On Sun, Dec 13, 2015 at 10:55:46PM +0100, Jan Palus wrote:
> With kernel-netlink however I can achieve higher throughput with less
> CPU being used, but in that case SNAT seems to fail sometimes
> (connections are initiated correctly but "hang" after a while). Main
> difference is the lack of dedicated interface so routing customization
> is not required, but below SNAT rule seems to result in hanging
> connections:
> 
> iptables -t nat -A POSTROUTING -o WAN -d A,B -j SNAT --to-source <virtual-ip>

If you have set option masq for your WAN zone (set by default),
the autogenerated MASQUERADE rule takes priority over your SNAT rule,
assuming you entered it into /etc/firewall.user or have it generated
by an updown script.
VPN traffic is then erroneously mapped to the IP address of the WAN
interface instead of the IPsec virtual IP, and does not match the
tunnel's policy anymore.

You should insert your SNAT as the first rule in the POSTROUTING chain,
or restrict the scope of the WAN MASQUERADE to non-IPsec traffic.

It is also possible to achieve the same result through uci, without
manually inserting netfilter rules. I'll include parts of my OpenWrt
config below to illustrate this (OpenWrt 15.05, CHAOS CALMER).

Regards,
Mirko

------------------------------------------------------------------------

# /etc/config/firewall
config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT
        option extra_src        "-m policy --dir in --pol none"
        option extra_dest       "-m policy --dir out --pol none"

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option extra_src        "-m policy --dir in --pol none"
        option extra_dest       "-m policy --dir out --pol none"
        option masq             1
        option mtu_fix          1

config zone
        option name             vpn
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option subnet           192.168.178.0/24
        option extra_src        "-m policy --dir in --pol ipsec --proto esp"
        option extra_dest       "-m policy --dir out --pol ipsec --proto esp"
        option conntrack        1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

config forwarding
        option src              lan
        option dest             vpn

config rule
        option name             Allow-VPN-TCP-some
        option src              vpn
        option dest             lan
        option dest_port        "22 80 443"
        option proto            tcp
        option target           ACCEPT

config rule
        option name             Allow-VPN-ping
        option src              vpn
        option dest             lan
        option proto            icmp
        option icmp_type        echo-request
        option target           ACCEPT

# Accept IPsec for OpenWrt gateway (input)
config rule
        option name             Allow-IKE-input
        option src              wan
        option proto            udp
        option dest_port        "500 4500"
        option target           ACCEPT

config rule
        option name             Allow-ESP-input
        option src              wan
        option proto            esp
        option target           ACCEPT
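
As an added illustration (not part of Mirko's reply or the OpenWrt config above), here is a small Python model of first-match evaluation in the nat POSTROUTING chain that reproduces the three cases discussed: the SNAT appended after the autogenerated MASQUERADE, the SNAT inserted as rule 1, and the MASQUERADE restricted with "-m policy --dir out --pol none". The addresses, the interface name WAN and the helper functions are constructed for the example.

```python
# Added example (not from the thread): toy model of first-match evaluation in
# netfilter's nat POSTROUTING chain; why an appended SNAT loses to MASQUERADE.
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    out_iface: str
    ipsec_policy: bool  # True when an outbound IPsec policy covers the packet

@dataclass
class Rule:
    target: str             # "MASQUERADE" or "SNAT"
    out_iface: str = None   # -o <iface>
    dsts: tuple = ()        # -d A,B (empty: any destination)
    pol: str = None         # -m policy --dir out --pol {ipsec,none}
    to_source: str = None   # --to-source <ip> (SNAT only)

    def matches(self, pkt):
        return ((not self.out_iface or pkt.out_iface == self.out_iface)
                and (not self.dsts or pkt.dst in self.dsts)
                and (self.pol != "ipsec" or pkt.ipsec_policy)
                and (self.pol != "none" or not pkt.ipsec_policy))

def postrouting(chain, pkt, wan_ip):
    """Source address the packet leaves with; the first matching rule wins."""
    for rule in chain:
        if rule.matches(pkt):
            return wan_ip if rule.target == "MASQUERADE" else rule.to_source
    return pkt.src  # no NAT rule matched

# Constructed addresses (documentation ranges), not values from the thread.
WAN_IP = "198.51.100.1"                    # address of the WAN interface
VIRTUAL_IP = "10.10.10.5"                  # IPsec virtual IP from the peer
PEER_HOSTS = ("192.0.2.10", "192.0.2.11")  # the "A,B" destinations
VPN_PKT = Packet("192.168.1.20", "192.0.2.10", "WAN", ipsec_policy=True)
PLAIN_PKT = Packet("192.168.1.20", "203.0.113.7", "WAN", ipsec_policy=False)
MASQ = Rule("MASQUERADE", out_iface="WAN")
MASQ_NON_IPSEC = Rule("MASQUERADE", out_iface="WAN", pol="none")
SNAT = Rule("SNAT", out_iface="WAN", dsts=PEER_HOSTS, to_source=VIRTUAL_IP)

def snat_appended():        # firewall.user rule lands after MASQUERADE: broken
    return postrouting([MASQ, SNAT], VPN_PKT, WAN_IP)

def snat_inserted_first():  # iptables -t nat -I POSTROUTING 1 ...: fixed
    return postrouting([SNAT, MASQ], VPN_PKT, WAN_IP)

def masq_restricted(pkt):   # wan zone extra_dest "--pol none": fixed
    return postrouting([MASQ_NON_IPSEC, SNAT], pkt, WAN_IP)
```

In the broken ordering the VPN packet leaves with the WAN address and no longer matches the tunnel's policy; both fixes keep the virtual IP for IPsec traffic while plain Internet traffic is still masqueraded.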
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users