On Sun, Dec 23, 2018 at 10:49:30AM -0800, C. Cook wrote:
> On 12/23/18 9:04 AM, Tom Eastep wrote:
> > Clearly, your routing table indicates that the packet should be sent out
> > of eth0 rather than eth1, and since eth0 doesn't have the 'routeback'
> > option, the packet is being dropped in the FORWARD chain (see Shorewall
> > FAQ 17).
>
> Ok on the router in interfaces I've set routeback and routefilter on
> eth0 (outside), and routefilter on eth1 (local) and eth2 (dmz).

The DNAT line still isn't matching due to only matching packets to eth1 (local). What's the routing table? (Or are there policy routes?)

> Lots of REJECTs in the FORWARD chain still but as there's no time I
> can't tell how recent they are. And the phone still doesn't connect to
> the WireGuard server inside the LAN.

You can maybe run date | logger to make a timestamped log. Or configure r/syslog to include timestamps to /var/log/syslog (messages?)

On Sun, Dec 23, 2018 at 10:59:09AM -0800, C. Cook wrote:
> On 12/22/18 5:04 PM, Justin Pryzby wrote:
> > eth0 is "net" but has a private IP ?
> No eth0 has a public IP. eth1 and eth2 have private IPs, in separate
> class C's.

Sorry, right. I saw an address beginning with 172 and saw what I anticipated seeing.

Justin