Hi,

> > $ ping 192.168.11.1
> > PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
> > From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
> >
> > On orion (68.199.193.42):
> > [393874.843186] FORWARD REJECT IN=eth1 OUT=br0
> > MAC=0c:c4:7a:a9:18:df:4c:ed:fb:bb:47:93:08:00 SRC=192.168.1.7
> > DST=192.168.11.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47549 DF
> > PROTO=ICMP TYPE=8 CODE=0 ID=26710 SEQ=2258
>
> As explained in Shorewall FAQ 17, when packets are dropped/rejected in
> the FORWARD chain, it means that either the SOURCE or the DEST does not
> fall into any zone. In this case, the DEST is not in any zone
> (192.168.11.0/24 does not appear anywhere in the ruleset).

The 192.168.11.0/24 network is behind the other endpoint (remote) gateway.
Do I need to have that network listed in the local gateway's hosts file?
How do I determine which interface they should be bound to in interfaces?
br0 is the external interface on the local gateway.

# shorewall show zones
Shorewall 5.2.0.4 Zones at orion.inside.example.com - Mon Jan 28 15:53:11 EST 2019

fw (firewall)
vpn (ipv4)
ext (ipv4)
   br0:0.0.0.0/0
int (ipv4)
   eth1:0.0.0.0/0
dmz (ipv4)
wyck1 (ipv4)
   br0:192.168.11.0/24
wyck2 (ipv4)
   br0:192.168.10.0/24

I'm also confused on which document I'm supposed to be following. This one
says it was last updated in Jun 2018, but only references kernel 2.6. I'm
of course using kernel 4.19. I'm assuming I also follow that document?

http://shorewall.net/VPNBasics.html

Does any of this configuration change since I'm using libreswan instead of
openvpn? libreswan does not create a tun or ppp interface.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
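Added example, written for this page and not taken from the poster or from the Shorewall project: a Shorewall configuration for a policy-based IPsec tunnel of the kind libreswan sets up. Such a tunnel encrypts packets in place instead of routing them through a tun or ppp device, so the remote LAN is reached through the same interface that faces the peer, br0 here, and Shorewall distinguishes it from ordinary Internet traffic on br0 by zone type: a zone of type ipsec is matched with the Netfilter policy match against the kernel's IPsec security policy database, which is the mechanism the "kernel 2.6" IPsec document describes and which later kernels, 4.19 included, still use. The interface names and the 192.168.11.0/24 subnet come from the post; the zone name vpn, the ACCEPT policies between int and vpn, and the reduced zone list are assumptions made for the example.

```text
# /etc/shorewall/zones
# vpn is declared with type ipsec, not ipv4, so its hosts entry only
# matches packets that the kernel's IPsec policy covers (assumed name).
#ZONE   TYPE        OPTIONS     IN_OPTIONS  OUT_OPTIONS
fw      firewall
vpn     ipsec
ext     ipv4
int     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
ext     br0         tcpflags,nosmurfs
int     eth1        tcpflags,nosmurfs

# /etc/shorewall/hosts
# The remote LAN arrives on br0 inside ESP, so it is bound to br0.
# Because vpn is an ipsec zone, unencrypted traffic on br0 does not
# match this entry and still falls into ext (br0:0.0.0.0/0).
#ZONE   HOST(S)                 OPTIONS
vpn     br0:192.168.11.0/24

# /etc/shorewall/policy
#SOURCE DEST    POLICY      LOG_LEVEL
int     vpn     ACCEPT
vpn     int     ACCEPT
$FW     vpn     ACCEPT
vpn     $FW     ACCEPT
ext     all     DROP        info
all     all     REJECT      info

# /etc/shorewall/rules
# IKE (UDP 500), ESP (protocol 50) and AH (51) have to be accepted
# from the peer in the clear on ext, or the tunnel never comes up.
# IPsecnat adds UDP 4500 for NAT traversal. Both macros ship with
# Shorewall.
#ACTION             SOURCE      DEST    PROTO   DPORT
IPsec(ACCEPT)       ext         $FW
IPsecnat(ACCEPT)    ext         $FW
```

After `shorewall check` and `shorewall reload`, `shorewall show zones` should list vpn with the br0:192.168.11.0/24 entry, and `ip xfrm policy` shows the security policies that the ipsec zone match consults; if that output is empty, libreswan has not installed the tunnel and no Shorewall change will make the ping succeed. The FORWARD REJECT quoted above is exactly the symptom of the destination network belonging to no zone, which is what the hosts entry fixes.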