RomanHK
by RomanHK » Fri Sep 27, 2019 9:59 am
coolman wrote: I've tried a Sophos UTM connection with OpenVPN and had the same issue; to solve it I set a NAT masquerade for internal and external.
How can I replicate this setting with gargoyle?
Edit the /etc/config/firewall file via ssh and add the following lines to the appropriate zones:
# Both are options of a 'config zone' section (source NAT and MSS clamping for
# traffic leaving that zone); they are not valid inside a 'config forwarding' section.
option masq '1'
option mtu_fix '1'
To apply the changes, restart the firewall:
... or restart the router.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0
http://gargoyle.romanhk.cz custom builds by gargoyle users
coolman
by coolman » Fri Sep 27, 2019 12:32 pm
Hi Roman, thanks for your reply. I've modified the firewall file and rebooted, but nothing changed. I can ping the IP of Gargoyle and the IP of the VPN, but nothing else. This is my firewall config (the default, plus the masq and mtu options added to the three forwardings at the end of the file).
Do you have any more tricks to solve my problem?
thanks
# Quoted as posted: /etc/config/firewall of an OpenWrt/Gargoyle router.
# Review comments added; the option lines themselves are unchanged.
#
# Global policy: the router's own input/output default to ACCEPT and forwarded
# traffic to REJECT, so the per-zone 'input' and the 'forwarding' sections
# below are what actually decide who may reach the router and what may cross it.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# LAN: fully trusted zone (everything from LAN to the router is accepted).
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# WAN: unsolicited input is rejected except where a rule below allows it.
# 'masq' (source NAT) and 'mtu_fix' (MSS clamping) apply to traffic leaving via
# this zone - this is the place those two options belong.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
# The rules from here down to Allow-ISAKMP appear to be the stock OpenWrt
# defaults: each one punches a specific hole in the WAN zone's REJECT policy.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers ICMPv4 echo from the Internet (no rate limit on this one).
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# IPv6 housekeeping: DHCPv6 and MLD are restricted to link-local/ULA sources.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 to the router itself, rate-limited to 1000/sec.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from WAN to any zone ('*'); the error types here are what
# keeps IPv6 path-MTU discovery working for hosts behind the router.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Forwards unsolicited ESP and ISAKMP (UDP 500) from WAN into the LAN zone.
# Only needed if a LAN host terminates IPsec; if none does, these two rules can
# be disabled to shrink the exposed surface.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Include scripts run on every firewall reload and can add rules outside the
# UCI model; their contents deserve the same review as this file.
config include
option path '/etc/firewall.user'
option reload '1'
config include
option type 'script'
option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
option family 'IPv4'
option reload '1'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config include 'openvpn_include_file'
option path '/etc/openvpn.firewall'
option reload '1'
config include 'tor_include_file'
option path '/etc/tor.firewall'
option reload '1'
# VPN zone bound to the tun0 device.
# 'input ACCEPT' lets every connected VPN client reach the router's own
# services (management UI, ssh, DNS, ...); fine only if all clients are trusted,
# otherwise use REJECT plus explicit rules for what clients may reach.
# 'masq' here source-NATs traffic leaving towards the clients to the router's
# tunnel address; it is probably not needed for clients to reach LAN or WAN
# (the router is the LAN's gateway) and it hides LAN source addresses from them.
config zone 'vpn_zone'
option name 'vpn'
option device 'tun0'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
option masq '1'
config forwarding 'vpn_lan_forwarding'
option src 'lan'
option dest 'vpn'
# Duplicates the unnamed lan -> wan forwarding above; redundant but harmless.
# NOTE(review): 'masq' and 'mtu_fix' are zone options and have no effect in a
# forwarding section (here and in the two forwardings below) - see the reply
# further down the thread.
config forwarding 'lan_wan_forwarding'
option src 'lan'
option dest 'wan'
option masq '1'
option mtu_fix '1'
# Despite the section name this is vpn -> lan: VPN clients may reach LAN hosts.
config forwarding 'lan_vpn_forwarding'
option src 'vpn'
option dest 'lan'
option masq '1'
option mtu_fix '1'
# Gargoyle-specific section: opens UDP 1194 on the WAN zone for the OpenVPN
# server (presumably implemented by the gargoyle_additions.firewall include).
config remote_accept 'ra_openvpn'
option zone 'wan'
option local_port '1194'
option remote_port '1194'
option proto 'udp'
# vpn -> wan: required because the OpenVPN server pushes redirect_gateway, so
# all client Internet traffic exits via the router; NAT for it comes from the
# 'masq' on the wan zone, not from the option here.
config forwarding 'vpn_wan_forwarding'
option src 'vpn'
option dest 'wan'
option masq '1'
option mtu_fix '1'
openvpn_gargoyle
# Quoted as posted: Gargoyle's OpenVPN UCI config (the Gargoyle option names are
# presumably translated into OpenVPN directives by its scripts). Review comments
# added; the option lines themselves are unchanged.
#
# Server side of the tunnel: 10.8.0.0/24, UDP 1194 - matches the 'ra_openvpn'
# remote_accept section in the firewall config.
config server 'server'
option internal_ip '10.8.0.1'
option internal_mask '255.255.255.0'
option port '1194'
option proto 'udp'
# AES-256-CBC is a non-AEAD cipher (separate HMAC for integrity). If the OpenVPN
# build on both ends supports it, an AEAD cipher such as AES-256-GCM is preferable.
option cipher 'AES-256-CBC'
# Clients cannot talk to each other through the tunnel - good isolation default.
option client_to_client 'false'
# One active session per client certificate; a second connection with the same
# CN displaces the first, which also makes a shared or leaked cert noticeable.
option duplicate_cn 'false'
# All client traffic is routed through the tunnel, so the firewall needs a
# vpn -> wan forwarding and 'masq' on the wan zone for clients to reach the Internet.
option redirect_gateway 'true'
option enabled 'true'
# The LAN subnet route is pushed to clients (pairs with the vpn -> lan forwarding).
option subnet_access 'true'
option subnet_ip '192.168.10.0'
option subnet_mask '255.255.255.0'
# Client mode of this router is off; it only acts as a server.
config client 'client'
option enabled 'false'
# One authorised client with a fixed tunnel address.
config allowed_client 'client1'
option id 'client1'
option name 'Client1'
option ip '10.8.0.2'
# 'WANIP' looks like a placeholder for the router's public address or hostname as posted.
option remote 'WANIP'
option prefer_vpngateway '0'
option enabled 'true'
RomanHK
by RomanHK » Fri Sep 27, 2019 12:57 pm
The two lines belong only in a "zone" section. In a "forwarding" section they do not belong: they have no effect there and are wrong.
Turris Omnia with OpenWrt 21.02 - Tested
Linksys WRT3200ACM with Gargoyle 1.13.x
TL-WR1043ND v2 with Gargoyle 1.10.0
http://gargoyle.romanhk.cz custom builds by gargoyle users
coolman
by coolman » Fri Sep 27, 2019 3:40 pm
Thanks Roman, I will try it and try to understand how it works.
Forger38
by Forger38 » Sat Oct 12, 2019 1:29 am
I've tried that and it works, thanks!