[WLANware] VPN - 2 seperate WLAN interfaces

lynxis lynxis at c-base.org
Tue Jan 15 21:48:56 CET 2013


Hallo Peter,

wieso hast du so viele "forwarding"-Regeln definiert?
Ich bin jetzt mal davon ausgegangen, dass das experimentell war ;).
Die Firewall ist zustandsbehaftet (conntrack) und fragt sich immer "Wer hat die Verbindung initiiert?". Das heisst,
eine forwarding-Regel von 'lan' nach 'wan' deckt auch den Rueckkanal (ESTABLISHED/RELATED) ab;
eine Gegenregel von 'wan' nach 'lan' wuerde dagegen zusaetzlich Verbindungen erlauben, die von aussen aufgebaut werden.
Ich hab die Config an mehreren Stellen editiert und die ganze Masse an forwarding geloescht.

Falls es nicht hilft, hast du schon geschaut, ob es vielleicht eine Kollision der IP-Bereiche
mit der IP-Adresse bzw. dem Subnetz gibt, die der VPN-Server dir zuweist (z.B. ebenfalls
10.0.1.0/24 oder 192.168.2.0/24)? Dann konkurrieren die Routen von tun0 und von 'wifi'/'lan'.

Gruss
lynxis

PS. Ich hab leider keinen 1043 zur Hand, um es zu testen. Falls es nicht klappt, teste ich das morgen nochmal durch.
Ein paar Aenderungen erklaere ich hier nochmal:

# es gibt kein vlan3 in der switch-config (nur vlan 1 und 2), eth0.3 existiert also nicht.
# Der ifname-Eintrag wird nur benoetigt, falls das VPN-Netz zusaetzlich per Kabel
# rausgegeben werden soll. Dafuer muesste aber noch eine dritte switch_vlan-Sektion
# mit einem eigenen Port angelegt werden.
 config 'interface' 'wifi'
-	option 'ifname' 'eth0.3'
 	option 'type' 'bridge'
 	option 'proto' 'static'
 	option 'ipaddr' '10.0.1.1'

# diese Optionen werden nur von proto 'dhcp' (und aehnlichen dynamischen Protokollen) ausgewertet;
# bei proto 'none' sind sie wirkungslos.
 config 'interface' 'vpn'
 	option 'ifname' 'tun0'
-	option 'defaultroute' '0'
-	option 'peerdns' '0'
 	option 'proto' 'none'

# grundsaetzlich sollte forwarding verboten sein (REJECT), damit die Netze nicht gegenseitig
# aufeinander zugreifen koennen; erlaubt wird nur gezielt ueber 'forwarding'-Sektionen.
# !!wichtig!! mtu_fix (TCP-MSS-Clamping), damit TCP auch sicher durch den Tunnel funktioniert:
# der Tunnel-Overhead verkleinert die MTU, und ohne Clamping bleiben grosse TCP-Segmente
# haengen, sobald Path-MTU-Discovery unterwegs gefiltert wird.
 config zone
 	option 'name' 'vpn'
 	option 'input' 'ACCEPT'
 	option 'output' 'ACCEPT'
-	option 'forward' 'ACCEPT'
+	option 'forward' 'REJECT'
 	option 'masq' '1'
+	option 'mtu_fix' '1'
 	option 'network' 'vpn'
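Review bot: `option 'input' 'ACCEPT'` on the vpn zone is kept by this hunk, so whatever can reach tun0 from the provider's side — the VPN server and possibly other tunnel clients — may open connections to the router's own services (ssh, web UI, DNS), while the wan zone in the same config uses REJECT. The tunnel endpoint is not more trustworthy than the WAN, so the zone should mirror it: `option 'input' 'REJECT'`, with an explicit `config rule` (src 'vpn') only for anything that really must be reachable from the tunnel; conntrack still lets replies to connections the router or its clients opened through. The `forward REJECT` and `mtu_fix` changes themselves look right, and with `masq '1'` the 10.0.1.0/24 clients are hidden behind the tun0 address, which a client-side VPN needs.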

### Hier faengt die neue Config an:

/etc/config/wireless
# Radio: one mac80211 device that carries both APs below (wifiVPN and wifiUNI).
config wifi-device 'wlan0'
	option type     'mac80211'
	option macaddr  'f8:d1:11:3a:b5:fc'
	option country  'DE'
	option channel  'auto'
	option txpower  '17'
	option hwmode   '11ng'
	# 20 MHz channels; the two ht_capab entries are 40 MHz capabilities and
	# presumably have no effect at HT20 -- re-check them if 40 MHz is ever enabled.
	option htmode   'HT20'
	list ht_capab   'SHORT-GI-40'
	list ht_capab   'DSSS_CCK-40'

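# AP for the VPN-only network: clients land in the 'wifi' bridge (10.0.1.0/24),
# whose only firewall path is the forwarding to the vpn zone.
config wifi-iface
	option device     'wlan0'
	option mode       'ap'
	option network    'wifi'
	option ssid       'wifiVPN'
	# WPA2-PSK with the pairwise cipher pinned to CCMP (AES). Plain 'psk2' leaves
	# the cipher to the build's default, which may still offer TKIP; every WPA2-capable
	# client supports CCMP, so pinning it costs nothing and removes the weak cipher.
	option encryption 'psk2+ccmp'
	option hidden     '0'
	# Placeholder -- replace with the real passphrase (8-63 printable characters).
	option key        '*****'
	option disabled   '0'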

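# AP for the regular LAN: clients join the 'lan' bridge (192.168.2.0/24) and reach
# the uplink directly (forwarding lan -> wan), never through the tunnel.
config wifi-iface
	option device     'wlan0'
	option mode       'ap'
	option network    'lan'
	option ssid       'wifiUNI'
	# WPA2-PSK with the pairwise cipher pinned to CCMP (AES); see the note on the
	# wifiVPN AP -- plain 'psk2' may still let the build negotiate TKIP.
	option encryption 'psk2+ccmp'
	option hidden     '0'
	# Placeholder -- replace with the real passphrase (8-63 printable characters).
	option key        '*****'
	option disabled   '0'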

/etc/config/network
# Loopback, stock definition.
config interface 'loopback'
	option proto   'static'
	option ifname  'lo'
	option ipaddr  '127.0.0.1'
	option netmask '255.0.0.0'

# Wired LAN (switch VLAN 1) bridged with the wifiUNI AP; 192.168.2.0/24.
config interface 'lan'
	option proto   'static'
	option type    'bridge'
	option ifname  'eth0.1'
	option ipaddr  '192.168.2.1'
	option netmask '255.255.255.0'

# Uplink on switch VLAN 2 (port 0); address comes from the upstream DHCP server.
config interface 'wan'
	option proto  'dhcp'
	option ifname 'eth0.2'

# VPN-client network, 10.0.1.0/24. A bridge with no wired member: the only
# member is the wifiVPN AP, which attaches through its 'network' option.
config interface 'wifi'
	option proto   'static'
	option type    'bridge'
	option ipaddr  '10.0.1.1'
	option netmask '255.255.255.0'
	
# The tunnel device is created and addressed by the VPN client itself (its config is
# not part of this listing); netifd only tracks it (proto none) so the 'vpn' firewall
# zone can attach to it.
config interface 'vpn'
	option proto  'none'
	option ifname 'tun0'

# Switch chip, VLAN mode on; the two switch_vlan sections below define VLAN 1 and 2.
config switch
	option name        'rtl8366rb'
	option enable_vlan '1'
	option reset       '1'

# VLAN 1: ports 1-4, tagged on port 5 (presumably the CPU port) -> eth0.1 (lan).
config switch_vlan
	option device 'rtl8366rb'
	option vlan   '1'
	option ports  '1 2 3 4 5t'

# VLAN 2: port 0 only, tagged on port 5 -> eth0.2 (wan).
config switch_vlan
	option device 'rtl8366rb'
	option vlan   '2'
	option ports  '0 5t'

/etc/config/firewall
# Global policy: the router accepts input/output itself but refuses to forward between
# zones unless a 'forwarding' section says otherwise; SYN-flood protection on, and
# packets conntrack classifies as INVALID are dropped.
config defaults
	option input        'ACCEPT'
	option output       'ACCEPT'
	option forward      'REJECT'
	option syn_flood    '1'
	option drop_invalid '1'

# Trusted wired/wifiUNI network: may talk to the router; forwarding elsewhere only via
# the explicit 'forwarding' sections.
config zone
	option name    'lan'
	option network 'lan'
	option input   'ACCEPT'
	option output  'ACCEPT'
	option forward 'REJECT'

# Untrusted uplink: nothing reaches the router unless one of the explicit rules below
# allows it (DHCP renew, ping, DHCPv6, ICMPv6). Forwarded traffic is NATed behind the
# wan address and TCP MSS is clamped to the wan MTU.
config zone
	option name    'wan'
	option network 'wan'
	option input   'REJECT'
	option output  'ACCEPT'
	option forward 'REJECT'
	option masq    '1'
	option mtu_fix '1'

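# Tunnel side. Treated like the wan zone: the VPN server (and whatever else can reach
# tun0 from the provider's side) must not be able to open connections to the router
# itself, so input is REJECT; replies to connections the router or its clients opened
# are still let through by conntrack. Output and masquerading stay on so the
# 10.0.1.0/24 clients are hidden behind the tun0 address; mtu_fix clamps TCP MSS to
# the tunnel MTU (the tunnel overhead shrinks the MTU, and without clamping large TCP
# segments stall when path-MTU discovery is filtered). If something on the router must
# be reachable from the tunnel, add an explicit 'config rule' with src 'vpn' rather
# than re-opening input for the whole zone.
config zone
	option name    'vpn'
	option network 'vpn'
	option input   'REJECT'
	option output  'ACCEPT'
	option forward 'REJECT'
	option masq    '1'
	option mtu_fix '1'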

# The wan DHCP client must still receive offers/acks on udp/68 despite input REJECT.
config rule
	option name      'Allow-DHCP-Renew'
	option src       'wan'
	option family    'ipv4'
	option proto     'udp'
	option dest_port '68'
	option target    'ACCEPT'

# Answer IPv4 echo-requests from the uplink. Drop this rule if the router should not
# respond to probes from the WAN side.
config rule
	option name      'Allow-Ping'
	option src       'wan'
	option family    'ipv4'
	option proto     'icmp'
	option icmp_type 'echo-request'
	option target    'ACCEPT'

# DHCPv6 server -> client traffic, restricted to link-local addresses on both ends.
config rule
	option name      'Allow-DHCPv6'
	option src       'wan'
	option family    'ipv6'
	option proto     'udp'
	option src_ip    'fe80::/10'
	option dest_ip   'fe80::/10'
	option src_port  '547'
	option dest_port '546'
	option target    'ACCEPT'

# ICMPv6 types the router itself needs from the uplink (neighbour/router discovery,
# path-MTU and error reporting), rate-limited to 1000/s.
config rule
	option name   'Allow-ICMPv6-Input'
	option src    'wan'
	option family 'ipv6'
	option proto  'icmp'
	option limit  '1000/sec'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'

# Same error/PMTU ICMPv6 types forwarded from wan into any zone (dest '*'), i.e. this
# is a deliberate exception to the forward REJECT policy so IPv6 path-MTU discovery
# works for hosts behind the router; rate-limited to 1000/s.
config rule
	option name   'Allow-ICMPv6-Forward'
	option src    'wan'
	option dest   '*'
	option family 'ipv6'
	option proto  'icmp'
	option limit  '1000/sec'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'

# Extra iptables commands (the file is not part of this listing). It is executed by the
# firewall on every reload and sits outside the zone model above, so review it together
# with this file -- the VPN policy routing, if any, may live there.
config include
	option path '/etc/firewall.user'

# VPN-client wifi (10.0.1.0/24). forward REJECT plus the single wifi -> vpn forwarding
# means these clients never reach lan or wan directly. input ACCEPT lets them use the
# router's services (presumably DHCP/DNS) but also its management interfaces
# (ssh/web UI); if the wifiVPN passphrase is shared with people who should not
# administer the router, switch input to REJECT and add rules for udp/67 and
# tcp+udp/53 with src 'wifi' instead.
config zone
	option name    'wifi'
	option network 'wifi'
	option input   'ACCEPT'
	option output  'ACCEPT'
	option forward 'REJECT'

# Only allowed path out of the wifi zone: packets whose egress interface is tun0.
# This is a firewall permission, not a route -- something in the routing setup (e.g.
# policy routing for 10.0.1.0/24 via tun0; whatever the VPN client installs is not
# shown here) must actually send that traffic into the tunnel, otherwise it is routed
# towards wan and rejected by the default forward policy. Conversely, if the VPN client
# replaces the router's default route, lan traffic heads for tun0 too and is rejected,
# since lan may only forward to wan. The rejection doubles as a kill switch: if tun0
# goes down, wifi clients lose connectivity rather than leaking onto wan.
config forwarding
	option src  'wifi'
	option dest 'vpn'

# Regular LAN goes straight to the uplink and never through the tunnel
# (there is no lan -> vpn forwarding).
config forwarding
	option src  'lan'
	option dest 'wan'

