Shell Bypassing Firewall Rules

  • Hello, so I don't really know that much about networks, so forgive me if this is a really simple fix. Alright, so I have two VPN connections; let's call them VPN1 and VPN2. Currently the rules are set up so that all the traffic goes through VPN1, and if the VPN goes down, nothing is routed and the internet goes down as expected. But for some reason, if I go into the command prompt/shell and try curl --interface ovpnc2 icanhazip.com, with ovpnc2 being VPN2, what comes back is the IP for VPN1. It also happens if I try using traceroute. I have also tried putting the hostname into an alias and even tried just using its IP 116.202.244.153 so that it redirects to VPN2, but it still always shows VPN1's IP. It only happens if I use the command prompt/shell and not if I use a browser; using a browser on another computer gives VPN2's IP, which is what I want. Been trying to figure this out for hours, but I really can't think of anything else to try that might fix it. Any help would be greatly appreciated, thanks! :D ^.^

    Also I keep getting this...
    ERROR Post content was flagged as spam by Akismet.com


  • Netgate Administrator

    I assume VPN1 is the default route/gateway here?

    Also, is the traffic coming from the client going through a policy routing rule sending it via VPN2?

    Do the VPN client connections have different gateway IPs?

    Steve


  • Netgate Administrator

    Hmm, OK, I was able to replicate that to some extent, and it was because I had an auto outbound NAT rule for the VPN tunnel subnet. In my case it was out the WAN directly. Removing that (setting Do not NAT) stopped that happening.

    Steve



  • @stephenw10 said in Shell Bypassing Firewall Rules:

    I assume VPN1 is the default route/gateway here?

    Also, is the traffic coming from the client going through a policy routing rule sending it via VPN2?

    Do the VPN client connections have different gateway IPs?

    Steve

    Yes, VPN1 is the default, assuming "Default gateway IPv4" in the Routing tab is the correct place to set it.
    Policy routing rules? Do you mean the rules under the Firewall tab, Firewall/Rules/LAN? If so, then yes, I set a rule there that's supposed to redirect it to VPN2.
    Yes, they're different.

    @stephenw10 said in Shell Bypassing Firewall Rules:

    Hmm, OK, I was able to replicate that to some extent, and it was because I had an auto outbound NAT rule for the VPN tunnel subnet. In my case it was out the WAN directly. Removing that (setting Do not NAT) stopped that happening.

    Steve

    So check the "Do not NAT - Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules" box? Just want to make sure that this is the correct one.

    Thanks.




  • Netgate Administrator

    Yes, that. So you should never be NATing the VPN2 tunnel subnet as a source out of the VPN1 interface.

    Steve
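As an added example (not from the thread, not pfSense's own code), here is a small shell check that does what Steve's diagnosis suggests: scan the live NAT ruleset for an outbound NAT rule that translates the VPN2 tunnel subnet out the VPN1 interface, and print the `no nat` rule pfSense's "Do not NAT" option would generate in its place. Interface names (`ovpnc1` = VPN1, `ovpnc2` = VPN2), the tunnel subnet `10.9.0.0/24`, the LAN subnet `192.168.1.0/24` and the sample `pfctl -s nat` output are all assumptions constructed for the example; on a real box, replace the sample with the output of `pfctl -s nat`.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Assumed names: VPN1 = ovpnc1, VPN2 = ovpnc2, VPN2 tunnel subnet = 10.9.0.0/24,
# LAN = 192.168.1.0/24. All values are made up for illustration.

# Constructed sample of `pfctl -s nat` on a box with the problematic auto
# outbound NAT rule (second line): VPN2's tunnel subnet NATed out VPN1.
SAMPLE_NAT_RULES='nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1:0) port 1024:65535
nat on ovpnc1 inet from 10.9.0.0/24 to any -> (ovpnc1:0) port 1024:65535
nat on ovpnc2 inet from 192.168.1.0/24 to any -> (ovpnc2:0) port 1024:65535'

# find_bad_nat IFACE SUBNET RULES
# Prints every "nat on IFACE ... from SUBNET ..." rule found in RULES.
# Lines starting with "no nat" are exempt (they are the fix, not the bug).
find_bad_nat() {
    iface="$1"; subnet="$2"; rules="$3"
    printf '%s\n' "$rules" | awk -v i="$iface" -v s="$subnet" \
        '$1 == "nat" && $2 == "on" && $3 == i && $5 == "from" && $6 == s { print }'
}

# count_bad_nat IFACE SUBNET RULES -> number of offending rules
count_bad_nat() {
    find_bad_nat "$1" "$2" "$3" | wc -l | tr -d ' '
}

# fix_rule IFACE SUBNET
# Emits the pf rule that "Do not NAT" corresponds to: source SUBNET must
# never be translated when leaving IFACE. (Assumed form of the generated rule.)
fix_rule() {
    printf 'no nat on %s inet from %s to any\n' "$1" "$2"
}

# Stand-alone run against the constructed sample. On pfSense you would use:
#   RULES="$(pfctl -s nat)"
if [ "$(count_bad_nat ovpnc1 10.9.0.0/24 "$SAMPLE_NAT_RULES")" -gt 0 ]; then
    echo "Offending outbound NAT rule(s):"
    find_bad_nat ovpnc1 10.9.0.0/24 "$SAMPLE_NAT_RULES"
    echo "Add a Do not NAT rule equivalent to:"
    fix_rule ovpnc1 10.9.0.0/24
fi
```

The check only looks at the `nat on <if> ... from <subnet>` fields, so it is independent of the translation target printed after `->`, which differs between pfSense releases; the exact layout of real `pfctl -s nat` output may still differ from the constructed sample, so confirm with a manual read before relying on the count.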

