I'm fooling around with Quagga/Shorewall at home and am wondering if what I am trying to do is possible. I will try to create an ASCII art diagram to give you a better picture of what I am trying to accomplish (and hopefully it will not look like crap):



{ TestNetwk 172.31.1.0/24 }---.1<MyFW>.1---{ HomeNetwk 172.31.254.0/24 }---.254<ISPRouter>---{ Internet }


The remaining details:
1) All the clients on the Home Network have the ISPRouter configured as the default gateway (e.g. 172.31.254.254)
2) I have a test server in the Test Network that I want to access (e.g. 172.31.1.2).
3) When I try to access the test server (i.e. 172.31.1.2) from a client computer on the home network it looks like the client is trying to access the test server via the default gateway. I want the client to access the test server via MyFW (i.e. 172.31.254.1).

Question: how can I reconfigure things such that the ISPRouter remains the default gateway for Internet requests, but MyFW is used when resources on the Test Network are to be accessed? Can the ISPRouter notify the client that the correct gateway is 172.31.254.1 for network 172.31.1.0? NOTE: I do not want to add static routing on the client side--too much hassle.

The problem you have is that your HomeNetwork systems are all on the same network, so MyFW never gets a chance to route. The only possible solution is to have ISPRouter send ICMP redirects, and it has to be told about your TestNetwork.

Clients on the TestNetwork should use MyFW as their gateway.

Dear Mr. C,

Yes, yes, wow, what you are suggesting sounds exactly what I am aiming for. Thank you I had been trying to configure Quagga and my ISP's router to exchange internal routing information with each other (no success so far. I know I could use static routes, but I wanted to play with OSPF). So am I right in thinking that if I succeed in doing this, the ISP's router will be aware of MyFW and will use ICMP redirects to point clients to MyFW when they attempt to access resources on the test network? I just want to be sure that I am not barking up the wrong tree...

Well, you really don't want to use ICMP redirects if possible.

You really want:
This creates three networks, and your FW/Router does your LAN routing, leaving the ISP router as the internet gateway.

ICMP redirects are advisory, and can be used maliciously, so are often disabled by default.

Since you don't have a routing network where routing protocols can have much impact, and because ICMP redirects are at a much lower layer, you'll not accomplish what you want.

I had a feeling that I was barking up the wrong tree. Who knows how much more time I would have wasted had I not asked for help...? I'm going to try to switch over to the more traditional, and admittedly superior, architecture that you suggested. Thanks again for your help