Hi, I use shorewall 3.2.2 on a bering 3.x box with two ISP providers. I've set up 3 OpenVPN instances that during startup add these routing rules:

    ip route add 192.168.11.0/24 dev tun0 table ADSL
    ip route add 192.168.0.0/24 dev tun0 table ADSL
    ip route add 192.168.11.0/24 dev tun1 table HDSL
    ip route add 192.168.0.0/24 dev tun1 table HDSL
    ip route add 10.9.0.0/24 dev tun0

The problem is that when I was not using shorewall to handle the routing tables for the two internet lines, once the bering box was completely started the routing tables showed those entries correctly; now that I've set up the files providers, tcrules and route_rules, the routes I try to add in the openvpn configuration file do not show up. It seems that because the openvpn daemon starts before shorewall, when shorewall starts it clears all the entries in those two defined tables. So to fix the problem, I've moved those entries from the openvpn config file to the started config file of shorewall. Maybe it's just a matter of changing the startup order of the two daemons, but I would like some suggestions.

Thanks.

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
From: Giacomo Lancella
> It seems that because the openvpn daemon starts before shorewall,
> when shorewall starts it clears all the entries in those two defined tables.
> So to fix the problem, I've moved those entries from the openvpn config
> file, to the started config file of shorewall. Maybe it's just a matter of
> changing the startup order of the two daemons, but would like some
> suggestions.

Just have Shorewall start early, and in any case before OpenVPN; it's not a good idea to start OpenVPN when the setup of the general-purpose networking stuff is not yet complete. Give OpenVPN a higher number than the one used by Shorewall if your distro uses a SysV-like startup method, or use an equivalent method.

A question for the Shorewall developers: would it be possible to change the default startup "position" (first lines of the /etc/init.d/shorewall script, for the "chkconfig" command) from the current 25 to 20? This would solve the startup order issue very easily (OpenVPN uses 24).

Elio
On Sat, 2006-08-26 at 10:49 +0200, Giacomo Lancella wrote:
> So to fix the problem, I've moved those entries from the openvpn config
> file, to the started config file of shorewall. Maybe it's just a
> matter of changing the startup order of the two daemons, but would
> like some suggestions.

Now that you have Shorewall, I think that a better solution is to not add OpenVPN rules to the secondary routing tables at all but rather use routing rules to cause the main table to be used for traffic being sent to OpenVPN:

    #SOURCE    DEST               PROVIDER    PRIORITY
    -          192.168.11.0/24    main        1000
    -          192.168.0.0/24     main        1000
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Now, it doesn't matter in which order you start the services.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi Elio, I've changed the startup order so that openvpn starts right after shorewall, but the problem is that if I restart shorewall because of some modification, the same routing tables defined in "providers" get cleared again, and the entries added to those tables by the openvpn daemon configuration files disappear. If I use shorewall restart/stop with the -n option nothing is touched. The problem is that if I do some modification in, for example, tcrules or route_rules and then do a shorewall restart -n, the new entry does not show up (because of the -n option). So I think that the solution is to let shorewall (maybe in the started config file) handle the routing stuff in the openvpn config files and delete the "up ./routes.up" from the openvpn config files.
Hi Tom, I agree with those guys! Apart from considering shorewall the best software to handle netfilter, I appreciate very much the fact that you have the patience to respond to "often" malformed/incorrect/...etc. questions (maybe like mine!). Anyway, I agree with your solution. But I need anyway to add a routing entry for the remote private subnet behind the vpn, like "ip route add 192.168.11.0/24 dev tun0", otherwise the main table does not know where to route. And that entry is in the vpn conf file. Maybe I'm wrong! So I've used the started config file to add that and other entries.

If this is too long I understand and you can skip reading further, but I'll show you my configuration:

     wan1(ADSL)      wan2(HDSL)
       | vpn1          | vpn2
       |               |
      ---------bering---------
           |           |
          dmz         LAN

providers: (I've not used balance because the hdsl is not flat, and I don't want that line used without being permitted by tcrules/route_rules)

    #NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS     COPY
    ADSL    1       1       main        eth0        85.35.219.17    track       eth2,eth3
    HDSL    2       2       main        eth1        85.35.220.2     track       eth2,eth3
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

zones:

    #ZONE   TYPE        OPTIONS     IN          OUT
    #                               OPTIONS     OPTIONS
    fw      firewall
    net1    ipv4
    net2    ipv4
    dmz     ipv4
    loc     ipv4
    vpn1    ipv4
    vpn2    ipv4
    vpn3    ipv4
    knock   ipv4
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

interfaces: (I don't use routefilter, otherwise with my setup, rules in tcrules do not work)

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net1    eth0        detect      routeback,norfc1918,blacklist
    net2    eth1        detect      routeback,norfc1918,blacklist
    dmz     eth2        detect      blacklist
    loc     eth3        detect      blacklist
    vpn1    tun0        detect
    vpn2    tun1        detect
    vpn3    tun2        detect
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

route_rules:

    #SOURCE         DEST                PROVIDER    PRIORITY
    172.16.33.211   -                   HDSL        1000
    172.16.33.82    192.168.11.82       HDSL        1000
    172.16.33.13    192.168.11.252      HDSL        1000
    172.16.33.11    192.168.0.0/24      HDSL        1000
    172.16.33.11    192.168.11.0/24     HDSL        1000
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

masq:

    ###############################################################################
    #INTERFACE  SUBNET  ADDRESS         PROTO   PORT(S) IPSEC
    eth0        eth3    85.35.219.18
    eth1        eth3    85.35.220.4
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

started: (here I add the routing entries that previously were added by the openvpn config file, but since they are cleared when I restart shorewall I've put them here)

    ###############################################################################
    # Add vpn remote subnets to the two ISP tables so that I can choose which one to use from tcrules/route_rules
    ip route add 192.168.11.0/24 dev tun0 table ADSL
    ip route add 192.168.0.0/24 dev tun0 table ADSL
    ip route add 192.168.11.0/24 dev tun1 table HDSL
    ip route add 192.168.0.0/24 dev tun1 table HDSL
    # Default routes
    ip route add 192.168.11.0/24 dev tun0
    ip route add 192.168.0.0/24 dev tun0
    ip route add 10.9.0.0/24 dev tun0
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Probably I've made some mistakes in my implementation, or there is a better way to do those things! That's why I've posted my conf. With this setup everything works well; the questions are:

1. I've moved the default routes added by the openvpn configs to the started config file because they get cleared as soon as I start/restart shorewall (only the additions to the extra tables; the default routes remain there). Starting the openvpn daemon after shorewall does not seem to solve it, because as soon as I restart shorewall the extra tables are cleared again. But this is no big problem, I can use the started config file.

2. I've cleared the routefilter option, otherwise the tcrules don't work.

3. I'm trying to see if I can do some automatic changing of the default routes and route_rules / tcrules files in case one ISP fails. But this I think is out of scope here.

That's all. Again thanks a lot.
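An added example, not code from the thread or from Shorewall itself, covering Tom's route_rules suggestion and the route_rules file posted above: it turns Shorewall route_rules entries into the equivalent "ip rule add" commands so you can see what will be installed before a restart, and checks on "ip rule show" output that the "lookup main" rule for a VPN subnet has a lower pref than any fwmark rule that would send the packet to an ISP table (lower pref is evaluated first). The sample route_rules and "ip rule show" text are constructed, and the pref 10000 used for the fwmark rules is an assumption, not a value taken from the thread.

```shell
# Added example (not from the thread or from Shorewall). Column layout of
# route_rules as posted in the thread: SOURCE DEST PROVIDER PRIORITY.
# "-" in SOURCE or DEST means "any"; comment and blank lines are skipped.

route_rules_to_ip() {
    # stdin: route_rules text; stdout: one "ip rule add" per entry.
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         { cmd = "ip rule add"
           if ($1 != "-") cmd = cmd " from " $1
           if ($2 != "-") cmd = cmd " to " $2
           print cmd " lookup " $3 " priority " $4 }'
}

main_rule_wins() {
    # $1: destination subnet; stdin: "ip rule show" output.
    # Exit 0 when a "to <subnet> lookup main" rule exists and its pref is
    # lower than every "fwmark ... lookup <table>" rule, i.e. the main
    # table is consulted for that subnet before any ISP table.
    awk -v dest="$1" '
        { pref = $1 + 0 }
        $0 ~ ("to " dest " lookup main") { if (m == "" || pref < m) m = pref }
        /fwmark/ && /lookup/ && !/lookup main/ { if (f == "" || pref < f) f = pref }
        END { exit !(m != "" && (f == "" || m + 0 < f + 0)) }'
}

# Constructed route_rules file: Tom's two entries plus one of Giacomo's.
ROUTE_RULES='#SOURCE DEST PROVIDER PRIORITY
- 192.168.11.0/24 main 1000
- 192.168.0.0/24 main 1000
172.16.33.211 - HDSL 1000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'

# Constructed "ip rule show" output after a restart. The pref of the
# fwmark rules (10000) is an assumption, not a value from the thread.
IP_RULE_SHOW='0:      from all lookup local
1000:   from all to 192.168.11.0/24 lookup main
1000:   from all to 192.168.0.0/24 lookup main
10000:  from all fwmark 0x1 lookup ADSL
10000:  from all fwmark 0x2 lookup HDSL
32766:  from all lookup main
32767:  from all lookup default'

generated_rules() { printf '%s\n' "$ROUTE_RULES" | route_rules_to_ip; }
vpn_subnet_ok()   { printf '%s\n' "$IP_RULE_SHOW" | main_rule_wins "$1"; }
```

Run "vpn_subnet_ok 192.168.11.0/24" against real "ip rule show" output after "shorewall restart" to confirm the VPN subnet is still routed through the main table; a subnet with no such rule (10.9.0.0/24 in the constructed sample) fails the check.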