Thanks for your effort. I found out an OpenVPN setting for the remote LAN (routing) was missing; now I have got it to work. Enabling the vpn in Shorewall seems to make the whole chain much more steady.

I am still unable to see this specific traffic in tcpdump on the server side, but I can see it leaving the server, very odd. Anyhow, enabling the vpn gave me a much more stable connection, thanks.

/Göran

-----Original message-----
From: Tom Eastep <teas...@shorewall.net>
Sent: 19 December 2018 19:57
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] DNAT from specific host

On 12/18/18 11:58 PM, HÖGLUND, Göran via Shorewall-users wrote:
> Thanks for the tip, did not help though, or maybe enabled in the wrong place.
> I inserted the command in the openvpn init script when the tunnel is
> successfully up and running.
>
> Changing 1 to 0 in tun9.status in the client cleared the warning.
>
> It must be a simple miss I've made.
>
> Running on server and nothing comes out:
> tcpdump -i tun0 udp port 53
>
> Running on client:
> 07:50:09.922232 IP 172.29.71.195.52801 > 10.0.0.6.domain: 50186+ A? www.msftconnecttest.com. (41)

That is using tcpdump on the firewall's tun9 interface?

> Shorewall show routing shows
> 10.0.0.6 via 10.89.1.249 dev tun9
> in the main table.
>
> Info in the policy file produces the expected output of blocked traffic in the
> syslog; this traffic is completely lost, I can only see it hitting the tunnel
> on the client side.
> Same domain lookup from the firewall works perfectly.
>
> Beats me.

Me too.

-Tom

-- 
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \    an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                      \_______________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users