Hi,

I have backfire and openswan running currently, but am having a few
issues I cannot seem to easily figure out.  I have 6 IP networks, the
pppoe connection out, and an IPsec tunnel to work that stays nailed
up.  openswan is working fine when I manually start it, and I will
move it to pre/post ppp scripts when I get everything ironed out.

My first issue is that I do not want to clamp mss, so I have always
set my IP mtu to 1492 for everything behind the router.  This appears
to be working for the first 3 of my 6 interfaces, and after that they
stay at 1500.  I can manually change them with ifconfig or ip after
they are up though.  Is this something that is common, or do I have a
misconfiguration somewhere?



I am looking for more along the lines of advice about vpn though.
While I am very comfortable in linux, I am pretty new to more than
basic iptables.   I do not mind clamping mss on my encrypted stuff
since it will need to be dropped to 1380 for most things, but I have
been unsuccessful in getting it to work.  If I drop it for the whole
network, it obviously breaks all sorts of other stuff.

Everything was working nice with all of my traffic flows the way I
wanted, but when I threw vpn in the mix, and finally got it working, I
realized I had broken other things (netbooting, etc...).

I do not know how to fix-mtu without having an interface specified for
the vpn.  All of the examples I see using openvpn (not an option since
this pix is ipsec only) have an interface created that goes up and
down with the tunnel.  Should I do this for the ipsec0 interface that
is automagically created, and assign that to a firewall zone?  From
the looks of the output of the iptables command, it appears that every
possible combination of chain/target gets created whether or not it is
actually used.  If I create a zone for the ipsec0 interface, it looks
like it will automatically create the tcpmss chain for it, but is that
all it takes?

configs follow - it is eth0 to provider, and 1 trunk to my switch.  I
currently opened "incoming" as default on all of the network segments
to simplify troubleshooting.

Thanks!

-Greg

# network

# Loopback; standard, nothing router-specific.
config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

# Five LAN segments, each a bridge over one tagged VLAN of the eth1 trunk
# (switch_vlan 1-5 below).  Every one sets mtu 1492 so hosts behind the
# router fit the PPPoE path without MSS clamping; the mail reports that only
# the first three bridges actually come up at 1492 -- not verifiable from
# this file.  MGMT is the only bridge that sets stp explicitly; none of the
# five supplies a default route or peer DNS (defaultroute 0, peerdns 0).
config 'interface' 'MGMT'
        option 'proto' 'static'
        option 'type' 'bridge'
        option 'ifname' 'eth1.1'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'
        option 'stp' '0'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'mtu' '1492'

config 'interface' 'PRIVATE'
        option 'proto' 'static'
        option 'type' 'bridge'
        option 'ifname' 'eth1.2'
        option 'ipaddr' '192.168.2.1'
        option 'netmask' '255.255.255.0'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'mtu' '1492'

config 'interface' 'MEDIA'
        option 'proto' 'static'
        option 'type' 'bridge'
        option 'ifname' 'eth1.3'
        option 'ipaddr' '192.168.3.1'
        option 'netmask' '255.255.255.0'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'mtu' '1492'

config 'interface' 'VOICE'
        option 'proto' 'static'
        option 'type' 'bridge'
        option 'ifname' 'eth1.4'
        option 'ipaddr' '192.168.4.1'
        option 'netmask' '255.255.255.0'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'mtu' '1492'

# LAB is the only segment outside 192.168/16; the firewall.user rules below
# forward between this bridge (br-LAB) and the IPsec device.
config 'interface' 'LAB'
        option 'proto' 'static'
        option 'type' 'bridge'
        option 'ifname' 'eth1.5'
        option 'ipaddr' '172.17.0.1'
        option 'netmask' '255.255.255.0'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'mtu' '1492'

# WAN: PPPoE over eth0, the only interface supplying the default route and
# upstream DNS.  Credentials are masked in the paste.  mtu 1478 here is
# lower than the 1492 used on the LAN bridges -- confirm that is intended,
# since LAN hosts sized for 1492 would still exceed the uplink MTU.
config 'interface' 'INET'
        option 'ifname' 'eth0'
        option 'proto' 'pppoe'
        option 'username' '*****'
        option 'password' '*****'
        option 'defaultroute' '1'
        option 'peerdns' '1'
        option 'mtu' '1478'

# eth1 is the VLAN-capable switch behind the trunk.  Ports 0 and 4 carry
# every VLAN tagged ('0t 4t'); VLAN 3 (MEDIA) is additionally delivered
# untagged on port 3.
config 'switch' 'eth1'
        option 'name' 'eth1'
        option 'reset' '1'
        option 'enable_vlan' '1'

config 'switch_vlan'
        option 'device' 'eth1'
        option 'vlan' '1'
        option 'vid' '1'
        option 'ports' '0t 4t'

config 'switch_vlan'
        option 'device' 'eth1'
        option 'vlan' '2'
        option 'vid' '2'
        option 'ports' '0t 4t'

config 'switch_vlan'
        option 'device' 'eth1'
        option 'vlan' '3'
        option 'vid' '3'
        option 'ports' '0t 3 4t'

config 'switch_vlan'
        option 'device' 'eth1'
        option 'vlan' '4'
        option 'vid' '4'
        option 'ports' '0t 4t'

config 'switch_vlan'
        option 'device' 'eth1'
        option 'vlan' '5'
        option 'vid' '5'
        option 'ports' '0t 4t'

#wifi

# Three radios, each carrying one AP per network on PRIVATE, MEDIA and LAB
# (nine SSIDs in total); no SSID lands on MGMT or VOICE.
# No 'key' option appears on any wifi-iface -- presumably removed before
# posting; confirm, since every SSID uses a PSK encryption mode.
# radio0: 11g, channel 4, no htmode set.  Its SSIDs use psk-mixed, which
# also admits WPA/TKIP clients; the other two radios are psk2 (WPA2) only.
config 'wifi-device' 'radio0'
        option 'type' 'mac80211'
        option 'macaddr' '00:0C:42:64:B3:DE'
        list 'ht_capab' 'SHORT-GI-40'
        list 'ht_capab' 'TX-STBC'
        list 'ht_capab' 'RX-STBC1'
        list 'ht_capab' 'DSSS_CCK-40'
        option 'channel' '4'
        option 'hwmode' '11g'
        option 'country' 'US'
        option 'disabled' '0'

config 'wifi-iface'
        option 'device' 'radio0'
        option 'mode' 'ap'
        option 'ssid' 'BULLET-G'
        option 'network' 'PRIVATE'
        option 'encryption' 'psk-mixed'

config 'wifi-iface'
        option 'device' 'radio0'
        option 'mode' 'ap'
        option 'ssid' 'BULLET-G-MEDIA'
        option 'network' 'MEDIA'
        option 'encryption' 'psk-mixed'


config 'wifi-iface'
        option 'device' 'radio0'
        option 'mode' 'ap'
        option 'ssid' 'BULLET-G-LAB'
        option 'network' 'LAB'
        option 'encryption' 'psk-mixed'

# radio1: 11na, HT40+, channel 149; all three SSIDs psk2.
config 'wifi-device' 'radio1'
        option 'type' 'mac80211'
        option 'macaddr' '00:0c:42:64:b4:49'
        list 'ht_capab' 'SHORT-GI-40'
        list 'ht_capab' 'TX-STBC'
        list 'ht_capab' 'RX-STBC1'
        list 'ht_capab' 'DSSS_CCK-40'
        option 'country' 'US'
        option 'disabled' '0'
        option 'hwmode' '11na'
        option 'htmode' 'HT40+'
        option 'channel' '149'

config 'wifi-iface'
        option 'device' 'radio1'
        option 'mode' 'ap'
        option 'network' 'PRIVATE'
        option 'encryption' 'psk2'
        option 'ssid' 'BULLET-5'

config 'wifi-iface'
        option 'device' 'radio1'
        option 'mode' 'ap'
        option 'network' 'MEDIA'
        option 'encryption' 'psk2'
        option 'ssid' 'BULLET-5-MEDIA'


config 'wifi-iface'
        option 'device' 'radio1'
        option 'mode' 'ap'
        option 'network' 'LAB'
        option 'encryption' 'psk2'
        option 'ssid' 'BULLET-5-LAB'

# radio2: 11ng, HT40+, channel 6; all three SSIDs psk2.
config 'wifi-device' 'radio2'
        option 'type' 'mac80211'
        option 'macaddr' '00:0c:42:64:b3:e6'
        option 'disabled' '0'
        option 'country' 'US'
        list 'ht_capab' 'SHORT-GI-40'
        list 'ht_capab' 'TX-STBC'
        list 'ht_capab' 'RX-STBC1'
        list 'ht_capab' 'DSSS_CCK-40'
        option 'hwmode' '11ng'
        option 'htmode' 'HT40+'
        option 'channel' '6'

config 'wifi-iface'
        option 'device' 'radio2'
        option 'mode' 'ap'
        option 'ssid' 'BULLET-N'
        option 'network' 'PRIVATE'
        option 'encryption' 'psk2'

config 'wifi-iface'
        option 'device' 'radio2'
        option 'mode' 'ap'
        option 'ssid' 'BULLET-N-MEDIA'
        option 'network' 'MEDIA'
        option 'encryption' 'psk2'


config 'wifi-iface'
        option 'device' 'radio2'
        option 'mode' 'ap'
        option 'ssid' 'BULLET-N-LAB'
        option 'network' 'LAB'
        option 'encryption' 'psk2'


# firewall

# Global policy: everything out, nothing in or through unless a zone,
# forwarding section or firewall.user rule allows it.
config 'defaults'
        option 'syn_flood' '1'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'input' 'REJECT'

# Hand-written iptables rules appended to the generated ruleset; the file
# follows below (IPsec/IKE on INET, NAT bypass for RFC1918 destinations,
# and the ipsec0 <-> br-LAB forwarding that no zone covers).
config 'include'
        option 'path' '/etc/firewall.user'

# WAN zone.  input REJECT here; firewall.user then opens ESP, udp/500 and
# udp/4500 from any source.  forward is ACCEPT, unlike every LAN zone but
# LAB, and an INET -> INET forwarding section further down exists as well,
# so traffic arriving on INET may be forwarded straight back out INET
# (hairpin).  NOTE(review): how far a zone-level forward policy reaches
# (intra-zone only, or the fallback for everything leaving the zone)
# differs between firewall versions; check the chains backfire generates
# before relying on it, and whether WAN hairpinning is wanted at all.
# mtu_fix clamps MSS only for this zone; ipsec0 belongs to no zone, so the
# tunnel gets no clamping -- the open question in the mail.
config 'zone'
        option 'name' 'INET'
        option 'network' 'INET'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'masq' '1'
        option 'mtu_fix' '1'

# LAN zones: hosts may reach the router itself (input ACCEPT, opened for
# troubleshooting per the mail) and nothing is forwarded except through the
# forwarding sections below (forward REJECT).
config 'zone'
        option 'name' 'PRIVATE'
        option 'network' 'PRIVATE'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'input' 'ACCEPT'

config 'zone'
        option 'name' 'MEDIA'
        option 'network' 'MEDIA'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'input' 'ACCEPT'

config 'zone'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'input' 'ACCEPT'
        option 'name' 'VOICE'
        option 'network' 'VOICE'

config 'zone'
        option 'name' 'MGMT'
        option 'network' 'MGMT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'input' 'ACCEPT'

# Inter-zone forwarding as written (src -> dest):
#   PRIVATE -> INET, VOICE, LAB, MGMT
#   MEDIA   -> INET, MGMT         MGMT  -> INET, MEDIA
#   LAB     -> INET               VOICE -> INET
#   INET    -> INET (see the note on the INET zone)
# VOICE cannot initiate to any LAN zone and only PRIVATE can reach VOICE;
# LAB is reachable only from PRIVATE.
config 'forwarding'
        option 'src' 'PRIVATE'
        option 'dest' 'INET'

config 'forwarding'
        option 'src' 'PRIVATE'
        option 'dest' 'VOICE'

config 'forwarding'
        option 'src' 'PRIVATE'
        option 'dest' 'LAB'

# LAB zone, defined in the middle of the forwarding sections.  It has no
# 'network' option -- the firewall presumably falls back to the zone name,
# which matches interface LAB above; confirm.  forward ACCEPT makes it the
# only LAN zone with an open forward policy; it also hosts the three *-LAB
# SSIDs and the ipsec0 <-> br-LAB rules in firewall.user.
config 'zone'
        option 'name' 'LAB'
        option 'output' 'ACCEPT'
        option 'input' 'ACCEPT'
        option 'forward' 'ACCEPT'

config 'forwarding'
        option 'src' 'MEDIA'
        option 'dest' 'INET'

config 'forwarding'
        option 'dest' 'INET'
        option 'src' 'LAB'

config 'forwarding'
        option 'dest' 'INET'
        option 'src' 'MGMT'

# INET -> INET: overlaps with forward ACCEPT on the INET zone; see the note
# on that zone for why hairpin forwarding on the WAN deserves a second look.
config 'forwarding'
        option 'dest' 'INET'
        option 'src' 'INET'

config 'forwarding'
        option 'src' 'PRIVATE'
        option 'dest' 'MGMT'

config 'forwarding'
        option 'src' 'VOICE'
        option 'dest' 'INET'

config 'forwarding'
        option 'dest' 'MGMT'
        option 'src' 'MEDIA'

config 'forwarding'
        option 'src' 'MGMT'
        option 'dest' 'MEDIA'


#firewall.user

# Included from the firewall config ('config include' -> /etc/firewall.user).
#
# IKE, NAT-T and ESP are accepted on the INET zone's input chain from any
# source: none of the three rules carries an '-s' match.  If the work
# gateway has a fixed address, narrowing them to it shrinks the exposed
# surface, e.g. (replace <PEER_IP> with the remote gateway's address):
#   iptables -A input_INET -s <PEER_IP> -p esp -j ACCEPT
iptables -A input_INET -p esp -j ACCEPT # allow IPSEC
iptables -A input_INET -p udp --dport 500 -j ACCEPT # allow ISAKMP
iptables -A input_INET -p udp --dport 4500 -j ACCEPT # allow NAT-T
# ACCEPT in postrouting_rule is intended to exempt these destinations from
# masquerade so traffic entering the tunnel keeps its private source
# address.  Note it covers all of RFC1918, not just the remote VPN subnet:
# anything leaving via INET toward a private address goes out un-NATed.
iptables -t nat -A postrouting_rule -d 192.168.0.0/16 -j ACCEPT
iptables -t nat -A postrouting_rule -d 10.0.0.0/8 -j ACCEPT
iptables -t nat -A postrouting_rule -d 172.16.0.0/12 -j ACCEPT
# Stateless accept of forwarded traffic between the ipsec0 device
# (presumably openswan's KLIPS interface mentioned in the mail) and the LAB
# bridge, both directions, with no conntrack state match.  ipsec0 is in no
# zone, so neither the zone policies nor mtu_fix apply to tunnel traffic.
iptables -A forwarding_rule -i ipsec0 -o br-LAB -j ACCEPT
iptables -A forwarding_rule -i br-LAB -o ipsec0 -j ACCEPT