Firewalld & VPN Forwarding
1. I have a physical host that has several KVM virtual machines. The physical host's eth0 is on my 192.168.2 network. The .2 network is hard-wired via a gigabit switch.
2. The physical host also has an interface and network internal to KVM, virbr0, which is the 192.168.4 network and is used for all of the VMs.
3. I have a VM which acts as a VPN server. It gives out addresses in the 192.168.8 network.
4. Clients in the 192.168.8 network can reach servers in the .4 network. Also, servers in the .4 network are able to reach clients with open ports in the .8 network.
5. Clients in the .8 network can NOT reach anything on the .2 network, such as a Raspberry PI. Likewise, things on the .2 network can NOT reach anything on the .8 network. The gateway for .8 is properly configured as the .4 address of the VPN server.
6. If I turn off firewalld on the physical host, then clients in the .8 network CAN reach things in .2, and vice versa.
6.5. IPv4 forwarding is enabled in both the VPN VM and the physical host.
6.6. I have turned on masquerading both on the VPN VM as well as the physical host.
6.7. Enabling and/or disabling firewalld on the VPN VM does not change any of this behavior.
7. I have tried to put both virbr0 and eth0 in the same network Zone in firewalld. I have also tried to put them in different zones and explicitly configure firewalld. Nothing works.
Based on the post noted above, I added the following lines to the firewalld on the physical host. Now I can reach things on .2 from .8, but NOT vice versa.
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o virbr0 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i virbr0 -o eth0 -j ACCEPT
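As an added example (not part of the original post), a small audit script for the physical host that checks the prerequisites listed above: ip_forward, both FORWARD directions between eth0 and virbr0 in the direct rules, and, as an additional check I am assuming is relevant, whether a 192.168.2.x device has a route back to 192.168.8.0/24. The sample command output embedded below is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names and networks
# are taken from the post; all sample command output here is constructed.

LAN_IF=eth0        # physical host NIC, 192.168.2.0/24
VM_IF=virbr0       # KVM bridge, 192.168.4.0/24
VPN_NET=192.168.8.0/24

# $1 = contents of /proc/sys/net/ipv4/ip_forward ("0" or "1")
ip_forward_enabled() {
    [ "$1" = "1" ]
}

# $1 = output of `firewall-cmd --direct --get-all-rules`
# Succeeds only if FORWARD is accepted in BOTH directions between the two
# interfaces; a rule present in one direction only matches the symptom of
# traffic working from one side and not the other.
forward_rules_complete() {
    printf '%s\n' "$1" | grep -q -- "-i $LAN_IF -o $VM_IF -j ACCEPT" || return 1
    printf '%s\n' "$1" | grep -q -- "-i $VM_IF -o $LAN_IF -j ACCEPT" || return 1
}

# $1 = output of `ip route` on a 192.168.2.x device (assumed check: that
# device must know 192.168.8.0/24 is reached via the physical host, or its
# packets for VPN clients go to its default gateway instead).
has_route_to_vpn() {
    printf '%s\n' "$1" | grep -q "^$VPN_NET "
}

# Constructed samples, in the format the real commands print.
SAMPLE_RULES_ONE_WAY='ipv4 filter FORWARD 0 -i eth0 -o virbr0 -j ACCEPT'
SAMPLE_RULES_BOTH="$SAMPLE_RULES_ONE_WAY
ipv4 filter FORWARD 0 -i virbr0 -o eth0 -j ACCEPT"
SAMPLE_ROUTES_OK='default via 192.168.2.1 dev eth0
192.168.8.0/24 via 192.168.2.10 dev eth0
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.50'

# Live audit when run as root on the physical host.
audit_host() {
    if ip_forward_enabled "$(cat /proc/sys/net/ipv4/ip_forward)"; then
        echo "ip_forward: on"; else echo "ip_forward: OFF"; fi
    if forward_rules_complete "$(firewall-cmd --direct --get-all-rules 2>/dev/null)"; then
        echo "FORWARD rules: both directions present"
    else
        echo "FORWARD rules: incomplete (need $LAN_IF<->$VM_IF both ways)"
    fi
}
```

Run `audit_host` on the physical host; the parsing functions can also be fed saved command output from another machine.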