Hello,
I have a WiFi internet access Device that:
- has a Web GUI
- has an embedded UDP-based SIP server
- acts as a NAT router to send traffic to the internet
- has a fixed IP of 192.168.1.1
- will only talk locally to the 192.168.1.0/24 network: all other
addresses are routed to the internet, including other "private" addresses
- none of the above can be reconfigured.
I have a local network 10.1.0.0/24 and some other interconnected 10.x and
192.168.x networks. There are other, different Internet access devices
behind other Shorewall firewalls that aren't relevant here.
I need to:
- hide 192.168.1.0/24 from the rest of my network, since it's used
elsewhere
- access the Web GUI from multiple clients on 10.1.0.x and ideally other
private addresses
- access the SIP server via UDP from at least one, preferably several
clients on 10.1.0.x and ideally other private addresses
- access the Internet via the Device from 10.1.0.x and ideally other nets
So, I set up a separate Shorewall box with a Wifi card attempting
one-to-one NAT. I decided to treat the 192.168.1.x net (wlan1, where the
device lives) as the "internal" side since I want to make the device, on
192.168.1.1, visible to the so-called "external" 10.1.0.x net for Web GUI
and SIP access. The Shorewall box has an address of 10.1.0.251 for its own
management purposes and I assigned another address 10.1.0.252 for access to
the Device; both of those are on vlan1.
/etc/shorewall/nat
#EXTERNAL      INTERFACE   INTERNAL       ALLINTS   LOCAL
10.1.0.252     vlan1       192.168.1.1    no        no
The problem was that traffic initiating from the so-called external side
(10.1.0.x clients) was retaining the true addresses and the Device doesn't
know how to route back. I.e., on the wlan1 side, I was seeing 10.1.0.3 >
192.168.1.1 with no responses. So, I added:
/etc/shorewall/snat
#ACTION        SOURCE        DEST ...
MASQUERADE     0.0.0.0/0     wlan1
For all of these tests, to keep it simple:
/etc/shorewall/rules
ACCEPT         all+          all+
And, that works nicely - for a while. There is no problem accessing the Web
GUI via TCP. It's hard to test for reasons I won't disclose, and not as
important, but I suspect it would continue to work for tcp going through
the Device to the Internet.
The issue is the UDP-based SIP server embedded in the Device. It works for
some time after a reboot (hours I think), but then I start to see the
so-called external addresses 10.1.0.x appear untranslated on the wlan1
interface and as I said, the Device can't reply to those.
This is Shorewall 5.1.12.3 on Ubuntu 16.04.4 LTS (Xenial). Yes, I was lazy
and just installed the Ubuntu package; if you tell me the latest Shorewall
version will make a difference I can certainly try it. However, I am
thinking this is more a flaw in my approach.
What am I doing wrong? Is there a completely different approach I should
take?
Thanks for any advice,
Norm
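The symptom described above (10.1.0.x source addresses showing up untranslated on wlan1, which the Device cannot route back to) is visible in the kernel's connection tracking table before it is visible in a packet capture. The script below is an added example, not code from the post or from the Shorewall project: it parses `conntrack -L` style lines and labels each flow towards the Device as fully translated (both the one-to-one NAT rewrite and the MASQUERADE rewrite present), DNAT-only (the client reached 192.168.1.1 via 10.1.0.252 but the reply is still aimed at the raw 10.x client), or untranslated. The sample table is constructed; the Shorewall box's own wlan1 address (192.168.1.2) and the conntrack line layout are assumptions, since the post states neither.

```python
"""Spot one-to-one NAT flows that the far-side device cannot answer.

Added example (not from the original post or from Shorewall): it parses
`conntrack -L` style lines and reports flows to the Device whose reply
direction still points at an untranslated 10.x client address.
"""
import ipaddress
import re

# Constructed sample of `conntrack -L` output. Addresses follow the post:
# clients on 10.1.0.x, the Device on 192.168.1.1, one-to-one NAT address
# 10.1.0.252. The Shorewall box's own wlan1 address (192.168.1.2) is an
# assumption; the post never states it.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.1.0.3 dst=10.1.0.252 sport=50412 dport=80 src=192.168.1.1 dst=192.168.1.2 sport=80 dport=50412 [ASSURED] mark=0 use=1
udp      17 29 src=10.1.0.3 dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.1 dst=192.168.1.2 sport=5060 dport=5060 [ASSURED] mark=0 use=1
udp      17 29 src=10.1.0.7 dst=10.1.0.252 sport=5060 dport=5060 src=192.168.1.1 dst=10.1.0.7 sport=5060 dport=5060 mark=0 use=1
udp      17 29 src=10.1.0.9 dst=192.168.1.1 sport=5060 dport=5060 src=192.168.1.1 dst=10.1.0.9 sport=5060 dport=5060 mark=0 use=1
"""

# One tuple = "src=A dst=B sport=N dport=M"; a TCP/UDP conntrack line carries
# two of them: the original direction first, then the expected reply direction.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack_line(line):
    """Return {proto, orig, reply} for one conntrack line, or None if it
    does not carry both tuples (e.g. ICMP lines use a different layout)."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    (osrc, odst, osp, odp), (rsrc, rdst, rsp, rdp) = tuples
    return {
        "proto": line.split()[0],
        "orig": (osrc, odst, int(osp), int(odp)),
        "reply": (rsrc, rdst, int(rsp), int(rdp)),
    }


def classify(entry, device_ip, device_net):
    """Label a flow towards the Device as 'ok', 'dnat-only', 'no-nat' or 'other'.

    DNAT shows up as orig.dst != reply.src (the client spoke to 10.1.0.252,
    the reply comes from 192.168.1.1). SNAT/MASQUERADE shows up as
    orig.src != reply.dst (the reply goes to the box's wlan1 address rather
    than straight back to the 10.x client). Only the latter lets a device
    that refuses to route outside its own /24 answer at all.
    """
    osrc, odst, _, _ = entry["orig"]
    rsrc, rdst, _, _ = entry["reply"]
    if rsrc != device_ip:
        return "other"  # not a flow towards the Device
    if ipaddress.ip_address(rdst) in device_net:
        return "ok"  # reply stays on the Device's own /24: fully translated
    return "dnat-only" if odst != rsrc else "no-nat"


def find_unanswerable(conntrack_text, device_ip="192.168.1.1",
                      device_net="192.168.1.0/24"):
    """List (proto, client, dport, label) for flows the Device cannot reply to."""
    net = ipaddress.ip_network(device_net)
    bad = []
    for line in conntrack_text.splitlines():
        entry = parse_conntrack_line(line)
        if entry is None:
            continue
        label = classify(entry, device_ip, net)
        if label in ("dnat-only", "no-nat"):
            bad.append((entry["proto"], entry["orig"][0], entry["orig"][3], label))
    return bad


if __name__ == "__main__":
    # On a real box: python3 this.py < <(conntrack -L 2>/dev/null)
    for proto, client, dport, label in find_unanswerable(SAMPLE_CONNTRACK):
        print(f"{proto}/{dport} from {client}: {label}")
```

Run periodically (or after the SIP flows stop working), the `dnat-only` label is the one to watch: it means the one-to-one NAT entry is still rewriting the destination but the MASQUERADE rewrite of the source is missing for that flow, which matches the untranslated 10.1.0.x addresses seen on wlan1. A `no-nat` entry means a client addressed 192.168.1.1 directly and bypassed 10.1.0.252 altogether.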
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users