Page 2 of 3 (results 11 to 20 of 25)
  1. #11
     dwasserman (Untangle Ninja), joined Jun 2008, Argentina, 4,366 posts

    From the first post:
    Site A gets DHCP from a DC at Site A

    Sure, server A is the domain controller and DHCP server, and it has a static IP.
    The world is divided into 10 kinds of people: those who know binary and those who don't.

  2. #12
     sky-knight (Untangle Ninja), joined Apr 2008, Phoenix, AZ, 26,119 posts

    Quote, originally posted by dwasserman:
        From the first post:
        Site A gets DHCP from a DC at Site A

        Sure, server A is the domain controller and DHCP server, and it has a static IP.
    And none of that matters, because it still needs a default gateway... one that presumably is the local Untangle. If it is not, that other device is what needs the static route.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #13
     dwasserman (Untangle Ninja), joined Jun 2008, Argentina, 4,366 posts

    Ummmmm, all other hosts in LAN A route fine to Site B; only the server can't. Where would you begin to debug?
    The world is divided into 10 kinds of people: those who know binary and those who don't.

  4. #14
     sky-knight (Untangle Ninja), joined Apr 2008, Phoenix, AZ, 26,119 posts

    Quote, originally posted by dwasserman:
        Ummmmm, all other hosts in LAN A route fine to Site B; only the server can't. Where would you begin to debug?
    I don't believe that assertion is true. Because it cannot be true. Either someone has mangled up the local routing table with similar hackery that you've suggested... creating unique and hard to troubleshoot issues such as this. OR the server is using a different router. OR there's a firewall configured somewhere that's blocking it.

    Observing the output of ROUTE PRINT on the server wouldn't be a bad thing.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #15
     ABerndt (Untangler), joined Apr 2017, 77 posts

    I'll try to provide a bit more information without giving away proprietary network information...

    OpenVPN between the 2 sites looks like it connects Site A using 67.xx.xxx.140 to Site B 172.xxx.xxx.25

    Whatismyip.com at Site A shows 67.xx.xxx.140, Site B shows 172.xxx.xxx.25, DC at Site A shows 67.xx.xxx.140, Server with Issue at Site A shows 67.xx.xxx.138

    Does something need to be added somewhere to allow communication between Site B and the outside IP of 67.xx.xxx.138? Either another VPN tunnel or a route to that server?

    Please keep in mind that I inherited all of this. I really appreciate everyone's help while I try to navigate through these challenges.

  6. #16
     sky-knight (Untangle Ninja), joined Apr 2008, Phoenix, AZ, 26,119 posts

    I really wish people wouldn't blank out IP addressing...

    There is no such thing as "proprietary network information", they are just numbers and numbers exposed to any number of automated systems that know far more about your network than you do. All you do by hiding them here is make the post harder to read! Which makes it harder for me to help you.

    Now, if I'm understanding this correctly:

    Site A WAN IP: 67.xx.xxx.140
    Site B WAN IP: 172.xxx.xxx.25

    But... whatismyip.com run on the DC at site A reports 67.xx.xxx.138 instead.

    This indicates the Untangle at Site A has TWO WAN IP addresses, you should see both .138, and .140 on External. And, .140 should be the main gateway. From there you need to go look at your NAT Rules, config -> network -> nat rules. You'll find a rule there that matches the internal IP address of your DC, and sets new source to 67.xx.xxx.138.

    This rule is very likely to be misconfigured. I suspect it simply says source address: LAN IP OF DC, NAT Type Custom, New Source 67.xx.xxx.138

    If this is the case you need to add an additional flag to the rule that says destination interface, and select the specific WAN interface that has 67.xx.xxx.138 on it, likely external. Without this additional flag, all traffic from that IP address will be subject to NAT, which will break your VPN access in precisely the way you've described.

    I really question what else is going on that justifies that NAT rule entirely, but for now simply refining it so it doesn't interfere with VPN traffic should address the issue at hand.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #17
     ABerndt (Untangler), joined Apr 2017, 77 posts

    I apologize, many sites scold for including entire IP addresses. The DC at Site A reports 67.52.215.140, the SQL server at Site A that cannot communicate with Site B reports an IP address of 67.52.215.138.

    Should the NAT Rule look like this?

    [attachment: Nat Rule.JPG]
    Last edited by ABerndt; 07-21-2021 at 01:16 PM. Reason: Added Screen Shot

  8. #18
     sky-knight (Untangle Ninja), joined Apr 2008, Phoenix, AZ, 26,119 posts

    Not destination address, destination INTERFACE.

    You want to match sessions sourced from 192.168.1.8 AND destined to something CONNECTED TO the WAN interface in question, THEN translate to the custom NAT.

    That rule will only fire if that internal server is talking to its public self... which is basically never. Use of interface means anything beyond it as well as what's on it.

    So the rule becomes everything sourced from 192.168.1.8, and heading to the world on this WAN link, is translated to this IP address.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
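
The two posts above (#16 and #18) describe the difference between a NAT rule that matches on source address alone and one that also matches on destination interface. The following is an added example, not code from the thread or from Untangle: a small Python simulation of first-match NAT rule evaluation over a longest-prefix routing table. The interface names "Internal", "tun0" and "External", the Site B LAN 192.168.2.0/24 and the destination hosts are constructed assumptions; 192.168.1.8 and 67.52.215.138 are the values given in the thread.

```python
"""Simulate Untangle-style NAT rule scoping (added example, not Untangle code).

Shows why a rule matching only on source address also rewrites sessions
headed into the OpenVPN tunnel, while adding a destination-interface
condition limits the translation to sessions leaving via the WAN.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Optional

# Constructed routing table for the Site A Untangle. Longest prefix wins.
# The OpenVPN tunnel to Site B is assumed to be interface "tun0" and to
# carry the (constructed) Site B LAN 192.168.2.0/24.
ROUTES = [
    (ip_network("192.168.1.0/24"), "Internal"),  # Site A LAN
    (ip_network("192.168.2.0/24"), "tun0"),      # Site B LAN via OpenVPN (assumed)
    (ip_network("0.0.0.0/0"), "External"),       # default route: the WAN link
]


@dataclass
class NatRule:
    src_addr: Optional[IPv4Network]   # None means "any source"
    dst_iface: Optional[str]          # None means "any egress interface"
    new_source: IPv4Address           # custom NAT: address to rewrite to


@dataclass
class Session:
    src: IPv4Address
    dst: IPv4Address


def egress_interface(dst: str, routes=ROUTES) -> str:
    """Longest-prefix-match lookup: the interface a packet to `dst` leaves through.
    "Destination interface" in a NAT rule means exactly this: anything reached
    beyond that interface, not only addresses configured on it."""
    addr = ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def apply_nat(session: Session, rules: list, routes=ROUTES) -> IPv4Address:
    """Return the session's source address after first-match rule evaluation.
    A session that matches no rule keeps its original source."""
    iface = egress_interface(str(session.dst), routes)
    for rule in rules:
        if rule.src_addr is not None and session.src not in rule.src_addr:
            continue
        if rule.dst_iface is not None and iface != rule.dst_iface:
            continue
        return rule.new_source
    return session.src


SERVER = ip_address("192.168.1.8")          # LAN address of the affected server (from the thread)
PUBLIC_ALIAS = ip_address("67.52.215.138")  # WAN alias it should appear as (from the thread)

# The rule as suspected in post #16: source address only, no interface condition.
WEAK_RULE = [NatRule(ip_network("192.168.1.8/32"), None, PUBLIC_ALIAS)]
# The refined rule from post #18: same source, but only when leaving via External.
FIXED_RULE = [NatRule(ip_network("192.168.1.8/32"), "External", PUBLIC_ALIAS)]


def evaluate(rules: list) -> dict:
    """Run one VPN-bound and one Internet-bound session through the rule set."""
    to_site_b = Session(SERVER, ip_address("192.168.2.10"))    # constructed Site B host
    to_internet = Session(SERVER, ip_address("93.184.216.34"))  # constructed Internet host
    return {
        "site_b": str(apply_nat(to_site_b, rules)),
        "internet": str(apply_nat(to_internet, rules)),
    }


if __name__ == "__main__":
    for name, rules in (("source-only rule", WEAK_RULE), ("rule with destination interface", FIXED_RULE)):
        print(f"{name}: {evaluate(rules)}")
```

With the source-only rule the VPN-bound session leaves the tunnel with source 67.52.215.138, an address Site B has no tunnel route back to, which is the symptom reported in the thread; with the destination-interface condition the same session keeps 192.168.1.8 and only the Internet-bound session is translated.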

  9. #19
     ABerndt (Untangler), joined Apr 2017, 77 posts

    Thank you for your patience. I apologize for all of the questions but I am not familiar with these settings. So I would modify the rule to look like this: [attachment: Nat Rule 2.JPG]

    What box(es) should be checked under 'Value' and what will happen to my existing tunnel when I click on 'Save'? Just to clarify, these settings are on the Untangle at Site A where the server is located.

  10. #20
     sky-knight (Untangle Ninja), joined Apr 2008, Phoenix, AZ, 26,119 posts

    Quote, originally posted by ABerndt:
        Thank you for your patience. I apologize for all of the questions but I am not familiar with these settings. So I would modify the rule to look like this: [attachment: Nat Rule 2.JPG]

        What box(es) should be checked under 'Value' and what will happen to my existing tunnel when I click on 'Save'? Just to clarify, these settings are on the Untangle at Site A where the server is located.
    It's most likely external. But to confirm it's whatever interface has 67.52.215.138 configured on it. You can look at External's IP configuration, and find the IP address in the list of aliases at the bottom.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
