Adjust Default Route from SSH Console
Hi All,
I am currently using Firewalla Gold and have installed a Global overlay network on my device.
I am trying to add a Default Route using "ip route" command, so that I can get packets entering the Firewalla from LAN connected devices to route to the overlay network as the default route entry.
Traffic initiated on the Firewalla directly routes via the default route (e.g. if I run a curl command from the SSH console), but traffic from connected devices is still just routing to the WAN (Internet).
Can anyone suggest how I can make my overlay network the default route for connected device traffic?
Ciaran
-
Hi Firewalla,
It's installed just as a package. I perform the installation in a Custom Script which I run at startup.
The new network is available and functioning, so I can connect to Firewalla over my overlay network via SSH. But I just want to force all Internet destined traffic from the LAN connected devices through the overlay network interface.
Ciaran
-
Hi Firewalla Team,
Please find the requested details below.
1) The package I have installed is Zerotier; details of the project can be found here: https://www.zerotier.com/
2) Details for installation on Linux can be found here: https://www.zerotier.com/download/
3) I have signed up for an account at the Zerotier registration page,
https://accounts.zerotier.com/auth/realms/zerotier/protocol/openid-connect/registrations?client_id=zt-central&redirect_uri=https%3A%2F%2Fmy.zerotier.com%2Fapi%2F_auth%2Foidc%2Fcallback&response_type=code&scope=openid+profile+email+offline_access&state=state
Then I have created a Network as a PRIVATE network (which means only devices that I approve can join the network).
Zerotier_Network_ID: <zeroTierNetworkId>
Designated Network: 10.242.215.0/28
I have then installed the Zerotier client onto an AWS UK Linux server and approved this server to "join" my network. This server is assigned the IP address 10.242.215.6.
On this server I have configured IP forwarding using the command net.ipv4.ip_forward = 1. I have then created a default route on the Zerotier network as noted here:
0.0.0.0/0 via 10.242.215.6
NOTE: At this stage, if I connect to my Zerotier network on another client device, such as my laptop, and configure all traffic to "Route via Zerotier", then all Internet traffic is routed through the Zerotier network to the Internet via the AWS instance.
4) Then I install Zerotier on my Firewalla Purple. I have created a script "zerotier.sh" which I have placed into the folder /home/pi/.firewalla/config/post_main.d/. The content of the script is shown below, but in short the following is done:
* Zerotier binaries are installed
* The Zerotier Node Identity files from the original install are copied to the correct folder (so that Zerotier views the node as already approved)
* Zerotier service is started
* Firewalla Zerotier node is added into the Zerotier network <zeroTierNetworkId>
* Add the Zerotier address as an allowed SSH listening address
* Set the Override Default route on the Firewalla Purple
#######################################################
#!/bin/sh
# Define variables
ZEROTIER_NETWORK=<zeroTierNetworkId>
CANARY_URL=https://canarytokens.com/static/images/tags/go21yknk54bme298kn4wch3b6/submit.aspx
# Call Canary Token (just provides feedback that the script has been executed)
sudo wget "$CANARY_URL"
# In case the zerotier service is already there, stop it.
sudo systemctl stop zerotier-one.service
# Create the directory where the Zerotier Node identity files must be placed (-p: no error if it already exists)
sudo mkdir -p /var/lib/zerotier-one
# Copy the saved Zerotier Node identity files to the correct folder (so that the Zerotier network treats the node as already approved)
sudo cp /home/pi/.firewalla/config/post_main.d/identity.* /var/lib/zerotier-one/
# Install the Zerotier binaries (installer is GPG-verified before it is piped to bash)
curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg' | gpg --import && if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi
# Start the Zerotier service
sudo systemctl start zerotier-one.service
# Join the Zerotier Node to the existing network
sudo zerotier-cli join "$ZEROTIER_NETWORK"
# Modify the /etc/ssh/sshd_config file, adding the Zerotier IP of the Firewalla Purple as a ListenAddress to allow SSH connections on the Zerotier interface
sudo grep -qxF 'ListenAddress 10.242.215.12' /etc/ssh/sshd_config || sudo sed -i '/ListenAddress 192.168.3.1/a ListenAddress 10.242.215.12' /etc/ssh/sshd_config
# Provide a short delay, as otherwise the SSH service restart was not picking up the updated ListenAddress
sleep 20s
# Now restart the SSH service so that we can SSH on the Zerotier IP address 10.242.215.12 to the Firewalla Purple.
sudo systemctl restart ssh
# Set Default Route Override on the Zerotier node routing tables
sudo zerotier-cli set "$ZEROTIER_NETWORK" allowDefault=1
#######################################################
It should be noted that the last command updates the routing tables on the device as below, essentially adding these routing entries:
0.0.0.0/1 via 10.242.215.6 dev <zeroTierNetworkId> proto static
10.242.215.0/28 dev <zeroTierNetworkId> proto kernel scope link src 10.242.215.12
128.0.0.0/1 via 10.242.215.6 dev <zeroTierNetworkId> proto static
See the full ip route output here:
$ ip route
0.0.0.0/1 via 10.242.215.6 dev <zeroTierNetworkId> proto static
default via 192.168.178.1 dev wlan0 metric 1
1.0.0.1 via 192.168.178.1 dev wlan0 metric 1
1.1.1.1 via 192.168.178.1 dev wlan0 metric 1
10.242.215.0/28 dev <zeroTierNetworkId> proto kernel scope link src 10.242.215.12
128.0.0.0/1 via 10.242.215.6 dev <zeroTierNetworkId> proto static
192.168.3.0/28 dev br1 proto kernel scope link src 192.168.3.1
192.168.4.0/29 dev br0 proto kernel scope link src 192.168.4.1 linkdown
192.168.178.0/24 dev wlan0 proto kernel scope link src 192.168.178.10
Noting that 192.168.178.0/24 is the WAN network that my Firewalla Purple is connected to.
192.168.3.0/28 is my Wireless LAN network (the network to which I have connected my laptop).
I am then able to successfully connect to Firewalla SSH via my Zerotier network; if I then run curl ipinfo.io from the SSH command line (e.g. directly on the Firewalla Purple) then the internet traffic request routes through my AWS server as expected. BUT when I then connect my laptop to the LAN side wireless of the Firewalla Purple and access the following web address https://ipinfo.io/ the traffic is actually routing to the WAN interface of the Firewalla (and NOT via my AWS server). Instead I would like to be able to route all the internet traffic via the Zerotier network and address 10.242.215.6 as the default route.
I assume I am missing something, but would be very grateful if you could point me in the right direction.
Many Thanks for your guidance.
Ciaran
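Why the curl run on the box lands at 10.242.215.6 is visible in the table above: the two /1 routes are more specific than the /0 default, so longest-prefix matching picks them. The following is an added example (not from this thread or from Firewalla) that parses that `ip route` output and applies the same longest-prefix, lowest-metric lookup a kernel performs within one routing table; it only models the main table, so if `ip rule` policy routing hands LAN-originated packets to a different table first (check `ip rule show` and `ip route show table <name>`), that table decides instead, which is one place the gap between box-originated and forwarded traffic can hide.

```python
import ipaddress

# Constructed from the `ip route` output posted above; the ZeroTier
# interface name is kept as the same placeholder the post uses.
IP_ROUTE_OUTPUT = """\
0.0.0.0/1 via 10.242.215.6 dev <zeroTierNetworkId> proto static
default via 192.168.178.1 dev wlan0 metric 1
1.0.0.1 via 192.168.178.1 dev wlan0 metric 1
1.1.1.1 via 192.168.178.1 dev wlan0 metric 1
10.242.215.0/28 dev <zeroTierNetworkId> proto kernel scope link src 10.242.215.12
128.0.0.0/1 via 10.242.215.6 dev <zeroTierNetworkId> proto static
192.168.3.0/28 dev br1 proto kernel scope link src 192.168.3.1
192.168.4.0/29 dev br0 proto kernel scope link src 192.168.4.1 linkdown
192.168.178.0/24 dev wlan0 proto kernel scope link src 192.168.178.10
"""

def parse_routes(text):
    """Turn `ip route` lines into (network, gateway-or-None, dev, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        # Remaining words come in "key value" pairs; a trailing flag word
        # such as "linkdown" has no value and is dropped by zip().
        opts = dict(zip(fields[1::2], fields[2::2]))
        routes.append((net, opts.get("via"), opts.get("dev"),
                       int(opts.get("metric", 0))))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; lower metric breaks ties, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev, metric in routes:
        if addr in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), via, dev)
    return None if best is None else (best[1], best[2])

ROUTES = parse_routes(IP_ROUTE_OUTPUT)

if __name__ == "__main__":
    # 100.64.1.1 sits in 0.0.0.0/1 and 203.0.113.7 in 128.0.0.0/1 (constructed
    # probes): both /1 routes beat the /0 default, so they go to the ZeroTier hop.
    for probe in ("100.64.1.1", "203.0.113.7", "1.1.1.1", "192.168.3.5"):
        print(probe, "->", lookup(ROUTES, probe))
```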
-
Hi Firewalla,
Yes, your assumption is correct, only outbound traffic is my requirement. Essentially, I have two use cases in principle.
1) Primary use case. Connecting device to private WLAN or LAN side of Firewalla Purple and routing Internet traffic into Zerotier network, terminating on another node in AWS which is configured as Zerotier network default route(as I described earlier)
2) When travelling, connecting to my Home network from private WLAN or LAN side device on Firewalla Purple. Where on Home network I have registered a Raspberry PI as a Zerotier device on the home LAN. On the Zerotier network in this case I have configured static routes for my home network subnets. My objective in this case is to avoid opening up Ports on my Public facing router with Port forwarding.
Note, I have already got this (2) working perfectly by setting up an OpenVPN connection between my Firewalla Purple and Firewalla Gold over the UDP hole-punched Zerotier connection, but would like to eliminate the need for the OpenVPN in this case as Zerotier is already conceptually a VPN.
If I missed any info or you have any queries don't hesitate to ask.
Ciaran
-
We are working on a solution to use Docker containers for all kinds of VPN client implementations. In this case, Zerotier can be implemented this way. Then the Firewalla box itself will become a Zerotier device and you will be able to access other Zerotier devices from Firewalla's local network.
Hopefully, this solution can be implemented in box release 1.974.
-
Hi Firewalla Team,
That sounds like positive news. What is currently the ETA for the 1.974 Release?
Also, as I am not a Docker expert I am hoping that there will be some good guidance documentation to help me work it out.
Anyway, I will keep a look out for the release.
Many Thanks
Ciaran
-
Hi Firewalla Team,
Congratulations on moving the Firewalla Purple to general release after the Crowdfunding completion.
Further to my query above, is it possible to get an update regarding your reply 1 month ago where you mentioned:
"We are working on a solution to use Docker containers for all kinds of VPN client implementations. In this case, Zerotier can be implemented this way. Then the Firewalla box itself will become a Zerotier device and you will be able to access other Zerotier devices from Firewalla's local network.
Hopefully, this solution can be implemented in box release 1.974."
As my Firewalla Purple is now running Box Version 1.974, can you confirm if the solution quoted above made it into the 1.974 Release? And depending on the answer, when is it likely to become available?
Thanks
Ciaran
-
Hi Firewalla Team,
I see my Firewalla Purple is now upgraded to Box Version 1.974 (799a66ff) in the BETA Program, but I still don't seem to be able to route traffic to Docker running a custom VPN.
Can you confirm an updated ETA relating to the Docker routing solution you referred to 6 months ago? I am waiting to route all traffic on my Firewalla Purple into Zerotier running on Docker.
Ciaran