VPN zone traffic to LAN zone getting dropped

SFOS 16.05.6 MR-6

Migrating from UTM 9 to XG.

I have created a L2TP VPN from my Android phone to XG. The VPN connects but all the traffic going to LAN zone is getting dropped. I have created a firewall rule to allow all traffic from VPN zone to LAN zone but the firewall logs still show that traffic is being dropped. My understanding is that the IP subnet that I define in VPN settings, automatically gets added to the VPN zone, so the rule should work. Please advise on how to fix.

Thanks,

Arun



  • Arun,

    can you share the L2TP settings, firewall rules and dropped logs?

    Thanks

  • Thanks for quick reply. Here is the info:

     

    L2TP (Remote Access)
    Name: MyVPN
    Description:
    Policy: DefaultL2TP
    Action on VPN Restart: Respond Only

    Authentication Type: Preshared key
    Preshared Key: <preshared key string>

    Local WAN Port: Port2 - <My Public IP is automatically filled>
    Local ID: I did not enter any local ID

    Remote Host: *
    Allow NAT Traversal: Checked
    Remote LAN Network: Any
    Remote ID: I did not enter any remote ID

    Local Port: 1701
    Remote Port: *

    Disconnect when tunnel is idle: Enabled
    Idle session time interval: 600

    ===================
    Show VPN Settings -> L2TP
    Enable L2TP box checked

    Assign IP from: 10.242.1.0 - 10.242.1.255
    Box unchecked: Allow leasing IP address from RADIUS server

    Primary DNS server: Other 192.168.250.1 (This is the XG firewall LAN address)

    Show Members: arun_l2tp_vpn and Open Group
    ===================
    Rule Name: VPN to LAN

    Source Zones: VPN
    Source Networks and Devices: Any
    During Scheduled Time: All the time

    Destination Zones: LAN
    Destination Networks: Any
    Services: Any

    Match known Users: unchecked

    Malware scanning: all boxes unchecked

    Intrusion Prevention: None
    Traffic Shaping Policy: None
    Web Policy: None
    Application Control: None

    Minimum Source HB Permitted: No restriction
    Minimum Destination HB permitted: No restriction

    Rewrite source address (Masquerading): Checked
    Use Gateway Specific Default NAT Policy: Unchecked
    Use Outbound Address: MASQ
    Primary Gateway: None
    DSCP Marking: Select DSCP Marking (none selected)

    In the NAT settings, I have tried various combinations of options, but none worked.

    I don't know how to get to the logs, but in Log Viewer, I select Firewall Logs from drop down list and then filter on ppp0 as In Interface.
    This is typically what I see. The DNS requests are being denied.

    2017-07-24 15:35:39 Local ACL Denied arun_l2tp_vpn 0 ppp0 - 10.242.1.1 :UDP (1511) 192.168.250.1 :UDP (53) 02002 Open PCAP


  • Arun,

    thanks for sharing info. UDP 53 is DNS requests traffic. Go to VPN > Show VPN Settings > L2TP and fill DNS with your internal DNS server (if you need to access internal resources by name).

    If it is not enough, create a reverse rule LAN TO VPN.

    Let us know

    Thanks

  • Finally it is working. I had taken screen captures of UTM settings. Following those, here is what I had to do to get everything working:

    a) Create a rule for allowing VPN connected phone to access internet and other common services

    Source: VPN, Any host

    Destination: WAN, Any host

    Services: DNS, HTTP, HTTPS, NTP, Gmail Ports and so on.

    Rewrite source address (Masquerading): checked

    Use Gateway Specific Default NAT Policy: checked

    b) Create a rule for allowing VPN to access LAN:

    Source: VPN, Any host

    Destination: LAN, Any host

    Service: Any

    Rewrite source address (Masquerading): checked

    Use Gateway Specific Default NAT Policy: checked

    c) In VPN->Show VPN Settings, defined the DNS server as the server in my LAN zone (I run my own DNS server). This server is defined as the DNS server in XG DNS settings also.

    Now everything is working. When phone is connected to VPN, I can ping hosts on my LAN. I have not tested RDP/SSH connectivity, but I am sure it will work. It seems that no matter what I do, XG does not allow any kind of access to its own IP (not even ping) from the phone when connected via VPN. Since I was trying to use the XG IP address as DNS server in the hope that it will forward queries to my LAN DNS server, the DNS access was being denied. It just would not have worked.

    If I disable any of the above firewall rules, internet access on the phone stops working when connected to VPN. I think this is because I am using DNS server in the LAN zone, so if VPN to LAN rule is disabled, the VPN connected device cannot reach DNS server. If a public DNS server like 8.8.8.8 is configured in VPN settings, then there is no need for the VPN to LAN zone rule.

    Thanks for all your help.

    Arun
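As an added illustration (not part of the thread, and not Sophos code), the script below models the final two-rule set from the last post and parses the Log Viewer line quoted earlier, so you can see why the DNS query to the firewall's own address shows up as a "Local ACL" decision rather than a zone-rule drop, and what the same query gets when it is sent to a LAN DNS server or to a public resolver instead. The /24 masks, the constructed LAN DNS address 192.168.250.10, and the VPN-to-WAN service list are assumptions; the page only gives the L2TP pool 10.242.1.0 - 10.242.1.255 and the firewall LAN address 192.168.250.1.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed zone layout: L2TP pool is the VPN zone, 192.168.250.0/24 is the LAN zone
# (mask assumed), everything else is treated as WAN.
ZONES = {"VPN": ip_network("10.242.1.0/24"), "LAN": ip_network("192.168.250.0/24")}
FIREWALL_OWN_IPS = {ip_address("192.168.250.1")}  # XG LAN address from the thread

# Model of the two rules the poster ended up with: (name, src zone, dst zone, services).
# Services are "PROTO/port"; None means any service. The VPN-to-WAN list is an assumption
# standing in for "DNS, HTTP, HTTPS, NTP, Gmail Ports and so on".
RULES = [
    ("VPN to WAN", "VPN", "WAN", {"UDP/53", "TCP/80", "TCP/443", "UDP/123"}),
    ("VPN to LAN", "VPN", "LAN", None),
]

# Matches the Log Viewer line format shown in the thread (trailing message id / "Open PCAP" ignored).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<category>.+?) (?P<action>Denied|Allowed) (?P<user>\S+) \d+ "
    r"(?P<iface>\S+) - (?P<src>[\d.]+) :(?P<proto>\w+) \((?P<sport>\d+)\) "
    r"(?P<dst>[\d.]+) :\w+ \((?P<dport>\d+)\)"
)

def zone_of(ip):
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "WAN")

def parse_log_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: " + line)
    f = m.groupdict()
    return {"category": f["category"], "action": f["action"], "user": f["user"],
            "src": f["src"], "dst": f["dst"], "service": f"{f['proto']}/{f['dport']}"}

def evaluate(flow):
    """Explain how the model treats a flow. Traffic addressed to the firewall's own IP is
    decided by the local (device access) ACL, which is the path the 'Local ACL Denied'
    line in the thread reflects; zone-to-zone rules only apply to forwarded traffic."""
    if ip_address(flow["dst"]) in FIREWALL_OWN_IPS:
        return "local ACL (not a zone rule)"
    src_z, dst_z = zone_of(flow["src"]), zone_of(flow["dst"])
    for name, s, d, services in RULES:
        if s == src_z and d == dst_z and (services is None or flow["service"] in services):
            return "allowed by rule '%s'" % name
    return "dropped: no %s to %s rule for %s" % (src_z, dst_z, flow["service"])

# The exact line quoted in the thread.
THREAD_LOG_LINE = ("2017-07-24 15:35:39 Local ACL Denied arun_l2tp_vpn 0 ppp0 - "
                   "10.242.1.1 :UDP (1511) 192.168.250.1 :UDP (53) 02002 Open PCAP")

if __name__ == "__main__":
    flow = parse_log_line(THREAD_LOG_LINE)
    print(flow["service"], "->", evaluate(flow))
    for dst in ("192.168.250.10", "8.8.8.8"):  # constructed LAN resolver / public resolver
        print(dst, "->", evaluate({"src": "10.242.1.1", "dst": dst, "service": "UDP/53"}))
```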