On 5/1/2014 6:56 AM, Michael Kress wrote:
> Hi,
> I'm still having trouble with my setup (multi-isp/openvpn) and it
> seems to be a routing problem, the subnets from the DMZ and LAN can't
> connect to the outside ... worse: some sites are reachable, some not,
> although I have flushed the routing tables. I see no drops or rejects.
>
> setup:
> ------
> * esxi server
> * 2 hwnics
> * 3 vswitches (WAN, DMZ, LAN)
> * hwnic1 connected to WAN vswitch
> * hwnic2 connected to LAN vswitch
> * DMZ vswitch has no physical nics attached
> * shorewall vm: eth0 in DMZ switch, eth1 in WAN switch, eth2 in LAN switch
> eth0: 192.168.0.1/24
> eth1: 192.168.2.251/24
> eth2: 192.168.5.251/24
>
> the shorewall machine opens an openvpn tunnel tun1 to the vpn server
> x.x.x.18 and has x.x.x.245/32 as an IP address and x.x.x.254/32 as the
> remote endpoint located at the vpn provider.
>
> moreover, what is working: port forwarding by the following rules:
>
> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
> #                        PORT PORT(S) DEST
> DNAT vpn dmz:192.168.0.11 icmp - - x.x.x.245
> DNAT vpn dmz:192.168.0.11:80 tcp 80 - x.x.x.245
>
> so far, so good.
>
> The trouble comes with routing and I can't figure out the correct
> settings, it seems.
>
> Some key settings:
> ==================
>
> /etc/sysconfig/network-scripts/ifcfg-eth0:
> DEFROUTE=no
>
> shorewall.conf:
> ---------------
> USE_DEFAULT_RT=Yes
> TRACK_PROVIDERS=Yes
>
> interfaces:
> -----------
> #ZONE INTERFACE OPTIONS
> vpn tun1 blacklist,optional
> dmz eth0 blacklist
> wan eth1 blacklist
> lan eth2 blacklist
>
> zones:
> ------
> fw firewall
> lan ipv4
> wan ipv4
> vpn ipv4
> dmz ipv4
>
> providers:
> ----------
> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
> ipev 1 1 - tun1 x.x.x.254 track
> tonline 2 2 - eth1 192.168.2.1 track
>
> rtrules:
> --------
> #SOURCE DEST PROVIDER PRIORITY MARK
> - x.x.x.x.18/32 tonline 1000
> - x.x.x.x.245/28 ipev 1001
> 192.168.0.0/24 - tonline 20001 2
> 192.168.5.0/24 - tonline 20001 2
>
> I suspect my problem has to do with this file (rtrules).
> What I intended to reach:
> 1st line: I want the connections to the vpn server (vpn provider "ipev")
> over tonline / to build up the tunnel
> 2nd line: packets to x.x.x.245 handled by ipev (vpn provider)
> 3rd line: packets from 192.168.0.0/24 (DMZ) to anywhere shall go over
> tonline
> 4th line: packets from 192.168.5.0/24 (LAN) to anywhere shall go over
> tonline
>
> 1st and 2nd are working.
> 3rd and 4th are not working. I've also tried other priorities.
>
> In other words: I'd like ALL outbound traffic from LAN and DMZ to go
> over tonline.
> How can I solve this routing issue?
Please forward the output of 'shorewall dump' collected as described at
http://www.shorewall.net/support.htm#Guidelines

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
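As an added illustration (not code from the thread, from Shorewall or from Tom), the following Python models how the kernel walks the rules that Shorewall builds from the providers and rtrules files: rules are tried in ascending priority, and a rule whose table has no route for the destination falls through to the next one. All rule lines, table contents and addresses are constructed, with 203.0.113.0/24 standing in for the poster's x.x.x block.

```python
import ipaddress
import re

# Constructed `ip rule show`-style output mirroring the thread's rtrules
# (hypothetical; 203.0.113.0/24 stands in for the poster's x.x.x block).
SAMPLE_RULES = """\
999:    from all lookup main
1000:   from all to 203.0.113.18/32 lookup tonline
1001:   from all to 203.0.113.245/28 lookup ipev
20001:  from 192.168.0.0/24 lookup tonline
20001:  from 192.168.5.0/24 lookup tonline
32767:  from all lookup default
"""
# Constructed route tables: with USE_DEFAULT_RT=Yes the main table carries
# only the directly connected subnets and no default route.
SAMPLE_TABLES = {
    "main": ["192.168.0.0/24", "192.168.2.0/24", "192.168.5.0/24"],
    "tonline": ["0.0.0.0/0"],   # provider 'tonline' via eth1
    "ipev": ["0.0.0.0/0"],      # provider 'ipev' via tun1
    "default": [],
}
RULE_RE = re.compile(r"^\s*(\d+):\s+(.*?)\s*lookup\s+(\S+)")

def parse_ip_rule(text):
    """Parse `ip rule` lines into (priority, from_net, to_net, table)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        sel = {"from": "0.0.0.0/0", "to": "0.0.0.0/0"}
        words = m.group(2).split()
        for key, val in zip(words[::2], words[1::2]):
            if key in sel and val != "all":
                sel[key] = val
        rules.append((int(m.group(1)),
                      ipaddress.ip_network(sel["from"], strict=False),
                      ipaddress.ip_network(sel["to"], strict=False),
                      m.group(3)))
    return sorted(rules, key=lambda r: r[0])  # stable sort: ties keep order

def lookup(rules, tables, src, dst):
    """First rule whose selector matches src/dst AND whose table holds a route
    covering dst; a table with no covering route falls through (so 'lookup
    main' at 999 is skipped for internet destinations)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, frm, to, table in rules:
        if s in frm and d in to and any(
                d in ipaddress.ip_network(p) for p in tables.get(table, [])):
            return prio, table
    return None
```

Comparing the real box's `ip rule show` and `ip route show table <name>` output (or the 'shorewall dump' Tom asks for) against this model shows which rule actually catches LAN and DMZ traffic.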
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
