Introduction

I've been using IPCop for some years at home now, so when we changed ISPs at work I migrated the firewall to IPCop. And that is where my troubles began. SNAT was a breeze, but static routes were a pain. I have the following configuration at work.

                          /----[Cisco ASA (VPN)]----\
                         /                           \
Internet (RED)----------[FIREWALL]----------(GREEN) local LAN
                          \      \
                           \      \--------(ORANGE) servers on the internet
                            \
                             \---------(BLUE) wireless network

Let's get going.

Setting Up SNAT

The Problem

Some services prefer or demand that responses come from the same IP address they are talking to. SMTP is a great example. SNAT resolves the problem.

The Solution

In my configuration eth2 is the RED interface; change it to the interface your RED is on. You only want SNAT to happen when packets are leaving the RED interface, which is what the -o eth2 match does. You'll cause all sorts of problems if you leave it out.

# Do source natting for the internal server. Change 192.168.x.254 to x.x.x.227
/sbin/iptables -t nat -A CUSTOMPOSTROUTING -s YOUR-INTERNAL-SERVER -o eth2 -j SNAT --to-source YOUR-EXTERNAL-IP
# Accept PING traffic (we need this to allow our external site monitors to ping the actual server)
/sbin/iptables -A CUSTOMFORWARD -p icmp -d YOUR-INTERNAL-SERVER -j ACCEPT

Static Routes

The Problem

Work has a Cisco ASA providing a VPN to the parent company, and IPCop is the default gateway. So I needed IPCop to route packets going to the parent company to the ASA.

The Solution

The easy part: add the static routes. See the example below.

# route traffic for the parent company to the cisco asa
route add -net 192.168.1.0/24 gw 192.168.200.154
route add -net 192.168.9.0/24 gw 192.168.200.154

Didn't work, did it? It does work partially. Remember, IPCop is a firewall: having a route is not enough, the FORWARD chain also has to let the traffic through. This next section beats the cop down so the static routes work. The example below is a brute force solution (it accepts anything between any two 192.168.0.0/16 addresses arriving on GREEN), and you should fine tune it for your setup. The rule is inserted as the first item in the FORWARD chain so it takes precedence over IPCop's own rules.

# allow all traffic for 192.168.0.0/16 networks on green only
# this deals with routing to/from the cisco vpn
iptables -I FORWARD -i eth0 -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

Here's an example. Your local network is 192.168.1.0/24. IPCop has the address 192.168.1.254. The VPN device has an IP address of 192.168.1.200. The network on the other end of the VPN has the IP block 192.168.2.0/24.

Set the static route with the following:

route add -net 192.168.2.0/24 gw 192.168.1.200

Next set the iptables rules:

iptables -I FORWARD -i eth0 -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i eth0 -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT

Conclusion

It works and life is good.

Links

IPCop - http://www.ipcop.org
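As an added example that is not from the original page or from the IPCop project: a small POSIX shell helper (hypothetical names ip2int, prefix2mask, in_subnet and vpn_route_rules) that checks the VPN gateway really is on the GREEN subnet before emitting the static route and the two FORWARD rules from the worked example above, scoped to the exact networks rather than the whole 192.168.0.0/16. It assumes GREEN is eth0 and only prints the commands; nothing is applied.

```shell
#!/bin/sh
# Hypothetical helper, not IPCop code: validate the VPN gateway is on-link on
# GREEN, then print the static route plus the two FORWARD rules scoped to the
# two networks involved instead of the whole 192.168.0.0/16. Nothing is
# applied; review the output, then paste it into rc.local or pipe it to sh.

# Dotted quad -> 32-bit integer (e.g. 192.168.1.200 -> 3232235976).
ip2int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length (0-32) -> netmask as an integer.
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# in_subnet IP NET/PREFIX -> exit status 0 if IP lies inside NET/PREFIX.
in_subnet() {
    net=${2%/*}
    mask=$(prefix2mask "${2#*/}")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# vpn_route_rules GREEN_IF GREEN_NET VPN_GW REMOTE_NET
# Fails instead of printing anything when VPN_GW is not inside GREEN_NET: a
# static route whose gateway is not directly reachable is silently useless.
vpn_route_rules() {
    gif=$1; gnet=$2; gw=$3; rnet=$4
    if ! in_subnet "$gw" "$gnet"; then
        echo "error: gateway $gw is not inside $gnet" >&2
        return 1
    fi
    # -I puts the rules at the top of FORWARD so they win over IPCop's own.
    cat <<EOF
route add -net $rnet gw $gw
iptables -I FORWARD -i $gif -s $gnet -d $rnet -j ACCEPT
iptables -I FORWARD -i $gif -s $rnet -d $gnet -j ACCEPT
EOF
}

# Constructed sample matching the page's worked example (GREEN = eth0).
vpn_route_rules eth0 192.168.1.0/24 192.168.1.200 192.168.2.0/24
```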