0003646: Traffic not routed from RED to OpenVPN connected network - MantisBT Endian Bugtracker
Endian Issue Tracker
View Issue Details

ID: 0003646
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2011-04-27 16:41
Last Update: 2011-05-23 14:50
Reporter: baldy
Assigned To: baldy
Priority: normal
Severity: block
Reproducibility: always
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.4.1
Target Version:
Fixed in Version:
Summary: 0003646: Traffic not routed from RED to OpenVPN connected network

Description: After replacing an EFW 2.2 machine due to hardware failure, the port forward to servers connected on the remote end of an OpenVPN connection no longer works.

Additional Information: Setup is as follows.

ISP(62.x.x.x)-Internal(192.168.0.0/24)-OpenVPN-Other Network(192.168.200.0/24).

With 2.2 I could use the firewall to forward ports from RED to the 192.168.200 network.
With 2.4 the same config no longer works.

Logfiles show that packets are accepted on RED, but no further information is shown.

root@zeilcentrum:~ # ip route show
0.0.0.0/24 dev eth1 proto kernel scope link src 62.216.20.110
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
192.168.200.0/24 dev tap1 proto kernel scope link src 192.168.200.241
62.216.20.0/24 dev eth1 proto kernel scope link src 62.216.20.110
default via 62.216.20.1 dev eth1
root@zeilcentrum:~ # ip rule
0: from all lookup local
10: from all to 0.0.0.0/24 lookup main
10: from all to 192.168.0.0/24 lookup main
10: from all to 192.168.200.0/24 lookup main
10: from all to 62.216.20.0/24 lookup main
199: from all fwmark 0x7e0/0x7f8 lookup uplink-main
200: from 62.216.20.110 lookup uplink-main
32766: from all lookup main
32767: from all lookup default
root@zeilcentrum:~ # ip route show table all
0.0.0.0/24 dev eth1 table uplink-main proto kernel scope link
default via 62.216.20.1 dev eth1 table uplink-main proto kernel src 62.216.20.110
0.0.0.0/24 dev eth1 proto kernel scope link src 62.216.20.110
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
192.168.200.0/24 dev tap1 proto kernel scope link src 192.168.200.241
62.216.20.0/24 dev eth1 proto kernel scope link src 62.216.20.110
default via 62.216.20.1 dev eth1
local 192.168.0.254 dev br0 table local proto kernel scope host src 192.168.0.254
broadcast 192.168.0.255 dev br0 table local proto kernel scope link src 192.168.0.254
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.200.255 dev tap1 table local proto kernel scope link src 192.168.200.241
broadcast 62.216.20.0 dev eth1 table local proto kernel scope link src 62.216.20.110
broadcast 192.168.0.0 dev br0 table local proto kernel scope link src 192.168.0.254
broadcast 192.168.200.0 dev tap1 table local proto kernel scope link src 192.168.200.241
local 62.216.20.110 dev eth1 table local proto kernel scope host src 62.216.20.110
local 192.168.200.241 dev tap1 table local proto kernel scope host src 192.168.200.241
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 62.216.20.255 dev eth1 table local proto kernel scope link src 62.216.20.110
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev br0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev tap1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table 0 proto kernel metric -1 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::204:75ff:fefe:6829 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::204:75ff:fefe:6829 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::250:fcff:fe2b:9226 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::146e:4ff:fec2:2aa2 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
ff02::1:2 via ff02::1:2 dev tap1 metric 0
    cache mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev br0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth1 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev tap1 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table 0 proto kernel metric -1 error -101 hoplimit 255
Tags: No tags attached.
Attached Files:
Relationships:

Notes
(0006295)
baldy (reporter)
2011-05-10 17:14

Issue can be closed.

Adding a source NAT rule for ANY to the OpenVPN connection with the specified ports in combination with the original port forwards resolves the issue.

Regards,

Baldy
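The workaround the reporter describes, written out as plain iptables rules together with a check for the rule that was missing. This is an added example, not Endian's own configuration (EFW generates its netfilter rules from the web UI settings, not from a script like this). It takes the interface names and addresses from the route dump above (RED is eth1 at 62.216.20.110, the OpenVPN interface is tap1 at 192.168.200.241); the target host 192.168.200.10, port 443, the 192.168.200. prefix, the two iptables-save excerpts and the helper names forward_rules and check_snat_coverage are assumptions made for illustration.

```shell
#!/bin/sh
# Added example for this report, not Endian's own rule set. Interface names and
# addresses come from the route dump in the report; the target host
# 192.168.200.10, port 443 and the VPN_NET prefix are assumed for illustration.
RED_IF=eth1
RED_IP=62.216.20.110
VPN_IF=tap1
VPN_IP=192.168.200.241
VPN_NET=192.168.200.   # prefix of the network behind the tunnel (assumption)

# The three rules a forward from RED to a host behind the tunnel needs. The
# last one is the source NAT the reporter added: without it the target host
# sees the Internet client's address as the source and answers via its own
# default gateway instead of back through the tunnel, so the handshake never
# completes even though the SYN was accepted on RED.
forward_rules() { # proto red_port target_ip target_port
    cat <<EOF
iptables -t nat -A PREROUTING -i $RED_IF -d $RED_IP -p $1 --dport $2 -j DNAT --to-destination $3:$4
iptables -A FORWARD -i $RED_IF -o $VPN_IF -d $3 -p $1 --dport $4 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $VPN_IF -d $3 -p $1 --dport $4 -j SNAT --to-source $VPN_IP
EOF
}

# Audit an iptables-save dump on stdin: every DNAT whose target lies in VPN_NET
# must be covered by a SNAT or MASQUERADE leaving on VPN_IF, either for that
# host or for all traffic. Uncovered targets are printed; exit status 1 if any.
check_snat_coverage() {
    awk -v vpn="$VPN_IF" -v net="$VPN_NET" '
    /-j DNAT/ {
        for (i = 1; i <= NF; i++)
            if ($i == "--to-destination") { split($(i + 1), a, ":"); if (index(a[1], net) == 1) dnat[a[1]] = 1 }
    }
    /-j SNAT/ || /-j MASQUERADE/ {
        ifc = ""; dst = ""
        for (i = 1; i <= NF; i++) { if ($i == "-o") ifc = $(i + 1); if ($i == "-d") dst = $(i + 1) }
        sub("/32$", "", dst)
        if (ifc == vpn) { if (dst == "") all = 1; else snat[dst] = 1 }
    }
    END {
        rc = 0
        for (h in dnat) if (!(all || (h in snat))) { print "no SNAT on " vpn " for DNAT target " h; rc = 1 }
        exit rc
    }'
}

# Constructed iptables-save excerpts: the failing state (DNAT only, masquerade
# on RED as usual) and the state after the source NAT rule was added.
DUMP_BROKEN='*nat
-A PREROUTING -i eth1 -d 62.216.20.110/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.200.10:443
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'
DUMP_FIXED='*nat
-A PREROUTING -i eth1 -d 62.216.20.110/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.200.10:443
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o tap1 -d 192.168.200.10/32 -p tcp -m tcp --dport 443 -j SNAT --to-source 192.168.200.241
COMMIT'

# Demonstration on the constructed dumps; on a live box run
# `iptables-save | check_snat_coverage` instead.
printf '%s\n' "$DUMP_BROKEN" | check_snat_coverage || echo "broken ruleset flagged as expected"
printf '%s\n' "$DUMP_FIXED" | check_snat_coverage && echo "fixed ruleset passes"
forward_rules tcp 443 192.168.200.10 443
```

The price of the SNAT is that the server behind the tunnel logs the firewall's tap1 address rather than the real client; that is the trade-off being accepted when the forward is made to work this way rather than by giving the remote site a return route through the tunnel.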
(0006435)
baldy (reporter)
2011-05-23 14:50

No fix needed, behaviour changed between 2.2 and 2.4

Issue History
Date Modified      Username  Field        Change
2011-04-27 16:41   baldy     New Issue
2011-05-10 17:14   baldy     Note Added   0006295
2011-05-10 17:14   baldy     Note Added   0006296
2011-05-10 17:15   baldy     Note Deleted 0006296
2011-05-23 14:50   baldy     Note Added   0006435
2011-05-23 14:50   baldy     Status       new => resolved
2011-05-23 14:50   baldy     Resolution   open => fixed
2011-05-23 14:50   baldy     Assigned To  => baldy

Copyright © 2005-2008 Endian, SRL. All rights reserved.


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker