  1. #1
    Untanglit
    Join Date
    Feb 2016
    Posts
    19

    I can't ping internal network when connected to VPN

    Remote users can ping UT server IP address, but not access internal network via FQDN or IP.

    Internet --> Comcast modem (10.1.10.1) --> UT server (10.1.10.60 / 172.16.2.1) --> 2019 Windows domain server (DNS and DHCP server) (172.16.2.10)

    I attempted to put the modem into bridge mode, but they don't have a static IP and it kept messing up, so I put it back into router mode with firewall disabled. I configured a static route in the modem from 10.1.10.1 to 172.16.2.0

    I have configured the Comcast modem with port forwarding of 443 and 1194 to the UT server.
    UT server is configured with its own address space, and I have checked and unchecked NAT OpenVPN traffic.
    UT Group is configured for Full Tunnel and to push DNS of the internal DNS server.
    Exported network is configured for the internal private network of 172.168.2.0/24.

  2. #2
    Untangle Ninja
    Join Date
    May 2008
    Posts
    1,288

    Is 1194 set to udp? Should be. Did you export the internal networks?

  3. #3
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,107

    Do the users connect to OpenVPN?
    Are you testing from outside your network?
    If you are using Comcast as a router, how are you setting the external IP of the OpenVPN settings?
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Untanglit
    Join Date
    Feb 2016
    Posts
    19

    Originally posted by donhwyo:
    Is 1194 set to udp? Should be. Did you export the internal networks?
    1194 UDP/TCP forwarded. And, yes, I exported the internal networks.

  5. #5
    Untanglit
    Join Date
    Feb 2016
    Posts
    19

    Originally posted by jcoffin:
    Do the users connect to OpenVPN?
    Are you testing from outside your network?
    If you are using Comcast as a router, how are you setting the external IP of the OpenVPN settings?
    Yes.

    Yes.

    I have to manually input the external IP for OpenVPN client to reflect the site public IP.

  6. #6
    Untanglit
    Join Date
    Feb 2016
    Posts
    19

    Routes:

    = IPv4 Rules =
    0: from all lookup local
    100: from all fwmark 0xfe00/0xff00 lookup 1000
    220: from all lookup ipsec
    32766: from all lookup main
    32767: from all lookup default
    50000: from 10.1.10.60 lookup uplink.1
    70001: from all fwmark 0x100/0xff00 lookup uplink.1
    900000: from all lookup balance
    1000000: from all lookup uplink.1

    = IPv4 Table main =
    10.1.10.0/24 dev eth0 proto kernel scope link src 10.1.10.60
    10.1.10.1 dev eth0 scope link
    172.16.2.0/24 dev br.eth1 proto kernel scope link src 172.16.2.1
    172.16.144.0/24 via 172.16.144.2 dev tun0
    172.16.144.2 dev tun0 proto kernel scope link src 172.16.144.1
    192.0.2.0/30 dev br.lxc proto kernel scope link src 192.0.2.1
    192.0.2.200/30 dev utun proto kernel scope link src 192.0.2.200

    = IPv4 Table balance =
    default via 10.1.10.1 dev eth0

    = IPv4 Table default =

    = IPv4 Table local =
    broadcast 10.1.10.0 dev eth0 proto kernel scope link src 10.1.10.60
    local 10.1.10.60 dev eth0 proto kernel scope host src 10.1.10.60
    broadcast 10.1.10.255 dev eth0 proto kernel scope link src 10.1.10.60
    broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
    local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
    local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
    broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
    broadcast 172.16.2.0 dev br.eth1 proto kernel scope link src 172.16.2.1
    local 172.16.2.1 dev br.eth1 proto kernel scope host src 172.16.2.1
    broadcast 172.16.2.255 dev br.eth1 proto kernel scope link src 172.16.2.1
    local 172.16.144.1 dev tun0 proto kernel scope host src 172.16.144.1
    broadcast 192.0.2.0 dev br.lxc proto kernel scope link src 192.0.2.1
    local 192.0.2.1 dev br.lxc proto kernel scope host src 192.0.2.1
    broadcast 192.0.2.3 dev br.lxc proto kernel scope link src 192.0.2.1
    local 192.0.2.200 dev utun proto kernel scope host src 192.0.2.200
    broadcast 192.0.2.200 dev utun proto kernel scope link src 192.0.2.200
    broadcast 192.0.2.203 dev utun proto kernel scope link src 192.0.2.200

    = IPv4 Dynamic Routing =

    = IPv4 Table uplink.1 =
    default via 10.1.10.1 dev eth0

    = IPv4 Route Rules =


    = IPv6 Rules =
    0: from all lookup local
    220: from all lookup ipsec
    32766: from all lookup main

    = IPv6 Table main =
    ::1 dev lo proto kernel metric 256 pref medium
    fe80::/64 dev br.lxc proto kernel metric 256 pref medium
    fe80::/64 dev utun proto kernel metric 256 pref medium
    fe80::/64 dev tun0 proto kernel metric 256 pref medium

    = IPv6 Table default =

    = IPv6 Table local =
    local ::1 dev lo proto kernel metric 0 pref medium
    local fe80::bc51:c8ff:fe61:8b7 dev br.lxc proto kernel metric 0 pref medium
    local fe80::d749:1346:600e:dfc1 dev tun0 proto kernel metric 0 pref medium
    local fe80::e8e5:5dff:feee:78c3 dev utun proto kernel metric 0 pref medium
    ff00::/8 dev br.lxc metric 256 pref medium
    ff00::/8 dev utun metric 256 pref medium
    ff00::/8 dev tun0 metric 256 pref medium

    = IPv6 Table uplink.1 =

    = IPsec Rules =
    Server tab (I have checked and unchecked NAT OpenVPN Traffic to test):
    Mosa1.jpg

    Groups tab:
    Mosa2.jpg

    Exported Network tab:
    Mosa3.jpg

    Comcast Port Forwarding tab:
    Mosa4.jpg

    Comcast Static Routes tab:
    Last edited by jmichaelrush; 10-17-2020 at 06:27 AM.

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,093

    Well first things first... stop manually using IP addresses.

    Config -> Network -> Hostname

    Select use Manually Specified Address, and feed that box the real IP, or a DNS name that resolves to the real IP. That way the scripts are written correctly from the start!

    Next... 172.16.144.0/24 is your OpenVPN address pool range. Your route for that traffic is wrong... not sure where you got that other 172 range, but in this case... your router is incorrect, also the gateway address is Untangle's. So that needs to be 10.1.10.60.

    After that, you get to kick Windows firewall on all the machines in your office, because they will not accept anything, much less ping from a remote network they're now clearly seeing.
    Last edited by sky-knight; 10-17-2020 at 07:49 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
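
A routing sanity check for a setup like the one in this thread, added here as an example (it is not code from any poster or from Untangle). It parses the "IPv4 Table main" lines copied from post #6 and checks whether each exported network, as typed in post #1 plus the LAN range from the topology line, is actually a directly connected network on the server; the function names are hypothetical.

```python
import ipaddress

# Copied from the "IPv4 Table main" output in post #6.
MAIN_TABLE = """\
10.1.10.0/24 dev eth0 proto kernel scope link src 10.1.10.60
10.1.10.1 dev eth0 scope link
172.16.2.0/24 dev br.eth1 proto kernel scope link src 172.16.2.1
172.16.144.0/24 via 172.16.144.2 dev tun0
172.16.144.2 dev tun0 proto kernel scope link src 172.16.144.1
"""

def parse_routes(text):
    """Return [(network, device, gateway_or_None)] from `ip route` style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("default", "broadcast", "local"):
            continue
        net = ipaddress.ip_network(fields[0], strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, dev, gw))
    return routes

def lookup(routes, dest):
    """Longest-prefix match in one table; None means 'falls through to default'."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def check_exports(routes, exported):
    """Map each exported CIDR to the connected device serving it, or None."""
    result = {}
    for cidr in exported:
        net = ipaddress.ip_network(cidr)
        # Only directly connected routes (no gateway) count as "internal".
        match = [r for r in routes if r[2] is None and net.subnet_of(r[0])]
        result[cidr] = match[0][1] if match else None
    return result

if __name__ == "__main__":
    routes = parse_routes(MAIN_TABLE)
    for cidr, dev in check_exports(routes, ["172.168.2.0/24", "172.16.2.0/24"]).items():
        print(cidr, "->", dev or "no connected interface (traffic would leave via the uplink)")
```
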
