Harry Lachanas wrote:
>
> In short the setup that it suggests is this
> ---------------------------------------------------
> Shorewall.conf
>
> BRIDGING=Yes

That won't work with your 2.6.25 kernel -- this is pointed out in large bold font on the Shorewall home page: http://www.shorewall.net/shorewall_index.htm#Notice1

> -------------------------------------
> Zones
> vpn ipv4
> --------------------------------------
> Interfaces
> #ZONE INTERFACE BROADCAST OPTIONS
> - br0

I personally would just use a simple bridge (http://www.shorewall.net/SimpleBridge.html) and make your VPN clients part of the 'loc' zone.

#ZONE INTERFACE BROADCAST OPTIONS
loc br0 ...

And remove whatever entry you currently have for loc.

> -------------------------------------
> hosts
> #ZONE HOST(S) OPTIONS
> loc br0:eth3
> vpn br0:tap0

You don't need anything in the hosts file.

> -----------------------------------------
> tunnels
> # TYPE ZONE GATEWAY GATEWAY
> # ZONE
> openvpn net 0.0.0.0/0 vpn

I would make that 'openvpnserver' and get rid of the 'vpn' at the end (GATEWAY ZONE only applies to IPSEC tunnels).

>
> -----------------------------------------------------------
> and finally policy
>
> #SOURCE DEST POLICY LOG LEVEL
> loc vpn ACCEPT
> vpn loc ACCEPT

And you don't need any policies since the VPN clients are already in the loc zone.

>
> ------------------------------------------------------------------------------
> So far so good this seemed clear
>
> In my case though with 2 ISPs
>
> I miss how to fill the providers file the copy field

Replace your current local interface with 'br0'.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
