I’ve seen there are a lot of topics about similar questions, but still haven’t found any solution (hope it isn’t a problem).
Actually I’ve installed a NethServer on a site, with a single green interface (LAN, network 192.168.10.x/24); afterwards I installed the OpenVPN module and configured a RoadWarrior server (authentication by certificate only).
I want to connect from outside (VPN host to network), and since the NethServer isn’t the router/firewall, there is a port forward on my router (I call my public IP on the VPN port, and the router redirects the call to 192.168.10.114).
The connection works on the first try! But not everything works correctly: I can only ping the NethServer (192.168.10.114), but I can’t reach the other hosts on the LAN.
So I’ve tried to use my NethServer as the gateway for a host; after that the host becomes reachable, but it can’t reach the internet. I’ve read that the trick can be shorewall clear, but if the NethServer restarts this doesn’t persist.
I have 2 questions: 1: Is there a way to ping or connect to the rest of the LAN without using NS as gateway? In the logs there is a “shorewall sfilter drop packets”, and I don’t know how to modify it (I have the basic firewall module installed). 2: If there is no way to do it, how can I make shorewall clear permanent?
You should try putting a routing rule on your router/firewall (the device that is the default gateway of your network) so that, for the IP class you have assigned to the VPN, the gateway is the IP address of the NethServer.
You have assigned the class 192.168.3.0/24 to the VPN.
The IP of your NethServer is 192.168.1.10.
You have to create a routing rule on the firewall/router so that for addresses in 192.168.3.0/24 the gateway is 192.168.1.10.
I’ve already tried it, and it still doesn’t work. I think it isn’t a problem of the router but of the shorewall; the forward works and I reach the NS. I don’t think that the route is handled by the router once I’m connected to the VPN server.
Also try checking that in the NethServer configuration interface (Cockpit), under “System” → “Trusted networks”, the network class associated with the VPN is entered.
From the above example there should be a 192.168.3.0 network with netmask 255.255.255.0.
If it is not there, try entering it.
However, the point in the previous post also applies: if the gateway is not the NethServer, the other devices will send their replies to the pings from the VPN to the router/gateway and not to the NethServer running the VPN.
The rule described above is precisely to redirect those replies from the router to the NethServer, which will then forward them into the VPN.
Already checked and updated the trusted networks; it’s not that.
I understood the point in the previous post, but that is not the problem. I reach the NethServer with my VPN, so it’s the NethServer, which should forward my request to the LAN, that blocks my request;
I’m actually working in the same place with a VPN on Zentyal; my goal is to replace it, but Zentyal works in the same way:
call to the public IP, forwarded by the router to the private IP of Zentyal, and I can connect to all devices on the LAN.
I do the same with NethServer, call the public IP, forwarded by the router to the private IP of NS (192.168.10.114), but I can only see it.
You will also need a route on your router pointing to “the other side” and using your NethServer as a gateway / router…
At the moment, if you’re pinging from Site 2 to Site 1, your servers will try to respond. As they only have a default route (to your router), they will send the response to the ping there. That router doesn’t (yet) know about any “other” site, and forwards the packets to the Internet, your provider.
And your provider, correctly, discards internal IP packets…
→ Your router needs to know how to route packets destined for the other Site…
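An added illustration of the routing argument made in the two replies above (the reply packets of a LAN host follow its default route to the router, which without a route for the VPN class hands them to the provider; the static route for 192.168.3.0/24 via 192.168.1.10 fixes the return path). This is example code written for this thread, not code from NethServer, Shorewall or any poster. It reuses the thread’s example addresses (VPN pool 192.168.3.0/24, NethServer 192.168.1.10) and assumes constructed ones for the router (192.168.1.1), a LAN host (192.168.1.50) and a VPN client (192.168.3.6); the three routing tables are a simplified model, not a dump of real devices.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread's example: VPN pool and NethServer address.
VPN_POOL = "192.168.3.0/24"
NETHSERVER = "192.168.1.10"
# Constructed for this illustration (assumptions, not from the thread).
LAN = "192.168.1.0/24"
ROUTER = "192.168.1.1"
LAN_HOST = "192.168.1.50"
VPN_CLIENT = "192.168.3.6"


class RoutingTable:
    """Minimal longest-prefix-match table: routes are (prefix, next_hop) pairs."""

    def __init__(self, routes):
        self.routes = [(ip_network(prefix), next_hop) for prefix, next_hop in routes]

    def next_hop(self, dst):
        dst = ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        # The most specific (longest) prefix wins, as on a real router.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def site_tables(router_has_vpn_route):
    """Routing tables of the three devices a LAN host's ping reply may pass through."""
    lan_host = RoutingTable([(LAN, "direct"), ("0.0.0.0/0", ROUTER)])

    router_routes = [(LAN, "direct"), ("0.0.0.0/0", "ISP")]
    if router_has_vpn_route:
        # The static route suggested in the thread: VPN class via the NethServer.
        router_routes.append((VPN_POOL, NETHSERVER))
    router = RoutingTable(router_routes)

    # The OpenVPN server itself knows the client pool through its tunnel interface.
    nethserver = RoutingTable([(LAN, "direct"), (VPN_POOL, "tun0"), ("0.0.0.0/0", ROUTER)])

    return {LAN_HOST: lan_host, ROUTER: router, NETHSERVER: nethserver}


def trace_reply(router_has_vpn_route, dst=VPN_CLIENT, max_hops=8):
    """Return the hops a ping reply from LAN_HOST to dst takes.

    The path ends in 'tun0' when the reply reaches the VPN tunnel on the
    NethServer, or in 'ISP' when the router sends it out to the provider
    (where, as the thread notes, a private destination is discarded).
    """
    tables = site_tables(router_has_vpn_route)
    hop = LAN_HOST
    path = [hop]
    while hop in tables and len(path) < max_hops:
        nh = tables[hop].next_hop(dst)
        if nh == "direct":
            nh = dst  # destination is on a directly connected network
        path.append(nh)
        hop = nh
    return path


if __name__ == "__main__":
    print("without static route:", " -> ".join(trace_reply(False)))
    print("with static route:   ", " -> ".join(trace_reply(True)))
```

Running it shows the reply going 192.168.1.50 -> 192.168.1.1 -> ISP without the route, and 192.168.1.50 -> 192.168.1.1 -> 192.168.1.10 -> tun0 with it. Hosts that use the NethServer as their default gateway skip the router entirely, which is why they were reachable in the original post even before any route existed.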
Today I’ve replicated the same situation on another site, this time with a different router (PosteMobile), and this time too the route on it didn’t work; I can reach NS and the hosts that have it as gateway, but not the rest of the LAN.
I keep thinking that the problem is the shorewall on NS, for 3 reasons:
First: with another router, nothing changed; it’s so strange that 2 routers out of 2 can’t make a static route.
Second: if I trace the packets, they arrive at NS and at the other host, but the packets for the unreachable host are stopped at the NS IP.
Third: although I don’t understand how shorewall works (also because it also won’t let me go on the internet when it’s up), in the log I keep seeing it drop packets; it seems these are related to the connection to the internet (?), but I’m not sure about that: