Welcome Guest, Not a member yet? Create Account  




Question L2TP - cannot reach internal subnet

#1

I'm at a loss trying to work out this problem.  I'm probably missing something very simple but can't work out what it is.

I've configured a l2tp/ipsec configuration so that I can get a client connection from a native Windows 10 client as per the many guides I've seen.  The client can connect and I see the active connection on the router.  I am able to ping 10.255.255.0, but I'm unable to get to anything behind the router.  If I run a 'monitor interfaces' on the router and send large ping packets to 10.255.255.0, I can see the traffic coming in the l2tp0 interface and the reply traffic for the ICMP reply:


Code:
  #   Interface                RX Rate         RX #     TX Rate         TX #
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
dehettfw01 (source: local)
  0   eth0                       0.00B            0       0.00B            0
  1   eth1                      26.00B            0       0.00B            0
  2   eth2                      67.96KiB         49      67.29KiB         47
  3   l2tp0                     63.47KiB         48      63.43KiB         47
  4   lo                         0.00B            0       0.00B            0


However, if I try to ping something behind the router, I see the traffic coming in the l2tp0 interface but nothing gets sent back. 


Code:
 #   Interface                RX Rate         RX #     TX Rate         TX #
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
dehettfw01 (source: local)
 0   eth0                      21.00B            0      21.00B            0
 1   eth1                      26.00B            0       0.00B            0
 2   eth2                      36.15KiB         29     194.00B            1
 3   l2tp0                     31.77KiB         24       0.00B            0
 4   lo                         0.00B            0       0.00B            0


Running a tcpdump on the server I'm trying to reach shows nothing hitting the server so it seems like the traffic is being blocked and I need a firewall rule to allow the traffic, however I don't know where.  I'm using zone policies and I don't have any policies defined for the local device - the way I read it is that should be allowing everything to/from local, and if it were the opposite then I wouldn't be able to establish the l2tp connection in the first place.  I'm unable to run a monitor on the l2tp0 interface by itself as the option just doesn't show in the command, but I can run a tcpdump on the l2tp0 interface on the router, and I see my ICMP packet come in from 192.168.255.1 to the destination behind the router, along with all the other traffic my desktop is trying to send, but nothing seems to leave any other interface of the router.

All of this seems to point to me needing to define XXX->LOCAL and LOCAL->XXX zone policies, but none of the documentation shows this as a requirement to get traffic allowed from an already established l2tp tunnel.  I'm hesitant to go experimenting without knowing the answer for sure given this is a live firewall on the other side of the world and I don't want to lose connectivity to it.

What I don't really understand is the correlation between the assigned l2tp pool (192.168.255.1-192.168.255.255), the 10.255.255.0 address, and the subnet I'm trying to get to (which is completely different to both of these).

Anyway, here's a cut down and sanitized version of my config.


Code:
set firewall group network-group Bad_IPs description 'Naughty IP Ranges'
set firewall group network-group Bad_IPs network '<bad_subnets>'
set firewall group network-group Our_Subnets description 'Our Subnets'
set firewall group network-group Our_Subnets network '<Our_Public_Subnets>'
set firewall group network-group MysqlServers description 'Test MySQL Servers'
set firewall group network-group MysqlServers network '<MySQL_Server>'
set firewall group network-group Remote_Admins network '<Remote_Admin_Host>'
set firewall group network-group DMZ_LAN description 'Hetzner DMZ subnet'
set firewall group network-group DMZ_LAN network '<DMZ_Subnet>'
set firewall group port-group LDAP port 'ldap'
set firewall group port-group LDAP port 'ldaps'
set firewall group port-group MySQL port '3306'
set firewall name dmz2trust default-action 'drop'
set firewall name dmz2trust rule 10 action 'accept'
set firewall name dmz2trust rule 10 log 'disable'
set firewall name dmz2trust rule 10 state established 'enable'
set firewall name dmz2trust rule 10 state related 'enable'
set firewall name dmz2trust rule 20 action 'accept'
set firewall name dmz2trust rule 20 description 'Mysql access to MysqlServers from DMZ'
set firewall name dmz2trust rule 20 destination group network-group 'MysqlServers'
set firewall name dmz2trust rule 20 destination port '3306'
set firewall name dmz2trust rule 20 log 'disable'
set firewall name dmz2trust rule 20 protocol 'tcp'
set firewall name dmz2trust rule 20 source group network-group 'DMZ_LAN'
set firewall name dmz2trust rule 21 action 'accept'
set firewall name dmz2trust rule 21 description 'ICMP access to MysqlServers from DMZ'
set firewall name dmz2trust rule 21 destination group network-group 'MysqlServers'
set firewall name dmz2trust rule 21 log 'disable'
set firewall name dmz2trust rule 21 protocol 'icmp'
set firewall name dmz2trust rule 21 source group network-group 'DMZ_LAN'
set firewall name dmz2trust rule 22 action 'accept'
set firewall name dmz2trust rule 22 description 'Elasticsearch access to MysqlServers from DMZ'
set firewall name dmz2trust rule 22 destination group network-group 'MysqlServers'
set firewall name dmz2trust rule 22 destination port '9200'
set firewall name dmz2trust rule 22 log 'disable'
set firewall name dmz2trust rule 22 protocol 'tcp'
set firewall name dmz2trust rule 22 source group network-group 'DMZ_LAN'
set firewall name dmz2trust rule 23 action 'accept'
set firewall name dmz2trust rule 23 description 'DataService Connection from DMZ'
set firewall name dmz2trust rule 23 destination address '192.168.127.15/32'
set firewall name dmz2trust rule 23 destination port '8090'
set firewall name dmz2trust rule 23 log 'disable'
set firewall name dmz2trust rule 23 protocol 'tcp'
set firewall name dmz2trust rule 23 source group network-group 'DMZ_LAN'
set firewall name dmz2trust rule 30 action 'accept'
set firewall name dmz2trust rule 30 description 'ICMP access to email router from DMZ'
set firewall name dmz2trust rule 30 destination address '192.168.127.50/32'
set firewall name dmz2trust rule 30 log 'disable'
set firewall name dmz2trust rule 30 protocol 'icmp'
set firewall name dmz2trust rule 30 source address '<DMZ_Subnet>'
set firewall name dmz2trust rule 31 action 'accept'
set firewall name dmz2trust rule 31 description 'Port 8080 to email router from DMZ'
set firewall name dmz2trust rule 31 destination address '192.168.127.50/32'
set firewall name dmz2trust rule 31 destination port '8080'
set firewall name dmz2trust rule 31 log 'disable'
set firewall name dmz2trust rule 31 protocol 'tcp'
set firewall name dmz2trust rule 31 source address '<DMZ_Subnet>'
set firewall name dmz2untrust default-action 'drop'
set firewall name dmz2untrust rule 10 action 'accept'
set firewall name dmz2untrust rule 10 log 'disable'
set firewall name dmz2untrust rule 10 state established 'enable'
set firewall name dmz2untrust rule 10 state related 'enable'
set firewall name dmz2untrust rule 1000 action 'accept'
set firewall name dmz2untrust rule 1000 description 'Allow all out'
set firewall name dmz2untrust rule 1000 log 'disable'
set firewall name trust2dmz default-action 'drop'
set firewall name trust2dmz rule 10 action 'accept'
set firewall name trust2dmz rule 10 log 'disable'
set firewall name trust2dmz rule 10 state established 'enable'
set firewall name trust2dmz rule 10 state related 'enable'
set firewall name trust2dmz rule 1000 action 'accept'
set firewall name trust2untrust default-action 'drop'
set firewall name trust2untrust rule 10 action 'accept'
set firewall name trust2untrust rule 10 log 'disable'
set firewall name trust2untrust rule 10 state established 'enable'
set firewall name trust2untrust rule 10 state related 'enable'
set firewall name trust2untrust rule 1000 action 'accept'
set firewall name untrust2dmz default-action 'drop'
set firewall name untrust2dmz 'enable-default-log'
set firewall name untrust2dmz rule 10 action 'accept'
set firewall name untrust2dmz rule 10 log 'disable'
set firewall name untrust2dmz rule 10 state established 'enable'
set firewall name untrust2dmz rule 10 state related 'enable'
set firewall name untrust2dmz rule 20 action 'drop'
set firewall name untrust2dmz rule 20 description 'Drop Traffic From Bad Subnets'
set firewall name untrust2dmz rule 20 log 'disable'
set firewall name untrust2dmz rule 20 source group network-group 'Bad_IPs'
set firewall name untrust2dmz rule 30 action 'accept'
set firewall name untrust2dmz rule 30 description 'Allow all from Our Addresses'
set firewall name untrust2dmz rule 30 log 'disable'
set firewall name untrust2dmz rule 30 source group network-group 'Our_Subnets'
set firewall name untrust2dmz rule 40 action 'accept'
set firewall name untrust2dmz rule 40 log 'disable'
set firewall name untrust2dmz rule 40 protocol 'icmp'
set firewall name untrust2trust default-action 'drop'
set firewall name untrust2trust rule 10 action 'accept'
set firewall name untrust2trust rule 10 log 'disable'
set firewall name untrust2trust rule 10 state established 'enable'
set firewall name untrust2trust rule 10 state related 'enable'
set firewall name untrust2trust rule 20 action 'drop'
set firewall name untrust2trust rule 20 description 'Drop Traffic From Bad Subnets'
set firewall name untrust2trust rule 20 log 'disable'
set firewall name untrust2trust rule 20 source group network-group 'Bad_IPs'
set interfaces ethernet eth0 description 'DMZ Interface'
set interfaces ethernet eth0 address 'y.y.y.y/28'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '52:54:00:72:ae:ca'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 description 'Trust Interface'
set interfaces ethernet eth1 address '192.168.128.38/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '52:54:00:65:08:92'
set interfaces ethernet eth1 smp_affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 description 'Untrust Interface'
set interfaces ethernet eth2 address 'x.x.x.x/27'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 hw-id '00:50:56:00:44:2f'
set interfaces ethernet eth2 smp_affinity 'auto'
set interfaces ethernet eth2 speed 'auto'
set interfaces loopback 'lo'
set nat 'source'
set protocols static route 0.0.0.0/0 next-hop '<gateway_address>'
set protocols static route 10.0.0.0/8 next-hop '192.168.128.1'
set protocols static route 172.16.0.0/12 next-hop '192.168.128.1'
set protocols static route 192.168.0.0/16 next-hop '192.168.128.1'
set service ssh listen-address '192.168.128.38'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system host-name 'fw01'
set system login user vyos authentication encrypted-password '<removed>'
set system login user vyos authentication plaintext-password ''
set system login user vyos level 'admin'
set system name-server '8.8.8.8'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system package auto-sync '1'
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system package repository community password ''
set system package repository community url 'http://packages.vyos.net/vyos'
set system package repository community username ''
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'UTC'
set vpn ipsec ipsec-interfaces interface 'eth2'
set vpn ipsec nat-networks allowed-network '0.0.0.0/0'
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username <removed> password '<removed>'
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access client-ip-pool start '192.168.255.1'
set vpn l2tp remote-access client-ip-pool stop '192.168.255.255'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret '<removed>'
set vpn l2tp remote-access outside-address '<eth2_address>'
set zone-policy zone dmz default-action 'drop'
set zone-policy zone dmz from trust firewall name 'trust2dmz'
set zone-policy zone dmz from untrust firewall name 'untrust2dmz'
set zone-policy zone dmz interface 'eth0'
set zone-policy zone trust default-action 'drop'
set zone-policy zone trust from dmz firewall name 'dmz2trust'
set zone-policy zone trust from untrust firewall name 'untrust2trust'
set zone-policy zone trust interface 'eth1'
set zone-policy zone untrust default-action 'drop'
set zone-policy zone untrust from dmz firewall name 'dmz2untrust'
set zone-policy zone untrust from trust firewall name 'trust2untrust'
set zone-policy zone untrust interface 'eth2'


Thanks,
Mark
Reply

#2

Just in case anyone stumbles upon this question having the same issue, I worked it out in a lab environment and deployed the solution to the live router.

The answer seems to be that I needed to define a zone for my tunnel interface (l2tp0) and then create rules for each direction I wanted to allow traffic to/from the tunnel connection. So, it looks something like this in the zone-policy...

set zone-policy zone dmz default-action 'drop'
set zone-policy zone dmz from trust firewall name 'trust2dmz'
set zone-policy zone dmz from tunnel firewall name 'tunnel2dmz'
set zone-policy zone dmz from untrust firewall name 'untrust2dmz'
set zone-policy zone dmz interface 'eth0'
set zone-policy zone trust default-action 'drop'
set zone-policy zone trust from dmz firewall name 'dmz2trust'
set zone-policy zone trust from tunnel firewall name 'tunnel2trust'
set zone-policy zone trust from untrust firewall name 'untrust2trust'
set zone-policy zone trust interface 'eth1'
set zone-policy zone tunnel default-action 'drop'
set zone-policy zone tunnel from dmz firewall name 'dmz2tunnel'
set zone-policy zone tunnel from trust firewall name 'trust2tunnel'
set zone-policy zone tunnel from untrust firewall name 'untrust2tunnel'
set zone-policy zone tunnel interface 'l2tp0'
set zone-policy zone untrust default-action 'drop'
set zone-policy zone untrust from dmz firewall name 'dmz2untrust'
set zone-policy zone untrust from trust firewall name 'trust2untrust'
set zone-policy zone untrust from tunnel firewall name 'tunnel2untrust'
set zone-policy zone untrust interface 'eth2'

And then I created all the tunnel2xxx and xxx2tunnel rules, allowing traffic where needed. If the tunnel is not up when you commit the config you'll get a warning about the interface not existing but it still applies and works fine. I'm guessing if I have more than one l2tp connection at a time, I'll get l2tp1, lt2p2, lt2p3 etc so I'd need to add these interfaces to the zone accordingly but I'll cross that bridge if/when I need to.
Reply





Users browsing this thread:
1 Guest(s)