Issue has been resolved.
- The rules were likely "working" but not working due to my not having a
complete understanding of DNAT, which a friend cleared up for me. I'm using
Nginx Proxy Manager to successfully handle the traffic redirects (a minor pain
since each port to stream has to be individually configured - it won't do port
ranges, but at least it's working).
- The VPN was a bad test. I tested internally and it still wouldn't connect, at
which point I started digging and found out that both my client certificate and
the server side CRL certificate had expired since my last successful connection
before the ISP fiasco.
---
Mark D Montgomery II
https://www.techiem2.net (Personal Site)
https://shop.techiem2.tv (Photo Portfolio/Shop)
https://pillar.io/techiem2 (Social links, etc.)
Sent with [Proton Mail](https://proton.me/mail/home) secure email.
On Sunday, December 8th, 2024 at 11:15 PM, Mark D Montgomery II via
Shorewall-users <shorewall-users@lists.sourceforge.net> wrote:
> I THINK this is a DNAT issue but I'm not certain, since I haven't messed with
> dual interface and DNAT in years.
> I could very well have something else misconfigured somewhere. :)
>
> Long story short, I'm trying to use a VPS as a tunnel to my LAN since my ISP
> keeps breaking bridge mode (and it's currently been broken for about a
> month...).
>
> So basically right now I have
> Internet -> VPS -> LAN (via wireguard tunnel)
> I can ping and ssh from VPS to various machines on LAN as well as from LAN to
> VPS, so the routing and basic rules there all seem to be good.
> However, when I add a DNAT rule it does not appear to actually hit the
> destination (or something is not establishing).
> I'm testing with my OpenVPN client (maybe a bad idea?) since that should be
> fairly straightforward...
>
> Zones:
> #ZONE TYPE OPTIONS IN OUT
> # OPTIONS OPTIONS
> fw firewall
> net ipv4
> vpn ipv4
>
> Interfaces:
> #ZONE INTERFACE OPTIONS
> net eth0 dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
> vpn wg0 routeback
>
> Policy:
> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
> $FW net ACCEPT
> vpn all ACCEPT
> $FW vpn ACCEPT
> net all DROP info
> # The FOLLOWING POLICY MUST BE LAST
> all all REJECT info
>
> DNAT Rule from Rules:
> #OpenVPN
> DNAT net vpn:192.168.100.6 udp 1194
>
> Wireguard subnet: 192.168.10.0/24
> Home server subnet: 192.168.100.0/24
>
> shorewall show nat
>
> Chain net_dnat (1 references)
> pkts bytes target prot opt in out source destination
> 4 328 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 to:192.168.100.6
>
> VPN client on phone just gives the standard failed to complete handshake in
> 60 seconds blah blah.
>
> Any thoughts/suggestions?
>
> Thanks!
>
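The reply at the top of this thread traced the OpenVPN handshake failure to an expired client certificate and an expired server-side CRL rather than to the DNAT rule, which is worth ruling out before touching the firewall. As an added example that is not part of this thread or of Shorewall, the Go program below checks both expiries in one pass; MakeTestPKI is a constructed self-signed fixture standing in for a real OpenVPN PKI, and the function names are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CheckPKI reports, as of now, whether a PEM client certificate is outside its
// validity window and whether a PEM CRL is past its nextUpdate.
func CheckPKI(certPEM, crlPEM []byte, now time.Time) (certExpired, crlStale bool, err error) {
	cb, _ := pem.Decode(certPEM)
	kb, _ := pem.Decode(crlPEM)
	if cb == nil || kb == nil {
		return false, false, errors.New("certificate or CRL is not PEM encoded")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	crl, err2 := x509.ParseRevocationList(kb.Bytes)
	if err != nil || err2 != nil {
		return false, false, errors.Join(err, err2)
	}
	// A certificate that is not yet valid fails the handshake just like an expired one.
	return now.Before(cert.NotBefore) || now.After(cert.NotAfter), now.After(crl.NextUpdate), nil
}

// MakeTestPKI is a constructed fixture, not a real PKI: a self-signed CA and a CRL
// it signs, each expiring certDays / crlDays from now (negative = already expired).
func MakeTestPKI(certDays, crlDays int) (certPEM, crlPEM []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	certEnd, crlEnd := time.Now().AddDate(0, 0, certDays), time.Now().AddDate(0, 0, crlDays)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: certEnd.AddDate(-1, 0, 0), NotAfter: certEnd, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	ca, _ := x509.ParseCertificate(der) // re-parse so the issuer carries RawSubject and SubjectKeyId
	crlDER, err2 := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: crlEnd.AddDate(0, -1, 0), NextUpdate: crlEnd}, ca, key)
	if err != nil || err2 != nil {
		panic(errors.Join(err, err2))
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: crlDER})
}
```

Point CheckPKI at the client .crt and the server's crl.pem and a stale CRL shows up as a failure of its own, even when the client certificate is still fine.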
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users