Rebuilt a firewall box a few days ago and had to use two USB NICs - performance was horrible, but everything was working:
Public
Private
DMZ
Including the static route from Private directly to the DMZ.
Replaced the two USB NICs with PCI-E today, updated the configuration, and speed is back to normal, but the “Private -> DMZ” connection is broken. Reset/set the IP Forward and Masquerading options via Yast, no change. Compared the network config files to the last backup (old system, 13.2), couldn’t spot anything obvious. The old IF names are no longer present anywhere in Yast or the config directory.
Other than the “Masquerading” option (set) and “IP Forwarding” (set), what else might affect the configuration?
The interface zones are configured in /etc/sysconfig/SuSEfirewall2
These variables are relevant as described by comments in that file…
# For firewalls that should perform routing or masquerading between
# networks the settings FW_DEV_EXT, FW_DEV_INT, FW_ROUTE, FW_MASQUERADE,
# FW_SERVICES_EXT_TCP, and maybe FW_SERVICES_ACCEPT_EXT, FW_FORWARD,
# FW_FORWARD_MASQ
## Type: string
#
# Which internal computers/networks are allowed to access the
# internet via masquerading (not via proxys on the firewall)?
Is “” now, … the backup was “0/0”, … tried “0/0” (“0/0” = unrestricted access to the internet), no difference. Private access to the Internet is fine [luckily], …
I can only suggest you do a diff on the working openSUSE 13.2 /etc/sysconfig/SuSEfirewall2 and the Leap 42.2 config. Copy it across via memory stick then do something like
Did not see anything interesting comparing the 13.2 version to the 42.2, … even tried the 13.2 version with the interface names changed - no connection Private -> DMZ.
So, … back to basics. Grabbed a virgin SuSEfirewall2 from a newly installed machine, assigned each of the three interface zones, ensured IP Forwarding was set in Network Configuration, and turned on Masquerading. NO JOY!! This is exactly what I did earlier this week; it worked just fine then, but not now.
Could there be a difference with the first version [working] using eth0, eth1, eth2, … while the current version uses eth0, p132p1, and p128p1?
Could anyone share a working 42.2 SuSEfirewall2 configuration with the three standard zones?
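As an added example (editor's code, not a config or script posted by anyone in this thread): a small bash check that reads the three-zone variables quoted above (FW_DEV_EXT/INT/DMZ, FW_ROUTE, FW_MASQUERADE, FW_FORWARD) from a SuSEfirewall2-style sysconfig file and compares the zone interfaces with the interfaces actually present on the box, which is exactly what changes when NICs are swapped and renamed. The interface names eth0, p132p1 and p128p1 are taken from the thread; the 192.168.1.0/24 and 192.168.2.0/24 networks and the two sample configs are constructed for the demo, and the FW_FORWARD warning reflects the editor's reading of the file comments quoted in this thread (plain, non-masqueraded forwarding is governed there), not a verified fix for the poster's box.

```bash
#!/bin/bash
# Added example, not from anyone in this thread: sanity-check a three-zone
# SuSEfirewall2 configuration against the interfaces that really exist.
# Assumptions: KEY="value" sysconfig format; interface names eth0/p132p1/p128p1
# (from the thread) and the 192.168.x.0/24 networks are constructed sample data.

# fw_get <file> <VAR>: value of VAR from a KEY="value" sysconfig file
# (last assignment wins, surrounding quotes stripped, empty if unset).
fw_get() {
    local val
    val=$(grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
    val=${val#\"}
    val=${val%\"}
    printf '%s\n' "$val"
}

# live_ifaces <out-file>: interface names present on this box, one per line.
# "ip -o link" prints "2: eth0: <...>"; VLAN/macvlan names carry an "@parent".
live_ifaces() {
    ip -o link show | awk -F': ' '{print $2}' | cut -d@ -f1 > "$1"
}

# fw_check <config> <iface-list-file>: print one PROBLEM:/WARN: line per
# finding; the return value is the number of PROBLEM lines (0 = consistent).
fw_check() {
    local cfg=$1 ifaces=$2 problems=0 zone dev d
    for zone in EXT INT DMZ; do
        dev=$(fw_get "$cfg" "FW_DEV_$zone")
        if [ -z "$dev" ]; then
            echo "PROBLEM: FW_DEV_$zone is empty"
            problems=$((problems + 1))
            continue
        fi
        for d in $dev; do                  # a zone may list several NICs
            [ "$d" = any ] && continue     # "any" is a keyword, not a NIC name
            if ! grep -qxF -- "$d" "$ifaces"; then
                echo "PROBLEM: FW_DEV_$zone names '$d', but no such interface exists"
                problems=$((problems + 1))
            fi
        done
    done
    if [ "$(fw_get "$cfg" FW_ROUTE)" != yes ]; then
        echo "PROBLEM: FW_ROUTE is not \"yes\"; nothing is forwarded between zones"
        problems=$((problems + 1))
    fi
    if [ "$(fw_get "$cfg" FW_MASQUERADE)" != yes ]; then
        echo "WARN: FW_MASQUERADE is not \"yes\"; INT->EXT traffic is not masqueraded"
    fi
    if [ -n "$(fw_get "$cfg" FW_DEV_DMZ)" ] && [ -z "$(fw_get "$cfg" FW_FORWARD)" ]; then
        echo "WARN: a DMZ is defined but FW_FORWARD is empty; non-masqueraded" \
             "forwarding (e.g. INT->DMZ) not covered by FW_MASQ_NETS is listed there" \
             "as src,dst[,proto[,port]] entries"
    fi
    return "$problems"
}

# check_live: check the real /etc/sysconfig/SuSEfirewall2 against "ip -o link".
check_live() {
    local ifs rc=0
    ifs=$(mktemp) || return 99
    live_ifaces "$ifs"
    fw_check /etc/sysconfig/SuSEfirewall2 "$ifs" || rc=$?
    rm -f "$ifs"
    return "$rc"
}

# check_sample <int-dev> <dmz-dev> <fw-forward>: build a constructed three-zone
# config around the given interfaces and check it against a constructed
# interface list (eth0, p132p1, p128p1 = the box after the NIC swap).
check_sample() {
    local cfg ifs rc=0
    cfg=$(mktemp) && ifs=$(mktemp) || return 99
    printf '%s\n' lo eth0 p132p1 p128p1 > "$ifs"
    cat > "$cfg" <<EOF
FW_DEV_EXT="eth0"
FW_DEV_INT="$1"
FW_DEV_DMZ="$2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.1.0/24"
FW_FORWARD="$3"
EOF
    fw_check "$cfg" "$ifs" || rc=$?
    rm -f "$cfg" "$ifs"
    return "$rc"
}

# Usage: a config that still names the old USB NICs, then a corrected one.
run_samples() {
    echo "== config still naming the USB NICs (eth1, eth2) =="
    check_sample eth1 eth2 "" || echo "-> $? problem(s)"
    echo "== corrected config =="
    check_sample p132p1 p128p1 "192.168.1.0/24,192.168.2.0/24" && echo "-> OK"
    return 0
}
run_samples
```

On the firewall itself, source the script and run `check_live`; a zone that still names eth1 or eth2 after the swap shows up as a PROBLEM line. A diff of the two config files alone, as suggested earlier in the thread, cannot catch a config that is internally consistent but points at interfaces that no longer exist, which is why the check reads the live interface list rather than the backup.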
NICs can be close but not exactly alike; small differences in the hardware may make a difference. I don’t know if that is the problem, but you must use mkinitrd to discover any new hardware. Does not hurt to try.