[Shorewall-users] OpenVPN traffic not passing through Shorewall (5.0.4) to static routed destination
Philipp Felix Hoefler
2016-07-20 12:24:34 UTC
Dear list,

when starting Shorewall all traffic from local OpenVPN (2.3.11) is
blocked/rejected. Without any firewall rules (“shorewall clear”) all
traffic works flawlessly - so I assume it’s not a routing or network
error (though I'll let myself be convinced otherwise ;-) )

Short system information:
CentOS 7.2.1511
Shorewall 5.0.4
OpenVPN 2.3.11

Host has a static route to the destination network (10.249.0.0/16) via a
router in between. Transit-LAN is 10.249.100.64/26. OpenVPN subnet is
10.20.40.0/21.
The Router has of course a “backroute” (10.20.40.0/21 via 10.249.100.67)

Short network layout:

HQ (10.249.0.0/16) <—> Router (10.249.100.126) <—> Shorewall & OpenVPN
Server (10.249.100.67) <— OpenVPN tunnel —> 10.20.41.3

Pinging (and other connections) from 10.20.41.3 to 10.249.0.15 does not
work with Shorewall started. When issuing a “shorewall clear” all
connections work.

Please find my “shorewall dump” attached.

Thanks a lot!

Kind regards,
philipp
Tom Eastep
2016-07-23 15:22:55 UTC
Post by Philipp Felix Hoefler
Dear list,
when starting Shorewall all traffic from local OpenVPN (2.3.11) is
blocked/rejected. Without any firewall rules (“shorewall clear”)
all traffic works flawlessly - so I assume it’s not a routing or
network error (though I'll let myself be convinced otherwise ;-) )
Short system information: CentOS 7.2.1511 Shorewall 5.0.4 OpenVPN
2.3.11
Host has a static route to the destination network (10.249.0.0/16)
via a router in between. Transit-LAN is 10.249.100.64/26. OpenVPN
subnet is 10.20.40.0/21. The Router has of course a “backroute”
(10.20.40.0/21 via 10.249.100.67)
HQ (10.249.0.0/16) <—> Router (10.249.100.126) <—> Shorewall &
OpenVPN Server (10.249.100.67) <— OpenVPN tunnel —> 10.20.41.3
Pinging (and other connections) from 10.20.41.3 to 10.249.0.15 does
not work with Shorewall started. When issuing a “shorewall clear”
all connections work.
Please find my “shorewall dump” attached.
It appears that your interfaces file contains:

vpn vpn+ ...

When you actually want

vpn tun+ ...

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
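The fix Tom points at is Shorewall's interface wildcard: a trailing `+` in the INTERFACE column matches any interface whose name begins with the prefix, so `tun+` covers `tun0`, `tun1`, ... while `vpn+` matches nothing OpenVPN creates, and packets arriving on `tun0` then belong to no zone at all. The script below is an added example (not from the thread and not Shorewall's own code) that applies those matching semantics to a constructed interfaces file and a constructed list of host interfaces, so you can spot such a gap before starting the firewall. The file contents, interface names and the `?FORMAT 2` column layout are assumptions for the example.

```python
"""Report which host interfaces an /etc/shorewall/interfaces file covers.

Added example, not part of the mailing-list thread or of Shorewall.
Everything below (file contents, interface names) is constructed.
"""

# Constructed interfaces file mirroring the thread: the 'vpn+' entry is the
# misconfiguration Tom spotted; the commented-out line is the intended one.
INTERFACES_FILE = """\
?FORMAT 2
#ZONE   INTERFACE       OPTIONS
net     eth0            dhcp,tcpflags
vpn     vpn+            routeback
# vpn   tun+            routeback
"""

# Constructed list of interfaces present on the host (what `ip link` shows).
HOST_INTERFACES = ["lo", "eth0", "tun0"]


def parse_interfaces(text):
    """Return (zone, interface_pattern) pairs from an interfaces file.

    Skips blank lines, '#' comments (full-line and trailing) and '?' compiler
    directives such as '?FORMAT 2'.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("?"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # malformed line, ignore here
        entries.append((fields[0], fields[1]))
    return entries


def interface_matches(pattern, name):
    """Shorewall wildcard semantics: a trailing '+' matches any interface
    whose name starts with the prefix; otherwise the name must match exactly."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def zone_for(name, entries):
    """Zone the first matching entry assigns to an interface, or None."""
    for zone, pattern in entries:
        if interface_matches(pattern, name):
            return zone
    return None


def uncovered_interfaces(host_ifaces, entries):
    """Host interfaces no entry covers. Traffic on them gets no zone and hence
    none of the zone's rules; 'lo' is excluded because Shorewall never expects
    it to be listed."""
    return [n for n in host_ifaces
            if n != "lo" and zone_for(n, entries) is None]


if __name__ == "__main__":
    entries = parse_interfaces(INTERFACES_FILE)
    for iface in HOST_INTERFACES:
        print(f"{iface:6} -> zone {zone_for(iface, entries)}")
    missing = uncovered_interfaces(HOST_INTERFACES, entries)
    if missing:
        print("interfaces not covered by any entry:", ", ".join(missing))
```

With the `vpn+` entry the script reports `tun0` as uncovered; change the pattern to `tun+` and `tun0` lands in the `vpn` zone. On a live host, replace the constructed `HOST_INTERFACES` list with the names from `ip -o link` to run the same check against the real configuration.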
Philipp Felix Hoefler
2016-07-24 08:04:58 UTC
Ohhh… That's really embarrassing now ;-)

That was it!
Thanks a lot for your help! I appreciate it very much.

Best regards,
philipp
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users