On 7/9/10 1:20 PM, Markus Plessing wrote:
> Hi,
>
> Tom Eastep wrote:
>> On 7/9/10 1:03 AM, Markus Plessing wrote:
>>> Hello,
>>>
>>> I'm trying to set up shorewall to allow traffic from a single
>>> host behind the firewall to a remote network both connected
>>> as openvpn clients to an openvpn-server on the internet.
>> [...]
>>
>> If the tunnel is being established fully, then the firewall rules are
>> not the problem; traffic sent through the tunnel is not visible to the
>> firewall; all the firewall is aware of are the TCP 1202 packets and
>> responses.
>
> This is true according to my test and is the expected behaviour. I'm
> glad that I was not wrong with this. :)
>
>> Is the VPN server assigning addresses that are in the 192.168.0.0/24
>> network? That would account for the results you are seeing (connect the
>> client box directly to the internet and the tunnel would work; put it
>> behind the masquerading firewall and it would not work).
>
> Yes there is masquerading on the network.
>
> The shorewall box is running an openvpn server also, our business
> locations are connected by vpn.
> There are plenty of interfaces and networks to handle this.
>
> * eth0 and ppp0 to connect the first internet line, dedicated for
> internet access (192.168.2.0, local machine only)
> * eth1 and ppp1 to connect the second internet line, dedicated to link
> the business locations (192.168.3.0, local machine only)
> * eth2 to connect the local network (192.168.0.0)
> * tun0-4 to connect the other business location or home workers
> (192.168.1.0 and home worker tunnels in 10.x.x.x networks ...)
>
> There are only two entries in /etc/shorewall/masq at the moment
> ppp0 eth2
> ppp1 eth2
>
> The entry in interfaces file for the local net is as follows
> loc eth2 detect tcpflags,detectnets,nosmurfs,routeback
Forget the Shorewall configuration; it is not relevant! Once the connection is made, the only thing that is relevant is the IP configuration and routing.

a) What IP address is being assigned to the client by the VPN server?
b) What does the routing table on the client look like when the VPN is connected?
c) What does the routing table look like at the remote client machine (192.168.6.1)?

>
> As I've understood, the packets with destination 192.168.6.0 are sent
> through the established tunnel, but the answers get lost?

I don't have enough information yet to even guess.

>
> Is there a way to get this done with settings of shorewall or am I wrong
> here?

Again -- once the connection is made, the Shorewall configuration is not relevant. This isn't a Shorewall issue and cannot be solved with Shorewall.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
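The overlap Tom asks about in (a) and (b) can be checked mechanically from the client's routing table. The script below is an added example, not part of the thread; it parses `ip route` output and flags any route on a non-LAN interface (the tunnel) whose destination overlaps a LAN route. The routing-table text is constructed, assuming the VPN server handed the client an address inside the LAN's own 192.168.0.0/24.

```python
"""Flag tunnel routes that overlap the LAN behind a masquerading firewall.
Added example for the thread above; the sample routing table is constructed."""
import ipaddress
import re

# Constructed `ip route` output on the VPN client with the tunnel up.
# Assumption: the VPN assigned 192.168.0.6 on tun0, colliding with the LAN.
SAMPLE_ROUTES = """\
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
192.168.0.0/24 dev tun0 proto kernel scope link src 192.168.0.6
192.168.6.0/24 via 192.168.0.5 dev tun0
"""

# Destination is the first token ("default" or a prefix); device follows "dev".
ROUTE_RE = re.compile(r"^(?P<dst>default|\S+).*?\bdev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Return a list of (ip_network, device) tuples from `ip route` lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes.append((ipaddress.ip_network(dst, strict=False), m.group("dev")))
    return routes


def find_overlaps(routes, lan_dev):
    """Return (route, device, lan_route) for every non-LAN route that overlaps
    a LAN route. The default route is skipped: it overlaps everything by design."""
    lan_nets = [n for n, d in routes if d == lan_dev and n.prefixlen > 0]
    conflicts = []
    for net, dev in routes:
        if dev == lan_dev or net.prefixlen == 0:
            continue
        for lan in lan_nets:
            if net.overlaps(lan):
                conflicts.append((str(net), dev, str(lan)))
    return conflicts


if __name__ == "__main__":
    for net, dev, lan in find_overlaps(parse_routes(SAMPLE_ROUTES), "eth0"):
        print(f"{net} on {dev} overlaps LAN {lan}: replies may be sent to the LAN")
```

Run it against real `ip route` output on both the client and the remote machine (192.168.6.1); an empty result means the addresses the VPN server assigns do not collide with the LAN, so the cause lies elsewhere in the routing.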
