Routing all traffic from LAN to Internet over VPN Tunnel in DMZ

I think you need te create a policy route under Interfaces and routing -> static routing -> policy routes with the following settings:

Route type: Gateway route
Source interface: Internal
Source network: Internal (Network)
Service: any (if you want all traffic to be routed this way or ie. Web Surfing for just web surfing protocols and nothing else
Destination network: Internet IPv4 (or if you also use IPv6 you can make a group where you combine Internet IPv4 and IPv6 into 1 group or make an additional route)
Gateway: Your router in DMZ 10.0.0.2

This will send all selected traffic (configured under service) coming from your internal network arriving on the internal interface destined for the internet to the router in your DMZ.

PS. Why do you masquerade your internal network to your DMZ? If you make sure that your router 10.0.0.2 knows how to get to your internal network you can just route from internal to dmz and you don't need to use NAT....

Thanks for your reply. I created under Network Definitions - Type Host - Router with IP 10.0.0.2 , no DHCP / Hostname marked and also Reverse DNS.

Then created Gateway Route with Service Any and Gateway Router 10.0.0.2

Deleted Masquerade from Internal to DMZ

When going to Internet it seems that Internet access is going direct from LAN Internal to WAN Interface, not over the created Gateway route .

Do i have to adapt also the Firewall Rules LAN -> Web Surfing - Internet Ipv4 , to get it work, what I’m missing?

best regards

Internet Access over the VPN Tunnel is working yet.. You where absolute correct, when you mentioned that the web filter transparent setup will intercept with http(s) traffic. So what i did to get it work was:

Web Protection - Filtering Options - Misc

Transparent Mode Skiplist

Add Internal Network

Mark Allow HTTP/S traffic for listed hosts/nets

So the Internet access is working over the Tunnel. But what is not working when connected with LAN Client to VPN Tunnel, the IMAP / SMTP Ports for Gmail are Closed (993, 465, 587) ping is possible

I connected then the Client again direct to the VPN Router and give him IP Config from DMZ Network, Gateway 10.0.0.2 and DNS 10.0.0.1.

When checking then Internet and eMail works fine. All Ports are open through the tunnel.

Here arte the Rules what i have in place yet.

Firewall Rule is still DMZ Network -> Any -> Internet IPv4

Gateway Route Internal - > Internal Network -> Any -> Internet IPv4 - > VPN Router

Any Idea what else I’m missing , why are the ports for mail blocked on LAN Client?

thanks

You need to also allow the desired protocols (imap, smtp, etc) (or choose Email Messaging service group to catch most email protocols at once) from internal to Internet IPv4 in the firewall rules.

Have this Firewall Rule already from Internal -> Email Messaging Group -> IPv4. Doing telnet IMAP / SMTP from LAN Client works, till I activate Policy Gateway Rule, then Mail Ports are closed on LAN Clients

Can you find a clue in the firewall log whether the packet might be stopped (or allowed)?

Yes, When Policy Gateway Rule is activated, FW Log information is that access to 993 is Droped.

I add then for testing DMZ Network -> ANY - > Internal Network FW Rule, but still get Droped

Dont know what else can be interfering?

I believe 192.168.0.0/24 is your internal network, the above example shows that from your host 192.168.0.10 outgoing traffic to 66.102.1.109 (which is Internet IPv4) on port 993 is default dropped. That would indicate that you don't have a firewall rule allowing the traffic on port 993 (IMAP SSL).

Maybe IMAP SSL is not inside your Email Messaging group...

See my picture on how the firewall rule should look like (I also ticked 'Log traffic' so that if it is allowed, it will also be displayed in the firewall log).

Please see here the Firewall Rules

Yes, Internal Network is 192.168.0.0 /24

Email Messaging Group has the Services

IMAP / 143

IMAP SSL / 993

POP 3 / 110

POP3 SSL / 995

SMTP / 25

SMTP SSL / 465

When I disable the Gateway Route the Client can connect, please see here

When I enable the Gateway Route again, the same Client is Droped

Here is also the Config of the Gateway Rule

Could you create another firewall rule (like 6) but instead of using Internal (Network) as source create a new "Network" definition also als 192.168.0.0/24 and make sure that under Advanced interface is listed as << any >> (this is default).

It's a little bit a guess, but please try this and let us know what happens.

Created yet the following

Deactivated Rule 6 and add this instead

Same Result, when i activate Policy Route , surfing over VPN Tunnel work, but Mail Ports closed, and FW Log show Drop

When disabling Policy Route, eMail works fine Ports are Open, but surfing over VPN Tunnel did not work 

Good that it works now and indeed a little strange since you had both internal -> internet IPv4 and internal -> dmz and dmz -> internet IPv4 allow rules IIRC.

Perhaps someone can explain why in this case specifically "any" is required, I don't have an explanation for it.

I was just wondering if I should change all rules with destination Internet IPv4 to Any?

Personally I wouldn't do that because any is really any.... Sometimes you just want rules to apply to traffic going to the internet and not for traffic going to any location (dmz, or other (sub)nets you may have).

ok will keep this in mind. Thanks a Lot for your Help

best Regards