
Localhost unable to browse remote VPN client

Hello,

I'm a relative newbie with regards to VPN/Sophos UTM configuration so everyone's help would be appreciated.

I have a remote NAS configured to connect via PPTP to our Sophos UTM device. It is successfully connected, and is assigned an IP address from the VPN pool.

I am able to ping the assigned IP address from a workstation within the local network. 

However, when I attempt to open the web management interface of the device, or browse to the share, I am unable to do so, and I see the following entry in the firewall log:

2017:09:26-11:04:26 boraamfw1 ulogd[4633]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:25:b3:27:84:50" dstmac="00:1a:8c:46:56:40" srcip="192.168.1.128" dstip="10.242.1.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="54888" dstport="80" tcpflags="SYN"

I have attempted to temporarily allow all traffic through the firewall by creating an "Any-Any-Any" rule, however this does not appear to affect the situation, as the packets are still shown as being dropped in the log.

PPTP connection tracking helper is enabled on the UTM.

Any assistance in troubleshooting this problem would be appreciated.


Thank you!
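The log line quoted above is a Sophos UTM packetfilter entry from ulogd: a syslog-style header followed by key="value" fields. The following parser is an added example, not code from the thread or from Sophos; it splits such lines into fields, flags packets dropped by the implicit default-drop rule (UTM logs that as fwrule 60001), and counts drops per flow so that a repeated source/destination/port combination stands out. The second and third sample lines are constructed here to exercise the parser and are not from the original post.

```python
import re
from collections import Counter

# Constructed sample. The first line is the entry quoted in the post above; the second
# (an accepted ICMP echo) and third (a dropped SYN to port 445) are made up here to
# exercise the parser and do not come from the original thread.
SAMPLE_LOG = """\
2017:09:26-11:04:26 boraamfw1 ulogd[4633]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:25:b3:27:84:50" dstmac="00:1a:8c:46:56:40" srcip="192.168.1.128" dstip="10.242.1.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="54888" dstport="80" tcpflags="SYN"
2017:09:26-11:04:27 boraamfw1 ulogd[4633]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth0" srcip="192.168.1.128" dstip="10.242.1.1" proto="1" length="84" tos="0x00" prec="0x00" ttl="128" type="8" code="0"
2017:09:26-11:04:30 boraamfw1 ulogd[4633]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.168.1.128" dstip="10.242.1.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="54890" dstport="445" tcpflags="SYN"
"""

# Header shape: "<timestamp> <host> <prog>[<pid>]: key="value" key="value" ..."
HEADER_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]:\s*(?P<body>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# IANA protocol numbers for the values that appear in the sample.
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

# Rule id UTM reports when a packet matched no explicit rule (the implicit default drop).
DEFAULT_DROP_RULE = "60001"


def parse_line(line: str) -> dict:
    """Parse one ulogd packetfilter line into a flat dict; raise ValueError on other input."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ulogd packetfilter line: {line!r}")
    entry = {"ts": m.group("ts"), "host": m.group("host"),
             "prog": m.group("prog"), "pid": m.group("pid")}
    entry.update(KV_RE.findall(m.group("body")))
    return entry


def is_default_drop(entry: dict) -> bool:
    """True when the packet was dropped by the implicit default rule, not an explicit one."""
    return entry.get("action") == "drop" and entry.get("fwrule") == DEFAULT_DROP_RULE


def describe(entry: dict) -> str:
    """One-line summary: action, protocol, src -> dst (with ports when present), rule id."""
    proto = PROTO_NAMES.get(entry.get("proto", ""), entry.get("proto", "?"))
    src = entry.get("srcip", "?")
    dst = entry.get("dstip", "?")
    if "srcport" in entry:
        src += ":" + entry["srcport"]
    if "dstport" in entry:
        dst += ":" + entry["dstport"]
    note = " (implicit default drop)" if is_default_drop(entry) else ""
    return f"{entry.get('action', '?')} {proto} {src} -> {dst} by rule {entry.get('fwrule', '?')}{note}"


def summarize_drops(lines) -> Counter:
    """Count dropped packets per (srcip, dstip, protocol, dstport) so repeated flows stand out."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e.get("action") != "drop":
            continue
        proto = PROTO_NAMES.get(e.get("proto", ""), e.get("proto", "?"))
        counts[(e.get("srcip"), e.get("dstip"), proto, e.get("dstport", "-"))] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(describe(parse_line(line)))
    for flow, n in summarize_drops(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:>3}  {flow}")
```

Run against a real packetfilter log, the drop summary shows at a glance whether every failing flow from the LAN to the VPN pool address is hitting rule 60001 (no explicit rule matched at all) or a specific rule, which is the first thing to establish before changing NAT or masquerading.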



  • Hi, Kang Soh, and welcome to the UTM Community!

     I haven't tried the following, but I think it might work.  Assuming the Remote device is signed into PPTP as "NAS,"

    1. On the Internal Interface, define an Additional Address "NAS Device" as a /32 
    2. Create a NAT rule with automatic firewall rules:
      • DNAT : Any -> Any -> Internal [NAS Device] (Address) : to NAS (User Network)

    Now, when the NAS device is connected to PPTP Remote Access, you should be able to connect via the Additional Address.

    Did that work?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,


    Thanks for the help. I did try as you suggested, but unfortunately I'm still running into the same error/issue.


    The log file still shows the same error when I try to do anything other than ping the host. I don't know why ICMP packets get routed through, but others don't.


    Any other ideas would be appreciated.


    Thank you

  • Probably some kind of masquerading rule is missing. Are you masquerading pptp to your internal network?

    Sorry, seems trivial, but you are in good hands with Bob.

  • Might be worth trying; however, I did not set it up, as I thought that IP masquerading was only required if I wanted the VPN client to be able to use the LAN's gateway for internet traffic.

    I can give it a shot, however...

    Thanks!
