DNAT config issues when blocking access to internal network from VPN

Hi guys,
 
Hope this finds you well, 
 
I'm having issues configuring a DNAT correctly.
 
The end goal is to create a full tunnel SSL VPN profile that has access out to the internet only, denying all connections to the local network. This topic has been broached in the community here before but everything I've found isn't working for me.
 
As I understand it from reading through the relevant topics, the "Internet IPv4" network definition in the SSL VPN profile routes all traffic through the UTM so that a full tunnel is created, and the job of the DNAT is to black-hole the packets destined for the internal network before they hit the VPN config, based on rulz. So when set up correctly, the DNAT should reroute the traffic into this black hole before the VPN config gets the chance to route requests to the internal network; because there is an order of preference to the way packets are handled, this is the only way to achieve the desired result before the VPN routes the traffic itself, meaning that firewall rules would be ineffective.
 
However, I have tried to configure this every which way I can think of now, and have so far been unable to get the desired result I'm looking for.
 
I currently have a full tunnel set up*, but I can't prevent internal network access. Any help with this would be greatly appreciated.
 
(*IP and WebRTC both change, but my DNS is leaking on Windows 10. I think this is because of the new way Windows handles DNS, as I get a full tunnel on my iPhone. Any thoughts?)
 
 
Below is my current configuration and an explanation of why the settings are there. If anything is wrong please let me know; I have included this firstly so that if I misunderstand anything you guys can tell me, and secondly as a reference for anyone who may find it useful in the future.
 
SSL VPN profile:
users and groups: VPN user group A (using a group so users can be added and removed from the group easily and will inherit all the correct settings.)
Local Networks: Internet IPv4
Automatic firewall rule checked
 
This creates the routing for the full tunnel so all traffic passes through the UTM.
 
 
Web filtering Local networks: added VPN user group A network
 
This gives the VPN user benefits of web filtering in exchange for a little overhead.
 
 
Masquerading NAT: VPN user group A network>External WAN interface
 
This gives the VPN user group access to the internet via the external WAN interface (the benefit of using Masquerading NAT is that your external IP can change and your NAT won't be affected).
 
 
NAT:
Position: 1
Rule: DNAT
From: VPN user group A network
Service: Any
Going to: Internal network
 
change to: black hole (random 'host' IP, unused private address 10.255.255.15)
service left blank
Automatic firewall rule checked
 
Supposed to drop traffic going to the internal network from the VPN profile, but it's still getting through currently.
 
 
Some wider configuration for context:
- A second SSL VPN profile for split tunnel access to internal network only is set up and working correctly. This is a remote box so no suggestions that kill my access please :D
- UTM is nested behind a router so double NATing is occurring. However, full tunnel internet access works as intended, as does VPN etc. The issue is disabling local network access, but I mention it just in case.
 
 
Is my current understanding about how this all should work correct?
Can you see where I'm going wrong here?
Is there any best practice I'm missing?
 
 
Thanks for your help


  • Hi, P M, and welcome to the UTM Community!

    If you haven't added the LAN to 'Local Networks' in the SSL VPN Profile, you shouldn't need that DNAT.  Which IPs are being reached, where are they and what test reveals them as reachable?  If it's a ping, what happens if you test after de-selecting 'Firewall forwards pings' on the 'ICMP' tab of 'Firewall'?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,
     
    Thanks very much and thanks for the comment,
     
    Ok thats interesting, Internet IPv4 is the only network definition in local networks on that SSL VPN profile.
     
    I have full-blown HTTP/HTTPS access to the internal network with this VPN profile; I have an ESXi host and a managed switch on the inside among other things, and the web pages load up no problem...
     
    To clarify, these are IPs that are being statically defined in, and distributed by DHCP from, the UTM on the internal network interface, they shouldn't be being accessed from anywhere without clear routing.
     
    I have 'gateway forwards pings' unchecked and things don't ping (although do once checked.) 
     
    Concerned that I may have done something really stupid, I jumped on a host outside the UTM, changed the gateway to the UTM's external WAN IP and tried to ping and access the internal network via HTTP/S - nothing, so the firewall is doing its job and I haven't opened the flood gates somehow, I don't think.
     
    So, there is VPN to internal network routing somewhere. It's interesting that even if I've made a mistake in the config, the DNAT doesn't drop the packets. I've checked the SSL VPN IP pool, user network and group networks in definitions to see if they're being used anywhere untoward, and they're not.
     
    I've combed this UTM for anything obvious and this one is stumping me. Any ideas?
     
    I'll run some tests when i get the chance over the weekend too.
     
    Thanks
  • The other "trick" is Web Filtering - I bet you have "VPN Pool (SSL)" in 'Allowed Networks' there.  You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. I also maintain a version in German, initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

     
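The probe below is an added example, not code from the thread or from Sophos, to tell the two cases in Bob's reply apart from the VPN client side. If the VPN pool is in the web filter's Allowed Networks, the UTM's transparent proxy accepts the client's HTTP/HTTPS connection itself and opens a fresh connection to the internal host, so the DNAT and the forwarding firewall never see a packet addressed to the LAN for that flow; non-web ports and ICMP still follow ordinary routing, which is why the pings stop when the UTM no longer forwards them. The port choices, the host addresses you pass in, and the open/refused/timeout classification are assumptions for the example.

```python
"""Probe internal hosts from a connected full-tunnel VPN client and classify
how they are being reached.  Hypothetical diagnostic, not Sophos code."""
import socket
import sys
from typing import Callable, Dict, Iterable

# Ports a transparent web proxy intercepts when the client's network is in the
# web filter's Allowed Networks.
WEB_PORTS = (80, 443)
# Ports no web proxy handles.  Assumption: pick ports the target is expected
# to listen on; a closed-but-reachable port still answers with an RST, which
# the probe reports as "refused" and counts as reached.
NON_WEB_PORTS = (22, 3389)


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'refused' or 'timeout' for a TCP connect to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # RST came back: the packet reached a host
    except OSError:        # timed out, no route, host unreachable
        return "timeout"


def probe(host: str, ports: Iterable[int],
          connect: Callable[[str, int], str] = tcp_probe) -> Dict[int, str]:
    """Run the connect function against every port; injectable for testing."""
    return {p: connect(host, p) for p in ports}


def diagnose(results: Dict[int, str]) -> str:
    """Classify one host's probe results.

    'routed'  - a non-web port answered (open or RST): packets really are
                being forwarded, so look at routing and firewall rules.
    'proxied' - only 80/443 connect: the transparent web proxy on the UTM is
                answering on the host's behalf; the DNAT never sees the flow.
    'blocked' - nothing answered.
    """
    non_web_reached = any(results.get(p) in ("open", "refused")
                          for p in NON_WEB_PORTS)
    web_open = any(results.get(p) == "open" for p in WEB_PORTS)
    if non_web_reached:
        return "routed"
    if web_open:
        return "proxied"
    return "blocked"


def main(argv):
    for host in argv[1:]:
        res = probe(host, WEB_PORTS + NON_WEB_PORTS)
        print(host, res, "->", diagnose(res))


if __name__ == "__main__":
    main(sys.argv)
```

Run it from a client connected to the full-tunnel profile with the internal hosts' addresses as arguments. A "proxied" verdict matches Bob's hint: the fix is in the web filter's Allowed Networks (take the VPN pool out), not in the NAT table; a "routed" verdict means something in routing or the forwarding rules is still letting the traffic through.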
  • Hi guys, quick update for anyone following the thread - every remote wanderer's worst nightmare, I lost access a day after my last post.
     
    This was thankfully due to an ISP change I wasn't aware of, not a mistake on my part (!), but I don't anticipate reconnection for a while (a new router means new port forwarding, networking etc. to set up, and it is a low priority on site; I'm not back for a long time). This leaves me without an ESXi box to play with or a UTM to troubleshoot.
     
    The original is still an issue for me that I intend to troubleshoot and solve! I will get back to you.