Shorewall and static routing?

Gabriel Gunderson gabe at
Fri Aug 10 22:05:26 MDT 2007

On Fri, 2007-08-10 at 10:56 -0600, Kenneth Burgener wrote:
> I have in my rules:
>   DNAT            net             lan:  udp     1194 -
> 65.X.X.X

This looks like a shorewallism.  What does the 65.X.X.X stand for?  Is
that your public IP obfuscated?  If so, I assume the whole thing is
spelled out in your config?

> Here is how I am adding a static route:
>   route add -net netmask gw dev
> eth1

This shouldn't need the "dev eth1".  What do you get without it?  Still, I
doubt it makes any difference.

> My policy has:
>   $FW             net             ACCEPT
>   $FW             lan             ACCEPT
>   lan             $FW             ACCEPT
>   lan             net             ACCEPT

> I watch the message log, and it does not appear that shorewall is
> dropping any connections

Are you dropping packets anywhere?  If so, are they *ALL* being
logged?  When I say *ALL* I mean *ALL*.  Otherwise, it's like a
blackhole and troubleshooting is a nightmare.

> so it appears that I am just doing the routing wrong.

Keep it simple.  Try pinging the VPN gw ( from the 10.10.10.X
subnet without using any OpenVPN stuff.  First establish the route and
then try for a VPN connection.  Run tcpdump with the right filters on
both the router and the VPN gw (don't tell me OpenVPN is running on
Windows and doesn't have tcpdump!).

Let us know what you find out.
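The "first establish the route" advice above comes down to one question: which routing-table entry does the kernel pick for a packet to the remote VPN subnet? The following is an added example (not from this thread) that performs the same longest-prefix match over a constructed table in `ip route show` format; the gateway, interface names and the 65.0.0.x addresses standing in for the obfuscated 65.X.X.X are assumptions.

```python
"""Longest-prefix-match lookup over a routing table in `ip route` format.

Added example, not code from the mailing-list thread. The table is
constructed: a default route out the public interface, the local LAN on
eth1, and (optionally) the static route for the remote 10.10.10.0/24
subnet via a LAN-side gateway. It shows that without the static route the
VPN subnet falls through to the default route, which is the first thing to
verify before blaming OpenVPN or Shorewall.
"""
import ipaddress

# Constructed sample; 65.0.0.x stands in for the obfuscated 65.X.X.X.
ROUTES_WITHOUT_STATIC = [
    "default via 65.0.0.1 dev eth0",
    "65.0.0.0/24 dev eth0 scope link",
    "192.168.1.0/24 dev eth1 scope link",
]
# Assumed LAN-side VPN gateway; "dev eth1" is implied by the gateway address.
STATIC_ROUTE = "10.10.10.0/24 via 192.168.1.254 dev eth1"


def parse_route(line):
    """Turn one `ip route` line into (network, gateway_or_None, dev_or_None)."""
    fields = line.split()
    dest = fields[0]
    net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
    gw = fields[fields.index("via") + 1] if "via" in fields else None
    dev = fields[fields.index("dev") + 1] if "dev" in fields else None
    return net, gw, dev


def lookup(table, dst):
    """Longest-prefix match: the most specific network containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for line in table:
        net, gw, dev = parse_route(line)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return None  # no route at all, not even a default
    net, gw, dev = best
    return {"prefix": str(net), "gateway": gw, "dev": dev}


if __name__ == "__main__":
    # Without the static route, the VPN subnet leaves via the default route.
    print(lookup(ROUTES_WITHOUT_STATIC, "10.10.10.5"))
    # With it, traffic is handed to the LAN-side gateway on eth1.
    print(lookup(ROUTES_WITHOUT_STATIC + [STATIC_ROUTE], "10.10.10.5"))
```

On a live box the same answer comes from `ip route get 10.10.10.5`, which is the quickest check that the route actually took.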


