Mike Dillinger
2017-04-15 19:35:40 UTC
(I'm re-posting without using HTML - apologies for doing that)
Hello,
I have a very basic 3 interface setup - no packet marking, load
balancing, etc (this might need to change though). My three interface
setup is like so:
net/eth0 ISP
loc/eth1 LAN
vpn0/tun0 OpenVPN client tunnel on eth0
I'm trying to achieve two things and I'm unable to figure out how to do
this.
1. I lose all incoming traffic on eth0 when tun0 is up. So, for
instance, I'd like external SSH access; I have a Plex Media Server that
I'd like external access to, and a few other things. I do not believe
it's a routing issue. Observe:
# without vpn
$ ip route ls
default via 72.x.x.x dev eth0
72.x.x.x/22 dev eth0 proto kernel scope link src 72.x.x.x
192.168.122.0/23 dev eth1 proto kernel scope link src 192.168.123.1
# with vpn
$ ip route ls
0.0.0.0/1 via 10.y.y.y dev tun0
default via 72.x.x.x dev eth0
10.y.y.y/24 dev tun0 proto kernel scope link src 10.y.y.y
72.x.x.x/22 dev eth0 proto kernel scope link src 72.x.x.x
128.0.0.0/1 via 10.y.y.y dev tun0
142.z.z.z via 72.x.x.x dev eth0 # 142.z.z.z = vpn gateway
192.168.122.0/23 dev eth1 proto kernel scope link src 192.168.123.1
So I see the eth0 route present regardless of tun0's existence (albeit
lower in the chain when tun0 is up), so that's why I don't think it's a
routing issue.
Here is my Shorewall policy:
loc fw ACCEPT
loc net ACCEPT
loc vpn0 ACCEPT
fw loc ACCEPT
fw net ACCEPT
fw vpn0 ACCEPT
net all DROP info
vpn0 all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
...and here is my Shorewall rule to allow SSH (SSH server runs on the
FW), for example:
ACCEPT:info net fw tcp 22
2. I'd like to have a small portion of clients use eth0 instead of tun0
for outgoing traffic. I figured I could fix this in snat, but it's not
working. All outbound traffic is using tun0. Here is my snat:
{ action=>MASQUERADE, source=>"192.168.123.35,192.168.123.43", dest=>eth0 }
{ action=>MASQUERADE,
source=>"192.168.123.0/23!192.168.123.35,192.168.123.43", dest=>tun0 }
Both eth0 and tun0 are dynamic IPs, so I have to use MASQUERADE based on
what I've read in the docs.
BTW - I love the new config file format and thanks for implementing
that. It saves a lot of heartache if you have nothing to specify in
certain columns.
My Shorewall version is 5.0.15.2 and I'm running on Debian/testing 9.0.
Any help is greatly appreciated.
Thanks,
-MikeD