On 9/19/20 9:40 AM, Shorewall via Shorewall-users wrote:
> Just a heads up, this is not really a SHOREWALL question, although shorewall is part of the solution. I am posting here because I know there are some really smart people here who understand iptables/routing/vpn and I believe can help answer my question or point me in the right direction.
>
> To simplify things let's say I have your typical 2-interface shorewall setup, one interface to internet, the other to LAN. On the LAN network I have a raspberry pi that I run nextcloud on. So I forward traffic from internet to nextcloud server and everything works fine. So I decide I also want to turn that raspberry pi into a wifi access point with hostapd. So that is all setup and works fine. Now I decide I want to turn that raspberry pi wifi access point into an access point whose internet connection is through VPN. So that is all set up and working fine <Doing a postroute; sending everything outbound through the tun0 interface>
>
> So the issue, which I assume most people have figured out by now, is that by doing the above, I have broken the ability of the internet to connect to the raspberry pi nextcloud server. So shorewall still forwards packets to raspberry pi which are received, but I assume return packets instead of going back the way they came in now go out the tun0 interface (as told) which makes the packet "Lost in translation".
>
> So what I would like to do is set up iptables on the raspberry pi so that packets from the internet which came through eth0 (from shorewall forwarding) go back the way they came, while still having the wifi interface of raspberry pi still accept packets (from wifi access point) and send those packets to the internet via the tun0 interface.
>
> I tried reading about packet marking both in shorewall and in iptables thinking that is probably the solution, but I quickly was down the rabbit hole and not necessarily getting closer to a solution.
>
> So I am asking this group 1) if what I am trying to accomplish is possible. 2) Is marking packets the correct solution? 3) Anyone know of a good guide that might help?
>
> If this is against this mailing list's rules and regulations, I apologize. I thought as I believe the answer to be an iptables solution, and I have subscribed to this list for many years, that people here would certainly have the knowledge to help.
>
Sounds like you want to use Shorewall's multi-ISP facility (https://shorewall.org/MultiISP.html). Make tun0 the 'primary' provider and eth0 the 'fallback' provider.

-Tom

--
Tom Eastep            \   Q: What do you get when you cross a mobster
Shoreline,             \     with an international standard?
Washington, USA         \ A: Someone who makes you an offer you
http://shorewall.org     \    can't understand
\________________________________________
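As an added illustration (not part of the thread and not the Shorewall project's own documentation), the providers entries that Tom's suggestion maps to on the Pi. It assumes Shorewall is installed on the Pi itself, that shorewall.conf has USE_DEFAULT_RT=Yes, that the LAN router reachable over eth0 is 192.168.1.1 (constructed address), and that the VPN presents a point-to-point tun0:

```text
# /etc/shorewall/providers on the Raspberry Pi (added example, not from the thread)
#
# balance  -> tun0 carries the default route, so the wifi clients' traffic
#             (forwarded from wlan0) leaves through the VPN
# fallback -> eth0 only becomes the default route if tun0 goes down
# track    -> a connection that ARRIVES on an interface is marked so its
#             replies leave through that same interface; this is what keeps
#             the Nextcloud connections forwarded in over eth0 from being
#             answered via tun0 ("lost in translation")
# optional -> the provider is skipped while the interface is down (tun0 does
#             not exist until the VPN is up)
# DUPLICATE stays '-' because USE_DEFAULT_RT=Yes is assumed in shorewall.conf
#
#NAME    NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS                  COPY
vpn      1       0x1   -          tun0       -            track,balance,optional   -
uplink   2       0x2   -          eth0       192.168.1.1  track,fallback,optional  -
```

The MARK values must not collide with any marks you already set in the mangle file; after restarting, `shorewall show routing` lists the per-provider tables and the fwmark rules Shorewall generated, which is a quick way to confirm that eth0-originated connections are being pinned to the uplink table.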
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users