Hello Tom, thanks for your answer.

I already have this masq entry:

eth1:192.168.61.0/24    192.168.1.0/24      192.168.3.1
eth1:192.168.61.0/24    192.168.250.0/24    192.168.3.1
eth1:!192.168.61.0/24   eth0                192.168.0.2

192.168.61.0/24 is a remote point to point ipsec network, in which way do I have to add the entry suggested by you?

Thanks
Ivan

-----Original Message-----
From: Tom Eastep [mailto:teas...@shorewall.net]
Sent: Thursday, July 27, 2017 18:01
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] R: DNAT on openvpn client over OPENWRT

On 07/27/2017 07:07 AM, Ivan wrote:
> Hello all,
>
> I have a Debian server with shorewall (version 4.6.4.3), on the same
> server is installed an OpenVPN Server, on remote site I have a
> LEDE/OpenWRT router with an OpenVPN Client connected to previous server.
>
> This is my network:
>
> Office with Debian Server
>
> 1. Eth0: internal network with address 192.168.1.1 (subnet 192.168.1.0/24)
> 2. Eth1: external network with address 192.168.0.2 connected to provider router;
> 3. Tun0: OpenVPN Network with subnet 192.168.250.0/24
>
> Home with LEDE/OpenWRT Router
>
> 1. The router is connected to internet through an LTE USB key;
> 2. On the router is running OpenVPN Client connected to server with IP
>    Address: 192.168.250.122
> 3. The internal network has the subnet 192.168.0.0/24
>
> I need to expose my home internal Web Server host (running on address
> 192.168.0.4) through my Office internet network.
>
> I configured Shorewall, OpenWRT and OpenVPN to do it and I'm able to
> reach the server from my internal office network connecting to OpenVPN
> client IP (192.168.250.122), but I'm not able to reach the web server
> from internet following this route:
>
> Internet -> external office IP Address -> 192.168.0.2 -> 192.168.1.1 -> 192.168.250.122 -> 192.168.0.4
>
> I believe that the issue is related to a wrong MASQ/SNAT
> configuration, because in the OpenWRT router logs I saw the request but
> the Source IP Address is the original one instead of the office IP Address, is it true?
>
> In which way should I configure masquerade to solve this issue?
>

Sounds like, on the Office "Server" (which isn't really a server - it's a gateway/router), you need this masq entry:

tun0    !192.168.1.0/24

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________