Shell Bypassing Firewall Rules
-
I assume VPN1 is the default route/gateway here?
Also that traffic coming from the client is going through a policy routing rules sending it via VPN2?
Do the VPN client connections have different gateway IPs?
Steve
-
Hmm, OK I was able to replicate that to some extent and it was because I had an auto outbound NAT rule for the VPN tunnel subnet. In my case it was out the WAN directly. Removing that (setting do no NAT) stopped that happening.
Steve
-
@stephenw10 said in Shell Bypassing Firewall Rules:
I assume VPN1 is the default route/gateway here?
Also that traffic coming from the client is going through a policy routing rules sending it via VPN2?
Do the VPN client connections have different gateway IPs?
Steve
Yes VPN1 is the default, assuming "Default gateway IPv4" in the routing tab is the correct place to set it.
Policy routing rules? Do you mean the rules under the firewall tab (Firewall/Rules/LAN)? If so then yes, I set a rule there that's supposed to redirect it to VPN2.
Yes, they're different.
@stephenw10 said in Shell Bypassing Firewall Rules:
Hmm, OK I was able to replicate that to some extent and it was because I had an auto outbound NAT rule for the VPN tunnel subnet. In my case it was out the WAN directly. Removing that (setting do no NAT) stopped that happening.
Steve
So check the "Do not NAT - Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules" box? Just want to make sure that this is the correct one. Thanks.
-
Yes that. So you should not ever be NATing the VPN2 tunnel subnet as a source out of the VPN1 interface.
Steve
-
@stephenw10 said in Shell Bypassing Firewall Rules:
Yes that. So you should not ever be NATing the VPN2 tunnel subnet as a source out of the VPN1 interface.
Steve
Alright I've tried setting that option but I don't know which one to set it on, so I tried setting it on the 192.168.1.0/24 NAT mapping, which ended up blocking the internet while using a browser, but the shell was still able to access the internet. I have others if you want me to try those: 127.0.0.0/8, 10.0.0.0/8, and 10.0.0.0/24. Once again sorry, I'm not really familiar with networks in general so I really hope that made sense.
-
It's the actual VPN2 tunnel subnet you need to prevent NATing so that's the IP given to the VPN2 client when it connects.
Do you actually have 10.0.0.0/8 as an internal subnet? That's ludicrously huge if so.
That rule might be covering the VPN2 subnet and making this happen.
Steve
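A first-match model of the outbound NAT evaluation Steve is describing, as an added example that is not from the thread or from pfSense itself: it shows how an auto rule for 10.0.0.0/8 on the VPN1 interface swallows traffic from a VPN2 client, and how a "Do not NAT" rule placed ahead of it for the tunnel subnet stops that. The rule table, the 10.8.0.0/24 tunnel subnet and the field names are constructed for illustration.

```python
import ipaddress

# Constructed outbound NAT table modelled on the thread. pfSense walks
# outbound NAT rules top to bottom and the first match wins; a "Do not NAT"
# rule matches but performs no translation and stops further processing.
AUTO_RULES = [
    {"iface": "VPN1", "src": "192.168.1.0/24", "nonat": False},
    {"iface": "VPN1", "src": "127.0.0.0/8",    "nonat": False},
    {"iface": "VPN1", "src": "10.0.0.0/8",     "nonat": False},
    {"iface": "VPN1", "src": "10.0.0.0/24",    "nonat": False},
]

VPN2_TUNNEL = "10.8.0.0/24"   # assumed subnet handed to VPN2 clients


def first_match(rules, iface, src_ip):
    """Return the first rule whose interface and source match, or None."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["iface"] == iface and ip in ipaddress.ip_network(rule["src"]):
            return rule
    return None


def will_nat(rules, iface, src_ip):
    """True if traffic from src_ip leaving iface would be translated."""
    rule = first_match(rules, iface, src_ip)
    return rule is not None and not rule["nonat"]


def translating_rules_over(rules, subnet):
    """Audit: every translating rule whose source range contains subnet,
    regardless of order. A hit here is the rule that needs a no-NAT entry
    above it (or tightening, if the range is just too broad)."""
    net = ipaddress.ip_network(subnet)
    return [r for r in rules
            if not r["nonat"]
            and net.subnet_of(ipaddress.ip_network(r["src"]))]


def with_nonat(rules, iface, subnet):
    """Return a copy of rules with a 'Do not NAT' entry for subnet on top."""
    return [{"iface": iface, "src": subnet, "nonat": True}] + list(rules)


if __name__ == "__main__":
    client = "10.8.0.2"  # a VPN2 client address inside the tunnel subnet
    print("auto rules NAT the VPN2 client:", will_nat(AUTO_RULES, "VPN1", client))
    print("covering rules:", [r["src"] for r in translating_rules_over(AUTO_RULES, VPN2_TUNNEL)])
    fixed = with_nonat(AUTO_RULES, "VPN1", VPN2_TUNNEL)
    print("after no-NAT rule:", will_nat(fixed, "VPN1", client))
```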
-
@stephenw10 said in Shell Bypassing Firewall Rules:
It's the actual VPN2 tunnel subnet you need to prevent NATing so that's the IP given to the VPN2 client when it connects.
Do you actually have 10.0.0.0/8 as an internal subnet? That's ludicrously huge if so.
That rule might be covering the VPN2 subnet and making this happen.
Steve
AH HA! It worked! Thanks for all the help! Also yeah, I have auto rules/mappings for 10.0.0.0/8 and 10.0.0.0/24, ended up setting both of them to "Do not NAT" because I didn't know which one to set it on. Also any idea why I have that set and is it a bad thing or something? Oh and lastly, what exactly does "Do not NAT" do? I've tried looking it up but it got a bit confusing... >.<
-
10.0.0.0/8 is probably wrong unless you have a number of subnets that are inside that as internal networks. If you're not using any 10.x.x.x subnets then you don't need those at all. Remember they might be VPN tunnel subnets which you might need to NAT for internet access.
Steve
-
@stephenw10 said in Shell Bypassing Firewall Rules:
10.0.0.0/8 is probably wrong unless you have a number of subnets that are inside that as internal networks. If you're not using any 10.x.x.x subnets then you don't need those at all. Remember they might be VPN tunnel subnets which you might need to NAT for internet access.
Steve
Ah, and sorry for the delayed response. Think I'll just leave them, doesn't seem to hurt anything if I do. Also thanks for all the help, really appreciate it! :D ^.^