
UTM: Invalid packets when routing back into LAN via static routes

Hello,

I have a UTM (utm), two hosts (host1 and vpngw) on the LAN behind eth0 of utm and a third host (host2) at another location and connecting to utm via internet uplink on eth1.

Now I want to connect host2 using OpenVPN with tun and routing to my LAN and have some issues with "invalid packets" logged on the utm. I have tried the following:

Port 1194 is forwarded from utm to vpngw:1194 using DNAT. That way host2 can connect to vpngw and gets the IP address 10.217.0.2, vpngw having 10.217.0.1. It also gets a route pushed: 192.168.0.0/24 via 10.217.0.1

vpngw has the IP address 192.168.0.75 on the LAN behind utm, host1 has 192.168.0.109. Both have 192.168.0.254 as default gateway, which is the LAN IP address of utm. On the UTM I also added a static route (gateway route) for network 10.127.0.0/16 via vpngw.

So, after host2 can join the VPN, gets the route for the LAN pushed, and the UTM knows the route back into the VPN, I would expect the communication to work without masquerading. However, a ping from host2 to host1 is seen in the tcpdump on vpngw and host1; the reply is only seen on host1 and does not reach vpngw. So no reply gets to host2. Instead, the Live Log on the UTM lists Invalid packets from 192.168.0.109 to 10.127.0.2.

When I add a route on host1 to directly send the replies to vpngw (a la 10.127.0.0/16 via 192.168.0.75), the replies reach vpngw and host2 and the communication works flawlessly. So the reason for my issue must be found on utm.

Is it because packets would be routed back via the same interface they were received? If so, is there a way to solve this on the UTM? I would rather not configure the additional route on every host in my LAN. So I hope that someone can come up with another solution.
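The following is an added example, not part of the original post and not code from Sophos or the UTM. It is a small Python model of stateful connection tracking on a firewall with the four nodes and addresses named above (the VPN side uses 10.127.0.0/16, the range given for the static route and the log line; the routing tables and the ICMP identifier are constructed for the simulation). It shows the symptom described: the echo request goes host2 -> vpngw -> host1 without ever crossing utm, so when host1 sends the reply to its default gateway, utm has no state for that flow and classifies the reply as INVALID; with the per-host route on host1, the reply goes straight to vpngw and utm never sees it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Addresses as stated in the post; the topology is reconstructed here, not read from a UTM.
ADDR = {"host1": "192.168.0.109", "vpngw": "192.168.0.75",
        "utm": "192.168.0.254", "host2": "10.127.0.2"}
VPNGW_TUN = "10.127.0.1"                       # vpngw's tunnel-side address
OWNER = {ip: name for name, ip in ADDR.items()}
OWNER[VPNGW_TUN] = "vpngw"

Route = Tuple[str, Optional[str]]              # (prefix, next_hop); None = on-link


def routing_tables(host1_vpn_route: bool) -> Dict[str, List[Route]]:
    """Constructed routing tables of the four nodes; the flag adds the per-host
    workaround route described in the post (10.127.0.0/16 via vpngw on host1)."""
    t = {
        "host1": [("192.168.0.0/24", None), ("0.0.0.0/0", ADDR["utm"])],
        "vpngw": [("192.168.0.0/24", None), ("10.127.0.0/16", None),
                  ("0.0.0.0/0", ADDR["utm"])],
        "utm":   [("192.168.0.0/24", None), ("10.127.0.0/16", ADDR["vpngw"])],
        "host2": [("10.127.0.0/16", None), ("192.168.0.0/24", VPNGW_TUN)],
    }
    if host1_vpn_route:
        t["host1"].insert(0, ("10.127.0.0/16", ADDR["vpngw"]))
    return t


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match; returns the gateway, or None for on-link delivery."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p).prefixlen, nh) for p, nh in table
               if ip in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0])[1]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str      # "echo-request" or "echo-reply"
    ident: int     # ICMP identifier; with the addresses it keys the flow


class ConnTracker:
    """Minimal stateful tracker: a reply is ESTABLISHED only when the original
    direction was seen by this node; a reply with no matching entry is INVALID."""
    def __init__(self) -> None:
        self.flows = set()

    def classify(self, pkt: Packet) -> str:
        forward_key = (pkt.src, pkt.dst, pkt.ident)
        reverse_key = (pkt.dst, pkt.src, pkt.ident)
        if pkt.kind == "echo-request":
            if forward_key in self.flows:
                return "ESTABLISHED"
            self.flows.add(forward_key)
            return "NEW"
        if pkt.kind == "echo-reply" and reverse_key in self.flows:
            return "ESTABLISHED"
        return "INVALID"


def forward(pkt: Packet, origin: str, tables: Dict[str, List[Route]],
            tracker: ConnTracker, firewall: str = "utm", max_hops: int = 8):
    """Walk the packet hop by hop. The firewall node consults the tracker for every
    packet it forwards and drops INVALID ones. Returns ([(node, verdict)], delivered)."""
    path, node = [], origin
    for _ in range(max_hops):
        if node == OWNER.get(pkt.dst):
            path.append((node, "delivered"))
            return path, True
        verdict = tracker.classify(pkt) if node == firewall else "-"
        path.append((node, verdict))
        if verdict == "INVALID":
            return path, False
        gw = next_hop(tables[node], pkt.dst)
        node = OWNER[gw if gw else pkt.dst]
    return path, False


def ping_exchange(host1_vpn_route: bool):
    """host2 pings host1; returns both hop lists and whether the reply arrived."""
    tracker, tables = ConnTracker(), routing_tables(host1_vpn_route)
    req = Packet(ADDR["host2"], ADDR["host1"], "echo-request", 0x2A)
    rep = Packet(ADDR["host1"], ADDR["host2"], "echo-reply", 0x2A)
    req_path, _ = forward(req, "host2", tables, tracker)
    rep_path, ok = forward(rep, "host1", tables, tracker)
    return req_path, rep_path, ok


if __name__ == "__main__":
    for flag in (False, True):
        req_path, rep_path, ok = ping_exchange(flag)
        print(f"host1 has 10.127.0.0/16 route: {flag}")
        print("  request:", " -> ".join(f"{n}[{v}]" for n, v in req_path))
        print("  reply:  ", " -> ".join(f"{n}[{v}]" for n, v in rep_path),
              "| delivered:", ok)
```

Run it as a script to see both scenarios side by side. The tracker only keeps state for flows it has actually forwarded, which is the point: a stateful firewall that sees one direction of a flow but not the other logs the unseen direction as invalid, and the log line "from 192.168.0.109 to 10.127.0.2" is exactly the reply direction in this model.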

  • Hallo Tobias and welcome to the UTM Community!

    I'm a visual-tactile learner, so I can't "see" your situation.  How about a diagram with IPs and subnets?   Also, pictures of the Edits of the relevant objects in WebAdmin?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA