Not sure where to post this, it's a Firewall / VPN / DNS question. Mod please move if need be.
---
Spoof protection:
Disabled -> Works
- LAN https access Astaro private:Y public:Y, DNS:Y
- VPN https access Astaro private:Y public:Y, DNS:Y
Normal -> Works
- LAN https access Astaro private:Y public:Y, DNS:Y
- VPN https access Astaro private:Y public:Y, DNS:Y
Strict -> Broken
- LAN https access Astaro private:Y public:N, DNS:Y
- VPN https access Astaro private:N public:Y, DNS:N
DEFINITION = Strict: The gateway will also drop and log all packets which have a destination IP for an interface but arriving on an interface other than assigned, that is, if it arrives on an interface for which it is not destined. For example, those packets will be dropped that were sent from an external network to the IP address of the internal interface which is supposed to accept packets from the internal network only.
Tunneled to destination IP: VPN Pool (L2TP), but what is considered the destination interface?
Is VPN Pool (L2TP) also a virtual interface, or is the definition talking about en0 or en1?
What is happening here? Should I remove the VPN Pool masq rule? Do I need a NAT rule in addition, or instead?
Is there a workaround to this OTHER than reducing security?
Also, what can be done about the LAN losing reverse access to the Astaro's public address?
---
Current config
SG125 FW 9.301-2 Pattern 74075
en0 LAN
en1 ISP1
en2 ISP2 (standby)
Using Astaro's DNS server with two OpenDNS Host definitions, ISP forwarding off. No other DNS server.
DNS 1 OpenDNS -> interface:any
DNS 2 OpenDNS -> interface:any
Followed KB for default L2TP over IPsec scenario.
VPN Pool (L2TP) = IP: Defaults; added user_network: no static; interface: any
VPN Pool (L2TP) added to DNS / NTP / Masq / IPS / Web Filter
No NAT rules.
Added pf top rule for VPN Pool (L2TP) & user_network -> ANY -> LAN
IPS on default
Web filter top profile for vpn user_network: Standard / Allow all
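As an added illustration, not from the original post and not Sophos/Astaro code, the following Python model applies the quoted Strict definition to the four cases in the table above. It assumes documentation-style addresses for en0 and en1, a hypothetical L2TP pool address for the VPN client, and treats as a variable the one thing the post asks about: which interface a decapsulated L2TP packet is counted as "arriving on" (en1, where the IPsec tunnel terminates, or a separate virtual interface).

```python
from ipaddress import ip_address, ip_network

# Constructed model of the spoof-protection modes quoted in the post.
# Interface addressing is assumed (RFC 5737 / RFC 1918 style ranges).
INTERFACES = {
    "en0": {"addr": "192.168.1.1", "net": "192.168.1.0/24"},  # LAN (assumed)
    "en1": {"addr": "203.0.113.2", "net": "203.0.113.0/24"},  # ISP1 (assumed)
}
LAN_CLIENT = "192.168.1.50"   # constructed LAN host
VPN_CLIENT = "10.242.2.5"     # constructed address from a hypothetical L2TP pool


def spoof_check(mode, in_iface, src, dst):
    """Apply the quoted definition to one packet.

    mode: 'disabled', 'normal' or 'strict'.
    Normal drops packets whose source belongs to a network assigned to a
    different interface; strict additionally drops packets whose destination
    is the address of an interface other than the one they arrived on.
    Returns (verdict, reason).
    """
    src, dst = ip_address(src), ip_address(dst)
    if mode == "disabled":
        return "accept", "spoof protection disabled"
    for name, itf in INTERFACES.items():
        if name != in_iface and src in ip_network(itf["net"]):
            return "drop", f"src {src} is in {name}'s network but arrived on {in_iface}"
    if mode == "strict":
        for name, itf in INTERFACES.items():
            if name != in_iface and dst == ip_address(itf["addr"]):
                return "drop", f"dst {dst} is {name}'s address but arrived on {in_iface}"
    return "accept", "passed"


def access_matrix(mode, vpn_ingress="en1"):
    """Verdicts for the four cases in the post's table.

    vpn_ingress is the interface a decapsulated L2TP packet is assumed to
    arrive on: 'en1' (the interface terminating the IPsec tunnel) or a
    separate virtual interface such as 'l2tp' (assumed name).
    """
    private, public = INTERFACES["en0"]["addr"], INTERFACES["en1"]["addr"]
    return {
        "LAN -> private": spoof_check(mode, "en0", LAN_CLIENT, private)[0],
        "LAN -> public": spoof_check(mode, "en0", LAN_CLIENT, public)[0],
        "VPN -> private": spoof_check(mode, vpn_ingress, VPN_CLIENT, private)[0],
        "VPN -> public": spoof_check(mode, vpn_ingress, VPN_CLIENT, public)[0],
    }


if __name__ == "__main__":
    for mode in ("disabled", "normal", "strict"):
        print(mode, access_matrix(mode))
    # Alternative assumption: the pool counts as its own virtual interface.
    print("strict, pool as virtual interface", access_matrix("strict", vpn_ingress="l2tp"))
```

With `vpn_ingress="en1"` the strict row reproduces the Y/N pattern in the post exactly (LAN reaches the private address but not the public one; VPN reaches the public address but not the private one). If the pool were instead treated as its own interface, both VPN cases would be dropped, so within this model the observed results are consistent with decapsulated L2TP packets being attributed to en1. The model also makes the DNS failure unsurprising: in strict mode the only gateway address accepted is the one belonging to the ingress interface, so a VPN client that resolves against the private interface address is dropped for the same reason.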