Hi,

Let me describe my setup:

I have an OPNsense firewall running with OpenVPN at home (WAN IP is 10.49.141.10 - a crazy IP plan at my provider. It does translate into a real, routable IP at some point). In the same building on the same switch (kinda internal, hence the IP) is my Linux server (running Debian 8.8) on 10.49.157.2. My Linux server runs an OpenVPN client, connecting to my OPNsense firewall at home.

Local LAN at home is 10.20.30.0/24.
Local LAN on my Linux server (used for VMs etc.) is 10.20.40.0/24.
OpenVPN tunnel network is 10.100.100.0/24. OPNsense server is 10.100.100.1, Linux server is 10.100.100.2.

Some weird stuff is going on. I have followed the instructions on http://shorewall.net/OPENVPN.html and allowed all traffic between the two subnets. Yet some OpenVPN traffic is blocked and I can't send traffic over VPN from the Linux server itself. However, the VMs running on the Linux server can, and I can send traffic to the VMs from my home LAN over the VPN as well.

I see a lot of firewall messages like this:

[466008.549077] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2 DST=10.100.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50286 DF PROTO=ICMP TYPE=8 CODE=0 ID=21078 SEQ=1
[466075.669821] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2 DST=10.20.30.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=46799 DF PROTO=ICMP TYPE=8 CODE=0 ID=21102 SEQ=1

when I try to ping from my Linux server to the OPNsense firewall's internal LAN IP (10.20.30.1) or the remote end of the tunnel network. And I don't understand that. I am guessing that is why I can't ping.

Can anyone help me out? I have attached the shorewall dump as requested in the posting instructions.

Thanks,
/klaus
shorewall_dump.txt.bz2
Description: BZip2 compressed data
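
Added example, not part of the original post: a small parser for the two log lines quoted above, which splits the Shorewall prefix into chain and disposition and flags packets generated on the host itself (empty IN=). It assumes the default Shorewall log prefix layout and that the chain name is the source zone and destination zone joined by a hyphen; the function names are hypothetical.

```python
import re
from collections import Counter

# Log lines copied from the post above (kernel timestamp included).
SAMPLE = """\
[466008.549077] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2 DST=10.100.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50286 DF PROTO=ICMP TYPE=8 CODE=0 ID=21078 SEQ=1
[466075.669821] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2 DST=10.20.30.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=46799 DF PROTO=ICMP TYPE=8 CODE=0 ID=21102 SEQ=1
"""

# Default Shorewall LOGFORMAT is "Shorewall:%s:%s:" (chain, disposition).
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "disposition": m["disp"]}
    for token in m["rest"].split():
        key, sep, value = token.partition("=")
        # ID= occurs twice (IP id, then ICMP echo id); keep the first one.
        if sep and key not in rec:
            rec[key] = value
    # An empty IN= means the packet was generated on this host (OUTPUT path).
    rec["local_origin"] = rec.get("IN") == ""
    # Assumption: the chain is named <source zone>-<destination zone>.
    src, sep, dst = rec["chain"].partition("-")
    rec["zones"] = (src, dst) if sep else None
    return rec


def summarize(text):
    """Count (chain, disposition, OUT interface, local_origin) over all lines."""
    recs = filter(None, map(parse_line, text.splitlines()))
    return Counter(
        (r["chain"], r["disposition"], r.get("OUT"), r["local_origin"]) for r in recs
    )


if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, key)
```

Run over a longer log, the summary groups rejects by chain and outgoing interface, which shows at a glance which zone pair is producing them.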
