Hi, I have a standard PPPoE ISP interface which works fine under Shorewall 4.4
running on Debian (installed via apt-get).
I am trying to add a second ISP interface, which happens to be an OpenVPN
outbound tun1 connection. There is also a second OpenVPN server, but this is
working OK, so please ignore tun0; I am having problems getting tun1 working.
The idea is that I want the majority of traffic to go out the default PPPoE
interface, and specific host(s) on the local subnet (in this case host
192.168.69.60) to go out via the VPN interface. My config is below:
interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
vpn     tun0        -           routeback
rem     tun1        -           routeback,optional

providers:
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY   OPTIONS         COPY
ISP1    1       0x100   -           ppp0        -         track,balance
UKVPN   2       0x200   -           tun1        -         track,balance

tcrules:
#MARK       SOURCE          DEST    PROTO   PORT(S)   CLIENT    USER    TEST
#                                                     PORT(S)
0x100:P     0.0.0.0/0
0x100       $FW
0x200       192.168.69.60

masq:
#INTERFACE  SOURCE  ADDRESS   PROTO   PORT(S)   IPSEC   MARK
tun1        eth0
ppp0        eth0
The problem is that as soon as I enable the above multi-ISP config, from the
firewall I can no longer connect to any hosts outside on the internet. I can
continue to ping from the firewall to local workstations, however. I cannot see
any packets getting dropped in the log.
A test for inside workstations showed they can continue to use the internet and
can ping the firewall without issue.
Internet for workstations was working until I tried to ping out from the specific
host 192.168.69.60; it couldn't ping, and then the entire firewall stopped
routing (i.e. workstations that could ping out now couldn't). I then had to
reboot the box in order for the settings to get cleared. I noticed at this
point there were errors in /var/log/messages: "martian source 192.168.69.21 from
94.76.249.84, on dev ppp0", which happens to be the IP of the VPN server.
I have also attached the shorewall dump. I know I am doing something wrong and
would appreciate some help on what to try next.
Many thanks in advance,
Chris
Attachment: status.txt.gz
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
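Added example (editor's illustration, not part of the original post or the Shorewall project's own documentation): the providers/tcrules layout for "one primary ISP carries the default route, one host is steered to a secondary provider". The interface names, marks and the host address are taken from the post above; the reading that only the marked host leaves via tun1 depends on the secondary provider carrying no balance option, which is this editor's assumption about Shorewall 4.4 provider semantics and is not something the thread confirms.

```text
# providers (Shorewall 4.4). Only ISP1 has the balance option, so only ppp0
# contributes to the default route in the main table. UKVPN still gets its own
# routing table and connection tracking (track) so that replies to VPN-marked
# connections return via tun1, and optional lets the firewall start with tun1
# down. DUPLICATE=main copies the main table's non-default routes (e.g. the
# eth0 subnet) into each provider table. ASSUMPTION: editor's layout.
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY   OPTIONS          COPY
ISP1    1       0x100   main        ppp0        -         track,balance    -
UKVPN   2       0x200   main        tun1        -         track,optional   -

# tcrules. Mark only the host that should leave via the VPN; with the default
# MARK_IN_FORWARD_CHAIN=No this rule is placed in PREROUTING. Unmarked
# traffic, including the firewall's own ($FW), follows the main table's
# default route over ppp0, so no catch-all 0x100 rule is needed.
#MARK   SOURCE          DEST        PROTO   PORT(S)   CLIENT    USER   TEST
#                                                     PORT(S)
0x200   192.168.69.60   0.0.0.0/0

# masq is unchanged: SNAT eth0 sources on whichever provider they leave by.
#INTERFACE  SOURCE  ADDRESS   PROTO   PORT(S)   IPSEC   MARK
tun1        eth0
ppp0        eth0
```

After a restart, the check that matters is what actually ended up in the policy routing database: `shorewall show routing` (or `ip rule show` followed by `ip route show table UKVPN` and `ip route show table main`) should show a single default route via ppp0 in main, a fwmark 0x200 rule pointing at the UKVPN table, and a default route via tun1 only inside that table. If the main table's default route has become a two-nexthop balanced route, the secondary provider is still being balanced and the marking is not what restricts it.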
