View Issue Details

| Field | Value |
|---|---|
| ID | 0003646 |
| Project | Endian Firewall |
| Category | Network related (VPN, uplinks) |
| View Status | public |
| Date Submitted | 2011-04-27 16:41 |
| Last Update | 2011-05-23 14:50 |
| Reporter | baldy |
| Assigned To | baldy |
| Priority | normal |
| Severity | block |
| Reproducibility | always |
| Status | resolved |
| Resolution | fixed |
| Platform | |
| OS | |
| OS Version | |
| Product Version | 2.4.1 |
| Target Version | |
| Fixed in Version | |
| Summary | 0003646: Traffic not routed from RED to OpenVPN connected network |
Description

After replacing an EFW 2.2 machine due to hardware failure, the port forward to servers connected on the remote end of an OpenVPN connection no longer works.

Additional Information

Setup is as follows: ISP(62.x.x.x)-Internal(192.168.0.0/24)-OpenVPN-Other Network(192.168.200.0/24). With 2.2 I could use the firewall to forward ports from RED to the 192.168.200 network. With 2.4 the same config no longer works. Logfiles show that packets are accepted on RED, but no further information is shown.

```
root@zeilcentrum:~ # ip route show
0.0.0.0/24 dev eth1 proto kernel scope link src 62.216.20.110
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
192.168.200.0/24 dev tap1 proto kernel scope link src 192.168.200.241
62.216.20.0/24 dev eth1 proto kernel scope link src 62.216.20.110
default via 62.216.20.1 dev eth1

root@zeilcentrum:~ # ip rule
0: from all lookup local
10: from all to 0.0.0.0/24 lookup main
10: from all to 192.168.0.0/24 lookup main
10: from all to 192.168.200.0/24 lookup main
10: from all to 62.216.20.0/24 lookup main
199: from all fwmark 0x7e0/0x7f8 lookup uplink-main
200: from 62.216.20.110 lookup uplink-main
32766: from all lookup main
32767: from all lookup default

root@zeilcentrum:~ # ip route show table all
0.0.0.0/24 dev eth1 table uplink-main proto kernel scope link
default via 62.216.20.1 dev eth1 table uplink-main proto kernel src 62.216.20.110
0.0.0.0/24 dev eth1 proto kernel scope link src 62.216.20.110
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
192.168.200.0/24 dev tap1 proto kernel scope link src 192.168.200.241
62.216.20.0/24 dev eth1 proto kernel scope link src 62.216.20.110
default via 62.216.20.1 dev eth1
local 192.168.0.254 dev br0 table local proto kernel scope host src 192.168.0.254
broadcast 192.168.0.255 dev br0 table local proto kernel scope link src 192.168.0.254
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.200.255 dev tap1 table local proto kernel scope link src 192.168.200.241
broadcast 62.216.20.0 dev eth1 table local proto kernel scope link src 62.216.20.110
broadcast 192.168.0.0 dev br0 table local proto kernel scope link src 192.168.0.254
broadcast 192.168.200.0 dev tap1 table local proto kernel scope link src 192.168.200.241
local 62.216.20.110 dev eth1 table local proto kernel scope host src 62.216.20.110
local 192.168.200.241 dev tap1 table local proto kernel scope host src 192.168.200.241
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 62.216.20.255 dev eth1 table local proto kernel scope link src 62.216.20.110
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev br0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev tap1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table 0 proto kernel metric -1 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::204:75ff:fefe:6829 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::204:75ff:fefe:6829 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::250:fcff:fe2b:9226 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::146e:4ff:fec2:2aa2 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
ff02::1:2 via ff02::1:2 dev tap1 metric 0 cache mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev br0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth1 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev tap1 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table 0 proto kernel metric -1 error -101 hoplimit 255
```
Tags: No tags attached.
(0006295) baldy (reporter) 2011-05-10 17:14

Issue can be closed. Adding a source NAT rule for ANY to the OpenVPN connection with the specified ports in combination with the original port forwards resolves the issue.

Regards, Baldy

(0006435) baldy (reporter) 2011-05-23 14:50

No fix needed, behaviour changed between 2.2 and 2.4.
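A small model of why the reporter's source NAT rule makes the port forward work again, added here as an illustration and not part of the issue or of Endian Firewall. It uses the main routing table the reporter posted, a constructed host 192.168.200.10 behind the OpenVPN tunnel, and the assumption (consistent with the fix) that the remote site's default route does not point back into the tunnel, so a reply addressed to the Internet client leaves via the remote site's own gateway and the firewall's connection tracking never sees it.

```python
import ipaddress

# Kernel main table as the reporter posted it ("ip route show"): prefix, device, preferred source.
# The default route (via 62.216.20.1 dev eth1) is modelled as 0.0.0.0/0.
FIREWALL_ROUTES = [
    ("192.168.0.0/24", "br0", "192.168.0.254"),
    ("192.168.200.0/24", "tap1", "192.168.200.241"),
    ("62.216.20.0/24", "eth1", "62.216.20.110"),
    ("0.0.0.0/0", "eth1", "62.216.20.110"),
]
VPN_SERVER = "192.168.200.10"      # constructed: a host behind the OpenVPN tunnel (not from the issue)
VPN_NET = ipaddress.ip_network("192.168.200.0/24")


def route_lookup(dst, routes=FIREWALL_ROUTES):
    """Longest-prefix match; returns (outgoing device, preferred source address)."""
    best = None
    for prefix, dev, src in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, src)
    return best[1], best[2]


def port_forward_round_trip(client_ip, snat_to_tunnel):
    """Model one forwarded connection; True if the server's reply comes back through the tunnel.

    Steps: DNAT on RED rewrites dst to VPN_SERVER; the firewall routes the packet;
    optionally the source is rewritten to the tunnel address (the reporter's SNAT rule);
    the remote host then chooses its return path. Assumption: the remote site's default
    gateway is not the tunnel, so only replies to 192.168.200.0/24 come back via tap1.
    """
    pkt = {"src": client_ip, "dst": VPN_SERVER}     # state after DNAT of RED_IP:port
    out_dev, tunnel_src = route_lookup(pkt["dst"])
    if out_dev != "tap1":
        return False                                # would never enter the tunnel at all
    if snat_to_tunnel:
        pkt["src"] = tunnel_src                     # SNAT to 192.168.200.241
    reply_dst = pkt["src"]
    # conntrack can only undo the DNAT if the reply traverses the firewall again
    return ipaddress.ip_address(reply_dst) in VPN_NET


if __name__ == "__main__":
    print("without SNAT:", port_forward_round_trip("198.51.100.7", False))   # False
    print("with SNAT:   ", port_forward_round_trip("198.51.100.7", True))    # True
```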
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2011-04-27 16:41 | baldy | New Issue | |
| 2011-05-10 17:14 | baldy | Note Added: 0006295 | |
| 2011-05-10 17:14 | baldy | Note Added: 0006296 | |
| 2011-05-10 17:15 | baldy | Note Deleted: 0006296 | |
| 2011-05-23 14:50 | baldy | Note Added: 0006435 | |
| 2011-05-23 14:50 | baldy | Status | new => resolved |
| 2011-05-23 14:50 | baldy | Resolution | open => fixed |
| 2011-05-23 14:50 | baldy | Assigned To | => baldy |