Hello, and thanks in advance for any suggestions. I switched from a dumb DSL modem doing my firewall and routing to a powerful Linux server with shorewall (iptables frontend), but I have a small issue with static routing for my openvpn. I was hoping someone might be able to shed some light on this issue that kept me up all last night. I have everything working and more than I did with the dumb DSL modem, with the exception of the static routing.
Summary question: How do you get shorewall to do a static route?

Long description: I had my network set up with Qwest DSL with a single IP address, which was assigned to the DSL modem, and the network behind it was NATed. I also had a machine behind the network with OpenVPN installed (10.10.10.3), which had a VPN network set up as 10.10.20.x. I had UDP port 1194 forwarded through the NAT to 10.10.10.3. The default gateway on all of the machines was 10.10.10.1, which was the DSL modem. When a machine connects to the VPN network and then connects to another machine on the local network, it appears to be coming from 10.10.20.x, but none of the machines had this route in their routing tables, so the reply would route out to the default gateway of 10.10.10.1. I had entered a static route so that anything arriving at the modem heading to 10.10.20.x/255.255.255.0 would be redirected to 10.10.10.3, and everything worked as expected.

Then I decided to get greedy and wanted a Linux firewall, with shorewall as my gateway, and I wanted to increase my IP block to 5 so I could have various IP addresses route to different boxes. Well, I upgraded my Qwest account, got the 5 addresses, installed shorewall, masqueraded my internal network and forwarded the new IP addresses to various servers using shorewall's DNAT, and everything was happy. Or so I thought. The DNATed traffic works wonderfully, and the masquerading works great, but the VPN traffic to anything but the VPN server is now broken. If I go to any particular machine and add a static route on that machine, then I can get traffic to that machine fine. How do I get my default gateway to do the static routing that my DSL modem was doing before?
eth0 is the Internet interface
eth1 is the LAN interface
10.10.10.x is the LAN network
10.10.20.x is the VPN virtual network
10.10.10.1 is the gateway (shorewall Linux server) address
10.10.10.3 is the VPN server LAN address

I have in my rules:

    DNAT net lan:10.10.10.3 udp 1194 - 65.X.X.X

Here is how I am adding a static route:

    route add -net 10.10.20.0 netmask 255.255.255.0 gw 10.10.10.3 dev eth1

My policy has:

    $FW net ACCEPT
    $FW lan ACCEPT
    lan $FW ACCEPT
    lan net ACCEPT

I watch the message log, and it does not appear that shorewall is dropping any connections, so it appears that I am just doing the routing wrong. Any suggestions? This all worked with a simple DSL modem, so this should work with a powerful Linux router, right?

/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
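Added example, not from the original post: a small Python model of the routing decision on a LAN host and on the shorewall gateway, using the addresses given above (the LAN host, the VPN client 10.10.20.5 and the upstream next hop 203.0.113.1 are constructed placeholders). It shows that once the static route is present the gateway sends a LAN host's reply back out eth1, so shorewall evaluates it as forwarded lan-to-lan traffic, a zone pair that is not among the four policy lines listed in the post.

```python
from ipaddress import ip_address, ip_network

# Routing tables as (prefix, next hop or None when on-link, outgoing interface).
# The addresses are the ones from the post; the upstream next hop 203.0.113.1
# and the LAN host / VPN client used below are constructed placeholders.
LAN_HOST = [                       # an ordinary LAN host, e.g. 10.10.10.5
    ("10.10.10.0/24", None, "eth0"),
    ("0.0.0.0/0", "10.10.10.1", "eth0"),
]
GATEWAY_BEFORE = [                 # shorewall box without the static route
    ("10.10.10.0/24", None, "eth1"),
    ("0.0.0.0/0", "203.0.113.1", "eth0"),
]
GATEWAY_AFTER = GATEWAY_BEFORE + [ # same box after `route add -net 10.10.20.0 ...`
    ("10.10.20.0/24", "10.10.10.3", "eth1"),
]
GATEWAY_ZONES = {"eth0": "net", "eth1": "lan"}   # shorewall zone per interface


def lookup(table, dst):
    """Longest-prefix match: returns (next_hop, interface), or None if no route."""
    dst = ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw if gw is not None else str(dst), dev)
    return None if best is None else (best[1], best[2])


def zone_pair(table, dst, in_dev):
    """Zone pair shorewall evaluates for a packet the gateway forwards."""
    route = lookup(table, dst)
    if route is None:
        return None
    return GATEWAY_ZONES[in_dev], GATEWAY_ZONES[route[1]]


def reply_path(dst="10.10.20.5", gateway=GATEWAY_AFTER):
    """Follow a LAN host's reply to a VPN client through the host and the gateway."""
    host_hop = lookup(LAN_HOST, dst)            # host sends to its default gateway
    gw_hop = lookup(gateway, dst)               # gateway decides where it goes next
    return {"host_next_hop": host_hop[0], "gateway_next_hop": gw_hop[0],
            "gateway_out": gw_hop[1], "zones": zone_pair(gateway, dst, "eth1")}


if __name__ == "__main__":
    for name, table in (("before", GATEWAY_BEFORE), ("after", GATEWAY_AFTER)):
        print(name, reply_path(gateway=table))
```

Without the route, the gateway masquerades the reply out eth0 toward the Internet and the VPN client never sees it; with the route, the packet enters and leaves eth1, which in shorewall needs both a lan-to-lan policy or rule and the `routeback` option on eth1 in /etc/shorewall/interfaces, and the route itself has to be re-added at boot (for example from the /etc/shorewall/started extension script).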
