USG 200
Anon
2013-Jun-20 11:52 am
USG 200 No Internet over L2TP VPN
Hi
We have set up our USG 200 L2TP VPN; however, users can only access things internally.
We are just using the Default_L2TP_VPN_Connection with Active Directory authentication.
What firewall/route settings do we need to add so that the Internet is available?
Thanks
Brano
MVM
2013-Jun-20 7:25 pm
See this example for required policy routes and firewall settings: » L2TP VPN on USG - quick how-to
USG 200
Anon
2013-Jun-21 7:30 am
to USG 200
Hi
I have looked at that example; however, I don't understand it, as there is mention of TUNNEL etc. and I do not see where this fits into our setup.
We are using the Default_L2TP_VPN_Connection, which doesn't seem to use TUNNEL but uses IPsec_VPN.
Can someone give some advice on getting the Default_L2TP_VPN_Connection able to access the Internet?
Thanks
USG 200
Anon
2013-Jun-21 7:40 am
to USG 200
Hi
Followed that example but still can't access the Internet.
How hard can it be!
Thanks
USG 200
Anon
2013-Jun-21 7:42 am
to USG 200
Hi, I've done screenshots of the pages showing the setup. I'm confused, as the firewall shows that the traffic is being accepted, so I guess it must be something to do with the routes? Or could it be the DNS server/gateway? Where are these set, and what should they be set to?
Anav
Premium Member
to USG 200
I used the tunnel setup at home here and it worked. I have since reset my router and no longer have the setup, so I should redo it and post observations, which may or may not help. It's not fun, but it's not too difficult.
USG 200
Anon
2013-Jun-21 8:55 am
to USG 200
Hi
Can someone see something wrong with the above?
There appear to be no firewall issues from the log, so it must be something else.
Thanks
Anav
Premium Member
2013-Jun-21 11:00 pm
Okay, the only thing seemingly out of whack is the two policy route rules; I only have your rule 2. (Why is rule 1 there??)
Anav
to USG 200
Hey Brano, some questions regarding the following instructions in your link: "6) Create required firewall rules To access your LAN
(If you want to allow your L2TP to access LAN and internet change LAN1 in below to ANY)"
This is not possible. There is no way to create a FW rule that is from Tunnel to Any. I tried and got CLI errors and buggered up the router (I cannot access FW rules anymore, but luckily the router is not frozen; I will have to go back to a clean install point).
Glad to hear that, Anav. I've never succeeded in having Internet access over L2TP VPN.
Brano
MVM
2013-Jun-23 9:52 pm
Gents, I'm using L2TP VPN from my Android phone to browse the Internet on a daily basis and it works. Here are all my firewall rules for your inspiration. L2TP_VPN is what TUNNEL used to be in my How-To (I've just created a custom zone with a more descriptive name). Rule #11 is the key.
Also make sure you have a policy route to route L2TP to the Internet. In my case it's policy #9.
...hope this helps
I don't understand your policy #9; do you want all your traffic to go out?
Anav
Premium Member
2013-Jun-24 8:59 am
said by asgatlat: "I don't understand your policy #9; do you want all your traffic to go out?" My question is how that is different from policy rule 1. Thanks for the jpegs!
Brano
MVM
2013-Jun-24 7:04 pm
I've re-uploaded my policy routing screenshot showing the descriptions. Rule #1 is to access my VDSL modem for management purposes, sitting on the wan1 side (my Internet connection is PPPoE through wan1_ppp). Rules #2 to #7 are for my various site-to-site IPSec tunnels. Rule #8 is my dynamic IPSec for L2TP. Rule #9 is the default catch-all Internet access.
Sorry for my low skills; here are my firewall and policy screenshots. For the firewall I've tested activating #3, but the Internet does not work. I also tried activating route policy #2, but again no Internet connection.
Brano
MVM
2013-Jun-25 8:59 pm
You have to remember that firewall and policy rules are evaluated from number 1 to the last number (it doesn't matter how the rules are sorted on the screen), and when a match is found the rule is applied and no further rule evaluation is done. So the order and numbering matter! ...with that in mind, re-think your rules.
Brano
MVM
2013-Jun-26 10:09 pm
You also need to fix your rules. You seem to have some duplicate and overlapping rules. Also start with the wide-open rules: any, any, any. If things start working, then lock the rules down to specific sources and destinations. This applies to both firewall and routing.
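Brano's point about first-match evaluation, as an added illustration (not code from the thread, from ZyXEL or from any poster): a small Python model of USG-style policy routes that tries rules by number, stops at the first hit, and flags a later rule that an earlier, broader rule shadows. The L2TP pool, LAN range, zone names and packet are constructed sample values.

```python
import ipaddress
ANY = "any"
FIELDS = ("incoming", "src", "dst", "service")
# Constructed sample ranges; the real L2TP pool and LAN differ per site.
L2TP_POOL = "192.168.100.0/24"
LAN1 = "192.168.1.0/24"
def rule(num, incoming, src, dst, service, next_hop, snat):
    return dict(num=num, incoming=incoming, src=src, dst=dst,
                service=service, next_hop=next_hop, snat=snat)

def _ok(want, got):
    """'any' matches all; a network matches addresses in it; names match exactly."""
    if want == ANY:
        return True
    try:
        return ipaddress.ip_address(got) in ipaddress.ip_network(want)
    except ValueError:  # zone or service name rather than an address
        return want == got

def first_match(rules, pkt):
    """USG semantics: try rules by number, first hit wins, no further evaluation."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if all(_ok(r[f], pkt[f]) for f in FIELDS):
            return r
    return None

def _covers(a, b):
    """True when field value a matches everything field value b matches."""
    if ANY in (a, b):
        return a == ANY
    try:
        return ipaddress.ip_network(b).subnet_of(ipaddress.ip_network(a))
    except ValueError:  # zone or service names: plain string compare
        return a == b

def shadowed(rules):
    """(later, earlier) pairs where an earlier rule makes a later one unreachable."""
    ordered = sorted(rules, key=lambda r: r["num"])
    return [(later["num"], earlier["num"])
            for i, later in enumerate(ordered) for earlier in ordered[:i]
            if all(_covers(earlier[f], later[f]) for f in FIELDS)]

# Working order: the L2TP pool route is reachable and SNATs to the WAN interface.
GOOD = [rule(1, ANY, LAN1, ANY, ANY, "wan1_ppp", "outgoing-interface"),
        rule(2, ANY, L2TP_POOL, ANY, ANY, "auto", "outgoing-interface")]
# Broken order: an any/any catch-all numbered first swallows the L2TP traffic.
BAD = [rule(1, ANY, ANY, ANY, ANY, "wan1_ppp", "none"),
       rule(2, ANY, L2TP_POOL, ANY, ANY, "auto", "outgoing-interface")]
# Constructed packet: an L2TP client browsing an Internet host.
PKT = dict(incoming="L2TP_VPN", src="192.168.100.10", dst="203.0.113.5", service="HTTP")
```

Running `shadowed()` over a rule set before the screen-sorted view misleads you is a quick way to spot the duplicate and overlapping rules Brano describes.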
OK, thanks for your advice! I'm not at work this week; I will try it next week.
TurboRabbit
Anon
2013-Jun-29 7:28 pm
to USG 200
I'm not sure if this will help anyone but... I deleted the route entry and added it back. Once I did that, I can now surf the Internet over my VPN connection. Settings for the route are as follows:
* Configuration: enabled (checked), desc (any)
* Criteria: User (any), Incoming (any - Excl Zywall), source address (L2tp_pool), dest address (any), dscp (any), schedule (none), service (any)
* Next-hop: type (auto)
* dscp marking: dscp marking (preserve)
* address translation: Source network address translation (outgoing-interface)