Shorewall users - Jun 2009 - one to one nat

Tom 
Thinking of trashing the netmap idea due to one of the existing 
firewalls needs to much work and is a 2.4 kernel. That is if there
is an easier way to accomplish this.  
    The existing network is currently connected with two wireless bridges
that need to be doglegged around a treeline. The current network is
at layer2 all using the same network ips.  The fix is to add a third bridge
using wds repeater or really the third bridge will be root so the bandwidth
will not be not be cut in half
    While this work is being done I need this vpn so we dont interrupt the
network. For explanation purposes I will use networkA and netB.
    NetworkB is a slave building that has dsl though. NeworkA has a FracT1.
With the wireless bridges down netB will lose connection to their in house
servers.
   netB is also a small amount of nodes around 10.

    This network has some ip''s that are out of my control or require
contacting
people and to say the least is a hassle to change. The two nets have voip PBX
systems to allow voip between them using H323. And one net printer that needs
netA access. I am thinking of changing the voip ips myself since i think I can 
do that. But would like to use one to one nat or something for the printer.
     So if I change netB to 10.10.85.0/24 with netA staying with 10.3.85.0/24.
And use two shorewall boxes to route this with openvpn.
My question is If in networkA server 10.3.85.194 needs to print to former
10.3.85.140 HP printer which will now be 10.10.85.140 would say one to 
one nat work like this?
Firewall A
/etc/shorewall/nat
#EXTERNAL       INTERFACE         INTERNAL      ALL INTERFACES     LOCAL
10.10.85.140.   tun0              10.3.85.194      no                 no

Firewall B
 /etc/shorewall/nat
#EXTERNAL       INTERFACE         INTERNAL      ALL INTERFACES     LOCAL
10.3.85.194     tun0              10.10.85.140.    no                 no

Mike

 


------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

I should add this to avoid confusion. I will be changing all IP;s 
in netB to the new 10.10.85.0/24 network. However netA
Is hard to change its nodes to the new network,
netB needs to look as if the Hp printer is still coming
from its old ip 10.3.85.140 while its real ip is 10.10.85.140

Mike



------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

Mike Lander wrote:
> 
> 
> Tom
> Thinking of trashing the netmap idea due to one of the existing
> firewalls needs to much work and is a 2.4 kernel. That is if there
> is an easier way to accomplish this.  
>     The existing network is currently connected with two wireless bridges
> that need to be doglegged around a treeline. The current network is
> at layer2 all using the same network ips.  The fix is to add a third bridge
> using wds repeater or really the third bridge will be root so the bandwidth
> will not be not be cut in half
>     While this work is being done I need this vpn so we dont interrupt the
> network. For explanation purposes I will use networkA and netB.
Why don''t you simply set up a bridged OpenVPN tunnel between the two
sites?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

Why don''t you simply set up a bridged OpenVPN tunnel between the two
sites?

Tom

Ok I built a new firewall so that both sides would be the latest and greatest
now I have been studing how to fire up tap and br0 between a few scripts
i have installed I can get the devices up and I am assuming I am creating
a brouter here, and thinking otherwise you have no lan interface if you are
not using a brouter. such as no brouter two interface firewall would be
as follows eth0 wan br0 lan
where as brouter is 
eth0 wan eth1 lan br0 bridged to both  
    I could be way off track here with the expaination of my understanding tell
me if so.
Here is what I have.: 
All I have built so far is one server to try to get one up first and it will be
the server.
Client will follow.
I think I am close here with a few troubles if someone could please take a look

#####
openvpn.conf

server-bridge 10.194.79.191 255.255.255.0 10.194.79.200 10.194.79.202

client-to-client

port 1194
remote 66.224.100.194 1194

verb 5
mute 0

ca /etc/openvpn/keys/honda/ca.crt
cert /etc/openvpn/keys/honda/ca.crt
key /etc/openvpn/keys/honda/ca.key

dh dh1024.pem

proto udp

dev tap0

user nobody

group nogroup

keepalive 10 120

status servers/honda/logs/openvpn-status.log

log-append servers/honda/logs/openvpn.log

comp-lzo

persist-key
persist-tun
push "route 10.194.79.0 255.255.255.0"
#
#These opt will work on the server install
#OFF for now
#push "dhcp-option DNS 10.3.85.15"
#push "dhcp-option WINS 10.3.85.15"
###end  conf

############ /etc/init,d/openvpn_bridge

#my init script has troubles I think I had to edit quite a bit

#  Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged
tap="tap0"

# Define a list of physical ethernet interfaces to be bridged
# with TAP interface(s) above.
#
eth="eth0"
eth_ip="10.194.79.191"
eth_netmask="255.255.255.0"
eth_broadcast="10.194.79.255"

# Path to the system networking script
# For Debian
#NETWORK="/etc/init.d/networking"
# For SuSE
NETWORK="/etc/init.d/network"

# Path to the openvpn start/stop script
OPENVPN_INIT="/etc/init.d/openvpn"

# Path to the openvpn binary
OPENVPN="/usr/sbin/openvpn"

# Path to the brctl binary
BRCTL="/sbin/brctl"

# Path to the ifconfig binary
IFCONFIG="/sbin/ifconfig"

# Path to the route binary
ROUTE="/sbin/route"

do_start(){

for i in $tap; do
$OPENVPN --mktun --dev $i
done

$BRCTL addbr $br

for i in $eth; do
$BRCTL addif $br $i
done

for i in $tap; do
$BRCTL addif $br $i
done

for i in $eth; do
$IFCONFIG $i 0.0.0.0 promisc up
done

for i in $tap; do
$IFCONFIG $i 0.0.0.0 promisc up
done

$IFCONFIG $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

$ROUTE add default gw $default_gw

$OPENVPN_INIT start

}

do_stop(){

$IFCONFIG $br down
$BRCTL delbr $br

for i in $tap; do
$OPENVPN --rmtun --dev $i
$IFCONFIG $i down
$NETWORK force-reload
done

$OPENVPN_INIT stop

}

case "$1" in

start)
        do_start
;;
stop)
        do_stop
;;
restart)
        do_stop
        sleep 1
        do_start
;;
*)
echo "usage: $0 start|stop|restart" >&2
exit 3
;;
esac
exit 0

###end init

#####/var/log/messages after  /etc/init.d/openvpn_bridge start

Jun 11 13:35:29 linux-rwu0 kernel: eth1: no IPv6 routers present
Jun 11 13:35:31 linux-rwu0 kernel: br0: Dropping NETIF_F_UFO since no
NETIF_F_HW_CSUM feature.
Jun 11 13:35:31 linux-rwu0 kernel: device tap0 entered promiscuous mode
Jun 11 13:35:31 linux-rwu0 kernel: r8169: eth0: link up
Jun 11 13:35:31 linux-rwu0 kernel: br0: port 2(tap0) entering learning state
Jun 11 13:35:31 linux-rwu0 kernel: br0: port 1(eth0) entering learning state
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Joining mDNS multicast group on
interface br0.IPv4 with address 10.194.79.191.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: New relevant interface br0.IPv4
for mDNS.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Registering new address record
for 10.194.79.191 on br0.IPv4.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Withdrawing address record for
10.194.79.191 on br0.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Leaving mDNS multicast group on
interface br0.IPv4 with address 10.194.79.191.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Interface br0.IPv4 no longer
relevant for mDNS.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Joining mDNS multicast group on
interface br0.IPv4 with address 10.194.79.191.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: New relevant interface br0.IPv4
for mDNS.
Jun 11 13:35:31 linux-rwu0 avahi-daemon[3060]: Registering new address record
for 10.194.79.191 on br0.IPv4.
Jun 11 13:35:31 linux-rwu0 openvpn[23762]: Warning: Error redirecting
stdout/stderr to --log file: servers/honda/logs/openvpn.log: No such file or
directory (errno=2)
Jun 11 13:35:31 linux-rwu0 openvpn[23762]: Options error: --remote cannot be
used with --mode server
Jun 11 13:35:31 linux-rwu0 openvpn[23762]: Use --help for more information.
Jun 11 13:35:32 linux-rwu0 avahi-daemon[3060]: Registering new address record
for fe80::214:d1ff:fe13:4311 on br0.*.
Jun 11 13:35:33 linux-rwu0 avahi-daemon[3060]: Registering new address record
for fe80::214:d1ff:fe13:4311 on eth0.*.
Jun 11 13:35:33 linux-rwu0 avahi-daemon[3060]: Registering new address record
for fe80::ec29:29ff:fea9:6d16 on tap0.*.
Jun 11 13:35:35 linux-rwu0 nm-system-settings: Adding default connection
''Auto tap0'' for
/org/freedesktop/Hal/devices/net_ee_29_29_a9_6d_16

this is the shell output after starting the init script
its complaining about inet_route not sure if need a lan gateway in
openvpn.conf??
##############
linux-rwu0:/ # /etc/init.d/openvpn_bridge start
Thu Jun 11 13:45:36 2009 TUN/TAP device tap0 opened
Thu Jun 11 13:45:36 2009 Persist state set to: ON
Usage: inet_route [-vF] del {-host|-net} Target[/prefix] [gw Gw] [metric M]
[[dev] If]
       inet_route [-vF] add {-host|-net} Target[/prefix] [gw Gw] [metric M]
                              [netmask N] [mss Mss] [window W] [irtt I]
                              [mod] [dyn] [reinstate] [[dev] If]
       inet_route [-vF] add {-host|-net} Target[/prefix] [metric M] reject
       inet_route [-FC] flush      NOT supported
Starting OpenVPN           

############################

ifconfig after init start                                    

br0       Link encap:Ethernet  HWaddr 00:14:D1:13:43:11  
          inet addr:10.194.79.191  Bcast:10.194.79.255  Mask:255.255.255.0
          inet6 addr: fe80::214:d1ff:fe13:4311/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:83 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:6188 (6.0 Kb)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:14:D1:13:43:11  
          inet6 addr: fe80::214:d1ff:fe13:4311/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:3851 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1433 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:442124 (431.7 Kb)  TX bytes:172003 (167.9 Kb)
          Interrupt:20 Base address:0xe000 

eth1      Link encap:Ethernet  HWaddr 00:16:17:7E:FE:D1  
          inet addr:10.194.79.191  Bcast:10.194.79.255  Mask:255.255.255.0
          inet6 addr: fe80::216:17ff:fe7e:fed1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6806 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3956 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1004116 (980.5 Kb)  TX bytes:1171570 (1.1 Mb)
          Interrupt:23 Base address:0xc000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:580 (580.0 b)  TX bytes:580 (580.0 b)

tap0      Link encap:Ethernet  HWaddr EE:29:29:A9:6D:16  
          inet6 addr: fe80::ec29:29ff:fea9:6d16/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:18 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

 linux-rwu0:/ # /etc/init.d/openvpn_bridge stop

######################################
Thu Jun 11 13:43:49 2009 TUN/TAP device tap0 opened
Thu Jun 11 13:43:49 2009 Persist state set to: OFF
tap0: unknown interface: No such device
Shutting down network interfaces:
    eth0      device: Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet
(rev 10)                                                                        
done
    eth1      device: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev
10)                                                                             
done
Shutting down service network  .  .  .  .  .  .  .  .  .                        
done
Hint: you may set mandatory devices in /etc/sysconfig/network/config
Setting up network interfaces:
    eth0      device: Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet
(rev 10)
    eth0      Startmode is ''manual''                           
skipped
    eth1      device: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev
10)
    eth1      IP address: 10.194.79.191/24                                      
done
Setting up service network  .  .  .  .  .  .  .  .  .  .                        
done
Shutting down OpenVPN               

Think I am close???

Thanks 
Mike                 


------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects