[Firehol-support] Setting up a multiple interface router
Wojtek Swiatek
w at swtk.info
Thu Feb 25 19:27:08 GMT 2016
Hello everyone,
I would like to set up a router/firewall/VPN access point and after a night
of trying I give up and ask for help :)
I am brand new to firehol so apologies for the basic questions.
I get Internet access via a box which provides a default gateway
192.168.1.1. It has a few switch ports to which is connected a server (on
which I will configure Firehol - a Debian 8) and an access point. All
devices (whether wired or wireless) are on 192.168.1.0/24.
I also have access to an OpenVPN server which creates tun0 on the server
and brings up 10.8.8.77 (on my server), 10.8.8.78 (the OpenVPN peer)
and 10.8.8.1 (the openVPN gateway).
The server has one NIC eth0 on which I have:
- one IP assigned by the box via DHCP (it can be assumed to be fixed):
192.168.1.107
- one IP (192.168.10.10) created manually which I will use to bind a
bittorrent client and a squid proxy to - with the idea to route all outbound
traffic on this IP via the tun0 VPN.
Looks like a brilliant setup :)
I am currently in a safe environment so the first step is to have a
completely open firewall where the following would work (on the server to
start with):
- traceroute www.google.com via the default existing 192.168.1.1 route.
This works.
- traceroute www.google.com via a new default route (created after removing
the one above) via 192.168.10.10. The idea is that a packet sent to google
would go to the default route (192.168.10.10) and then be forwarded to tun0
where it would leave to Internet.
These two scenarios would ensure that it is possible to send a packet (via
a default route, changed between the two scenarios) either via the provider
gw, or via the VPN.
I believe that it would also mean that
- if I have the current "provider" default route (192.168.1.1)
- and if I bind squid to 192.168.10.10,
- then setting my browser proxy to 192.168.10.10 would direct the browsing
traffic via the VPN
Where should I start?
So far I tried the following configuration
--- /etc/firehol/firehol.conf ---
# I do not use IPv6 and keeping it enabled raised an error with the SNAT entry
# below, which was parsed by ip6tables instead of iptables.
# I am not sure if this is a bug, but disabling IPv6 here and at GRUB level
# fixed at least the error and firehol started.
ENABLE_IPV6=0

# When traffic leaves the VPN, it should emerge with the special IP
# discussed above (the one I am binding squid and transmission to).
snat to 192.168.10.10 outface tun0

# Not sure about that one, it was created as part of the automated
# configuration build.
# I am not sure why I need to handle Internet traffic here; I thought it
# would be a matter of default route, which goes to an interface, which is
# then filtered and routed.
interface4 eth0 internet src not "${UNROUTABLE_IPS} 192.168.1.0/24" dst 192.168.1.107
    policy accept

# The interface which is on the LAN where everyone else at home is.
interface4 eth0 lan src "192.168.1.0/24" dst 192.168.1.107
    policy accept

# The special interface on which I will bind squid and transmission.
interface4 eth0 for_nvpn dst 192.168.10.10
    policy accept

# The VPN interface. I do not know its IP in advance (it is set by the provider).
interface4 tun0 nvpn
    policy accept

# Everything which goes out (including to google in my example) is permitted.
router4 lan2internet inface lan outface internet
    route all accept
router4 lan2for_nvpn inface lan outface for_nvpn
    route all accept
router4 for_nvpn2nvpn inface for_nvpn outface nvpn
    route all accept
--- end of /etc/firehol/firehol.conf ---
The routing on the server is
root at debian-testing:~# ip route
default via 192.168.1.1 dev eth0
10.8.8.1 via 10.8.8.77 dev tun0
10.8.8.77 dev tun0 proto kernel scope link src 10.8.8.78
169.254.0.0/16 dev eth0 scope link metric 1000
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.107
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.10
192.168.20.0/24 dev eth0 proto kernel scope link src 192.168.20.20
I would be really grateful for comments (on the setup and, if it is OK, on the
configuration to bring it to life).
Thank you!
WoJ
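As an added example (not part of the post above, and not FireHOL's own code): a small Python model of the Linux route lookup over the routing table quoted in the post, next to a hypothetical source-based `ip rule` that sends traffic from 192.168.10.10 through a separate table whose only route is `default dev tun0`. The `vpn` table, the rule and the destination 192.0.2.1 are assumptions constructed for the example; a plain table lookup matches on the destination only, so the address a proxy is bound to does not by itself choose tun0, which is what the source rule adds.

```python
import ipaddress

# Constructed copy of the main routing table quoted in the post (ip route output).
MAIN_TABLE = """\
default via 192.168.1.1 dev eth0
10.8.8.1 via 10.8.8.77 dev tun0
10.8.8.77 dev tun0 proto kernel scope link src 10.8.8.78
169.254.0.0/16 dev eth0 scope link metric 1000
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.107
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.10
192.168.20.0/24 dev eth0 proto kernel scope link src 192.168.20.20
"""

# Hypothetical extra table for policy routing: everything via the tunnel.
VPN_TABLE = "default dev tun0\n"

def parse_table(text):
    """Turn 'ip route' lines into (network, attrs) pairs; 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        attrs = dict(zip(parts[1::2], parts[2::2]))  # dev/via/src/scope/... pairs
        routes.append((ipaddress.ip_network(prefix, strict=False), attrs))
    return routes

def lookup(table, dst):
    """Longest-prefix match on the destination only, as a single table does."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in table if dst in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (best[1]["dev"], best[1].get("via"))

def policy_lookup(dst, src, rules, tables):
    """Model 'ip rule': the first rule whose 'from' covers src selects its table."""
    for from_net, table_name in rules:
        if ipaddress.ip_address(src) in ipaddress.ip_network(from_net):
            hit = lookup(tables[table_name], dst)
            if hit is not None:
                return hit
    return lookup(tables["main"], dst)

TABLES = {"main": parse_table(MAIN_TABLE), "vpn": parse_table(VPN_TABLE)}
RULES = [("192.168.10.10/32", "vpn")]  # hypothetical: ip rule from 192.168.10.10 lookup vpn

if __name__ == "__main__":
    dst = "192.0.2.1"  # constructed public destination (TEST-NET-1)
    print("main table only, any source  ->", lookup(TABLES["main"], dst))
    print("source rule, src 192.168.10.10 ->", policy_lookup(dst, "192.168.10.10", RULES, TABLES))
    print("source rule, src 192.168.1.107 ->", policy_lookup(dst, "192.168.1.107", RULES, TABLES))
```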