On Nov 10, 2017, at 7:35 PM, Gonzalo Ibáñez <goniba...@hotmail.com> wrote:
> Hi all,
>
> I've a problem that may have been solved before but I can't find a solution
> through documentation nor searching on this list archive.
>
> My scenario is an Astlinux box with only an EXTINF (no LAN interface)
> directly connected to my internet router through the local LAN
> 192.168.1.0/24. I'm able to access the Astlinux box from the LAN through EXTINF by
> adding a 'Pass EXT->Local' firewall rule.
>
> The Astlinux server is running an OpenVPN server with network 10.0.0.0/24 and
> there's a remote location with LAN 192.168.2.0/24 permanently connected by
> VPN so that they can reach the local LAN 192.168.1.0/24, but the problem is I
> can't reach remote 192.168.2.0/24 from 192.168.1.0/24. 192.168.2.0/24 is
> reachable directly from the Astlinux box so I suspect the problem is related to
> NAT/Arno firewall configuration. I've tried different iptables configurations
> without success so far.
>
> Any idea?

I think I follow your setup ...

Remote 192.168.2.0/24 is routed to (OpenVPN) 10.0.0.0/24 within AstLinux which is NAT'ed to EXT 192.168.1.0/24, and the return path works via the NAT firewall state.

BTW, the default OpenVPN Server "tun0" interface is treated as an internal LAN interface, which is NAT'ed to the external interface.

For your situation, it may be better if the tun0 interface is routed to the EXT 192.168.1.0/24, but that is a little more complicated.

First, disable NAT for the tun0 interface (OpenVPN Server)
--
Add to /mnt/kd/rc.conf.d/user.conf
--
NONAT="tun0"
--

Second, the 192.168.1.0/24 network must have firewall access to the 192.168.2.0/24 network; that can be done by adding firewall rules for TCP/UDP and ICMP ...
--
Pass EXT->LAN
Source: 192.168.1.0/24
Protocol: [TCP/UDP]
Destination: 192.168.2.0/24
Port: ___ (empty for any port)
--
Pass EXT->LAN
Source: 192.168.1.0/24
Protocol: [ ICMP ]
Destination: 192.168.2.0/24
--

Now, restart the firewall via the web interface.
Finally, you need a static route telling your 192.168.1.0/24 network that the 192.168.2.0/24 network is via 192.168.1.nn (the AstLinux box external IP). Note that this route is not for AstLinux, but rather for the 192.168.1.0/24 router or a specific 192.168.1.0/24 device.

I may have missed something, not tested, but just might work :-)

Be sure to do a "ip r" on AstLinux to make sure all the routes exist you expect.

Lonnie

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
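As an added check for the "ip r" step above (example script, not from the thread or the AstLinux project): a POSIX sh snippet that verifies the routes this setup depends on against a route table. The table below is constructed; the external interface name eth0 and the tun0 peer address 10.0.0.2 are assumptions.

```shell
#!/bin/sh
# Constructed sample of `ip r` output for the setup in the thread:
# OpenVPN net 10.0.0.0/24 and remote LAN 192.168.2.0/24 via tun0,
# local LAN 192.168.1.0/24 on the external interface (assumed eth0).
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.2.0/24 via 10.0.0.2 dev tun0'

# route_dev TABLE PREFIX: print the "dev" of the route whose destination
# is exactly PREFIX; prints nothing when no such route exists.
route_dev() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# check_vpn_routes TABLE EXTIF: confirm the VPN net and the remote LAN
# leave via tun0 and the local LAN sits on EXTIF. Reports each mismatch
# on stdout and returns 1 if any route is missing or on the wrong device.
check_vpn_routes() {
    _table=$1; _extif=$2; _rc=0
    for _spec in "10.0.0.0/24=tun0" "192.168.2.0/24=tun0" "192.168.1.0/24=$_extif"; do
        _prefix=${_spec%%=*}; _want=${_spec#*=}
        _got=$(route_dev "$_table" "$_prefix")
        if [ "$_got" != "$_want" ]; then
            echo "MISSING: $_prefix should be via dev $_want (found: '${_got:-none}')"
            _rc=1
        fi
    done
    return $_rc
}

# On the AstLinux box itself you would run it against the live table:
#   check_vpn_routes "$(ip r)" eth0
```

A missing 192.168.2.0/24 route on tun0 means the OpenVPN side (not the firewall or the LAN router's static route) is where to look first.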