Hi Mike, I have done that with my original OpenVPN config: in the up-script it
adds forwarding rules dependent on MAC address and source IP. I didn't know if
these raw iptables rules would work with the iptables rules Shorewall
generates. It sounds like an option, and if you have further suggestions they
would be much appreciated.
I do also like to learn, and I am also interested in whether the original plan
of using multi-ISP is possible or not.
Thanks and regards,
Chris
----- Reply message -----
From: "Mike Lander" <[email protected]>
To: "Shorewall Users" <[email protected]>
Subject: [Shorewall-users] Multi-ISP over tun not working
Date: Sun, May 15, 2011 01:39
>
> Hi, I have a standard PPPoE ISP interface which works fine under Shorewall 4.4
> running on Debian (installed via apt-get).
>
> I am trying to add a second ISP interface, which happens to be an OpenVPN
> outbound tun1 connection. It also has a second OpenVPN server, but this is
> working OK, so please ignore tun0; I am having problems getting tun1 working.
>
> The idea is I want the majority of traffic to go out the default PPPoE
> interface, and specific host(s) on the local subnet (in this case host
> 192.168.69.60) to go out via the VPN interface. My config is below:
>
> interfaces:
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     ppp0        -           dhcp,tcpflags,nosmurfs,routefilter,logmartians
> loc     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
> vpn     tun0        -           routeback
> rem     tun1        -           routeback,optional
> ###############################################################################
>
> providers:
>
> #NAME   NUMBER   MARK    DUPLICATE   INTERFACE   GATEWAY   OPTIONS         COPY
> ISP1    1        0x100   -           ppp0        -         track,balance
> UKVPN   2        0x200   -           tun1        -         track,balance
>
> tcrules:
>
> #MARK     SOURCE          DEST   PROTO   PORT(S)   CLIENT    USER   TEST
> #                                                  PORT(S)
> 0x100:P   0.0.0.0/0
> 0x100     $FW
> 0x200     192.168.69.60
>
> masq:
>
> #INTERFACE   SOURCE   ADDRESS   PROTO   PORT(S)   IPSEC   MARK
> tun1         eth0
> ppp0         eth0
>
>
> The problem is that as soon as I enable the above multi-ISP config, from the
> firewall I can no longer connect to any hosts outside on the internet. I can
> continue to ping from the firewall to local workstations, however. I cannot
> see any packets getting dropped in the log.
>
> A test for inside workstations showed they can continue to use the internet
> and can ping the firewall without issue.
>
> Internet for workstations was working until I tried to ping out from the
> specific host 192.168.69.60; it couldn't ping, and then the entire firewall
> stopped routing (i.e. workstations that could ping out now couldn't). I then
> had to reboot the box in order for the settings to get cleared. I noticed at
> this point there were errors in /var/log/messages: "martian source
> 192.168.69.21 from 94.76.249.84, on dev ppp0", which happens to be the IP of
> the VPN server.
>
> I have also attached the shorewall dump. I know I am doing something wrong
> and would appreciate some help on what to try next.
>
> Many thanks in advance,
>
> Chris
Why treat the VPN as an ISP? Just build the VPN and use routes to send the
traffic over OpenVPN?
Mike
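Added illustration of the plain policy-routing approach Mike suggests, written for this editorial note and not posted by either participant: one LAN host (192.168.69.60 from the thread) gets a source-based `ip rule` pointing at a dedicated table whose default route is tun1, while everything else keeps the main table's ppp0 default. The table number 200, the DRY_RUN switch and the loose rp_filter setting on tun1 are assumptions, not part of Chris's configuration.

```shell
#!/bin/sh
# Policy routing for a single LAN host over an OpenVPN tun interface.
# Added example; assumes table number 200 and that Shorewall's masq
# entry for tun1 (already in the thread's config) still provides NAT.
# Set DRY_RUN=1 to print the commands instead of executing them.

VPN_HOST="192.168.69.60"   # LAN host that should egress via the VPN (from the thread)
VPN_IF="tun1"              # OpenVPN tun interface (from the thread)
VPN_TABLE=200              # dedicated routing table number (assumed)

run() {
    # Echo every command so the resulting configuration can be reviewed;
    # only execute it when DRY_RUN is unset or empty.
    printf '%s\n' "$*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

policy_route_host() {
    host="$1" iface="$2" table="$3"
    # 1. Dedicated table: its only route is a default over the tun link.
    run ip route replace default dev "$iface" table "$table"
    # 2. Source-based rule: packets from $host consult that table first.
    #    Note: 'ip rule add' is not idempotent; re-running duplicates the rule.
    run ip rule add from "$host" lookup "$table" priority 1000
    # 3. Replies arrive on tun1 although the main table routes their source
    #    via ppp0, so strict reverse-path filtering would log them as
    #    martians and drop them; loose mode (2) on the tun link avoids that.
    run sysctl -w "net.ipv4.conf.${iface}.rp_filter=2"
    run ip route flush cache
}

# Helper for review: number of commands the procedure would issue.
count_commands() {
    ( DRY_RUN=1; policy_route_host "$1" "$2" "$3" ) | wc -l | tr -d ' '
}
```

Running `DRY_RUN=1 sh script.sh` after appending `policy_route_host "$VPN_HOST" "$VPN_IF" "$VPN_TABLE"` prints the four commands for inspection before they are applied with root privileges.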
------------------------------------------------------------------------------
Achieve unprecedented app performance and reliability
What every C/C++ and Fortran developer should know.
Learn how Intel has extended the reach of its next-generation tools
to help boost performance applications - inlcuding clusters.
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users