Hello Tom,
thanks for your answer. I already have these masq entries:
eth1:192.168.61.0/24    192.168.1.0/24          192.168.3.1
eth1:192.168.61.0/24    192.168.250.0/24        192.168.3.1
eth1:!192.168.61.0/24   eth0                    192.168.0.2


192.168.61.0/24 is a remote point-to-point IPsec network; in which way do I
have to add the entry suggested by you?
Thanks
Ivan

-----Original Message-----
From: Tom Eastep [mailto:teas...@shorewall.net]
Sent: Thursday, 27 July 2017 18:01
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] R: DNAT on openvpn client over OPENWRT

On 07/27/2017 07:07 AM, Ivan wrote:

> Hello all,
> 
> I have a Debian server with shorewall (version 4.6.4.3); on the same
> server an OpenVPN Server is installed, and on the remote site I have a
> LEDE/OpenWRT router with an OpenVPN Client connected to the previous server.
> 
> This is my network:
> 
> Office with Debian Server
> 
>  1. Eth0: internal network with address 192.168.1.1 (subnet 192.168.1.0/24)
>  2. Eth1: external network with address 192.168.0.2 connected to
>     provider router;
>  3. Tun0: OpenVPN Network with subnet 192.168.250.0/24
> 
> Home with LEDE/OpenWRT Router
> 
>  1. The router is connected to internet through an LTE USB key;
>  2. On the router is running OpenVPN Client connected to server with IP
>     Address: 192.168.250.122
>  3. The internal network has the subnet 192.168.0.0/24
> 
> I need to expose my home internal Web Server host (running on address
> 192.168.0.4) through my Office internet network.
> 
> I configured Shorewall, OpenWRT and OpenVPN to do it and I'm able to
> reach the server from my internal office network connecting to the OpenVPN
> client IP (192.168.250.122), but I'm not able to reach the web server
> from internet following this route:
> 
> Internet -> external office IP Address -> 192.168.0.2 -> 192.168.1.1 ->
> 192.168.250.122 -> 192.168.0.4
> 
> I believe that the issue is related to a wrong MASQ/SNAT
> configuration, because in the OpenWRT router logs I saw the request but
> the Source IP Address is the original one instead of the office IP
> Address, is it true?
> 
> In which way should I configure masquerade to solve this issue?
> 

Sounds like, on the Office "Server" (which isn't really a server - it's a
gateway/router), you need this masq entry:

tun0    !192.168.1.0/24

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
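An added example, not from the thread or from Shorewall itself: a small Python model of how the masq columns select a rule, loaded with Ivan's three existing entries and Tom's suggested tun0 line, so you can check which entry (if any) rewrites the source of a DNATed packet that the office gateway forwards out tun0. It assumes a constructed IFACE_NETS map in place of Shorewall's routing lookup, ignores the remaining masq columns, and uses constructed client addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed interface -> networks map (from the thread's description); stands in
# for Shorewall's routing lookup when SOURCE names an interface such as eth0.
IFACE_NETS = {"eth0": ["192.168.1.0/24"], "tun0": ["192.168.250.0/24"]}

@dataclass
class MasqRule:
    out_iface: str            # INTERFACE column: packet leaves through this
    dest: Optional[str]       # optional :DEST restriction, None = any destination
    dest_negated: bool        # DEST carried a leading '!'
    source: List[str]         # SOURCE column resolved to CIDRs
    source_negated: bool      # SOURCE carried a leading '!'
    address: Optional[str]    # ADDRESS column; None means MASQUERADE

    def matches(self, out_iface: str, src: str, dst: str) -> bool:
        if out_iface != self.out_iface:
            return False
        if self.dest is not None:
            in_dest = ipaddress.ip_address(dst) in ipaddress.ip_network(self.dest)
            if in_dest == self.dest_negated:  # wrong side of DEST / !DEST
                return False
        in_src = any(ipaddress.ip_address(src) in ipaddress.ip_network(n)
                     for n in self.source)
        return in_src != self.source_negated

def parse_masq_line(line: str) -> MasqRule:
    """Parse the INTERFACE[:DEST] SOURCE [ADDRESS] columns of one masq line."""
    cols = line.split()
    iface, _, dest = cols[0].partition(":")
    src = cols[1].lstrip("!")
    return MasqRule(iface, dest.lstrip("!") or None, dest.startswith("!"),
                    IFACE_NETS.get(src, [src]), cols[1].startswith("!"),
                    cols[2] if len(cols) > 2 else None)

def find_snat(rules: List[MasqRule], out_iface: str, src: str, dst: str) -> Optional[str]:
    # Rewrite applied by the first matching rule ('MASQUERADE' or SNAT address), else None
    for rule in rules:
        if rule.matches(out_iface, src, dst):
            return rule.address or "MASQUERADE"
    return None

# Ivan's three existing entries, then the tun0 entry Tom suggested.
MASQ_LINES = [
    "eth1:192.168.61.0/24    192.168.1.0/24          192.168.3.1",
    "eth1:192.168.61.0/24    192.168.250.0/24        192.168.3.1",
    "eth1:!192.168.61.0/24   eth0                    192.168.0.2",
    "tun0    !192.168.1.0/24",
]
RULES = [parse_masq_line(l) for l in MASQ_LINES]   # RULES[:3] = existing only
```

With only the three eth1 entries nothing matches a packet leaving tun0, so the home router sees the Internet client's original source address, which is what Ivan observed in the OpenWRT logs. With the tun0 entry that traffic is masqueraded to the tunnel address while office LAN sources in 192.168.1.0/24 are left untouched.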


