Routing problem?

Hi.

First of all hello, I'm Piotr.

I have some problems with setting my UTM Virtual Appliance.

Here is my situation:

Host PC with CentOS 8.1 and KVM as hypervisor.

3 virtual machines:

 - first is Sophos UTM;

 - second is CentOS 8.1 for services;

 - third is CentOS 8.1 for games.

Host PC has two network cards. One (let's call it eth2) is for Internet (WAN) access, the other (eth1) is for local LAN.

WAN NIC has a random IP set, and LAN has an IP from the local subnet.

In Sophos virtual machine I have 3 NICs:

 - eth1 is connected through bridge0 to eth1 (LAN) on host and has IP address from local subnet

 - eth2 - bridge1 to eth2 (WAN) on host and has IP address as given by ISP. MAC is also changed.

 - eth5 is added manually and I will come back to it later.

Bridges are set because KVM manager in CentOS said that vmtap (which connects directly to host NICs) sometimes doesn't allow connection with host and it was correct in my case. I could log in on console but was unable to ping my UTM.

This configuration works perfectly when I'm locally connected to the network in my house. The problem starts when I want to connect by using VPN, when I'm at work. I can connect to all virtual machines, using their local addresses. I'm unable to contact the host PC. I can log into one of the virtual CentOS instances and then into the host PC, but I want/need direct access to the host.

I can ping host from other VMs and vice versa. The host can't ping UTM but has Internet access. What I can't do is connect to host through UTM SSL VPN.

This is where eth5 appeared. I'm using it for host only network and I can ping host by using this interface. Host can also ping UTM. I called this dedicated network “Management” and added some rules that when something is trying to reach this subnet it should use eth5. With all this set I still can't reach Host PC when I'm connected by VPN.

This is why I'm looking here for help. Please tell me what settings from my UTM do you need and I'll paste it here.

I hope the description is clear enough.

  • Hi

    Is it possible for you to draw a simple network diagram with IP schema mentioned in it? Also, share the configuration for SSL VPN remote access. 

  • In reply to Jaydeep:

    Thank you for the answer.

    Here is my network schema. I hope it's clearer now. I can do it better but I have no idea what software to use for it.

    My SSL VPN configuration looks like this:

  • In reply to Piotr Pytynski:

    This is enough for further troubleshooting.

    I wanted to know if you can check the packet flow using TCPDUMP by SSHing into UTM 9? I don't see any issues with configuration. The only thing that I can think of is Local Windows Firewall on your Host PC not allowing remote subnets to RDP. Please check the packet flow and see if it's the UTM or the Host PC not responding to traffic.

    To monitor the packet flow, please take SSH access (refer to this KBA https://community.sophos.com/kb/en-us/133645) and then enter the following command to check the packet flow:

    tcpdump -nei any host <IP of Host PC> and host <SSL_VPN_IP of your work laptop> and port <RDP Port>

    After applying this, when you attempt RDP of the Host PC, you will see packets coming in from tun0 (which is SSL VPN virtual interface) and being sent out from the LAN interface to Host PC. It will give you an idea about what's going on with the traffic. 
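    To read such a capture without eyeballing every line, here is a small Python helper (an added example, not from the thread or from Sophos) that groups `tcpdump -nei any` output by TCP connection and reports, per connection, whether the SYN arriving on tun0 was sent back out by the UTM and whether anything came back from the host; the sample lines are constructed in the thread's address scheme.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `tcpdump -nei any` (Linux cooked capture).
# Flow 1: SYN from the VPN client is forwarded twice, nothing ever comes back.
# Flow 2: SYN is forwarded and the server answers with SYN-ACK.
SAMPLE_CAPTURE = """\
13:37:02.286650 In ethertype IPv4 (0x0800), length 68: 192.168.7.2.64731 > 192.168.101.1.3389: Flags [S], seq 1151135653, win 64240, length 0
13:37:02.286701 Out ethertype IPv4 (0x0800), length 68: 192.168.7.2.64731 > 192.168.101.1.3389: Flags [S], seq 1151135653, win 64240, length 0
13:37:03.301234 In ethertype IPv4 (0x0800), length 68: 192.168.7.2.64731 > 192.168.101.1.3389: Flags [ S], seq 1151135653, win 64240, length 0
13:37:03.301300 Out ethertype IPv4 (0x0800), length 68: 192.168.7.2.64731 > 192.168.101.1.3389: Flags [S], seq 1151135653, win 64240, length 0
13:37:05.100000 In ethertype IPv4 (0x0800), length 68: 192.168.7.2.64800 > 192.168.101.2.3389: Flags [S], seq 1, win 64240, length 0
13:37:05.100050 Out ethertype IPv4 (0x0800), length 68: 192.168.7.2.64800 > 192.168.101.2.3389: Flags [S], seq 1, win 64240, length 0
13:37:05.100900 In ethertype IPv4 (0x0800), length 68: 192.168.101.2.3389 > 192.168.7.2.64800: Flags [S.], seq 99, ack 2, win 65535, length 0
"""

# Matches the timestamp, the In/Out direction, the 4-tuple and the TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>In|Out) .*?: "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def summarize_flows(capture):
    """Key each connection by (client, cport, server, sport); count SYNs seen
    entering the UTM, SYNs sent out again, and packets coming back from the server."""
    flows = defaultdict(lambda: {"syn_in": 0, "syn_out": 0, "replies": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines such as "listening on any, ..."
        a = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        b = (a[2], a[3], a[0], a[1])   # same connection seen from the server side
        flags = m["flags"].replace(" ", "")  # tolerate "[ S]" as pasted in the thread
        if b in flows:                  # server -> client packet (SYN-ACK, data, RST)
            flows[b]["replies"] += 1
        elif flags == "S":              # bare SYN opens (or retries) a connection
            flows[a]["syn_in" if m["dir"] == "In" else "syn_out"] += 1
    return dict(flows)

def diagnose(capture):
    """Per connection: did the UTM forward the SYN, and did the host ever answer?"""
    verdict = {}
    for key, c in summarize_flows(capture).items():
        if c["syn_out"] == 0:
            verdict[key] = "not forwarded by UTM (check firewall/NAT rules)"
        elif c["replies"] == 0:
            verdict[key] = "forwarded, no reply from host (check host firewall)"
        else:
            verdict[key] = "ok"
    return verdict
```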

  • In reply to Jaydeep:

    Here is part of the output:

    foxior:/home/login # tcpdump -nei any host 192.168.101.1 and host 192.168.7.2 and port 3389
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    13:37:02.286650 In ethertype IPv4 (0x0800), length 68: 192.168.7.2.64731 > 192.168.101.1.3389: Flags [ S], seq 1151135653, win 64240, options [mss 1306,nop,wscale 8,nop,nop,sackOK], length 0

    It looks like it's correctly passed forward.

    The Host PC is also CentOS Linux with KVM as hypervisor for virtualization, but I can use it through RDP also.

    I'll try to force its firewall to let VPN Subnet in.

    Is there an option to fake my VPN IP for this specific host? For example, when I connect with VPN I get IP 192.168.7.2, but when I try to connect to the Host PC it sees my IP as UTM's IP (192.168.6.1 instead of 192.168.7.2).

  • In reply to Piotr Pytynski:

    Yes, it is possible to do that. I was going to suggest that but I thought it would be too soon to suggest. You can actually create a SNAT, with Destination as your Host PC and Source changed to the LAN interface IP, and select RDP as the service.

    Also, please post more lines from TCPDUMP. This one only shows traffic coming into UTM.

  • In reply to Jaydeep:

    I posted only this much because all the lines were the same:

    Here is the output in the same time from Host PC:

    So maybe it gets forwarded correctly but the answer from Host PC is blocked.