[Firehol-support] Strange problem when routing between many interface
Simon Szustkowski
mail at simonszu.de
Mon Mar 2 08:43:43 GMT 2015
Hi Costa,
thanks for your help. I really appreciate it.
I think I have implemented the masquerading stuff with marks like you
said, using the daily FireHOL build from yesterday.
However, I still have the problem that the routers don't forward any
traffic at all, if they don't masquerade.
For reference, my config now looks like this:
#
# $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
#
version 6
internet_if="eth0"
openvpn_if="tun0"
dn42_if="tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11"
# Define a mark to mark all packets originating from the openvpn interface
markdef masq 2
# Mark the packets to masquerade when they are received from the ${openvpn_if} interface
custommark4 masq 1 PREROUTING inface "${openvpn_if}"
# Masquerade packets going out on the ${dn42_if} and ${internet_if} interfaces
masquerade4 "${dn42_if}" custommark masq 1
masquerade4 "${internet_if}" custommark masq 1
interface "${internet_if}" internet
(...some rules for accepting services traffic and stuff...)
# Define the tun2 Interface for CA-based Openvpn
interface4 "${openvpn_if}" openvpn
# Define the other OpenVPN connections as DN42. Accept Ping and BGP
interface4 "${dn42_if}" dn42
(...some rules for accepting BGP and OSPF traffic...)
# Accept packets coming from openvpn_if and leaving through internet_if
router4 openvpn2internet inface "${openvpn_if}" outface "${internet_if}"
route all accept
# Do not accept packets coming from internet_if and leaving through openvpn_if
router4 internet2openvpn inface "${internet_if}" outface "${openvpn_if}"
# Allow forwarding between the dn42 peers
router4 dn422dn42 inface "${dn42_if}" outface "${dn42_if}"
route all accept
# Accept packets coming from openvpn_if and leaving through dn42_if
router4 openvpn2dn42 inface "${openvpn_if}" outface "${dn42_if}"
route all accept
# Do not accept packets coming from dn42_if and leaving through openvpn_if
router4 dn422openvpn inface "${dn42_if}" outface "${openvpn_if}"
So, all packets originating from openvpn_if are marked, and later
masqueraded when forwarding to dn42 or the internet. Packets from dn42
to dn42 aren't touched at all, and packets originating from the internet
aren't forwarded at all.
However, I can confirm that firehol seems to create the correct iptables
commands in the explain mode when I try to reproduce the corresponding
router commands for dn422dn42.
When defining the router, it creates very many commands like
/sbin/iptables -t filter -A FORWARD -i tun11 -o tun11 -j out_dn422dn42
for every possible combination of the interfaces tun1 to tun11, also for
the in_dn422dn42. After issuing "route all accept", it creates two
important iptables commands, namely:
# Complex rules for rules_all() for server 'all'
/sbin/iptables -t filter -A in_dn422dn42 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_dn422dn42 -m conntrack --ctstate ESTABLISHED -j ACCEPT
However, when I try to ping across this routing host, there is a packet
loss of 100%. I have noticed that in the old configuration I mailed you
yesterday, there was a similar behaviour. The firewall only forwarded
packets which were masqueraded; when I tried to comment out the
masquerading statements for debugging purposes, it also dropped any
traffic which it should forward.
I can reliably reproduce this in the new config. When I mark packets
originating from the dn42 to get masqueraded as well, they get
forwarded, but not when I don't mark them.
So, basically, I have narrowed down the global masquerading issue to
work correctly, but it still seems that I only have the choice between
"masquerade and forward" or "do not masquerade and drop". But how can I
achieve "do not masquerade and forward"?
Thanks again for your help. Firehol is a great piece of software, and I
like it very much, but I still am not 100% sure how to configure it
correctly.
Yours, Simon
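An added diagnostic, not part of Simon's mail or of FireHOL itself: a small Python model of the FORWARD chain built from the explain output quoted in the mail (the rule order, the two-interface sample and the DROP policy are assumptions, not a capture from the poster's host), which walks a packet through the chains the way netfilter does. It shows that a NEW packet between two dn42 interfaces first enters out_dn422dn42, falls off the end because that chain only accepts ESTABLISHED, and is then accepted by in_dn422dn42; feeding the real `iptables -S` output of the routing host into the same walker is one way to see which rule the dropped packets actually hit.

```python
import re

# Constructed sample in iptables-save style, modelled on the explain
# output quoted in the mail; rule order and policy are assumptions.
SAMPLE_RULES = """
-P FORWARD DROP
-A FORWARD -i tun1 -o tun2 -j out_dn422dn42
-A FORWARD -i tun2 -o tun1 -j out_dn422dn42
-A FORWARD -i tun1 -o tun2 -j in_dn422dn42
-A FORWARD -i tun2 -o tun1 -j in_dn422dn42
-A in_dn422dn42 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A out_dn422dn42 -m conntrack --ctstate ESTABLISHED -j ACCEPT
"""

def parse(text):
    """Parse -P/-A lines into chain policies and per-chain rule lists."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            continue
        rule = {"target": tok[tok.index("-j") + 1]}
        if "-i" in tok:
            rule["in"] = tok[tok.index("-i") + 1]
        if "-o" in tok:
            rule["out"] = tok[tok.index("-o") + 1]
        if "--ctstate" in tok:
            rule["states"] = set(tok[tok.index("--ctstate") + 1].split(","))
        chains.setdefault(tok[1], []).append(rule)
    return policies, chains

def verdict(policies, chains, chain, pkt):
    """First terminating verdict wins; a user chain with no match returns
    None, i.e. RETURN to the caller, which then continues its own rules."""
    for r in chains.get(chain, []):
        if r.get("in", pkt["in"]) != pkt["in"] or r.get("out", pkt["out"]) != pkt["out"]:
            continue
        if "states" in r and pkt["state"] not in r["states"]:
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
        if r["target"] == "RETURN":
            return None
        sub = verdict(policies, chains, r["target"], pkt)  # jump to user chain
        if sub is not None:
            return sub
    return policies.get(chain)  # built-in chain: policy; user chain: None

def forward_verdict(text, inface, outface, state="NEW"):
    policies, chains = parse(text)
    return verdict(policies, chains, "FORWARD", {"in": inface, "out": outface, "state": state})
```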