On 04/25/2018 11:24 AM, Norman Henderson wrote:
> Hello,
>
> I have a WiFi internet access Device that:
> - has a Web GUI
> - has an embedded UDP-based SIP server
> - acts as a NAT router to send traffic to the internet
> - has a fixed IP of 192.168.1.1
> - will only talk locally to the 192.168.1.0/24 network: all other addresses are routed to the internet, including other "private" addresses
> - none of the above can be reconfigured.
>
> I have a local network 10.1.0.0/24 and some other interconnected 10.x and 192.168.x networks. There are other, different Internet access devices behind other Shorewall firewalls that aren't relevant here.
>
> I need to:
> - hide 192.168.1.0/24 from the rest of my network, since it's used elsewhere
> - access the Web GUI from multiple clients on 10.1.0.x and ideally other private addresses
> - access the SIP server via UDP from at least one, preferably several clients on 10.1.0.x and ideally other private addresses
> - access the Internet via the Device from 10.1.0.x and ideally other nets
>
> So, I set up a separate Shorewall box with a Wifi card attempting one-to-one NAT. I decided to consider the 192.168.1.x net (wlan1, where the device lives) to be the "internal" side since I want to make the device, on 192.168.1.1, visible to the so-called "external" 10.1.0.x net for Web GUI and SIP access. The Shorewall box has an address of 10.1.0.251 for its own management purposes and I assigned another address 10.1.0.252 for access to the Device; both of those are on vlan1.
>
> /etc/shorewall/nat
> #EXTERNAL   INTERFACE   INTERNAL      ALLINTS   LOCAL
> 10.1.0.252  vlan1       192.168.1.1   no        no
>
> The problem was that traffic initiating from the so-called external side (10.1.0.x clients) was retaining the true addresses and the Device doesn't know how to route back. I.e., on the wlan1 side, I was seeing 10.1.0.3 > 192.168.1.1 with no responses.
>
> So, I added:
>
> /etc/shorewall/snat
> #ACTION      SOURCE      DEST   ...
> MASQUERADE   0.0.0.0/0   wlan1
>
> For all of these tests, to keep it simple:
> /etc/shorewall/rules
> ACCEPT   all+   all+
>
> And, that works nicely - for a while. There is no problem accessing the Web GUI via TCP. It's hard to test for reasons I won't disclose, and not as important, but I suspect it would continue to work for tcp going through the Device to the Internet.
>
> The issue is the UDP-based SIP server embedded in the Device. It works for some time after a reboot (hours I think), but then I start to see the so-called external addresses 10.1.0.x appear untranslated on the wlan1 interface and as I said, the Device can't reply to those.
>
> This is Shorewall 5.1.12.3 on Ubuntu 16.04.4 LTS (Xenial). Yes, I was lazy and just installed the Ubuntu package; if you tell me the latest Shorewall version will make a difference I can certainly try it. However I am thinking this is more a flaw in my approach.
>
> What am I doing wrong? Is there a completely different approach I should take?
Norm,

Are you doing any 'reload's or 'restart's after reboot? The usual cause of failure to NAT UDP is that a packet is processed while the applicable NAT rule is not in place. On a new install, with RESTART=restart in shorewall.conf, this can happen if you use the 'restart' command. It shouldn't happen with 'reload'; it should also not happen with 'restart' if RESTART=reload.

-Tom
--
Tom Eastep            \   Q: What do you get when you cross a mobster with
Shoreline,             \     an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \   understand
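Tom's diagnosis is that a UDP flow gets picked up by connection tracking while no SNAT rule is in place, after which every later packet of that flow leaves wlan1 untranslated even once the rules are back. A quick way to confirm that on the Shorewall box is to look for UDP conntrack entries toward the Device whose reply tuple still points at the original 10.1.0.x source instead of the masqueraded wlan1 address. The script below is an added example written for this thread, not code from either poster or from the Shorewall project. It assumes conntrack-tools is installed (`conntrack -L -p udp` produces the lines), that wlan1 holds 192.168.1.2 (an assumed address; the thread never states it), and the sample output is constructed, not captured from Norm's system.

```shell
#!/bin/sh
# Constructed sample of `conntrack -L -p udp` style output (one tcp line
# included to show it is ignored). Entries 1 and 3 were SNATed to the
# assumed wlan1 address 192.168.1.2; entry 2 was tracked with no NAT, so
# its reply tuple still targets the private 10.1.0.7 source.
SAMPLE_CONNTRACK='udp      17 25 src=10.1.0.3 dst=192.168.1.1 sport=5060 dport=5060 src=192.168.1.1 dst=192.168.1.2 sport=5060 dport=5060 [ASSURED] mark=0 use=1
udp      17 17 src=10.1.0.7 dst=192.168.1.1 sport=5060 dport=5060 src=192.168.1.1 dst=10.1.0.7 sport=5060 dport=5060 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.1.0.3 dst=192.168.1.1 sport=40210 dport=80 src=192.168.1.1 dst=192.168.1.2 sport=80 dport=40210 [ASSURED] mark=0 use=1
udp      17 29 src=10.1.0.9 dst=8.8.8.8 sport=53412 dport=53 src=8.8.8.8 dst=10.1.0.9 sport=53 dport=53412 mark=0 use=1'

# untranslated_udp_flows DEVICE_IP
# Reads conntrack lines on stdin and prints "orig_src orig_dst" for every
# UDP entry toward DEVICE_IP whose reply tuple's destination equals the
# original source, i.e. a flow that conntrack is holding with no SNAT.
# The first src=/dst= pair is the original direction, the second pair is
# the reply direction; that field order is what conntrack -L emits.
untranslated_udp_flows() {
    device_ip="$1"
    awk -v dev="$device_ip" '
        $1 == "udp" {
            orig_src = ""; orig_dst = ""; reply_dst = ""; nsrc = 0; ndst = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/) {
                    nsrc++
                    if (nsrc == 1) orig_src = substr($i, 5)
                }
                if ($i ~ /^dst=/) {
                    ndst++
                    if (ndst == 1) orig_dst = substr($i, 5)
                    else if (ndst == 2) reply_dst = substr($i, 5)
                }
            }
            if (orig_dst == dev && reply_dst == orig_src) print orig_src, orig_dst
        }'
}

# Runs the check over the constructed sample so the result can be inspected
# without conntrack-tools; on the real box use:
#   conntrack -L -p udp 2>/dev/null | untranslated_udp_flows 192.168.1.1
check_sample() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | untranslated_udp_flows 192.168.1.1
}

check_sample
```

Any line the check prints is a flow the Device cannot answer; clearing it (`conntrack -D -p udp -s <that source>`) after the NAT rules are confirmed loaded lets the next SIP packet create a fresh, translated entry. If the list grows again only after a `restart`, that matches Tom's explanation of RESTART=restart versus RESTART=reload.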
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users