Hi,
We have Shorewall set up in a small corp LAN. OpenVPN is running on the firewall.
We are moving to a new provider, so we added a new interface and set up Shorewall
according to the docs. Currently we just want to route all traffic to the old
provider. Later we will move services over to the new one.
After adding providers and updating the config, I restarted Shorewall and
everything works except OpenVPN. VPN clients can connect to the router and
establish a VPN tunnel, but traffic is not flowing from the VPN. I have removed
routefilter from the interfaces file but still no luck.
This is a live system so I can't do a dump until tonight, but here are
the config files:
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect tcpflags,logmartians,nosmurfs
net eth4 detect tcpflags,logmartians,nosmurfs
corp eth1 detect tcpflags,nosmurfs
dmz eth2 detect tcpflags,nosmurfs
kvm eth3 detect tcpflags,nosmurfs
road tun+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 4 - Masq file
#
# For information about entries in this file, type "man shorewall-masq"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-masq.html
#
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 145.155.111.129 22.147.114.147
eth4 22.147.114.147 145.155.111.129
eth0 eth1 22.147.114.147
eth0 eth2 22.147.114.147
eth0 172.16.189.0/24 22.147.114.147
eth0 172.16.191.0/24 22.147.114.147
eth4 eth1 145.155.111.129
eth4 eth2 145.155.111.129
eth4 172.16.189.0/24 145.155.111.129
eth4 172.16.191.0/24 145.155.111.129
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
# Policies for traffic originating from the corp LAN (corp)
#
# on your firewall, change the corp to net policy to REJECT info.
net net DROP
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the corp to net policy to REJECT info.
corp net ACCEPT
corp dmz ACCEPT
corp road ACCEPT
corp kvm ACCEPT
corp $FW REJECT info
corp all REJECT info
# Policies for traffic originating from the DMZ LAN (dmz)
dmz net ACCEPT
dmz $FW REJECT info
dmz corp REJECT info
dmz kvm REJECT info
dmz all REJECT info
# Policies for traffic originating from the kvm
kvm net REJECT
kvm $FW REJECT info
kvm corp REJECT info
kvm all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net ACCEPT
$FW corp REJECT info
$FW dmz REJECT info
$FW kvm REJECT info
$FW all REJECT info
# Policies for traffic originating from VPN
#
road net ACCEPT
road corp ACCEPT
road dmz ACCEPT
road kvm ACCEPT
road $FW ACCEPT
road all DROP info
#
# Policies for traffic originating from the Internet zone (net)
#
net $FW DROP info
net corp DROP info
net dmz DROP info
net kvm DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- DO NOT REMOVE
#
# Shorewall version 4 - Providers File
#
# For information about entries in this file, type "man shorewall-providers"
#
# For additional information, see http://shorewall.net/MultiISP.html
#
############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
ISP1 1 1 main eth0 145.155.111.254 track,balance eth1,eth2,eth3,tun+
ISP2 2 2 main eth4 22.147.114.254 track,balance eth1,eth2,eth3,tun+
#
# Shorewall version 4 - route_rules File
#
# For information about entries in this file, type "man shorewall-route_rules"
#
# For additional information, see http://www.shorewall.net/MultiISP.html
##############################################################################
#SOURCE DEST PROVIDER PRIORITY
eth1 - ISP1 1000
eth1 - ISP1 1000
- 172.16.189.0/24 ISP1 1000
- 172.16.191.0/24 ISP1 1000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 4 - Routestopped File
#
# For information about entries in this file, type "man shorewall-routestopped"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-routestopped.html
#
# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
###############################################################################
#INTERFACE HOST(S) OPTIONS
eth1 172.16.10.0/24
eth2 172.16.20.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
############################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
# Accept DNS connections from the firewall to the network
DNS/ACCEPT $FW net
# Accept SSH connections
SSH/ACCEPT corp $FW
# Accept dhcp connections
ACCEPT corp $FW udp 67
ACCEPT dmz $FW udp 67
ACCEPT kvm $FW udp 67
# Allow Ping from the corp network
Ping/ACCEPT corp $FW
# Reject Ping from "bad" net zone.. and prevent your log from being flooded..
#Ping/REJECT net $FW
ACCEPT $FW corp icmp
ACCEPT $FW net icmp
#
DNAT net dmz:172.16.20.34:8080 tcp 8080 - 145.155.111.129
DNAT net dmz:172.16.20.34:80 tcp 80 - 145.155.111.129
DNAT net dmz:172.16.20.34:5222 tcp 5222 - 145.155.111.129
DNAT net dmz:172.16.20.34:5223 tcp 5223 - 145.155.111.129
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
###############################################################################
# /etc/shorewall/shorewall.conf V4.0 - Change the following variables to
# match your setup
#
# This program is under GPL
# [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005,
# 2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Additional information is available at
# http://www.shorewall.net/Documentation.htm#Conf
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# C O M P I L E R
# (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################
SHOREWALL_COMPILER=
###############################################################################
# L O G G I N G
###############################################################################
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
#
# Shorewall version 4 - Tunnels File
#
# For information about entries in this file, type "man shorewall-tunnels"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-tunnels.html
#
###############################################################################
#TYPE ZONE GATEWAY GATEWAY
# ZONE
openvpnserver:tcp:1194 net 0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
corp ipv4
dmz ipv4
kvm ipv4
road ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
TIA
Pete
------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can't happen without you. Join us at MIX09 to help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
Pete wrote:
> Hi,
>
> We have Shorewall setup in a small corp lan. Openvpn is running on the firewall. We are moving to a new provider so we added a new interface and setup Shorewall according to the docs. currently we just want to route all traffic to the old provider. Later we will move services over to the new one.
>
> After adding providers and updating the config, restarted Shorewall and everything works except Openvpn. VPN clients can connect to the router and establish a VPN tunnel but traffic is not flowing from the VPN. I have removed routefilter from the interfaces file but still no luck.

CAREFULLY read the documentation about route_rules at http://www.shorewall.net/MultiISP.html looking for the word 'OpenVPN'.
Hi all,
I Wish to route all fw traffic to ISP1
But the rule gets ignored ....
In my tcrules file I have only one rule.
0x100 $FW -
with high route marks .
Then after executing a ping from fw->net I found out that successive
pings get routed alternately to both ISP providers.
my providers file is
NAME NUMBER MARK  DUPLICATE INTERFACE GATEWAY    OPTIONS       COPY
ISP1 1      0x100 main      eth0      10.10.10.1 track,balance eth2,br0
ISP2 2      0x200 main      eth1      10.0.12.1  track,balance eth2,br0
shorewall show mangle shows traffic getting marked ok.
Shorewall 3.4.8 Mangle Table at fw - Wed Dec 10 13:46:04 UTC 2008
Counters reset Wed Dec 10 13:44:30 UTC 2008

Chain PREROUTING (policy ACCEPT 1408 packets, 169K bytes)
 pkts bytes target     prot opt in     out     source               destination
  111 92876 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           connmark match !0x0/0xff00 CONNMARK restore mask 0xff00
   43  6182 routemark  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00
    0     0 routemark  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00
  107 95942 tcpre      all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 tcpre      all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
 1228 68313 tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00

Chain INPUT (policy ACCEPT 1178 packets, 64120 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1152 62768 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK and 0xff

Chain FORWARD (policy ACCEPT 230 packets, 105K bytes)
 pkts bytes target     prot opt in     out     source               destination
  230  105K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK and 0xff
  230  105K tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 17103 packets, 3148K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           connmark match !0x0/0xff00 CONNMARK restore mask 0xff00
 1201  205K tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00

Chain POSTROUTING (policy ACCEPT 1434 packets, 312K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1408  308K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK and 0xff
 1408  308K tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain routemark (2 references)
 pkts bytes target     prot opt in     out     source               destination
   43  6182 MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x100/0xffffffff
    0     0 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x200/0xffffffff
   43  6182 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match !0x0/0xff00 CONNMARK save mask 0xff00

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1201  205K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x100/0xffffffff

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           mark match 0x1/0xff CLASSIFY set 1:11
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           mark match 0x2/0xff CLASSIFY set 1:12
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           mark match 0x3/0xff CLASSIFY set 1:13
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           mark match 0x4/0xff CLASSIFY set 1:14
    0     0 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           mark match 0x1/0xff CLASSIFY set 2:11
    0     0 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           mark match 0x2/0xff CLASSIFY set 2:12
    0     0 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           mark match 0x3/0xff CLASSIFY set 2:13
    0     0 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           mark match 0x4/0xff CLASSIFY set 2:14

Chain tcpre (3 references)
 pkts bytes target     prot opt in     out     source               destination
 1228 68313 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x100/0xffffffff
However, when I add a rule from Loc->net and mark packets to go through a
particular provider, it also looked like both ISPs were used.
Then I replaced the balance option with loose and the fw->net traffic
got routed through ISP1, but I am not sure that this package will do
balance for packets that have no specific mark on them :-\
shorewall version 3.4.8
kernel 2.6.25
Thanks for your suggestions
Harry.
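The following is an added example written for this page by the editor; it is not Shorewall code and not something Harry or Tom posted. It re-implements the iptables MARK and CONNMARK operations that appear in the mangle dump above (xset, and, save/restore with a mask, mark matches with a mask) and replays the posted PREROUTING, routemark, tcpre, OUTPUT and tcout rules on a few constructed packets, so you can see what the 0xff00 route mark and the 0x00ff traffic-shaping mark do and how 'track' carries the provider choice into the reply direction via the connection mark. Assumptions: the 0xff00/0x00ff split is read off the masks in the dump (HIGH_ROUTE_MARKS), interface names and mark values are the posted ones, and the routing decision is reduced to "which provider's mark sits in the high byte", because the dump does not include the ip rules or routing tables. The model says nothing about why the firewall's own pings alternate; that is the point Tom's reply sends to the Multi-ISP documentation.

```python
"""Replay of the mark handling in the posted `shorewall show mangle` output.

Editor's example, not Shorewall's code. Mark arithmetic follows the iptables
MARK/CONNMARK target and match semantics; the chain layout follows the dump.
"""
ROUTE_MASK = 0xFF00            # provider ("route") mark lives in bits 8-15
TC_MASK = 0x00FF               # traffic-shaping class mark lives in bits 0-7
PROVIDERS = {0x100: "ISP1", 0x200: "ISP2"}   # from the posted providers file
U32 = 0xFFFFFFFF


def xset(mark, value, mask=U32):
    """MARK --set-xmark value/mask: clear the masked bits, XOR in value."""
    return ((mark & ~mask) & U32) ^ value


def mark_matches(mark, value, mask, invert=False):
    """-m mark --mark value/mask, optionally negated ('!')."""
    hit = (mark & mask) == value
    return (not hit) if invert else hit


class Conn:
    """Minimal stand-in for a conntrack entry: only the connection mark."""
    def __init__(self):
        self.ctmark = 0


def connmark_restore(mark, conn, mask):
    """CONNMARK --restore-mark --mask: copy masked ctmark bits into the mark."""
    return ((mark & ~mask) & U32) | (conn.ctmark & mask)


def connmark_save(mark, conn, mask):
    """CONNMARK --save-mark --mask: copy masked mark bits into the ctmark."""
    conn.ctmark = ((conn.ctmark & ~mask) & U32) | (mark & mask)


def chain_routemark(mark, conn, in_if):
    """Chain routemark from the dump: mark by ingress provider, then save."""
    if in_if == "eth0":
        mark = xset(mark, 0x100)
    elif in_if == "eth1":
        mark = xset(mark, 0x200)
    if mark_matches(mark, 0, ROUTE_MASK, invert=True):
        connmark_save(mark, conn, ROUTE_MASK)
    return mark


def chain_tcpre(mark, in_if):
    """Chain tcpre from the dump: the tcrules entry '0x100 br0 0.0.0.0'."""
    return xset(mark, 0x100) if in_if == "br0" else mark


def chain_prerouting(mark, conn, in_if):
    """PREROUTING as listed in the dump, rule by rule."""
    if mark_matches(conn.ctmark, 0, ROUTE_MASK, invert=True):
        mark = connmark_restore(mark, conn, ROUTE_MASK)
    if in_if in ("eth0", "eth1") and mark_matches(mark, 0, ROUTE_MASK):
        mark = chain_routemark(mark, conn, in_if)
    if in_if in ("eth0", "eth1"):          # unconditional tcpre jumps
        mark = chain_tcpre(mark, in_if)
    if mark_matches(mark, 0, ROUTE_MASK):  # 'tcpre ... mark match 0x0/0xff00'
        mark = chain_tcpre(mark, in_if)
    return mark


def chain_output(mark, conn):
    """OUTPUT as listed in the dump: restore, then tcout (tcrules '0x100 $FW -')."""
    if mark_matches(conn.ctmark, 0, ROUTE_MASK, invert=True):
        mark = connmark_restore(mark, conn, ROUTE_MASK)
    if mark_matches(mark, 0, ROUTE_MASK):
        mark = xset(mark, 0x100)
    return mark


def route_of(mark):
    """Assumed routing step: the provider whose mark is in the high byte."""
    return PROVIDERS.get(mark & ROUTE_MASK, "main")


def trace_forward(in_if, conn):
    """One forwarded packet: PREROUTING -> routing -> 'MARK and 0xff'."""
    mark = chain_prerouting(0, conn, in_if)
    provider = route_of(mark)
    return provider, mark & TC_MASK     # FORWARD/POSTROUTING strip the route bits


def trace_output(conn):
    """One locally generated packet: OUTPUT -> routing -> 'MARK and 0xff'."""
    mark = chain_output(0, conn)
    provider = route_of(mark)
    return provider, mark & TC_MASK


if __name__ == "__main__":
    conn = Conn()
    print("inbound on eth0, new conn:", trace_forward("eth0", conn), hex(conn.ctmark))
    print("reply from br0, same conn:", trace_forward("br0", conn))
    print("new conn from br0:        ", trace_forward("br0", Conn()))
    print("fw-generated, new conn:   ", trace_output(Conn()))
```

Two things the replay makes visible: the CONNMARK save only happens inside routemark, i.e. for connections that arrive on eth0/eth1, so a connection the firewall or br0 opens is re-marked by tcpre/tcout on every packet rather than remembered; and the `MARK and 0xff` rules strip the route bits after the routing decision, which is what keeps the 0x100/0x200 values from colliding with the 1:11..2:14 CLASSIFY matches in tcpost.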
Harry Lachanas wrote:
> however when I add a rule from Loc->net and mark packets to go through a
> particular provider it also looked like both ISPs where used.
>
> Then I replaced the balance option with loose and it the fw->net traffic
> got routed through the ISP1 but I am not sure that this package will do
> balance for packets that have no specific mark on them :-\
>
> shorewall version 3.4.8
> kernel 2.6.25
>
> Thanks for your suggestions

I personally am not going to spend any time on this without seeing 'shorewall dump' output.
OK, I've just included a shorewall dump in the mail.

The update on this is that ...
Indeed the ping gets routed to ISP1.
I also can see the reply coming in (tcpdump),
however ping or fping lies there dead ....

Meanwhile #ip route get IP_ADDRESS shows the particular address I was pinging as it was supposed to be routed through ISP2.

My interfaces file is
-----------------------------------------------------------
net eth0 detect
net eth1 detect
dmz eth2 detect
loc br0 detect routeback
-----------------------------------------------------------

I wish to route all fw traffic to ISP1,
but the rule gets ignored ....

In my tcrules file I have only one rule.

0x100 $FW -
0x100 br0 0.0.0.0

with high route marks.

Then after executing a ping from fw->net I found out that successive pings get routed alternately to both ISP providers.

my providers file is
NAME NUMBER MARK  DUPLICATE INTERFACE GATEWAY    OPTIONS       COPY
ISP1 1      0x100 main      eth0      10.10.10.1 track,balance eth2,br0
ISP2 2      0x200 main      eth1      10.0.12.1  track,balance eth2,br0

shorewall show mangle shows traffic getting marked ok.

However, when I add a rule from Loc->net and mark packets to go through a particular provider it also looked like both ISPs were used.

Then I replaced the balance option with loose and the fw->net traffic got routed through ISP1, but I am not sure that this package will do balance for packets that have no specific mark on them :-\

shorewall version 3.4.8
kernel 2.6.25
Harry Lachanas wrote:
> Indeed the ping gets routed to ISP1
> I also can see the reply comming in ( tcpdump )
> however ping or fping lies there dead ....

Probably being dropped as martians -- but you'll never know it since you haven't enabled martian logging.

> I Wish to route all fw traffic to ISP1
> But the rule gets ignored ....

Which is described as a possible problem in the Shorewall Multi-ISP documentation in the section entitled "Applications Running on the Firewall".

> In my tcrules file I have only one rule.
>
> 0x100 $FW -
> 0x100 br0 0.0.0.0
>
> with high route marks .
>
> Then after executing a ping from fw->net I found out that successive
> pings get routed interchanged to both isp providers.
>
> my providers file is
> NAME NUMBER MARK  DUPLICATE INTERFACE GATEWAY    OPTIONS       COPY
> ISP1 1      0x100 main      eth0      10.10.10.1 track,balance eth2,br0
> ISP2 2      0x200 main      eth1      10.0.12.1  track,balance eth2,br0
>
> shorewall show mangle shows traffic getting marked ok.
>
> however when I add a rule from Loc->net and mark packets to go through a
> particular provider it also looked like both ISPs where used.
>
> Then I replaced the balance option with loose and it the fw->net traffic
> got routed through the ISP1 but I am not sure that this package will do
> balance for packets that have no specific mark on them :-\

The only thing that 'loose' does is that it causes one routing rule per external interface to be omitted (the rule that allows applications to bind to a particular interface's address to force the application to use that interface). Specifying 'loose' is an alternative to the technique of configuring your applications themselves to use a specific interface. It should work fine provided that you don't need to use that technique.
> The only thing that 'loose' does is that it causes one routing rule per
> external interface to be omitted (the rule that allows applications to
> bind to a particular interface's address to force the application use
> that interface). Specifying 'loose' is an alternative to the technique
> of configuring your applications themselves to use a specific interface.
> It should work fine provided that you don't need to use that technique.

Sorry Shorewall Geek,
this really got me confused ...

If say openvpn is running on the firewall, should it be started with
a) --local 0
or
b) --local xx.xx.xx.xx
???

Thanks.
Regards
Harry.
Harry Lachanas wrote:
>> The only thing that 'loose' does is that it causes one routing rule per
>> external interface to be omitted (the rule that allows applications to
>> bind to a particular interface's address to force the application use
>> that interface). Specifying 'loose' is an alternative to the technique
>> of configuring your applications themselves to use a specific interface.
>> It should work fine provided that you don't need to use that technique.
>
> Sorry Shorewall Geek,
> this really got me confused ...
>
> If say openvpn is running on firewall should by started with
> a) --local 0
> or
> b) --local xx.xx.xx.xx
> ???

You are running an OpenVPN server. So as long as you have 'track' specified on your providers, it doesn't make any difference. Note though, if you use --local xx.xx.xx.xx then your clients can only connect using one of your providers unless you run two instances of OpenVPN (one on each address).
On Fri, Dec 12, 2008 at 1:47 AM, Harry Lachanas <grharry@freemail.gr> wrote:
>
> If say openvpn is running on firewall should by started with
> a) --local 0
> or
> b) --local xx.xx.xx.xx
> ???
>

And if you're running with multiple interfaces, you better be running OpenVPN 2.1RC with --multihome. Otherwise things get messy.

Prasanna.
--
Want to manage multiple office networks? Want to securely connect all your locations? Want to do it in a budget? www.elinanetworks.com
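As an added illustration of the two options discussed in the last two replies (the editor's example, not a config from Harry, Tom or Prasanna), here is a server-side OpenVPN fragment showing the choice between a multi-homed UDP listener and one bound to a single provider address. Assumptions: UDP transport (the --multihome option only concerns UDP; a TCP listener such as the `openvpnserver:tcp:1194` entry in Pete's tunnels file replies from the address the client connected to per accepted connection), the VPN subnet 10.8.0.0/24 is a placeholder, and the bound address in the commented alternative is Pete's ISP1 address from the first post, used only as a stand-in. Which provider's interface the replies actually leave on is still decided by the policy routing Shorewall builds, which is what 'track' is for.

```conf
# Editor's example OpenVPN server fragment for a firewall with two
# provider interfaces (eth0 on ISP1, eth1 on ISP2). Not from the thread.
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0      # assumed VPN client subnet (placeholder)

# Option A: listen on all addresses and answer from whichever provider
# address the client talked to. Requires OpenVPN 2.1 (RC at the time of
# the thread) and must not be combined with "local".
multihome

# Option B: bind to one provider's address. Clients can then only reach
# the server through that ISP; serving both ISPs this way needs a second
# OpenVPN instance bound to the other address.
# local 145.155.111.129
```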