On 1/13/19 11:21 AM, C. Cook wrote:
>
>> What you are trying to do *will never work*. You are accepting web
>> connections on the public IP address on the Shorewall router, port
>> forwarding them to the web server who is trying to reply out of the WG
>> server. There are two problems with this idea:
>>
>> a) The WG server can't reverse the effect of the DNAT in the router, so
>> the responses are going out with the wrong source IP.
>>
>> b) Even if DNAT were not involved, you would likely be sending packets
>> out through one ISP with source addresses assigned to another ISP. Those
>> are subject to being dropped.
>>
>> -Tom
>
> Understand. But I only arrived here after my sites went down with no
> mods to the webserver VM, and a full day of trying to get them back up.
>
> And my goal is ultimately to move my server to the outgoing VPN, but
> that's low priority. Sites out is high priority.
>
The obvious fix is to change the web server's default gateway back to the Shorewall router.

-Tom

-- 
Tom Eastep           \ Q: What do you get when you cross a mobster with
Shoreline,            \    an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org    \    understand
                         \_______________________________________________
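As an added illustration that is not part of the thread (and not Tom's or Shorewall's suggestion, which is simply to point the default gateway back at the router), here is a small Python model of the routing decision using constructed addresses. It shows why a reply to a DNATed connection leaves via wg0 with the DNAT un-reversed, and how a hypothetical source-based policy rule (the `ip rule from <server> lookup <table>` approach) would send replies back through the router while keeping the VPN default route for the server's own outbound traffic.

```python
import ipaddress

# Constructed addresses, not from the thread. The web server is 192.168.1.10
# on eth0 behind the Shorewall router (LAN 192.168.1.1, public 203.0.113.1),
# which DNATs port 80 to the server. wg0 is the server's WireGuard tunnel to
# a VPN server at 10.0.0.1 on a different ISP.
ROUTER_LAN, ROUTER_PUBLIC, SERVER_LAN = "192.168.1.1", "203.0.113.1", "192.168.1.10"
# Routing tables: (prefix, egress device, gateway or None when on-link).
TABLES = {
    "main": [("192.168.1.0/24", "eth0", None),
             ("10.0.0.0/24", "wg0", None),
             ("0.0.0.0/0", "wg0", "10.0.0.1")],       # default via the VPN
    "via_router": [("192.168.1.0/24", "eth0", None),
                   ("0.0.0.0/0", "eth0", ROUTER_LAN)],
}
# Policy rules in priority order: (source prefix or None for any, table).
RULES_BROKEN = [(None, "main")]                          # the thread's state
RULES_FIXED = [(SERVER_LAN + "/32", "via_router"), (None, "main")]  # hypothetical fix

def lookup(table, dst):
    """Longest-prefix match within one routing table."""
    best = None
    for prefix, dev, gw in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best[1:] if best else None

def egress(rules, src, dst):
    """First policy rule matching the source whose table has a route wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_prefix, table in rules:
        if src_prefix is None or src in ipaddress.ip_network(src_prefix):
            hit = lookup(table, dst)
            if hit:
                return hit
    return None

def reply_source_seen_by_client(rules, client):
    """Source address on the server's reply as the client receives it. Only
    the router holds the conntrack entry for the DNAT, so only a reply that
    leaves through the router gets its source rewritten back (point a)."""
    dev, gw = egress(rules, SERVER_LAN, client)
    return ROUTER_PUBLIC if (dev, gw) == ("eth0", ROUTER_LAN) else SERVER_LAN

def reply_matches(rules, client):
    """The client only accepts a reply from the address it connected to."""
    return reply_source_seen_by_client(rules, client) == ROUTER_PUBLIC

if __name__ == "__main__":
    for name, rules in (("default via wg0", RULES_BROKEN), ("policy route", RULES_FIXED)):
        print(name, egress(rules, SERVER_LAN, "198.51.100.7"), reply_matches(rules, "198.51.100.7"))
```

Point (b) in the thread is not modelled here: even with public addresses on both paths, a reply sourced from ISP A's range but sent out through ISP B can be dropped by ISP B's source-address filtering, which is a second reason to keep replies on the path they arrived by.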
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users