
IPsec and NAT config

frank
2008-01-24
2012-12-07
  • frank

    frank - 2008-01-24

    I am using vuurmuur 0.5.74a2.  Great tool so far.

    I have two vuurmuur Firewalls.  On the firewall I also have ipsec running that builds a tunnel between them so that the protected side of each firewall can see the other.

    ipsec tunnel builds fine.  however, the traffic between them is not routing.

    I have the vpn zones defined.   And I have each network in the vpn zone and an interface defined for the vpn network (the public ip of the local gateway).

    I have looked everywhere on the wiki and forums but cannot seem to find where I can config vuurmuur to exclude traffic to certain ip ranges/network from being NATed.  I think this is my problem.

    I think I need to get something similar to this into vuurmuur:
    iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d ! 192.168.0.0/24 -j MASQUERADE

    can you point me in the right direction?

    • Victor Julien

      Victor Julien - 2008-01-24

      Vuurmuur is not affecting routing. So it could be that you need to adapt your routing settings for your setup. Additionally, it's better to use SNAT instead of MASQUERADE.

      Please give some more detailed information about your setup, so it's more clear what your setup is and what rules you need. Also, if you get them, please share some logs of traffic that is not behaving as you expected...

      • frank

        frank - 2008-01-24

        I have the following

        private LAN 1 --- FW1 --- (VPN) --- FW2 ----private Lan 2

        The VPN is built by ipsec (openswan) on the two Linux Firewalls over the public network.
        Vuurmuur is running on the FW boxes as well.
        The IPsec tunnel is building just successfully.
        Each Firewall is doing SNAT for its private LAN to the Internet and this is working.

        When the IPsec tunnel is built, IPsec is automatically putting in a route on each FW.  For example the route on FW1 that gets built for the Private Lan 2 is pointed at the public IP of FW1.  Similarly for FW2.

        My problem is (I think) that traffic from the private LAN 1 destined for the private Lan 2 is being NAT'd at FW1 still.  I think I need to exclude from the SNAT any traffic that is destined for the remote private Lan.  How can I do this exclusion in Vuurmuur?

        • Victor Julien

          Victor Julien - 2008-01-24

          Let's try to make sure that your assumption is right first. Could you determine how the traffic is snatted by using tcpdump on the outgoing interface? Please show the output here.

          Still your theory does make sense to me. So it's probably right. Doing an exclusion is not something that Vuurmuur supports right now. I'm thinking how it could be done anyway...

    • frank

      frank - 2008-01-24

      here is an example of a packet coming from the private lan 1 (10.76.1.5) going to private lan 2 (10.1.1.253).  this is a log entry on FW1 in /var/log/messages

      Jan 24 10:09:39 FW1 kernel: vrmr: SNAT  IN= OUT=eth1 SRC=10.76.1.5 DST=10.1.1.253 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=54281 SEQ=1

      the FW1 is at 10.76.1.252.  FW2 is at 10.1.1.253

      this ping does not make it.  I think because it is getting SNAT treatment.  and I cannot figure out how to exclude the 10.1.1.0 network from SNAT.

      • Victor Julien

        Victor Julien - 2008-01-24

        To be sure you could manually add the iptables rule you think is needed and see if it works then... Be sure to insert the rule at position 1, not append it, because if it's on the end of the ruleset it's probably not going to be reached...

        • frank

          frank - 2008-01-24

          to manually insert an iptables rule, can I do this within the construct of vuurmuur?  I did not see any way in the ncurses interface to 'hand write' an iptables rule.

          am I missing that?  or is there some other way to include a custom rule within vuurmuur?

          • Victor Julien

            Victor Julien - 2008-01-24

            No you have to do it outside of Vuurmuur. Beware that Vuurmuur will overwrite it on a reload. To prevent that put the custom rule in the PRE-VRMR-POSTROUTING chain. That makes sure that Vuurmuur won't remove the rule on a reload. You still need to make sure the rule is loaded though, for example at boot.

    • frank

      frank - 2008-01-24

      our private ip networks are all 10.x.x.x.  all these are behind the Firewalls.  They are all connected to each other by ipsec tunnels from firewall to firewall.

      to support this, the following rules generated by vuurmuur -

      /sbin/iptables -t nat -A POSTROUTING -o eth1  -s 10.1.1.0/255.255.255.0  -d 0.0.0.0/0.0.0.0  -m limit --limit 30/sec --limit-burst 60 -j LOG --log-prefix "vrmr: SNAT  " --log-level info
      /sbin/iptables -t nat -A POSTROUTING -o eth1  -s 10.1.1.0/255.255.255.0  -d 0.0.0.0/0.0.0.0   -j SNAT --to-source 172.102.111.124

      needed to really be this...

      /sbin/iptables -t nat -A POSTROUTING -o eth1  -s 10.1.1.0/255.255.255.0  ! -d 10.0.0.0/255.0.0.0  -m limit --limit 30/sec --limit-burst 60 -j LOG --log-prefix "vrmr: SNAT  " --log-level info
      /sbin/iptables -t nat -A POSTROUTING -o eth1  -s 10.1.1.0/255.255.255.0  ! -d 10.0.0.0/255.0.0.0   -j SNAT --to-source 172.102.111.124

      without this change, all the traffic to the remote private networks was getting SNAT.  once I excluded these private networks from SNAT, the traffic started to flow through the ipsec tunnels just fine.

      to test this, I just ran vuurmuur -b, modified the output as noted above and then processed the modified output through bash.

      is there any way we can try to manage this in vuurmuur, which is otherwise a very nice tool?

      I will also be testing the priority features of vuurmuur as well here (trying to give QOS to voip traffic) if we can get vuurmuur to manage it all.

      thanks again

      • Victor Julien

        Victor Julien - 2008-01-29

        Vuurmuur is not able to create the rules as you displayed them. The problem is that your ipsec connections use the same interface eth1 as the ethernet connections. I've heard that there is a way to make sure you get unique interfaces for ipsec (ipsec0, ipsec1, etc) using something called 'klips'. I've never used it though, so I don't know how well it works.

        I can think of a number of other solutions that would require changes to the Vuurmuur source:

        1. create a rule type that can make sure that certain rules in the nat table are not reached. Probably using an accept rule in the nat table.
        2. add an option for rules to match on a mark. That way you could set a mark for certain traffic and snat only on marked traffic.
        3. there seems to be a policy match, that can do advanced matching on some types of ipsec traffic.

        The solution to allow negation of source and/or destination is not something I think fits in the Vuurmuur model of zones, networks, etc. So I'm not considering adding that.
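The following is an added illustration, not code from Vuurmuur or from anyone in this thread. It is a toy model of how the kernel walks the nat POSTROUTING chain (first matching terminating target wins, LOG does not terminate) and replays the three rule sets discussed above: the rules Vuurmuur generated, frank's hand-edited `! -d 10.0.0.0/255.0.0.0` version, and Victor's option 1 (an ACCEPT in the nat table) placed in the PRE-VRMR-POSTROUTING chain. It assumes that Vuurmuur jumps to PRE-VRMR-POSTROUTING before its own SNAT rules (the thread only says rules in that chain survive a reload), ignores the `-m limit` rate limiting on the LOG rules, and uses constructed packet addresses (10.1.1.20 on private LAN 2, 198.51.100.7 as an Internet host).

```python
"""Toy model of iptables nat/POSTROUTING traversal (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    out_iface: str


@dataclass
class Rule:
    target: str                       # LOG, ACCEPT, RETURN, SNAT or a user chain
    out_iface: Optional[str] = None   # -o
    src: Optional[str] = None         # -s
    dst: Optional[str] = None         # -d, or '! -d' when dst_negated is set
    dst_negated: bool = False
    to_source: Optional[str] = None   # --to-source for SNAT

    def matches(self, pkt: Packet) -> bool:
        if self.out_iface and pkt.out_iface != self.out_iface:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst:
            in_net = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            if in_net == self.dst_negated:  # '! -d' flips the sense of the match
                return False
        return True


Chains = Dict[str, List[Rule]]
Verdict = Tuple[str, str]  # (target reached, source address after the chain)


def walk(chains: Chains, name: str, pkt: Packet, log: List[str]) -> Optional[Verdict]:
    """Walk one chain top to bottom; None means the packet fell off the end."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":  # non-terminating: record and keep going
            log.append(f"vrmr: SNAT  OUT={pkt.out_iface} SRC={pkt.src} DST={pkt.dst}")
            continue
        if rule.target == "RETURN":
            return None
        if rule.target == "ACCEPT":  # terminating, even from inside a user chain
            return ("ACCEPT", pkt.src)
        if rule.target == "SNAT":
            return ("SNAT", rule.to_source)
        verdict = walk(chains, rule.target, pkt, log)  # jump into a user chain
        if verdict is not None:
            return verdict
    return None


def postrouting(chains: Chains, pkt: Packet) -> Tuple[Verdict, List[str]]:
    log: List[str] = []
    verdict = walk(chains, "POSTROUTING", pkt, log)
    if verdict is None:
        verdict = ("ACCEPT", pkt.src)  # built-in chain policy
    return verdict, log


FW2_LAN = "10.1.1.0/255.255.255.0"
PUBLIC = "172.102.111.124"
ALL_PRIVATE = "10.0.0.0/255.0.0.0"


def vuurmuur_generated() -> Chains:
    """The rules Vuurmuur emitted: SNAT everything from the LAN leaving eth1."""
    return {"POSTROUTING": [
        Rule("LOG", "eth1", FW2_LAN, "0.0.0.0/0.0.0.0"),
        Rule("SNAT", "eth1", FW2_LAN, "0.0.0.0/0.0.0.0", to_source=PUBLIC),
    ]}


def hand_edited_negation() -> Chains:
    """frank's edit: '! -d 10.0.0.0/255.0.0.0' on both rules."""
    return {"POSTROUTING": [
        Rule("LOG", "eth1", FW2_LAN, ALL_PRIVATE, dst_negated=True),
        Rule("SNAT", "eth1", FW2_LAN, ALL_PRIVATE, dst_negated=True, to_source=PUBLIC),
    ]}


def pre_vrmr_accept() -> Chains:
    """Victor's option 1 in PRE-VRMR-POSTROUTING (assumed to be jumped to first)."""
    return {
        "POSTROUTING": [Rule("PRE-VRMR-POSTROUTING")] + vuurmuur_generated()["POSTROUTING"],
        "PRE-VRMR-POSTROUTING": [Rule("ACCEPT", "eth1", FW2_LAN, ALL_PRIVATE)],
    }


# Constructed packets: one for the remote private LAN (via the tunnel), one for the Internet.
TO_REMOTE_LAN = Packet("10.1.1.20", "10.76.1.5", "eth1")
TO_INTERNET = Packet("10.1.1.20", "198.51.100.7", "eth1")

if __name__ == "__main__":
    for label, chains in [("generated", vuurmuur_generated()),
                          ("negation", hand_edited_negation()),
                          ("pre-vrmr accept", pre_vrmr_accept())]:
        for pkt in (TO_REMOTE_LAN, TO_INTERNET):
            verdict, log = postrouting(chains, pkt)
            print(f"{label:16} dst={pkt.dst:<14} {verdict[0]:6} src={verdict[1]} logged={len(log)}")
```

Run as a script it shows the generated rules rewriting the tunnel-bound packet to 172.102.111.124, while both fixes leave its source untouched and still SNAT the Internet-bound packet; the ACCEPT variant works only because it is reached before the SNAT rule, which is the ordering point Victor makes about inserting at position 1 rather than appending.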
