Thank you Tom. Actually I have RESTART=reload in shorewall.conf and I'm
90% sure I've seen this happen without any intervention to the system
(shorewall restart, or anything else). Are there other potential causes?
Best, Norm
On Thu, Apr 26, 2018 at 4:36 PM, Tom Eastep <teas...@shorewall.net> wrote:
> On 04/25/2018 11:24 AM, Norman Henderson wrote:
> > Hello,
> >
> > I have a WiFi internet access Device that:
> > - has a Web GUI
> > - has an embedded UDP-based SIP server
> > - acts as a NAT router to send traffic to the internet
> > - has a fixed IP of 192.168.1.1
> > - will only talk locally to the 192.168.1.0/24
> > network: all other addresses are routed to the internet, including other
> > "private" addresses
> > - none of the above can be reconfigured.
> >
> > I have a local network 10.1.0.0/24 and some other
> > interconnected 10.x and 192.168.x networks. There are other, different
> > Internet access devices behind other Shorewall firewalls that aren't
> > relevant here.
> >
> > I need to:
> > - hide 192.168.1.0/24 from the rest of my
> > network, since it's used elsewhere
> > - access the Web GUI from multiple clients on 10.1.0.x and ideally
> > other private addresses
> > - access the SIP server via UDP from at least one, preferably several
> > clients on 10.1.0.x and ideally other private addresses
> > - access the Internet via the Device from 10.1.0.x and ideally other nets
> >
> > So, I set up a separate Shorewall box with a Wifi card attempting
> > one-to-one NAT. I decided to consider the 192.168.1.x net (wlan1, where
> > the device lives) is the "internal" side since I want to make the
> > device, on 192.168.1.1, visible to the so-called "external" 10.1.0.x net
> > for Web GUI and SIP access. The Shorewall box has an address of
> > 10.1.0.251 for its own management purposes and I assigned another
> > address 10.1.0.252 for access to the Device; both of those are on vlan1.
> >
> > /etc/shorewall/nat
> > #EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
> > 10.1.0.252 vlan1 192.168.1.1 no no
> >
> > The problem was that traffic initiating from the so-called external side
> > (10.1.0.x clients) was retaining the true addresses and the Device
> > doesn't know how to route back. I.e., on the wlan1 side, I was seeing
> > 10.1.0.3 > 192.168.1.1 with no responses. So, I added:
> >
> > /etc/shorewall/snat
> > #ACTION SOURCE DEST ...
> > MASQUERADE 0.0.0.0/0 wlan1
> >
> > For all of these tests, to keep it simple:
> > /etc/shorewall/rules
> > ACCEPT all+ all+
> >
> > And, that works nicely - for a while. There is no problem accessing the
> > Web GUI via TCP. It's hard to test for reasons I won't disclose, and not
> > as important, but I suspect it would continue to work for tcp going
> > through the Device to the Internet.
> >
> > The issue is the UDP-based SIP server embedded in the Device. It works
> > for some time after a reboot (hours I think), but then I start to see
> > the so-called external addresses 10.1.0.x appear untranslated on the
> > wlan1 interface and as I said, the Device can't reply to those.
> >
> > This is Shorewall 5.1.12.3 on Ubuntu 16.04.4 LTS (Xenial). Yes, I was
> > lazy and just installed the Ubuntu package, if you tell me the latest
> > Shorewall version will make a difference I can certainly try it. However
> > I am thinking this is more a flaw in my approach.
> >
> > What am I doing wrong? Is there a completely different approach I should
> > take?
> >
>
> Norm,
>
> Are you doing any 'reload's or 'restart's after reboot? The usual cause
> of failure to NAT UDP is that a packet is processed while the applicable
> NAT rule is not in place. On a new install, with RESTART=restart in
> shorewall.conf, this can happen if you use the 'restart' command. It
> shouldn't happen with 'reload'; it should also not happen with 'restart'
> if RESTART=reload.
>
> -Tom
> --
> Tom Eastep \ Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \ understand
> \_______________________________________________
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
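Tom's diagnosis above is that a UDP packet processed while the MASQUERADE rule was absent gets a conntrack entry with no NAT mapping, and that entry then keeps being refreshed by the SIP traffic, so later packets of the same flow leave wlan1 untranslated. The script below is an added example, not code from the thread or from the Shorewall project: it parses `conntrack -L` style output, flags flows from the 10.1.0.0/24 client side that cross to the wlan1 side without a translated reply address, and builds the `conntrack -D` commands (conntrack-tools options, my choice, not something the thread mentions) that would clear them so the next packet gets NATed. The conntrack lines it runs on are constructed for the example, with 192.168.1.2 assumed as the firewall's wlan1 address; the real check is `conntrack -L | python3 this_script.py` or equivalent on the Shorewall box.

```python
import ipaddress
import re
import sys

# Constructed sample of `conntrack -L` output (not captured from the poster's box).
# Line 2 is the bad case: the reply direction still points at the client's real
# address 10.1.0.7, i.e. the entry was created with no SNAT mapping.
SAMPLE_CONNTRACK = """\
udp      17 29 src=10.1.0.3 dst=192.168.1.1 sport=5060 dport=5060 src=192.168.1.1 dst=192.168.1.2 sport=5060 dport=5060 mark=0 use=1
udp      17 170 src=10.1.0.7 dst=192.168.1.1 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.1 dst=10.1.0.7 sport=5060 dport=5060 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.1.0.3 dst=192.168.1.1 sport=51234 dport=80 src=192.168.1.1 dst=192.168.1.2 sport=80 dport=51234 [ASSURED] mark=0 use=1
udp      17 20 src=10.1.0.3 dst=8.8.8.8 sport=40000 dport=53 src=8.8.8.8 dst=192.168.1.2 sport=53 dport=40000 mark=0 use=1
"""

# conntrack prints the original tuple first, then the reply tuple.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Turn `conntrack -L` lines into dicts with both directions of each flow."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(parts) < 3 or len(tuples) != 2:
            continue  # not a conntrack entry we understand
        orig, reply = tuples
        flows.append({
            "proto": parts[0],
            "timeout": int(parts[2]),          # seconds left before the entry expires
            "orig_src": orig[0], "orig_dst": orig[1],
            "orig_sport": int(orig[2]), "orig_dport": int(orig[3]),
            "reply_src": reply[0], "reply_dst": reply[1],
            "unreplied": "[UNREPLIED]" in line,
        })
    return flows


def find_untranslated(flows, client_net="10.1.0.0/24"):
    """Flows that came in from client_net, leave for another network (on this
    two-interface box that means wlan1, where MASQUERADE should apply) and whose
    reply tuple still targets the client's real address: no SNAT was applied."""
    net = ipaddress.ip_network(client_net)
    bad = []
    for f in flows:
        src_local = ipaddress.ip_address(f["orig_src"]) in net
        dst_local = ipaddress.ip_address(f["orig_dst"]) in net
        if src_local and not dst_local and f["reply_dst"] == f["orig_src"]:
            bad.append(f)
    return bad


def delete_command(flow):
    """conntrack-tools command that removes one stale entry; the next packet of
    that flow then creates a fresh entry and goes through the NAT table again."""
    return ("conntrack -D -p {proto} -s {orig_src} -d {orig_dst} "
            "--sport {orig_sport} --dport {orig_dport}").format(**flow)


def report(text, client_net="10.1.0.0/24"):
    """Return the delete commands for every untranslated flow found in text."""
    return [delete_command(f) for f in find_untranslated(parse_conntrack(text), client_net)]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONNTRACK
    for cmd in report(data):
        print(cmd)
```

Running it prints one command for the constructed sample, the 10.1.0.7 SIP flow. A flow whose reply destination is the wlan1 address (192.168.1.2 here) is correctly NATed and is left alone, which is why deleting only the flagged entries is safer than a blanket flush.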