Thanks for the tip; it did not help though, or maybe it was enabled in the wrong place. I inserted the command in the openvpn init script when the tunnel is successfully up and running.
Changing 1 to 0 in tun9.status in the client cleared the warning.

It must be a simple miss I've made.

Running on server and nothing comes out.
tcpdump -i tun0 udp port 53

Running on client
07:50:09.922232 IP 172.29.71.195.52801 > 10.0.0.6.domain: 50186+ A? www.msftconnecttest.com. (41)

Shorewall show routing shows
10.0.0.6 via 10.89.1.249 dev tun9
in main table.

Info in policy file produces the expected output of blocked traffic in the syslog; this traffic is completely lost, I can only see it hitting the tunnel on the client side.
Same domain lookup from firewall works perfectly.

Beats me.

Regards
Göran

-----Original Message-----
From: Tom Eastep <teas...@shorewall.net>
Sent: 18 December 2018 20:00
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] DNAT from specific host

On 12/18/18 4:24 AM, HÖGLUND, Göran via Shorewall-users wrote:
> Thanks!
> This works perfectly, I have a follow-up question though and this may be the
> cause of my real problem.
> Instead of a dns server in the dmz zone I'd like to reach a dns server over an
> openvpn connection.
>
> The tunnel device tun9 is defined as a zone, we use the tunnel to reach the
> firewall from a Nagios server where the tunnel terminates.
> Tcpdump shows traffic entering the tunnel and it looks fine from the Shorewall
> perspective in the client.
> On the server side the dns traffic from my host on the local lan on the
> client is missing.

If tcpdump sees outgoing traffic, then the configuration on that end is okay.

>
> When I start Shorewall I get a warning about the tunnel
> WARNING: Optional Interface tun9 is not usable -- tun9 not Started

Try 'shorewall enable tun9'.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________