Ah! Of course!

I would more say that the policies aren't there, so there's no specific
ACCEPT. But now there is, and thanks for pointing that out - it appears to
work now.

Thanks for saving my headache :-)

/klaus
Tue 4 Jul 2017 at 00:55, Tom Eastep <[email protected]> wrote:

> On 07/03/2017 02:05 PM, Klaus Agnoletti wrote:
> > Hi,
> >
> > Let me describe my setup:
> >
> > I have an opnsense firewall running with OpenVPN at home (WAN ip
> > is 10.49.141.10 - a crazy IP plan at my provider. It does translate into
> > a real, routable IP at some point). In the same building on the same
> > switch (kinda internal, hence the ip) is my Linux server (running Debian
> > 8.8) on 10.49.157.2.
> >
> > My Linux server runs openvpn client, connecting to my opnsense firewall
> > at home.
> >
> > Local LAN at home is 10.20.30.0/24. Local LAN on
> > my Linux server (used for VMs etc) is 10.20.40.0/24.
> >
> > OpenVPN tunnel network is 10.100.100.0/24.
> > Opnsense server is 10.100.100.1, Linux server is 10.100.100.2
> >
> > Some weird stuff is going on. I have followed the instructions
> > on http://shorewall.net/OPENVPN.html and allowed all traffic between the
> > two subnets. Yet some OpenVPN traffic is blocked and I can't send
> > traffic over VPN from the Linux server itself. However, the VMs running
> > on the Linux server can, and I can send traffic to the VMs from my home
> > LAN over the vpn as well.
> >
> > I see a lot of firewall messages like this:
> >
> > [466008.549077] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2
> > DST=10.100.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50286 DF PROTO=ICMP
> > TYPE=8 CODE=0 ID=21078 SEQ=1
> >
> > [466075.669821] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2
> > DST=10.20.30.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=46799 DF PROTO=ICMP
> > TYPE=8 CODE=0 ID=21102 SEQ=1
> >
> > When I try to ping from my Linux server to the opnsense firewall's
> > internal LAN ip (10.20.30.1) or the remote end of the tunnel network.
> > And I don't understand that. I am guessing that is why I can't ping.
> >
> > Can anyone help me out?
> >
> >
> > I have attached the shorewall dump as requested in the posting
> > instructions.
> >
>
> Your fw->vpn policy is REJECT and you have no Ping(ACCEPT) rule from
> fw->vpn.
>
> -Tom
> --
> Tom Eastep        \   Q: What do you get when you cross a mobster with
> Shoreline,         \     an international standard?
> Washington, USA     \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>                       \_______________________________________________
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
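The two REJECT lines quoted above carry everything needed to pin the problem down (policy chain `fw-vpn`, verdict `REJECT`, ICMP type 8), and Tom's diagnosis is simply reading them. The script below, added here as an illustration and not part of the thread or of Shorewall itself, parses such kernel log lines, counts only denied flows, and prints the rules-file line that would allow each one (`Ping(ACCEPT)` for echo requests, a plain `ACCEPT` with protocol and port otherwise). It assumes the `src-dst` zone-pair chain naming seen in the quoted log and that the `fw` zone is written as `$FW` in the rules file; the third sample line (an ACCEPT from a hypothetical `vpn-loc` chain) is constructed to show that permitted traffic is ignored.

```python
import re
from collections import Counter

# Sample log: the first two lines are the REJECT lines quoted in the thread,
# the third is a constructed ACCEPT line from a hypothetical vpn->loc policy.
SAMPLE_LOG = """\
[466008.549077] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2 DST=10.100.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50286 DF PROTO=ICMP TYPE=8 CODE=0 ID=21078 SEQ=1
[466075.669821] Shorewall:fw-vpn:REJECT:IN= OUT=tun0 SRC=10.100.100.2 DST=10.20.30.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=46799 DF PROTO=ICMP TYPE=8 CODE=0 ID=21102 SEQ=1
[466090.000000] Shorewall:vpn-loc:ACCEPT:IN=tun0 OUT=virbr0 SRC=10.20.30.5 DST=10.20.40.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Shorewall log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# kernel's KEY=VALUE fields.
PREFIX = re.compile(r'Shorewall:(?P<chain>[^:]+):(?P<verdict>[A-Z]+):(?P<rest>.*)$')
FIELD = re.compile(r'(\w+)=(\S*)')


def parse_line(line):
    """Return a dict describing one Shorewall log line, or None if it is not one."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields = {}
    for key, val in FIELD.findall(m.group('rest')):
        # First occurrence wins: ICMP lines carry ID= twice (IP header, then
        # echo ID) and we want the IP header's value, not the echo ID.
        fields.setdefault(key, val)
    chain = m.group('chain')
    src_zone, _, dst_zone = chain.partition('-')   # assumes "src-dst" chain names
    return {
        'chain': chain,
        'verdict': m.group('verdict'),
        'src_zone': src_zone,
        'dst_zone': dst_zone,
        'src': fields.get('SRC'),
        'dst': fields.get('DST'),
        'proto': fields.get('PROTO'),
        'icmp_type': fields.get('TYPE'),
        'dport': fields.get('DPT'),
    }


def denied_flows(log_text):
    """Count denied flows, keyed by (chain, protocol, icmp type or dest port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['verdict'] not in ('REJECT', 'DROP'):
            continue   # only blocked traffic is interesting here
        detail = rec['icmp_type'] if rec['proto'] == 'ICMP' else rec['dport']
        counts[(rec['chain'], rec['proto'], detail or '-')] += 1
    return counts


def zone_name(zone):
    """The firewall zone is spelled $FW in the rules file; others keep their name."""
    return '$FW' if zone == 'fw' else zone


def suggest_rules(log_text):
    """Map each denied flow class to the Shorewall rules-file line that allows it."""
    rules = []
    for (chain, proto, detail), n in sorted(denied_flows(log_text).items()):
        src, _, dst = chain.partition('-')
        src, dst = zone_name(src), zone_name(dst)
        if proto == 'ICMP' and detail == '8':
            # Echo requests: the Ping macro shipped with Shorewall covers them.
            rules.append(f'Ping(ACCEPT)\t{src}\t{dst}\t# {n} echo request(s) rejected')
        else:
            # Columns: ACTION SOURCE DEST PROTO DPORT
            rules.append(f'ACCEPT\t{src}\t{dst}\t{proto.lower()}\t{detail}\t# {n} rejected')
    return rules


if __name__ == '__main__':
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

Run against the quoted messages it prints a single `Ping(ACCEPT)  $FW  vpn` line, which is exactly the rule Tom points to; a REJECT policy with logging plus a parser like this turns "some traffic is blocked" into the specific zone pair and rule that is missing.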