Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[zEnterHacker]

Hi,

DFL-800 configured with 1 x LAN, 1 x DMZ and 1 x public L2TP VPN Server on EXT interface. External roaming clients connect fine to LAN via the public L2TP server on EXT.

A/
Is it possible to connect to the same public L2TP server on EXT from a standard XP/Vista PC connected to the DMZ net?

B/
If so which rules/routes would be required?

I simply cannot see what I'm missing in order for this to work - help would be appreciated.


Best regards
zEnterHacker

[Fatman]

The normal suggestion would be that you should have your internal hosts connect to your DMZ IP and then write IP rules allowing traffic between the two.

A novel idea would be to set that up and then establish a Sat/Allow rule pair directing LAN traffic headed for your WAN IP using the appropriate service.

Is there a reason this type of setup would not work for you?

L2TP or L2TP over IPsec?

[zEnterHacker]

Hi,

My idea is that I have connected a wireless access point to the DMZ and then the (poteintially dangerous) wireless clients could access the internet through the DMZ, but not access the LAN - this works today with-out any problems.

The VPN server on the firewall is listening on the EXT ip and roaming clients on the internet can connect via L2TP to the interrnal LAN hereby using shares printer etc while on the move - this also works today.

However when a wireless client connected to the inhouse access point (DMZ) whishes to access the LAN using his secure standard roaming VPN connection he cannot do so because I cannot figure out which rules that would do the trick. If a soloution like this could be made there would be no difference in how you would establish VPN connection if you were on the road or if you are wireless connection to the inhouse access point.

The DMZ is not used to host any servers (appart from the access point :-), so I'm looking for some rules, that allows clients on the DMZ net to establish a VPN connection using the same public domain name pointing back to the externel IP if the firewall. The rest of the FW rules are pretty straight forward.

I think this is smart, but it could also be totally insane?

In the above I use the term DMZ, but I guess the problem theoretically also exists for clients on the LAN - since they are also not able to "loopback" VPN connect to EXT VPN server on the firewall - but again what would be the point - they are already connected :@)

Hope you have some ideas - btw. I don't want to use the second WAN for this scenario!

Regards
zEnterHacker

[Fatman]

It sounds like my solution is just the trick you need, create a second L2TP server as per the process you used for the first then publish it in the DMZ's interface IP.  then add the following IP Rules

SAT L2TP_Suite DMZ DMZ_Net core WAN_IP SAT_To;DMZ_IP
Allow L2TP_Suite DMZ DMZ_Net core WAN_IP

[zEnterHacker]

Hi Fatman,

Thanks for the brilliant idea!

I have now more or less duplicated the complete L2TP setup so I now have a separate L2TP server for the DMZ. I can connect to the server from a VISTA client if I use the static DMZ ip as destination for my tunnel, but if I try to connect via the public DNS name of the firewall hereby trying to trigger the SAT/ALLOW rules you gave me, I have no success 

From the logs I can see that the SAT rule is triggered but the next thing I get is a:
LocalUndelivered recvif=DMZ srcip=192.168.0.129 destip=192.168.0.253 ipproto=TCP ipdatalen=32 srcport=49321 destport=1723 tcphdrlen=32 syn=1

...129 is the VISTA client and ...253 is the DMZ if (L2TP server)

Are you sure these two rules are enough to do the  SAT trick?

Btw. I have also set up a PPTP server just to rule out any NAT/SAT problems in IPSEC, but the story is more or less the same - I can connect if I use the DMZ ip as destination but not if I'm using the public DNS as destination.

Any hints would still be appreciated.

Regards zEnterHacker

[Fatman]

My first thought is that your service definition may be off a little bit.

I should ask again because as I recall I took an implicit answer, L2TP or L2TP over IPsec?

I may need to set this up in my lab to offer any better advice, for the time being I would take a hard look at your service set and which step in the process that is failing.

Also at this point I am just thinking out loud, but you might want to see how well it works if you add core as a source interface on the DMZ L2TP tunnel.