LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
09-29-2015, 07:59 AM   #1
pandersson61 (Member; Registered: Jan 2004; Distribution: Ubuntu 9.10, 10.04; Posts: 40)
Shorewall Route ip range to another firewall (for vpn connections)


Is it possible to route specific IP addresses to a different router on the network?

This is our setup:

10.10.10.1 - A hardware router with configured vpn tunnels (slow)
10.10.10.20 - Linux server running shorewall (fast)

I'd like to run all network traffic through the Linux server, but I'd like to use the hardware router for the VPN tunnels. (OpenVPN doesn't support the encryption used on the tunnels, so I can't run the tunnels on the Linux server.)

Example:
The hardware firewall has a configured tunnel to the network 192.168.1.0
So the connection to a tunneled network would be routed like this:

10.10.10.30 (Client computer) -> 10.10.10.20 (Linux firewall) -> 10.10.10.1 (Hardware firewall) -> Tunneled to 192.168.1.1

And all other connections would be:
10.10.10.30 (Client computer) -> 10.10.10.20 (Linux firewall) -> google.com (or something)

I hope you understand what I'm looking for.
Any help would be very much appreciated, as the hardware firewall only allows connection speeds < 200 Mbit/s.

/Peter

10-01-2015, 02:17 PM   #2
nini09 (Senior Member; Registered: Apr 2009; Posts: 1,855)
Where is the VPN terminator, at the Linux or the hardware firewall?

10-05-2015, 06:36 AM   #3
pandersson61 (Member; Original Poster; Registered: Jan 2004; Distribution: Ubuntu 9.10, 10.04; Posts: 40)
Thanks for the reply!
The idea is that the hardware firewall will handle all VPN connections while the Linux firewall handles all other network traffic.
So the terminator would be on the hardware firewall.

10-05-2015, 02:33 PM   #4
nini09 (Senior Member; Registered: Apr 2009; Posts: 1,855)
You can use iptables to pass all ESP packets through to the hardware firewall. Then the Linux firewall will handle the other traffic, plain packets.

10-06-2015, 03:40 AM   #5
pandersson61 (Member; Original Poster; Registered: Jan 2004; Distribution: Ubuntu 9.10, 10.04; Posts: 40)
The hardware firewall handles all the VPN connections and the tunnels are always open.
So all the client has to do to connect to the servers via VPN is to connect to:

smb://[ip of the vpn tunnel]

So simple packet filtering will not work.
The end user does not know whether they are connecting to a computer on our local network or to a computer connected via VPN.
I will need to route specific IP addresses/ranges to the hardware firewall, while all other traffic goes via the Linux server.

Say we have two servers that are connected via VPN.
Those have IP addresses 192.168.1.1 and 20.20.20.240.
This is what I want to do:
Code:
----------------------
|                    |
| Clients connect    |
| via ip or hostname |
----------------------
          |
          |
-------------------------                ---------------------            -------------
| Linux router/firewall |                |                   |            |           |
|                       |                |                   |            |           |
| 192.168.1.1 -------------------------->| Hardware Firewall | ---------> | VPN Hosts |
| 20.20.20.240 ------------------------->|                   |            |           |
|                       |                |                   |            |           |
|                       |                ---------------------            -------------
|                       |
|                       |
|                       |                ----------------
| All other traffic -------------------->| Internet/ISP |
|                       |                |              |
-------------------------                ----------------
This also means that the Linux firewall and the hardware firewall will have different public IP addresses and different internet connections.
I hope you understand what I mean.
And thanks again for helping out.

Last edited by pandersson61; 10-06-2015 at 10:38 AM.
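What post #5 describes is two static routes on the Linux router plus the Shorewall settings that let traffic enter and leave on the same LAN interface. The script below is an added example written for this thread; it is not code posted by anyone in it and not part of Shorewall. It assumes (hypothetically) that eth0 is the Linux router's LAN interface (10.10.10.20/24) in Shorewall zone loc, eth1 is its ISP uplink in zone net, and the only destinations behind the hardware firewall are 192.168.1.0/24 and the single host 20.20.20.240. It models the routing decision the kernel will make once the routes are installed, and prints the route commands and Shorewall fragments instead of touching the live system.

```shell
#!/bin/sh
# Added example for this thread; not code posted by pandersson61 or shipped
# with Shorewall. Assumed (hypothetical) layout: eth0 = LAN (10.10.10.20/24,
# zone loc), eth1 = ISP uplink (zone net), hardware firewall = 10.10.10.1.

LAN_IF=eth0
VPN_GW=10.10.10.1                        # hardware firewall, terminates the tunnels
VPN_NETS="192.168.1.0/24 20.20.20.240/32" # reachable only through the tunnels

# Dotted quad -> 32-bit integer, POSIX sh only (no external tools).
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Model the kernel's longest-prefix match for one destination: the next hop
# is the hardware firewall only when the address falls inside VPN_NETS;
# anything else keeps following the default route out to the ISP.
next_hop_for() {
    _dst=$(ip2int "$1"); _best_len=-1; _hop=default
    for _net in $VPN_NETS; do
        _len=${_net#*/}
        _mask=$(( (4294967295 << (32 - _len)) & 4294967295 ))
        if [ $(( _dst & _mask )) -eq $(( $(ip2int "${_net%/*}") & _mask )) ] \
           && [ "$_len" -gt "$_best_len" ]; then
            _best_len=$_len; _hop=$VPN_GW
        fi
    done
    echo "$_hop"
}

# Static routes for the Linux router. Running them from /etc/shorewall/started
# re-adds them on every "shorewall restart"; "replace" makes them idempotent.
vpn_route_commands() {
    for _net in $VPN_NETS; do
        echo "ip route replace $_net via $VPN_GW dev $LAN_IF"
    done
}

# Shorewall pieces the hairpin needs. Packets for VPN_NETS arrive on eth0 and
# leave on eth0 again, so the interface needs "routeback" and a loc->loc rule
# must accept them. The second masq line SNATs that traffic to the router's own
# LAN address so the replies come back through the Linux box (see note below);
# remove it if the VPN hosts must see the real client address.
shorewall_fragments() {
    _vpn_list=$(echo $VPN_NETS | tr ' ' ',')
    cat <<EOF
# /etc/shorewall/interfaces   (ZONE INTERFACE BROADCAST OPTIONS)
loc   $LAN_IF   detect   routeback
net   eth1      detect

# /etc/shorewall/rules        (ACTION SOURCE DEST)
ACCEPT  loc   loc:$_vpn_list

# /etc/shorewall/masq         (INTERFACE SOURCE ADDRESS)
eth1                  10.10.10.0/24
$LAN_IF:$_vpn_list   10.10.10.0/24   10.10.10.20

# /etc/shorewall/started
$(vpn_route_commands)
EOF
}

shorewall_fragments
```

Two caveats a practitioner will hit with this design. First, because the Linux router forwards the packet back out the interface it arrived on toward a next hop on the same subnet, the kernel sends an ICMP redirect to 10.10.10.30 telling it to talk to 10.10.10.1 directly; clients that honor redirects then bypass the Linux firewall for those destinations, so set net.ipv4.conf.eth0.send_redirects=0 if the Linux box is supposed to stay in the path. Second, without the SNAT line the return traffic goes straight from the hardware firewall to the client, so conntrack on the Linux router sees only the client-to-server half of each TCP connection; once the entry is stuck in SYN_SENT, the client's later ACKs are classified INVALID and a Shorewall policy that drops invalid packets will break the connection. SNAT to 10.10.10.20 makes the path symmetric at the cost of hiding the client address from the hardware firewall's logs.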