Hi, I'm still having trouble with my setup (multi-ISP/OpenVPN), and it 
seems to be a routing problem: the subnets from the DMZ and LAN can't 
connect to the outside ... worse: some sites are reachable, some not, 
although I have flushed the routing tables. I see no drops or rejects.

setup:
------
* esxi server
* 2 hwnics
* 3 vswitches (WAN, DMZ, LAN)
* hwnic1 connected to WAN vswitch
* hwnic2 connected to LAN vswitch
* DMZ vswitch has no physical nics attached
* shorewall vm: eth0 in DMZ switch, eth1 in WAN switch, eth2 in LAN switch
eth0: 192.168.0.1/24
eth1: 192.168.2.251/24
eth2: 192.168.5.251/24

The shorewall machine opens an OpenVPN tunnel tun1 to the VPN server 
x.x.x.18; it has x.x.x.245/32 as its IP address and x.x.x.254/32 as the 
remote endpoint located at the VPN provider.

Moreover, what is working: port forwarding by the following rules:

#ACTION  SOURCE DEST                    PROTO   DEST    SOURCE   ORIGINAL
#        #                                      PORT    PORT(S)  DEST
DNAT     vpn    dmz:192.168.0.11        icmp    -       -        x.x.x.245
DNAT     vpn    dmz:192.168.0.11:80     tcp     80      -        x.x.x.245


so far, so good.

The trouble comes with routing and I can't figure out the correct 
settings, it seems.

Some key settings:
==================

/etc/sysconfig/network-scripts/ifcfg-eth0:
DEFROUTE=no

shorewall.conf:
---------------
USE_DEFAULT_RT=Yes
TRACK_PROVIDERS=Yes

interfaces:
-----------
#ZONE        INTERFACE        OPTIONS
vpn         tun1                blacklist,optional
dmz         eth0                blacklist
wan         eth1                blacklist
lan         eth2                blacklist

zones:
------
fw    firewall
lan     ipv4
wan     ipv4
vpn     ipv4
dmz     ipv4

providers:
----------
#NAME     NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS  COPY
ipev      1       1     -          tun1       x.x.x.254    track
tonline   2       2     -          eth1       192.168.2.1  track

rtrules:
--------
#SOURCE          DEST            PROVIDER   PRIORITY   MARK
-                x.x.x.18/32     tonline    1000
-                x.x.x.245/28    ipev       1001
192.168.0.0/24   -               tonline    20001      2
192.168.5.0/24   -               tonline    20001      2



I suspect my problem has to do with this file (rtrules).
What I intended to reach:
1st line: I want the connections to the VPN server (VPN provider "ipev") 
to go over tonline, so the tunnel can be built up
2nd line: packets to x.x.x.245 handled by ipev (VPN provider)
3rd line: packets from 192.168.0.0/24 (DMZ) to anywhere shall go over 
tonline
4th line: packets from 192.168.5.0/24 (LAN) to anywhere shall go over 
tonline

1st and 2nd are working.
3rd and 4th are not working. I've also tried other priorities.

In other words: I'd like ALL outbound traffic from LAN and DMZ to go 
over tonline.
How can I solve this routing issue?

TIA
Michael

PS: Seems that this is the only remaining issue.  \o/
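The rtrules file in the post is a Shorewall policy-routing table: entries with a lower PRIORITY number are tested first, and the first line whose SOURCE and DEST both match selects the provider. The Python below is an added example, not code from the post or from Shorewall: it parses that file format and reports which provider each sample packet would select. The 203.0.113.x addresses are constructed stand-ins for the x.x.x.x placeholders, and the script models only the lines in rtrules, not the mark-based and per-interface rules that Shorewall itself adds to the ip rule list.

```python
import ipaddress

# Constructed copy of the rtrules file from the post; 203.0.113.x stands in
# for the x.x.x.x placeholders used there.
RTRULES = """\
#SOURCE          DEST               PROVIDER   PRIORITY   MARK
-                203.0.113.18/32    tonline    1000
-                203.0.113.245/28   ipev       1001
192.168.0.0/24   -                  tonline    20001      2
192.168.5.0/24   -                  tonline    20001      2
"""


def parse_rtrules(text):
    """Parse rtrules lines into dicts, sorted as 'ip rule' evaluates them."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        src, dst, provider, prio = fields[:4]
        mark = fields[4] if len(fields) > 4 else "-"
        rules.append({
            # '-' in SOURCE or DEST means "match anything"
            "source": None if src == "-" else ipaddress.ip_network(src, strict=False),
            "dest": None if dst == "-" else ipaddress.ip_network(dst, strict=False),
            "provider": provider,
            "priority": int(prio),
            "mark": mark,
        })
    # Lowest priority number is tested first; sorted() is stable, so lines
    # sharing a priority keep their file order.
    return sorted(rules, key=lambda r: r["priority"])


def select_provider(rules, src_ip, dst_ip):
    """Return (provider, priority) of the first matching rule, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["source"] is not None and s not in r["source"]:
            continue
        if r["dest"] is not None and d not in r["dest"]:
            continue
        return r["provider"], r["priority"]
    return None   # no rtrules entry matched; routing falls through to other rules


RULES = parse_rtrules(RTRULES)

if __name__ == "__main__":
    # Sample packets (constructed): LAN host to the internet, DMZ host to the
    # VPN server, DMZ host to an address inside the /28 handled by ipev.
    for src, dst in [("192.168.5.10", "198.51.100.7"),
                     ("192.168.0.11", "203.0.113.18"),
                     ("192.168.0.11", "203.0.113.250")]:
        print(src, "->", dst, ":", select_provider(RULES, src, dst))
```

Running it shows that, taken on its own, the file already sends LAN and DMZ traffic to tonline, so a packet that ends up elsewhere is being caught by a rule outside this file; `ip rule show` and `ip route show table <name>` on the firewall are the place to compare against this output.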


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users