I have a Smoothwall box set up as my main gateway at 192.168.65.1. I also have a Proxmox virtual server at 192.168.65.160 that I use to make outbound VPN connections. Since the Smoothwall box is the default gateway, I want to set it to route all local 192.168.65.0/24 network traffic bound for VPN destinations (such as the 192.168.1.0/24 subnet) to the 192.168.65.160 address.
Smoothwall is configured with /proc/sys/net/ipv4/ip_forward set to 1. The routing table is set as follows (eth0 = RED interface):
$ ip route
192.168.65.0/24 dev eth1 proto kernel scope link src 192.168.65.1
192.168.1.0/24 via 192.168.65.160 dev eth1
x.x.x.x/xx dev eth0 proto kernel scope link src x.x.x.x
default via x.x.x.x dev eth0
If I ping a VPN address from the Smoothwall box, it works. However, when I try to ping a VPN address from any other host on the local 192.168.65.0/24 subnet, I get a "Destination Port Unreachable" result. If I set a route on the local host to send VPN traffic directly to the 192.168.65.160 gateway, that works. It's only when I try to route VPN traffic through the Smoothwall box that it doesn't get through.
What's going on?
OK, let's begin by just covering the basics... looks like Smoothwall may be the issue here...
Type the following on the console of your Smoothwall and see if this fixes your issue:
Please note this is a temporary fix to test if the issue is with Smoothwall. If that works, then just add a rule on Smoothwall to allow that traffic, or add this line to something like rc.local (probably not the best idea... :) )
You need to setup SNAT for that setup to work.
What is happening now is that traffic from your LAN comes to the firewall and is sent to the Proxmox server, which sends it to the destination. When the other side responds, the Proxmox server sends it to the actual LAN host that sent the initial packet, but that host rejects it because it expects the reply from the Smoothwall box.
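As an added illustration (not code from any of the answers above), here is a small Python model of the routing tables in the question that traces the forward and return paths of a packet and shows the reply bypassing the Smoothwall box unless SNAT is applied there. The LAN host 192.168.65.50, the Proxmox tunnel address 192.168.1.1, the remote host 192.168.1.10 and the upstream 203.0.113.1 are assumptions.

```python
import ipaddress

# Constructed model of the network in the question. The "smoothwall" entries
# mirror the `ip route` output in the question; every other address is assumed.
ROUTES = {
    "lanhost":    {"192.168.65.0/24": None, "0.0.0.0/0": "192.168.65.1"},
    "smoothwall": {"192.168.65.0/24": None, "192.168.1.0/24": "192.168.65.160",
                   "0.0.0.0/0": "203.0.113.1"},
    "proxmox":    {"192.168.65.0/24": None, "192.168.1.0/24": None},  # tunnel on-link
    "vpnhost":    {"192.168.1.0/24": None, "0.0.0.0/0": "192.168.1.1"},
}
OWNER = {"192.168.65.50": "lanhost", "192.168.65.1": "smoothwall",
         "192.168.65.160": "proxmox", "192.168.1.1": "proxmox",
         "192.168.1.10": "vpnhost"}


def next_hop(node, dst):
    """Longest-prefix-match lookup; None means the destination is on-link."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in ROUTES[node]
               if addr in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no route from {node} to {dst}")
    return ROUTES[node][str(max(matches, key=lambda n: n.prefixlen))]


def trace(src, dst):
    """Return the list of nodes a packet src->dst traverses, hop by hop."""
    path = [OWNER[src]]
    while OWNER.get(dst) != path[-1]:
        nh = next_hop(path[-1], dst)
        path.append(OWNER[nh] if nh else OWNER[dst])
        if len(path) > 8:
            raise RuntimeError("routing loop")
    return path


def round_trip(src, dst, snat_on_smoothwall=False):
    """Forward path plus reply path. With SNAT on the firewall the packet leaves
    it with source 192.168.65.1, so the reply is routed back through it."""
    forward = trace(src, dst)
    natted = snat_on_smoothwall and "smoothwall" in forward
    reply = trace(dst, "192.168.65.1" if natted else src)
    if natted:
        reply.append(OWNER[src])  # firewall un-NATs and hands it to the LAN host
    return forward, reply


if __name__ == "__main__":
    for snat in (False, True):
        print("SNAT" if snat else "no SNAT", *round_trip("192.168.65.50", "192.168.1.10"
                                                            , snat))
```

Without SNAT the reply path is vpnhost -> proxmox -> lanhost, so the firewall never sees the return half of the flow; with SNAT both halves pass through it.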
It seems like your configuration should work. I don't think NAT is what you need here.
Just a thought: Is it possible that Smoothwall refuses to forward packets that attempt to exit it via the same network interface that they entered from (in this case, eth1)? Such traffic might be considered abnormal or suspicious under typical circumstances, and Smoothwall might be set up to block it on those grounds. Getting "Destination Port Unreachable" messages from ping indicates that you are getting ICMP error messages, which I suspect are being generated by Smoothwall as it rejects those packets.
Does Smoothwall provide logging facilities? If so, you should check the logs to see if my theory holds water.