Kenneth Burgener kenneth at
Fri Aug 10 10:56:29 MDT 2007

Hello, and thanks in advance for any suggestions.  I switched from a
dumb DSL modem doing my firewall and routing to a powerful Linux server
with shorewall (iptables frontend), but I have a small issue with static
routing for my openvpn.  I was hoping someone might be able to shed some
light on this issue that kept me up all last night.  I have everything
working and more than I did with the dumb DSL modem, with the exception
of the static routing.

Summary question:
How do you get shorewall to do a static route?

Long description:
I had my network setup with Qwest DSL with a single IP address, which
was assigned to the DSL modem, and then the network behind was NATed.  I
also had a machine behind the network with OpenVPN installed
( which had a VPN network setup as 10.10.20.x.  I had UDP
port 1194 forward through the NAT to  The default gateway on
all of the machines was, which was the DSL modem.  Because
when a machine connects to the VPN network, and then connects to another
machine on the local network, it appears that it is coming from
10.10.20.x, but none of the machines had this route in their routing
tables, it would route out to the default gateway of, but I
had entered in a static route so that anything arriving to the modem
heading to 10.10.20.x/ would be redirected to 
And everything worked as expected.

Then I decided to get greedy and wanted a Linux firewall, with shorewall
as my gateway, and I wanted to increase my IP block to 5 so I could have
various IP addresses route to different boxes.  Well, I upgraded my Qwest
account, got the 5 addresses, installed shorewall, masqueraded my
internal network and forwarded on the new IP addresses to various
servers using shorewall's DNAT, and everything was happy.  Or so I
thought.  The DNATed traffic works wonderfully, and the masquerading
works great, but the VPN traffic to anything but the VPN server is now
broken.  If I go to any particular machine and add in a static route on
that machine then I can get traffic to that machine fine.  How do I get
my default gateway to do the static routing that my DSL modem was doing?

eth0 is the Internet interface
eth1 is the LAN interface

10.10.10.x is the LAN network
10.10.20.x is the VPN virtual network
 is the gateway (shorewall Linux server) address
 is the VPN server LAN address

I have in my rules:
  DNAT            net             lan:  udp     1194 -  65.X.X.X

Here is how I am adding a static route:
  route add -net netmask gw dev eth1

My policy has:
  $FW             net             ACCEPT
  $FW             lan             ACCEPT
  lan             $FW             ACCEPT
  lan             net             ACCEPT

I watch the message log, and it does not appear that shorewall is
dropping any connections, so it appears that I am just doing the routing

Any suggestions?  This all worked with a simple DSL modem, so this
should work with a powerful Linux router, right?
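To show why a LAN host's reply to a VPN client depends on a route on the gateway, here is an added Python example (not from the post and not shorewall code) that simulates the kernel's longest-prefix-match lookup on a LAN host and on the shorewall box, before and after the static route. The LAN and VPN prefixes and the eth0/eth1 roles are from the post; the gateway, VPN server and ISP next-hop addresses are assumed placeholders, since the post elides them.

```python
import ipaddress

# Constructed routing tables for the two hops in the post: a LAN host and the
# shorewall gateway. The post elides the real gateway and VPN-server
# addresses, so the three below are assumed placeholders; 10.10.10.0/24 (LAN),
# 10.10.20.0/24 (VPN), eth0 (Internet) and eth1 (LAN) come from the post.
GATEWAY_LAN_IP = "10.10.10.1"      # assumed: shorewall box, eth1 side
VPN_SERVER_LAN_IP = "10.10.10.2"   # assumed: OpenVPN server on the LAN
ISP_GATEWAY_IP = "203.0.113.1"     # assumed: upstream next hop on eth0

# Route entries: (destination prefix, next hop or None if on-link, interface)
LAN_HOST_ROUTES = [
    ("10.10.10.0/24", None, "eth0"),
    ("0.0.0.0/0", GATEWAY_LAN_IP, "eth0"),
]
GATEWAY_ROUTES_BEFORE = [           # what the post describes: no VPN route
    ("10.10.10.0/24", None, "eth1"),
    ("0.0.0.0/0", ISP_GATEWAY_IP, "eth0"),
]
GATEWAY_ROUTES_AFTER = GATEWAY_ROUTES_BEFORE + [
    ("10.10.20.0/24", VPN_SERVER_LAN_IP, "eth1"),   # the static route
]

def lookup(routes, dst):
    """Longest-prefix match, as the kernel FIB does: of all entries whose
    prefix contains dst, the most specific wins. Returns (next_hop, iface);
    for an on-link route the next hop is dst itself."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return (best[1] or dst, best[2])

def forward_path(gateway_routes, dst):
    """Hops a LAN host's reply takes toward dst: its own table first, then
    the gateway's if the host handed the packet to the gateway."""
    hop1 = lookup(LAN_HOST_ROUTES, dst)
    path = [("lan-host",) + hop1]
    if hop1[0] == GATEWAY_LAN_IP:
        path.append(("gateway",) + lookup(gateway_routes, dst))
    return path

if __name__ == "__main__":
    for name, table in (("before", GATEWAY_ROUTES_BEFORE), ("after", GATEWAY_ROUTES_AFTER)):
        print(name, forward_path(table, "10.10.20.5"))
```

In the "before" table the gateway's only match for 10.10.20.5 is the default route, so the reply is sent out eth0 toward the upstream instead of back to the VPN server; the static route adds a more specific prefix that wins the lookup and turns the packet back out eth1.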

