Routing to internal network doesn't work

Hi,

I set up a PPTP VPN by following this guide: https://community.sophos.com/kb/en-us/116036

The VPN connection works. However, I can't reach the local network, not via RDP, ping, or anything else.

A traceroute from an internal server to the vpn client stops at the gateway. Same happens from the client.

The firewall log shows that the rule is executed (green, when trying from both sides) but it doesn't seem to get through.

I also deactivated the local firewall but the issue is still the same.

Any ideas?

  • Hi Peter and welcome to the UTM Community!

    What insights do you get from doing #1 in Rulz?

    Cheers - Bob

  • In reply to BAlfson:

    - Firewall log shows it's being forwarded

    - Intrusion prevention log doesn't show anything

    - Application control is disabled

    - Advanced Threat Protection is zero

  • In reply to Peter Cosworth:

    The .43.2 IP is the one assigned by the UTM from "VPN Pool (PPTP)" or ???

    Cheers - Bob

  • In reply to Peter Cosworth:

    Does #3.1 in Rulz help?

    Cheers - Bob

  • In reply to BAlfson:

    Unfortunately not :(

    Devices in the LAN must have the IP of "Internal (Address)" as their default gateway.

    --> All devices use the UTM as default gateway

    Never connect two NICs into the same, physical Ethernet segment unless bridging or creating a LAG.

    --> This isn't the case

    When adding an interface, don't forget the Masquerading rule for the new network behind the UTM.

    --> Done, no effect

  • In reply to BAlfson:

    Would you be able to check the configuration with me? We could use TeamViewer.

    Next week would work for me.

  • In reply to BAlfson:

    I might add that I also can't ping an external host from the network (e.g. google.com) even though this is allowed in the ICMP rules :/.

  • In reply to Peter Cosworth:

    Have you checked the Firewall Advanced section Connection Tracking helpers? Is PPTP ticked?

  • In reply to Peter Cosworth:

    And for one of the applications we use internally (very old RDP outbound route) I had to create a DNAT rule.

    for traffic From RDP Server

    Using Service Microsoft Remote Desktop (RDP)

    Going to Ext/Int Interface (IP not network)

    Change Destination to Int/Ext Interface (IP not network, again)

    Took me a while to work this one out with help from Sophos Support (on the phone for over 2 hours - very helpful - can't thank them enough).

    Hope this helps Peter

  • In reply to JasonFell:

    I don't understand, Jason - how about pictures? Where's the RDP server? Where are the clients?

    Cheers - Bob

  • In reply to JasonFell:

    Yes, it's ticked.

  • In reply to Peter Cosworth:

    I would bet it's a routing issue. 192.168.43.0/24 is not the default for the PPTP Pool on UTM, so I take it you have changed it to accommodate some existing LAN. I would start by looking at where the reply from your server to the packet coming from 192.168.43.2 is going. You might find out it's not going back to the UTM at all.

    Regards,

    Giovani

  • In reply to giomoda:

    I also tried different networks and used the default for L2TP. Nothing works.

    Anyone able to help me?

  • In reply to Peter Cosworth:

    Hi Peter.

    You should try a tcpdump on the internal interface while testing the communication and see if packets are getting through and back. This kind of issue normally lies in the fact that the destination server does not know how to reply to the packets it receives.

    Regards,

    Giovani
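Added example, not part of the thread: a small Python script that reads the ICMP lines of a tcpdump capture taken on the UTM's internal interface (for instance `tcpdump -ni eth1 icmp`, interface name assumed) and reports echo requests that never got a reply on that interface, which is the one-way pattern Giovani describes. The capture text, addresses and ICMP ids below are constructed for the example.

```python
import re

# Constructed sample of tcpdump ICMP output on the UTM's internal interface
# while a PPTP client (192.168.43.2) pings two LAN hosts. Addresses,
# timestamps and ids are made up for this example.
SAMPLE_CAPTURE = """\
10:15:01.100000 IP 192.168.43.2 > 192.168.1.10: ICMP echo request, id 4711, seq 1, length 64
10:15:01.100400 IP 192.168.1.10 > 192.168.43.2: ICMP echo reply, id 4711, seq 1, length 64
10:15:02.100000 IP 192.168.43.2 > 192.168.1.20: ICMP echo request, id 4711, seq 1, length 64
10:15:03.100000 IP 192.168.43.2 > 192.168.1.20: ICMP echo request, id 4711, seq 2, length 64
"""

# Matches the ICMP echo part of a tcpdump line; non-ICMP lines are skipped.
ICMP_LINE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_echo(lines):
    """Yield (kind, src, dst, id, seq) for every ICMP echo line."""
    for line in lines:
        m = ICMP_LINE.search(line)
        if m:
            yield m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])


def unanswered_requests(capture_text):
    """Echo requests whose reply never crossed this interface.

    A reply is matched by swapping src/dst and comparing id and seq, the same
    way ping pairs them. Unanswered requests on the UTM's internal interface
    mean the LAN host dropped the packet or routed its reply somewhere else.
    """
    requests, replies = {}, set()
    for kind, src, dst, icmp_id, seq in parse_icmp_echo(capture_text.splitlines()):
        if kind == "request":
            requests[(src, dst, icmp_id, seq)] = True
        else:
            replies.add((dst, src, icmp_id, seq))  # reversed to match the request
    return [key for key in requests if key not in replies]


def silent_hosts(capture_text):
    """LAN hosts that received echo requests but answered none of them."""
    targets, answered = set(), set()
    for kind, src, dst, _, _ in parse_icmp_echo(capture_text.splitlines()):
        (targets if kind == "request" else answered).add(dst if kind == "request" else src)
    return sorted(targets - answered)


if __name__ == "__main__":
    for src, dst, icmp_id, seq in unanswered_requests(SAMPLE_CAPTURE):
        print(f"no reply seen on this interface: {src} -> {dst} id={icmp_id} seq={seq}")
    print("hosts that never replied:", silent_hosts(SAMPLE_CAPTURE))
```

A host that shows up as silent while its own ping to the UTM works is the case Giovani means: the replies exist but leave via a different gateway, so check that host's routing table next.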