Hello,

I have a three interface shorewall firewall setup with openvpn server on the same machine. I'm bridging eth0 with tap0.
I have a Windows XP vpn client that is able to connect to the vpn but not ping anything on the internal network.

The interfaces on the firewall are as follows:
br0 = 10.100.100.200 (LOC)
  eth0
  tap0
eth1 = 10.100.222.1 (DMZ)
eth2 = 206.165.217.94 (NET)

After I connect to the vpn with the xp sp2 client, the client gets assigned the ip address 10.100.100.117/24 on its tap interface. Then I try to ping 10.100.100.10 and it only says "Request timed out".

I'm sure the problem is somewhere in my shorewall setup, like it's not allowing traffic from tap0 or vpn, or it allows that traffic in but not out.

Please have a look at the attached shorewall dump file.

Thank You.

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
Richard Verdugo wrote:
> Hello,
> I have a three interface shorewall firewall setup with openvpn server on
> the same machine. I'm bridging eth0 with tap0.
> I have a Windows XP vpn client that is able to connect to the vpn but
> not ping anything on the internal network.
>
> The interfaces on the firewall are as follows:
> br0 = 10.100.100.200 (LOC)
>   eth0
>   tap0
> eth1 = 10.100.222.1 (DMZ)
> eth2 = 206.165.217.94 (NET)
>
> After I connect to the vpn with the xp sp2 client, the client gets
> assigned the ip address 10.100.100.117/24 on its tap interface. Then I
> try to ping 10.100.100.10 and it only says "Request timed out".
>
> I'm sure the problem is somewhere in my shorewall setup, like it's not
> allowing traffic from tap0 or vpn, or it allows that traffic in but not out.
>
> Please have a look at the attached shorewall dump file.

Looks like you forgot to specify the 'routeback' option on br0.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
I have the routeback option set for the br0 interface.

My zones file looks like this:

    fw        firewall
    road      ipv4
    net       ipv4
    loc:road  bport4
    dmz       ipv4
    vpn:road  bport4

My interfaces file looks like this:

    road  br0       detect  routefilter,bridge,routeback
    net   eth2      detect  tcpflags,dhcp,routefilter,nosmurfs,logmartians,routeback
    loc   br0:eth0
    dmz   eth1      detect  routeback
    vpn   br0:tap0

Could something be wrong with this setup?

Thanks
Richard Verdugo wrote:
> I have the routeback option set for the br0 interface.
>
> My zones file looks like this:
>
>     fw        firewall
>     road      ipv4
>     net       ipv4
>     loc:road  bport4
>     dmz       ipv4
>     vpn:road  bport4
>
> My interfaces file looks like this:
>
>     road  br0       detect  routefilter,bridge,routeback
>     net   eth2      detect  tcpflags,dhcp,routefilter,nosmurfs,logmartians,routeback
>     loc   br0:eth0
>     dmz   eth1      detect  routeback
>     vpn   br0:tap0
>
> Could something be wrong with this setup?

If you 'shorewall clear' while the xp client is connected, can the client access the local net?

-Tom
Tom Eastep wrote:
> Richard Verdugo wrote:
>> I have the routeback option set for the br0 interface.
>>
>> My zones file looks like this:
>>
>>     fw        firewall
>>     road      ipv4
>>     net       ipv4
>>     loc:road  bport4
>>     dmz       ipv4
>>     vpn:road  bport4
>>
>> My interfaces file looks like this:
>>
>>     road  br0       detect  routefilter,bridge,routeback
>>     net   eth2      detect  tcpflags,dhcp,routefilter,nosmurfs,logmartians,routeback
>>     loc   br0:eth0
>>     dmz   eth1      detect  routeback
>>     vpn   br0:tap0
>>
>> Could something be wrong with this setup?
>
> If you 'shorewall clear' while the xp client is connected, can the
> client access the local net?

If so, please:

a) shorewall show -f capabilities > /etc/shorewall/caps
b) tar up your /etc/shorewall directory and set the archive to support@shorewall.net.

Thanks,
-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> Richard Verdugo wrote:
>>> I have the routeback option set for the br0 interface.
>>>
>>> My zones file looks like this:
>>>
>>>     fw        firewall
>>>     road      ipv4
>>>     net       ipv4
>>>     loc:road  bport4
>>>     dmz       ipv4
>>>     vpn:road  bport4
>>>
>>> My interfaces file looks like this:
>>>
>>>     road  br0       detect  routefilter,bridge,routeback
>>>     net   eth2      detect  tcpflags,dhcp,routefilter,nosmurfs,logmartians,routeback
>>>     loc   br0:eth0
>>>     dmz   eth1      detect  routeback
>>>     vpn   br0:tap0
>>>
>>> Could something be wrong with this setup?
>>
>> If you 'shorewall clear' while the xp client is connected, can the
>> client access the local net?
>
> If so, please:
>
> a) shorewall show -f capabilities > /etc/shorewall/caps
> b) tar up your /etc/shorewall directory and set the archive to
> support@shorewall.net.

Make that "...send the archive to..."

-Tom
After I connected the vpn client I did the 'shorewall clear'. The client was still not able to ping anything; then I noticed that the vpn client got disconnected when I did the shorewall clear and would not connect until I did shorewall start.
Richard Verdugo wrote:
> After I connected the vpn client I did the 'shorewall clear'. The
> client was still not able to ping anything; then I noticed that the vpn
> client got disconnected when I did the shorewall clear and would not
> connect until I did shorewall start.

You then have a rather broken configuration, several aspects of which I don't understand:

a) 'shorewall clear' removes all iptables rules. So it seems inconceivable that you cannot then connect to the OpenVPN server after executing that command. Do you have code in your extension scripts that might explain that?

b) You are using a firewalling bridge configuration yet you don't seem to restrict traffic through the bridge. So the simple configuration recommended in the Shorewall OpenVPN documentation should work. Or am I missing something?

c) You have a myriad of NAT/Masq entries. Please explain what you are trying to accomplish with those.

Thanks,
-Tom
Tom Eastep wrote:
> Richard Verdugo wrote:
>> After I connected the vpn client I did the 'shorewall clear'. The
>> client was still not able to ping anything; then I noticed that the
>> vpn client got disconnected when I did the shorewall clear and would
>> not connect until I did shorewall start.
>
> You then have a rather broken configuration, several aspects of which I
> don't understand:
>
> a) 'shorewall clear' removes all iptables rules. So it seems
> inconceivable that you cannot then connect to the OpenVPN server after
> executing that command. Do you have code in your extension scripts that
> might explain that?
>
> b) You are using a firewalling bridge configuration yet you don't seem
> to restrict traffic through the bridge. So the simple configuration
> recommended in the Shorewall OpenVPN documentation should work. Or am I
> missing something?
>
> c) You have a myriad of NAT/Masq entries. Please explain what you are
> trying to accomplish with those.

And please forward a tarball of your configuration as I described in the earlier post.

-Tom
I sent my shorewall config to support@shorewall.net as instructed.

And regarding those NAT entries: we have several machines inside our office that need to be accessible via the internet. That is working perfectly.

Just fyi, the firewall is a Debian 4.0 system, and the bridge is being created with the bridge-start script that comes with openvpn. The shorewall compiler on this system is perl, so I'm using the bridge port setup explained in the docs.

Thank you for your help on this.

Rich.
Richard Verdugo wrote:
> I sent my shorewall config to support@shorewall.net as instructed.
>
> And regarding those NAT entries: we have several machines inside our
> office that need to be accessible via the internet. That is working
> perfectly.
>
> Just fyi, the firewall is a Debian 4.0 system, and the bridge is being
> created with the bridge-start script that comes with openvpn.
> The shorewall compiler on this system is perl, so I'm using the bridge
> port setup explained in the docs.
>
> Thank you for your help on this.

The configuration that you sent doesn't match the dump. Please:

a) /sbin/shorewall restart
b) shorewall show chain br0_fwd

The last rule in that chain should be an ACCEPT rule with 'br0' in the 'out' column. Is that the case?

-Tom
Yes that's the case. The output from the shorewall show chain br0_fwd command is:

Shorewall 4.0.10 Chain br0_fwd at firewall - Tue Jul 1 11:24:19 PDT 2008

Counters reset Tue Jul 1 10:41:55 PDT 2008

Chain br0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2605  178K dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
74873   11M road2net   0    --  *      eth2    0.0.0.0/0            0.0.0.0/0
10373  432K road2dmz   0    --  *      eth1    0.0.0.0/0            0.0.0.0/0
  250 30202 ACCEPT     0    --  *      br0     0.0.0.0/0            0.0.0.0/0

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
Richard Verdugo wrote:
> Yes that's the case.

But you still can't access the local network from the vpn with those rules in place?

-Tom
It works!!!

I removed openvpn from the server and reinstalled it, then made sure 'client-to-client' was enabled, and then I discovered I had the wrong server-bridge ip address set in the openvpn server.conf file. Apparently I thought I should assign a unique number to the server-bridge in the openvpn server.conf file, and when I gave it the actual ip address of my loc interface it started working.

Now I need to figure out how to properly configure shorewall so that when I stop shorewall we still have internet access.

Thanks for your help, I learned a lot.

Rich.
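The two things this thread ended up checking by hand, as an added shell example that is not part of the thread and not code from the Shorewall or OpenVPN projects: first the test Tom asked for (the last rule of br0_fwd must be an ACCEPT with br0 in the out column, which is what routeback on a bridge produces), and second the mistake Rich found (the gateway address in OpenVPN's server-bridge directive must be the bridge's own address, here 10.100.100.200 from the thread, not a made-up one). The chain text and server.conf fragments below are constructed to look like the ones in the thread, and the client pool 10.100.100.110-10.100.100.120 is invented for the sample.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall/OpenVPN projects.
# Both checks read the text to inspect from stdin and return 0 when it
# is right, 1 on a finding and 2 when the rule or directive is absent.

# Last rule of `shorewall show chain br0_fwd` must be "ACCEPT ... out br0".
# Rule rows start with a packet counter; columns are:
#   pkts bytes target prot opt in out source destination
check_routeback() {
    bridge="$1"
    awk -v br="$bridge" '
        $1 ~ /^[0-9]+[KMG]?$/ { last = $0; target = $3; out = $7 }
        END {
            if (last == "") { print "no rules in chain"; exit 2 }
            if (target == "ACCEPT" && out == br) {
                print "ok: routeback rule present: " last; exit 0
            }
            print "last rule is not ACCEPT out " br ": " last; exit 1
        }'
}

# First server-bridge directive in server.conf: its first argument is the
# gateway handed to clients and must equal the bridge interface address.
check_server_bridge() {
    want="$1"
    awk -v want="$want" '
        $1 == "server-bridge" && !found { found = 1; got = $2 }
        END {
            if (!found) { print "no server-bridge directive"; exit 2 }
            if (got == want) { print "ok: server-bridge gateway " got; exit 0 }
            print "server-bridge gateway " got " but bridge has " want; exit 1
        }'
}

# Constructed sample inputs modelled on the thread (not copied from a host).
CHAIN_GOOD='Chain br0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2605  178K dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
74873   11M road2net   0    --  *      eth2    0.0.0.0/0            0.0.0.0/0
10373  432K road2dmz   0    --  *      eth1    0.0.0.0/0            0.0.0.0/0
  250 30202 ACCEPT     0    --  *      br0     0.0.0.0/0            0.0.0.0/0'

# Same chain without routeback: a packet entering br0 from tap0 and leaving
# via eth0 matches nothing here and falls through to the chain policy.
CHAIN_NO_ROUTEBACK='Chain br0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
74873   11M road2net   0    --  *      eth2    0.0.0.0/0            0.0.0.0/0
10373  432K road2dmz   0    --  *      eth1    0.0.0.0/0            0.0.0.0/0'

# server.conf fragments; the bridge address is 10.100.100.200 and the
# pool 10.100.100.110-120 is invented for the sample.
CONF_WRONG='dev tap0
server-bridge 10.100.100.201 255.255.255.0 10.100.100.110 10.100.100.120
client-to-client'
CONF_FIXED='dev tap0
server-bridge 10.100.100.200 255.255.255.0 10.100.100.110 10.100.100.120
client-to-client'

# On a real host feed `shorewall show chain br0_fwd` and
# /etc/openvpn/server.conf to the two functions instead of the samples.
run_demo() {
    printf '%s\n' "$CHAIN_GOOD"         | check_routeback br0
    printf '%s\n' "$CHAIN_NO_ROUTEBACK" | check_routeback br0 || true
    printf '%s\n' "$CONF_WRONG" | check_server_bridge 10.100.100.200 || true
    printf '%s\n' "$CONF_FIXED" | check_server_bridge 10.100.100.200
}

run_demo
```

The routeback check only looks at the last rule, which is where Shorewall places the bridge-to-bridge ACCEPT; if a policy or rule for loc/vpn traffic sits above it, the earlier zone chains decide first, so run it after `shorewall restart` as Tom suggested so the chain reflects the config on disk.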