On 12/28/18 1:34 PM, Tom Eastep wrote:
> On 12/28/18 10:08 AM, C. Cook wrote:
>> Idk whether this is a Shorewall question or not.
>>
>> My LAN has a class C of 192.168.1.0.  The gateway for all LAN members is
>> 192.168.1.1
>>
>> Now one of the LAN members is a KVM VM at 192.168.1.16, and it is the
>> Wireguard VPN server.  Remote machines come in through the gateway and
>> are port-forwarded to the VPN server for full access to the LAN.  This
>> works fine now. (Thank you)
>>
>> First Question:  Remote VPN members can access any node in the LAN, but
>> can not get back out through the gateway for internet access.  Any idea
>> where I should look?  The VPN server does have its gateway set to
>> 192.168.1.1.
> Is the remote VPN client configured to use the VPN as a default route?

It's set so that no applications are exempted from using the VPN.  I
should think this would be equivalent.  Seems to be my only option.


>
>> Second Question:  Another member of the LAN, 192.168.1.4, is the backups
>> server.  And the backups server runs a KVM VM which handles all security
>> cameras (ZoneMinder) through a dedicated port in the class C of
>> 10.1.50.0.  This security cam VM has a second IP in the class C of the
>> LAN and serves Zoneminder to the LAN this way.
>>
>> I would like to serve Zoneminder to the outside only on the VPN.  Does
>> that mean I port-forward 80 to the VPN server, either through a reverse
>> SSH tunnel or by Shorewall DNAT?  Then to access it from remote on the
>> VPN server?  Is this the best way?  Would it then also still be
>> accessible to the LAN?
> I'm confused. Who initiates this TCP connection on port 80 and where is
> the http server?

The remote phone could initiate it using the ZM app, or any random
machine inside the LAN could initiate it.  Only the WireGuard server is
running Wg, so no internal communication is over the VPN.

Communication with the cameras could be via port 80 to get ZoneMinder
functionality, or directly from the cameras by getting the rtsp stream
with something like VLC.

>
>> Third Question:  The cameras on 10.1.50.0 are only visible to the
>> cameras server on a dedicated port.  These cameras provide a high-res
>> RTSP stream and a low-res RTSP stream, the latter being appropriate for
>> a remote phone.  Can anyone see how I can pipe the low-res stream to the
>> VPN server so it's accessible by a remote phone?
>>
> Is this stream accessible from other hosts on the LAN? If so, how?

It's not, because the cameras are in a different class C than the LAN. 
The rtsp streams can be reached by the backups server (KVM host to the
cameras VM) because it has a dual IP, one of which is in the cameras'
domain.

If I add IPs to all machines in the LAN I'm concerned that this would
put them in the collision domains of the cameras, defeating the purpose
of having them in a different class C.
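A worked example added here as an illustration; it is not code from the thread, from Shorewall or from WireGuard. It constructs WireGuard configs for the topology described above (LAN 192.168.1.0/24, gateway 192.168.1.1, WireGuard server at 192.168.1.16) and adds two small checks: the one Tom asks about, whether a client's `AllowedIPs` makes the tunnel its default route, and one a practitioner would add beside it, whether the server masquerades tunnel traffic onto the LAN, which is needed when the gateway has no route for the tunnel subnet. The tunnel subnet 10.99.0.0/24, UDP port 51820, LAN interface `eth0`, camera address 10.1.50.21, the hostname `vpn.example.org` and the placeholder keys are all assumptions. The RTSP relay for the dual-homed backups server is shown as a comment only and is not executed.

```shell
#!/bin/sh
# Added example, not from the original thread. Constructed configs for a
# WireGuard server at 192.168.1.16 on LAN 192.168.1.0/24 (gateway 192.168.1.1).
# ASSUMED values: tunnel subnet 10.99.0.0/24, port 51820, LAN interface eth0.

SERVER_CONF='[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
# Forward tunnel traffic and masquerade it as 192.168.1.16 on the LAN, so the
# gateway and LAN hosts reply to the VPN server instead of needing a route
# for 10.99.0.0/24 (alternative: a static route on the gateway via .16).
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -s 10.99.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.99.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# remote phone
PublicKey = <phone-public-key>
AllowedIPs = 10.99.0.2/32
'

# Client A: full tunnel. 0.0.0.0/0 makes wg-quick install a default route via
# the tunnel, so internet traffic also goes to the server and out via .1.
CLIENT_FULL='[Interface]
Address = 10.99.0.2/32
PrivateKey = <phone-private-key>
DNS = 192.168.1.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
'

# Client B: split tunnel. Only the tunnel and LAN subnets are routed through
# the VPN; internet traffic leaves the phone directly.
CLIENT_SPLIT='[Interface]
Address = 10.99.0.2/32
PrivateKey = <phone-private-key>

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.org:51820
AllowedIPs = 10.99.0.0/24, 192.168.1.0/24
'

# Print the AllowedIPs value of the first [Peer] section of the config on stdin.
wg_allowed_ips() {
  awk '
    /^ *\[Peer\]/ { in_peer = 1; next }
    /^ *\[/       { in_peer = 0 }
    in_peer && /^ *AllowedIPs *=/ {
      sub(/^[^=]*= */, ""); sub(/ *$/, ""); print; exit
    }
  '
}

# Exit 0 if the client config (passed as $1) routes everything through the
# tunnel, i.e. AllowedIPs contains 0.0.0.0/0 or ::/0.
wg_is_full_tunnel() {
  printf '%s' "$1" | wg_allowed_ips | tr ',' '\n' | tr -d ' ' \
    | grep -qxE '0\.0\.0\.0/0|::/0'
}

# Exit 0 if the server config (passed as $1) masquerades tunnel traffic.
wg_server_masquerades() {
  printf '%s' "$1" | grep -qE '^ *PostUp *=.*-t nat .*MASQUERADE'
}

# RTSP low-res stream for VPN clients (commented, not run here). On the
# dual-homed backups server (192.168.1.4 and an address in 10.1.50.0/24) a
# plain TCP relay exposes one camera's RTSP port on the LAN side without
# giving LAN hosts an address in the camera subnet (camera 10.1.50.21 assumed):
#   socat TCP-LISTEN:8554,fork,reuseaddr,bind=192.168.1.4 TCP:10.1.50.21:554
# Clients then open rtsp://192.168.1.4:8554/<low-res-path> over the VPN.
# Caveat: only RTSP with TCP (interleaved) transport survives a TCP-only relay
# (VLC: --rtsp-tcp), and cameras that embed their own 10.1.50.x address in the
# SDP/Content-Base will not work through a relay that does not rewrite it.
```

To check a real client file: `wg_is_full_tunnel "$(cat phone.conf)" && echo "default route via tunnel"`. Note that the phone app option "no applications are exempted" only decides which apps use the tunnel; which destinations go through it is still governed by `AllowedIPs`.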
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
