[Firehol-support] Strange problem when routing between many interface

Simon Szustkowski mail at simonszu.de
Mon Mar 2 08:43:43 GMT 2015

Hi Costa,

thanks for your help. I really appreciate it.
I think I have implemented the masquerading stuff with marks like you 
said, using the daily FireHOL build from yesterday.
However, I still have the problem that the routers don't forward any 
traffic at all if they don't masquerade.
For reference, my config now looks like this:

# $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $

version 6

dn42_if="tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11"

# Define a mark to mark all packets originating from the openvpn 
markdef masq 2

# Mark the packets to masquerade when they are received from ${openvpn_if} Interface
custommark4 masq 1 PREROUTING inface "${openvpn_if}"

# Masquerade packets going out on ${dn42_if} and ${internet_if} 
masquerade4 "${dn42_if}" custommark masq 1
masquerade4 "${internet_if}" custommark masq 1

interface "${internet_if}" internet
(...some rules for accepting services traffic and stuff...)

# Define the tun2 Interface for CA-based Openvpn
interface4 "${openvpn_if}" openvpn

# Define the other OpenVPN connections as DN42. Accept Ping and BGP
interface4 "${dn42_if}" dn42
(...some rules for accepting BGP and OSPF traffic...)

# Accept packets coming from openvpn_if and leaving through internet_if
router4 openvpn2internet inface "${openvpn_if}" outface "${internet_if}"
route all accept

# Do not accept packets coming from internet_if and leaving through 
router4 internet2openvpn inface "${internet_if}" outface "${openvpn_if}"

# Allow forwarding between the dn42 peers
router4 dn422dn42 inface "${dn42_if}" outface "${dn42_if}"
route all accept

# Accept packets coming from openvpn_if and leaving through dn42_if
router4 openvpn2dn42 inface "${openvpn_if}" outface "${dn42_if}"
route all accept

# Do not accept packets coming from dn42_if and leaving through 
router4 dn422openvpn inface "${dn42_if}" outface "${openvpn_if}"

So, all packets originating from openvpn_if are marked, and later 
masqueraded when forwarding to dn42 or the internet. Packets from dn42 
to dn42 aren't touched at all, and packets originating from the internet 
aren't forwarded at all.
However, I can confirm that FireHOL seems to create the correct iptables 
commands in explain mode when I try to reproduce the corresponding 
router commands for dn422dn42.
When defining the router, it creates very many commands like

/sbin/iptables -t filter -A FORWARD -i tun11 -o tun11 -j out_dn422dn42

for every possible combination of the interfaces tun1 to tun11, also for 
the in_dn422dn42. After issuing "route all accept", it creates two 
important iptables commands, namely:

# Complex rules for rules_all() for server 'all'
/sbin/iptables -t filter -A in_dn422dn42 -m conntrack --ctstate 
/sbin/iptables -t filter -A out_dn422dn42 -m conntrack --ctstate 

However, when I try to ping across this routing host, there is a packet 
loss of 100%. I have noticed that in the old configuration I mailed you 
yesterday, there was similar behaviour. The firewall only forwarded 
packets which were masqueraded; when I tried to comment out the 
masquerading statements for debugging purposes, it was also dropping any 
traffic which it should forward.
I can reliably reproduce this in the new config. When I mark packets 
originating from the dn42 to get masqueraded as well, they get 
forwarded, but not when I don't mark them.

So, basically, I have narrowed down the global masquerading issue and got it 
to work correctly, but it still seems that I only have the choice between 
"masquerade and forward" or "do not masquerade and drop". But how can I 
achieve "do not masquerade and forward"?

Thanks again for your help. FireHOL is a great piece of software, and I 
like it very much, but I still am not 100% sure how to configure it 

Yours, Simon
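The question above comes down to "which rule in the FORWARD chain does a new, un-masqueraded packet actually hit, and what happens when none of them accepts it?". The script below is an added diagnostic, not part of Simon's post and not FireHOL's own code: it parses an `iptables-save -c` style dump of the filter table, walks the FORWARD chain for one in/out interface pair and one conntrack state, follows jumps into user chains, and reports the verdict (including the chain policy when every rule falls through). It also checks the two sysctls that drop forwarded packets before any FORWARD rule sees them. The dump and sysctl values are constructed for the example (the chain names follow the explain output quoted above, the rule bodies and counters are assumed); feed it real output from `iptables-save -c` and `sysctl -a` to inspect a live router.

```python
"""Trace the netfilter FORWARD path for one interface pair from an
iptables-save dump, plus the sysctls that silently drop forwarded traffic.
Added example; the sample dump and sysctl snapshot below are constructed."""
import re

# Constructed iptables-save -c output. Chain names follow the FireHOL explain
# output quoted in the post; the rule bodies and counters are assumptions.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [12:1008]
:OUTPUT ACCEPT [0:0]
:in_dn422dn42 - [0:0]
:out_dn422dn42 - [0:0]
[0:0] -A FORWARD -i tun1 -o tun2 -j in_dn422dn42
[0:0] -A FORWARD -i tun2 -o tun1 -j out_dn422dn42
[0:0] -A in_dn422dn42 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
[0:0] -A out_dn422dn42 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Constructed snapshot of what `sysctl -a` would report; values are assumed.
SAMPLE_SYSCTLS = {
    'net.ipv4.ip_forward': '1',
    'net.ipv4.conf.tun1.rp_filter': '1',
    'net.ipv4.conf.tun2.rp_filter': '0',
}

RULE_RE = re.compile(r'^(?:\[(\d+):(\d+)\] )?-A (\S+) (.*)$')


def parse_filter_table(dump):
    """Return (policies, chains) for the *filter table of an iptables-save dump.
    chains maps chain name -> list of (packet_count, rule_text)."""
    policies, chains, in_filter = {}, {}, False
    for line in dump.splitlines():
        if line.startswith('*'):
            in_filter = (line == '*filter')
        elif not in_filter or line == 'COMMIT':
            continue
        elif line.startswith(':'):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        else:
            m = RULE_RE.match(line)
            if m:
                chains.setdefault(m.group(3), []).append((int(m.group(1) or 0), m.group(4)))
    return policies, chains


def _opt(rule, flag):
    """Value of a single-argument option (-i, -o, -j, --ctstate) or None."""
    m = re.search(r'(?:^| )%s (\S+)' % re.escape(flag), rule)
    return m.group(1) if m else None


def rule_matches(rule, inface, outface, state):
    """Does the rule match a packet inface->outface in conntrack state `state`?
    Only -i/-o/--ctstate are evaluated; negated matches ('! -i') are rejected."""
    if '! ' in rule:
        raise ValueError('negated matches are not supported: ' + rule)
    for flag, iface in (('-i', inface), ('-o', outface)):
        want = _opt(rule, flag)
        if want is not None and want != iface:
            return False
    states = _opt(rule, '--ctstate')
    return states is None or state in states.split(',')


def trace_forward(dump, inface, outface, state='NEW'):
    """Walk FORWARD for a packet entering inface and leaving outface.
    Returns (path, verdict); verdict is ACCEPT/DROP/REJECT or 'policy <P>'."""
    policies, chains = parse_filter_table(dump)
    path = []

    def walk(chain):
        for _pkts, rule in chains.get(chain, []):
            if not rule_matches(rule, inface, outface, state):
                continue
            path.append(chain + ': ' + rule)
            target = _opt(rule, '-j')
            if target in ('ACCEPT', 'DROP', 'REJECT'):
                return target
            if target in chains:            # user chain: descend, then continue
                verdict = walk(target)
                if verdict:
                    return verdict
        return None                         # fell off the end of the chain

    verdict = walk('FORWARD') or 'policy ' + policies.get('FORWARD', '?')
    return path, verdict


def check_sysctls(values, *ifaces):
    """Warnings for kernel settings that drop packets before FORWARD runs."""
    warnings = []
    if values.get('net.ipv4.ip_forward') != '1':
        warnings.append('net.ipv4.ip_forward is not 1: nothing is forwarded')
    for iface in ifaces:
        key = 'net.ipv4.conf.%s.rp_filter' % iface
        if values.get(key) == '1':          # strict reverse-path filtering
            warnings.append(key + '=1 (strict): packets whose reply route is not '
                            'via ' + iface + ' are dropped before the FORWARD chain')
    return warnings


if __name__ == '__main__':
    for pair in (('tun1', 'tun2'), ('tun2', 'tun1')):
        path, verdict = trace_forward(SAMPLE_DUMP, *pair)
        print('%s -> %s (NEW): %s' % (pair + (verdict,)))
        for step in path:
            print('    ', step)
    for w in check_sysctls(SAMPLE_SYSCTLS, 'tun1', 'tun2'):
        print('warning:', w)
```

With the constructed dump, a new packet from tun1 to tun2 reaches ACCEPT through in_dn422dn42, while a new packet from tun2 to tun1 matches the FORWARD jump but not the ESTABLISHED,RELATED-only rule inside out_dn422dn42, falls off the end of both chains and lands on the FORWARD policy DROP; the same packet in state ESTABLISHED is accepted. That is the shape of "100% loss on the first ping" a practitioner should look for in the real dump: compare the `--ctstate` sets on the in_ and out_ chains for the direction that fails, and check the rp_filter warning on the tunnel interfaces before blaming the ruleset.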
