Route external OpenVPN IP(s) to DMZ



  • Hello,

    I already posted this question in the German support forum, but I haven't been able to solve the problem yet. We are using an external VPN provider to get one (later multiple) static IPv4 addresses. We configured the connection as an OpenVPN client and this is working absolutely fine. The connection is working and we created a new interface "PTYOPENVPN" so that we can route the traffic to a host in our DMZ network. What we have done so far:

    Configured a 1:1 NAT for the external VPN IP:

    Configured the firewall rules for the new interface:

    (192.168.1.5 is the host in the DMZ network)

    Configured the DMZ rules so that the traffic from 192.168.1.5 goes through the VPN-Gateway address:

    The DMZ-host 192.168.1.5 is now using the external VPN-IP for outgoing connections. But the trouble begins with incoming connections to the VPN-IP: the packets go through the firewall and reach the DMZ-host, the host responds, but this packet never goes through the VPN connection.

    Packet capture of an ICMP request, PTYOPENVPN interface:

    
    14:16:26.260278 IP 91.X.X.X > 46.X.X.X: ICMP echo request, id 3064, seq 1, length 64
    14:16:26.286193 IP 87.X.X.X > 46.X.X.X: ICMP host 91.X.X.X unreachable - admin prohibited filter, length 36
    14:16:27.298591 IP 91.X.X.X > 46.X.X.X: ICMP echo request, id 3064, seq 2, length 64
    14:16:27.364441 IP 87.X.X.X > 46.X.X.X: ICMP host 91.X.X.X unreachable - admin prohibited filter, length 36
    
    

    Packet capture of an ICMP request, DMZ interface:

    
    14:15:07.886133 IP 91.X.X.X > 192.168.1.5: ICMP echo request, id 3058, seq 1, length 64
    14:15:07.886515 IP 192.168.1.5 > 91.X.X.X: ICMP echo reply, id 3058, seq 1, length 64
    14:15:07.912525 IP 87.X.X.X > 192.168.1.5: ICMP host 91.X.X.X unreachable - admin prohibited filter, length 36
    14:15:08.921498 IP 91.X.X.X > 192.168.1.5: ICMP echo request, id 3058, seq 2, length 64
    14:15:08.921893 IP 192.168.1.5 > 91.X.X.X: ICMP echo reply, id 3058, seq 2, length 64
    14:15:08.981996 IP 87.X.X.X > 192.168.1.5: ICMP host 91.X.X.X unreachable - admin prohibited filter, length 36
    
    

    tcpdump on DMZ-Host:

    
    15:36:25.208405 IP 91.X.X.X > 192.168.1.5: ICMP echo request, id 3917, seq 631, length 64
    15:36:25.208724 IP 192.168.1.5 > 91.X.X.X: ICMP echo reply, id 3917, seq 631, length 64
    15:36:26.020968 IP 91.X.X.X > 192.168.1.5: ICMP echo request, id 3982, seq 358, length 64
    15:36:26.021333 IP 192.168.1.5 > 91.X.X.X: ICMP echo reply, id 3982, seq 358, length 64
    15:36:26.047909 IP 87.X.X.X > 192.168.1.5: ICMP host 91.X.X.X unreachable - admin prohibited filter, length 36
    
    

    91.X.X.X: external Host which starts the ping
    192.168.1.5: Internal DMZ-Host
    46.X.X.X: static VPN-IP
    87.X.X.X: seems to be the next hop (router) from our provider, connected on WAN interface

    We never got packets from 46.X.X.X back to 91.X.X.X through the VPN interface. I already searched the forum for similar problems, but I only found topics related to using the VPN tunnel for all (or part of) the LAN/DMZ network, which is already working for us. What I'm trying to do (easy example):

    Request:
    External Host -> Port 80 on static VPN-IP -> Port 80 on DMZ-Host 192.168.1.X
    Response:
    DMZ-Host Reply -> VPN -> External Host

    I guess that I only need to change some of the existing configuration - any help would be greatly appreciated :-)

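A diagnostic for the situation described in this post, as an added example that is not part of the original post and not pfSense code: it parses the tcpdump lines from the VPN-side and DMZ-side captures, counts inbound requests and outbound replies per interface, and reports when replies were generated by the DMZ host but never left through the VPN interface while the WAN next hop answered with "admin prohibited filter". The "broken" sample lines are the captures quoted above, reused as constructed test data; the "healthy" sample, the function names and the verdict strings are assumptions of this example.

```python
"""Correlate per-interface tcpdump captures to spot an asymmetric return path.

Added example for this thread, not the poster's configuration and not pfSense
code. Function names, the verdict strings and the "healthy" sample are
assumptions; the "broken" samples reuse the lines quoted in the post.
"""
import re

# Shapes of the tcpdump ICMP lines quoted in the post.
_HDR = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP (?P<rest>.*)$")
_ECHO = re.compile(r"^echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")
_UNREACH = re.compile(r"^host (?P<target>\S+) unreachable - (?P<reason>.+), length \d+$")


def parse_line(line):
    """Parse one ICMP echo or host-unreachable tcpdump line; None for anything else."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "src": m["src"], "dst": m["dst"]}
    e = _ECHO.match(m["rest"])
    if e:
        rec.update(type=e["kind"], id=int(e["id"]), seq=int(e["seq"]))
        return rec
    u = _UNREACH.match(m["rest"])
    if u:
        rec.update(type="unreachable", target=u["target"], reason=u["reason"])
        return rec
    return None


def summarize(lines, local_ip, next_hop):
    """Per-interface counts: requests addressed to local_ip, replies sourced from
    local_ip, and unreachables emitted by next_hop (the upstream router)."""
    s = {"requests_in": 0, "replies_out": 0, "unreachable_from_next_hop": 0, "reasons": set()}
    for rec in filter(None, map(parse_line, lines)):
        if rec["type"] == "request" and rec["dst"] == local_ip:
            s["requests_in"] += 1
        elif rec["type"] == "reply" and rec["src"] == local_ip:
            s["replies_out"] += 1
        elif rec["type"] == "unreachable" and rec["src"] == next_hop:
            s["unreachable_from_next_hop"] += 1
            s["reasons"].add(rec["reason"])
    return s


def diagnose(vpn_lines, dmz_lines, vpn_ip, dmz_host, wan_next_hop):
    """Compare what the VPN-side and DMZ-side captures saw and name the failure mode.

    Because of the 1:1 NAT the same flow appears as dst=vpn_ip on the VPN
    interface and dst=dmz_host on the DMZ interface, so each side is
    summarized against its own local address."""
    vpn = summarize(vpn_lines, vpn_ip, wan_next_hop)
    dmz = summarize(dmz_lines, dmz_host, wan_next_hop)
    unreach = vpn["unreachable_from_next_hop"] + dmz["unreachable_from_next_hop"]
    asymmetric = False
    if dmz["requests_in"] and not dmz["replies_out"]:
        verdict = "dmz host never answered: check the host's own firewall or service"
    elif dmz["replies_out"] and vpn["replies_out"]:
        verdict = "return path ok: replies leave through the VPN interface"
    elif dmz["replies_out"] and not vpn["replies_out"] and unreach:
        asymmetric = True
        reasons = ", ".join(sorted(vpn["reasons"] | dmz["reasons"]))
        verdict = (f"asymmetric routing: {dmz['replies_out']} replies from {dmz_host} were "
                   f"generated but none left through the VPN interface, and {wan_next_hop} "
                   f"rejected them ({reasons}); the return traffic is following the default "
                   "route out WAN instead of the interface the request came in on")
    else:
        verdict = "inconclusive: no replies and no rejections seen"
    return {"asymmetric": asymmetric, "verdict": verdict, "vpn": vpn, "dmz": dmz,
            "unreachable_from_next_hop": unreach}


# Constructed samples: the "broken" ones are the captures quoted in the post.
BROKEN_VPN = [
    "14:16:26.260278 IP 91.X.X.X > 46.X.X.X: ICMP echo request, id 3064, seq 1, length 64",
    "14:16:26.286193 IP 87.X.X.X > 46.X.X.X: ICMP host 91.X.X.X unreachable - admin prohibited filter, length 36",
    "14:16:27.298591 IP 91.X.X.X > 46.X.X.X: ICMP echo request, id 3064, seq 2, length 64",
    "14:16:27.364441 IP 87.X.X.X > 46.X.X.X: ICMP host 91.X.X.X unreachable - admin prohibited filter, length 36",
]
BROKEN_DMZ = [
    "14:15:07.886133 IP 91.X.X.X > 192.168.1.5: ICMP echo request, id 3058, seq 1, length 64",
    "14:15:07.886515 IP 192.168.1.5 > 91.X.X.X: ICMP echo reply, id 3058, seq 1, length 64",
    "14:15:07.912525 IP 87.X.X.X > 192.168.1.5: ICMP host 91.X.X.X unreachable - admin prohibited filter, length 36",
    "14:15:08.921498 IP 91.X.X.X > 192.168.1.5: ICMP echo request, id 3058, seq 2, length 64",
    "14:15:08.921893 IP 192.168.1.5 > 91.X.X.X: ICMP echo reply, id 3058, seq 2, length 64",
    "14:15:08.981996 IP 87.X.X.X > 192.168.1.5: ICMP host 91.X.X.X unreachable - admin prohibited filter, length 36",
]
# Assumed "healthy" capture: the reply is seen leaving the VPN interface with the VPN IP as source.
HEALTHY_VPN = [
    "14:20:00.000000 IP 91.X.X.X > 46.X.X.X: ICMP echo request, id 4000, seq 1, length 64",
    "14:20:00.000400 IP 46.X.X.X > 91.X.X.X: ICMP echo reply, id 4000, seq 1, length 64",
]
HEALTHY_DMZ = [
    "14:20:00.000100 IP 91.X.X.X > 192.168.1.5: ICMP echo request, id 4000, seq 1, length 64",
    "14:20:00.000300 IP 192.168.1.5 > 91.X.X.X: ICMP echo reply, id 4000, seq 1, length 64",
]

if __name__ == "__main__":
    for label, vpn, dmz in (("broken", BROKEN_VPN, BROKEN_DMZ), ("healthy", HEALTHY_VPN, HEALTHY_DMZ)):
        print(label, "->", diagnose(vpn, dmz, "46.X.X.X", "192.168.1.5", "87.X.X.X")["verdict"])
```

The point of splitting the summary per interface is that a 1:1 NAT rewrites the address of the same flow on each side, so "replies_out" on the DMZ side counts packets sourced from the internal host, while on the VPN side it counts packets sourced from the external VPN IP; a reply that shows up in the first count but never in the second has been handed to the wrong outbound path by the firewall, which is exactly what the upstream router's "admin prohibited filter" rejection confirms.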


  • Did you ever get this working?  This is incredibly similar to something I'm looking to do and have not had much luck with it.

