On Jul 2, 2011, at 10:28 PM, Tyler Walters wrote:

> Hello,
> 
> I have a server with 5 public facing ips, and one OpenVPN tun
> connection. The 5 ips are all from the same provider and face the same
> gateway. I would eventually like to route all of one user's traffic to
> and from the VPN while leaving the rest of the server's traffic
> untouched. There is no local lan, and the firewall is also the server
> -- everything resides on $FW.
> 
> I have tried this from a number of angles, so I set up a VMWare machine
> to run a limited test before migrating it to the full scale server. I
> am testing using "ping -I tun0 google.ca" and "ping google.ca", where
> the first one should route to and from tun0 only, and the second to
> and from eth0 only (by default). tun0 will always be assigned the
> static ip of 10.88.0.6 and eth0 always 192.168.217.128. The tunnel has
> been successfully tested and monitored using tshark on both ends of the
> tunnel, and on all interfaces (both tun* and eth* at each side). Below
> is version information, the commands that successfully work WITHOUT
> shorewall being installed at all, and attached is a dump of all config
> files as well as a "shorewall dump". Thanks for your help, hopefully
> this is easier than I find it to be thus far.


Don't use either the route_rules or routes file and simply put this in your 
/etc/shorewall/providers:

#PROVIDER  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
ISP        1       -     main       eth0       192.168.217.2  track,balance  none
VPN        2       -     main       tun0       10.88.0.5      -              none

That's it!

-Tom
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
