[Shorewall-users] redirecting pseudo-internal traffic

Paul Gear paulgear@bigfoot.com
Mon, 29 Apr 2002 20:25:44 +1000

Steve Estes wrote:

> ...
> My situation is that I have two sites both behind shorewall 1.2.12
> running an ipsec connection between them. We play various and sundry
> games over this connection and it works quite well. The quandary I am
> having is when we play LAN based games, all is well. When we play
> externally administrated games (Gamespy, Westwood online, Battlenet,
> etc.), what happens is that one of us creates the game and the other
> tries to attach to it via the game admin. The game gets the external
> addr from the admin and tries to connect that way. Now connections
> coming in through the front door are correctly routed to the game
> creator. But when I try to connect to this game, I'm also told to
> connect to his external IP but because of the tunnel, my connection
> does not go to his front door but rather directly to his fw box
> through the tunnel and is thus not routed correctly and I can't
> join. :-( Now I have a workaround for this which was to include a
> rule that took connections coming in off the gateway (ipsec tunnel)
> destined for the game ports and forwarded to the creator's IP. That
> works fine too if a little restrictive but that's okay for the few
> times we actually go out that way. But when we switch back to LAN
> gaming, the workaround rule has broken LAN gaming if the game
> creator is at a different (local) IP than the one the rule is
> forwarding to because the workaround rule is picking up ANY
> destination, not just the destination being the FW and forwarding
> them.

I'm not sure if I'm understanding your configuration here properly,
Steve, but it seems to me that the solution to these problems is not
firewall rules, but a little creative routing.

Tell me if I've got this right:

   * Your setup is:
        o an external game server, say
        o your IP, say external and internal
        o your peer's IP, say external and internal
        o your LAN clients, say 10.1.10.*
        o your peer's LAN clients, say 10.2.10.*
   * Your situation is:
        o connections work between 10.1.10.* and 10.2.10.* fine
        o when you use the external game server, your connections
          between 10.1.10.* and don't work without an extra

Have I understood this right?

Assuming it is right, I think what you need to do is add a host route
from to via when your IPsec link comes up.
There may be dynamic routing daemons that will do this for you
automatically - I'm not very familiar with them.  Another option could
be using some sort of bridging across your IPsec link - don't know
much about that either.  :-)

Another cause of your problem could be that the game in question is
actually sending the local system's IP address in the contents of its
packets.  If that's the case, there's not much you can do without an
application-level proxy.