On 09/29/2017 11:34 AM, Jason Timmins wrote:
> Hi Tom,
> 
> Thanks for that.
> 
> I've configured the zones and options files like you suggest but it's not 
> quite working.
> 
> Packets from the branch travel across the tunnel to the firewall and get 
> passed to the Internet but tcpdump suggests that they are not NAT'd. Here's 
> an outbound ping from one machine and a DNS request from another...
> 
> 19:27:15.107897 IP 10.1.4.41 > 8.8.8.8: ICMP echo request, id 3, seq 14396, 
> length 40
> 19:27:18.375539 IP 10.1.4.51.29901 > 8.8.8.8.domain: UDP, length 46
> 
> (10.1.4.0/24 is the branch network.) This is what I have in 
> /etc/shorewall/snat...
> 
> SNAT(1.1.1.1) 10.1.4.0/24 eth0
> SNAT(1.1.1.1) 10.249.1.0/24 eth0
> 
> (Clearly, 1.1.1.1 is a fake public IP address but a real IP address is 
> actually in the file at our end.) 10.249.1.0/24 is the subnet for the LAN in 
> the data centre; masquerading from that subnet works fine.
> 
> Any ideas? Do I need to configure /etc/shorewall/tunnels or anything else?
>

Have you added rules allowing ESP and/or UDP port 4500 from the Internet
to the firewall? You would normally need that or an entry in the tunnels
file which will add those rules.

Please forward the output of 'shorewall dump' collected as described at
http://www.shorewall.org/support.htm#Guidelines. Send it to me privately
as an attachment.

Thanks,
-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
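The two alternatives Tom describes, written out as an added example that is not part of the original thread or of the Shorewall project's own documentation. It assumes the branch gateway reaches the firewall from the `net` zone and uses 203.0.113.10 as a placeholder for the branch's public IP; the tunnel type `ipsecnat` is used because the question mentions UDP 4500 (NAT traversal).

```text
# Option 1: /etc/shorewall/tunnels (added example; 203.0.113.10 is a placeholder)
# A single 'ipsecnat' entry generates the ESP, UDP 500 (IKE) and UDP 4500
# (NAT-T) accept rules between the firewall and the named gateway.
#TYPE      ZONE   GATEWAY          GATEWAY_ZONE
ipsecnat   net    203.0.113.10

# Option 2: the equivalent hand-written entries in /etc/shorewall/rules
# (use one option or the other, not both)
#ACTION    SOURCE              DEST    PROTO   DPORT
ACCEPT     net:203.0.113.10    $FW     esp
ACCEPT     net:203.0.113.10    $FW     udp     500
ACCEPT     net:203.0.113.10    $FW     udp     4500
```

Run `shorewall check` before `shorewall restart` so a typo in either file is caught before the running ruleset is replaced; restricting the source to the branch gateway rather than the whole `net` zone keeps the IKE and ESP listeners from being reachable by arbitrary Internet hosts.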


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users