D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: djm on August 28, 2010, 03:28:05 AM
-
I have a DFL-210 and on its network a computer configured as an OpenVPN server. I have set up the required Allow and NAT rules to allow remote clients to connect to the OpenVPN server. All is working well as long as the OpenVPN clients only want to communicate with the OpenVPN server.
OpenVPN allows clients to communicate with other computers on the server's network as long as you can add a route to the server's gateway to pass all traffic from other computers to the OpenVPN link to the OpenVPN server.
My setup is:
ovpn server<--> d-link<----> another router<--> ovpn client
(192.168.51.2) (192.168.51.1) (192.168.0.1) (192.168.0.70)
(10.8.51.1)<----------------> (10.8.51.6)
If I try to ping say 192.168.51.3 from 192.168.0.70 the log of the DLink router shows
Date Severity Category/ID Rule Proto Src/DstIf Src/DstIP Src/DstPort Event/Action
2010-08-28 14:08:11 Warning RULE 6000051 Default_Rule ICMP lan 192.168.51.3 10.8.51.6 ruleset_drop_packet drop
ipdatalen=64 icmptype=ECHO_REPLY echoid=44893 echoseq=3
So I then added some rules to allow traffic to go from 192.168.51.0/24 to 10.8.51.0/24 and vice versa.
On a ping attempt the logs change to
Date Severity Category/ID Rule Proto Src/DstIf Src/DstIP Src/DstPort Event/Action
2010-08-28 14:24:26 Warning CONN 600013 LogOpenFails ICMP lan 192.168.51.3 10.8.51.6 no_new_conn_for_this_packet drop
I'm not sure how to alleviate this and allow the new connections. Does anyone have any suggestions?
-
Your problem happens because 51.3 tries to return the packet through the default gateway (DFL), but the DFL doesn't know anything about this connection.
There are three ways to fix your situation.
1) Move the OVPN server to another subnet/interface on the DFL.
This way, all OVPN<->LAN packets will go through the DFL.
2) Make NAT OVPN->LAN on the OVPN server.
This way, OVPN clients will be masked by the OVPN server address and all packets will stay within the subnet mask (without the DFL).
3) Tune the DFL to allow packets.
Add a route for the remote network (as I see, 10.8.51.0/24) through the OVPN server (192.168.51.2)
Add rule Forward fast lan/all-nets lan/all-nets (or two rules with specified networks)
-
I think I have tried 3 already.
I added
Type Interface Network Gateway Local IP address Metric Monitor this route Comments
Route lan 10.8.51.0/24 192.168.51.2 2 Yes
192.168.51.2 is the OpenVPN server.
Is that what you meant?
With (2) do you mean to add a NAT rule? Something like
Allow_OpenVPN NAT lan lannet core 192.168.51.2 dns-all
Please let me know if I am on the wrong track with either/both of these.
Thanks,
David.
-
_Route
Interface: lan
Network: 10.8.51.0/24
Gateway: 192.168.51.2
Metric: 2 (or 1)
Do not monitor route and change "local IP".
_IP rule
Your NAT rule is for port mapping, do not touch it.
You should make one more
Action: Forward fast
Service: all_services
Source: lan/all-nets
Destination: lan/all-nets
-
The route I now have is:
Type Interface Network Gateway Local IP address Metric Monitor this route Comments
Route lan 10.8.51.0/24 192.168.51.2 192.168.51.2 2 No
The extra rule is:
OpenVPN_allow FwdFast lan all-nets lan all-nets all_services
But the log after an attempted ping is still the same:
Date Severity Category/ID Rule Proto Src/DstIf Src/DstIP Src/DstPort Event/Action
2010-08-28 21:49:11 Warning CONN 600013 LogOpenFails ICMP lan 192.168.51.3 10.8.51.6 no_new_conn_for_this_packet drop
protocol=icmp ipdatalen=64 icmptype=ECHO_REPLY echoid=33907 echoseq=3
Any other suggestions?
-
1) Clear "Local IP address" field in route
2) Did you make the "forward fast" rule?
-
Cleared the "Local IP address" field in route.
If you look above I added a FastFwd rule:
OpenVPN_allow FwdFast lan all-nets lan all-nets all_services
Was that what you meant?
Still no ping response though.
-
I've just noticed that if I try ssh-ing to the DLink router that the default_rule gets used (and drops packets).
i.e. ssh from 192.168.0.70 (alias 10.8.51.6) to 192.168.51.1
The log I get is:
Date Severity Category/ID Rule Proto Src/DstIf Src/DstIP Src/DstPort Event/Action
2010-08-29 11:37:41 Warning RULE 6000051 Default_Access_Rule TCP lan 10.8.51.6 192.168.51.1 51768 22 ruleset_drop_packet drop
ipdatalen=40 tcphdrlen=40 syn=1
I'm not sure why the rule
2 OpenVPN_allow Allow any 10.8.51.0/24 any 192.168.51.0/24 all_services
wasn't used instead.
-
In your rule change Allow to ForwardFast (I'm talking about it for the 3rd time!), make source/destination lan/all-nets lan/all-nets.
-
Hi, if you look at my replies #4 and #6 I believe I already have what you suggest.
-
I even tried making the ForwardFast rule the very first in the rule set. Still no luck.
-
Show your forward fast rule by screenshot.
-
Screenshot of rule: http://www.flickr.com/photos/50857871@N04/4936954409/
-
Try to ping, check log.
Also show routes.
-
Route: http://www.flickr.com/photos/50857871@N04/4937658764/
Log from ping followed by ssh to DLink via OpenVPN: http://www.flickr.com/photos/50857871@N04/4937668322/
-
Make route into "main" routing table.
-
That did the trick. I thought that a routing group was just a way of grouping related routes but that they had the same result as if on the main routing table. Obviously not the case.
Thanks everyone for their help.
P.S. I tried to post this last entry many times but kept getting "database errors".
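As an added example (not from the thread or from D-Link), a small Python model of the DFL-210's forwarding decision for the ping reply discussed above: the echo request reaches 192.168.51.3 through the OpenVPN server without crossing the DFL, so when the reply comes back via the LAN default gateway the DFL holds no connection state for it. The model reproduces the three outcomes seen in the thread (Default_Rule drop with no matching rule, no_new_conn_for_this_packet with a stateful Allow rule, and a forward only when a FwdFast rule matches and the 10.8.51.0/24 route sits in the main table); the rule-matching order and log strings are simplified assumptions, not the firewall's real logic.

```python
import ipaddress

ALL_NETS = "0.0.0.0/0"

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

class Dfl:
    # Toy model of the DFL-210 path: route lookup (main table only), then IP rules.
    def __init__(self, rules, main_routes):
        self.rules = rules              # (name, action, src_if, src_net, dst_if, dst_net)
        self.main_routes = main_routes  # (network, interface, gateway)
        self.conns = set()              # state table keyed by (src, dst, proto)

    def route(self, dst):
        best = None                     # longest prefix wins; no match means default "wan"
        for net, iface, gw in self.main_routes:
            n = ipaddress.ip_network(net)
            if in_net(dst, net) and (best is None or n.prefixlen > best[0]):
                best = (n.prefixlen, iface, gw)
        return best[1:] if best else ("wan", None)

    def forward(self, pkt, src_if="lan"):
        src, dst, proto, kind = pkt     # kind is "ECHO_REQUEST" or "ECHO_REPLY"
        dst_if, gw = self.route(dst)
        for name, action, sif, snet, dif, dnet in self.rules:
            if (sif in (src_if, "any") and dif in (dst_if, "any")
                    and in_net(src, snet) and in_net(dst, dnet)):
                break
        else:
            return "Default_Rule ruleset_drop_packet drop"
        via = gw or dst_if
        if action == "FwdFast":         # stateless: needs no connection entry
            return f"{name} forward via {via}"
        if (src, dst, proto) in self.conns or (dst, src, proto) in self.conns:
            return f"{name} forward via {via}"
        if kind == "ECHO_REPLY":        # a reply can never open a new connection
            return f"{name} no_new_conn_for_this_packet drop"
        self.conns.add((src, dst, proto))
        return f"{name} conn_open forward via {via}"

# Constructed from the thread: the echo request went client -> OVPN server -> 192.168.51.3
# on the LAN, so this reply is the only packet of the exchange the DFL ever sees.
REPLY = ("192.168.51.3", "10.8.51.6", "ICMP", "ECHO_REPLY")
MAIN_ROUTES = [("192.168.51.0/24", "lan", None), ("10.8.51.0/24", "lan", "192.168.51.2")]
ALLOW_BACK = ("OpenVPN_allow", "Allow", "any", "192.168.51.0/24", "any", "10.8.51.0/24")
FWDFAST = ("OpenVPN_allow", "FwdFast", "lan", ALL_NETS, "lan", ALL_NETS)

def ping_reply_result(rules, main_routes):
    return Dfl(rules, main_routes).forward(REPLY)
```

Passing `MAIN_ROUTES[:1]` (the 10.8.51.0/24 route left out of the main table, as with the routing group) makes the reply route to "wan", so the lan/lan FwdFast rule no longer matches and the default rule drops it.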
-
Hi!
I know it's been some time but I'm still having great difficulties with exactly the same situation as djm. It's been almost 48 hours configuring but no luck or anything at all.
Client connects just fine to the server (which is in lannet 192.168.1.0/24 as 192.168.1.2) so my SAT and allow rules should be okay. The OVPN routed virtual network is 10.8.51.0/24 and my OVPN server gets the IP 10.8.51.1 and the client 10.8.51.6. I have also set the following IP rules:
1. FwdFast lan/allnets lan/allnets all_services
2. Allow any/lannet any/ovpnnet all_services
3. Allow any/ovpnnet any/lannet all_services
Also I have the following in the main routing table:
Route Lan 10.8.51.0/24 192.168.1.2 with metric 2 and no local IP address or monitoring.
When I check my active routing table I can see the above route but nothing works. If I ping from the client to 10.8.51.1 or anything else it just gets dropped with the default_ruleset. The src/dest IPs shown in the logs are 10.8.51.6/10.8.51.1. I guess I'm missing something essential because my routes obviously don't work.
Sorry I don't have any screenshots or log entries until tomorrow but I would appreciate it if somebody could help me with this.
-
I had 4 locations that I needed the same setup. Each had slightly different setup and configurations in the DFL-210. With one site I had to remove some rules I already had to enable it to work. Maybe you too have some pre-existing rules that are causing a hindrance.