Thanks for the tip, it did not help though, or maybe I enabled it in the wrong place.
I inserted the command in the openvpn init script, to run once the tunnel is 
successfully up and running.

Changing 1 to 0 in tun9.status in the client cleared the warning.

It must be a simple miss I've made.


Running this on the server, nothing comes out:
tcpdump -i tun0 udp port 53

Running it on the client:
07:50:09.922232 IP 172.29.71.195.52801 > 10.0.0.6.domain: 50186+ A? 
www.msftconnecttest.com. (41)

shorewall show routing shows, in the main table:
10.0.0.6 via 10.89.1.249 dev tun9

"info" in the policy file produces the expected output of blocked traffic in the 
syslog; this traffic is completely lost, I can only see it hitting the tunnel 
on the client side.
The same domain lookup from the firewall works perfectly.

Beats me.

Regards Göran

-----Original message-----
From: Tom Eastep <teas...@shorewall.net> 
Sent: 18 December 2018 20:00
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] DNAT from specific host

On 12/18/18 4:24 AM, HÖGLUND, Göran via Shorewall-users wrote:
> Thanks!
> This works perfectly. I have a follow-up question though, and this may be the 
> cause of my real problem.
> Instead of a dns server in the dmz zone I'd like to reach a dns server over an 
> openvpn connection.
> 
> The tunnel device tun9 is defined as a zone; we use the tunnel to reach the 
> firewall from a Nagios server where the tunnel terminates.
> Tcpdump shows traffic entering the tunnel, and it looks fine from the Shorewall 
> perspective on the client.
> On the server side the dns traffic from my host on the local lan on the 
> client is missing.

If tcpdump sees outgoing traffic, then the configuration on that end is okay.

> 
> When I start Shorewall I get a warning about the tunnel
> WARNING: Optional Interface tun9 is not usable -- tun9 not Started

Try 'shorewall enable tun9'.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
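The thread's symptom is one-directional: queries are visible with tcpdump on the client's tun9 but never show up on the server's tun0. The script below is an added example (not code from the thread or from the Shorewall project) that turns that manual comparison into a check: it parses tcpdump text output from both ends, keys each DNS query on its transaction id, and reports the queries that left the client but were never seen on the server. The capture lines are constructed to resemble the one posted above; the parser assumes default tcpdump formatting (port 53 printed as "domain", no -n, no EDNS "[1au]" marker between the id and the query type).

```shell
#!/bin/sh
# Added example: find DNS queries captured on the client tunnel that never
# reached the server. Capture text is constructed for the demo; in practice
# feed it from "tcpdump -i tun9 udp port 53" (client) and
# "tcpdump -i tun0 udp port 53" (server), both run for the same window.

CLIENT_CAPTURE='07:50:09.922232 IP 172.29.71.195.52801 > 10.0.0.6.domain: 50186+ A? www.msftconnecttest.com. (41)
07:50:10.103114 IP 172.29.71.195.52802 > 10.0.0.6.domain: 50187+ A? example.org. (29)
07:50:11.445002 IP 172.29.71.195.52803 > 10.0.0.6.domain: 50188+ AAAA? example.org. (29)'

# Constructed: only the second query made it across the tunnel.
SERVER_CAPTURE='07:50:10.104001 IP 172.29.71.195.52802 > 10.0.0.6.domain: 50187+ A? example.org. (29)'

# dns_query_ids CAPTURE_TEXT
# Prints one line per DNS query: "<txid> <src-ip.port> <dst-ip> <qname>".
# Matches the default tcpdump layout:
#   TIME IP SRC.PORT > DST.domain: TXID+ TYPE? NAME. (LEN)
dns_query_ids() {
    printf '%s\n' "$1" | awk '
        /^[0-9:.]+ IP [0-9.]+ > [0-9.]+\.domain: [0-9]+\+/ {
            src = $3
            dst = $5; sub(/\.domain:$/, "", dst)   # strip the port name
            id  = $6; sub(/\+$/, "", id)           # strip the recursion-desired "+"
            print id, src, dst, $8
        }'
}

# missing_on_server CLIENT_CAPTURE SERVER_CAPTURE
# Prints the client-side queries whose transaction id was never seen on the
# server side, i.e. the traffic that is being lost inside the tunnel path.
missing_on_server() {
    {
        dns_query_ids "$2" | awk '{ print "S", $1 }'   # server: ids only
        dns_query_ids "$1" | awk '{ print "C", $0 }'   # client: full records
    } | awk '
        $1 == "S" { seen[$2] = 1; next }
        !($2 in seen) { print $2, $3, $4, $5 }
    '
}

# Stand-alone run: list the lost queries.
missing_on_server "$CLIENT_CAPTURE" "$SERVER_CAPTURE"
```

Any id that is present on the client side but absent on the server side is a packet that entered the tunnel and was dropped or misrouted in between; an empty result with the symptom still present would instead point at the capture window or interface, not at the tunnel.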


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
