On Thu, 27 Apr 2006, Ludwig Nussel wrote:
Jonathan Baxter wrote:
On Thursday 27 April 2006 16:42, Ludwig Nussel wrote:
Jonathan Baxter wrote:
[...] But nothing works from left-to-right; neither the SuSE router box itself, nor
The router itself cannot reach the subnet on the other side if you use its external IP as source. You'd need a second tunnel for that.
I think I understand what you're getting at. If the external IP address is the source address the packets won't get redirected down the tunnel, because the tunnel's source is the internal network.
Exactly.
[...]
I have explicitly disabled NAT of packets between the two subnets by adding the following line to the fw_custom_before_port_handling() section of /etc/sysconfig/scripts/SuSEfirewall2-custom:
iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d \! 192.168.200.0/24 -j MASQUERADE
But if I do as Ludwig suggests and set FW_MASQ_NETS="0/0,!192.168.200.0/24" in /etc/sysconfig/SuSEfirewall2 then the firewall drops the packets from 192.168.1.2 altogether - they never make it to the external interface on the SuSE router at all. I get the following in /var/log/firewall:
SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth2 SRC=192.168.1.2 DST=192.168.200.2
So I guess the left->right packets are not making it down the tunnel, but I am still confused as to why not.....
Me too. I wouldn't be surprised if it is a bug in SuSEfirewall2. You are probably the first person that actually uses those features in a real world setup :-)
We have firewalls with a slack-based bootcd and use SFW2 and IPsec VPN, running for more than a year now:
FW_MASQ_DEV="eth1"
FW_MASQ_NETS="192.168.1.0/24 192.168.2.0/24"
No FW_FORWARD_ thing, but simple route entries.
cheers
--
Engelbert Gruber -------+ SSG Fintl,Gruber,Lassnig / A6170 Zirl Innweg 5b / Tel. ++43-5238-93535 ---+
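The dropped-packet log line quoted earlier in the thread is the one piece of hard evidence here, so an added check (not from any poster, and not part of SuSEfirewall2) that scans such log lines and counts forward-chain drops aimed at the tunnel subnet is a quick way to confirm whether a rule change actually fixed things. The log lines below are constructed to match the quoted format; the prefix-match on 192.168.200. assumes the /24 from the thread.

```bash
#!/bin/sh
# Added example: report SuSEfirewall2 FORWARD drops whose destination lies in
# the IPsec-protected subnet (192.168.200.0/24 in the thread). Hypothetical
# helper, not part of SuSEfirewall2.

VPN_NET_PREFIX="192.168.200."   # assumption: a /24, so a string prefix suffices

# Constructed sample log lines, modelled on the SFW2-FWDint-DROP-DEFLT line
# quoted in the thread (syslog prefix and PROTO field added for realism).
SAMPLE_LOG='Apr 27 17:01:02 router kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth2 SRC=192.168.1.2 DST=192.168.200.2 PROTO=ICMP
Apr 27 17:01:05 router kernel: SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth2 SRC=192.168.1.2 DST=10.0.0.5 PROTO=TCP
Apr 27 17:01:09 router kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth2 SRC=192.168.1.7 DST=192.168.200.10 PROTO=TCP'

# Print "SRC DST" for every forward-chain DROP whose DST is in the VPN subnet.
vpn_drops() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v pfx="$VPN_NET_PREFIX" '
        /SFW2-FWD[A-Za-z]*-DROP/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (index(dst, pfx) == 1) print src, dst
        }'
}

# Number of such drops; anything above zero means tunnel-bound traffic is
# still being refused before it reaches the external interface.
vpn_drop_count() {
    vpn_drops | wc -l | tr -d ' '
}
```

Replace the SAMPLE_LOG variable with `cat /var/log/firewall` to run it against the real log on the router.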