Need help understanding nethserver Firewall

Situation: I have setup multiple nethservers locally whereas one nethserver is acting as firewall. The other two have only one nic for green network, and have roles of a domain controller and a file & printserver. On a remote Host there is another nethserver serving external services like mail and nextcloud. Every nethserver is a vm within ProxMox and all are members of an AD domain, which was created on pdc nethserver. The IPsec site2site tunnel is created between an opnsense router (also a VM on ProxMox) on the remote site and a local physical router. Routing from remote lan to local lan and from local lan to remote lan works fine and was tested by ping. Now from remote LAN to local LAN everything works fine. I can access shares, and everything. On the remote OPNsense router I have additionally configured a OVPN server for roadwarriors. Clients can connect to it fine. The routing from OVPN to remote red and local lan is working too. I can ping resources on those networks. Pinging the connected roadwarrior ip from the local firewall the local firewall telling me operation not permitted. Pinging the OVPN network from the remote firewall there is no reply either. I dont know, but maybe thats normal?

Now I need to enable access to resources behind and including the firewalls from the OVPN roadwarrior, I tried everything that came to my mind, but cannot get this configured successfully. The OVPN network was added to trusted networks on the firewalls, and under settings I also activated access to firewalls servermanager from red interface and added the cidr of the OVPN. While I can access the webinterface of the remote firewall (which successfully replies to ping), I cannot reach the local firewalls webinterface, nor any ressource behind this nethservers firewall, as long as shorewall is active. As soon as I type shorewall clear on the nethserver firewalls (remote and local), I can immediately access all ressources, be it webinterfaces or access to windows shares. I was even able to join the ovpn roadwarrior to the domain while shorewall was inactive (shorewall clear). As soon as I type signal-event firewall-adjust, the local neth firewall stops repyling to ping and refuses access, while doing this on remote firewall it at least still replies to ping, and lets me access its servermanager. Just realized that on remote firewall I had fail2ban active and my ip was in jail, so I unbannined it. I created a network share on remote firewall but could not access it from roadwarrior with active shorewall. What instead works is a port forwarding. I tried with forwarding rdp port to an internal windows vm on remote nethwork behind remote nethserver firewall and could log in to it even with shorewall active. The same does not work on local nethfirewall which is not surprising as the local nethfirewall does not reply to ping while shorewall active.

So I added following rules in local and remote firewalls:

source: ovpn lan cidr
destination: green
service: any


source: green
destination: ovpn lan cidr
service: any

but these rules are either wrong or ignored by shorewall. I also tried to create a zone ovpn with the same iprange of the ovpn lan and then create similar rules with the zone instead of the cidr object, but that all did not help either, to access internal resources from ovpn roadwarrior while shorewall is active.

How can I enable access to these ressources from ovpn with shorewall active?

Access to local resources from remote host attached through ipsec tunnel works fine btw. Its just from roadwarrior -> ovpn -> ipsec -> local where it does not work, as long as shorewall is active.

I really think, I am close to a perfect setup, but desperately need help on this last step to get my infrastructure ready for rolling :slight_smile:

Error message on firewalls:

Jun 1 11:55:58 [hostname] kernel: Shorewall:ovpn2fw:REJECT:IN=eth1 OUT= MAC=[x.y.z] SRC=[ovpn roadwarrior ip] DST=[ip of red ip of local nethserver] LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=26696 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=29

Jun 1 11:38:16 [hostname] kernel: Shorewall:ovpn2fw:REJECT:IN=eth1 OUT= MAC=[x.y.z] SRC=[ovpn roadwarrior ip] DST=[ip of red ip of local nethserver] LEN=52 TOS=0x00 PREC=0x00 TTL=125 ID=26692 DF PROTO=TCP SPT=49855 DPT=9090 WINDOW=64240 RES=0x00 SYN URGP=0

How can this be modified?

iptables -L |grep ovpn2fw
ovpn2fw all – [my ovpn cidr] anywhere policy match dir in pol none
Chain ovpn2fw (1 references)
LOG all – anywhere

iptables -L |grep fw2ovpn
fw2ovpn all – anywhere [my ovpn cidr] policy match dir out pol none
Chain fw2ovpn (1 references)
LOG all – anywhere anywhere limit: up to 1/sec burst 10 mode srcip LOG level info prefix “Shorewall:fw2ovpn:REJECT:”

IPS, Threatshield and WebProxy & Filter & Fail2ban were all deactivated to be sure they dont interfere.

A final thought. Maybe I will later on try to establish the IPsec tunnel from remote OVPN router to the local nethserver firewall by forwarding ESP traffic and ports 4500 and 500 udp from physical local router to local nethserver firewall.

I am making some progress. Digging through /var/log/messages, I have seen an error Duplicate zone name (ovpn) followed by /etc/e-smith/events/nethserver-firewall-base-save/S89nethserver-shorewall-restart failed, and later also firewall-adjust failed, so I deleted the ovpn Zone, I had created which removed those failures in /var/log/messages. And now the local firewall and the other nethservers behind started replying to pings and the servermanager of the firewall neth is accessible from ovpn lan. Furthermore creating rdp port forwarding to internal windows client works too.

What still does not work is an allow any rule, but I read this could be because of DPI installed? Does that mean that I have either to uninstall nethserver-ndpi or create rules for any service I want to allow through?

What I need to know now is which rules or port forwardings I need to establish, in order to let a windows client connect like it was in the green network, meaning accessing shares, the domain controller and everything. I hope, there is an easy way to establish this. What I dont understand why this connection works without any rules from remote lan connected via IPsec in contrary to OVPN roadwarrior client.

And if that is not easy to accomplish, would it make more sense and would domain accesses to green ressources be easier possible, if the site2site vpn is created between remote opnsense router and the nethserver firewall directly? And if so, what are the pros and cons for IPsec or OVPN site2site tunnel?

Thanks in advance for any comments that will help me establish connectivity from roadwarrior to domain ressources. :slight_smile:

Edit to add, that I uninstalled nethserver-ndpi just for testing purpose as I wanted to see if then an ovpn_lan to green rule with ports any would work although in the end I want to use dpi to strengthen the security anyway. The result is, that shorewall refuses to start without it.

Jun 1 18:30:01 [hostname] shorewall: /usr/share/shorewall/lib.common: line 93: 5689 Terminated $SHOREWALL_SHELL $script options @
Jun 1 18:30:01 [hostname] systemd: shorewall.service: main process exited, code=exited, status=143/n/a

So I installed deep packet inspection again.

@support_team desperately need a bit of help here. :pray:

I’d really like to understand why a rule or local rule ovpn lan (comming from red) -> green does not work. Only port forwardings seem to work for me.

Today I had my heureka moment, and solved all above mentioned problems, by changing one endpoint of the ipsec tunnel. Instead of making it from the remote opnsense router to the local firewall, I created an ipsec tunnel from remote nethserver to the local firewall. Then after adding a static route in opnsense everything is good now. I can access internal domain ressources from my roadwarrior so the problem is solved, and I did not need two phase 2 entries in IPsec configuration, as the roadwarrior is routed through the remote nethserver. I think this post can be deleted, as it does not really serve any informations potentially usefull for user reads, so thanks for deleting it. :slight_smile:

Thank you for sharing your problem and usecase. I think it would be good for reference to keep this in our forums. I can imagine more members are in the situation of having a domain with an offsite server for online services.

A post was split to a new topic: Overlapping zone name