[Firehol-support] Strange problem when routing between many interface

Tsaousis, Costa costa at tsaousis.gr
Mon Mar 2 09:04:59 GMT 2015


Simon, do you have logs of the dropped packets?

If you don't, the packets get routed, but their replies do not come
back. You should be able to verify this with tcpdump too.
If I am correct, you are having a routing problem, not a firewalling
one. This explains why masqueraded packets work and non-masqueraded
packets do not work.

Costa


On Mon, Mar 2, 2015 at 10:43 AM, Simon Szustkowski <mail at simonszu.de> wrote:
> Hi Costa,
>
> thanks for your help. I really appreciate it.
> I think I have implemented the masquerading stuff with marks like you said,
> using the daily FireHOL build from yesterday.
> However, I still have the problem that the routers don't forward any traffic
> at all, if they don't masquerade.
> For reference, my config now looks like this:
>
> #
> # $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
> #
>
> version 6
>
> internet_if="eth0"
> openvpn_if="tun0"
> dn42_if="tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 tun11"
>
> # Define a mark to mark all packets originating from the openvpn interface
> markdef masq 2
>
> # Mark the packets to masquerade when they are received from ${openvpn_if} Interface
> custommark4 masq 1 PREROUTING inface "${openvpn_if}"
>
> # Masquerade packets going out on ${dn42_if} and ${internet_if} Interfaces
> masquerade4 "${dn42_if}" custommark masq 1
> masquerade4 "${internet_if}" custommark masq 1
>
>
> interface "${internet_if}" internet
> (...some rules for accepting services traffic and stuff...)
>
> # Define the tun2 Interface for CA-based Openvpn
> interface4 "${openvpn_if}" openvpn
>
> # Define the other OpenVPN connections as DN42. Accept Ping and BGP
> interface4 "${dn42_if}" dn42
> (...some rules for accepting BGP and OSPF traffic...)
>
> # Accept packets coming from openvpn_if and leaving through internet_if
> router4 openvpn2internet inface "${openvpn_if}" outface "${internet_if}"
> route all accept
>
> # Do not accept packets coming from internet_if and leaving through openvpn_if
> router4 internet2openvpn inface "${internet_if}" outface "${openvpn_if}"
>
> # Allow forwarding between the dn42 peers
> router4 dn422dn42 inface "${dn42_if}" outface "${dn42_if}"
> route all accept
>
> # Accept packets coming from openvpn_if and leaving through dn42_if
> router4 openvpn2dn42 inface "${openvpn_if}" outface "${dn42_if}"
> route all accept
>
> # Do not accept packets coming from dn42_if and leaving through openvpn_if
> router4 dn422openvpn inface "${dn42_if}" outface "${openvpn_if}"
>
>
> So, all packets originating from openvpn_if are marked, and later
> masqueraded when forwarding to dn42 or the internet. Packets from dn42 to
> dn42 aren't touched at all, and packets originating from the internet aren't
> forwarded at all.
> However, I can confirm that firehol seems to create the correct iptables
> commands in the explain mode when I try to reproduce the corresponding
> router commands for dn422dn42.
> When defining the router, it creates very many commands like
>
> /sbin/iptables -t filter -A FORWARD -i tun11 -o tun11 -j out_dn422dn42
>
> for every possible combination of the interfaces tun1 to tun11, also for the
> in_dn422dn42. After issuing "route all accept", it creates two important
> iptables commands, namely:
>
>
> # Complex rules for rules_all() for server 'all'
> /sbin/iptables -t filter -A in_dn422dn42 -m conntrack --ctstate NEW\,ESTABLISHED -j ACCEPT
> /sbin/iptables -t filter -A out_dn422dn42 -m conntrack --ctstate ESTABLISHED -j ACCEPT
>
> However, when I try to ping across this routing host, there is a packet loss
> of 100%. I have noticed that in the old configuration I mailed you
> yesterday, there was a similar behaviour. The firewall did only forward
> packets which were masqueraded, when I tried to comment out the masquerading
> statements for debug purposes, it was also dropping any traffic which it
> should forward.
> I can reliably reproduce this in the new config. When I mark packets
> originating from the dn42 to get masqueraded as well, they get forwarded,
> but not, when I don't mark them.
>
> So, basically, I have narrowed down the global masquerading issue to work
> correctly, but it still seems that I only have the choice between
> "masquerade and forward" or "do not masquerade and drop". But how can I
> achieve the "do not masquerade and forward"?
>
> Thanks again for your help. Firehol is a great piece of software, and I like
> it very much, but I still am not 100% sure how to configure it correctly.
>
> Yours, Simon
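
Added example (not part of the original thread, and not FireHOL code): the tcpdump check suggested in the reply above, done by comparing captures from both sides of the router for a non-masqueraded ping. The capture commands, the file names and the 172.22.x.x addresses are assumptions, and the sample capture lines are constructed.

```shell
#!/bin/sh
# Classify a non-masqueraded ping (source address unchanged) that crosses the router.
# Assumed capture commands on the routing host, one per side:
#   tcpdump -ni tun1 icmp > in.txt     # interface the ping arrives on
#   tcpdump -ni tun2 icmp > out.txt    # interface the ping should leave on

# count_icmp FILE KIND SRC DST: count "IP SRC > DST: ICMP echo KIND," lines.
count_icmp() {
    awk -v kind="$2" -v src="$3" -v dst="$4" '
        $2 == "IP" && $3 == src && $4 == ">" && $5 == (dst ":") &&
        $6 == "ICMP" && $7 == "echo" && $8 == (kind ",") { n++ }
        END { print n + 0 }' "$1"
}

# classify_ping IN_CAPTURE OUT_CAPTURE CLIENT TARGET: print one verdict word.
classify_ping() {
    req_in=$(count_icmp "$1" request "$3" "$4")
    req_out=$(count_icmp "$2" request "$3" "$4")
    rep_out=$(count_icmp "$2" reply "$4" "$3")
    rep_in=$(count_icmp "$1" reply "$4" "$3")
    if [ "$req_in" -eq 0 ]; then
        echo "no-request-seen"       # the ping never reached this host
    elif [ "$req_out" -eq 0 ]; then
        echo "not-forwarded"         # dropped or unroutable here: look for logged drops
    elif [ "$rep_out" -eq 0 ]; then
        echo "no-reply-returned"     # forwarded, but the far side has no way back
    elif [ "$rep_in" -eq 0 ]; then
        echo "reply-not-forwarded"   # reply arrived but was not passed back
    else
        echo "ok"
    fi
}

# Constructed sample: requests cross the router, no reply ever comes back.
demo() {
    d=$(mktemp -d)
    cat > "$d/in.txt" <<'EOF'
09:04:59.100000 IP 172.22.1.10 > 172.22.2.20: ICMP echo request, id 4242, seq 1, length 64
09:05:00.100000 IP 172.22.1.10 > 172.22.2.20: ICMP echo request, id 4242, seq 2, length 64
EOF
    cp "$d/in.txt" "$d/out.txt"
    classify_ping "$d/in.txt" "$d/out.txt" 172.22.1.10 172.22.2.20
    rm -rf "$d"
}

demo
```

A "no-reply-returned" verdict with no logged drops matches the routing problem described in the reply; "not-forwarded" points back at the firewall or the local routing table.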


