> Hi, I have a standard PPPoE ISP interface which works fine under Shorewall 4.4
> running on Debian (installed via apt-get).
>
> I am trying to add a second ISP interface, which happens to be an OpenVPN
> outbound tun1 connection. It also has a second OpenVPN server but this is
> working ok so please ignore tun0; I am having problems getting tun1 working.
>
> The idea is I want the majority of traffic to go out the default PPPoE
> interface, and specific host(s) on the local subnet (in this case host
> 192.168.69.60) to go out via the VPN interface. My config is below:
>
> interfaces:
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     ppp0        -           dhcp,tcpflags,nosmurfs,routefilter,logmartians
> loc     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
> vpn     tun0        -           routeback
> rem     tun1        -           routeback,optional
> ###############################################################################
>
> providers:
>
> #NAME   NUMBER   MARK    DUPLICATE   INTERFACE   GATEWAY   OPTIONS         COPY
> ISP1    1        0x100   -           ppp0        -         track,balance
> UKVPN   2        0x200   -           tun1        -         track,balance
>
> tcrules:
>
> #MARK     SOURCE          DEST   PROTO   PORT(S)   CLIENT    USER   TEST
> #                                         PORT(S)
> 0x100:P   0.0.0.0/0
> 0x100     $FW
> 0x200     192.168.69.60
>
> masq:
>
> #INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
> tun1         eth0
> ppp0         eth0
>
> The problem is as soon as I enable the above multi-ISP config, from the
> firewall I can no longer connect to any hosts outside on the internet. I can
> continue to ping from the firewall to local workstations however. I cannot
> see any packets getting dropped in the log.
>
> A test for inside workstations showed they can continue to use the internet
> and can ping the firewall without issue.
>
> Internet for workstations was working until I tried to ping out from specific
> host 192.168.69.60; it couldn't ping, and then the entire firewall stopped
> routing (i.e. workstations that could ping out now couldn't). I then had to
> reboot the box in order for the settings to get cleared. I noticed at this
> point there were errors in /var/log/messages "martian source 192.168.69.21
> from 94.76.249.84, on dev ppp0" which happens to be the IP of the VPN server.
>
> I have also attached the shorewall dump, I know I am doing something wrong
> and would appreciate some help on what to try next.
>
> Many thanks in advance,
>
> Chris

Why treat the VPN as an ISP? Just build the VPN and use routes to send the traffic over OpenVPN?
Mike

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
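Added example, not code from this thread or from the Shorewall project: a small Python checker that cross-reads the providers, tcrules, masq and interfaces fragments quoted above and flags the usual multi-ISP slips (a tcrules mark that names no provider, a provider interface with no masq entry, a catch-all tcrule placed after a host-specific rule so that it overrides the host's mark), plus a parser for the kernel's "martian source" message that maps the logging interface back to its options and provider. The config strings are the post's own entries re-typed one per line; the syslog timestamp and hostname prefix on the sample log line is constructed, and the chain-selection rule in parse_tcrules is a simplification of Shorewall's.

```python
"""Cross-checks for a Shorewall multi-ISP setup, plus a martian-log parser.
Added example; not from the mailing-list thread or from Shorewall itself."""
import re

# The config fragments quoted in the post, one entry per line.
INTERFACES = """
net  ppp0  -       dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc  eth0  detect  dhcp,tcpflags,nosmurfs,routefilter,logmartians
vpn  tun0  -       routeback
rem  tun1  -       routeback,optional
"""
PROVIDERS = """
ISP1   1  0x100  -  ppp0  -  track,balance
UKVPN  2  0x200  -  tun1  -  track,balance
"""
TCRULES = """
0x100:P  0.0.0.0/0
0x100    $FW
0x200    192.168.69.60
"""
MASQ = """
tun1  eth0
ppp0  eth0
"""
# Constructed syslog prefix around the kernel message quoted in the post.
SAMPLE_LOG = ("May 10 12:00:00 fw kernel: martian source 192.168.69.21 "
              "from 94.76.249.84, on dev ppp0")


def rows(text):
    """Whitespace-separated table rows, skipping blanks and '#' comments."""
    return [l.split() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def parse_interfaces(text):
    """{iface: set(options)} from the interfaces table."""
    return {r[1]: set(r[3].split(",")) if len(r) > 3 else set() for r in rows(text)}


def parse_providers(text):
    """{mark: (name, iface)}; MARK is column 3, INTERFACE column 5."""
    return {int(r[2], 16): (r[0], r[4]) for r in rows(text)}


def parse_tcrules(text):
    """[(chain, mark, source)] in file order. The chain comes from the :P/:F/:T
    suffix; without one, a $FW source means OUTPUT and anything else PREROUTING
    (a simplification of Shorewall's full chain-selection rules)."""
    suffix = {"P": "PREROUTING", "F": "FORWARD", "T": "POSTROUTING"}
    out = []
    for r in rows(text):
        mark, _, flag = r[0].partition(":")
        source = r[1] if len(r) > 1 else "0.0.0.0/0"
        chain = suffix.get(flag, "OUTPUT" if source == "$FW" else "PREROUTING")
        out.append((chain, int(mark, 16), source))
    return out


def check_config(interfaces, providers, tcrules, masq_ifaces):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for chain, mark, source in tcrules:
        if mark not in providers:
            findings.append(f"{chain}: mark {mark:#x} for {source} names no provider")
    for name, iface in providers.values():
        if iface not in interfaces:
            findings.append(f"provider {name}: {iface} is not in interfaces")
        if iface not in masq_ifaces:
            findings.append(f"provider {name}: no masq entry for {iface}")
    # MARK is non-terminating, so within one chain the last matching rule wins:
    # a catch-all placed after a host-specific rule silently overrides it.
    specific = {}
    for chain, mark, source in tcrules:
        if source == "0.0.0.0/0":
            for host, hmark in specific.get(chain, []):
                if hmark != mark:
                    findings.append(f"{chain}: catch-all mark {mark:#x} overrides "
                                    f"mark {hmark:#x} set earlier for {host}")
        else:
            specific.setdefault(chain, []).append((source, mark))
    return findings


MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")


def parse_martian(line):
    """Return (dst, src, dev) or None. The kernel prints the destination first
    and the packet's source after 'from'; the message is only emitted when
    log_martians is on, which Shorewall's 'logmartians' option sets."""
    m = MARTIAN_RE.search(line)
    return m.groups() if m else None


def explain_martian(line, interfaces, providers):
    """Tie a martian line back to the logging interface's options and provider."""
    parsed = parse_martian(line)
    if not parsed:
        return None
    dst, src, dev = parsed
    opts = interfaces.get(dev, set())
    prov = next((n for n, i in providers.values() if i == dev), None)
    return {"dst": dst, "src": src, "dev": dev, "provider": prov,
            "routefilter": "routefilter" in opts, "logmartians": "logmartians" in opts}


def audit():
    """Run both checks over the posted config and sample log line."""
    ifs, provs = parse_interfaces(INTERFACES), parse_providers(PROVIDERS)
    masq = {r[0] for r in rows(MASQ)}
    return check_config(ifs, provs, parse_tcrules(TCRULES), masq), explain_martian(SAMPLE_LOG, ifs, provs)


if __name__ == "__main__":
    findings, martian = audit()
    print("findings:", findings or "none")
    print("martian:", martian)
```

On the posted config the checks come back empty, which matches Chris seeing nothing dropped in the log; the martian line resolves to ppp0, which has both routefilter and logmartians set, so the kernel's reverse-path check rejected a packet from 94.76.249.84 to 192.168.69.21 arriving on ppp0 and logged it. Reordering the tcrules so the host rule precedes the 0x100:P catch-all, or dropping the tun1 masq entry, each produces a finding, which is the kind of slip worth checking before enabling a second provider.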
