OpenWrt Forum Archive

Topic: WRTSL54GS with Briged LAN+Wireless+OpenVPN (using Shorewall) config

The content of this topic has been archived on 20 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
borland
1 Jun 2007, 05:08

Hello,

Well, I'd like to have the following polices for the network:

INTIAL:

a. LAN, VPN and WIFI on the same subnet.
b. Essential services (i.e. DHCP and DNS) permitted between hosts on LAN/VPN/WIFI and the router (except for VPN and WIFI)
c. Only LAN and WIFI hosts can initiate connections to WAN.
d. Traffic shaping service for filtering p2p

FUTURE:

a. WIFI hosts can't initiate connections to WAN.
b. WIFI hosts should make a VPN connection (to another VPN server either running on router). Once connected they can initiate any connections to WAN via the VPN tunnel.
c. Only WIFI through VPN can initiate connections to WAN.
d. Roadwarrior VPN connections can't route traffic through WAN

I'm using 192.168.1.0/24 for my local network.

The need for using the same subnet is because i need a broadcast domain. Which i can't do by routing traffic. I need to use other protocols (like IPX) on the VPN and WIFI clients. But also i don't wan't that VPN clients accessing my internet connection.

First I'm tring to setup Shorewall (3.0.5) configuration on White Russian 0.9:

I stared with the following:

#/etc/shorewall/intefaces
wan     eth1            detect                  tcpflags,dhcp,norfc1918,routefilter,nosmurfs
-            br0             192.168.1.255   dhcp

#/etc/shorewall/hosts
lan     br0:eth0
wifi    br0:eth2
vpn     br0:tap0

#/etc/shorewall/policy
$FW      all         ACCEPT
lan         all           ACCEPT
vpn        lan         ACCEPT
wifi        wan     ACCEPT
wifi        lan        ACCEPT
wifi        $FW     DROP        info
vpn        $FW     DROP        info
vpn        wan     DROP        info
wan       all         DROP        info

#/etc/shorewall/masq
eth1            br0

my OpenVPN configuration:

#/etc/openvpn/server.conf
port 12001
proto udp
mode server
tls-server

dev tap0

client-to-client

cipher BF-CBC
auth SHA1

ca /etc/openvpn/keys/ca.crt
dh /etc/openvpn/keys/dh1024.pem
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key

local 192.168.1.1

client-config-dir /etc/openvpn/clients

tls-auth /etc/openvpn/keys/ta.key 0
comp-lzo

user nobody
group nobody

keepalive 10 60
persist-key
persist-tun
ping-timer-rem

verb 0




Any help, suggestions, etc may be welcome. Thanks.

Post #2
borland
3 Jun 2007, 17:32

Hi all, i was having troubles configuring the physdev match, for some reason it's not working. I managed to do something similar using subnets.

here is my working shorewall configuration:

#/etc/shorewall/interfaces
net     eth1            detect          tcpflags,dhcp,norfc1918,routefilter,nosmurfs
-         br0             192.168.1.255   dhcp

#/etc/shorewall/hosts
loc     br0:192.168.1.0/24
wifi    br0:192.168.1.128/26
vpn     br0:192.168.1.192/26

#/etc/shorewall/policy
# Policies for traffic originating from the VPN Zone (vpn)
vpn             net             REJECT          info
vpn             $FW             REJECT
vpn             loc             ACCEPT
vpn             wifi            ACCEPT
vpn             all             REJECT          info
# Policies for traffic originating from the Wireless Zone (wifi)
wifi            net             ACCEPT
wifi            loc             ACCEPT
wifi            vpn             ACCEPT
wifi            $FW             REJECT          info
wifi            all             REJECT          info
# Policies for traffic originating from the Local Area Network zone (loc)
loc             wifi            ACCEPT
loc             net             ACCEPT
loc             vpn             ACCEPT
loc             $FW             ACCEPT
loc             all             REJECT          info
# Policies for traffic originating from the firewall ($FW)
$FW             wifi            ACCEPT
$FW             net             ACCEPT
$FW             vpn             ACCEPT
$FW             loc             ACCEPT
$FW             all             REJECT          info
# Policies for traffic originating from the Internet zone (net)
net             wifi            DROP            info
net             vpn             DROP            info
net             $FW             DROP            info
net             loc             DROP            info
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

#/etc/shorewall/tcdevices
eth1            952kbit         110kbit

#/etc/shorewall/tcclasses
eth1            1       20kbit          30kbit          1       tos=0x68/0xfc,tos=0xb8/0xfc #VoIP
eth1            2       full/4          full            2       tcp-ack,tos-minimize-delay  #Interactive
eth1            3       full/4          full            3       default                     #Normal traffic
eth1            4       full/8          full*8/10       4                                   #P2P

#/etc/shorewall/rcrules
1        0.0.0.0/0       0.0.0.0/0       icmp    echo-request                 #Rule 1
1        0.0.0.0/0       0.0.0.0/0       icmp    echo-reply                     #Rule 2
1        $FW             0.0.0.0/0       icmp    echo-request                 #Rule 3
1        $FW             0.0.0.0/0       icmp    echo-reply                     #Rule 4
2        0.0.0.0/0       0.0.0.0/0       tcp     22                                     #Rule 5
RESTORE  0.0.0.0/0       0.0.0.0/0       all     -       -       -       0     #Rule 6
CONTINUE 0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0  #Rule 7
4        0.0.0.0/0       0.0.0.0/0       ipp2p:all                                     #Rule 8
SAVE     0.0.0.0/0       0.0.0.0/0       all     -       -       -       !0        #Rule 9


I have to put an entry in the tunnels file for the openvpn tunnel next.

The discussion might have continued from here.