Default deny rule IPv4 (1000000103) over layer 2 VPN it should NOT be using
-
Getting "Default deny rule IPv4 (1000000103)"
I am trying to RDP from SRV01 to SRV02; all of the machines are okay.
I have a firewall rule and a NAT rule on FW02 that NATs: if you RDP to the transit interface on FW02, it forwards to SVR2, and I can see in the log on FW02 that it is allowed, but then on FW01 I see that it is blocked with the "Default deny rule IPv4 (1000000103)". -
Why do you NAT and not route?
Can you please show your settings/firewall rules with screenshots? -Rico
-
@Rico, my hero, hopefully.
Threw in the Firewall log that allowed the traffic.
Bonus info:
There is another server on the 192.168.1.0/24 net where there is a NAT rule that allows traffic from the same net as SRV01 to another server in the same LAN, but here there is a forward from 8080 to 80. This works, and I do not see any of this traffic on FW01. -
@lean-on-he said in Default deny rule IPv4 (1000000103) over layer 2 VPN it should NOT be using:
There is another server on the 192.168.1.0/24 net where there is a NAT rule that allows traffic from the same net as SRV01 to another server in the same LAN
This is another example of why NAT is a curse on networking. It causes people to do dumb things. The proper solution is to move to IPv6, and avoid this sort of nonsense. Having 2 networks with the same IP address can only cause problems. I first came across this sort of issue several years ago, while travelling for work. I'd be in a hotel and try to connect home via VPN. But since the hotel network used the same addresses as my home network, I couldn't access anything on my home network. I had to move my network to an address range that is not commonly used.
-
@JKnott
I think you misunderstood.
The 192.168.1.0/24 is one LAN over a layer 2 tunnel, so using the same IPs in two different nets does not cause the problem. I am connecting from the same place.
I can connect to the server 192.168.1.53:8080.
I cannot connect to the server 192.168.1.50:3389.