SSL VPN Split tunneling - when enabled I can't access my internal network.

Here are my network IPs:

VPN Pool (SSL)- 10.242.2.0/24
Internal Network - 10.100.16.0/20

Hi eddiejk,

Have you tried to download the new configuration after making a change to the Remote access profile? 

If you configure a full tunnel SSL VPN, you would need a firewall rule for the SSL VPN network and an MASQ rule to access the internet.

Thanks, 

I have a firewall rule that was created by the SSL VPN profile.  I need to create one for VPN Pool (SSL) to access Internet?  I created a MASQ rule so VPN Pool (SSL) so it can access Internal network.

Hi Eddie and welcome to the UTM Community!

The "Any" object gives strange results in several places.  Try:

If you don't want to allow all access, then you will want to de-select 'Automatic firewall rules' and make your own.  You might also want to add "VPN Pool (SSL)" to 'Allowed Networks' in Web Filtering.

Cheers - Bob

Hi Eddie and welcome to the UTM Community!

The "Any" object gives strange results in several places.  Try:

If you don't want to allow all access, then you will want to de-select 'Automatic firewall rules' and make your own.  You might also want to add "VPN Pool (SSL)" to 'Allowed Networks' in Web Filtering.

Cheers - Bob

Hi Bob,

I added Internet IPv4 instead of Any and put my internal networks, but I still can't access my servers.  Do you think I need to create the firewall rules?

Thanks

Eddie

If I do a route print, I can see my local network when split tunneling is disabled, but once it's enabled I can't see it anymore.

Eddie, please show a picture of the Edit of the Remote Access Profile.

Cheers - Bob

This screenshot shows the three routes I need.  The 10.100.16.0, 10.100.20.0 and 10.100.30.0.

This shows the routes when split tunneling is disabled.

Not sure what you're doing to enable/disable split tunneling.

I still think your real problem is your 10.0.0.0/8 subnet.  That's got to be creating routing problems with the smaller 10. subnets.

Cheers - Bob

Hi Bob,

Yes, you are correct.  That 10.0.0.0/8 subnet was created by our corporate IT so all of our work laptops have that.  I tried using a different laptop and it did work.