Hi guys,
anyone particularly skilled on firewall rules, zones and settings willing to help in finding out an IPSEC traffic tunneling issue?
Looking forward to hearing from you!
Thanks in advance.
The content of this topic has been archived on 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.
Oh, I remember the issue about a year ago, when the IPSEC connection was working only with the firewall disabled. It remained unresolved. We can revise it; what is your issue?
Hi ulmwind,
thanks for replying.
You mean that there is a main 'bug' not allowing IPSEC (Strongswan) to work if the firewall is enabled?
Basically the issue is that it works inbound but not outbound:
[LAN1]---[IPSEC Server]--------(WAN)------[OpenWRT]---[LAN2]
The IPSEC tunnel is established correctly
I'm sitting on LAN2 and would like to reach LAN1
From LAN2 they can reach me; sniffing the traffic on (WAN), I can see that the traffic is ESP encapsulated. A PING goes through and gets a reply. Wonderful!
But if from LAN1 I try to PING something on LAN2, no ESP traffic is sent; the PING is rather sent as pure routing, despite rules and tables (see some details in topic id=72226).
Hope you can help.
If you can establish an IPSEC connection, then it does not look like a firewall issue, but a routing problem on the "IPSEC Server" machine. That machine must be configured to route all traffic destined to LAN2 through the IPSEC interface, but it seems to be configured to use the WAN interface.
Hi eduperez,
no, not exactly.
The traffic for LAN2 coming from LAN1 is traveling along the WAN link inside ESP packets.
This means that any traffic for LAN2 is 'directed' into the IPSEC tunnel.
LAN1 knows how to reach LAN2 and it is done via IPSEC.
In the opposite way, LAN2 does not even try to put the data inside the IPSEC tunnel.
When something is sent from LAN2 to LAN1 it is not put inside ESP packets but it is sent in 'pure' IP.
[LAN1]-->["ESP data" --> IPSEC TUNNEL]-->(WAN)-->[IPSEC TUNNEL --> "ESP data"]--->[OpenWRT]--->[LAN2]
[LAN1]--[IPSEC TUNNEL]--(WAN)--[IPSEC TUNNEL]---[OpenWRT]<--[LAN2]
X <----------------------------------+
The point is: why does OpenWRT not put the data for the LAN1 destination into the tunnel, even if the routing paths are correct, the IPSEC result does know the remote LAN subnets, and table '220' is correctly shown...?
(Last edited by seppax on 5 Oct 2017, 19:13)
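On Linux, whether a forwarded packet is ESP-encapsulated is decided by the kernel's xfrm policy selectors (what `ip xfrm policy` prints), not by the routing table or table 220, so a first check for the symptom above is whether the exact source/destination pair that leaves the OpenWrt box still matches an `out` policy with a tunnel-mode ESP template. A known way for that match to fail while the firewall is enabled is the wan zone's masquerading: if the LAN2 source address is rewritten to the WAN address before the policy is applied, the packet no longer falls inside the policy's source selector and goes out in cleartext, while the inbound direction keeps working. The helper below is an added example, not code from this thread or from OpenWrt/strongSwan; it parses a constructed `ip xfrm policy` sample (addresses 192.168.1.0/24 for LAN1, 192.168.2.0/24 for LAN2, 203.0.113.1/203.0.113.2 as the tunnel endpoints are assumptions) and reports whether a given flow would be tunneled or leak in the clear.

```python
"""Check whether a flow is covered by an IPsec (xfrm) output policy.

Added example, not code from the forum thread. It parses the text format of
`ip xfrm policy` (iproute2) and answers, for a candidate src -> dst pair,
whether an 'out' policy with a tunnel-mode ESP template covers it. Run the
real command on the router and feed its output to parse_xfrm_policy() instead
of the constructed sample to reproduce the check on a live system.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `ip xfrm policy` output (assumed addresses):
#   LAN1 = 192.168.1.0/24 behind the IPsec server  (WAN 203.0.113.1)
#   LAN2 = 192.168.2.0/24 behind the OpenWrt box   (WAN 203.0.113.2)
SAMPLE_XFRM_POLICY = """\
src 192.168.2.0/24 dst 192.168.1.0/24
\tdir out priority 375423 ptype main
\ttmpl src 203.0.113.2 dst 203.0.113.1
\t\tproto esp spi 0x00000000 reqid 1 mode tunnel
src 192.168.1.0/24 dst 192.168.2.0/24
\tdir fwd priority 375423 ptype main
\ttmpl src 203.0.113.1 dst 203.0.113.2
\t\tproto esp spi 0x00000000 reqid 1 mode tunnel
src 192.168.1.0/24 dst 192.168.2.0/24
\tdir in priority 375423 ptype main
\ttmpl src 203.0.113.1 dst 203.0.113.2
\t\tproto esp spi 0x00000000 reqid 1 mode tunnel
"""


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network          # traffic selector, source side
    dst: ipaddress.IPv4Network          # traffic selector, destination side
    direction: str = ""                 # "in", "out" or "fwd"
    priority: int = 0                   # lower value wins when several match
    templates: List[str] = field(default_factory=list)  # e.g. "esp/tunnel"


def parse_xfrm_policy(text: str) -> List[XfrmPolicy]:
    """Parse `ip xfrm policy` text into XfrmPolicy records (IPv4 selectors)."""
    policies: List[XfrmPolicy] = []
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"^src (\S+) dst (\S+)", line)   # "tmpl src ..." is skipped
        if head:
            policies.append(XfrmPolicy(ipaddress.ip_network(head.group(1)),
                                       ipaddress.ip_network(head.group(2))))
            continue
        if not policies:
            continue
        cur = policies[-1]
        fields = line.split()
        if line.startswith("dir "):
            cur.direction = fields[1]
            if "priority" in fields:
                cur.priority = int(fields[fields.index("priority") + 1])
        elif line.startswith("proto "):
            mode = fields[fields.index("mode") + 1] if "mode" in fields else "transport"
            cur.templates.append(f"{fields[1]}/{mode}")
    return policies


def match_out_policy(policies: List[XfrmPolicy], src_ip: str,
                     dst_ip: str) -> Optional[XfrmPolicy]:
    """Return the winning 'out' policy whose selectors cover src -> dst."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies if p.direction == "out" and s in p.src and d in p.dst]
    return min(hits, key=lambda p: p.priority) if hits else None


def diagnose(policies: List[XfrmPolicy], src_ip: str, dst_ip: str) -> str:
    """'tunnel' if the flow is ESP-encapsulated, 'cleartext' if it would leak."""
    pol = match_out_policy(policies, src_ip, dst_ip)
    if pol is None or "esp/tunnel" not in pol.templates:
        return "cleartext"
    return "tunnel"


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    # A LAN2 host reaching LAN1 with its real source address: inside the policy.
    print("LAN2 host -> LAN1:", diagnose(pols, "192.168.2.10", "192.168.1.10"))
    # Same packet after the source was masqueraded to the WAN address: leaks.
    print("masqueraded  -> LAN1:", diagnose(pols, "203.0.113.2", "192.168.1.10"))
```

When the second case is what you see on the router, the fix is to keep IPsec-bound traffic out of the wan zone's masquerading (for example, an iptables rule in the nat POSTROUTING chain that accepts packets matching `-m policy --pol ipsec --dir out` before the MASQUERADE rule) rather than to touch the routing tables.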
Ok, so I mixed up LAN1 and LAN2. But if OpenWrt is sending packets for LAN1 in the open, then it looks like a routing problem on the OpenWrt device. Are you sure the routing tables are correct on that device?