gunpow@yahoo.com wrote:
> Ok here is my network setup, I hope it shows properly:
>
> Internet --- Shorewall Box 1 -- VPN (openvpn)
>                    |                  |
>                    |           Shorewall 2 / Web Server 2
>                    |
>                    |
>                  LAN -- Web Server 1
>
>
> Lan segment has multiple web servers and mail servers
> etc. All of that is working perfect.
>
> Now we have added an additional web server connected
> via a vpn, and for certain external IPs on Shorewall
> 1, we want to redirect them to the new web server over
> the vpn to shorewall 2. Our problem is that the apache
> logs on shorewall 2 show shorewall 1's vpn IP and not
> the actual remote client's ip.
>
> The current masq file on shorewall 1 looks like this:
> Eth0 eth1
> Tun0 0.0.0.0/0
>
> The masq file on shorewall 2 is empty.
>
> If we remove the Tun0 line, connections are forwarded
> to shorewall 2 properly with the remote client's ip.
> However the connections are blocked and show up in
> /var/log/messages as "martian source" on shorewall 2.
>
> Also, in our interfaces files, we are only using the
> blacklist option, I didn't see any others that may fix
> this in the documentation.
>
> Is there any way we can get the client's IP to be
> passed to shorewall 2's web server via the vpn and
> still have all traffic come in/out of shorewall 1? I'm
> thinking we may be SOL as we have looked in the FAQ
> and docs and can't find anything...but perhaps someone
> on the list has an idea.
>
Your Shorewall 2 box effectively has two incoming internet connections so
you would need to configure the routing as described in Shorewall FAQ
32; note that your problem involves *incoming* connections so you need
to pay close attention to the information supplied by Martin Brown.
Also, you need to somewhat disable the routing described in FAQ 32
because I assume that you don't want normal outgoing connections to be
load balanced between Shorewall 2's internet connection and the tunnel.
In summary, this question really has nothing to do with Shorewall and
rather involves policy routing. The LARTC mailing list is probably a
better source of information in such cases.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
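For readers wanting to see what the policy-routing fix for the second box looks like in iproute2/iptables terms, here is an added illustration that is not from the thread, from Shorewall's FAQ, or from the LARTC HOWTO: connections that arrive over the tunnel get a connection mark, locally generated replies inherit that mark and are routed back out the tunnel, and the reverse-path filter is relaxed so the kernel stops logging those packets as martians. The interface name `tun0`, the peer address `10.8.0.1`, the table number and the mark value are all assumed.

```shell
#!/bin/sh
# Added example, not Shorewall's own configuration. Run on "Shorewall 2":
# replies to flows that entered via the VPN leave via the VPN again, so the
# web server's Apache log sees the real client address while the box keeps
# its own default route for everything else (no load balancing).
TUN_IF="tun0"        # VPN interface toward Shorewall 1 (assumed name)
TUN_GW="10.8.0.1"    # Shorewall 1's VPN-side address (assumed)
TABLE_ID=100         # routing table used only for VPN-originated flows
MARK=0x1             # connmark tagging flows that arrived on $TUN_IF

# Emit the commands in order; nothing is executed here.
plan() {
    cat <<EOF
sysctl -w net.ipv4.conf.$TUN_IF.rp_filter=2
sysctl -w net.ipv4.conf.all.rp_filter=2
ip route add default via $TUN_GW dev $TUN_IF table $TABLE_ID
ip rule add fwmark $MARK lookup $TABLE_ID priority 100
iptables -t mangle -A PREROUTING -i $TUN_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
EOF
}

# DRY_RUN=1 (the default) prints each command for review; DRY_RUN=0 runs it.
apply() {
    plan | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "$cmd"
        else
            eval "$cmd"
        fi
    done
}

if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0 apply
fi
```

rp_filter=2 is the kernel's loose mode; the effective value per interface is the larger of `conf.all` and `conf.<iface>`, which is why both are set. Only flows marked on arrival use table 100, so outgoing connections from the box still follow the main table, matching the concern in the reply above.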