I've got 2 routers, both running shorewall, and a server.
I'm trying to get routeback working correctly for the following config.
Currently, inbound traffic gets to its intended DEST, but the reply routes back
over the wrong path.
I'm missing some route(back) config; the DNAT rules don't appear
sufficient.
Any hints/suggestions as to what I've missed?
My config is:
Router1
  (1) Ext IP: xx.xx.xx.242   intfc: eth0
  (2) VPN IP: 10.1.1.1       intfc: wg0
  shorewall:
    DNAT net wg:172.16.10.50 tcp 993 - xx.xx.xx.242
Router2
  (3) Ext IP: xx.xx.xx.242   intfc: eth0
  (4) VPN IP: 10.1.1.2       intfc: wg0
  (5) Int IP: 172.16.10.100  intfc: enp3s0
  shorewall:
    DNAT wg lan:172.16.10.50 tcp 993 - 172.16.10.50
Server1
  (6) IP: 172.16.10.50       intfc: enp4s0
With those DNAT rules, connections from the public 'net (@, device IP
zz.zz.zz.150) to xx.xx.xx.242:993 flow
(1) -> (2) -> (4) -> (5) -> (6)
@ (6), tcpdump sees
14:38:58.192550 IP 172.16.10.50.993 > zz.zz.zz.150.18902: Flags [S.],
seq 3410154891, ack 3469383179, win 65160, options [mss 1460,sackOK,TS val
739099690 ecr 1066052,nop,wscale 7], length 0
14:38:58.230329 IP zz.zz.zz.150.35136 > 172.16.10.50.993: Flags [S],
seq 1529885957, win 65535, options [mss 1380,sackOK,TS val 1066360 ecr
0,nop,wscale 7], length 0
BUT,
that *reply* from (6) does *not* route BACK over the VPN link (wg0 -> wg0),
i.e., (6) -> (5) -> (4).
It instead flows
(6) -> (5) -> (3)
, i.e., out Router2's *external*, not VPN, intfc.
@ (3), tcpdump sees
14:39:59.435306 IP 172.16.10.50.993 > zz.zz.zz.150.50494: Flags [S.],
seq 3090332302, ack 686924393, win 65160, options [mss 1460,sackOK,TS val
739143850 ecr 1067584,nop,wscale 7], length 0
I need to 'tell' SW to route replies from
172.16.10.50:993
back out via the wg0 -> wg0 path, IF AND ONLY IF they arrived via that path.
How's that correctly done here?
I'm guessing DNAT rule params, &/or MARKing the traffic somewhere ...
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
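Added example, not part of the original post or of the Shorewall project's own files: the Shorewall mechanism for "send the reply back out the interface the connection arrived on" is a provider entry with the `track` option in /etc/shorewall/providers on Router2, not the DNAT rule and not the `routeback` interface option. With `track`, Shorewall marks each new connection that arrives on the provider's interface, saves the mark in conntrack, restores it on the reply packets (after the DNAT reversal, so the mark follows the connection, not the address), and installs an `ip rule` that sends packets carrying that fwmark to the provider's routing table, whose default route points back into the tunnel. The table name `wg`, table number 2, mark value 0x2, the choice of 10.1.1.1 (Router1's wg0 address from the post) as the gateway, and the COPY column are assumptions made for this example; the interface and address values are the ones in the post.

```conf
# /etc/shorewall/providers on Router2  (added example; table name/number,
# mark value, gateway choice and COPY column are assumptions)
#
# NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY   OPTIONS      COPY
wg       2       0x2   main       wg0        10.1.1.1  track,loose  enp3s0
```

`track` is the part that answers the question: a connection that enters on wg0 gets mark 0x2 saved in its conntrack entry, and every packet of that connection that later leaves Router2, including the SYN-ACK from 172.16.10.50:993, is restored to 0x2 in PREROUTING and routed with table `wg` (default via 10.1.1.1 on wg0) instead of table main (default via eth0). Connections that arrive on eth0 or originate on the LAN carry no such mark and keep using main, which is the "if and only if" in the post. `loose` only stops Shorewall from adding a source-address rule for wg0's own 10.1.1.2; `balance` is deliberately absent so the main default route stays on eth0. `DUPLICATE main` plus `COPY enp3s0` makes table `wg` contain the 172.16.10.0/24 route through enp3s0 as well, so the table is usable on its own. Run `shorewall check` before `shorewall restart`; afterwards `ip rule show` should list `from all fwmark 0x2 lookup wg` and `ip route show table wg` should show `default via 10.1.1.1 dev wg0`. Two caveats outside Shorewall: the reply leaves Router2 with source 172.16.10.50, so the WireGuard peer entry for Router2 on Router1 must list that host (or 172.16.10.0/24) in AllowedIPs, or WireGuard on Router1 silently discards the packet on arrival; and if `TRACK_PROVIDERS=Yes` is already set in shorewall.conf, `track` is the default for every provider and listing it here is harmless.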