Topic: Firewall wall for routing VPN
« on: February 04, 2008, 01:38:34 »
purplebadger *
Posts: 9

Hi all,

First off, apologies if this isn't the right forum; I'm not sure whether my issue is firewall, routing or VPN related. I believe it's simply a firewall misconfiguration, but my knowledge is limited.

Please see my network diagram here: http://badgerama.com/images/m0n0wall/network.jpg

The problem I'm having is that VPN clients appear to be denied any kind of access to the 'n-gateway' machine on my internal network. I'm not having trouble getting to any other server on that n-gateway's subnet. For example, I can access the m0n0wall control panel on the www-gateway machine (10.0.0.100), but I can NOT access the m0n0wall control panel on the n-gateway server (10.0.0.101) from the VPN.

This screenshot of my log file shows m0n0wall denying the packets when I try to access the web control panel from the VPN: http://badgerama.com/images/m0n0wall/log.jpg.

This screenshot shows my LAN rules: http://badgerama.com/images/m0n0wall/lan_rules.jpg
This screenshot shows my WAN rules: http://badgerama.com/images/m0n0wall/wan_rules.jpg
This screenshot shows my RADIUS config: http://badgerama.com/images/m0n0wall/radius.jpg


Can anyone shed any light on what I'm doing wrong, or what I need to enable to gain access?

Is it the same issue as this: http://forum.m0n0.ch/index.php/topic,1105.0.html

Thanks and regards (and apologies for totally ruining the formatting of this post!)

Tom
« Last Edit: February 04, 2008, 01:45:59 by purplebadger »
« Reply #1 on: February 04, 2008, 01:49:45 »
purplebadger *
Posts: 9

Also, I should point out that all of this works perfectly well internally.

For example, a user with a DHCP client at 10.0.0.20 can hit an address of 164.134.85.111, will go through the default gateway at 10.0.0.100, hit the static route and be sent out via the n3-gateway - that all works perfectly. It's just the VPN that causes the problem.

I'm also aware my WAN firewall rules are, erm, rubbish, but I'm afraid at this stage I'm just trying to lock it down and log what it might be that's stopping the traffic.

Thanks and regards.
« Reply #2 on: February 05, 2008, 15:28:08 »
HairyMonster *
Posts: 18

It looks like your PPTP VPN hasn't set up correctly, because there should be a PPTP tab in your rules section. Try disabling PPTP and re-enabling it.

You will need to add a rule in the PPTP VPN tab to allow clients access to resources.

HM.
« Reply #3 on: February 05, 2008, 15:41:46 »
purplebadger *
Posts: 9

Hi,

Thanks for your reply, HM.

However, that's not the m0n0wall I'm VPN'ing to; I VPN into the office network via another machine (which does have the PPTP firewall rules tab - for which I have an 'allow all' rule), which then passes specific traffic on to another m0n0wall which simply does NAT (with allow all rules in both directions).

Or do I need to set up a VPN between the 2 m0n0walls?

I'm sure it's a damn firewall rule somewhere, but I can't work out where. I think the n3-gateway machine needs to 'know' about the VPN subnet, but I've even put the internal network on 10.0.0.0/8 and then created firewall rules on the n3-gateway to allow all from the local subnet (i.e. anything on 10.0.0.0/8) but still no dice.

T.

« Reply #4 on: February 05, 2008, 15:46:48 »
HairyMonster *
Posts: 18

Do you have a static route defined on n-gateway to 172.16.16.0 via 10.0.0.100?

HM.
« Reply #5 on: February 05, 2008, 16:44:55 »
purplebadger *
Posts: 9

> Do you have a static route defined on n-gateway to 172.16.16.0 via 10.0.0.100?

You mean set up a static route on the n3-gateway to route traffic destined to our VPN back through the VPN server...?

Yep. Tried that.
« Reply #6 on: February 06, 2008, 12:34:47 »
purplebadger *
Posts: 9

Just as a follow up, I resolved the problem, and rather than something obvious, it was actually something very obscure. Three computers on the office LAN would not 'see' the static routes unless they existed on the domain controller; configuring them on the m0n0wall and using that as the default gateway didn't work - but only for those three PCs. I have no idea why.

I've resolved the problem by adding persistent static routes replicating those stored on m0n0wall (which are quite happily used by every other machine in the office, internal or VPN, DHCP or static). Bizarre.
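The return-path question raised in Reply #4 and the static-route fix in Reply #6 come down to one thing: which next hop a host picks for a VPN client address. The following is an added example, not code from the thread; the routing tables are constructed, and the /24 mask on 172.16.16.0 and the upstream default gateway 198.51.100.1 are assumptions, since the thread names only 172.16.16.0 and 10.0.0.100.

```python
"""Longest-prefix-match walk-through for the return path discussed in this thread.

Added example, not from the original thread. Routing tables are constructed for
an office host such as n-gateway (10.0.0.101). The /24 on the VPN subnet and the
upstream default gateway are assumptions.
"""
import ipaddress

# Constructed routes: (destination network, next hop). The default route is assumed
# to point at an upstream hop rather than at the VPN server on 10.0.0.100.
ROUTES_WITHOUT_VPN_ROUTE = [
    ("0.0.0.0/0", "198.51.100.1"),   # assumed upstream default gateway
    ("10.0.0.0/24", "connected"),    # office LAN, directly attached
]
ROUTES_WITH_VPN_ROUTE = ROUTES_WITHOUT_VPN_ROUTE + [
    ("172.16.16.0/24", "10.0.0.100"),  # return route to VPN clients via the VPN server
]


def next_hop(routes, dst):
    """Return the next hop for dst using longest-prefix match (most specific route wins)."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        network = ipaddress.ip_network(net)
        if dst_ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, hop)
    return best[1] if best else None


def reply_path_is_symmetric(routes, client, vpn_server="10.0.0.100"):
    """True when replies to a VPN client go back through the VPN server.

    If this is False, a request can arrive via 10.0.0.100 while the reply leaves
    via the default gateway, which is the asymmetric path a static route repairs.
    """
    return next_hop(routes, client) == vpn_server


if __name__ == "__main__":
    client = "172.16.16.5"  # constructed VPN client address
    for label, table in (("without", ROUTES_WITHOUT_VPN_ROUTE), ("with", ROUTES_WITH_VPN_ROUTE)):
        print(f"{label} static route: reply to {client} goes via {next_hop(table, client)} "
              f"(symmetric={reply_path_is_symmetric(table, client)})")
```

Running the same check against each PC's actual routing table is how the three odd machines in Reply #6 would have shown up: their lookup for 172.16.16.x fell through to the default route until the persistent static routes were added.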