On 04/29/2016 01:08 AM, Eduard Vidal i Tulsà wrote:
> Hello Tom & others.
>
> Still fighting against the VPN's net rule.
>
> I made a few types of rules: one goes to the loc network, to the scale, to control it.
> The other goes to the net network for remote access to a wireless printer
> connected through the router / WiFi ADSL.
>
> Thanks to Tom, last week I fixed some things in the masq file for access from vpn to net.
>
> Computers in the same VPN network see the scale and the printer perfectly.
>
> But there are still problems.
> The VPN server is on a pfSense box.
> In pfSense, local network computers are in a different range, 10.1.1.0/24.
> These local computers see the scale, but the ports for the printer are still being
> filtered.
>
> I think it is a Shorewall-related misconfiguration, because office
> computers can see ports 6000 and 22.
> This VPN shop client can access the 10.1.1.0/24 computers in the main office remotely.
>
>
> figueres[~]#route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
> 10.0.8.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
> 10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
> 10.1.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
>
>
> My rules:
>
> figueres[~]#cat /etc/shorewall/rules |grep -v \#
> ?SECTION ALL
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
>
> Invalid(DROP)   net     all     tcp
> DNS(ACCEPT)     $FW     net
> SSH(ACCEPT)     loc     $FW
> SSH(ACCEPT)     vpn     $FW
>
> Ping(ACCEPT)    loc     $FW
>
> Ping(DROP)      net     $FW
>
> ACCEPT          $FW     loc     icmp
> ACCEPT          $FW     net     icmp
> ACCEPT          vpn     all     all
> DNS(ACCEPT)     loc     $FW
> SSH(ACCEPT)     net     $FW     TCP
> DNAT            vpn     loc:10.1.3.2            tcp     6000
> DNAT            vpn     net:192.168.1.69:80     tcp     80
> DNAT            vpn     net:192.168.1.69:443    tcp     443
> DNAT            vpn     net:192.168.1.69:631    tcp     631
> DNAT            vpn     net:192.168.1.69:515    tcp     515
> DNAT            vpn     net:192.168.1.69:9100   tcp     9100
>
> My masq (I tried to add 10.1.1.0/24), without sense, and without luck, of course:
>
> figueres[~]#cat /etc/shorewall/masq |grep -v \#
> wlan0   10.1.3.0/24,\
>         10.1.1.0/24,\
>         10.0.8.0/24
>
That is required for response packets from the printer to be routed back correctly.

From the information you have supplied, I am unable to help you further.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
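Tom's remark comes down to a routing fact: the printer on 192.168.1.0/24 has no route back to the VPN subnets on tun0, so its replies only find their way home if the firewall masquerades those source networks on wlan0. The script below is an added example, not code from this thread or from the Shorewall project. It embeds a constructed routing table and two constructed masq files modelled on the ones quoted above (one without the pfSense LAN entry, one with it), parses the masq file including its backslash continuations, does a longest-prefix route lookup for the DNAT target, and reports whether each VPN-side source network is covered by a masq entry on that egress interface. The names `ROUTES`, `VPN_SOURCES`, `PRINTER`, `parse_masq`, `egress_iface`, `check_dnat` and `report` are this example's own.

```python
import ipaddress

# Constructed from the `route -n` output quoted in the thread:
# (destination, gateway, outgoing interface). The gateway is kept for readability only.
ROUTES = [
    ("0.0.0.0/0",      "192.168.1.1", "wlan0"),
    ("10.0.8.0/24",    None,          "tun0"),
    ("10.1.1.0/24",    None,          "tun0"),
    ("10.1.3.0/24",    None,          "eth0"),
    ("192.168.1.0/24", None,          "wlan0"),
]

# Constructed masq file contents: without the pfSense LAN (10.1.1.0/24) entry,
# which is the situation Tom's remark addresses, and with it, as posted in the thread.
MASQ_WITHOUT_PFSENSE_LAN = """\
# interface  source networks (Shorewall masq syntax; a trailing backslash continues the line)
wlan0        10.1.3.0/24,\\
             10.0.8.0/24
"""

MASQ_WITH_PFSENSE_LAN = """\
wlan0        10.1.3.0/24,\\
             10.1.1.0/24,\\
             10.0.8.0/24
"""

# Assumed for this example: the two VPN-side source networks reached through tun0,
# and the DNAT target shared by the printer rules in the thread.
VPN_SOURCES = ["10.0.8.0/24", "10.1.1.0/24"]
PRINTER = "192.168.1.69"


def parse_masq(text):
    """Return {interface: [networks]} from masq-file text.

    Comments are stripped first, then lines ending in a backslash are joined
    with the following line, then each logical line is split into the
    interface column and a comma-separated list of source networks.
    """
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)

    table = {}
    for line in logical:
        parts = line.split()
        iface = parts[0]
        nets = [ipaddress.ip_network(n) for n in "".join(parts[1:]).split(",") if n]
        table.setdefault(iface, []).extend(nets)
    return table


def egress_iface(dst_ip, routes=ROUTES):
    """Longest-prefix match: the interface a packet to dst_ip leaves through."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for dest, _gw, iface in routes:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_dnat(src_net, dst_ip, masq_text, routes=ROUTES):
    """Return (egress interface, masqueraded?) for traffic from src_net DNAT'ed to dst_ip."""
    iface = egress_iface(dst_ip, routes)
    src = ipaddress.ip_network(src_net)
    masqueraded = any(src.subnet_of(n) for n in parse_masq(masq_text).get(iface, []))
    return iface, masqueraded


def report(masq_text):
    """Map each VPN-side source network to whether the printer's replies can route back."""
    return {src: check_dnat(src, PRINTER, masq_text)[1] for src in VPN_SOURCES}


if __name__ == "__main__":
    for label, masq in (("without 10.1.1.0/24", MASQ_WITHOUT_PFSENSE_LAN),
                        ("with 10.1.1.0/24", MASQ_WITH_PFSENSE_LAN)):
        print(label, report(masq))
```

With the entry missing, the check flags 10.1.1.0/24 as not masqueraded on wlan0: the printer would see a 10.1.1.x source address, hand its reply to the ADSL router, and the reply would never reach the firewall. With the entry present, both VPN-side networks pass. The loc DNAT (port 6000 to 10.1.3.2) is deliberately not covered by this check; the assumption here is that loc hosts use the firewall as their default gateway, so their replies route back without masquerading.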
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users