On 4/29/2014 2:50 PM, Marcello Giordano wrote:
> Hi,
> 
> Thanks for this great piece of software!
> I'm trying to set up my network as follows:
> 
> $FW machine is running shorewall and has two NICs, one (wlan1) connected
> to the internet through a router; the second (eth0) masquerading a subnet.
> I recently bought a VPN access (I use OpenVPN on interface tun0) and
> followed the multi-ISP howto to set up two providers, 1 on wlan1
> (fallback) and 2 on tun0 (balanced).
> 
> What I am trying to achieve is to have the $FW and the subnet connected
> to eth0 use the main internet connection through wlan1, and no VPN.
> 
> Only one specific user on the $FW (called rtorrent) would have instead
> all his traffic routed through the VPN (I'm marking his packets with "2"
> in tcrules).
> 
> This is proving to be extremely tricky. I can route all the traffic from
> the firewall through wlan1 by default, and I can redirect traffic
> through the VPN binding application to the IP address of tun0. The
> specific user though, has no connection whatsoever when I activate the
> tcrule marking his packets...
> 
> I am using USE_DEFAULT_RT=no and openvpn is pulling routing rules from
> the server, copying them in the main table.

Two things jump out immediately:

a) You are using USE_DEFAULT_RT=No with a VPN. From
   http://www.shorewall.org/MultiISP.html#idp8710247968

   "For those VPN types that use routing to direct traffic to remote
   VPN clients (including but not limited to OpenVPN in routed mode and
   PPTP), the VPN software adds a host route to the main table for each
   VPN client. The best approach is to use USE_DEFAULT_RT=Yes as
   described below. If that isn't possible, you must add a routing rule
   in the 1000-1999 range to specify the main table for traffic
   addressed to those clients. See Example 2 below."

   When the VPN tunnel is a provider, it is essential that you
   configure USE_DEFAULT_RT=Yes.

b) You have configured OpenVPN to redirect its default route out of the
   VPN tunnel. That is wrong when the VPN tunnel is also a provider.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
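A small audit check, added here and not taken from the thread or from Shorewall itself, that reads "ip rule" and "ip route show table main" output and flags the two conditions Tom describes: a redirect-gateway default route in main while tun0 is a provider, and VPN-pushed routes in main with no 1000-1999 rule sending them back to table main. The sample output is constructed, and the provider table name and fwmark rule (10001, tun0, 0x2) are assumptions.

```python
import re

# Constructed sample output of "ip rule" and "ip route show table main";
# not captured from the poster's machine. Rule 1000 covers the pushed
# host route to 10.8.0.1; nothing covers 10.9.0.0/24 or the def1 halves.
SAMPLE_RULES = """\
0:\tfrom all lookup local
1000:\tfrom all to 10.8.0.1 lookup main
10001:\tfrom all fwmark 0x2 lookup tun0
32766:\tfrom all lookup main
"""
SAMPLE_MAIN = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.0.1 dev wlan1
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
10.9.0.0/24 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
"""
REDIRECT_DESTS = {"default", "0.0.0.0/1", "128.0.0.0/1"}  # redirect-gateway [def1]

def parse_routes(text):
    """Return (destination, device, has_gateway) per line of an 'ip route' listing."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dev = f[f.index("dev") + 1] if "dev" in f else None
        routes.append((f[0], dev, "via" in f))
    return routes

def main_rule_for(dest, rule_text):
    """True if a rule with priority 1000-1999 sends traffic for dest to table main."""
    for line in rule_text.splitlines():
        m = re.match(r"(\d+):\s+from \S+ to (\S+) lookup main\s*$", line)
        if m and 1000 <= int(m.group(1)) <= 1999 and m.group(2) == dest:
            return True
    return False

def audit(rule_text, route_text, vpn_dev="tun0"):
    """List main-table routes through vpn_dev that conflict with using it as a provider."""
    findings = []
    for dest, dev, has_gw in parse_routes(route_text):
        if dev != vpn_dev or not has_gw:
            continue  # kernel link routes are fine; only routes pushed via a gateway matter
        if dest in REDIRECT_DESTS:
            findings.append(f"{dest} via {vpn_dev}: default route redirected into the tunnel")
        elif not main_rule_for(dest, rule_text):
            findings.append(f"{dest} via {vpn_dev}: no 1000-1999 rule sending it to table main")
    return findings
```

Run it against the live output of the two commands (or, with USE_DEFAULT_RT=Yes, expect the pushed routes to stop appearing in main at all) to confirm which of the two conditions applies on the box.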


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
