On 07/03/2017 02:05 PM, Klaus Agnoletti wrote:
> Hi,
>
> Let me describe my setup:
>
> I have an opnsense firewall running with OpenVPN at home (WAN IP is
> 10.49.141.10 - a crazy IP plan at my provider. It does translate into a
> real, routable IP at some point). In the same building on the same switch
> (kinda internal, hence the IP) is my Linux server (running Debian 8.8) on
> 10.49.157.2.
>
> My Linux server runs the OpenVPN client, connecting to my opnsense
> firewall at home.
>
> Local LAN at home is 10.20.30.0/24. Local LAN on my Linux server (used
> for VMs etc.) is 10.20.40.0/24.
>
> OpenVPN tunnel network is 10.100.100.0/24. Opnsense server is
> 10.100.100.1, Linux server is 10.100.100.2.
>
> Some weird stuff is going on. I have followed the instructions on
> http://shorewall.net/OPENVPN.html and allowed all traffic between the two
> subnets. Yet some OpenVPN traffic is blocked and I can't send traffic over
> VPN from the Linux server itself. However, the VMs running on the Linux
> server can, and I can send traffic to the VMs from my home LAN over the
> VPN as well.
>
> I see a lot of firewall messages like this:
>
> [466008.549077] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2 DST=10.100.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50286 DF PROTO=ICMP TYPE=8 CODE=0 ID=21078 SEQ=1
>
> [466075.669821] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2 DST=10.20.30.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=46799 DF PROTO=ICMP TYPE=8 CODE=0 ID=21102 SEQ=1
>
> These appear when I try to ping from my Linux server to the opnsense
> firewall's internal LAN IP (10.20.30.1) or the remote end of the tunnel
> network, and I don't understand that. I am guessing that is why I can't
> ping.
>
> Can anyone help me out?
>
> I have attached the shorewall dump as requested in the posting instructions.
Your fw->vpn policy is REJECT and you have no Ping(ACCEPT) rule from fw->vpn.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
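As an added example (not part of the thread), a small Python script that parses Shorewall kernel-log lines like the two Klaus quoted, counts the REJECTed flows by zone pair and protocol, and emits the `/etc/shorewall/rules` entry that would permit each one, using Shorewall's `Ping` macro for ICMP echo as Tom's answer does. The sample log is constructed from the quoted lines; the mapping from a rejected flow to a rule is a heuristic for reading the log, not Shorewall's own tooling.

```python
import re
from collections import Counter

# Constructed sample: the two REJECT lines quoted in the thread plus one ACCEPT line to skip.
SAMPLE_LOG = """\
[466008.549077] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2 DST=10.100.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50286 DF PROTO=ICMP TYPE=8 CODE=0 ID=21078 SEQ=1
[466075.669821] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2 DST=10.20.30.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=46799 DF PROTO=ICMP TYPE=8 CODE=0 ID=21102 SEQ=1
[466090.000000] Shorewall:vpn-fw:ACCEPT:IN=tun0 OUT= SRC=10.20.30.1 DST=10.100.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=0 CODE=0 ID=21102 SEQ=1
"""

# Shorewall logs "Shorewall:<chain>:<disposition>:" followed by netfilter's key=value fields.
HEADER_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    m = HEADER_RE.search(line)
    if not m:
        return None  # not a Shorewall log line
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    # ICMP lines carry two ID= fields (IP id, then echo id); setdefault keeps the first.
    for key, val in KV_RE.findall(m.group("rest")):
        rec.setdefault(key, val)
    return rec

def summarise_rejects(log):
    """Count REJECTed flows by (src zone, dst zone, input iface, output iface, protocol)."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or rec["disposition"] != "REJECT":
            continue
        proto = rec.get("PROTO", "?")
        if proto == "ICMP":
            proto = f"ICMP type {rec.get('TYPE', '?')}"
        src_zone, dst_zone = rec["chain"].split("-", 1)
        # Empty IN= means the firewall host itself generated the packet ($FW zone).
        origin = rec.get("IN") or "$FW"
        counts[(src_zone, dst_zone, origin, rec.get("OUT", ""), proto)] += 1
    return counts

def missing_rules(counts):
    """Turn each rejected flow into the /etc/shorewall/rules entry that would permit it."""
    rules = set()
    for src, dst, _origin, _out, proto in counts:
        src = "$FW" if src == "fw" else src
        if proto == "ICMP type 8":
            rules.add(f"Ping(ACCEPT)\t{src}\t{dst}")  # Shorewall's Ping macro, as in Tom's answer
        else:
            rules.add(f"ACCEPT\t{src}\t{dst}\t{proto.lower()}")
    return sorted(rules)
```

Running `summarise_rejects(SAMPLE_LOG)` shows both rejects originate on the firewall host itself (empty `IN=`), which is why the server's own pings are blocked while its VMs, arriving through a bridge interface and a different zone pair, are not.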
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
