
FTPservices Definition collides with DNS for VPN

Hi,

I have 2 external WAN Interfaces. WAN1 handles SSL VPNs and WAN2 handles FTP and HTTP traffic. WAN1 owns primary uplink IP.
 
I have the following policy routes:
1. INT -> WebSurfing -> WAN2
2. INT -> FTP -> WAN2
With the VPN established, that works.

If I change the second policy route from FTP to FTPServices, which includes FTP, FTPES and FTP_Port_Range_IANA, the VPN works, but without DNS lookups.

FTP_Port_Range_IANA is defined by: 1:65535 → 49152:63000

It looks like the port range 49152 to 63000 overlaps DNS requests from VPN clients, which are then routed through the wrong interface, WAN2, and not WAN1.

How can I solve that?
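The overlap the post suspects can be reproduced with a small model of policy-route matching. The block below is an added example written for this thread, not Sophos code and not something from the original posts. It assumes the UTM service notation "source ports → destination ports" (so FTP_Port_Range_IANA is source 1:65535, destination 49152:63000), that the service was created for TCP and UDP, an Internal network of 192.168.1.0/24, an SSL VPN pool of 10.242.2.0/24, and an internal DNS server at 192.168.1.10; all of those values, and the sample packets, are constructed for illustration. It treats each packet independently and does not model the UTM's connection tracking.

```python
"""Model of first-match policy routing with UTM-style service definitions.

Added example for the thread above; assumptions (not stated in the posts):
service definitions read "source ports -> destination ports", the Internal
network is 192.168.1.0/24, the SSL VPN pool is 10.242.2.0/24, the internal
DNS server is 192.168.1.10, and FTP_Port_Range_IANA covers TCP and UDP.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    protos: frozenset          # {"tcp"}, {"udp"} or both
    src_ports: Tuple[int, int]  # inclusive low, high
    dst_ports: Tuple[int, int]


@dataclass(frozen=True)
class PolicyRoute:
    src_net: str
    services: tuple            # one Service or a service group
    out_iface: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


ANY = (1, 65535)
TCP = frozenset({"tcp"})
TCP_UDP = frozenset({"tcp", "udp"})

HTTP = Service("HTTP", TCP, ANY, (80, 80))
HTTPS = Service("HTTPS", TCP, ANY, (443, 443))
FTP = Service("FTP", TCP, ANY, (21, 21))
FTPES = Service("FTPES", TCP, ANY, (990, 990))
# "1:65535 -> 49152:63000" as quoted in the post; protocol is an assumption.
FTP_PORT_RANGE = Service("FTP_Port_Range_IANA", TCP_UDP, ANY, (49152, 63000))

INTERNAL = "192.168.1.0/24"        # assumed Internal (Network)
CLIENT_EPHEMERAL = (49152, 65535)  # IANA dynamic range used by most client stacks

# Route 2 as "FTP" (works) versus route 2 as the "FTPServices" group (breaks DNS).
ROUTES_FTP = (PolicyRoute(INTERNAL, (HTTP, HTTPS), "WAN2"),
              PolicyRoute(INTERNAL, (FTP,), "WAN2"))
ROUTES_FTPSERVICES = (PolicyRoute(INTERNAL, (HTTP, HTTPS), "WAN2"),
                      PolicyRoute(INTERNAL, (FTP, FTPES, FTP_PORT_RANGE), "WAN2"))

# Constructed sample packets.
DNS_QUERY = Packet("udp", "10.242.2.10", 53214, "192.168.1.10", 53)   # VPN client -> internal DNS
DNS_REPLY = Packet("udp", "192.168.1.10", 53, "10.242.2.10", 53214)   # internal DNS -> VPN client
FTP_CTRL = Packet("tcp", "192.168.1.50", 51000, "203.0.113.7", 21)   # LAN host -> internet FTP


def in_range(port: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= port <= rng[1]


def overlaps(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def service_matches(svc: Service, pkt: Packet) -> bool:
    return (pkt.proto in svc.protos
            and in_range(pkt.sport, svc.src_ports)
            and in_range(pkt.dport, svc.dst_ports))


def select_route(routes, pkt: Packet) -> Optional[str]:
    """First policy route whose source network and service match; None = normal routing."""
    for route in routes:
        if ip_address(pkt.src) in ip_network(route.src_net) \
                and any(service_matches(s, pkt) for s in route.services):
            return route.out_iface
    return None


def services_catching_replies(routes, ephemeral=CLIENT_EPHEMERAL):
    """Services whose destination-port range overlaps the client ephemeral range.

    A policy route using such a service grabs reply packets of any client-initiated
    flow from the source network, DNS answers to VPN clients included.
    """
    return sorted({s.name for r in routes for s in r.services
                   if overlaps(s.dst_ports, ephemeral)})


if __name__ == "__main__":
    for label, routes in (("FTP", ROUTES_FTP), ("FTPServices", ROUTES_FTPSERVICES)):
        print(label, "reply->", select_route(routes, DNS_REPLY),
              "query->", select_route(routes, DNS_QUERY),
              "ftp->", select_route(routes, FTP_CTRL),
              "risky services:", services_catching_replies(routes))
```

With the narrow FTP definition the DNS answer from the internal server to the VPN client matches nothing and follows normal routing into the tunnel; with the FTPServices group the same answer has a destination port inside 49152:63000 and is handed to WAN2. The query itself never matches because its source is the VPN pool, not Internal, so a capture on WAN2 would show only the answers leaving the wrong way.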


  • Stefan, have you done a packet capture to confirm this?  Do you have your internal DNS listed first for DNS on 'Remote Access >> Advanced'?  Do you also have policy routes for the "VPN Pool (SSL)"?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • In the Advanced tab I have my internal DNS server IP address set.

    I have no Policy Route for VPN SSL.

    If I set one, doesn't it interfere with Uplink Monitoring actions?
  • In your first post, did you mean bandwidth pools instead of routes - do the traffic selectors include the traffic from the VPN?

    Again, have you seen the DNS packets go out the wrong interface?

    Have you double-checked that you have the correct IP of your internal DNS on the 'Advanced' page?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    DNS entry is correct.

    I meant Interface&Routing->StaticRoutes->PolicyRoutes
  • Do you have "Internet" and "Internal (Network)" in 'Local networks' of the SSL VPN definition? (or "Any")

    Do you have a masq rule for "VPN Pool (SSL)" out the WAN1 interface?

    Can you reach our Bluehost webserver from a VPN connection? http://69(dot)89(dot)20(dot)44/

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thanks for your tips. The Any definition in SSL local networks did it.

    Stefan