0003646: Traffic not routed from RED to OpenVPN connected network

Please see now our new Bugtracker system: JIRA

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0003646

Endian Firewall

Network related (VPN, uplinks)

public

2011-04-27 16:41

2011-05-23 14:50

Reporter

baldy

Assigned To

baldy

Priority

normal

Severity

block

Reproducibility

always

Status

resolved

Resolution

fixed

Platform

OS Version

Product Version

2.4.1

Target Version

Fixed in Version

Summary

0003646: Traffic not routed from RED to OpenVPN connected network

Description

After replacing an EFW 2.2 machine due to hardware failure the portforward to servers connected on the remote end of an OpenVPN connection no longer works.

Additional Information

Setup is as follows.

ISP(62.x.x.x)-Internal(192.168.0.0/24)-OpenVPN-Other Network(192.168.200.0/24).

With 2.2 I could use the firewall to forward ports from RED to the 192.168.200 network.
With 2.4 the same config no longer works.

Logfiles show that packets are accepted on RED, but no further information is shown.

root@zeilcentrum:~ # ip route show
0.0.0.0/24 dev eth1 proto kernel scope link src 62.216.20.110
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
192.168.200.0/24 dev tap1 proto kernel scope link src 192.168.200.241
62.216.20.0/24 dev eth1 proto kernel scope link src 62.216.20.110
default via 62.216.20.1 dev eth1
root@zeilcentrum:~ # ip rule
0: from all lookup local
10: from all to 0.0.0.0/24 lookup main
10: from all to 192.168.0.0/24 lookup main
10: from all to 192.168.200.0/24 lookup main
10: from all to 62.216.20.0/24 lookup main
199: from all fwmark 0x7e0/0x7f8 lookup uplink-main
200: from 62.216.20.110 lookup uplink-main
32766: from all lookup main
32767: from all lookup default
root@zeilcentrum:~ # ip route show table all
0.0.0.0/24 dev eth1 table uplink-main proto kernel scope link
default via 62.216.20.1 dev eth1 table uplink-main proto kernel src 62.216.20
.110
0.0.0.0/24 dev eth1 proto kernel scope link src 62.216.20.110
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
192.168.200.0/24 dev tap1 proto kernel scope link src 192.168.200.241
62.216.20.0/24 dev eth1 proto kernel scope link src 62.216.20.110
default via 62.216.20.1 dev eth1
local 192.168.0.254 dev br0 table local proto kernel scope host src 192.168.
0.254
broadcast 192.168.0.255 dev br0 table local proto kernel scope link src 192.
168.0.254
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127
.0.0.1
broadcast 192.168.200.255 dev tap1 table local proto kernel scope link src 1
92.168.200.241
broadcast 62.216.20.0 dev eth1 table local proto kernel scope link src 62.21
6.20.110
broadcast 192.168.0.0 dev br0 table local proto kernel scope link src 192.16
8.0.254
broadcast 192.168.200.0 dev tap1 table local proto kernel scope link src 192
.168.200.241
local 62.216.20.110 dev eth1 table local proto kernel scope host src 62.216.
20.110
local 192.168.200.241 dev tap1 table local proto kernel scope host src 192.1
68.200.241
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1

broadcast 62.216.20.255 dev eth1 table local proto kernel scope link src 62.
216.20.110
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294
967295
fe80::/64 dev br0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 42949
67295
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294
967295
fe80::/64 dev tap1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294
967295
unreachable default dev lo table 0 proto kernel metric -1 error -101 hoplimi
t 255
local ::1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 163
76 hoplimit 4294967295
local fe80::204:75ff:fefe:6829 via :: dev lo table local proto none metric 0
mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::204:75ff:fefe:6829 via :: dev lo table local proto none metric 0
mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::250:fcff:fe2b:9226 via :: dev lo table local proto none metric 0
mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::146e:4ff:fec2:2aa2 via :: dev lo table local proto none metric 0
mtu 16436 advmss 16376 hoplimit 4294967295
ff02::1:2 via ff02::1:2 dev tap1 metric 0
cache mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth0 table local metric 256 mtu 1500 advmss 1440 hoplimit 429496
7295
ff00::/8 dev br0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967
295
ff00::/8 dev eth1 table local metric 256 mtu 1500 advmss 1440 hoplimit 429496
7295
ff00::/8 dev tap1 table local metric 256 mtu 1500 advmss 1440 hoplimit 429496
7295
unreachable default dev lo table 0 proto kernel metric -1 error -101 hoplimi
t 255
.

Notes
(0006295) baldy (reporter) 2011-05-10 17:14	Issue can be closed. Adding a source NAT rule for ANY to the OpenVPN connection with the specified ports in combination with the original port forwards resolves the issue. Regards, Baldy

(0006435) baldy (reporter) 2011-05-23 14:50	No fix needed, behaviour changed between 2.2 and 2.4

Issue History
Date Modified	Username	Field	Change
2011-04-27 16:41	baldy	New Issue
2011-05-10 17:14	baldy	Note Added: 0006295
2011-05-10 17:14	baldy	Note Added: 0006296
2011-05-10 17:15	baldy	Note Deleted: 0006296
2011-05-23 14:50	baldy	Note Added: 0006435
2011-05-23 14:50	baldy	Status	new => resolved
2011-05-23 14:50	baldy	Resolution	open => fixed
2011-05-23 14:50	baldy	Assigned To	=> baldy

Relationships