My access rules don't work unless I allow all traffic
Posted: Sun Oct 11, 2015 1:23 am
I have a pretty simple bridged VPN setup. It works fine. But I am trying to create a few different user groups who have limited access to only certain servers and resources. And this is where I am failing.
An explanation of the rules in my screenshot:
1-4: DHCP, and allows user authentication to work for everybody.
5-20: An attempt to allow the "AllScripts Servers Only" user group access to a handful of IP addresses
21-22: Should allow the "KCHASTS Only" group RDP access to a single server
23-24: Ping testing? Didn't work.
25-28: Allow DNS to work for the AllScripts Servers Only group. It didn't seem to work.
29-30: Ping testing? Didn't work.
31: Should allow Ping for everybody, right? Doesn't work.
32: If you are in the Super Administrators group, all traffic passes. This works!
33-34: Block all access that I didn't otherwise allow (this works, but ends up blocking everything).
The result of these rules is that if you are in the Super Administrators group, you can access everything. And if you are in one of the other two groups, you can't access anything.
Any ideas for me?
I am attaching a ton of information. Hopefully someone can give me a clue.
Here are answers to the common questions about my config:
1. Operating system name and the type of CPU-bits
(e.g. CentOS 6.4 x64)
Debian 3.2.68-1 x64
2. The result of "ifconfig -a" (UNIX) or "ipconfig /all" (Windows)
root@kchvpn:~# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:0c:29:7a:67:20
inet addr:10.80.80.5 Bcast:10.80.80.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe7a:6720/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:388094 errors:0 dropped:0 overruns:0 frame:0
TX packets:310237 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:38247419579 (36.4 MiB) TX bytes:30703401 (29.2 MiB)
3. The result of "uname -a" (UNIX) or "systeminfo" (Windows)
root@kchvpn:~# uname -a
Linux kchvpn 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u3 x86_64 GNU/Linux
4. The build number of SoftEther VPN
Version 4.18 Build 9570 (English)
5. Which SoftEther VPN component are you using?
Standalone Server
6. Whether or not there is a NAT or Firewall between your VPN server and the Internet.
(If there is a NAT or Firewall, you should open a TCP port for the VPN listener.)
Yes, using NAT.
7. Are you using SecureNAT?
(If so, why don't you use the Local Bridge function instead?
The performance of SecureNAT is lower than Local Bridge, and it consumes
much CPU time. You should not use SecureNAT except in very limited situations.)
Please see http://www.softether.org/index.php?titl ... T_Function
No.
8. Your current vpn_server.config or vpn_bridge.config file should be attached to the post.
(You may hide your confidential information on these config files if included)
ATTACHED!
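An added example, not from the post or from SoftEther, that models the kind of ordered access list described above as a first-match, per-packet filter with group-scoped rules. It uses the group names from the post with constructed users, addresses and ports, and assumes the filter is stateless, so each direction of a flow must be matched by its own rule; under that assumption it shows how a final deny-all discards the return leg of a connection whose forward leg a group rule allowed, and how a rule keyed on the destination user fixes it.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed membership using the group names from the post (example data, not the poster's config).
GROUPS = {"alice": "AllScripts Servers Only", "bob": "KCHASTS Only", "root": "Super Administrators"}

@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "discard"
    src_group: Optional[str] = None  # group of the VPN user that sent the frame; None = any
    dst_group: Optional[str] = None  # group of the VPN user that receives it; None = any
    proto: Optional[str] = None      # "tcp", "udp", "icmp"; None = any
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
@dataclass
class Packet:
    src_user: Optional[str]          # None when the frame arrives from the bridged LAN side
    dst_user: Optional[str]
    proto: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
def matches(r: Rule, p: Packet) -> bool:
    """Every field set on the rule must agree with the packet; unset fields are wildcards."""
    checks = [(r.src_group, GROUPS.get(p.src_user)), (r.dst_group, GROUPS.get(p.dst_user)),
              (r.proto, p.proto), (r.src_ip, p.src_ip), (r.dst_ip, p.dst_ip),
              (r.src_port, p.src_port), (r.dst_port, p.dst_port)]
    return all(want is None or want == have for want, have in checks)

def evaluate(rules, p: Packet):
    """Ordered first-match evaluation of one frame on its own (stateless: an assumption here).
    Returns (action, deciding rule); a frame that matches nothing passes."""
    for r in rules:
        if matches(r, p):
            return r.action, r.name
    return "pass", "no-rule-matched"
RULES = [Rule("kchasts-rdp-out", "pass", src_group="KCHASTS Only", proto="tcp", dst_ip="10.80.80.20", dst_port=3389),
         Rule("ping-everybody", "pass", proto="icmp"),
         Rule("superadmin-out", "pass", src_group="Super Administrators"),
         Rule("superadmin-in", "pass", dst_group="Super Administrators"),
         Rule("deny-rest", "discard")]
RDP_SYN = Packet("bob", None, "tcp", "10.80.80.150", "10.80.80.20", 50123, 3389)
RDP_REPLY = Packet(None, "bob", "tcp", "10.80.80.20", "10.80.80.150", 3389, 50123)
# The return leg needs its own rule keyed on the destination user, or deny-rest discards it.
FIXED = RULES[:1] + [Rule("kchasts-rdp-in", "pass", dst_group="KCHASTS Only", proto="tcp",
                          src_ip="10.80.80.20", src_port=3389)] + RULES[1:]
```

Running `evaluate` on each packet of a failing flow names the rule that decided it, which is the quickest way to see which leg a catch-all deny is eating.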