It is expected behaviour when all interfaces are connected to the same
link. Think as if all interfaces are connected to the same switch and
you didn't define separate VLANs.

Ideally you need to set up two separate virtual links and define which
interface is connected to which link. Other options include:

a) Use tagged VLAN interfaces (see vconfig). This requires only one
ethernet interface on the router. E.g.:
VLAN 1 for network A, machines use eth0.1
VLAN 2 for network B, machines use eth0.2

b) Set /proc/sys/net/ipv4/all/arp_ignore to 1 on the router so each
interface replies only to ARP requests for its own address. This way the
other machines will send packets only to the correct interface.

Note that these options do not provide the same level of security as
separate links.
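The two workarounds from the reply above, as an added shell example that is not part of the original thread. It assumes a Linux router with iproute2 (used here instead of vconfig), a trunk interface named eth0, and constructed placeholder addresses; DRY_RUN=1 prints the plan instead of applying it.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the 8021q module,
# iproute2, and a trunk NIC named eth0; the addresses used in the usage
# comments are constructed placeholders.
# DRY_RUN=1 prints each command instead of running it, so the change can be
# reviewed before it touches a live router.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Option a: one tagged VLAN interface per network on the router's single NIC.
# Usage: setup_vlans TRUNK "ID/CIDR" ...
#   e.g. setup_vlans eth0 1/10.0.1.1/24 2/10.0.2.1/24  (constructed addresses)
setup_vlans() {
    trunk=$1; shift
    run modprobe 8021q
    for spec in "$@"; do
        id=${spec%%/*}      # VLAN id: text before the first '/'
        addr=${spec#*/}     # router address on that VLAN, CIDR form
        run ip link add link "$trunk" name "$trunk.$id" type vlan id "$id"
        run ip addr add "$addr" dev "$trunk.$id"
        run ip link set "$trunk.$id" up
    done
}

# Option b: each interface answers ARP only for addresses configured on it, so
# hosts on the shared link learn the MAC of the interface that owns the address.
# The sysctl lives under net.ipv4.conf.all (the /proc path has a "conf" component).
set_arp_ignore() {
    run sysctl -w net.ipv4.conf.all.arp_ignore=1
}

# Check: succeeds only when arp_ignore is currently 1 on this host.
arp_ignore_ok() {
    f=/proc/sys/net/ipv4/conf/all/arp_ignore
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}
```

Neither option isolates the networks at the link layer; a host on the shared link can still see both subnets' traffic, which is why the reply calls separate virtual links the ideal fix.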

