Situation: I have set up multiple NethServers locally, where one NethServer is acting as firewall. The other two have only one NIC for the green network, and have the roles of a domain controller and a file & print server. On a remote host there is another NethServer serving external services like mail and Nextcloud. Every NethServer is a VM within Proxmox and all are members of an AD domain, which was created on the PDC NethServer. The IPsec site-to-site tunnel is created between an OPNsense router (also a VM on Proxmox) on the remote site and a local physical router. Routing from remote LAN to local LAN and from local LAN to remote LAN works fine and was tested by ping. From remote LAN to local LAN everything works fine: I can access shares, and everything.

On the remote OPNsense router I have additionally configured an OVPN server for roadwarriors. Clients can connect to it fine. The routing from OVPN to the remote red network and the local LAN is working too; I can ping resources on those networks. When pinging the connected roadwarrior IP from the local firewall, the local firewall tells me "operation not permitted". Pinging the OVPN network from the remote firewall, there is no reply either. I don't know, but maybe that's normal?
Now I need to enable access to resources behind and including the firewalls from the OVPN roadwarrior. I tried everything that came to my mind, but cannot get this configured successfully. The OVPN network was added to the trusted networks on the firewalls, and under settings I also activated access to the firewall's server manager from the red interface and added the CIDR of the OVPN network. While I can access the web interface of the remote firewall (which successfully replies to ping), I cannot reach the local firewall's web interface, nor any resource behind this NethServer firewall, as long as Shorewall is active. As soon as I type "shorewall clear" on the NethServer firewalls (remote and local), I can immediately access all resources, be it web interfaces or Windows shares. I was even able to join the OVPN roadwarrior to the domain while Shorewall was inactive (shorewall clear). As soon as I type "signal-event firewall-adjust", the local Neth firewall stops replying to ping and refuses access, while doing this on the remote firewall it at least still replies to ping and lets me access its server manager.

Just realized that on the remote firewall I had Fail2ban active and my IP was in jail, so I unbanned it. I created a network share on the remote firewall but could not access it from the roadwarrior with Shorewall active. What works instead is port forwarding: I tried forwarding the RDP port to an internal Windows VM on the remote network behind the remote NethServer firewall and could log in to it even with Shorewall active. The same does not work on the local Neth firewall, which is not surprising as the local Neth firewall does not reply to ping while Shorewall is active.
So I added the following rules on the local and remote firewalls:
source: ovpn lan cidr
destination: green
service: any
accept
and
source: green
destination: ovpn lan cidr
service: any
accept
but these rules are either wrong or ignored by Shorewall. I also tried to create a zone "ovpn" with the same IP range as the OVPN LAN and then create similar rules with the zone instead of the CIDR object, but that did not help either to access internal resources from the OVPN roadwarrior while Shorewall is active.
How can I enable access to these resources from OVPN with Shorewall active?
Access to local resources from the remote host attached through the IPsec tunnel works fine, btw. It's just from roadwarrior -> OVPN -> IPsec -> local where it does not work, as long as Shorewall is active.
I really think I am close to a perfect setup, but I desperately need help on this last step to get my infrastructure ready for rolling out.
Error messages on the firewalls:
Jun 1 11:55:58 [hostname] kernel: Shorewall:ovpn2fw:REJECT:IN=eth1 OUT= MAC=[x.y.z] SRC=[ovpn roadwarrior ip] DST=[ip of red ip of local nethserver] LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=26696 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=29
Jun 1 11:38:16 [hostname] kernel: Shorewall:ovpn2fw:REJECT:IN=eth1 OUT= MAC=[x.y.z] SRC=[ovpn roadwarrior ip] DST=[ip of red ip of local nethserver] LEN=52 TOS=0x00 PREC=0x00 TTL=125 ID=26692 DF PROTO=TCP SPT=49855 DPT=9090 WINDOW=64240 RES=0x00 SYN URGP=0
How can this be modified?
iptables -L | grep ovpn2fw
ovpn2fw all -- [my ovpn cidr] anywhere policy match dir in pol none
Chain ovpn2fw (1 references)
LOG all -- anywhere
iptables -L | grep fw2ovpn
fw2ovpn all -- anywhere [my ovpn cidr] policy match dir out pol none
Chain fw2ovpn (1 references)
LOG all -- anywhere anywhere limit: up to 1/sec burst 10 mode srcip LOG level info prefix "Shorewall:fw2ovpn:REJECT:"
IPS, Threat Shield, Web Proxy & Filter and Fail2ban were all deactivated to be sure they don't interfere.
A final thought: maybe I will later try to establish the IPsec tunnel from the remote OVPN router to the local NethServer firewall by forwarding ESP traffic and UDP ports 4500 and 500 from the physical local router to the local NethServer firewall.
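The two REJECT lines quoted in the post come from a chain named ovpn2fw and carry an empty OUT= field, which is how netfilter logs a packet that was addressed to the firewall itself (INPUT path) rather than one being forwarded through it. The script below is an added example, not code from the post or from NethServer/Shorewall: it parses Shorewall kernel log lines into zone pair, path and port, and prints a hint about which zone-to-zone policy governs each one. The sample log lines are constructed (hostname, MAC and addresses are placeholders); the third line is an invented forwarded packet so both paths are exercised.

```python
"""Parse Shorewall REJECT/DROP kernel log lines and report which zone pair
and which path (to the firewall itself, or forwarded through it) hit them.
Added example; not code from the post, NethServer or Shorewall."""
import re
from collections import Counter

# Constructed sample lines modelled on the two in the post, plus one
# forwarded packet.  Hostname, MACs and addresses are placeholders.
SAMPLE_LOG = """\
Jun  1 11:55:58 fw1 kernel: Shorewall:ovpn2fw:REJECT:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.8.0.6 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=26696 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=29
Jun  1 11:38:16 fw1 kernel: Shorewall:ovpn2fw:REJECT:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.8.0.6 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=125 ID=26692 DF PROTO=TCP SPT=49855 DPT=9090 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  1 11:40:02 fw1 kernel: Shorewall:ovpn2loc:REJECT:IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.8.0.6 DST=192.168.1.20 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=26700 DF PROTO=TCP SPT=49900 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Shorewall's LOG prefix is "Shorewall:<chain>:<disposition>:"; the chain
# for zone-to-zone traffic is named <srczone>2<dstzone>.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[A-Z]+):")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict describing one log line, or None if it is not a
    Shorewall log line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, val in KV_RE.findall(line[m.end():]):
        fields.setdefault(key, val)   # ICMP lines carry ID= twice; keep the IP ID
    chain = m.group("chain")
    # Zone names are short and the separator is a literal "2"; this split
    # assumes the source zone name itself contains no "2".
    src_zone, _, dst_zone = chain.partition("2")
    # netfilter leaves OUT= empty in the INPUT path, i.e. the packet was
    # addressed to the firewall itself; a non-empty OUT= means FORWARD.
    path = "input" if fields.get("OUT", "") == "" else "forward"
    proto = fields.get("PROTO")
    dport = "type " + fields.get("TYPE", "?") if proto == "ICMP" else fields.get("DPT")
    return {
        "chain": chain, "src_zone": src_zone, "dst_zone": dst_zone,
        "disposition": m.group("disp"), "path": path,
        "in_if": fields.get("IN"), "out_if": fields.get("OUT"),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": proto, "dport": dport,
    }


def explain(rec):
    """One-line hint about which Shorewall policy/rule set is in play."""
    if rec["path"] == "input":
        return (f"{rec['src']} -> firewall itself ({rec['dst']}) on {rec['proto']} "
                f"{rec['dport']}: governed by the {rec['src_zone']}->fw policy and "
                f"rules; rules from {rec['src_zone']} to other zones do not apply")
    return (f"{rec['src']} -> {rec['dst']} via {rec['in_if']}->{rec['out_if']} on "
            f"{rec['proto']} {rec['dport']}: governed by the "
            f"{rec['src_zone']}->{rec['dst_zone']} policy and rules")


def summarize(log_text):
    """Count rejected/dropped flows per (src zone, dst zone, path, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["disposition"] in ("REJECT", "DROP"):
            counts[(rec["src_zone"], rec["dst_zone"], rec["path"],
                    rec["proto"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
    for line in SAMPLE_LOG.splitlines():
        print(explain(parse_line(line)))
```

Run it against the real log with `python3 script.py < /var/log/messages` after swapping SAMPLE_LOG for stdin; the point is that a flow reported as "input" to the "fw" zone is decided by the ovpn-to-fw policy, so rules written between ovpn and green never see it.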