Daniele Davolio
2009-Feb-10 18:19 UTC
Problem with Openvpn, Multiple ISP and Traffic Shaping
Hi all,

I have a firewall with 4 ethernet interfaces: eth0 and eth1 are two different ISP providers, eth2 is my local net and eth3 is my DMZ. The interfaces eth4 and eth5 are not used yet. The firewall is a Debian Linux "etch" with shorewall 4.0.11.

I have a simple configuration as described in the Shorewall Multi-ISP documentation. I also have a little traffic shaping configuration to drive ssh packets in and out of a specific ISP interface.

Now I'd like to install an OpenVPN server for a few Roadwarrior users, and I want to install it on the firewall. I think I'm having a routing problem with this: VPN packets reach the Roadwarrior user from both ISP interfaces, not always the same one, causing packets to be rejected. I don't know if I also have to tag the VPN packets, or what else to do so that they always go through the same interface; any suggestion is appreciated :)

Here are my configuration files.

providers:

#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
EU256   1       1     main       eth1       62.94.175.33   track,balance  eth2,eth3,eth4,eth5
EU512   2       2     main       eth0       83.211.196.65  track,balance  eth2,eth3,eth4,eth5

tcrules:

#MARK  SOURCE              DEST              PROTO  DEST     SOURCE   USER  TEST  LENGTH  TOS
#                                                   PORT(S)  PORT(S)
1:P    eth2                0.0.0.0/0         all    -
1:P    eth3                0.0.0.0/0         all    -
# 3:F  eth1                192.168.2.203/24  tcp    22
# FTP per SMS
2:P    eth3:192.168.2.203  0.0.0.0/0         tcp    20,21

tcdevices:

#INTERFACE  IN-BANDWIDTH  OUT-BANDWIDTH
eth1        2000kbit      2000kbit
eth0        2000kbit      2000kbit
eth3        1000mbit      1000mbit

tcclasses:

#INTERFACE  MARK  RATE     CEIL      PRIORITY  OPTIONS
# eth3      1     500kbit  full      1         default
eth3        3     500kbit  1500kbit  2
# Ftp per SMS
eth0        2     200kbit  1500kbit  1         default
# eth1      4     500kbit  1500kbit  1         default

Thanks for any help!

Daniele

------------------------------------------------------------------------------
Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM) software.
With Adobe AIR, Ajax developers can use existing skills and code to build responsive, highly engaging applications that combine the power of local resources and data with the reach of the web. Download the Adobe AIR SDK and Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com
Shorewall Guy
2009-Feb-10 20:36 UTC
Re: Problem with Openvpn, Multiple ISP and Traffic Shaping
Daniele Davolio wrote:
> Now I'd like to install an Openvpn server because of few Roadwarrior
> users and I want to install it on the firewall.
> I think I'm having a routing problem with this. VPN packet reach the
> Roadwarrior user from both the ISP interfaces, not always the same,
> causing packet to be rejected. I don't know if I have to tag also VPN
> packets or what else to let them to go through the same Interface all
> the time and any suggestion is appreciated :)
> Here my configuration files.

We would much rather see the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines.
Eduardo Diaz Comellas
2009-Feb-10 22:46 UTC
Re: Problem with Openvpn, Multiple ISP and Traffic Shaping
Daniele Davolio wrote:
> Now I'd like to install an Openvpn server because of few Roadwarrior
> users and I want to install it on the firewall.
> I think I'm having a routing problem with this. VPN packet reach the
> Roadwarrior user from both the ISP interfaces, not always the same,
> causing packet to be rejected. I don't know if I have to tag also VPN
> packets or what else to let them to go through the same Interface all
> the time and any suggestion is appreciated :)
>

Try to switch the openvpn to use tcp instead of udp.

Regards

-- 
Eduardo Diaz Comellas -- ediaz@ultreia.es
Ultreia Comunicaciones S.L.
Daniele Davolio
2009-Feb-12 15:00 UTC
Re: Problem with Openvpn, Multiple ISP and Traffic Shaping
Hi,

I sent the "shorewall dump" as an attachment but the admins rejected it because it's ~95Kb.

Anyway, I'm wondering if I can tag UDP packets from the firewall to always drive them through the same interface, and how :)

Thanks

Daniele

Eduardo Diaz Comellas wrote:
> Daniele Davolio wrote:
>
>> Now I'd like to install an Openvpn server because of few Roadwarrior
>> users and I want to install it on the firewall.
>> I think I'm having a routing problem with this. VPN packet reach the
>> Roadwarrior user from both the ISP interfaces, not always the same,
>> causing packet to be rejected. I don't know if I have to tag also VPN
>> packets or what else to let them to go through the same Interface all
>> the time and any suggestion is appreciated :)
>>
>>
>
> Try to switch the openvpn to use tcp instead of udp.
>
> Regards
>
>

-- 
=============================================================
Daniele Davolio
Master Training S.r.l. - Information Technology Department
Registered office: via Timolini, N.18 Correggio (RE) - Italy
Operating office: via Sani N.15 (Int.6) 42100 REGGIO EMILIA (RE)
Tel +39 0522 268059 - +39 0522 1846007
Fax +39 0522 331673
E-Mail d.davolio@mastertraining.it
E-Mail serviziotecnico@mastertraining.it
=============================================================
Tom Eastep
2009-Feb-12 15:20 UTC
Re: Problem with Openvpn, Multiple ISP and Traffic Shaping
Daniele Davolio wrote:
> Hi,
> I sent the "shorewall dump" as attachment but Admins rejected it because
> it's ~95Kb.

You can always forward it to upload@shorewall.net.

> Anyway, I'm wondering if I can Tag UDP packet from the Firewall to drive
> them through always the same interface, and how :)

Possibly you should read about OpenVPN on a multi-ISP firewall at http://www.shorewall.net/MultiISP.html#Local. Also, the subject of marking packets that originate on the firewall has been recently expanded at both http://www.shorewall.net/traffic_shaping.htm#tcrules and at http://www.shorewall.net/manpages/shorewall-tcrules.html.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Jorge Armando Medina
2009-Mar-06 07:35 UTC
Re: Problem with Openvpn, Multiple ISP and Traffic Shaping
On Tuesday 10 February 2009 16:46:01 Eduardo Diaz Comellas wrote:
> Daniele Davolio wrote:
> > Now I'd like to install an Openvpn server because of few Roadwarrior
> > users and I want to install it on the firewall.
> > I think I'm having a routing problem with this. VPN packet reach the
> > Roadwarrior user from both the ISP interfaces, not always the same,
> > causing packet to be rejected. I don't know if I have to tag also VPN
> > packets or what else to let them to go through the same Interface all
> > the time and any suggestion is appreciated :)
>
> Try to switch the openvpn to use tcp instead of udp.
>

and use 2.1, that version has support for multi-home setups.

> Regards

-- 
Jorge Armando Medina
Computación Gráfica de México
Web: www.e-compugraf.com
Tel: 55 51 40 72
email: jmedina@e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
Daniele Davolio
2009-Mar-10 17:10 UTC
Re: Problem with Openvpn, Multiple ISP and Traffic Shaping
I'm sorry for the late reply, but I was dealing with other tasks.

Thanks for the suggestions; this one worked for me:

http://www.shorewall.net/MultiISP.html#Local.

But now I have another situation. OpenVPN is connecting and working, and the packets come IN and OUT through the same eth0 interface. With Shorewall started, TC is blocking the traffic from the DMZ servers to the Road Warrior client.

I'll explain better. I have a DMZ called "dweb", and two ISP providers, both on the "net" zone. I also have some tcrules to mark and regulate some traffic. When my Road Warrior connects to the OpenVPN server on the firewall and starts a ping to a dweb server through the eth3 interface, the packets reach the server but the icmp replies are caught somewhere in TC on the way back. I can't understand why. If I comment out the "1:P eth3 0.0.0.0/0 all -" rule in tcrules and restart shorewall, the Road Warriors can reach the "dweb" server as wanted.

Thanks for any suggestion. Here are the configuration files:

providers:

############################################################################################
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
EU256   1       1     main       eth1       62.94.175.33   track,balance  eth2,eth3,eth4,eth5
EU512   2       2     main       eth0       83.211.196.65  track,balance  eth2,eth3,eth4,eth5
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

tcdevices:

###############################################################################
#INTERFACE  IN-BANDWIDTH  OUT-BANDWIDTH
eth1        2000kbit      2000kbit
eth0        2000kbit      2000kbit
#eth1       1000mbit      1000mbit
eth3        1000mbit      1000mbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tcrules:

###############################################################################
#MARK  SOURCE              DEST              PROTO  DEST     SOURCE   USER  TEST  LENGTH  TOS
#                                                   PORT(S)  PORT(S)
1:P    eth2                0.0.0.0/0         all    -
1:P    eth3                0.0.0.0/0         all    -
# 3:F  eth1                192.168.2.203/24  tcp    22
# FTP per SMS
2:P    eth3:192.168.2.203  0.0.0.0/0         tcp    20,21
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tcclasses:

###############################################################################
#INTERFACE  MARK  RATE     CEIL      PRIORITY  OPTIONS
# eth3      1     500kbit  full      1         default
eth3        3     500kbit  1500kbit  2
# Ftp per SMS
eth0        2     200kbit  1500kbit  1         default
# eth1      4     500kbit  1500kbit  1         default
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Tom Eastep wrote:
> Daniele Davolio wrote:
>
>> Hi,
>> I sent the "shorewall dump" as attachment but Admins rejected it because
>> it's ~95Kb.
>>
>
> You can always forward it to upload@shorewall.net.
>
>
>> Anyway, I'm wondering if I can Tag UDP packet from the Firewall to drive
>> them through always the same interface, and how :)
>>
>
> Possibly you should read about OpenVPN on a multi-ISP firewall at
> http://www.shorewall.net/MultiISP.html#Local. Also, the subject of
> marking packets that originate on the firewall has been recently
> expanded at both http://www.shorewall.net/traffic_shaping.htm#tcrules
> and at http://www.shorewall.net/manpages/shorewall-tcrules.html,
>
> -Tom
>

-- 
=============================================================
Daniele Davolio
Master Training S.r.l. - Information Technology Department
Registered office: via Timolini, N.18 Correggio (RE) - Italy
Operating office: via Sani N.15 (Int.6) 42100 REGGIO EMILIA (RE)
Tel +39 0522 268059 - +39 0522 1846007
Fax +39 0522 331673
E-Mail d.davolio@mastertraining.it
E-Mail serviziotecnico@mastertraining.it
=============================================================
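Both routing questions in this thread (OpenVPN UDP packets generated on the firewall leaving via whichever ISP, and DMZ replies to a road warrior going astray once every packet entering eth3 carries provider mark 1) come down to which routing table a marked packet is looked up in. The following is an added example written for this page, not Shorewall's own code: a small Python model of the providers and tcrules posted above. It assumes a 10.8.0.0/24 OpenVPN subnet on tun0 and a 192.168.1.0/24 LAN on eth2 (both invented), that a provider table holds only the routes over its COPY interfaces plus the provider's default route (so no tun0 route), that the iptables MARK target is non-terminating (the last matching tcrule wins), and that tcrules accepts a `!network` exclusion in the DEST column. The `$FW` source-port rule and the `!10.8.0.0/24` exclusion are hypothetical candidates used to show what a mark does to the lookup; they are not the fix from the documentation Tom linked.

```python
"""Model of Shorewall provider marks + policy routing for the thread's config.
Added example; assumptions (VPN subnet, LAN subnet, table contents) are marked."""
import ipaddress
from dataclasses import dataclass

# providers file as posted: NUMBER/MARK -> interface, gateway, COPY interfaces
PROVIDERS = {
    1: dict(name="EU256", iface="eth1", gateway="62.94.175.33", copy={"eth2", "eth3", "eth4", "eth5"}),
    2: dict(name="EU512", iface="eth0", gateway="83.211.196.65", copy={"eth2", "eth3", "eth4", "eth5"}),
}
# 'main' table as (network, device). 192.168.2.0/24 on eth3 follows from the FTP rule;
# 192.168.1.0/24 on eth2 and the 10.8.0.0/24 OpenVPN subnet on tun0 are assumptions.
MAIN_ROUTES = [("192.168.1.0/24", "eth2"), ("192.168.2.0/24", "eth3"), ("10.8.0.0/24", "tun0")]
BALANCED = "eth0/eth1 (balanced default)"   # what the main table's default route becomes

@dataclass
class TcRule:
    mark: int
    source: str                  # "iface", "iface:host" or "$FW" (firewall-originated)
    dest: str = "0.0.0.0/0"      # network; leading '!' excludes it (assumed syntax)
    proto: str = "all"
    dport: frozenset = frozenset()
    sport: frozenset = frozenset()

@dataclass
class Packet:
    iif: str                     # ingress interface, or "$FW" for locally generated
    src: str
    dst: str
    proto: str = "icmp"
    dport: int = 0
    sport: int = 0

def _in(net: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def _source_matches(rule: TcRule, pkt: Packet) -> bool:
    iface, _, host = rule.source.partition(":")
    return iface == pkt.iif and (not host or _in(host, pkt.src))

def _dest_matches(rule: TcRule, pkt: Packet) -> bool:
    if rule.dest.startswith("!"):
        return not _in(rule.dest[1:], pkt.dst)
    return _in(rule.dest, pkt.dst)

def packet_mark(rules, pkt: Packet) -> int:
    """Mark left on the packet; the last matching rule wins (MARK is non-terminating)."""
    mark = 0
    for r in rules:
        if (_source_matches(r, pkt) and _dest_matches(r, pkt)
                and r.proto in ("all", pkt.proto)
                and (not r.dport or pkt.dport in r.dport)
                and (not r.sport or pkt.sport in r.sport)):
            mark = r.mark
    return mark

def routing_table(mark: int):
    """Table consulted for a mark: 'main' for 0, else the provider's copy of 'main'
    restricted to its COPY interfaces plus a default route via that provider.
    tun0 is not in COPY (and comes up after the copy), so provider tables lack it."""
    if mark == 0:
        return MAIN_ROUTES + [("0.0.0.0/0", BALANCED)]
    p = PROVIDERS[mark]
    return [(n, d) for n, d in MAIN_ROUTES if d in p["copy"]] + [("0.0.0.0/0", p["iface"])]

def egress_device(rules, pkt: Packet):
    """(mark, device) after a longest-prefix lookup in the table the mark selects."""
    mark = packet_mark(rules, pkt)
    best = max(routing_table(mark),
               key=lambda nd: ipaddress.ip_network(nd[0]).prefixlen if _in(nd[0], pkt.dst) else -1)
    return mark, best[1]

# tcrules as posted (the commented-out 3:F line omitted)
POSTED_RULES = [
    TcRule(1, "eth2"),
    TcRule(1, "eth3"),
    TcRule(2, "eth3:192.168.2.203", proto="tcp", dport=frozenset({20, 21})),
]
# Hypothetical variant: keep the VPN subnet out of the eth3 mark so DMZ replies stay in
# 'main', and pin firewall-originated OpenVPN UDP (source port 1194) to provider 2.
VPN_AWARE_RULES = [
    TcRule(1, "eth2"),
    TcRule(1, "eth3", dest="!10.8.0.0/24"),
    TcRule(2, "eth3:192.168.2.203", proto="tcp", dport=frozenset({20, 21})),
    TcRule(2, "$FW", proto="udp", sport=frozenset({1194})),
]
# Constructed packets: an ICMP echo reply from a dweb host to a road warrior, and an
# OpenVPN datagram from the firewall (placeholder addresses from documentation ranges).
REPLY_TO_ROADWARRIOR = Packet(iif="eth3", src="192.168.2.10", dst="10.8.0.6")
OPENVPN_REPLY = Packet(iif="$FW", src="198.51.100.1", dst="203.0.113.7", proto="udp", sport=1194)

if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("vpn-aware", VPN_AWARE_RULES)):
        print(label, "dmz->vpn:", egress_device(rules, REPLY_TO_ROADWARRIOR),
              "fw udp/1194:", egress_device(rules, OPENVPN_REPLY))
```

With the posted rules the echo reply gets mark 1 and is looked up in EU256's table, which has no tun0 route, so it leaves via eth1 instead of the tunnel; without any `$FW` rule the OpenVPN datagram falls through to the balanced default and may use either ISP. The variant keeps the reply in `main` (device tun0) and pins the datagram to eth0. On the real box the equivalent checks are `shorewall dump` (which Tom asked for) and the `ip rule`/`ip route show table N` output it includes.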
Shorewall Guy
2009-Mar-10 19:19 UTC
Re: Problem with Openvpn, Multiple ISP and Traffic Shaping
Daniele Davolio wrote:
> I'm sorry for late but I was dealing with other tasks.
> Thanks for the suggestions, this one worked for me:
>
> http://www.shorewall.net/MultiISP.html#Local.
>
> But now, I have another situation. The openvpn is connecting and
> working, the packets come IN and OUT from the same eth0 interface. With
> the Shorewall started, the TC is blocking the traffic from the DMZ
> servers to the Road Warrior client.
> I'll explain better. I have a DMZ called "dweb", and two ISP providers,
> both on the "net" zone. I have also some tcrules to mark and regulate
> some traffic. When my Road Warrior connect to the openvpn server on the
> Firewall and he start a Ping to a dweb server through eth3 interface,
> the packets reach the server but the icmp replay are catch somewhere in
> TC on the way back. I can't understand why. If I comment out the
> "1:P eth3 0.0.0.0/0 all -" rule in tcrules and
> restart shorewall, the Road Warriors can reach the "dweb" server as wanted.
> Thanks for any suggestion.
>
> Here are the configuration files:

Go to http://www.shorewall.net/MultiISP.html#id305711 and read.

-Tom
d.davolio@mastertraining.it
2009-Mar-12 19:44 UTC
Re: Problem with Openvpn, Multiple ISP and Traffic Shaping
Ok! Now it works! Thanks a lot! :)

> Daniele Davolio wrote:
>> I'm sorry for late but I was dealing with other tasks.
>> Thanks for the suggestions, this one worked for me:
>>
>> http://www.shorewall.net/MultiISP.html#Local.
>>
>> But now, I have another situation. The openvpn is connecting and
>> working, the packets come IN and OUT from the same eth0 interface. With
>> the Shorewall started, the TC is blocking the traffic from the DMZ
>> servers to the Road Warrior client.
>> I'll explain better. I have a DMZ called "dweb", and two ISP providers,
>> both on the "net" zone. I have also some tcrules to mark and regulate
>> some traffic. When my Road Warrior connect to the openvpn server on the
>> Firewall and he start a Ping to a dweb server through eth3 interface,
>> the packets reach the server but the icmp replay are catch somewhere in
>> TC on the way back. I can't understand why. If I comment out the
>> "1:P eth3 0.0.0.0/0 all -" rule in tcrules and
>> restart shorewall, the Road Warriors can reach the "dweb" server as
>> wanted.
>> Thanks for any suggestion.
>>
>> Here are the configuration files:
>
> Go to http://www.shorewall.net/MultiISP.html#id305711 and read.
>
> -Tom
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

-- 
=====================================================
Daniele Davolio
Master Training S.r.l.
Registered office: via Timolini, 18 Correggio (RE) - Italy
Operating office: via Sani, 15 Reggio Emilia - Italy
Tel +39 0522 268059 - +39 0522 1846007
Fax +39 0522 331673
E-Mail d.davolio@mastertraining.it
E-Mail serviziotecnico@mastervoice.it
=====================================================