Open VPN I must be doing something wrong. - Page 3

windozeuser · 03-30-2009, 02:07 PM

The choices for source interface are, External, DMZ, Internal, Less trust, More Trusted. I have a rule that allows Source Less trusted destination any source IP 172.16.0.9 (the remote IP) and destination IP any, traffic type any. No dice.

windozeuser · 03-30-2009, 02:08 PM

That's got to be the problem, that I don't have VPN as source interface.

windozeuser · 03-30-2009, 02:24 PM

A radical idea... I rebooted untangle and got the option on the source interface.

andrew50 · 03-30-2009, 02:27 PM

crap, that is usually one of my first sugesstions along with power cycling the item in the rack...I posted it in another thread this morning, but not here.

and then ?

windozeuser · 03-30-2009, 02:54 PM

Ok. Think this is resolved with your AWESOME help.

Solution was making the gateway the untangle server. Dude, I feel like I should buy you a beer

andrew50 · 03-30-2009, 03:11 PM

glad I could help!

sky-knight · 03-30-2009, 03:28 PM

You shouldn't ever make a UT bridge the gateway. The fix is to define a static route for the OpenVPN address pool, and remote subnets on the other side of the site-to-site tunnel, in your router.

Also, as for ping... UT's packet filter by default prevents all ICMP traffic. So ping will never work unless you kick the packet filter.

windozeuser · 03-30-2009, 03:47 PM

sky-knight i'd like to briefly discuss about the UT bridging the gateway. I have a large deployment coming up and part of this is evaluating untangle as a solution.

do you mean the untangle should never be put directly behind a firewall?

andrew50 · 03-31-2009, 09:52 AM

Quote:

Originally Posted by windozeuser

sky-knight i'd like to briefly discuss about the UT bridging the gateway. I have a large deployment coming up and part of this is evaluating untangle as a solution.

do you mean the untangle should never be put directly behind a firewall?

I believe he means a bridged untangle should not be the gateway, but the device on the other side of it should be..

sky-knight · 03-31-2009, 11:10 AM

Yes, UT in bridge mode isn't setup to be a gateway of anything. If you make it the gateway you will "fix" OpenVPN at the expense of breaking everything else. You need to configure your routing equipment responsible for each segment for the VPN links.

03-30-2009, 02:07 PM	#21 (permalink)
windozeuser Untanglit Join Date: Mar 2009 Posts: 21	The choices for source interface are, External, DMZ, Internal, Less trust, More Trusted. I have a rule that allows Source Less trusted destination any source IP 172.16.0.9 (the remote IP) and destination IP any, traffic type any. No dice. __________________ An unspecified error has occurred in module <UNKNOWN>. Please contact your system administrator and tell him you are being used a beta tester.

03-30-2009, 02:08 PM	#22 (permalink)
windozeuser Untanglit Join Date: Mar 2009 Posts: 21	That's got to be the problem, that I don't have VPN as source interface. __________________ An unspecified error has occurred in module <UNKNOWN>. Please contact your system administrator and tell him you are being used a beta tester.

03-30-2009, 02:24 PM	#23 (permalink)
windozeuser Untanglit Join Date: Mar 2009 Posts: 21	A radical idea... I rebooted untangle and got the option on the source interface. __________________ An unspecified error has occurred in module <UNKNOWN>. Please contact your system administrator and tell him you are being used a beta tester.

03-30-2009, 02:54 PM	#25 (permalink)
windozeuser Untanglit Join Date: Mar 2009 Posts: 21	Ok. Think this is resolved with your AWESOME help. Solution was making the gateway the untangle server. Dude, I feel like I should buy you a beer __________________ An unspecified error has occurred in module <UNKNOWN>. Please contact your system administrator and tell him you are being used a beta tester.

03-30-2009, 03:28 PM	#27 (permalink)
sky-knight Join Date: Apr 2008 Location: Phoenix, AZ URLs submitted: 8 Posts: 14,698	You shouldn't ever make a UT bridge the gateway. The fix is to define a static route for the OpenVPN address pool, and remote subnets on the other side of the site-to-site tunnel, in your router. Also, as for ping... UT's packet filter by default prevents all ICMP traffic. So ping will never work unless you kick the packet filter. __________________ Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879

03-30-2009, 02:27 PM	#24 (permalink)
andrew50 Master Untangler Join Date: Mar 2008 URLs submitted: 6 Posts: 143	crap, that is usually one of my first sugesstions along with power cycling the item in the rack...I posted it in another thread this morning, but not here. and then ?

03-30-2009, 03:11 PM	#26 (permalink)
andrew50 Master Untangler Join Date: Mar 2008 URLs submitted: 6 Posts: 143	glad I could help!

03-30-2009, 03:47 PM	#28 (permalink)
windozeuser Untanglit Join Date: Mar 2009 Posts: 21	sky-knight i'd like to briefly discuss about the UT bridging the gateway. I have a large deployment coming up and part of this is evaluating untangle as a solution. do you mean the untangle should never be put directly behind a firewall? __________________ An unspecified error has occurred in module <UNKNOWN>. Please contact your system administrator and tell him you are being used a beta tester.

03-31-2009, 11:10 AM	#30 (permalink)
sky-knight Join Date: Apr 2008 Location: Phoenix, AZ URLs submitted: 8 Posts: 14,698	Yes, UT in bridge mode isn't setup to be a gateway of anything. If you make it the gateway you will "fix" OpenVPN at the expense of breaking everything else. You need to configure your routing equipment responsible for each segment for the VPN links. __________________ Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879