Hi, Thanks for your answer!
a) I tried re-configuring everything to use USE_DEFAULT_RT=Yes. Now, by default, all traffic goes through the vpn. I put something like this in the routing rules:

998: from all iif lo lookup Coop

so that all traffic from the $FW goes through the Coop provider on wlan1. But this makes the marking of packets for user rtorrent (in tcrules) useless, because I never get to match these rules:

10000: from all fwmark 0x1/0xff lookup Coop
10001: from all fwmark 0x2/0xff lookup VPN

Sorry if I am misunderstanding something.

b) I'm not sure what you mean here. I am using the .ovpn file supplied by my VPN provider. They are pushing routing rules into my main table from their server. Should I insert a route-nopull in the .ovpn client file?

I attach another dump with the new configuration. Thanks!

Quoting Tom Eastep, who on Wed Apr 30 12:06:40 2014 wrote:
On 4/29/2014 2:50 PM, Marcello Giordano wrote:

Hi, Thanks for this great piece of software! I'm trying to setup my network as follows: $FW machine is running shorewall and has two NICs, one (wlan1) connected to the internet through a router; the second (eth0) masquerading a subnet. I recently bought a VPN access (I use OpenVPN on interface tun0) and followed the multi-isp howto to set it up two providers, 1 on wlan1 (fallback) and 2 on tun0 (balanced). What I am trying to achieve is to have the $FW and the subnet connected to eth0 use the main internet connection through wlan1, and no VPN. Only one specific user on the $FW (called rtorrent) would have instead all his traffic routed through the VPN (I'm marking his packages with "2" in tcrules). This is proving to be extremely tricky. I can route all the traffic from the firewall through wlan1 by default, and I can redirect traffic through the VPN binding application to the IP address of tun0. The specific user though, has no connection whatsoever when I activate the tcrule marking his packets... I am using USE_DEFAULT_RT=no and openvpn is pulling routing rules from the server, copying them in the main table.

Two things jump out immediately:

a) You are using USE_DEFAULT_RT=No with a VPN. From http://www.shorewall.org/MultiISP.html#idp8710247968 "For those VPN types that use routing to direct traffic to remote VPN clients (including but not limited to OpenVPN in routed mode and PPTP), the VPN software adds a host route to the main table for each VPN client. The best approach is to use USE_DEFAULT_RT=Yes as described below. If that isn't possible, you must add a routing rule in the 1000-1999 range to specify the main table for traffic addressed to those clients. See Example 2 below." When the VPN tunnel is a provider, it is essential that you configure USE_DEFAULT_RT=Yes.

b) You have configured OpenVPN to redirect its default route out of the VPN tunnel. That is wrong when the VPN tunnel is also a provider.

-Tom

Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
-- Marcello Giordano giorda...@ftml.net
Attachment: dump.gz (GNU Zip compressed data)
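A small model of the Linux routing policy database lookup, added here as an example (it is not code from the post or from Shorewall) to show why the catch-all "iif lo" rule at priority 998 shadows the fwmark rules at 10000 and 10001: rules are walked in ascending priority and the first match whose table can route the packet wins, so the marked rtorrent traffic never reaches the VPN rule. The table names come from the thread; the priority 11000 used for the relocated rule is an assumed value, not taken from the post or from Shorewall's documentation.

```python
# Minimal model of the RPDB ("ip rule") lookup order; added example, not Shorewall code.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    prio: int                     # lower number is consulted first
    table: str
    iif: Optional[str] = None     # "lo" matches locally generated traffic
    fwmark: Optional[int] = None  # required value of (mark & mask)
    mask: int = 0xFFFFFFFF

@dataclass(frozen=True)
class Packet:
    iif: str
    mark: int = 0

# Tables holding a default route, so a lookup succeeds for any Internet destination (constructed).
TABLES_WITH_DEFAULT = {"Coop", "VPN", "main"}

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iif is not None and rule.iif != pkt.iif:
        return False
    if rule.fwmark is not None and (pkt.mark & rule.mask) != rule.fwmark:
        return False
    return True

def route_table(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First rule, in ascending priority, that matches and whose table can
    route the packet decides; rules after it are never consulted."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if matches(rule, pkt) and rule.table in TABLES_WITH_DEFAULT:
            return rule.table
    return None

# Rules as described in the post: the 998 rule precedes the mark rules.
POSTED_RULES = [
    Rule(998, "Coop", iif="lo"),
    Rule(10000, "Coop", fwmark=0x1, mask=0xFF),
    Rule(10001, "VPN", fwmark=0x2, mask=0xFF),
    Rule(32766, "main"),
]

# Same rules with the catch-all placed after the mark rules.
# Priority 11000 is an assumed value, not taken from the post or from Shorewall's docs.
FIXED_RULES = [r for r in POSTED_RULES if r.prio != 998] + [
    Rule(11000, "Coop", iif="lo"),
]
```

With POSTED_RULES a locally generated packet marked 2 lands in Coop; with FIXED_RULES the same packet reaches the VPN table while unmarked local traffic still goes to Coop.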