Hello,

I have a very basic 3 interface setup - no packet marking, load balancing, etc (this might need to change though).  My three interface setup is like so:
net/eth0  ISP
loc/eth1  LAN
vpn0/tun0 OpenVPN client tunnel on eth0

I'm trying to achieve two things and I'm unable to figure out how to do this.


1.  I lose all incoming traffic on eth0 when tun0 is up.  So for instance, I'd like external SSH access, I have a Plex Media Server that I'd like external access to, and a few other things.  I do not believe it's a routing issue.  Observe:

# without vpn
$ ip route ls
default via 72.x.x.x dev eth0
72.x.x.x/22 dev eth0 proto kernel scope link src 72.x.x.x
192.168.122.0/23 dev eth1 proto kernel scope link src 192.168.123.1

# with vpn
$ ip route ls
0.0.0.0/1 via 10.y.y.y dev tun0
default via 72.x.x.x dev eth0
10.y.y.y/24 dev tun0 proto kernel scope link src 10.y.y.y
72.x.x.x/22 dev eth0 proto kernel scope link src 72.x.x.x
128.0.0.0/1 via 10.y.y.y dev tun0
142.z.z.z via 72.x.x.x dev eth0 # 142.z.z.z = vpn gateway
192.168.122.0/23 dev eth1 proto kernel scope link src 192.168.123.1

So I see the eth0 route present regardless of tun0's existence (albeit lower in the chain when tun0 is up), so that's why I don't think it's a routing issue.

Here is my Shorewall policy:
loc        fw       ACCEPT
loc        net      ACCEPT
loc        vpn0     ACCEPT
fw         loc      ACCEPT
fw         net      ACCEPT
fw         vpn0     ACCEPT
net        all      DROP        info
vpn0       all      DROP        info
# THE FOLLOWING POLICY MUST BE LAST
all        all      REJECT      info

...and here is my Shorewall rule to allow SSH (SSH server runs on the FW), for example:
ACCEPT:info net fw tcp 22


2.  I'd like to have a small portion of clients use eth0 instead of tun0 for outgoing traffic.  I figured I could fix this in snat, but it's not working.  All outbound traffic is using tun0.  Here is my snat:
{ action="" source=>"192.168.123.35,192.168.123.43",                  dest=>eth0 }
{ action="" source=>"192.168.123.0/23!192.168.123.35,192.168.123.43", dest=>tun0 }

Both eth0 and tun0 are dynamic IPs so I have to use MASQUERADE based on what I've read in the docs.

BTW - I love the new config file format and thanks for implementing that.  It saves a lot of heartache if you have nothing to specify in certain columns.

My Shorewall version is 5.0.15.2 and I'm running on Debian/testing 9.0.  Any help is greatly appreciated.

Thanks,
-MikeD
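An added illustration of why the routing table above matters (example code, not part of the post): the OpenVPN-pushed 0.0.0.0/1 and 128.0.0.0/1 routes are more specific than the default route, so longest-prefix matching sends replies to any Internet host out tun0 even when the connection arrived on eth0; only policy routing (for example Shorewall's providers file) can pin return traffic to the interface it came in on. The addresses below are constructed stand-ins for the masked 72.x.x.x, 10.y.y.y and 142.z.z.z values.

```python
import ipaddress

# Constructed stand-ins for the post's masked "with vpn" routing table.
ROUTES_WITH_VPN = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 72.0.0.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
72.0.0.0/22 dev eth0 proto kernel scope link src 72.0.1.5
128.0.0.0/1 via 10.8.0.1 dev tun0
142.0.0.9 via 72.0.0.1 dev eth0
192.168.122.0/23 dev eth1 proto kernel scope link src 192.168.123.1
"""


def parse_routes(text):
    """Turn `ip route ls` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        dev = fields[fields.index("dev") + 1]
        routes.append((net, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match over the main table, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def egress_for(text, dst):
    """Device a packet to `dst` leaves on, given an `ip route ls` dump."""
    return lookup(parse_routes(text), dst)


if __name__ == "__main__":
    routes = parse_routes(ROUTES_WITH_VPN)
    # An external SSH client's reply, the VPN gateway, a LAN host, an ISP neighbour.
    for dst in ("203.0.113.7", "142.0.0.9", "192.168.123.35", "72.0.1.9"):
        print(dst, "->", lookup(routes, dst))
```

The first lookup is the interesting one: a reply to an Internet client that connected via eth0 is matched by 128.0.0.0/1 and leaves on tun0, so the SSH session is never completed from the client's point of view.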

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users