
L2TP IPSEC - unable to access internal pages on iPhone, Works on Android.

Hi

I am running UTM 9.506 and unable to figure out why I cannot access some of the internal pages (Sophos WebAdmin, User Portal, web UI for other devices); I do not see any drops in the firewall logs. Everything works flawlessly on my Android. I also tried the same with my Windows 10 machine, but got the same result as on the iPhone.

  • Hi and welcome to the UTM Community!

    Firewall rule #3 has no effect and should be deleted for clarity.  By definition, all traffic not specifically allowed is dropped by default, so #7 should also be deleted as it provides less information in the logs than does a default drop.

    In the DNS picture, you can delete "Internal (Address)" as it is included in "Internal (Network)."

    What do you mean by "cannot access" things - what would we see if we were in your place?  Are all devices connecting via WiFi?  Can you surf the Internet from all devices?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    iPhone - VPN from a Wi-Fi with range 192.168.1.0/24 - only the Internet works, but I can ping all the internal addresses

    iPhone - VPN from a Wi-Fi with a range 172.x.x.x or 10.x.x.x - everything works (Internet, internal devices incl. Sophos WebAdmin/User Portal)

    iPhone - VPN from 3G/4G - everything works (access to the Internet, internal devices incl. Sophos WebAdmin/User Portal)

    Android - everything works regardless.

    Thanks

  • What is your "Internal (Network)" subnet?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That is the same subnet on both sides of the connection. That is generally not recommended: how would your client now know (or even be able to decide) when to use its local network and when to send to the VPN for something in 192.168.1.0/24?

    If it's not possible to change one of the 192.168.1.0 subnets, then you might need to configure NAT inside the VPN so you can use just another subnet for just the VPN clients.

    Edit:

    Oh and by the way your last firewall rule not only is unnecessary but I think it will never ever apply since Any IPv4 as a source means any IPv4 traffic ORIGINATING from the internet going to Any IPv4, so going to any IPv4 address ON THE INTERNET.

    Basically you disallow traffic coming from the internet going back to the internet through your firewall....


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • apijnappels said:

    how would your client now know (or even be able) when to use it's local network and when to send to VPN for something in 192.168.1.0/24?

    I thought the "Send all traffic" switch on the iPhone L2TP client would take care of this? Also, I still don't understand how it works flawlessly on the Android.

    apijnappels said:
    If it's not possible to change 1 of the 192.168.1.0 subnets, then you might need to configure NAT inside the VPN so you can use just another subnet for just the VPN-clients.

    Which type of NAT do I need, 1:1 or SNAT?
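As an added illustration for the overlap apijnappels describes above and the follow-up questions about "Send all traffic" and NAT (this is not code from the thread, from Sophos, or from any iOS client): a small Python model of a VPN client's route selection. It shows why a client sitting on a 192.168.1.0/24 Wi-Fi LAN cannot unambiguously reach a 192.168.1.0/24 network behind the tunnel even with a default route pointing into the VPN, and how presenting the internal LAN to VPN clients under a different subnet that is mapped 1:1 to the real one removes the tie. The three-entry routing table, the "ties are ambiguous" rule, the helper names and the 10.99.1.0/24 NAT subnet are all constructed assumptions, not the UTM's or iOS's actual implementation.

```python
import ipaddress
from typing import List, Tuple

# Hypothetical, simplified model of a VPN client's routing table:
# one connected route for the local Wi-Fi LAN, one route for the network
# reached through the tunnel, and a single default route that points at
# the tunnel when "Send all traffic" is on and at the Wi-Fi gateway otherwise.
Route = Tuple[ipaddress.IPv4Network, str]


def build_routes(local_lan: str, vpn_network: str, send_all_traffic: bool) -> List[Route]:
    default_iface = "vpn" if send_all_traffic else "wifi"
    return [
        (ipaddress.ip_network(local_lan), "wifi"),       # directly connected LAN
        (ipaddress.ip_network(vpn_network), "vpn"),      # pushed by the VPN
        (ipaddress.ip_network("0.0.0.0/0"), default_iface),
    ]


def lookup(routes: List[Route], dst: str) -> List[str]:
    """Longest-prefix match for dst.

    Returns every interface whose route ties for the longest prefix. Two
    entries mean the table cannot decide; which one a real client picks then
    depends on the OS, which is exactly the situation to avoid. A default
    route (/0) never beats a connected /24, so "Send all traffic" does not
    resolve the tie.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in routes if addr in net]
    best = max(prefixlen for prefixlen, _ in matches)
    winners: List[str] = []
    for prefixlen, iface in matches:
        if prefixlen == best and iface not in winners:
            winners.append(iface)
    return winners


def subnets_overlap(a: str, b: str) -> bool:
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def nat_1to1(addr: str, nat_network: str, real_network: str) -> str:
    """Translate an address in the VPN-facing NAT network to the real LAN.

    Host bits are preserved, so 10.99.1.50 maps to 192.168.1.50 (constructed
    example values). Both networks must have the same prefix length.
    """
    nat = ipaddress.ip_network(nat_network)
    real = ipaddress.ip_network(real_network)
    if nat.prefixlen != real.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized networks")
    host_bits = int(ipaddress.ip_address(addr)) - int(nat.network_address)
    return str(ipaddress.ip_address(int(real.network_address) + host_bits))


if __name__ == "__main__":
    remote_lan = "192.168.1.0/24"  # the UTM's internal network from the thread
    for local in ("192.168.1.0/24", "172.16.5.0/24"):  # constructed client LANs
        routes = build_routes(local, remote_lan, send_all_traffic=True)
        print(f"client on {local}: overlap={subnets_overlap(local, remote_lan)}, "
              f"192.168.1.50 -> {lookup(routes, '192.168.1.50')}, "
              f"8.8.8.8 -> {lookup(routes, '8.8.8.8')}")

    # Constructed alternative: present the internal LAN to VPN clients as
    # 10.99.1.0/24 (a subnet the client does not use locally) via 1:1 NAT.
    nat_net = "10.99.1.0/24"
    routes = build_routes("192.168.1.0/24", nat_net, send_all_traffic=True)
    print(f"with 1:1 NAT: 10.99.1.50 -> {lookup(routes, '10.99.1.50')}, "
          f"which the gateway maps to {nat_1to1('10.99.1.50', nat_net, remote_lan)}")
```

Running it prints a two-way tie for 192.168.1.50 when the client's own LAN is 192.168.1.0/24, a clean "vpn" answer from the 172.16.5.0/24 LAN, and a clean "vpn" answer for the NAT'd 10.99.1.50 address, which matches the behaviour reported in the thread.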

  • Basic networking.  Try with the Android from the network with 192.168.1.0/24 where the iPhone had routing problems.  If that works, then the client in the Android is not working as it should.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA