Hi,

If you have ping from the clients to 172.20.0.200 (and you should, since it is in a directly connected subnet), the return path clients -> source should not be a problem (the clients have to reply to 172.20.0.200, the masqueraded address). To verify the NAT rules, a Wireshark capture on one of the stations is conclusive (you should see packets coming from 172.20.0.200 and the corresponding replies). I assume you have no basic problems such as enabling ip_forward.

All the best

2016-12-22 12:45 GMT+02:00 Adrian Sevcenco <[email protected]>:
> On 12/13/2016 07:25 PM, Adrian Sevcenco wrote:
>> On 12/13/2016 07:05 PM, alex alex wrote:
>>> Hi,
>> Hi!
>>> Push route works when a client connects to an OpenVPN server.
>>> Here two OpenVPN servers connect to each other. The clients in Adrian's
>>> LAN don't know how to return packets to a network that is unknown to
>>> them, so they throw the packets at the default gateway, which drops
>>> them, the gateway probably not knowing about that network either.
>>> So either a specific return route for the remote LAN on the stations,
>>> or NAT (in which case the computers reply to the IP of the OpenVPN
>>> gateway, since the source appears to come from it).
>> Yeah, makes sense! Now I realise the only solution is NAT on the remote
>> OpenVPN server (or the haproxy solution given by Iulian),
>> but first I'll try NAT :)
>
> Hi! I tried to set up NAT but I'm missing something (most likely the
> return path from the clients to the source).
>
> The situation is like this:
> 192.168.1.100 - home
> 10.1.1.2 - home tun10
> 10.1.1.1 - office tun10
> 172.20.0.200 - office private
>
> I have ping from 192.168.1.100 to 172.20.0.200 and back.
> The goal is to have ping from 192.168.1.100 to any other host in 172.20.0/24.
>
> I have the following in iptables:
> *nat
> -A POSTROUTING -s 192.168.1.0/24 -d 172.20.0.0/24,10.10.8.0/22 -j MASQUERADE
>
> *filter
> -A FORWARD -p icmp -j ACCEPT
> -A FORWARD -i tun10 -j ACCEPT
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,SNAT,DNAT -j ACCEPT
> -A FORWARD -s 192.168.1.0/24 -d 172.20.0.0/24,10.10.8.0/22 -m conntrack --ctstate NEW -j ACCEPT
>
> I can't figure out what is missing ...
>
> Thanks a lot!
> Adrian
>
>> Thanks!
>> Adrian
>>
>>> 2016-12-12 17:09 GMT+02:00 manuel "lonely wolf" wolfshant <[email protected]>:
>>>> On 12/12/2016 03:57 PM, Mihai Badici wrote:
>>>>> You can add the reverse route with "push route":
>>>>>
>>>>> push "route 10.10.0.0 255.255.0.0" in the server config. I think it
>>>>> also works in that file where you put the iroute.
>>>>> (my examples are not consistent, they come from different configs)
>>>>>
>>>>> config that has been working for years in my back yard:
>>>>
>>>> push "route 192.168.10.201 255.255.255.255"
>>>> push "route 192.168.5.1 255.255.255.255"
>>>> push "route 192.168.5.24 255.255.255.255"
>>>> push "route 192.168.5.29 255.255.255.255"
>>>> push "dhcp-option DNS 192.168.10.11"
>>>>
>>>> _______________________________________________
>>>> RLUG mailing list
>>>> [email protected]
>>>> http://lists.lug.ro/mailman/listinfo/rlug
>
> --
> ----------------------------------------------
> Adrian Sevcenco, Ph.D. |
> Institute of Space Science - ISS, Romania |
> adrian.sevcenco at {cern.ch,spacescience.ro} |
> ----------------------------------------------
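A worked version of the setup discussed in this thread, added here as an example and not code posted by any of the participants: it generates a complete iptables-restore ruleset for the office OpenVPN gateway (the quoted rules plus the COMMIT lines that iptables-restore requires) and checks the ip_forward prerequisite mentioned in the reply at the top. The variable names, the FORWARD DROP policy and the helper functions are my assumptions; the addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example for the NAT setup discussed in the thread; not code posted by
# any participant. HOME_NET, OFFICE_NETS and TUN_IF are assumed names, filled
# with the addresses quoted in the thread.

HOME_NET="192.168.1.0/24"                  # LAN behind the home endpoint
OFFICE_NETS="172.20.0.0/24,10.10.8.0/22"   # networks the home LAN must reach
TUN_IF="tun10"                             # site-to-site tunnel interface

# Print a complete iptables-restore ruleset for the office gateway.
# Hosts in OFFICE_NETS see the gateway's own address (172.20.0.200 in the
# thread) as the source, so their replies need no route to 192.168.1.0/24.
# Every table must end with COMMIT, which the quoted snippet omits. Note that
# iptables-restore without -n replaces the whole nat and filter tables.
gen_ruleset() {
  cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $HOME_NET -d $OFFICE_NETS -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $TUN_IF -s $HOME_NET -d $OFFICE_NETS -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Return 0 when the sysctl file passed as $1 holds "1". The real file is
# /proc/sys/net/ipv4/ip_forward; taking a path lets the check run against a
# constructed file as well.
forwarding_enabled() {
  [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# BPF filter for the capture suggested in the reply: run on an office station,
# it shows the echo requests arriving from the gateway address and the
# station's replies going back to it.
capture_filter() {
  printf 'host %s and icmp\n' "${1:-172.20.0.200}"
}

# Running the script directly only prints the ruleset. To apply it:
#   forwarding_enabled /proc/sys/net/ipv4/ip_forward && gen_ruleset | iptables-restore
gen_ruleset
```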
