Netgate Discussion Forum

    Shell Bypassing Firewall Rules

    Scheduled Pinned Locked Moved Firewalling
    11 Posts 2 Posters 788 Views
    • R
      Rawr44
      last edited by Rawr44

      Hello, so I don't really know that much about networks, so forgive me if this is a really simple fix. Alright, so I have two VPN connections and let's call them VPN1 and VPN2. Currently the rules are set up so that all the traffic goes through VPN1, and if the VPN goes down, nothing is routed and the internet goes down as expected. But for some reason if I go into the command prompt/shell and try curl --interface ovpnc2 icanhazip.com with ovpnc2 being VPN2, what comes back is the IP for VPN1. Also happens if I try using traceroute. I have also tried putting the hostname into an alias and even tried just using its IP 116.202.244.153 so that it redirects to VPN2, but it still always shows VPN1's IP. It only happens if I use the command prompt/shell and not if I use a browser; using a browser on another computer gives VPN2's IP, which is what I want. Been trying to figure this out for hours but I really can't think of anything else to try that might fix it. Any help would be greatly appreciated, thanks! :D ^.^

      Also I keep getting this...
      ERROR Post content was flagged as spam by Akismet.com

      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        I assume VPN1 is the default route/gateway here?

        Also that traffic coming from the client is going through a policy routing rule sending it via VPN2?

        Do the VPN client connections have different gateway IPs?

        Steve

        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Hmm, OK, I was able to replicate that to some extent and it was because I had an auto outbound NAT rule for the VPN tunnel subnet. In my case it was out the WAN directly. Removing that (setting Do not NAT) stopped that happening.

          Steve

          • R
            Rawr44 @stephenw10
            last edited by Rawr44

            @stephenw10 said in Shell Bypassing Firewall Rules:

            I assume VPN1 is the default route/gateway here?

            Also that traffic coming from the client is going through a policy routing rule sending it via VPN2?

            Do the VPN client connections have different gateway IPs?

            Steve

            Yes, VPN1 is the default, assuming Default gateway IPv4 in the routing tab is the correct place to set it.
            Policy routing rules? Do you mean in the rules under the firewall tab, Firewall/Rules/LAN? If so then yes, I set a rule there that's supposed to redirect it to VPN2.
            Yes, they're different.

            @stephenw10 said in Shell Bypassing Firewall Rules:

            Hmm, OK, I was able to replicate that to some extent and it was because I had an auto outbound NAT rule for the VPN tunnel subnet. In my case it was out the WAN directly. Removing that (setting Do not NAT) stopped that happening.

            Steve

            So check the "Do not NAT - Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules" box? Just want to make sure that this is the correct one.

            Thanks.

              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                Yes, that. So you should not ever be NATing the VPN2 tunnel subnet as a source out of the VPN1 interface.

                Steve

                • R
                  Rawr44 @stephenw10
                  last edited by

                  @stephenw10 said in Shell Bypassing Firewall Rules:

                  Yes, that. So you should not ever be NATing the VPN2 tunnel subnet as a source out of the VPN1 interface.

                  Steve

                  Alright, I've tried setting that option, but I don't know which one to set it on, so I tried setting it on the 192.168.1.0/24 NAT mappings, which ended up blocking the internet while using a browser, but the shell was still able to access the internet. I have others if you want me to try those: 127.0.0.0/8, 10.0.0.0/8, and 10.0.0.0/24.

                  Once again sorry, I'm not really familiar with networks in general so I really hope that made sense.

                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    It's the actual VPN2 tunnel subnet you need to prevent NATing, so that's the IP given to the VPN2 client when it connects.

                    Do you actually have 10.0.0.0/8 as an internal subnet? That's ludicrously huge if so.

                    That rule might be covering the VPN2 subnet and making this happen.

                    Steve

                    • R
                      Rawr44 @stephenw10
                      last edited by

                      @stephenw10 said in Shell Bypassing Firewall Rules:

                      It's the actual VPN2 tunnel subnet you need to prevent NATing, so that's the IP given to the VPN2 client when it connects.

                      Do you actually have 10.0.0.0/8 as an internal subnet? That's ludicrously huge if so.

                      That rule might be covering the VPN2 subnet and making this happen.

                      Steve

                      AH HA! It worked! Thanks for all the help! Also yeah, I have auto rules/mappings for 10.0.0.0/8 and 10.0.0.0/24; I ended up setting both of them to Do not NAT because I didn't know which one to set it on. Also, any idea why I have that set, and is it a bad thing or something? Oh and lastly, what exactly does Do not NAT do? I've tried looking it up but it got a bit confusing... >.<

                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        10.0.0.0/8 is probably wrong unless you have a number of subnets that are inside that as internal networks. If you're not using any 10.x.x.x subnets then you don't need those at all. Remember they might be VPN tunnel subnets which you might need NAT'd for internet access.

                        Steve

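As an added illustration (not pfSense code and not written by anyone in this thread), here is a small Python model of how pf picks an outbound NAT rule, showing why a broad 10.0.0.0/8 mapping on the VPN1 interface also catches the VPN2 tunnel address and what flipping that mapping to Do not NAT changes. The VPN1 interface name ovpnc1 and the tunnel address 10.0.0.6 are assumptions.

```python
# Toy model of pf outbound NAT evaluation, added to illustrate the thread.
# pf walks outbound NAT rules in order; the first rule whose egress interface
# and source network match decides, and a "Do not NAT" (pf "no nat") rule
# matches and stops processing, so the source address is left untouched.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    interface: str        # egress interface the mapping applies to
    source: str           # source network in CIDR notation
    no_nat: bool = False  # True models the "Do not NAT" checkbox


def first_match(rules, egress_if, src_ip):
    """Return the first rule matching this egress interface and source."""
    ip = ip_address(src_ip)
    for rule in rules:
        if rule.interface == egress_if and ip in ip_network(rule.source):
            return rule
    return None


def will_translate(rules, egress_if, src_ip):
    """True if the source address would be rewritten on the way out."""
    rule = first_match(rules, egress_if, src_ip)
    return rule is not None and not rule.no_nat


def diagnose(rules, egress_if, src_ip):
    """Human-readable verdict for a packet leaving egress_if from src_ip."""
    rule = first_match(rules, egress_if, src_ip)
    if rule is None:
        return "no outbound NAT rule matches; source left untouched"
    verb = "not translated (Do not NAT)" if rule.no_nat else "translated"
    return f"{verb} by rule on {rule.interface} for {rule.source}"


# Constructed sample: auto mappings on the VPN1 interface (assumed ovpnc1)
# and a constructed VPN2 tunnel address that falls inside 10.0.0.0/8.
VPN2_TUNNEL_IP = "10.0.0.6"
BEFORE = [
    NatRule("ovpnc1", "192.168.1.0/24"),
    NatRule("ovpnc1", "10.0.0.0/8"),   # broad rule also covers the tunnel IP
    NatRule("ovpnc1", "10.0.0.0/24"),
]
# After the fix from the thread: the two 10.x mappings set to Do not NAT.
AFTER = [BEFORE[0], NatRule("ovpnc1", "10.0.0.0/8", no_nat=True),
         NatRule("ovpnc1", "10.0.0.0/24", no_nat=True)]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", diagnose(rules, "ovpnc1", VPN2_TUNNEL_IP))
```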
                        • R
                          Rawr44 @stephenw10
                          last edited by

                          @stephenw10 said in Shell Bypassing Firewall Rules:

                          10.0.0.0/8 is probably wrong unless you have a number of subnets that are inside that as internal networks. If you're not using any 10.x.x.x subnets then you don't need those at all. Remember they might be VPN tunnel subnets which you might need NAT'd for internet access.

                          Steve

                          Ah, and sorry for the delayed response. Think I'll just leave them; doesn't seem to hurt anything if I do. Also thanks for all the help, really appreciate it! :D ^.^

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.