Blocking Internet access from SecureNAT users

klyisd
Posts: 3
Joined: Thu Aug 28, 2014 4:35 am

Blocking Internet access from SecureNAT users

Post by klyisd » Thu Aug 28, 2014 6:20 am

Hello All,

I tried to allow VPN access only to local LAN resources, but it seems not to be working...

1000 Allow 192.168.30.0 255.255.255.0 to 192.168.0.0 255.255.255.0
2000 Block 192.168.30.0 255.255.255.0 to all

Can someone assist if there is a proper way to do the blocking?
Thanks

qupfer
Posts: 202
Joined: Wed Jul 10, 2013 2:07 pm

Re: Blocking Internet access from SecureNAT users

Post by qupfer » Sat Aug 30, 2014 7:06 pm

Yes, your "solution" can't work.

This access list controls the connections between VPN clients and the VPN server. I don't know what your server IP is, but I assume it's in the 192.168.0.0 to 192.168.30.0 range.
So, in your example, your first rule is senseless, because it's an "allow all" rule with the lowest priority, and SoftEther doesn't block anything by default. This means you allow things that are already allowed.
The second rule (with higher priority) will block anything from clients with IPs in the 192.168.30.0/24 range. And anything means anything; that includes LAN traffic too, and also all control messages like DNS/DHCP and so on.
"Block all" is rarely a good idea at the end of the access list (or at the beginning, I mean with the highest priority ;) ).

You should start with a "block all" rule, followed by an "allow all" rule which allows connections to the 192.168.0.0/16 subnet.
Or use your system firewall (Windows Firewall on a Windows server or iptables on Linux), which I would prefer.

Edit: and if you use the access list, don't forget the "reverse" connections, if they are not included in the rule.

(For example, if you allow 1.2.3.4 to 4.3.2.1, you also have to allow 4.3.2.1 to 1.2.3.4.
But if you allow 192.168.0.0/16 to 192.168.0.0/16, the "reverse rule" is included.
(192.168.0.0/16 is 192.168.X.X, or 192.168.0.0 with subnet mask 255.255.0.0))

klyisd
Posts: 3
Joined: Thu Aug 28, 2014 4:35 am

Re: Blocking Internet access from SecureNAT users

Post by klyisd » Mon Sep 01, 2014 2:24 am

I tried with block all first, but now my VPN server won't accept new incoming connections.

I am currently using SecureNAT on 192.168.30.0, where my office LAN is 192.168.0.0.

I ended up using port blocking on the non-office-LAN network.

qupfer
Posts: 202
Joined: Wed Jul 10, 2013 2:07 pm

Re: Blocking Internet access from SecureNAT users

Post by qupfer » Mon Sep 01, 2014 12:22 pm

Okay, it seems I was wrong about the priority order. Lower numbers have higher priority. So your block-all needs the highest priority number (and lowest priority), which means your first idea was correct. Sorry for the confusion ;-).

But attention: SecureNAT uses DHCP, and DHCP uses broadcast packets. So the destination IP is 255.255.255.255 (and the source 0.0.0.0). You need a special rule for these packets.

This looks like a working solution for me: [attached screenshot not available]
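The two points made in this thread (rules are tried in ascending priority number and the first match decides, with SoftEther passing anything that matches no rule; and the DHCP exchange needs its own rule before the catch-all block) can be checked offline before touching the hub. The following is an added example written for this page, not code from the SoftEther project or from the posters: a small model of access-list evaluation run over the poster's two rule sets and a corrected one. The 192.168.30.0/24 SecureNAT pool and 192.168.0.0/24 office LAN come from the thread; the DHCP broadcast rule, the rule for clients talking to the SecureNAT virtual host (192.168.30.1, for DHCP renewals and DNS), the reverse rule for office-to-client traffic, and the sample flows are this example's assumptions. The model does not know which frames the SecureNAT virtual host itself emits (for example the DHCP offer), so it carves out broadcast traffic in both directions to be safe. The `to_vpncmd` output uses the `AccessAdd` syntax as the author recalls it; confirm it against the `AccessAdd` help in your own vpncmd before pasting.

```python
"""Model of a SoftEther Virtual Hub access list, as the thread describes it:
rules are tried in ascending priority number (lower number wins), the first
matching rule decides, and a packet matching no rule is passed.
Constructed example; not SoftEther code."""
from ipaddress import ip_address, ip_network


class Rule:
    """One access-list entry, reduced to the fields the thread uses."""

    def __init__(self, priority, action, src, dst, memo=""):
        assert action in ("pass", "discard")
        self.priority = priority
        self.action = action
        self.src = ip_network(src)
        self.dst = ip_network(dst)
        self.memo = memo

    def matches(self, src_ip, dst_ip):
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst

    def to_vpncmd(self):
        # Assumed vpncmd AccessAdd syntax (verify against your vpncmd help);
        # fields not given here are left at their "any" default.
        return (f'AccessAdd {self.action} /MEMO:"{self.memo}" '
                f'/PRIORITY:{self.priority} /SRCIP:{self.src} '
                f'/DESTIP:{self.dst} /PROTOCOL:ip')


def evaluate(rules, src_ip, dst_ip):
    """Return (action, priority of the deciding rule); None = default pass."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.priority
    return "pass", None


SECURENAT = "192.168.30.0/24"   # SecureNAT client pool (from the thread)
OFFICE = "192.168.0.0/24"       # office LAN (from the thread)
ANY = "0.0.0.0/0"

# The poster's first attempt: block last (correct order), but nothing lets
# clients reach the SecureNAT virtual host for DHCP renewals or DNS.
ORIGINAL = [
    Rule(1000, "pass", SECURENAT, OFFICE, "VPN clients to office LAN"),
    Rule(2000, "discard", SECURENAT, ANY, "block everything else"),
]

# Second attempt: block at the lowest number, so it wins over every later rule.
BLOCK_FIRST = [
    Rule(1000, "discard", SECURENAT, ANY, "block all"),
    Rule(2000, "pass", SECURENAT, OFFICE, "never reached"),
]

# Assumed working layout: specific exceptions first, the catch-all block last.
WORKING = [
    Rule(100, "pass", ANY, "255.255.255.255/32", "DHCP broadcast (src may be 0.0.0.0)"),
    Rule(200, "pass", SECURENAT, SECURENAT, "clients to SecureNAT virtual host (DHCP renew, DNS)"),
    Rule(1000, "pass", SECURENAT, OFFICE, "VPN clients to office LAN"),
    Rule(1100, "pass", OFFICE, SECURENAT, "reverse direction of rule 1000"),
    Rule(2000, "discard", SECURENAT, ANY, "block Internet and anything else"),
]

# Constructed sample flows: (label, source IP, destination IP).
FLOWS = [
    ("dhcp discover", "0.0.0.0", "255.255.255.255"),
    ("dhcp renew / dns", "192.168.30.5", "192.168.30.1"),
    ("file server", "192.168.30.5", "192.168.0.10"),
    ("file server reply", "192.168.0.10", "192.168.30.5"),
    ("internet", "192.168.30.5", "203.0.113.7"),
]


def report(rules):
    """Map each sample flow to the action the given rule set takes on it."""
    return {label: evaluate(rules, s, d)[0] for label, s, d in FLOWS}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("block-first", BLOCK_FIRST),
                        ("working", WORKING)):
        print(name, report(rules))
    print("\n".join(r.to_vpncmd() for r in WORKING))
```

Running it shows the original set silently discarding the client's DHCP renewal and DNS traffic to 192.168.30.1, the block-first set discarding the office LAN traffic it was meant to allow, and the working set passing only DHCP, the virtual host, and the office LAN in both directions while discarding the Internet flow on rule 2000.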

klyisd
Posts: 3
Joined: Thu Aug 28, 2014 4:35 am

Re: Blocking Internet access from SecureNAT users

Post by klyisd » Tue Sep 02, 2014 4:10 am

Thanks! It seems to be working with users.
I think it would help a lot if there were preset rules... but this is the best free VPN suite I have seen.
