This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Routing to internal network doesn't work

Hi,

i set up a PPTP VPN by following this guide: https://community.sophos.com/kb/en-us/116036

The VPN connection works. However, i can't reach the local network, neither via RDP, ping or whatever.

A traceroute from an internal server to the vpn client stops at the gateway. Same happens from the client.

The firewall log shows that the rule is executed (green, when trying from both sites) but it doesn't seem to get through.

I also deactivated the local firewall but the issue is still the same.

Any ideas?

This thread was automatically locked due to age.

Parents

0 BAlfson over 6 years ago

Hi Peter and welcome to the UTM Community!

What insights do you get from doing #1 in Rulz?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Peter Cosworth over 6 years ago in reply to BAlfson

- Firewall log shows it's being forwarded

- Intrusion prevention log doesn't show anything

- Application control is disabled

- Advanced Threat Protection is zero
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to Peter Cosworth

The .43.2 IP is the one assigned by the UTM from "VPN Pool (PPTP)" or ???

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Peter Cosworth over 6 years ago in reply to BAlfson

Yes!
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to Peter Cosworth

Does #3.1 in Rulz help?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Peter Cosworth over 6 years ago in reply to BAlfson

Unfortunately not :(

Devices in the LAN must have the IP of "Internal (Address)" as their default gateway.

--> All devices use the utm as default gateway

Never connect two NICs into the same, physical Ethernet segment unless bridging or creating a LAG.

--> This isn't the case

When adding an interface, don't forget the Masquerading rule for the new network behind the UTM.

--> Done, no effect
Cancel
Vote Up 0 Vote Down

Cancel
0 Peter Cosworth over 6 years ago in reply to BAlfson

Would you be able to check the configuration with me? We could use teamviewer.

Next week would work for me.
Cancel
Vote Up 0 Vote Down

Cancel
0 Peter Cosworth over 6 years ago in reply to BAlfson

I might add that i also can't ping an external host from the network (i.e. google.com) even though this is allowed in the icmp rules :/.
Cancel
Vote Up 0 Vote Down

Cancel
0 Argo over 6 years ago in reply to Peter Cosworth

Have you checked the Firewall Advanced section Connection Tracking helpers? is PPTP ticked?

XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!
Cancel
Vote Up 0 Vote Down

Cancel
0 Argo over 6 years ago in reply to Peter Cosworth

and for one of the application we use internally (very old RDP outbound route) I had to create a DNAT rule.

for traffic From RDP Server

Using Service Microsoft Remote Desktop (RDP)

Going to Ext/Int Interface (IP not network)

Change Destination to Int/Ext Interface (IP not network, again)

took me w while to work this one out with help from Sophos Support (on the phone for over 2 hours - very helpful - can't thank them enough)

Hope this helps Peter

XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Argo over 6 years ago in reply to Peter Cosworth

and for one of the application we use internally (very old RDP outbound route) I had to create a DNAT rule.

for traffic From RDP Server

Using Service Microsoft Remote Desktop (RDP)

Going to Ext/Int Interface (IP not network)

Change Destination to Int/Ext Interface (IP not network, again)

took me w while to work this one out with help from Sophos Support (on the phone for over 2 hours - very helpful - can't thank them enough)

Hope this helps Peter

XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BAlfson over 6 years ago in reply to Argo

I don't understand, Jason - how about pictures? Where's the RDP server? Where are the clients?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel