Is it possible to duplicate this Shorewall configuration in IPFire?

I’m looking at a Shorewall VPN configuration for overlapping LANs here that I need to try to duplicate in IPFire.

I think that it may be possible to duplicate the setup listed for Shorewall 4.4.22 or earlier using either a combination of SNAT and DNAT firewall rules in the GUI or by modifying the CUSTOMPREROUTING and CUSTOMPOSTROUTING chains using firewall.local. Based on what I’ve seen for modifying iptables for this, I suspect the latter is the correct way but don’t know for sure either way.

Unfortunately, that method assumes that the firewalls at both ends of the connection can be changed. What I’m really looking to do is duplicate the setup listed for Shorewall 4.4.23 or later. That seems to require that the kernel has rawpost table support in iptables, an xtables-addon if I remember correctly, and I don’t know if IPFire supports that. Does anyone know if this is possible and, if so, how it needs to be configured?
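As an added example of the first approach described above (the Shorewall 4.4.22-style setup where both firewalls translate their own side), here is a firewall.local fragment for one end of the tunnel. This is not code from the original post, nor IPFire's or Shorewall's own code. It assumes the CUSTOMPREROUTING and CUSTOMPOSTROUTING chains exist in the nat table, that the IPFire kernel ships the mainline xt_NETMAP target (part of iptables, not xtables-addons), an OpenVPN net-to-net tunnel on tun0, and the address ranges given in the variables; all of those are assumptions to adjust.

```shell
#!/bin/sh
# Added example for IPFire's /etc/sysconfig/firewall.local; not IPFire's or
# Shorewall's own code. Assumed values: this site's real LAN, the alias range
# the remote site uses to reach it, the alias range this site uses to reach the
# remote LAN, and the tunnel interface name. xt_NETMAP in the IPFire kernel and
# the CUSTOMPREROUTING/CUSTOMPOSTROUTING chains in the nat table are assumed.
LOCAL_NET="192.168.1.0/24"      # real LAN at this site (assumed)
LOCAL_ALIAS="10.0.1.0/24"       # how the remote site addresses this LAN (assumed)
REMOTE_ALIAS="10.0.2.0/24"      # how this site addresses the remote LAN (assumed)
VPN_IF="tun0"                   # tunnel interface (assumed; OpenVPN net-to-net)
IPTABLES="${IPTABLES:-iptables}"

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_overlaps A/len B/len: true (0) if the two prefixes share any address
net_overlaps() {
    n1=${1%/*}; l1=${1#*/}; n2=${2%/*}; l2=${2#*/}
    l=$l1
    if [ "$l2" -lt "$l" ]; then l=$l2; fi          # shorter prefix decides
    m=$(( (0xFFFFFFFF << (32 - l)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$n1") & m )) -eq $(( $(ip2int "$n2") & m )) ]
}

# Refuse to apply the plan if any of the three ranges collide; a collision
# would silently send traffic meant for an alias into the real LAN, or back.
check_plan() {
    for pair in "$LOCAL_NET $LOCAL_ALIAS" \
                "$LOCAL_NET $REMOTE_ALIAS" \
                "$LOCAL_ALIAS $REMOTE_ALIAS"; do
        set -- $pair
        if net_overlaps "$1" "$2"; then
            echo "overlap plan invalid: $1 overlaps $2" >&2
            return 1
        fi
    done
    return 0
}

# overlap_nat -A|-D : add or delete the two 1:1 NETMAP rules.
# Inbound from the tunnel, packets for our alias are mapped onto the real LAN
# (host part kept) before routing; outbound to the tunnel, packets from the
# real LAN towards the remote alias get their source mapped onto our alias.
# The remote firewall does the mirror image with its own two ranges.
overlap_nat() {
    op="$1"
    "$IPTABLES" -t nat "$op" CUSTOMPREROUTING -i "$VPN_IF" \
        -d "$LOCAL_ALIAS" -j NETMAP --to "$LOCAL_NET"
    "$IPTABLES" -t nat "$op" CUSTOMPOSTROUTING -o "$VPN_IF" \
        -s "$LOCAL_NET" -d "$REMOTE_ALIAS" -j NETMAP --to "$LOCAL_ALIAS"
}

# firewall.local is called with start/stop/reload; with no argument do nothing.
case "${1:-}" in
    start)  check_plan && overlap_nat -A ;;
    stop)   overlap_nat -D ;;
    reload) overlap_nat -D 2>/dev/null; check_plan && overlap_nat -A ;;
esac
```

Hosts at this site then reach the remote LAN as 10.0.2.x and are seen there as 10.0.1.x; the remote firewall needs the same two rules with its ranges swapped, which is exactly the "both ends must change" limitation of this method. After applying, `iptables -t nat -L CUSTOMPREROUTING -nv` and `-L CUSTOMPOSTROUTING -nv` should show both rules with rising packet counters. For an IPsec net-to-net connection there is no tun interface, so the `-i`/`-o` matches would have to be replaced by `-m policy --dir in --pol ipsec` and `-m policy --dir out --pol ipsec` respectively. The single-ended rawpost variant from Shorewall 4.4.23+ has no counterpart here, since it depends on the RAWSNAT/RAWDNAT targets that this fragment does not use.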

Hi @jberntsen

Welcome to the IPFire community.

xtables-addons was removed from the distribution in Core Update 165 as none of its functions were any longer being used.

I see from the xtables-addons website that it also requires xt_geoip and this module was also removed in Core Update 165 and replaced by ipset functionality.
https://blog.ipfire.org/post/ipfire-2-27-core-update-165-released

So you can’t do what you want via xtables-addons but maybe other more knowledgeable people can suggest alternative approaches to achieve what you want in IPFire.

The systems in the top cloud will access the 192.168.1.0/24 subnet in the lower cloud using addresses in another unused /24. Similarly, the systems in the bottom cloud will access the 192.168.1.0/24 subnet in the upper cloud using a second unused /24.

I'm thinking about a simple workaround. :thinking:

Because the assigned IP addresses of devices at location A cannot be used at location B, you can use a different subnet mask.
For example:

Location A

Netmask:   255.255.255.128 = 25  11111111.11111111.11111111.1 0000000
Wildcard:  0.0.0.127             00000000.00000000.00000000.0 1111111
=>
Network:   192.168.0.0/25        11000000.10101000.00000000.0 0000000 (Class C)
Broadcast: 192.168.0.127         11000000.10101000.00000000.0 1111111
HostMin:   192.168.0.1           11000000.10101000.00000000.0 0000001
HostMax:   192.168.0.126         11000000.10101000.00000000.0 1111110
Hosts/Net: 126                   (Private Internet)

Location B

Netmask:   255.255.255.128 = 25  11111111.11111111.11111111.1 0000000
Wildcard:  0.0.0.127             00000000.00000000.00000000.0 1111111
=>
Network:   192.168.0.128/25      11000000.10101000.00000000.1 0000000 (Class C)
Broadcast: 192.168.0.255         11000000.10101000.00000000.1 1111111
HostMin:   192.168.0.129         11000000.10101000.00000000.1 0000001
HostMax:   192.168.0.254         11000000.10101000.00000000.1 1111110
Hosts/Net: 126                   (Private Internet)

Best