Discussion:
[Shorewall-users] rtrules and openvpn; trying to set routing thru vpn according to lan source addr
Adam Cécile
2017-03-15 21:56:38 UTC
Hello,


I'm trying to configure a single host on my LAN to be routed to the
Internet through a VPN connected on my Shorewall router. All other hosts
are routed to the Internet directly.

Sadly, I can't get that working...


The router is configured as:

wan: 192.168.178.254, gw 192.168.178.1 (ISP to internet); with SNAT

tun99: 10.100.0.6, gw 10.100.0.1 (OpenVPN, internet with SNAT on
server-side, working fine if static routing is done)

brlan: 10.1.0.254


What I'm trying to achieve is that every host in 10.1.0.0/24 reaches the Internet
through "wan", except 10.1.0.9, which uses "tun99" instead.


I tried the following:


snat:

SNAT(192.168.178.254) 10.1.0.0/24 wan


providers:

ISP 1 1 - wan 192.168.178.1 track -
VPN 2 2 - tun99 10.100.0.1 track -


rtrules:

10.1.0.0/24 - ISP 1000

10.1.0.9/32 - VPN 1001


Can you help me figure out what's wrong?


Thanks in advance,


Best regards, Adam.
Tom Eastep
2017-03-15 22:23:17 UTC
Post by Adam Cécile
Hello,
I'm trying to configure a single host from my lan to be routed to
internet through a VPN connected on my shorewall router. All other
hosts are routed to internet directly.
Sadly, I can't get that working...
wan: 192.168.178.254, gw 192.168.178.1 (ISP to internet); with
SNAT
tun99: 10.100.0.6, gw 10.100.0.1 (OpenVPN, internet with SNAT on
server-side, working fine if static routing is done)
brlan: 10.1.0.254
What I'm trying to achieve is that every host in 10.1.0.0/24 reaches the Internet
through "wan", except 10.1.0.9, which uses "tun99" instead.
SNAT(192.168.178.254) 10.1.0.0/24 wan
ISP 1 1 - wan 192.168.178.1 track -
VPN 2 2 - tun99 10.100.0.1 track -
10.1.0.0/24 - ISP 1000
10.1.0.9/32 - VPN 1001
Can you help me figure out what's wrong?
Reverse the priorities of the rules.

-Tom
--
Tom Eastep
Shoreline, Washington, USA
http://shorewall.net
Q: What do you get when you cross a mobster with an international standard?
A: Someone who makes you an offer you can't
Adam Cécile
2017-03-16 09:10:45 UTC
Hello,

Thanks for the answer. You mean switch 1000 and 1001 only, right? Does the order of the lines in the file also matter?

Regards, Adam.
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Adam Cécile
2017-03-16 19:21:29 UTC
Hello,

I modified rtrules like this:

10.1.0.0/24 - ISP 1001
10.1.0.9/32 - VPN 1000

Now it's working, except that the firewall itself gets Internet
through the VPN instead of the ISP.
Any hint?

Thanks in advance,

Regards.
Tom Eastep
2017-03-16 20:03:45 UTC
Post by Adam Cécile
Hello,
10.1.0.0/24 - ISP 1001
10.1.0.9/32 - VPN 1000
Now it's working, except that the firewall itself gets
Internet through the VPN instead of the ISP. Any hint?
You need to add an entry for the firewall's Internet interface address.

-Tom
Adam Cecile
2017-03-16 20:24:14 UTC
I added a route with "lo" as source and it seems to fix the issue.
Is that correct?

Thanks
Tom Eastep
2017-03-16 20:43:27 UTC
Post by Adam Cecile
I added a route with "lo" as source and it seems to fix the issue.
Is that correct?
Yes -- that usually works.

-Tom
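As an added illustration (not code from the thread, nor from Shorewall itself), a small Python model of the rule evaluation behind both of Tom's answers: the policy routing database is walked in ascending priority and the first match wins, so the /32 entry must carry a lower number than the /24 that contains it, and traffic the firewall originates needs its own entry. The `unmatched` fallback (set to VPN to reproduce the symptom Adam reported) and the ip(8) rendering are assumptions of the model, not a description of what Shorewall generates.

```python
import ipaddress

# Addresses, provider names and table numbers are the ones posted in the
# thread; "lo" is Shorewall's SOURCE value for packets the firewall itself
# originates. Rules are (priority, source, provider) triples like rtrules.

def _matches(source, src_ip, from_firewall):
    if source == "lo":  # firewall-originated traffic, whatever its address
        return from_firewall
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source, strict=False)

def select_provider(rtrules, src_ip, from_firewall=False, unmatched="main"):
    """Provider chosen for a packet: lowest priority number that matches wins.
    `unmatched` is an assumption standing in for whatever default route the
    main table holds when no rule fires."""
    for _prio, source, provider in sorted(rtrules):
        if _matches(source, src_ip, from_firewall):
            return provider
    return unmatched

def as_ip_rule(rtrules, tables):
    """Approximate ip(8) commands equivalent to the rules, for comparison with
    the output of `ip -4 rule show`; `tables` maps provider name -> NUMBER."""
    lines = []
    for prio, source, provider in sorted(rtrules):
        match = "iif lo" if source == "lo" else f"from {source}"
        lines.append(f"ip -4 rule add {match} pref {prio} table {tables[provider]}")
    return lines

TABLES = {"ISP": 1, "VPN": 2}          # NUMBER column of the providers file
WAN_ADDR = "192.168.178.254"           # the firewall's own Internet address

ORIGINAL = [(1000, "10.1.0.0/24", "ISP"), (1001, "10.1.0.9/32", "VPN")]  # first post
REVERSED = [(1001, "10.1.0.0/24", "ISP"), (1000, "10.1.0.9/32", "VPN")]  # after "reverse"
FIXED = REVERSED + [(1002, "lo", "ISP")]                                 # plus firewall entry

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("reversed", REVERSED), ("fixed", FIXED)):
        print(f"{name:8s} 10.1.0.9 -> {select_provider(rules, '10.1.0.9')}"
              f" | 10.1.0.20 -> {select_provider(rules, '10.1.0.20')}"
              f" | firewall -> {select_provider(rules, WAN_ADDR, True, unmatched='VPN')}")
    print("\n".join(as_ip_rule(FIXED, TABLES)))
```

Running it shows 10.1.0.9 going out via ISP with the original numbering, via VPN once the priorities are swapped, and the firewall's own traffic only returning to ISP after the "lo" entry is added.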