Jerry Vonau
2003-Jun-07 17:33 UTC
RE: [Shorewall-users] can't connect to private lan on other side of tunnel from loc zone
Hi All: never mind, forgot to set the proxyarp flag for the internal interface..... put that echo in the start file and all is well... Thanks Anyway

Jerry

-----Original Message-----
From: Jerry Vonau [SMTP:jvonau@shaw.ca]
Sent: Saturday, June 07, 2003 03:41 PM
To: Shorewall-Users (E-mail)
Subject: [Shorewall-users] can't connect to private lan on other side of tunnel from loc zone

Hi All: Here is a strange one...

I have a vpn set-up between a couple of locations, It's using a ppp interface. I'm using Shorewall-1.4.4b and an out of the box 2.4.20-18.8 kernel from redhat. I'm able to ping/connect from the firewall itself to anything on the other end of the tunnel... I'm unable to make a connection to 2 of the remote lans 10.2.0.0/24 and 10.1.14.0/24 from a machine in the loc zone, while I'm able to connect to a machine that is only accessible through the 10.1.14.0/24 lan. There is nothing showing up in /var/log/messages...

Here is the routing:

Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref Use Iface
139.142.212.5    0.0.0.0          255.255.255.255  UH    0      0   0   eth2
10.2.0.150       0.0.0.0          255.255.255.255  UH    0      0   0   ppp0
10.1.14.1        0.0.0.0          255.255.255.255  UH    0      0   0   ppp0
204.225.120.230  10.1.14.1        255.255.255.255  UGH   0      0   0   ppp0
139.142.212.0    0.0.0.0          255.255.255.240  U     0      0   0   eth0
10.1.14.0        10.2.0.1         255.255.255.0    UG    0      0   0   ppp0
10.2.0.0         0.0.0.0          255.255.255.0    U     0      0   0   ppp0
10.3.0.0         0.0.0.0          255.255.255.0    U     0      0   0   ppp0
10.5.0.0         0.0.0.0          255.255.255.0    U     0      0   0   eth2
10.0.0.0         0.0.0.0          255.0.0.0        U     0      0   0   eth1
127.0.0.0        0.0.0.0          255.0.0.0        U     0      0   0   lo
0.0.0.0          139.142.212.14   0.0.0.0          UG    0      0   0   eth0

The interfaces file:

#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth0        139.142.212.15   norfc1918,tcpflags,blacklist
loc     eth1        10.255.255.255   dhcp
dmz     eth2        detect
-       ppp+        -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

hosts:

sarg    ppp+:10.2.0.0/24
jer     ppp+:10.3.0.0/24
nff1    ppp+:10.1.14.0/24
nff2    ppp+:$NFF2

NFF2 is defined in the params file, this is the only connection that does work through the tunnel from the loc zone..

zones:

#ZONE   DISPLAY   COMMENTS
net     Net       Internet
sarg    SARG      Sarg's Lan
jer     jerry     jerry's house
nff1    ship      nff in shipping
nff2    nffftp    nff's ftp
loc     Local     Local networks
dmz     DMZ       Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

policy:

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
fw        net    ACCEPT
loc       dmz    ACCEPT
loc       jer    ACCEPT   info
loc       sarg   ACCEPT   info
loc       nff1   ACCEPT   info
loc       net    ACCEPT
nff1      loc    ACCEPT   info
sarg      loc    ACCEPT   info
jer       loc    ACCEPT   info
loc       loc    ACCEPT   info
dmz       net    ACCEPT   info
net       all    DROP     info
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

attached is a dump of shorewall status:

This is the last piece that I need to get working. Everything else is working just great. Just to recap, from the firewall, through the tunnel, everything works. From the loc zone, just one of them works, strange that the one that works uses public ip addresses, but is only accessible from the 10.1.14.0 network, while the private ip addresses on the remote lan don't. Not too sure where to look for this one... What have I overlooked?? If I didn't submit a file that is needed to troubleshoot this, just tell me...

Thanks in Advance

Jerry Vonau

<< File: shore.dmp >>
<< File: ATT00002.txt >>
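The routing table above explains why the proxy ARP fix was needed: the loc zone on eth1 is the whole of 10.0.0.0/8, so a loc host with a /8 mask considers 10.2.0.x and 10.1.14.x to be on its own segment and ARPs for them directly instead of sending them to the firewall, while 204.225.120.230 is off-link and goes to the gateway as normal. The firewall only sees those packets if it answers ARP for the remote addresses on eth1 (proxy_arp). The script below is an added illustration, not part of the original post and not Shorewall code: it replays the firewall's routing table from the message through a longest-prefix lookup and models the loc host's on-link decision. The loc host address 10.0.0.50/255.0.0.0 with gateway 10.0.0.1 is a constructed assumption (the post does not give a loc host address); the routes are copied from the post.

```python
import ipaddress

# Firewall routing table as posted: (Destination, Gateway, Genmask, Iface).
FIREWALL_ROUTES = [
    ("139.142.212.5",   "0.0.0.0",        "255.255.255.255", "eth2"),
    ("10.2.0.150",      "0.0.0.0",        "255.255.255.255", "ppp0"),
    ("10.1.14.1",       "0.0.0.0",        "255.255.255.255", "ppp0"),
    ("204.225.120.230", "10.1.14.1",      "255.255.255.255", "ppp0"),
    ("139.142.212.0",   "0.0.0.0",        "255.255.255.240", "eth0"),
    ("10.1.14.0",       "10.2.0.1",       "255.255.255.0",   "ppp0"),
    ("10.2.0.0",        "0.0.0.0",        "255.255.255.0",   "ppp0"),
    ("10.3.0.0",        "0.0.0.0",        "255.255.255.0",   "ppp0"),
    ("10.5.0.0",        "0.0.0.0",        "255.255.255.0",   "eth2"),
    ("10.0.0.0",        "0.0.0.0",        "255.0.0.0",       "eth1"),
    ("127.0.0.0",       "0.0.0.0",        "255.0.0.0",       "lo"),
    ("0.0.0.0",         "139.142.212.14", "0.0.0.0",         "eth0"),
]

# Constructed loc host for the illustration; the post gives no loc host address.
LOC_HOST_IP = "10.0.0.50"
LOC_HOST_MASK = "255.0.0.0"        # matches the 10.0.0.0/8 route on eth1
LOC_HOST_GATEWAY = "10.0.0.1"      # assumed firewall eth1 address


def lookup(routes, dst):
    """Longest-prefix match over a netstat-style table, as the kernel does it.

    Returns the interface, the next hop (None for on-link routes) and the
    prefix length of the winning route, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, gw, mask, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    net, gw, iface = best
    return {"iface": iface,
            "gateway": None if gw == "0.0.0.0" else gw,
            "prefixlen": net.prefixlen}


def loc_host_next_hop(host_ip, host_mask, default_gw, dst):
    """What an ordinary host does with a packet: destinations inside its own
    subnet are ARPed for directly, everything else is handed to the gateway."""
    local = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    if ipaddress.ip_address(dst) in local:
        return ("arp", dst)
    return ("gateway", default_gw)


def needs_proxy_arp(routes, host_ip, host_mask, default_gw, dst):
    """True when the host will ARP for dst on its own segment but the firewall
    would forward dst out a different interface. In that case the packet never
    reaches the firewall unless it answers the ARP itself, i.e. proxy_arp is
    enabled on the loc interface (/proc/sys/net/ipv4/conf/<iface>/proxy_arp)."""
    action, _ = loc_host_next_hop(host_ip, host_mask, default_gw, dst)
    if action != "arp":
        return False                      # goes via the gateway, no ARP issue
    route = lookup(routes, dst)
    loc_route = lookup(routes, host_ip)   # interface the loc host lives on
    return route is not None and route["iface"] != loc_route["iface"]


def report(dsts):
    """Summarise, per destination, the loc host's choice and the firewall's route."""
    rows = []
    for dst in dsts:
        action, hop = loc_host_next_hop(LOC_HOST_IP, LOC_HOST_MASK, LOC_HOST_GATEWAY, dst)
        route = lookup(FIREWALL_ROUTES, dst)
        proxy = needs_proxy_arp(FIREWALL_ROUTES, LOC_HOST_IP, LOC_HOST_MASK,
                                LOC_HOST_GATEWAY, dst)
        rows.append((dst, action, hop, route["iface"], proxy))
    return rows


if __name__ == "__main__":
    for dst, action, hop, iface, proxy in report(
            ["10.2.0.5", "10.1.14.7", "204.225.120.230", "10.0.0.60"]):
        print(f"{dst:16} host: {action:7} -> {hop:16} fw iface: {iface:5} "
              f"proxy_arp needed on eth1: {proxy}")
```

Running it shows the two remote private LANs flagged as needing proxy ARP on eth1 and the public host 204.225.120.230 not, which is exactly the split the post describes. The same check also flags 10.5.0.0/24 on eth2 for a /8 loc host, so it generalises beyond the tunnel case: any subnet carved out of a larger on-link range needs either proxy ARP on the firewall or a narrower mask on the hosts.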