On Wed, 11 Oct 2017, Tom Eastep wrote:
If you 'shorewall clear' on both firewalls, can you communicate between
the two LANs? (be sure to 'shorewall start' both after the test).
No.
Tried to flip the roles/configuration of openvpn, same result.
Then you have an OpenVPN configuration problem, not a Shorewall problem.
You might be able to work around it by masquerading your local LANs out
of the tun0 interfaces.
You mean insert:
MASQUERADE 10.8.0.0/24 tun0
into snat files?
Yes.
Already inserted without success :-(
In the "server" side my snat file is:
MASQUERADE 192.168.107.0/24 ens18
MASQUERADE 10.8.0.0/24 tun0
And
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.117.1 0.0.0.0 UG 0 0 0 ens18
10.0.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.107.0 0.0.0.0 255.255.255.0 U 0 0 0 ens19
192.168.117.0 0.0.0.0 255.255.255.0 U 0 0 0 ens18
In the "client" side:
MASQUERADE 10.0.0.0/24 vmbr1
MASQUERADE 10.8.0.0/24 tun0
and:
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.189.254 0.0.0.0 UG 0 0 0 vmbr1
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 vmbr0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.107.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
192.168.189.0 0.0.0.0 255.255.255.0 U 0 0 0 vmbr1
Is it possible to use tcpdump to monitor packets into the tunnel?
Yes, it is.
tcpdump -ni tun0 <selection expression>
That is what I tried in my experiments without result (so I supposed
there is some limit or trick to sniff the tunnel)
In LinuxGW2 I did:
tcpdump -ni tun0 host 10.0.0.242
From LAN1, box 10.0.0.242:
root@serverdoc ~# ping 192.168.107.94
PING 192.168.107.94 (192.168.107.94) 56(84) bytes of data.
^C
--- 192.168.107.94 ping statistics ---
54 packets transmitted, 0 received, 100% packet loss, time 54254ms
root@serverdoc ~# telnet 192.168.107.94 80
Trying 192.168.107.94...
^C
root@serverdoc ~# ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=0.157 ms
64 bytes from 10.8.0.2: icmp_seq=2 ttl=64 time=0.416 ms
64 bytes from 10.8.0.2: icmp_seq=3 ttl=64 time=0.388 ms
64 bytes from 10.8.0.2: icmp_seq=4 ttl=64 time=0.336 ms
64 bytes from 10.8.0.2: icmp_seq=5 ttl=64 time=0.384 ms
64 bytes from 10.8.0.2: icmp_seq=6 ttl=64 time=0.417 ms
64 bytes from 10.8.0.2: icmp_seq=7 ttl=64 time=0.383 ms
64 bytes from 10.8.0.2: icmp_seq=8 ttl=64 time=0.392 ms
64 bytes from 10.8.0.2: icmp_seq=9 ttl=64 time=0.388 ms
64 bytes from 10.8.0.2: icmp_seq=10 ttl=64 time=0.320 ms
^C
--- 10.8.0.2 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9204ms
rtt min/avg/max/mdev = 0.157/0.358/0.417/0.073 ms
root@serverdoc ~# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
^C
--- 10.8.0.1 ping statistics ---
27 packets transmitted, 0 received, 100% packet loss, time 26602ms
tcpdump in LinuxGW2 didn't receive any packet :-(
--
Thanks,
Paolo
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
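Added example (not from the thread or from Shorewall): a longest-prefix lookup over the two `route -n` tables posted above, to check which hop each gateway picks for the addresses Paolo pinged and whether LAN-to-LAN traffic would use tun0 in both directions. The table text is copied from the message; the function names are my own.

```python
"""Route lookup over `route -n` output, to check both directions of a LAN-to-LAN tunnel."""
import ipaddress

# Tables as posted in the thread ("server" gateway and "client"/LinuxGW2 gateway).
SERVER_ROUTE_N = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.117.1 0.0.0.0 UG 0 0 0 ens18
10.0.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.107.0 0.0.0.0 255.255.255.0 U 0 0 0 ens19
192.168.117.0 0.0.0.0 255.255.255.0 U 0 0 0 ens18
"""
CLIENT_ROUTE_N = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.189.254 0.0.0.0 UG 0 0 0 vmbr1
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 vmbr0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.107.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
192.168.189.0 0.0.0.0 255.255.255.0 U 0 0 0 vmbr1
"""


def parse_route_n(text):
    """Return (network, gateway-or-None, iface) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue  # skip the two header lines
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        gateway = None if f[1] == "0.0.0.0" else f[1]  # 0.0.0.0 = directly connected
        routes.append((net, gateway, f[7]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does. Returns (gateway, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def tunnel_path(client_routes, server_routes, src, dst):
    """Forward hop the client gateway picks for dst, and the return hop the server
    gateway picks for src. A LAN-to-LAN tunnel needs both to go out tun0."""
    return lookup(client_routes, dst), lookup(server_routes, src)
```

For the tables as posted, both directions of 10.0.0.242 to 192.168.107.94 resolve to tun0, so the kernel routing on the two gateways is not where the packets go missing; that is consistent with Tom's reading that the OpenVPN configuration needs checking, and with the empty tcpdump on tun0.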