
Author Topic: dfl260 no web access for clients help please  (Read 14015 times)

mikejh69

  • Level 1 Member
  • *
  • Posts: 9
dfl260 no web access for clients help please
« on: January 10, 2012, 09:28:02 AM »

Sorry if this has already been covered; I have looked through the board and cannot see anyone having the same issue.
Here goes:
I have a dlink dfl260
new out of box yesterday.
I have set it up to allow vpn connections to the l2tp server; this works fine (tested by connecting laptop to wan port on same range of ip addresses then browsing local net).
However I am getting a problem connecting to the internet from the lan.
lannet 192.168.0.0/24 lan ip is 192.168.0.1
dmz 174.xxx.xxx.xx dmz net 174.x.xx.xxx.0/24
wan net 192.168.1.0/24 wangw 192.168.1.1 wan ip 192.168.1.200
also all-nets is set to 0.0.0.0/0

I can get a response from anything on the wan net, i.e. 192.168.1.x, without any issues.

The standard ip filters lan-inet look to be sensible, as do the routes.
I have been through the user manual to no avail.
If I connect to the router on the other side of the dlink all is good, so I know that I have a connection to the net.
Any ideas would be appreciated.
Many thanks
mike
Logged

juanjo

  • Level 2 Member
  • **
  • Posts: 52
Re: dfl260 no web access for clients help please
« Reply #1 on: January 10, 2012, 11:13:05 AM »

...... ¿ and .........?

Is the firewall configured in transparent mode or not?
Are the clients in the same net as the lan net or not?
Do the clients have the firewall ip as their gateway ip or not?
« Last Edit: January 10, 2012, 11:16:20 AM by juanjo »
Logged

mikejh69

  • Level 1 Member
  • *
  • Posts: 9
Re: dfl260 no web access for clients help please
« Reply #2 on: January 10, 2012, 12:11:09 PM »

firewall not in transparent mode
clients all on lan net
gateway set to firewall ip address and dns set to lan gateway (dns works)
thanks for coming back to me
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: dfl260 no web access for clients help please
« Reply #3 on: January 10, 2012, 06:49:35 PM »

Start ping -t from client
Go to Status > Connections - can you see it?
Go to Status > Logs - can you see it?
Did you change anything in Rules > IP rules > lan_to_wan?
Show Status > Routes
Logged
BR, Alexandr Danilov

juanjo

  • Level 2 Member
  • **
  • Posts: 52
Re: dfl260 no web access for clients help please
« Reply #4 on: January 11, 2012, 01:03:39 AM »

Hi:

As I understand it, your problem is the internet access from the lan.

I need more data about your network topology, but as far as I can see your clients on the lan net have access to the internet by the wan interface, and on the wan interface you have one router that is NATing ports.

In that case you need to configure the firewall in transparent mode and configure the lan and wan interfaces of the firewall and the router interface in the same subnet with different ips, and the gateway ip must be the router ip.

If this is not as I say, please give more data.

Regards
Logged

mikejh69

  • Level 1 Member
  • *
  • Posts: 9
Re: dfl260 no web access for clients help please
« Reply #5 on: January 11, 2012, 01:54:38 AM »

ok network as follows:
internal clients on lannet 192.168.0.0/24, lan ip on router 192.168.0.1, net mask 255.255.255.0
forget dmz, not in use
one ipsec tunnel working fine connecting on wan interface, can browse internal net (it terminates on the dfl260 as l2tp server)
wan 192.168.1.0/24 gw 192.168.1.1 wan interface ip 192.168.1.200

router beyond this is on 192.168.1.1 and if I connect direct to it I can browse net so it's not blocking anything
below answers to other qs regarding ping, routes etc.
I appreciate all the assistance

FIN_RCVD  TCP  lan:192.168.0.99:1730   core:192.168.0.1:443  17
FIN_RCVD  TCP  lan:192.168.0.99:1731   core:192.168.0.1:443  17
UDP       UDP  lan:192.168.0.99:58978  wan:192.168.1.1:53    103
UDP       UDP  lan:192.168.0.99:54021  wan:192.168.1.1:53    27
FIN_RCVD  TCP  lan:192.168.0.99:1728   core:192.168.0.1:443  17
UDP       UDP  lan:192.168.0.99:59170  wan:192.168.1.1:53    37
UDP       UDP  lan:192.168.0.99:64779  wan:192.168.1.1:53    53
TCP_OPEN  TCP  lan:192.168.0.99:1739   core:192.168.0.1:443  262144
Above is connection table

Routing table contents (max 100 entries)
Flags  Network          Interface     Gateway      Local IP  Metric
       192.168.0.1      core          (Iface IP)             0
       172.17.100.254   core          (Iface IP)             0
       192.168.1.2      core          (Iface IP)             0
       127.0.0.1        core          (Iface IP)             0
       192.168.1.0/24   wan                                  100
       172.17.100.0/24  dmz                                  100
       192.168.0.0/24   lan                                  100
       224.0.0.0/4      core          (Iface IP)             0
       0.0.0.0/0        ipsec-tunnel                         90
       0.0.0.0/0        wan           192.168.1.1            100

In the "Flags" field of the routing tables, the following letters are used:
O: Learned via OSPF   X: Route is Disabled

Now ip rules
And routes

1  drop_smb-all              Drop  lan  lannet  wan  all-nets  smb-all
2  allow_ping-outbound       NAT   lan  lannet  wan  all-nets  ping-outbound
3  allow_ftp-passthrough_av  NAT   lan  lannet  wan  all-nets  ftp-passthrough-av
4  allow_standard            NAT   lan  lannet  wan  all-nets  all_tcpudp

Type   Interface     Network   Gateway  Local IP address  Metric  Monitor this route  Comments
Route  ipsec-tunnel  all-nets                             90      No                  Direct route for network all-nets over interface ipsec-tunnel.
Route  wan           wannet                               100     No                  Direct route for network wannet over interface wan.
Route  wan           all-nets  wan_gw                     100     No                  Default route over interface wan.
Route  dmz           dmznet                               100     No                  Direct route for network dmznet over interface dmz.
Route  lan           lannet                               100     No                  Direct route for network lannet over interface lan.
 
 Logging

Date                 Severity  Category/ID   Rule          Proto  Src/DstIf  Src/DstIP                      Src/DstPort  Event/Action
2012-01-11 09:53:18  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.0.99 / 199.47.218.148  2052 / 80    ruleset_drop_packet / drop
                     ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11 09:53:16  Warning   RULE 6000051  Default_Rule  ICMP   lan        192.168.0.99 / 209.85.229.94                ruleset_drop_packet / drop
                     ipdatalen=40 icmptype=ECHO_REQUEST echoid=768 echoseq=2560
2012-01-11 09:53:15  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.0.99 / 199.47.218.148  2052 / 80    ruleset_drop_packet / drop
                     ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11 09:53:14  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.0.99 / 199.47.218.148  2051 / 80    ruleset_drop_packet / drop
                     ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11 09:53:11  Warning   RULE 6000051  Default_Rule  ICMP   lan        192.168.0.99 / 209.85.229.94                ruleset_drop_packet / drop
Logged

mikejh69

  • Level 1 Member
  • *
  • Posts: 9
Re: dfl260 no web access for clients help please
« Reply #6 on: January 11, 2012, 06:23:28 AM »

ok I have tried
1 set both wan and lan interface to transparent
wan ip range 192.168.1.0/24 wan ip 192.168.1.254 wan gateway 192.168.1.1
lan net 192.168.1.0/24 lan ip 192.168.1.253
the router ip of the second router is 192.168.1.1
transparent mode set on both lan and wan interfaces
logging says

Date                 Severity  Category/ID   Rule          Proto  Src/DstIf  Src/DstIP                       Src/DstPort  Event/Action
2012-01-11 14:12:22  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 / 199.47.218.148   3807 / 80    ruleset_drop_packet / drop
                     ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11 14:12:22  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 / 199.59.149.198   3806 / 80    ruleset_drop_packet / drop
                     ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11 14:12:21  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 / 199.47.218.148   3803 / 80    ruleset_drop_packet / drop
                     ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11 14:12:19  Warning   RULE 6000051  Default_Rule  ICMP   lan        192.168.1.99 / 209.85.229.94                 ruleset_drop_packet / drop
                     ipdatalen=40 icmptype=ECHO_REQUEST echoid=768 echoseq=7168
2012-01-11 14:12:19  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 / 199.59.149.198   3806 / 80    ruleset_drop_packet / drop
                     ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11 14:12:18  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 / 173.194.34.105   3800 / 443   ruleset_drop_packet / drop
                     ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11 14:12:18  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 / 213.199.177.155  3805 / 443   ruleset_drop_packet / drop
                     ipdatalen=28 tcphdrlen=28 syn=1
2012-01-11 14:12:18  Warning   RULE 6000051  Default_Rule  TCP    lan        192.168.1.99 / 213.199.177.155  3804 / 443   ruleset_drop_packet / drop

routes show as
Flags  Network          Interface     Gateway      Local IP  Metric
D      192.168.1.1      wan                                  100
D      192.168.1.99     lan                                  100
D      192.168.1.5      wan                                  100
D      192.168.1.7      wan                                  100
       192.168.1.254    core          (Iface IP)             0
       172.17.100.254   core          (Iface IP)             0
       192.168.1.253    core          (Iface IP)             0
       127.0.0.1        core          (Iface IP)             0
       172.17.100.0/24  dmz                                  100
       192.168.1.0/24   switched                             100
       192.168.1.0/24   switched                             100
       224.0.0.0/4      core          (Iface IP)             0
       0.0.0.0/0        ipsec-tunnel                         90
       0.0.0.0/0        wan           192.168.1.1            100

connection as
State     Proto  Source                  Destination              Timeout
UDP       UDP    core:0.0.0.0:0          core:192.168.1.254:1701  4
UDP       UDP    lan:192.168.1.99:55473  wan:192.168.1.1:53       85
UDP       UDP    wan:85.255.209.109:500  core:192.168.1.253:500   4
UDP       UDP    wan:85.11.194.39:500    core:192.168.1.253:500   4
UDP       UDP    wan:202.152.177.32:500  core:192.168.1.253:500   13
UDP       UDP    lan:192.168.1.99:65054  wan:192.168.1.1:53       33
UDP       UDP    lan:192.168.1.99:63523  wan:192.168.1.1:53       112
TCP_OPEN  TCP    lan:192.168.1.99:4089   core:192.168.1.254:443   262144

ping resolves name to ip but still no web access or ping, help
Logged

mikejh69

  • Level 1 Member
  • *
  • Posts: 9
Re: dfl260 no web access for clients help please
« Reply #7 on: January 11, 2012, 06:39:31 AM »

er it looks like it could be the rules, as the logging says drop packet ruleset 600051 default rule
can't find it anywhere HELP  :-[
Logged

juanjo

  • Level 2 Member
  • **
  • Posts: 52
Re: dfl260 no web access for clients help please
« Reply #8 on: January 11, 2012, 07:59:02 AM »


lan ip on router 192.168.0.1 net mask 255.255.255.0
...............
wan 192.168.1.0/24 gw 192.168.1.1 wan interface ip 192.168.1.200

router beyond this is on 192.168.1.1 and    


Two routers??
One suggestion:

forget vpn tunnels first.

Try first to give internet access to your clients and after that try VPNs.
Be clear with the device that gives you access to the internet and configure the firewall according to that device.

- Transparent mode is used when you have one xDSL router NATing ports.
- Non transparent mode is used for modems such as cable modems, and in that case, wan parameters are provided by your ISP by fixed IP or by DHCP.

Regards
Logged

mikejh69

  • Level 1 Member
  • *
  • Posts: 9
Re: dfl260 no web access for clients help please
« Reply #9 on: January 11, 2012, 09:39:14 AM »

that's what I have, sorry, it's an adsl router forwarding everything everywhere
and the vpn tunnels work nicely inbound
at a loss as to why this won't allow web traffic outbound as the rule says to but the logs say drop grrrr
Logged

mikejh69

  • Level 1 Member
  • *
  • Posts: 9
Re: dfl260 no web access for clients help please
« Reply #10 on: January 11, 2012, 09:40:18 AM »

think I will reset to factory defaults and start again
will the box allow web traffic out by default?
Logged

juanjo

  • Level 2 Member
  • **
  • Posts: 52
Re: dfl260 no web access for clients help please
« Reply #11 on: January 11, 2012, 09:55:19 AM »

think I will reset to factory defaults and start again
will the box allow web traffic out by default?


Yes, you will get it, but you must configure your firewall (LAN interface, WAN interface) and the ADSL ROUTER interface in the same subnet and the firewall must be in transparent mode.

Regards
Logged

mikejh69

  • Level 1 Member
  • *
  • Posts: 9
Re: dfl260 no web access for clients help please
« Reply #12 on: January 11, 2012, 11:55:48 PM »

thanks on to it now
Logged

New_Bie

  • Level 1 Member
  • *
  • Posts: 2
Re: dfl260 no web access for clients help please
« Reply #13 on: January 12, 2012, 02:04:36 AM »

Hey there Mikejh69! I would like to know what happened on your case if the recommended steps did work or not because I really find this interesting and I would like to know as well what are the workarounds on this.
Logged

mikejh69

  • Level 1 Member
  • *
  • Posts: 9
Re: dfl260 no web access for clients help please
« Reply #14 on: January 12, 2012, 02:13:57 AM »

ok update
I have reset the unit to factory default
set lan, wan and gateway all in the same range as the incoming adsl router, with that router's (incoming) address as the gateway; also set wan and lan interface in transparent mode
and yes it now works on the internet .......
all clients on the lan side can access the wan yipeeeeeee
as soon as I enable the ipsec tunnel I lose internet connectivity grr
as I have 2008 server on the lan I am going to pass vpn and remote desktop ports to it and let it authenticate and connect them, as I have run out of time for setting up this l2tp server and tunnel, but hey that's my fault, not the device's or anyone's on here, should have allocated more time to this task
Logged
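
Added example, not part of the original thread and not D-Link code: a small Python model of the routing table and IP rules posted in reply #5, showing which interface a LAN packet is routed to and which posted rules can still match it, with and without the ipsec-tunnel route that reply #14 links to the loss of Internet access. It assumes the firewall prefers the longest prefix and then the lowest metric, and that a packet matching no IP rule is dropped by Default_Rule as in the posted log; the function names are hypothetical.

```python
import ipaddress

# Non-core routes from the routing table in reply #5: (network, interface, metric).
ROUTES = [
    ("192.168.1.0/24", "wan", 100),
    ("172.17.100.0/24", "dmz", 100),
    ("192.168.0.0/24", "lan", 100),
    ("0.0.0.0/0", "ipsec-tunnel", 90),
    ("0.0.0.0/0", "wan", 100),
]

# Interface/network filters of the IP rules in reply #5:
# (name, src_if, src_net, dst_if, dst_net), with lannet and all-nets expanded.
RULES = [
    ("drop_smb-all", "lan", "192.168.0.0/24", "wan", "0.0.0.0/0"),
    ("allow_ping-outbound", "lan", "192.168.0.0/24", "wan", "0.0.0.0/0"),
    ("allow_ftp-passthrough_av", "lan", "192.168.0.0/24", "wan", "0.0.0.0/0"),
    ("allow_standard", "lan", "192.168.0.0/24", "wan", "0.0.0.0/0"),
]

def select_route(dst_ip, routes=ROUTES):
    """Egress interface. Assumed policy: longest prefix, then lowest metric."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(net), iface, metric)
            for net, iface, metric in routes
            if dst in ipaddress.ip_network(net)]
    if not hits:
        return None
    return max(hits, key=lambda h: (h[0].prefixlen, -h[2]))[1]

def candidate_rules(src_if, src_ip, dst_ip, routes=ROUTES, rules=RULES):
    """(egress interface, rules whose interface/network filters match).
    An empty list means no service can match: the packet hits Default_Rule."""
    dst_if = select_route(dst_ip, routes)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    names = [name for name, s_if, s_net, d_if, d_net in rules
             if s_if == src_if and d_if == dst_if
             and src in ipaddress.ip_network(s_net)
             and dst in ipaddress.ip_network(d_net)]
    return dst_if, names

def without_interface(iface, routes=ROUTES):
    """Routing table with every route over `iface` removed (tunnel disabled)."""
    return [r for r in routes if r[1] != iface]

if __name__ == "__main__":
    no_tunnel = without_interface("ipsec-tunnel")
    print(candidate_rules("lan", "192.168.0.99", "199.47.218.148"))
    print(candidate_rules("lan", "192.168.0.99", "199.47.218.148", no_tunnel))
```

Service matching is left out on purpose: all four posted rules share the same interface and network filter, so an empty candidate list already rules out every service.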