I am trying shorewall as in my previous post, with aliases on eth1 loc and 4 pptp client vpns.
The odd thing is when I enter one of the vpns in interfaces such as vpn1 it works.
But if I enter the vpn in the hosts file shorewall blocks the vpns.

shorewall/hosts

#ZONE   HOST(S)                 OPTIONS
loc     eth1:192.168.25.0/24
loctw   eth1:192.168.50.0/24
locsa   eth1:192.168.75.0/24
vpntw   ppp+:!192.168.50.0/24
vpnsa   ppp+:!192.168.75.0/24
#vpn3   ppp+:!192.168.3.0/24

interfaces
net     eth0    detect  routefilter,norfc1918,tcpflags
-       eth1    192.168.25.255,192.168.50.255,192.168.75.255
-       ppp+

Now if I comment out vpnsa in hosts and enter vpnsa in interfaces it works (meaning the tunnel can talk :).
I can not figure out what the trouble is.

Thanks

Mike
> I am trying shorewall as in my previous post, with aliases on eth1 loc and
> 4 pptp client vpns.
> The odd thing is when I enter one of the vpns in interfaces such as vpn1
> it works.
> But if I enter the vpn in the hosts file shorewall blocks the vpns.
>
> shorewall/hosts
>
> #ZONE   HOST(S)                 OPTIONS
> loc     eth1:192.168.25.0/24
> loctw   eth1:192.168.50.0/24
> locsa   eth1:192.168.75.0/24
> vpntw   ppp+:!192.168.50.0/24
> vpnsa   ppp+:!192.168.75.0/24
> #vpn3   ppp+:!192.168.3.0/24
>
>
> interfaces
> net     eth0    detect  routefilter,norfc1918,tcpflags
> -       eth1    192.168.25.255,192.168.50.255,192.168.75.255
> -       ppp+
>
> now if I comment out vpnsa in hosts and enter vpnsa in interfaces it works
> (meaning the tunnel can talk :).
> I can not figure out what the trouble is.
>
> Thanks
>
> Mike

I am thinking after some archive search I do not have

modprobe ip_conntrack_pptp
modprobe ip_nat_pptp

Could this be the trouble, and does that require a kernel recompile?
Hi Mike,

first of all: Did you read http://www.shorewall.net/PPTP.htm ?


On Sunday 26 June 2005 04:44, Mike Lander wrote:
> > I am trying shorewall as in my previous post, with aliases on eth1 loc and
> > 4 pptp client vpns.
> > The odd thing is when I enter one of the vpns in interfaces such as vpn1
> > it works.
> > But if I enter the vpn in the hosts file shorewall blocks the vpns.
> >
> > shorewall/hosts
> >
> > #ZONE   HOST(S)                 OPTIONS
> > loc     eth1:192.168.25.0/24
> > loctw   eth1:192.168.50.0/24
> > locsa   eth1:192.168.75.0/24
> > vpntw   ppp+:!192.168.50.0/24
> > vpnsa   ppp+:!192.168.75.0/24
> > #vpn3   ppp+:!192.168.3.0/24
> >
> >
> > interfaces
> > net     eth0    detect  routefilter,norfc1918,tcpflags
> > -       eth1    192.168.25.255,192.168.50.255,192.168.75.255
> > -       ppp+
> >
> > now if I comment out vpnsa in hosts and enter vpnsa in interfaces it
> > works (meaning the tunnel can talk :).
> > I can not figure out what the trouble is.
> >
> > Thanks
> >
> > Mike
>

I didn't really understand your setup.
3 possibilities:

1. Shorewall itself is the PPTP-server => no module needed
2. PPTP-server is behind shorewall => simple DNAT is needed.
3. PPTP-Clients behind shorewall connecting to the SAME external server => ip_nat_pptp module is needed

In the last case you have to recompile iptables and kernel.

I guess your setup is case 3. Am I on the right way?

HTH,
Alex

> I am thinking after some archive search I do not have
> modprobe ip_conntrack_pptp
> modprobe ip_nat_pptp
> could this be the trouble and does that require kernel recompile?
>
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> I am trying shorewall as in my previous post, with aliases on eth1 loc and 4
> pptp client vpns.
> The odd thing is when I enter one of the vpns in interfaces such as vpn1 it
> works.
> But if I enter the vpn in the hosts file shorewall blocks the vpns.
>
> shorewall/hosts
>
> #ZONE   HOST(S)                 OPTIONS
> loc     eth1:192.168.25.0/24
> loctw   eth1:192.168.50.0/24
> locsa   eth1:192.168.75.0/24
> vpntw   ppp+:!192.168.50.0/24
> vpnsa   ppp+:!192.168.75.0/24
> #vpn3   ppp+:!192.168.3.0/24
>
>
> interfaces
> net     eth0    detect  routefilter,norfc1918,tcpflags
> -       eth1    192.168.25.255,192.168.50.255,192.168.75.255
> -       ppp+
>
> now if I comment out vpnsa in hosts and enter vpnsa in interfaces it works
> (meaning the tunnel can talk :).
> I can not figure out what the trouble is.
>
> Thanks
>
> Mike
>

Mike:

To fully debug this, please post the entire config, as tested. There are
some finer points in the other files that may have an effect on what
happens here (I'm thinking order of the zones). In your example above,
it's hard to tell what the vlan/business/zone/interface relationship is.
The more detail you provide, the clearer the picture becomes for the rest
of us. Just to clarify, what did the entry in interfaces look like, when it
worked for you? This then needs to be taken in context, with what is in
the rest of your config, at that point. If your "loctw" is using 192.168.50.0/24
why exclude 192.168.50.0/24 from the "vpntw" zone? In this hosts file, we
are defining what netblocks, on/or through an interface, belong to what
zones.

Off the top of my head, I think the way "I might" do it would be:

zones:
biz1
biz2
biz3
loc
net

interfaces:
net     eth0    detect  routefilter,norfc1918,tcpflags
-       eth1    192.168.X.X,192.168.25.255,192.168.50.255,192.168.75.255
-       ppp+

hosts:
loc     eth1:192.168.X.X/24
biz1    eth1:192.168.50.0/24
biz1    ppp+:192.168.50.0/24,<netblock of 'home' lan>
biz2    eth1:192.168.75.0/24
biz2    ppp+:192.168.75.0/24,<netblock of 'home' lan>
biz3    you get the idea....
biz3

policy:
#SOURCE DEST    POLICY
(at the top)
biz3    biz3    ACCEPT
biz2    biz2    ACCEPT
biz1    biz1    ACCEPT
(before the reject/drop policy)
biz1    biz2    NONE
biz2    biz1    NONE
biz1    biz3    NONE
biz3    biz1    NONE
biz2    biz3    NONE
biz3    biz2    NONE

192.168.X.X would be the primary ip address of the loc zone,
unused by any bizX zones, that one is for your use only.
Without the config files and the output of shorewall status,
everything is just a guess.... Hope it helps.

Jerry
> Hi Mike,
>
> first of all: Did you read http://www.shorewall.net/PPTP.htm ?
>
>
> On Sunday 26 June 2005 04:44, Mike Lander wrote:
>> > I am trying shorewall as in my previous post, with aliases on eth1 loc
>> > and
>> > 4 pptp client vpns.
>> > The odd thing is when I enter one of the vpns in interfaces such as
>> > vpn1
>> > it works.
>> > But if I enter the vpn in the hosts file shorewall blocks the vpns.
>> >
>> > shorewall/hosts
>> >
>> > #ZONE   HOST(S)                 OPTIONS
>> > loc     eth1:192.168.25.0/24
>> > loctw   eth1:192.168.50.0/24
>> > locsa   eth1:192.168.75.0/24
>> > vpntw   ppp+:!192.168.50.0/24
>> > vpnsa   ppp+:!192.168.75.0/24
>> > #vpn3   ppp+:!192.168.3.0/24
>> >
>> >
>> > interfaces
>> > net     eth0    detect  routefilter,norfc1918,tcpflags
>> > -       eth1    192.168.25.255,192.168.50.255,192.168.75.255
>> > -       ppp+
>> >
>> > now if I comment out vpnsa in hosts and enter vpnsa in interfaces it
>> > works (meaning the tunnel can talk :).
>> > I can not figure out what the trouble is.
>> >
>> > Thanks
>> >
>> > Mike
>>
>
> I didn't really understand your setup.
> 3 possibilities:
>
> 1. Shorewall itself is the PPTP-server => no module needed
> 2. PPTP-server is behind shorewall => simple DNAT is needed.
> 3. PPTP-Clients behind shorewall connecting to the SAME external server =>
> ip_nat_pptp module is needed
>
> In the last case you have to recompile iptables and kernel.
>
> I guess your setup is case 3. Am I on the right way?
>
> HTH,
> Alex
>
>> I am thinking after some archive search I do not have
>> modprobe ip_conntrack_pptp
>> modprobe ip_nat_pptp
>> could this be the trouble and does that require kernel recompile?

Thank you Alex,

I am using this linux box from an offsite sale that is using pptp clients on the
Linux server to connect to multiple stores at an automall. So in short the offsite server
is connecting to pptpd servers listening at the dealerships, and the offsite server
is connecting with ppp clients at the firewall, not behind it.

First I set up the offsite end with 4 pptp clients at the offsite server and
got that working.
All the dealers are having an offsite sale. Since I had a pptp server listening at all
their dealerships I used a linux box at the offsite sale to connect all 4 of the ones I support
to the automall, so all the pptp servers are at the automall. The offsite
sale is linux, 4 ppp clients on the server.
After getting all the tunnels working I wanted to provide security between these dealers.
So I aliased eth1. After setting this up, when I pinged the first dealer I get this.

Thanks
Mike

Jun 26 11:21:52 66-224-62-110 pptp[25029]: anon log[logecho:pptp_ctrl.c:670]: Echo Reply received.
Jun 26 11:22:44 66-224-62-110 kernel: Shorewall:all2all:REJECT:IN=ppp0 OUT= MAC= SRC=10.3.85.104 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=57018 PROTO=2
>> I am trying shorewall as in my previous post, with aliases on eth1 loc
> and 4
>> pptp client vpns.
>> The odd thing is when I enter one of the vpns in interfaces such as vpn1
> it
>> works.
>> But if I enter the vpn in the hosts file shorewall blocks the vpns.
>>
>> shorewall/hosts
>>
>> #ZONE   HOST(S)                 OPTIONS
>> loc     eth1:192.168.25.0/24
>> loctw   eth1:192.168.50.0/24
>> locsa   eth1:192.168.75.0/24
>> vpntw   ppp+:!192.168.50.0/24
>> vpnsa   ppp+:!192.168.75.0/24
>> #vpn3   ppp+:!192.168.3.0/24
>>
>>
>> interfaces
>> net     eth0    detect  routefilter,norfc1918,tcpflags
>> -       eth1    192.168.25.255,192.168.50.255,192.168.75.255
>> -       ppp+
>>
>> now if I comment out vpnsa in hosts and enter vpnsa in interfaces it
> works
>> (meaning the tunnel can talk :).
>> I can not figure out what the trouble is.
>>
>> Thanks
>>
>> Mike
>>
>>
> Mike:
>
> To fully debug this, please post the entire config, as tested. There are
> some finer points in the other files that may have an effect on what
> happens here (I'm thinking order of the zones). In your example above,
> it's hard to tell what the vlan/business/zone/interface relationship is.
> The more detail you provide, the clearer the picture becomes for the rest
> of us. Just to clarify, what did the entry in interfaces look like, when
> it
> worked for you? This then needs to be taken in context, with what is in
> the rest of your config, at that point. If your "loctw" is using
> 192.168.50.0/24
> why exclude 192.168.50.0/24 from the "vpntw" zone? In this hosts file, we
> are defining what netblocks, on/or through an interface, belong to what
> zones.
>
> Off the top of my head, I think the way "I might" do it would be:
> zones:
> biz1
> biz2
> biz3
> loc
> net
>
> interfaces:
> net     eth0    detect  routefilter,norfc1918,tcpflags
> -       eth1    192.168.X.X,192.168.25.255,192.168.50.255,192.168.75.255
> -       ppp+
>
> hosts:
> loc     eth1:192.168.X.X/24
> biz1    eth1:192.168.50.0/24
> biz1    ppp+:192.168.50.0/24,<netblock of 'home' lan>
> biz2    eth1:192.168.75.0/24
> biz2    ppp+:192.168.75.0/24,<netblock of 'home' lan>
> biz3    you get the idea....
> biz3
>
> policy:
> #SOURCE DEST    POLICY
> (at the top)
> biz3    biz3    ACCEPT
> biz2    biz2    ACCEPT
> biz1    biz1    ACCEPT
> (before the reject/drop policy)
> biz1    biz2    NONE
> biz2    biz1    NONE
> biz1    biz3    NONE
> biz3    biz1    NONE
> biz2    biz3    NONE
> biz3    biz2    NONE
>
> 192.168.X.X would be the primary ip address of the loc zone,
> unused by any bizX zones, that one is for your use only.
> Without the config files and the output of shorewall status,
> everything is just a guess.... Hope it helps.

Thanks Jerry,

I posted my config a minute ago. Hopefully it will show up; if not I will repost.
In the above example, if I comment out

biz2    ppp+:192.168.75.0/24,<netblock of 'home' lan>

in the hosts file and enter "biz2" in interfaces instead of hosts I can communicate through the pptp tunnel.
With the entry in the hosts file I get this from /var/log/messages:

Jun 26 11:39:24 66-224-62-110 kernel: Shorewall:all2all:REJECT:IN=ppp0 OUT= MAC= SRC=10.3.85.104 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=15254 PROTO=2
>> Hi Mike,
>>
>> first of all: Did you read http://www.shorewall.net/PPTP.htm ?
>>
>>
>> On Sunday 26 June 2005 04:44, Mike Lander wrote:
>>> > I am trying shorewall as in my previous post, with aliases on eth1 loc
>>> > and
>>> > 4 pptp client vpns.
>>> > The odd thing is when I enter one of the vpns in interfaces such as
>>> > vpn1
>>> > it works.
>>> > But if I enter the vpn in the hosts file shorewall blocks the vpns.
>>> >
>>> > shorewall/hosts
>>> >
>>> > #ZONE   HOST(S)                 OPTIONS
>>> > loc     eth1:192.168.25.0/24
>>> > loctw   eth1:192.168.50.0/24
>>> > locsa   eth1:192.168.75.0/24
>>> > vpntw   ppp+:!192.168.50.0/24
>>> > vpnsa   ppp+:!192.168.75.0/24
>>> > #vpn3   ppp+:!192.168.3.0/24
>>> >
>>> >
>>> > interfaces
>>> > net     eth0    detect  routefilter,norfc1918,tcpflags
>>> > -       eth1    192.168.25.255,192.168.50.255,192.168.75.255
>>> > -       ppp+
>>> >
>>> > now if I comment out vpnsa in hosts and enter vpnsa in interfaces it
>>> > works (meaning the tunnel can talk :).
>>> > I can not figure out what the trouble is.
>>> >
>>> > Thanks
>>> >
>>> > Mike
>>>
>>
>> I didn't really understand your setup.
>> 3 possibilities:
>>
>> 1. Shorewall itself is the PPTP-server => no module needed
>> 2. PPTP-server is behind shorewall => simple DNAT is needed.
>> 3. PPTP-Clients behind shorewall connecting to the SAME external server
>> =>
>> ip_nat_pptp module is needed
>>
>> In the last case you have to recompile iptables and kernel.
>>
>> I guess your setup is case 3. Am I on the right way?
>>
>> HTH,
>> Alex
>>
>>> I am thinking after some archive search I do not have
>>> modprobe ip_conntrack_pptp
>>> modprobe ip_nat_pptp
>>> could this be the trouble and does that require kernel recompile?
>
>
> Thank you Alex,
> I am using this linux box from an offsite sale that is using pptp
> clients on the
> Linux server to connect to multiple stores at an automall. So in short the
> offsite server
> is connecting to pptpd servers listening at the dealerships, and the
> offsite
> server
> is connecting with ppp clients at the firewall, not behind it.
>
> First I set up the offsite end with 4 pptp clients at the offsite server
> and
> got that working.
> All the dealers are having an offsite sale. Since I had a pptp server
> listening at all
> their dealerships I used a linux box at the offsite sale to connect all 4
> of
> the ones I support
> to the automall, so all the pptp servers are at the automall. The offsite
> sale is linux, 4 ppp clients on the server.
> After getting all the tunnels working I wanted to provide security
> between these dealers.
> So I aliased eth1. After setting this up, when I pinged the first dealer I
> get
> this.
>
> Thanks
> Mike
>
> Jun 26 11:21:52 66-224-62-110 pptp[25029]: anon
> log[logecho:pptp_ctrl.c:670]: Echo Reply received.
> Jun 26 11:22:44 66-224-62-110 kernel: Shorewall:all2all:REJECT:IN=ppp0
> OUT= MAC= SRC=10.3.85.104 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1
> ID=57018
> PROTO=2

Sorry, I think the above is a ppp broadcast to the firewall; the correct one is below.

Jun 26 11:58:33 66-224-62-110 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.75.77 DST=10.3.85.15 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=52760 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29973
>> I am trying shorewall as in my previous post, with aliases on eth1 loc
> and 4
>> pptp client vpns.
>> The odd thing is when I enter one of the vpns in interfaces such as vpn1
> it
>> works.
>> But if I enter the vpn in the hosts file shorewall blocks the vpns.
>>
>> shorewall/hosts
>>
>> #ZONE   HOST(S)                 OPTIONS
>> loc     eth1:192.168.25.0/24
>> loctw   eth1:192.168.50.0/24
>> locsa   eth1:192.168.75.0/24
>> vpntw   ppp+:!192.168.50.0/24
>> vpnsa   ppp+:!192.168.75.0/24
>> #vpn3   ppp+:!192.168.3.0/24
>>
>>
>> interfaces
>> net     eth0    detect  routefilter,norfc1918,tcpflags
>> -       eth1    192.168.25.255,192.168.50.255,192.168.75.255
>> -       ppp+
>>
>> now if I comment out vpnsa in hosts and enter vpnsa in interfaces it
> works
>> (meaning the tunnel can talk :).
>> I can not figure out what the trouble is.
>>
>> Thanks
>>
>> Mike
>>
>>
> Mike:
>
> To fully debug this, please post the entire config, as tested. There are
> some finer points in the other files that may have an effect on what
> happens here (I'm thinking order of the zones). In your example above,
> it's hard to tell what the vlan/business/zone/interface relationship is.
> The more detail you provide, the clearer the picture becomes for the rest
> of us. Just to clarify, what did the entry in interfaces look like, when
> it
> worked for you? This then needs to be taken in context, with what is in
> the rest of your config, at that point. If your "loctw" is using
> 192.168.50.0/24
> why exclude 192.168.50.0/24 from the "vpntw" zone? In this hosts file, we
> are defining what netblocks, on/or through an interface, belong to what
> zones.
>
> Off the top of my head, I think the way "I might" do it would be:
> zones:
> biz1
> biz2
> biz3
> loc
> net
>
> interfaces:
> net     eth0    detect  routefilter,norfc1918,tcpflags
> -       eth1    192.168.X.X,192.168.25.255,192.168.50.255,192.168.75.255
> -       ppp+
>
> hosts:
> loc     eth1:192.168.X.X/24
> biz1    eth1:192.168.50.0/24
> biz1    ppp+:192.168.50.0/24,<netblock of 'home' lan>
> biz2    eth1:192.168.75.0/24
> biz2    ppp+:192.168.75.0/24,<netblock of 'home' lan>
> biz3    you get the idea....
> biz3
>
> policy:
> #SOURCE DEST    POLICY
> (at the top)
> biz3    biz3    ACCEPT
> biz2    biz2    ACCEPT
> biz1    biz1    ACCEPT
> (before the reject/drop policy)
> biz1    biz2    NONE
> biz2    biz1    NONE
> biz1    biz3    NONE
> biz3    biz1    NONE
> biz2    biz3    NONE
> biz3    biz2    NONE
>
> 192.168.X.X would be the primary ip address of the loc zone,
> unused by any bizX zones, that one is for your use only.
> Without the config files and the output of shorewall status,
> everything is just a guess.... Hope it helps.
>
> Jerry

I am just getting the gist of your suggestions here Jerry. BTW, the local zone will be separated for any other dealers that would like to use this box at the offsite sale, since it will have wireless access to this box. They will be in tents desking car deals wirelessly. If you buy the car you go into a college (where the sale is) and get financing inside, where everything is wired.

Thanks
Mike
>> Mike:
>>
>> To fully debug this, please post the entire config, as tested. There are
>> some finer points in the other files that may have an effect on what
>> happens here (I'm thinking order of the zones). In your example above,
>> it's hard to tell what the vlan/business/zone/interface relationship is.
>> The more detail you provide, the clearer the picture becomes for the rest
>> of us. Just to clarify, what did the entry in interfaces look like, when
>> it
>> worked for you? This then needs to be taken in context, with what is in
>> the rest of your config, at that point. If your "loctw" is using
>> 192.168.50.0/24
>> why exclude 192.168.50.0/24 from the "vpntw" zone? In this hosts file, we
>> are defining what netblocks, on/or through an interface, belong to what
>> zones.
>>
>> Off the top of my head, I think the way "I might" do it would be:
>> zones:
>> biz1
>> biz2
>> biz3
>> loc
>> net
>>
>> interfaces:
>> net     eth0    detect  routefilter,norfc1918,tcpflags
>> -       eth1    192.168.X.X,192.168.25.255,192.168.50.255,192.168.75.255
>> -       ppp+
>>
>> hosts:
>> loc     eth1:192.168.X.X/24
>> biz1    eth1:192.168.50.0/24
>> biz1    ppp+:192.168.50.0/24,<netblock of 'home' lan>
>> biz2    eth1:192.168.75.0/24
>> biz2    ppp+:192.168.75.0/24,<netblock of 'home' lan>
>> biz3    you get the idea....
>> biz3
>>
>> policy:
>> #SOURCE DEST    POLICY
>> (at the top)
>> biz3    biz3    ACCEPT
>> biz2    biz2    ACCEPT
>> biz1    biz1    ACCEPT
>> (before the reject/drop policy)
>> biz1    biz2    NONE
>> biz2    biz1    NONE
>> biz1    biz3    NONE
>> biz3    biz1    NONE
>> biz2    biz3    NONE
>> biz3    biz2    NONE
>>
>> 192.168.X.X would be the primary ip address of the loc zone,
>> unused by any bizX zones, that one is for your use only.
>> Without the config files and the output of shorewall status,
>> everything is just a guess.... Hope it helps.
>>
>> Jerry

Thanks Jerry, it was the order of the zones, got it working.

Mike
Subject: [Shorewall-users] Vpn Trouble TROUBLE FIXED!!!!!!!!!!!!!!!!!!!

> >> Mike:
> >>
> >> To fully debug this, please post the entire config, as tested. There are
> >> some finer points in the other files that may have an effect on what
> >> happens here (I'm thinking order of the zones). In your example above,
> >> it's hard to tell what the vlan/business/zone/interface relationship is.
> >> The more detail you provide, the clearer the picture becomes for the rest
> >> of us. Just to clarify, what did the entry in interfaces look like, when
> >> it
> >> worked for you? This then needs to be taken in context, with what is in
> >> the rest of your config, at that point. If your "loctw" is using
> >> 192.168.50.0/24
> >> why exclude 192.168.50.0/24 from the "vpntw" zone? In this hosts file, we
> >> are defining what netblocks, on/or through an interface, belong to what
> >> zones.
> >>
> >> Off the top of my head, I think the way "I might" do it would be:
> >> zones:
> >> biz1
> >> biz2
> >> biz3
> >> loc
> >> net
> >>
> >> interfaces:
> >> net     eth0    detect  routefilter,norfc1918,tcpflags
> >> -       eth1    192.168.X.X,192.168.25.255,192.168.50.255,192.168.75.255
> >> -       ppp+
> >>
> >> hosts:
> >> loc     eth1:192.168.X.X/24
> >> biz1    eth1:192.168.50.0/24
> >> biz1    ppp+:192.168.50.0/24,<netblock of 'home' lan>
> >> biz2    eth1:192.168.75.0/24
> >> biz2    ppp+:192.168.75.0/24,<netblock of 'home' lan>
> >> biz3    you get the idea....
> >> biz3
> >>
> >> policy:
> >> #SOURCE DEST    POLICY
> >> (at the top)
> >> biz3    biz3    ACCEPT
> >> biz2    biz2    ACCEPT
> >> biz1    biz1    ACCEPT
> >> (before the reject/drop policy)
> >> biz1    biz2    NONE
> >> biz2    biz1    NONE
> >> biz1    biz3    NONE
> >> biz3    biz1    NONE
> >> biz2    biz3    NONE
> >> biz3    biz2    NONE
> >>
> >> 192.168.X.X would be the primary ip address of the loc zone,
> >> unused by any bizX zones, that one is for your use only.
> >> Without the config files and the output of shorewall status,
> >> everything is just a guess.... Hope it helps.
> >>
> >> Jerry
> Thanks Jerry, it was the order of the zones, got it working.
>
> Mike
>

I like it when I spend time in my garden, come back and the
problem is resolved. ;-) With no need to crack the config files....
Glad you picked up on the first line hint. Now for your update,

FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.50.2 DST=10.19.227.194

remember the <netblock of 'home' lan> entry. The DST is the
home lan right?

Jerry
> Subject: [Shorewall-users] Vpn Trouble TROUBLE FIXED!!!!!!!!!!!!!!!!!!!
>
>
>> >> Mike:
>> >>
>> >> To fully debug this, please post the entire config, as tested. There
> are
>> >> some finer points in the other files that may have an effect on what
>> >> happens here (I'm thinking order of the zones). In your example above,
>> >> it's hard to tell what the vlan/business/zone/interface relationship
> is.
>> >> The more detail you provide, the clearer the picture becomes for the
> rest
>> >> of us. Just to clarify, what did the entry in interfaces look like,
> when
>> >> it
>> >> worked for you? This then needs to be taken in context, with what is
> in
>> >> the rest of your config, at that point. If your "loctw" is using
>> >> 192.168.50.0/24
>> >> why exclude 192.168.50.0/24 from the "vpntw" zone? In this hosts file,
> we
>> >> are defining what netblocks, on/or through an interface, belong to
> what
>> >> zones.
>> >>
>> >> Off the top of my head, I think the way "I might" do it would be:
>> >> zones:
>> >> biz1
>> >> biz2
>> >> biz3
>> >> loc
>> >> net
>> >>
>> >> interfaces:
>> >> net     eth0    detect  routefilter,norfc1918,tcpflags
>> >> -       eth1    192.168.X.X,192.168.25.255,192.168.50.255,192.168.75.255
>> >> -       ppp+
>> >>
>> >> hosts:
>> >> loc     eth1:192.168.X.X/24
>> >> biz1    eth1:192.168.50.0/24
>> >> biz1    ppp+:192.168.50.0/24,<netblock of 'home' lan>
>> >> biz2    eth1:192.168.75.0/24
>> >> biz2    ppp+:192.168.75.0/24,<netblock of 'home' lan>
>> >> biz3    you get the idea....
>> >> biz3
>> >>
>> >> policy:
>> >> #SOURCE DEST    POLICY
>> >> (at the top)
>> >> biz3    biz3    ACCEPT
>> >> biz2    biz2    ACCEPT
>> >> biz1    biz1    ACCEPT
>> >> (before the reject/drop policy)
>> >> biz1    biz2    NONE
>> >> biz2    biz1    NONE
>> >> biz1    biz3    NONE
>> >> biz3    biz1    NONE
>> >> biz2    biz3    NONE
>> >> biz3    biz2    NONE
>> >>
>> >> 192.168.X.X would be the primary ip address of the loc zone,
>> >> unused by any bizX zones, that one is for your use only.
>> >> Without the config files and the output of shorewall status,
>> >> everything is just a guess.... Hope it helps.
>> >>
>> >> Jerry
>> Thanks Jerry, it was the order of the zones, got it working.
>>
>> Mike
>>
> I like it when I spend time in my garden, come back and the
> problem is resolved. ;-) With no need to crack the config files....
> Glad you picked up on the first line hint. Now for your update,
>
> FORWARD:REJECT:IN=eth1 OUT=ppp0
> SRC=192.168.50.2 DST=10.19.227.194
>
> remember the <netblock of 'home' lan> entry. The DST is the
> home lan right?
>
> Jerry

Here is my hosts file; hope that is what you meant by <netblock of 'home' lan>.

I spoke too soon on FIXED. I had switched from one working VPN to the other and the vpn I left had broken.
Shorewall is blocking the traffic because somewhere in the config there is a problem.

#ZONE   HOST(S)                                 OPTIONS
loctw   eth1:192.168.50.0/24
loctw   ppp+:192.168.50.0/24,!192.168.25.0/24
locsa   eth1:192.168.75.0/24
locsa   ppp+:192.168.75.0/24,!192.168.25.0/24
loc     eth1:192.168.25.0/24
#vpn3   ppp+:192.168.3.0/24
> >> >> Mike:
> >> >>
> >> >> To fully debug this, please post the entire config, as tested. There
> > are
> >> >> some finer points in the other files that may have an effect on what
> >> >> happens here (I'm thinking order of the zones). In your example above,
> >> >> it's hard to tell what the vlan/business/zone/interface relationship
> > is.
> >> >> The more detail you provide, the clearer the picture becomes for the
> > rest
> >> >> of us. Just to clarify, what did the entry in interfaces look like,
> > when
> >> >> it
> >> >> worked for you? This then needs to be taken in context, with what is
> > in
> >> >> the rest of your config, at that point. If your "loctw" is using
> >> >> 192.168.50.0/24
> >> >> why exclude 192.168.50.0/24 from the "vpntw" zone? In this hosts file,
> > we
> >> >> are defining what netblocks, on/or through an interface, belong to
> > what
> >> >> zones.
> >> >>
> >> >> Off the top of my head, I think the way "I might" do it would be:
> >> >> zones:
> >> >> biz1
> >> >> biz2
> >> >> biz3
> >> >> loc
> >> >> net
> >> >>
> >> >> interfaces:
> >> >> net     eth0    detect  routefilter,norfc1918,tcpflags
> >> >> -       eth1    192.168.X.X,192.168.25.255,192.168.50.255,192.168.75.255
> >> >> -       ppp+
> >> >>
> >> >> hosts:
> >> >> loc     eth1:192.168.X.X/24
> >> >> biz1    eth1:192.168.50.0/24
> >> >> biz1    ppp+:192.168.50.0/24,<netblock of 'home' lan>
> >> >> biz2    eth1:192.168.75.0/24
> >> >> biz2    ppp+:192.168.75.0/24,<netblock of 'home' lan>
> >> >> biz3    you get the idea....
> >> >> biz3
> >> >>
> >> >> policy:
> >> >> #SOURCE DEST    POLICY
> >> >> (at the top)
> >> >> biz3    biz3    ACCEPT
> >> >> biz2    biz2    ACCEPT
> >> >> biz1    biz1    ACCEPT
> >> >> (before the reject/drop policy)
> >> >> biz1    biz2    NONE
> >> >> biz2    biz1    NONE
> >> >> biz1    biz3    NONE
> >> >> biz3    biz1    NONE
> >> >> biz2    biz3    NONE
> >> >> biz3    biz2    NONE
> >> >>
> >> >> 192.168.X.X would be the primary ip address of the loc zone,
> >> >> unused by any bizX zones, that one is for your use only.
> >> >> Without the config files and the output of shorewall status,
> >> >> everything is just a guess.... Hope it helps.
> >> >>
> >> >> Jerry
> >> Thanks Jerry, it was the order of the zones, got it working.
> >>
> >> Mike
> >>
> > I like it when I spend time in my garden, come back and the
> > problem is resolved. ;-) With no need to crack the config files....
> > Glad you picked up on the first line hint. Now for your update,
> >
> > FORWARD:REJECT:IN=eth1 OUT=ppp0
> > SRC=192.168.50.2 DST=10.19.227.194
> >
> > remember the <netblock of 'home' lan> entry. The DST is the
> > home lan right?
> >
> > Jerry
> Here is my hosts file; hope that is what you meant by <netblock of 'home' lan>.
>
> I spoke too soon on FIXED. I had switched from one working VPN to the other and the
> vpn I left had broken.
> Shorewall is blocking the traffic because somewhere in the config there is a
> problem.
>
> #ZONE   HOST(S)                                 OPTIONS
> loctw   eth1:192.168.50.0/24
> loctw   ppp+:192.168.50.0/24,!192.168.25.0/24
> locsa   eth1:192.168.75.0/24
> locsa   ppp+:192.168.75.0/24,!192.168.25.0/24
> loc     eth1:192.168.25.0/24
> #vpn3   ppp+:192.168.3.0/24
>

#ZONE   HOST(S)                                                 OPTIONS
loctw   eth1:192.168.50.0/24
loctw   ppp+:192.168.50.0/24,!192.168.25.0/24,10.19.227.0/24

10.19.227.0/24 is the home lan on the other end of the tunnel right?

Jerry
----- Original Message -----
>> >> >> Mike:
>> >> >>
>> >> >> To fully debug this, please post the entire config, as tested.
> There
>> > are
>> >> >> some finer points in the other files that may have an effect on
> what
>> >> >> happens here (I'm thinking order of the zones). In your example
> above,
>> >> >> it's hard to tell what the vlan/business/zone/interface
> relationship
>> > is.
>> >> >> The more detail you provide, the clearer the picture becomes for
> the
>> > rest
>> >> >> of us. Just to clarify, what did the entry in interfaces look like,
>> > when
>> >> >> it
>> >> >> worked for you? This then needs to be taken in context, with what
> is
>> > in
>> >> >> the rest of your config, at that point. If your "loctw" is using
>> >> >> 192.168.50.0/24
>> >> >> why exclude 192.168.50.0/24 from the "vpntw" zone? In this hosts
> file,
>> > we
>> >> >> are defining what netblocks, on/or through an interface, belong to
>> > what
>> >> >> zones.
>> >> >>
>> >> >> Off the top of my head, I think the way "I might" do it would be:
>> >> >> zones:
>> >> >> biz1
>> >> >> biz2
>> >> >> biz3
>> >> >> loc
>> >> >> net
>> >> >>
>> >> >> interfaces:
>> >> >> net     eth0    detect  routefilter,norfc1918,tcpflags
>> >> >> -       eth1    192.168.X.X,192.168.25.255,192.168.50.255,192.168.75.255
>> >> >> -       ppp+
>> >> >>
>> >> >> hosts:
>> >> >> loc     eth1:192.168.X.X/24
>> >> >> biz1    eth1:192.168.50.0/24
>> >> >> biz1    ppp+:192.168.50.0/24,<netblock of 'home' lan>
>> >> >> biz2    eth1:192.168.75.0/24
>> >> >> biz2    ppp+:192.168.75.0/24,<netblock of 'home' lan>
>> >> >> biz3    you get the idea....
>> >> >> biz3
>> >> >>
>> >> >> policy:
>> >> >> #SOURCE DEST    POLICY
>> >> >> (at the top)
>> >> >> biz3    biz3    ACCEPT
>> >> >> biz2    biz2    ACCEPT
>> >> >> biz1    biz1    ACCEPT
>> >> >> (before the reject/drop policy)
>> >> >> biz1    biz2    NONE
>> >> >> biz2    biz1    NONE
>> >> >> biz1    biz3    NONE
>> >> >> biz3    biz1    NONE
>> >> >> biz2    biz3    NONE
>> >> >> biz3    biz2    NONE
>> >> >>
>> >> >> 192.168.X.X would be the primary ip address of the loc zone,
>> >> >> unused by any bizX zones, that one is for your use only.
>> >> >> Without the config files and the output of shorewall status,
>> >> >> everything is just a guess.... Hope it helps.
>> >> >>
>> >> >> Jerry
>> >> Thanks Jerry, it was the order of the zones, got it working.
>> >>
>> >> Mike
>> >>
>> > I like it when I spend time in my garden, come back and the
>> > problem is resolved. ;-) With no need to crack the config files....
>> > Glad you picked up on the first line hint. Now for your update,
>> >
>> > FORWARD:REJECT:IN=eth1 OUT=ppp0
>> > SRC=192.168.50.2 DST=10.19.227.194
>> >
>> > remember the <netblock of 'home' lan> entry. The DST is the
>> > home lan right?
>> >
>> > Jerry
>> Here is my hosts file; hope that is what you meant by <netblock of 'home'
> lan>.
>>
>> I spoke too soon on FIXED. I had switched from one working VPN to the other and
> the
>> vpn I left had broken.
>> Shorewall is blocking the traffic because somewhere in the config there
> is a
>> problem.
>>
>> #ZONE   HOST(S)                                 OPTIONS
>> loctw   eth1:192.168.50.0/24
>> loctw   ppp+:192.168.50.0/24,!192.168.25.0/24
>> locsa   eth1:192.168.75.0/24
>> locsa   ppp+:192.168.75.0/24,!192.168.25.0/24
>> loc     eth1:192.168.25.0/24
>> #vpn3   ppp+:192.168.3.0/24
>>
>
> #ZONE   HOST(S)                                                 OPTIONS
> loctw   eth1:192.168.50.0/24
> loctw   ppp+:192.168.50.0/24,!192.168.25.0/24,10.19.227.0/24
>
> 10.19.227.0/24 is the home lan on the other end of the tunnel right?
>
> Jerry

That's correct for one of the home lans, yes.

Mike