Wojtek Swiatek w at swtk.info
Thu Feb 25 19:27:08 GMT 2016

Hello everyone,

I would like to set up a router/firewall/VPN access point and after a night
of trying I give up and ask for help :)
I am brand new to firehol so apologies for the basic questions.

I get Internet access via a box which provides a default gateway. It has a
few switch ports to which is connected a server (on which I will configure
Firehol - a Debian 8) and an access point. All devices (whether wired or
wireless) are on

I also have access to an OpenVPN server which creates tun0 on the server
and brings up (on my server), (the OpenVPN peer)
and (the OpenVPN gateway).

The server has one NIC eth0 on which I have:
- one IP assigned by the box via DHCP (it can be assumed to be fixed):
- one IP (  created manually which I will use to bind a
BitTorrent client and a squid proxy to - with the idea to route all outbound
traffic on this IP via the tun0 VPN.

Looks like a brilliant setup :)

I am currently in a safe environment so the first step is to have a
completely open firewall where the following would work (on the server to
start with):
- traceroute www.google.com via the default existing route.
This works.
- traceroute www.google.com via a new default route (created after removing
the one above) via The idea is that a packet sent to google
would go to the default route ( and then be forwarded to tun0
where it would leave to Internet.
These two scenarios would ensure that it is possible to send a packet (via
a default route, changed between the two scenarios) either via the provider
gw, or via the VPN.

I believe that it would also mean that
- if I have the current "provider" default route (
- and if I bind squid to,
- then setting my browser proxy to would direct the browsing
traffic via the VPN

Where should I start?

So far I tried the following configuration

--- /etc/firehol/firehol.conf ---
# I do not use IPV6 and keeping it raised an error with the SNAT entry
# below which was parsed by ip6tables instead of iptables
# I am not sure if this is a bug but disabling IPV6 here and at GRUB level
# fixed at least the error and firehol started

# when traffic leaves the VPN, it should emerge with the special IP
# discussed above (the one I am binding squid and transmission to)
snat to outface tun0

# not sure about that one, it was created as part of the automated
# configuration build
# I am not sure why I need to handle Internet traffic here, I thought it
# would be a matter of default route, which goes to an interface, which is
# then filtered and routed
interface4 eth0 internet src not "${UNROUTABLE_IPS}" dst
        policy accept

# the interface which is on the LAN where everyone else at home is
interface4 eth0 lan src "" dst
        policy accept

# the special interface on which I will bind squid and transmission
interface4 eth0 for_nvpn dst
        policy accept

# the VPN interface. I do not know its IP in advance (it is set by the
interface4 tun0 nvpn
        policy accept

# everything which goes out (including to google in my example) is
router4 lan2internet inface lan outface internet
        route all accept

router4 lan2for_nvpn inface lan outface for_nvpn
        route all accept

router4 for_nvpn2nvpn inface for_nvpn outface nvpn
        route all accept

--- end of  /etc/firehol/firehol.conf ---

The routing on the server is

root at debian-testing:~# ip route
default via dev eth0
via dev tun0
dev tun0  proto kernel  scope link  src
dev eth0  scope link  metric 1000
dev eth0  proto kernel  scope link  src
dev eth0  proto kernel  scope link  src
dev eth0  proto kernel  scope link  src

I would be really grateful for comments (on the setup and, if it is OK, on the
configuration to bring it to life).

Thank you!
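Added example (not part of the post above and not firehol's own code): the stated goal, "route all outbound traffic from the second eth0 address via tun0 while everyone else keeps the provider gateway", is source-based policy routing. Linux selects a route by destination only, so binding squid or a BitTorrent client to the extra address does not by itself move their traffic onto tun0; a policy rule that sends packets from that source to a dedicated routing table does. The script below generates the `ip rule`/`ip route` commands for such a table and can apply or undo them; the addresses, the table number and the rule priority are placeholder assumptions, to be replaced with the real values from the setup.

```shell
#!/bin/sh
# Added example, not code from the original post or from firehol itself.
# Packets whose SOURCE is the extra eth0 address are steered to a separate
# routing table whose default route points at the VPN gateway over tun0;
# all other traffic keeps using the "main" table (provider default route).
# Every value below is an assumed placeholder.
set -eu

SPECIAL_IP="${SPECIAL_IP:-192.0.2.10}"   # assumed: second address on eth0 (squid/transmission bind here)
VPN_GW="${VPN_GW:-198.51.100.1}"         # assumed: OpenVPN gateway reachable over tun0
VPN_IFACE="${VPN_IFACE:-tun0}"
VPN_TABLE="${VPN_TABLE:-100}"            # assumed: a spare routing table id
RULE_PRIO="${RULE_PRIO:-1000}"           # assumed: evaluated before the "main" table rule (32766)

# Validate an IPv4 dotted quad: check the shape, then that each octet is 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the commands one per line instead of running them, so the plan can be
# reviewed (or tested) without root and without a live tun0.
policy_route_cmds() {
    src=$1; gw=$2; iface=$3; table=$4; prio=$5
    is_ipv4 "$src" || { echo "bad source IP: $src" >&2; return 1; }
    is_ipv4 "$gw"  || { echo "bad gateway IP: $gw" >&2; return 1; }
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    printf 'ip rule add from %s/32 lookup %s priority %s\n' "$src" "$table" "$prio"
    printf 'ip route flush cache\n'
}

# Reverse of the above: drop the rule first so nothing points at an empty table.
policy_route_undo_cmds() {
    src=$1; table=$2; prio=$3
    printf 'ip rule del from %s/32 lookup %s priority %s\n' "$src" "$table" "$prio"
    printf 'ip route flush table %s\n' "$table"
}

case "${1:-plan}" in
    plan)  policy_route_cmds "$SPECIAL_IP" "$VPN_GW" "$VPN_IFACE" "$VPN_TABLE" "$RULE_PRIO" ;;
    apply) [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
           policy_route_cmds "$SPECIAL_IP" "$VPN_GW" "$VPN_IFACE" "$VPN_TABLE" "$RULE_PRIO" | sh -e ;;
    undo)  [ "$(id -u)" -eq 0 ] || { echo "undo needs root" >&2; exit 1; }
           policy_route_undo_cmds "$SPECIAL_IP" "$VPN_TABLE" "$RULE_PRIO" | sh -e ;;
    *)     echo "usage: $0 [plan|apply|undo]" >&2; exit 2 ;;
esac
```

With no argument the script only prints the plan; `apply` runs it as root and `undo` removes it again. The routing decision happens before POSTROUTING, so a firehol `snat to <IP> outface tun0` line like the one in the posted configuration then applies to exactly the packets this rule has steered onto tun0, and the ordinary hosts on the LAN never see the VPN table. Replacing the default route in the main table (the second traceroute scenario in the post) is the other design: it sends everything, not just the special address, through the VPN.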

