[Shorewall-users] can't connect to private lan on other side of tunnel from loc zone

Jerry Vonau jvonau at shaw.ca
Sat Jun 7 16:40:38 PDT 2003


Hi All:

Here is a strange one...

I have a VPN set up between a couple of locations; it's using a ppp interface. 
I'm using Shorewall-1.4.4b and an out-of-the-box 2.4.20-18.8 kernel from 
Red Hat. I'm able to ping/connect from the firewall itself to anything on the 
other end of the tunnel... I'm unable to make a connection to 2 of the remote 
LANs, 10.2.0.0/24 and 10.1.14.0/24, from a machine in the loc zone, while I'm 
able to connect to a machine that is only accessible through the 10.1.14.0/24 
LAN. There is nothing showing up in /var/log/messages... Here is the routing:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
139.142.212.5   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
10.2.0.150      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.1.14.1       0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
204.225.120.230 10.1.14.1       255.255.255.255 UGH   0      0        0 ppp0
139.142.212.0   0.0.0.0         255.255.255.240 U     0      0        0 eth0
10.1.14.0       10.2.0.1        255.255.255.0   UG    0      0        0 ppp0
10.2.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ppp0
10.3.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ppp0
10.5.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         139.142.212.14  0.0.0.0         UG    0      0        0 eth0

The interfaces file:
#ZONE	 INTERFACE	BROADCAST	OPTIONS
net	eth0	139.142.212.15		norfc1918,tcpflags,blacklist
loc	eth1	10.255.255.255		dhcp
dmz	eth2	detect			
-	ppp+	-			-			
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

hosts:

sarg	ppp+:10.2.0.0/24
jer	ppp+:10.3.0.0/24
nff1	ppp+:10.1.14.0/24
nff2	ppp+:$NFF2

NFF2 is defined in the params file; this is the only connection that does work 
through the tunnel from the loc zone.

zones:

#ZONE	DISPLAY		COMMENTS
net	Net		Internet
sarg	SARG		Sarg's Lan
jer	jerry		jerry's house
nff1	ship		nff in shipping
nff2	nffftp		nff's ftp
loc	Local		Local networks
dmz	DMZ		Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


policy:

#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
fw		net		ACCEPT
loc		dmz		ACCEPT
loc		jer		ACCEPT		info
loc		sarg		ACCEPT		info
loc		nff1		ACCEPT		info
loc		net		ACCEPT

nff1		loc		ACCEPT		info
sarg		loc		ACCEPT		info
jer		loc		ACCEPT		info
loc		loc		ACCEPT		info

dmz		net		ACCEPT		info
net		all		DROP			info
all		all		REJECT		info

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

attached is a dump of shorewall status:


This is the last piece that I need to get working.
Everything else is working just great.
Just to recap: from the firewall, through the tunnel, everything works. From the 
loc zone, just one of them works; strangely, the one that works uses public 
IP addresses but is only accessible from the 10.1.14.0 network, while the 
private IP addresses on the remote LAN don't. Not too sure where to look for 
this one...
What have I overlooked? If I didn't submit a file that is needed to 
troubleshoot this, just tell me...

Thanks in Advance

Jerry Vonau
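As an added troubleshooting aid (not part of the original post, nor Shorewall's own code), the script below replays the posted routing table, interfaces, hosts and policy files for a given source zone and destination address: longest-prefix route lookup, then the zone Shorewall would assign, then the first matching policy line. It assumes a value for $NFF2 (which lives in the unposted params file), treats hosts entries as taking precedence over the interface's own zone, and does not model the rules file, which was not posted.

```python
import fnmatch
import ipaddress

# Routing table transcribed from the `route -n` output above: (dest, genmask, gateway, iface)
ROUTES = [
    ("139.142.212.5", "255.255.255.255", "0.0.0.0", "eth2"),
    ("10.2.0.150", "255.255.255.255", "0.0.0.0", "ppp0"),
    ("10.1.14.1", "255.255.255.255", "0.0.0.0", "ppp0"),
    ("204.225.120.230", "255.255.255.255", "10.1.14.1", "ppp0"),
    ("139.142.212.0", "255.255.255.240", "0.0.0.0", "eth0"),
    ("10.1.14.0", "255.255.255.0", "10.2.0.1", "ppp0"),
    ("10.2.0.0", "255.255.255.0", "0.0.0.0", "ppp0"),
    ("10.3.0.0", "255.255.255.0", "0.0.0.0", "ppp0"),
    ("10.5.0.0", "255.255.255.0", "0.0.0.0", "eth2"),
    ("10.0.0.0", "255.0.0.0", "0.0.0.0", "eth1"),
    ("0.0.0.0", "0.0.0.0", "139.142.212.14", "eth0"),
]
IFACE_ZONES = {"eth0": "net", "eth1": "loc", "eth2": "dmz"}  # interfaces file; ppp+ has no zone
NFF2 = "204.225.120.230/32"  # ASSUMPTION: $NFF2 is in the unposted params file; placeholder value
HOST_ZONES = [("sarg", "ppp+", "10.2.0.0/24"), ("jer", "ppp+", "10.3.0.0/24"),
              ("nff1", "ppp+", "10.1.14.0/24"), ("nff2", "ppp+", NFF2)]  # hosts file
POLICY = [("fw", "net", "ACCEPT"), ("loc", "dmz", "ACCEPT"), ("loc", "jer", "ACCEPT"),  # policy file,
          ("loc", "sarg", "ACCEPT"), ("loc", "nff1", "ACCEPT"), ("loc", "net", "ACCEPT"),  # in order
          ("nff1", "loc", "ACCEPT"), ("sarg", "loc", "ACCEPT"), ("jer", "loc", "ACCEPT"),
          ("loc", "loc", "ACCEPT"), ("dmz", "net", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "REJECT")]

def route_lookup(dst):
    """Longest-prefix match over ROUTES, as the kernel does; returns (gateway, iface) or None."""
    addr, best = ipaddress.ip_address(dst), None
    for dest, mask, gw, iface in ROUTES:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[1:] if best else None

def zone_of(dst):
    """Zone the destination falls in: a hosts entry on the egress interface wins, else the interface's zone."""
    _, iface = route_lookup(dst)
    addr = ipaddress.ip_address(dst)
    for zone, pattern, net in HOST_ZONES:  # "ppp+" is Shorewall's wildcard for ppp0, ppp1, ...
        if fnmatch.fnmatch(iface, pattern.replace("+", "*")) and addr in ipaddress.ip_network(net):
            return zone
    return IFACE_ZONES.get(iface)

def policy_for(src, dst):
    """First policy line whose SOURCE/DEST match; "all" is a wildcard. The rules file is not modelled."""
    return next((act for s, d, act in POLICY if s in (src, "all") and d in (dst, "all")), None)

def check(src_zone, dst):
    # Zone and policy the posted config gives a packet from src_zone to dst, e.g. check("loc", "10.2.0.7")
    zone = zone_of(dst)
    return zone, policy_for(src_zone, zone)
```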

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shore.dmp
Type: application/octet-stream
Size: 50866 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030607/9299ab92/shore-0001.obj