
UTM 9.707-5 - not passing SSL VPN Port

Setting up SSL VPN.  

Getting the default drop on the SSL VPN port, but a profile is turned on.

2021:10:04-14:23:35 pdx ulogd[5227]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth4" srcmac="00:cc:fc:60:c4:22" dstmac="b8:cb:29:b8:28:99" srcip="208.79.209.138" dstip="xxx.xxx.xxx.xxx" proto="6" length="64" tos="0x00" prec="0x20" ttl="45" srcport="58673" dstport="8443" tcpflags="SYN" 

It's like the automatic firewall rule is not kicked in; however, WAF opens a port as expected.

What am I missing?

-edit:

Thinking it "might" be my ISP, I moved WAF to 8443 and the port is open to the outside world.

But regardless of the port (443, 8443) SSL-VPN is not opening a port to the outside like it should.

Is there some other setting I've forgotten about to enable SSL-VPN?

  • I wouldn't use 8443, and would stick with 443 until you can verify your ISP would be blocking it (which I would see no reasons they would, unlike port 25).

    8443 is slotted for other protocol uses/programs.

    This might be a silly question - you added the users who can use VPN, and the network?  (Edit button there in your VPN setup).

    How are you testing the VPN connection?  Are you remote, or trying to do this from behind the UTM?  Can you clarify what you are talking about when you say: 

    But regardless of the port (443, 8443) SSL-VPN is not opening a port to the outside like it should

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • I wouldn't use 8443, and would stick with 443 until you can verify your ISP would be blocking it (which I would see no reasons they would, unlike port 25).

    My edit notes and your reply must have passed in the night ;)  My testing method eliminated the ISP.

    Guess I could have been more clear.  I'm just looking for the open port from https://www.whatsmyip.org/port-scanner/ 

    I'm not even to the point of logging in.  If the port isn't open, login is pointless.  And again, WAF port(s) get opened when I turn them on.  It's like the SSL-VPN is not setting up the internal FW rule to allow whatever port you configure to accept traffic.

    This might be a silly question - you added the users who can use VPN, and the network?  (Edit button there in your VPN setup).

    Yes, users are added.

  • Change your Local Networks to 'Internal (Network)' and in the previous screen, change from UDP to TCP under the 'Server Settings' (if you didn't when/if you changed it back).  It should be TCP protocol.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • change from UDP to TCP

    That was the ticket... But when did UDP stop working? (It's sooo much faster)

  • Hah it's been TCP as long as I can remember... Glad it's working for you though!

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • As it turns out, my test was faulty.  The whatsmyip.org port scanner only tests TCP connections.  If it's UDP, the test times out as if the port were closed :/ (my bad)

    That said, the UTM at my house is set up with UDP and works great.  This one I'm working on now has some other issue I'll keep digging into.

    So try UDP, you'll get a nice little bump in speed because only the encapsulated TCP requests retries, not both inside and outside (as it were).  You'll of course need to change your client config accordingly. 
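    The realization above (a TCP-only port scanner cannot tell a closed port from a UDP listener) is easy to check against the UTM's own packetfilter log. The following script is an added example, not code from the thread or from Sophos: it parses ulogd "Packet dropped" lines into their key="value" fields and relates each drop to the configured SSL VPN port and protocol (proto 6 = TCP, 17 = UDP). The first sample line is the one quoted in the original post; the second UDP line and the function names are constructed for this example.

```python
import re

# IP protocol numbers as they appear in the proto="..." field of the UTM log.
PROTO_NAMES = {"6": "tcp", "17": "udp"}

# Matches the key="value" pairs that make up the body of a ulogd line.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log. Line 1 is the TCP SYN drop quoted in the thread
# (dstip redacted there); line 2 is a constructed UDP drop (TEST-NET source
# address) added here to illustrate proto 17. It is not from the original post.
SAMPLE_LOG = """\
2021:10:04-14:23:35 pdx ulogd[5227]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth4" srcmac="00:cc:fc:60:c4:22" dstmac="b8:cb:29:b8:28:99" srcip="208.79.209.138" dstip="xxx.xxx.xxx.xxx" proto="6" length="64" tos="0x00" prec="0x20" ttl="45" srcport="58673" dstport="8443" tcpflags="SYN"
2021:10:04-14:25:01 pdx ulogd[5227]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth4" srcmac="00:cc:fc:60:c4:22" dstmac="b8:cb:29:b8:28:99" srcip="203.0.113.7" dstip="xxx.xxx.xxx.xxx" proto="17" length="96" tos="0x00" prec="0x00" ttl="52" srcport="41000" dstport="443"
"""


def parse_ulogd_line(line):
    """Parse one UTM packetfilter line into a dict of its key="value" fields.
    The leading timestamp/host/process prefix is kept under 'prefix'."""
    fields = dict(KV_RE.findall(line))
    fields["prefix"] = line.split(" id=", 1)[0]
    return fields


def classify_drop(rec, vpn_port, vpn_proto):
    """Relate one dropped packet to the configured SSL VPN listener.

    vpn_proto is 'tcp' or 'udp', i.e. the protocol chosen under Server Settings.
    Returns a short tag a defender can act on.
    """
    if rec.get("sub") != "packetfilter" or rec.get("action") != "drop":
        return "not-a-drop"
    if rec.get("dstport") != str(vpn_port):
        return "other-port"
    pkt_proto = PROTO_NAMES.get(rec.get("proto"), "other")
    if pkt_proto == vpn_proto:
        # Same port and same protocol as the listener, yet dropped: the
        # automatic rule for the service is not matching. Check the VPN config.
        return "vpn-port-dropped"
    if pkt_proto == "tcp" and vpn_proto == "udp":
        # A TCP probe (e.g. a TCP-only web port scanner) against a UDP
        # listener is expected to be dropped; the scanner cannot confirm UDP.
        return "tcp-probe-to-udp-listener"
    return "protocol-mismatch"


def classify_log(text, vpn_port, vpn_proto):
    """Classify every non-empty line of a log excerpt."""
    return [
        classify_drop(parse_ulogd_line(line), vpn_port, vpn_proto)
        for line in text.splitlines()
        if line.strip()
    ]


if __name__ == "__main__":
    # VPN configured for TCP/8443: the quoted drop is a real problem.
    print(classify_log(SAMPLE_LOG, 8443, "tcp"))
    # VPN configured for UDP/8443: the same TCP SYN drop is expected.
    print(classify_log(SAMPLE_LOG, 8443, "udp"))
```

    Run against a real `/var/log/packetfilter.log` excerpt, the tags separate "the scanner I used cannot see UDP" from "the listener's rule is genuinely not matching", which is the distinction this thread turned on.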

  • I have always used the Shields Up! site; he has been in the security scene a long, long time and I love using the tools he has there.  Another resource to try as well.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

