Blocking Internet access from SecureNAT users

Posted: Thu Aug 28, 2014 6:20 am
by klyisd
Hello All,

I tried to allow VPN access only to local LAN resources, but it seems not to be working...

1000 Allow 192.168.30.0 255.255.255.0 to 192.168.0.0 255.255.255.0
2000 Block 192.168.30.0 255.255.255.0 to all

Can someone assist if there is a proper way to do the blocking?
Thanks

Re: Blocking Internet access from SecureNAT users

Posted: Sat Aug 30, 2014 7:06 pm
by qupfer
Yes, your "solution" can't work.

This access list controls the connections between VPN clients and the VPN server. I don't know what your server IP is, but I assume it's in the 192.168.0.0 to 192.168.30.0 range.
So, in your example, your first rule is senseless, because it's an "allow all" rule with the lowest priority, and SoftEther doesn't block anything by default. This means you allow allowed things.
The second rule (with higher priority) will block anything from clients with IPs in the 192.168.30.0/24 range. And anything means anything; that includes LAN traffic too, and also all control messages like DNS/DHCP and so on.
"Block all" is rarely a good idea at the end of the access list (or at the beginning, I mean with the highest priority ;) ).

You should start with a "block all" rule, followed by an "allow all" rule which allows connections to the 192.168.0.0/16 subnet.
Or use your system firewall (Windows Firewall on a Windows server or iptables on Linux), which is what I would prefer.

Edit: and if you use the access list, don't forget the "reverse" connection if it is not included in the rule.

(For example, if you allow 1.2.3.4 to 4.3.2.1, you also have to allow 4.3.2.1 to 1.2.3.4.
But if you allow 192.168.0.0/16 to 192.168.0.0/16, the "reverse rule" is included.
(192.168.0.0/16 is 192.168.X.X, or 192.168.0.0 with subnet mask 255.255.0.0))

Re: Blocking Internet access from SecureNAT users

Posted: Mon Sep 01, 2014 2:24 am
by klyisd
I tried with block all first, but now my VPN server won't accept new incoming connections.

I am currently using SecureNAT on 192.168.30.0, where my Office LAN is 192.168.0.0.

I ended up using port blocking on the non-Office-LAN network.

Re: Blocking Internet access from SecureNAT users

Posted: Mon Sep 01, 2014 12:22 pm
by qupfer
Okay, it seems I was wrong about the priority order. Lower numbers have higher priority. So your block-all needs the highest priority number (and the lowest priority), which means your first idea was correct. Sorry for the confusion ;-).

But attention: SecureNAT uses DHCP, and DHCP uses broadcast packets. So the destination IP is 255.255.255.255 (and the source 0.0.0.0). You need a special rule for these packets.

This looks like a working solution for me:
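As an added illustration (not from the thread or from SoftEther), the following Python model applies the access-list semantics the replies settle on (lower priority number wins, nothing is blocked by default) to the original two rules, with and without an explicit DHCP broadcast exception. The rule priority 900, the sample addresses and the test packets are constructed for the example.

```python
import ipaddress

# Added example: a small model of the access-list semantics described in the
# thread (lower priority number wins, unmatched traffic passes). Not SoftEther's code.

def rule(priority, action, src, dst):
    """Build one rule; src/dst are CIDR strings, action is 'pass' or 'block'."""
    return (priority, action, ipaddress.ip_network(src), ipaddress.ip_network(dst))

def evaluate(acl, src_ip, dst_ip):
    """Return the action for one packet: first match in ascending priority number,
    'pass' when no rule matches (SoftEther blocks nothing by default)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for _, action, s_net, d_net in sorted(acl, key=lambda r: r[0]):
        if src in s_net and dst in d_net:
            return action
    return "pass"

# The original poster's two rules from the thread.
ORIGINAL = [
    rule(1000, "pass", "192.168.30.0/24", "192.168.0.0/24"),
    rule(2000, "block", "192.168.30.0/24", "0.0.0.0/0"),
]

# Same list plus the DHCP broadcast exception the second reply calls for.
# Priority 900 is a constructed choice that sorts ahead of the block-all rule.
WITH_DHCP = ORIGINAL + [
    rule(900, "pass", "192.168.30.0/24", "255.255.255.255/32"),
]

# Constructed sample traffic; 203.0.113.5 is a documentation address standing in
# for "the Internet". A DHCP renewal is sent from the leased address to broadcast.
PACKETS = {
    "lan": ("192.168.30.10", "192.168.0.20"),
    "lan_reverse": ("192.168.0.20", "192.168.30.10"),
    "internet": ("192.168.30.10", "203.0.113.5"),
    "dhcp_discover": ("0.0.0.0", "255.255.255.255"),
    "dhcp_renew": ("192.168.30.10", "255.255.255.255"),
}

def check(acl):
    """Evaluate every sample packet against an access list."""
    return {name: evaluate(acl, s, d) for name, (s, d) in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("with DHCP rule", WITH_DHCP)):
        print(label, check(acl))
```

Running it shows the original list already blocks Internet traffic while passing LAN traffic, but also blocks a client's DHCP renewal broadcast until the extra rule is added.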

Re: Blocking Internet access from SecureNAT users

Posted: Tue Sep 02, 2014 4:10 am
by klyisd
Thanks! It seems to be working with users.
I think it would help a lot if there were preset rules... but this is the best free VPN suite I have seen.