FirewallD, Multizone, and VPN Configuration

Posted: 2021/01/07 03:43:42
by brunswickheads
We have the following configuration:

Client using OpenVPN ---> |-NIC 1 [Public]    VPN Server       NIC 2 [Trusted]-| ---> Target Servers
                          |                [VPN NIC - Trusted]                 |

Client IP:
NIC 1: a.b.c.d/24
NIC 2: w.x.y.z/18
Target Servers: e.f.g.h / e.f.i.j / e.f.k.l

Firewalld is running. There are two active zones: "Public", containing NIC 1, and "Trusted", containing NIC 2 and the NIC the VPN creates (

The client wants to get to the target servers. The VPN is allowing traffic to flow through to NIC 2, but there are rules outside our control between NIC 2 and the Target Servers that only allow source IPs from the w.x.y.z/18 subnet through. The source IP of the packets coming from the VPN is that of NIC 1. I was hoping that we'd be able to masquerade once the client's traffic got to NIC 2.

Is there a way with firewall-cmd rules (rich/direct/...) that would allow us to do source NATting on the client traffic before it gets put on NIC 2? [Also, should the VPN NIC be placed in a different zone?]

Alternatively, is there something we could do in the OpenVPN server?

TIA... Neale

Re: FirewallD, Multizone, and VPN Configuration

Posted: 2021/01/07 11:59:57
by jlehtone
First, firewalld is not recommended for a router. (Both RHEL documentation and Firewalld developers admit that it is not suitable.)
nftables.service is the alternative.

Second, does openvpn service modify firewall rules (via firewalld?) or does it leave rules for you to set?
(Quick browse says: no, you set the rules.)

You have essentially three subnets/NICs:
* WAN behind NIC 1
* LAN behind NIC 2
* VPN behind TUN*

You want to route traffic from VPN to LAN. The LAN does not know about the VPN subnet, so yes, you should sNAT that traffic.
The difference between "masquerade" and "sNAT" is that the former queries the current IP of the NIC and then uses that, while sNAT uses statically set IP address.

It is not clear whether you want to route traffic from LAN to WAN, from VPN to WAN, etc. That affects what else you have to allow through the filter (and NAT). Since firewalld offers next to no support for forwarded traffic, nftables should be considered.
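As an added illustration of the reply above (not part of the original thread, and not something either poster supplied), the following is a complete nftables ruleset for the three-interface layout described: filter the three sides, forward only VPN to LAN, and source NAT that traffic to NIC 2's address so the LAN-side ACL sees a w.x.y.z/18 source. All interface names, addresses and the OpenVPN port are placeholder assumptions: eth0 stands for NIC 1, eth1 for NIC 2, tun0 for the OpenVPN TUN device, 10.8.0.0/24 for the OpenVPN client subnet, and 192.0.2.10 for NIC 2's static address. Substitute your own values before loading it.

```nft
#!/usr/sbin/nft -f
# Added example ruleset; not from the thread. Placeholder assumptions:
#   eth0 = NIC 1 (WAN, a.b.c.d/24), eth1 = NIC 2 (LAN, w.x.y.z/18), tun0 = OpenVPN TUN
#   10.8.0.0/24 = OpenVPN client subnet, 192.0.2.10 = NIC 2's own (static) address
# Load with:  nft -f /etc/nftables/vpn-router.nft   (or include it from nftables.service's config)
# Forwarding must also be enabled:  sysctl -w net.ipv4.ip_forward=1

define WAN      = "eth0"
define LAN      = "eth1"
define VPN      = "tun0"
define VPN_NET  = 10.8.0.0/24
define LAN_ADDR = 192.0.2.10

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Services the router itself offers on the public side
        # (assumes OpenVPN on its default UDP/1194 and SSH management)
        iifname $WAN udp dport 1194 accept
        iifname $WAN tcp dport 22 accept
        # LAN and VPN sides are treated like firewalld's "trusted" zone
        iifname { $LAN, $VPN } accept
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # The one forwarding path the question asks for: VPN clients -> LAN targets.
        # LAN->WAN or VPN->WAN would each need their own accept line here.
        iifname $VPN oifname $LAN accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Static sNAT: packets leaving on NIC 2 from the VPN subnet get NIC 2's
        # address, which the downstream w.x.y.z/18-only rules accept.
        oifname $LAN ip saddr $VPN_NET snat to $LAN_ADDR
        # If NIC 2's address were not static, "masquerade" would pick up the
        # interface's current address instead:
        #   oifname $LAN ip saddr $VPN_NET masquerade
    }
}
```

Because the NAT happens in postrouting, the forward chain still sees the original 10.8.0.0/24 source, so the accept rule there matches on interfaces rather than on the translated address. Return traffic from the target servers is handled by conntrack and needs no extra rule.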