On 1/13/19 11:24 AM, Tom Eastep wrote:
> On 1/13/19 11:21 AM, C. Cook wrote:
>>> What you are trying to do *will never work*. You are accepting web
>>> connections on the public IP address on the Shorewall router, port
>>> forwarding them to the web server, which is trying to reply out of the WG
>>> server. There are two problems with this idea:
>>>
>>> a) The WG server can't reverse the effect of the DNAT in the router, so
>>> the responses are going out with the wrong source IP.
>>>
>>> b) Even if DNAT were not involved, you would likely be sending packets
>>> out through one ISP with source addresses assigned to another ISP. Those
>>> are subject to being dropped.
>>>
>>> -Tom
>> Understand. But I only arrived here after my sites went down with no
>> mods to the webserver VM, and a full day of trying to get them back up.
>>
>> And my goal is ultimately to move my server to the outgoing VPN, but
>> that's low priority. Sites out is high priority.
>>
> The obvious fix is to change the web server's default gateway back to
> the Shorewall router.
>
> -Tom
The web server's default gateway is and always has been the router. Router's eth2 is DMZ at 10.1.1.2. And in the router, the correct IP for the web server:

Web(DNAT) net dmz:10.1.1.30 - - - - 3/sec:10
Web(DNAT) local dmz:10.1.1.30 - - - ð0

I don't know what happened, but the sites are back up now, thankfully. Maybe I was in such a rush to get this going that I misinterpreted things.
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
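The failure Tom describes (the router DNATs the inbound connection, but the web server's reply leaves by a different path, so the DNAT is never reversed) is easy to test for from the web server itself: ask the kernel which route a reply to a public client would take and confirm the next hop is the Shorewall router that did the DNAT. The script below is an added example and is not from this thread or from Shorewall; it assumes the router's DMZ address 10.1.1.2 from the thread, invents the interface names eth0 and wg0 and the client address 203.0.113.10 for the constructed sample route lines, and parses `ip route get` output in the format current iproute2 prints.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall). On the DMZ web
# server, replies to DNAT'd connections must go back through the router
# that applied the DNAT, otherwise the source address is never rewritten
# back to the public IP. This checks the return path the kernel would use.

# Assumption: the Shorewall router's DMZ address, as given in the thread.
ROUTER_IP="10.1.1.2"

# check_return_path ROUTE_LINE EXPECTED_GW
#   ROUTE_LINE is one line as printed by `ip route get <client-addr>`.
#   Returns 0 when the reply would be sent via EXPECTED_GW, 1 otherwise
#   (including when the route has no "via" at all, e.g. a tunnel device
#   like a WireGuard wg0 that is a directly connected point-to-point link).
check_return_path() {
    _route="$1"
    _gw="$2"
    _via=$(printf '%s\n' "$_route" | sed -n 's/.* via \([^ ]*\).*/\1/p')
    [ "$_via" = "$_gw" ]
}

# Constructed sample outputs (interface names and client IP are made up):
# a correct return path through the router, and an asymmetric one that
# would leave via a WireGuard tunnel and never be un-DNATed.
SAMPLE_GOOD="203.0.113.10 via 10.1.1.2 dev eth0 src 10.1.1.30 uid 0"
SAMPLE_BAD="203.0.113.10 dev wg0 src 10.66.0.2 uid 0"

# report ROUTE_LINE: prints a human-readable verdict for one route line.
report() {
    if check_return_path "$1" "$ROUTER_IP"; then
        echo "OK   reply goes via $ROUTER_IP: $1"
    else
        echo "BAD  reply bypasses $ROUTER_IP (DNAT cannot be reversed): $1"
    fi
}

report "$SAMPLE_GOOD"
report "$SAMPLE_BAD"

# Live use on the web server (not executed here):
#   report "$(ip route get 203.0.113.10 | head -n 1)"
```

On a live host, substitute the address of a real external client for 203.0.113.10; a route line without `via`, or with a gateway other than the router, means the server's default route (or a more specific route, such as one installed for a VPN) is sending DNAT'd replies the wrong way.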