
Remote access (PPTP or L2TP) with internal LAN IP never worked

Hello,

Here's something I've tried to do over the years in ASG/UTM and never got to work:

Using a PPTP client with the internal LAN DHCP server.

The connection is established correctly and the client gets an IP from the DHCP server in the LAN... but that's as far as it gets; no traffic passes whatsoever, even when I set a packet filter rule for that user network.

So, what am I doing wrong?

The idea is to replace a Windows RRAS server, which already has the advantage that it works as an L2 ARP proxy, meaning that once a user is logged in they have FULL ACCESS to the network as if they were plugged into a switch port, for example accessing devices that have NO gateway set or a gateway that's different from the UTM. AFAIK this is not possible with UTM currently....

In the live log I even see "found interface eth0 for proxy arp", but nothing.



This thread was automatically locked due to age.
  • Hi,

    Can you post the related log lines on this issue? Where are you trying to pass the traffic after the VPN connection is established?

    My takes, configure a VPN_LAN and LAN_VPN FW rule.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials

  • I want the PPTP clients to have the same addressing as the LAN and full access to it (or whatever I choose to allow based on FW rules), regardless of whether the station accessed routes through the UTM box or not, just like RRAS! (which does a full ARP proxy).

    For example, in this scenario:

    LAN is 10.10.10.0/24

    UTM is 10.10.10.1

    RRAS server is 10.10.10.5

    There's a server at 10.10.10.10 with gateway 10.10.10.100

    With a Windows RRAS server, the PPTP client logs in, gets an address in 10.10.10.0/24 and gets full traffic access to 10.10.10.10, regardless of gateway, as it essentially works like an Ethernet port on a switch.

    With UTM and the external DHCP server: the PPTP client logs in, gets an address in 10.10.10.0/24 and... that's it, no traffic passes.

    With UTM and the internal VPN pool: the PPTP client logs in, gets an address in the 10.242.1.0/24 range, and ONLY gets access to devices that have the UTM as default gateway (which is correct, as it's a route to a different network).

    The rule from VPN to LAN is already done; I didn't do the LAN_VPN one because access to the clients from the LAN is not needed.

    There's not much in the log; you can clearly see how in the first case there are ZERO bytes sent.

    Here's with the external DHCP:

    2016:10:11-14:25:48 utm pppd-pptp[9282]: Using interface ppp1
    2016:10:11-14:25:48 utm pppd-pptp[9282]: MPPE 128-bit stateless compression enabled
    2016:10:11-14:25:48 utm pppd-pptp[9282]: DHCPC: Using relay address of '10.10.10.15'
    2016:10:11-14:25:48 utm pppd-pptp[9282]: DHCPC: Unicasting to server '10.10.10.35' only
    2016:10:11-14:25:48 utm pppd-pptp[9282]: DHCPC: Sending discover...
    2016:10:11-14:25:48 utm pppd-pptp[9282]: DHCPC: Sending select for 10.10.10.154...
    2016:10:11-14:25:48 utm pppd-pptp[9282]: DHCPC: Lease of 10.10.10.154 obtained, lease time 3600
    2016:10:11-14:25:50 utm pppd-pptp[9282]: found interface eth0 for proxy arp
    2016:10:11-14:25:50 utm pppd-pptp[9282]: local  IP address 10.242.1.1
    2016:10:11-14:25:50 utm pppd-pptp[9282]: remote IP address 10.10.10.154
    2016:10:11-14:25:50 utm pppd-pptp[9302]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="ggl" variant="pptp" srcip="190.111.116.149" virtual_ip="10.10.10.154"
    2016:10:11-14:36:12 utm pppd-pptp[9282]: LCP terminated by peer (s^TfP^@<M-Mt^@^@^@^@)
    2016:10:11-14:36:12 utm pppd-pptp[9282]: Connect time 10.4 minutes.
    2016:10:11-14:36:12 utm pppd-pptp[9282]: Sent 0 bytes, received 63310 bytes.
    2016:10:11-14:36:12 utm pppd-pptp[9282]: Modem hangup
    2016:10:11-14:36:12 utm pppd-pptp[9282]: Connection terminated.

     

    And here's with the usual pool:

    2016:10:11-16:03:19 utm pppd-pptp[25254]: Using interface ppp1
    2016:10:11-16:03:19 utm pppd-pptp[25254]: MPPE 128-bit stateless compression enabled
    2016:10:11-16:03:21 utm pppd-pptp[25254]: Cannot determine ethernet address for proxy ARP
    2016:10:11-16:03:21 utm pppd-pptp[25254]: local  IP address 10.242.1.1
    2016:10:11-16:03:21 utm pppd-pptp[25254]: remote IP address 10.242.1.2
    2016:10:11-16:03:22 utm pppd-pptp[25265]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="user" variant="pptp" srcip="190.111.116.149" virtual_ip="10.242.1.2"
    2016:10:11-16:11:02 utm pppd-pptp[25254]: Modem hangup
    2016:10:11-16:11:02 utm pppd-pptp[25254]: Connect time 7.7 minutes.
    2016:10:11-16:11:02 utm pppd-pptp[25254]: Sent 2919 bytes, received 32012 bytes.
    2016:10:11-16:11:02 utm pppd-pptp[25254]: MPPE disabled
    2016:10:11-16:11:02 utm pppd-pptp[25254]: Connection terminated.
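The two log excerpts above carry all the information needed to tell the "connected but dead" session from the working one: whether the address came from a DHCPC lease or the pool, whether pppd found a LAN interface for proxy ARP, how long the session stayed up and how many bytes the UTM sent back. The following parser is an added example (it is not part of the thread and not Sophos code); it assumes the pppd-pptp line format shown in the posts, joins the `Connection started` event to its session on `virtual_ip` because that event is logged by a different child PID, and flags sessions that received traffic but sent zero bytes for longer than a minute. The sample log is constructed from the lines quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample built from the two pppd-pptp sessions quoted in the post above.
SAMPLE_LOG = """\
2016:10:11-14:25:48 utm pppd-pptp[9282]: Using interface ppp1
2016:10:11-14:25:48 utm pppd-pptp[9282]: DHCPC: Lease of 10.10.10.154 obtained, lease time 3600
2016:10:11-14:25:50 utm pppd-pptp[9282]: found interface eth0 for proxy arp
2016:10:11-14:25:50 utm pppd-pptp[9282]: local  IP address 10.242.1.1
2016:10:11-14:25:50 utm pppd-pptp[9282]: remote IP address 10.10.10.154
2016:10:11-14:25:50 utm pppd-pptp[9302]: id="2201" severity="info" sys="SecureNet" sub="vpn" event="Connection started" username="ggl" variant="pptp" srcip="190.111.116.149" virtual_ip="10.10.10.154"
2016:10:11-14:36:12 utm pppd-pptp[9282]: Connect time 10.4 minutes.
2016:10:11-14:36:12 utm pppd-pptp[9282]: Sent 0 bytes, received 63310 bytes.
2016:10:11-16:03:19 utm pppd-pptp[25254]: Using interface ppp1
2016:10:11-16:03:21 utm pppd-pptp[25254]: Cannot determine ethernet address for proxy ARP
2016:10:11-16:03:21 utm pppd-pptp[25254]: remote IP address 10.242.1.2
2016:10:11-16:11:02 utm pppd-pptp[25254]: Connect time 7.7 minutes.
2016:10:11-16:11:02 utm pppd-pptp[25254]: Sent 2919 bytes, received 32012 bytes.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ pppd-pptp\[(?P<pid>\d+)\]: (?P<msg>.*)$")


@dataclass
class Session:
    pid: str
    remote_ip: Optional[str] = None        # address handed to the PPTP client
    addr_source: str = "pool"              # becomes "dhcp" when a DHCPC lease is logged
    proxy_arp_iface: Optional[str] = None  # set when pppd found a LAN interface to proxy-ARP on
    username: Optional[str] = None
    minutes: Optional[float] = None
    sent: Optional[int] = None             # bytes the UTM sent towards the client
    received: Optional[int] = None


def parse_sessions(text: str) -> Dict[str, Session]:
    """Group pppd-pptp lines into sessions keyed by the pppd PID."""
    sessions: Dict[str, Session] = {}
    users_by_ip: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if 'event="Connection started"' in msg:
            # Logged by a separate child PID, so join on virtual_ip rather than PID.
            u = re.search(r'username="([^"]*)"', msg)
            v = re.search(r'virtual_ip="([^"]*)"', msg)
            if u and v:
                users_by_ip[v[1]] = u[1]
            continue
        s = sessions.setdefault(m["pid"], Session(pid=m["pid"]))
        if msg.startswith("DHCPC: Lease of"):
            s.addr_source = "dhcp"
        elif (pa := re.match(r"found interface (\S+) for proxy arp", msg)):
            s.proxy_arp_iface = pa[1]
        elif msg.startswith("remote IP address "):
            s.remote_ip = msg.split()[-1]
        elif (ct := re.match(r"Connect time ([\d.]+) minutes", msg)):
            s.minutes = float(ct[1])
        elif (tx := re.match(r"Sent (\d+) bytes, received (\d+) bytes", msg)):
            s.sent, s.received = int(tx[1]), int(tx[2])
    for s in sessions.values():
        if s.remote_ip:
            s.username = users_by_ip.get(s.remote_ip)
    return sessions


def one_way_sessions(sessions: Dict[str, Session], min_minutes: float = 1.0) -> List[Session]:
    """Sessions that stayed up, received data from the client, but the UTM sent
    nothing back: the symptom the post describes for the external-DHCP case."""
    return [s for s in sessions.values()
            if s.sent == 0 and (s.received or 0) > 0 and (s.minutes or 0) >= min_minutes]


if __name__ == "__main__":
    for s in one_way_sessions(parse_sessions(SAMPLE_LOG)):
        print(f"pid {s.pid}: user={s.username} ip={s.remote_ip} source={s.addr_source} "
              f"proxy_arp={s.proxy_arp_iface} up={s.minutes}min sent={s.sent} recv={s.received}")
```

Run against the quoted lines it reports only PID 9282 (user ggl, DHCP address 10.10.10.154, proxy ARP on eth0, 0 bytes sent in 10.4 minutes); the pool session 25254 sent 2919 bytes and is not flagged. Pointing the same parser at the full `pppd-pptp` log gives a quick count of how many sessions show this pattern before changing the address assignment.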
  • I bet this still causes routing problems. Does the routing table confirm that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • What routing problem? If it uses the internal LAN range it should L2 ARP to the client; again, like Win RRAS does, no routing whatsoever (just like a RED tunnel).

    What's the point of having the choice of an external DHCP server if it's not going to work?

    Has no one else ever done this?

  • All I can tell you was that this used to work, but then, sometime in V7, I think, it started causing routing problems.  I developed a habit of never configuring Remote Access to use the same subnet as any of the ones defined on the LANs.  You can use a different DHCP server if you have enough of them.  If the devs have changed this in a newer version of V9, it's news to me.  That's the reason I asked about your routes table - to see if there was any conflict.

    Cheers - Bob

  • The thing is that any routed connection WON'T L2 ARP to the LAN, which is what I'd like to have.
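The difference the thread keeps circling back to is the return path: a LAN host answers a VPN client by ARPing for it if the client's address is inside the LAN prefix (so the UTM's proxy ARP on eth0 can pick the frame up), but by handing the reply to its own default gateway if the address is in a separate pool such as 10.242.1.0/24, and that gateway is only the UTM for some hosts. The model below is an added example, not from the thread or from Sophos. It replays the post's scenario (LAN 10.10.10.0/24, UTM 10.10.10.1, server 10.10.10.10 with gateway 10.10.10.100) and generalizes it in two ways that the thread does not discuss: the other gateway gets a constructed upstream address 203.0.113.1, and an optional static route on that gateway sends the pool back via the UTM. It shows what proxy ARP is supposed to achieve, which is exactly why the "found interface eth0 for proxy arp" line followed by "Sent 0 bytes" is the surprising part of the first log.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ON_LINK = "on-link"


@dataclass
class Node:
    """A LAN host or router: its address, default gateway and any static routes."""
    name: str
    ip: str
    gateway: str
    routes: Dict[str, str] = field(default_factory=dict)  # CIDR -> next-hop IP


def next_hop(node: Node, dst: str, lan: str) -> str:
    """Where this node sends a packet for dst: directly (ARP) if dst is inside the
    LAN prefix, otherwise the longest matching static route, otherwise the default gateway."""
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in ipaddress.ip_network(lan):
        return ON_LINK
    best_len, best_nh = -1, node.gateway
    for cidr, nh in node.routes.items():
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and net.prefixlen > best_len:
            best_len, best_nh = net.prefixlen, nh
    return best_nh


def reply_path(src: Node, client_ip: str, lan: str, utm_ip: str,
               utm_proxy_arp: bool, routers: Dict[str, Node],
               max_hops: int = 4) -> Tuple[bool, List[str]]:
    """Trace a LAN host's reply towards a VPN client. Returns (delivered, hops)."""
    node, hops = src, [src.name]
    for _ in range(max_hops):
        nh = next_hop(node, client_ip, lan)
        if nh == ON_LINK:
            # The client is not on the wire; the frame reaches it only if the UTM answers
            # the ARP request on its behalf (pppd: "found interface eth0 for proxy arp").
            if utm_proxy_arp:
                hops += [f"UTM {utm_ip} answers ARP for {client_ip}", "ppp link"]
                return True, hops
            hops.append(f"ARP for {client_ip} unanswered")
            return False, hops
        if nh == utm_ip:
            hops += [f"UTM {utm_ip} (routed)", "ppp link"]
            return True, hops
        if nh not in routers:
            hops.append(f"next hop {nh} is not a LAN router; reply leaves the LAN and is lost")
            return False, hops
        node = routers[nh]
        hops.append(node.name)
    hops.append("hop limit exceeded (routing loop?)")
    return False, hops


LAN, UTM = "10.10.10.0/24", "10.10.10.1"
# Scenario from the post: a server whose default gateway is NOT the UTM.
SERVER = Node("server 10.10.10.10", "10.10.10.10", gateway="10.10.10.100")
# Constructed: the other gateway's upstream address is not given in the thread.
OTHER_GW = Node("gateway 10.10.10.100", "10.10.10.100", gateway="203.0.113.1")
ROUTERS = {OTHER_GW.ip: OTHER_GW}


def reply_with_lan_dhcp_address():
    """External DHCP case: client holds 10.10.10.154 and pppd proxy-ARPs on eth0."""
    return reply_path(SERVER, "10.10.10.154", LAN, UTM, True, ROUTERS)


def reply_with_pool_address():
    """Internal pool case: client holds 10.242.1.2; no proxy ARP is possible."""
    return reply_path(SERVER, "10.242.1.2", LAN, UTM, False, ROUTERS)


def reply_with_pool_address_and_static_route():
    """Generalization: the other gateway carries a route for the pool via the UTM."""
    gw = Node(OTHER_GW.name, OTHER_GW.ip, OTHER_GW.gateway, routes={"10.242.1.0/24": UTM})
    return reply_path(SERVER, "10.242.1.2", LAN, UTM, False, {gw.ip: gw})


if __name__ == "__main__":
    for fn in (reply_with_lan_dhcp_address, reply_with_pool_address,
               reply_with_pool_address_and_static_route):
        ok, hops = fn()
        print(f"{fn.__name__}: {'delivered' if ok else 'DROPPED'} via {' -> '.join(hops)}")
```

With the post's numbers, the LAN-address reply is delivered through proxy ARP, the pool-address reply from the server is handed to 10.10.10.100 and leaves the LAN, and a host whose gateway is the UTM gets its pool reply delivered, matching the "ONLY devices that have the UTM as default gateway" observation. The static-route variant shows what a routed design needs from every other gateway on the LAN, which is the operational cost the RRAS-style L2 approach avoids.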