Hi,

On 7/6/21 4:31 PM, Justin Pryzby wrote:
        Shorewall @ "Public Server":
                /rules
                        ACCEPT  net    $FW:AA.AA.AA.AA    tcp    12345
                        DNAT    net    vpn:10.10.10.99    tcp    12345    -    AA.AA.AA.AA

        Shorewall @ "Private Edge"
                /rules
                        ACCEPT  vpn    lan:10.10.10.99    tcp    12345
                        DNAT    vpn    lan:10.10.10.99    tcp    12345    -    10.10.10.99

By default, DNAT includes ACCEPT.  So the first step is to remove the redundant 
ACCEPT.

I'd put it in for attempts at some additional logging a while ago, & neglected 
to remove it. Thx!

but FAILs to route back over the VPN link; I don't see the traffic return via 
intfc = vpn0.
It's instead appearing on the EXTERNAL interface.

Where does that mis-routeback need to get fixed, so the traffic returns via 
"Private Edge" *vpn0*, NOT *eth0*?

You haven't shown the rest of your config - maybe it's missing the routeback 
option.

Trying to follow docs/examples and assemble this step by step; thought I'd 
gotten that right already :-/

Atm,

        @ "Private Edge"
        /interfaces

                net    EXT_IF    optional,physical=$EDGE_EXTIF,dhcp,tcpflags,nosmurfs,logmartians=1,sourceroute=0
                vpn    VPN_IF    optional,physical=$EDGE_VPNIF,logmartians=0,routeback=1
                -      INT_IF    physical=$EDGE_INTIF,dhcp,tcpflags,logmartians=1,routefilter=0,routeback=1


Hm.  Need to dig around to see if it's correct to keep the routeback=1 on both VPN 
& INT intfcs ...

Anything missing/wrong jump out?


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
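
An added example, not part of this thread and not Shorewall's own code: a small Python checker for the two points raised above, that a DNAT rule already implies its ACCEPT, and which interfaces actually carry the routeback option. The rules and interfaces text is reconstructed from the configs quoted in the thread (AA.AA.AA.AA stays the poster's placeholder for the public address). The matching heuristic (an ACCEPT with the same SOURCE/PROTO/DPORT as a DNAT, pointing at the DNAT target address or its ORIGDEST) is this example's own assumption about what "redundant" means here, not Shorewall's compiler logic.

```python
# Constructed sample input, reconstructed from the configs quoted in this thread.
from collections import namedtuple

Rule = namedtuple("Rule", "action source dest proto dport sport origdest")

# /etc/shorewall/rules as quoted for "Public Server" (constructed sample)
PUBLIC_RULES = """
?SECTION NEW
ACCEPT  net    $FW:AA.AA.AA.AA    tcp    12345
DNAT    net    vpn:10.10.10.99    tcp    12345    -    AA.AA.AA.AA
"""

# /etc/shorewall/rules as quoted for "Private Edge" (constructed sample)
EDGE_RULES = """
?SECTION NEW
ACCEPT  vpn    lan:10.10.10.99    tcp    12345
DNAT    vpn    lan:10.10.10.99    tcp    12345    -    10.10.10.99
"""

# /etc/shorewall/interfaces as quoted for "Private Edge" (constructed sample,
# FORMAT 2 layout: ZONE INTERFACE OPTIONS)
EDGE_INTERFACES = """
?FORMAT 2
net    EXT_IF    optional,physical=$EDGE_EXTIF,dhcp,tcpflags,nosmurfs,logmartians=1,sourceroute=0
vpn    VPN_IF    optional,physical=$EDGE_VPNIF,logmartians=0,routeback=1
-      INT_IF    physical=$EDGE_INTIF,dhcp,tcpflags,logmartians=1,routefilter=0,routeback=1
"""


def _columns(text):
    """Yield whitespace-split columns of non-blank, non-comment, non-directive lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?") or line.startswith("SECTION"):
            continue
        yield line.split()


def parse_rules(text):
    """Parse ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST; missing trailing
    columns become '-', which is how Shorewall treats an omitted column."""
    return [Rule(*(cols + ["-"] * 7)[:7]) for cols in _columns(text)]


def _address(column):
    """Strip the zone prefix: 'vpn:10.10.10.99' -> '10.10.10.99'; bare zone -> ''."""
    return column.split(":", 1)[1] if ":" in column else ""


def redundant_accepts(rules):
    """ACCEPT rules already covered by a DNAT with the same SOURCE, PROTO and DPORT
    whose translated DEST address or ORIGDEST the ACCEPT points at (heuristic, an
    assumption of this example). Shorewall's DNAT generates the ACCEPT itself."""
    dnats = [r for r in rules if r.action.split(":")[0] == "DNAT"]
    found = []
    for acc in rules:
        if acc.action != "ACCEPT":
            continue
        acc_addr = _address(acc.dest)
        for d in dnats:
            same_flow = (acc.source, acc.proto, acc.dport) == (d.source, d.proto, d.dport)
            covered = bool(acc_addr) and acc_addr in {_address(d.dest), d.origdest}
            if same_flow and covered:
                found.append(acc)
                break
    return found


def parse_interfaces(text):
    """Return {INTERFACE: {option: value}} from a FORMAT 2 interfaces file;
    a bare option such as 'optional' is recorded with value '1'."""
    table = {}
    for cols in _columns(text):
        iface = cols[1]
        opts = {}
        if len(cols) > 2:
            for item in cols[2].split(","):
                key, _, value = item.partition("=")
                opts[key] = value if value else "1"
        table[iface] = opts
    return table


def routeback_interfaces(text):
    """Interfaces with routeback set, i.e. allowed to send traffic back out the
    interface it arrived on."""
    return [iface for iface, opts in parse_interfaces(text).items()
            if opts.get("routeback") == "1"]


if __name__ == "__main__":
    for name, text in (("Public Server", PUBLIC_RULES), ("Private Edge", EDGE_RULES)):
        for r in redundant_accepts(parse_rules(text)):
            print(f"{name}: redundant ACCEPT {r.source} -> {r.dest} {r.proto}/{r.dport}")
    print("Private Edge routeback on:", routeback_interfaces(EDGE_INTERFACES))
```

Run against the quoted configs it reports one redundant ACCEPT on each box (the ones the thread says to drop) and lists VPN_IF and INT_IF as the Private Edge interfaces with routeback; EXT_IF has none, which is the first thing to check against where the return traffic is actually showing up.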
