Routing all traffic from LAN to Internet over VPN Tunnel in DMZ

Sophos UTM Configuration

Interfaces

External (WAN)   82.x.x.x
DMZ              10.0.0.1 /8
Internal (LAN)   192.168.0.1 /24

Network Services - DNS - Global - Allowed Networks

DMZ Network
LAN Network

Forwarders - DNS Forwarders

Google DNS 1
Google DNS 2

Network Services - DHCP

Interface: Internal
Range Start: 192.168.0.100
Range End: 192.168.0.110
DNS Server 1: 192.168.0.1
Default Gateway: 192.168.0.1

Network Protection - Firewall

Internal Network -> DNS, HTTP, HTTPS, HTTP Proxy, HTTP Web Cache, FTP, TFTP -> Internet IPv4
Internal Network -> Any -> DMZ Network
DMZ Network -> Any -> Internet IPv4

NAT - Masquerading

Internal Network - External WAN
Internal Network - DMZ Network
DMZ Network - External WAN

Web Protection - Web Filtering - Global - Transparent Mode

Allowed Networks

DMZ Network
Internal Network

DMZ Router (VPN Client) Configuration

10.0.0.2
255.0.0.0
GW 10.0.0.1
DNS 10.0.0.1

The VPN client router in the DMZ with IP 10.0.0.2 is connected to an external VPN service. When I connect my notebook directly to this router and set the following IP configuration manually on the notebook:

10.0.0.5
255.0.0.0
GW: 10.0.0.2
DNS: 10.0.0.1

I can connect to the Internet via the VPN tunnel; it works perfectly.

But when I connect my notebook to the internal LAN network and get the IP configuration via DHCP (192.168.0.x), I can ping the UTM interface 10.0.0.1 and the router 10.0.0.2.

How do I have to adapt the routing and firewall settings in Sophos UTM so that all Internet access from 192.168.0.0/24 is routed over 10.0.0.0/8 through the VPN tunnel?

Thanks a lot!

  • I think you need to create a policy route under Interfaces & Routing -> Static Routing -> Policy Routes with the following settings:

    Route type: Gateway route
    Source interface: Internal
    Source network: Internal (Network)
    Service: Any (if you want all traffic to be routed this way), or e.g. Web Surfing for just the web surfing protocols and nothing else
    Destination network: Internet IPv4 (or, if you also use IPv6, you can make a group where you combine Internet IPv4 and IPv6 into one group, or make an additional route)
    Gateway: your router in the DMZ, 10.0.0.2

    This will send all selected traffic (configured under Service) coming from your internal network, arriving on the internal interface and destined for the Internet, to the router in your DMZ.

    PS. Why do you masquerade your internal network to your DMZ? If you make sure that your router 10.0.0.2 knows how to get to your internal network, you can just route from internal to DMZ and you don't need to use NAT.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Thanks for your reply. Under Network Definitions I created a host (type Host) named Router with IP 10.0.0.2, with no DHCP / Hostname marked and also no Reverse DNS.

    Then I created a gateway route with Service Any and Gateway Router 10.0.0.2.

    Deleted the masquerade from Internal to DMZ.

    When going to the Internet it seems that Internet access is going directly from the LAN (Internal) to the WAN interface, not over the created gateway route.

    Do I also have to adapt the firewall rule LAN -> Web Surfing -> Internet IPv4 to get it working? What am I missing?

    Best regards

  • Hello apijnappels,

    After restarting the UTM and the VPN router, with the created gateway rule (Any), I get the following results when connected with the notebook / PC to the LAN:

    - Traceroute to google.com goes through 192.168.0.1 -> 10.0.0.2 -> VPN tunnel -> google.com, so traffic goes through the tunnel.

    - Internet access is working fine, but when checking the public IP, it's my provider's IP, not the public one I should get when surfing through the tunnel.

    - When the gateway rule is activated the local mail client stops working; IMAP port 993 and SMTP 465 are closed.

    Connecting the notebook / PC directly to the VPN router in the DMZ:

    - Traceroute to google.com goes through 192.168.0.1 -> 10.0.0.2 -> VPN tunnel -> google.com, so traffic also goes through the tunnel.

    - Internet access works, and I get a different public IP, from the VPN, so surfing works through the VPN tunnel.

    - Mail client works; IMAP / SMTP ports are open.

    What setting am I missing to get everything working from the LAN network as well?

    Thx

    Best regards

  • I didn't notice earlier, but it's because of your transparent web filtering setup. This will intercept all HTTP(S) traffic from Internal (since Internal is configured to use it), hence it will not be sent using the gateway route.

    If you either remove Internal from the web filtering or disable web filtering completely, I think it will work. Or it may also work if you create another gateway route like the first one, but instead of Internal (Network) as source, try Internal (Address) so it applies specifically to the UTM itself (this may or may not work, I honestly don't know).



  • Hello,

    I tried disabling web filtering completely: ping / traceroute / nslookup to google.com over the VPN tunnel are working, but browsing the Internet is not possible.

    When I change Internal Network to Internal Address in the GW rule, traffic goes directly to the Internet, not over the VPN tunnel.

    I also tried with the IDS and Advanced Threat Protection settings deactivated, same result. Besides the masquerading rules, do I need some special NAT rules in this configuration?

    Thx

  • I don't think you need NAT rules since ping and traceroute are working fine. You may need a firewall rule though, allowing the specified traffic (Web Surfing) from Internal to DMZ, if you don't have this rule yet.



  • The firewall rules that are already in place are Internal Network -> Any -> DMZ Network and DMZ Network -> Any -> Internet IPv4. Do I also need to have a rule back from DMZ to Internal Network?
  • When logged in to the VPN router I can ping the Sophos DMZ interface 10.0.0.1, but I cannot ping the 192.168.0.1 LAN interface. When trying a traceroute to 192.168.0.1, the trace is sent over the VPN tunnel and gets lost.

    I was wondering if I also have to add a route to the LAN network on the DMZ router?

  • Yes, that would indeed be necessary, otherwise the DMZ router doesn't know where to send the traffic back. You will need to point the internal subnet to the IP-address of the DMZ interface of the UTM.


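The forward and return paths discussed in the two posts above, as an added example in Python (not Sophos code and not from anyone in this thread): a longest-prefix-match model of the UTM and DMZ router route tables. The tables, the policy route and the public address 203.0.113.10 are constructed from the thread's description and are assumptions; the model shows the LAN client's traffic entering the tunnel, the replies going back into the tunnel and getting lost while the DMZ router has no route to the LAN, and delivery once 192.168.0.0/24 via 10.0.0.1 is added. The transparent web filter's interception of HTTP(S) is not modelled here.

```python
from copy import deepcopy
from ipaddress import ip_address, ip_network

# Constructed route tables for the devices in the thread (assumptions, not a UTM
# export). Entry: (prefix, next hop); "direct" = on-link, "wan" = provider uplink,
# "tunnel" = handed into the VPN tunnel.
ROUTES = {
    "utm": [("192.168.0.0/24", "direct"), ("10.0.0.0/8", "direct"),
            ("0.0.0.0/0", "wan")],
    "vpn_router": [("10.0.0.0/8", "direct"), ("0.0.0.0/0", "tunnel")],
}
# The thread's policy route: Internal (Network) -> Internet IPv4 -> 10.0.0.2
# (Internet IPv4 approximated here as the default prefix).
POLICY_ROUTES = [("192.168.0.0/24", "0.0.0.0/0", "10.0.0.2")]
# Which device owns which next-hop address.
OWNER = {"10.0.0.1": "utm", "192.168.0.1": "utm", "10.0.0.2": "vpn_router"}

def lookup(table, dst):
    """Longest-prefix match over one table; None if nothing covers dst."""
    best = None
    for prefix, nh in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def next_hop(device, src, dst, routes, policy):
    """The UTM consults its source-aware policy routes before the plain table."""
    if device == "utm":
        for s, d, gw in policy:
            if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
                return gw
    return lookup(routes[device], dst)

def trace(src, dst, device, routes=ROUTES, policy=POLICY_ROUTES, max_hops=8):
    """Follow a packet device by device; the last element says where it ended up."""
    path = []
    for _ in range(max_hops):
        path.append(device)
        nh = next_hop(device, src, dst, routes, policy)
        if nh == "direct":
            return path + ["delivered"]
        if nh in ("wan", "tunnel"):
            return path + [nh]
        device = OWNER.get(nh)
        if device is None:  # no route at all, or a gateway on no known device
            return path + ["lost"]
    return path + ["loop"]

def with_return_route(routes=ROUTES):
    """The fix from the thread: the DMZ router learns the LAN sits behind 10.0.0.1."""
    fixed = deepcopy(routes)
    fixed["vpn_router"].insert(0, ("192.168.0.0/24", "10.0.0.1"))
    return fixed
```

Call trace("203.0.113.10", "192.168.0.100", "vpn_router") with and without with_return_route() to see the reply path change from "tunnel" to delivery through the UTM.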

  • Internet access over the VPN tunnel is working now. You were absolutely correct when you mentioned that the transparent web filter setup will intercept HTTP(S) traffic. So what I did to get it working was:

    Web Protection - Filtering Options - Misc

    Transparent Mode Skiplist

    Add Internal Network

    Mark "Allow HTTP/S traffic for listed hosts/nets"

    So Internet access is working over the tunnel. But what is not working, when connected with a LAN client through the VPN tunnel, is that the IMAP / SMTP ports for Gmail are closed (993, 465, 587); ping is possible.

    I then connected the client directly to the VPN router again and gave it an IP configuration from the DMZ network, gateway 10.0.0.2 and DNS 10.0.0.1.

    When checking then, Internet and email work fine. All ports are open through the tunnel.

    Here are the rules I have in place now.

    Firewall rule is still DMZ Network -> Any -> Internet IPv4

    Gateway route: Internal -> Internal Network -> Any -> Internet IPv4 -> VPN Router

    Any idea what else I'm missing, why the ports for mail are blocked on the LAN client?

    thanks

  • You need to also allow the desired protocols (imap, smtp, etc) (or choose Email Messaging service group to catch most email protocols at once) from internal to Internet IPv4 in the firewall rules.



  • I already have this firewall rule: Internal -> Email Messaging group -> IPv4. Doing telnet to IMAP / SMTP from a LAN client works until I activate the policy gateway rule; then the mail ports are closed on the LAN clients.

     

  • Can you find a clue in the firewall log whether the packet might be stopped (or allowed)?

