Tom Eastep wrote:
> Sergio A. Kessler wrote:
>> hi tom,
>>
>> Tom Eastep wrote:
>>> Sergio A. Kessler wrote:
>>>
>>>> I also tried with:
>>>> # cat /etc/shorewall/masq
>>>> ###############################################################################
>>>> #INTERFACE   SUBNET   ADDRESS       PROTO   PORT(S)   IPSEC
>>>> eth0         eth1     $EXT_SALIDA
>>>> eth0         eth3     $EXT_SALIDA
>>>> eth0         eth1     $EXT_VPN      47
>>>>
>>>> but the problem remains,
>>>> the protocol 47 is not being SNAT'ed with the correct external IP.
>>> Try putting the GRE entry first -- in /etc/shorewall/masq, the first match
>>> is the one that is used.
>> yes !! it worked !
>> thanks tom !
>>
>> anyway, I'm still wondering why the rule -- in /etc/shorewall/rules
>>
>> DNAT   ext   dmz:$DMZ_VPN   47   -   -   $EXT_VPN
>>
>> is not working as I expected...
>
> It is working exactly as you *should* expect. The problem is that the
> server is sending GRE packets before the client.

aha, *before* being the key, I understand now... thanks Tom !

> Normally, that is not a
> problem because all outbound traffic is SNATed through the same IP
> address. In your case, you want it to get a different source IP from
> other traffic -- so you must include the entry in /etc/shorewall/masq to
> make that work.
>
> If you load the kernel pptp helper modules (ipt_conntract_pptp and
> ipt_nat_pptp), you won't need the masq entry (or that's my understanding
> -- I haven't tried it).
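
The ordering issue resolved in this thread, as an added example that is not part of the original messages or of Shorewall: a simplified Python model of first-match selection over the masq entries quoted above, which also flags entries made unreachable by an earlier, broader entry. The addresses given to $EXT_SALIDA and $EXT_VPN are constructed, and the matching logic (literal comparison of the INTERFACE and SUBNET columns, blank PROTO meaning any protocol) is an assumption.

```python
# Simplified model of first-match selection in /etc/shorewall/masq.
# Not Shorewall's parser: only INTERFACE, SUBNET, ADDRESS and PROTO are
# read, and INTERFACE/SUBNET are compared as literal strings (assumption).

VARS = {"$EXT_SALIDA": "192.0.2.10", "$EXT_VPN": "192.0.2.20"}  # constructed

ORIGINAL = """\
#INTERFACE SUBNET ADDRESS     PROTO
eth0       eth1   $EXT_SALIDA
eth0       eth3   $EXT_SALIDA
eth0       eth1   $EXT_VPN    47
"""

REORDERED = """\
#INTERFACE SUBNET ADDRESS     PROTO
eth0       eth1   $EXT_VPN    47
eth0       eth1   $EXT_SALIDA
eth0       eth3   $EXT_SALIDA
"""

def parse_masq(text, variables=VARS):
    """Return a list of (interface, subnet, address, proto) tuples."""
    rules = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()  # drop comments and blank lines
        if len(cols) < 3:
            continue
        proto = cols[3] if len(cols) > 3 and cols[3] != "-" else None
        rules.append((cols[0], cols[1], variables.get(cols[2], cols[2]), proto))
    return rules

def covers(rule, iface, subnet, proto):
    """True if the rule matches; a rule without PROTO matches any protocol."""
    return rule[0] == iface and rule[1] == subnet and rule[3] in (None, proto)

def snat_address(rules, iface, subnet, proto):
    """Source address chosen for a packet: the first matching entry wins."""
    return next((r[2] for r in rules if covers(r, iface, subnet, proto)), None)

def shadowed(rules):
    """Entries that can never match because an earlier entry covers them."""
    return [r for i, r in enumerate(rules)
            if any(covers(e, r[0], r[1], r[3]) for e in rules[:i])]

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("reordered", REORDERED)):
        rules = parse_masq(text)
        print(name, "GRE ->", snat_address(rules, "eth0", "eth1", "47"),
              "| shadowed:", shadowed(rules))
```
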
