Two Network Problems

[thomas]

Hello
My first (and most important) problem is the vpn connections. I have multiple ADSL lines and I forward a specific port on each of them in my internal ebox router 's port of openvpn server.
When I first setup the vpn server, all worked fine. After that I added the second ADSL line and then the problems began. When I added the third line the problems became bigger. I have setup the mutliple gateway procedures (with weights) and make the one gateway the default gateway. I tried a lot of things but I can't have a stable connection with vpn server. I connect after a lot of retries and when I finally connect I loose the connection (vpn connection failed) after a few minutes.
I tried to forward different ports on the external lines to the same port in the internal ebox router, and I tried to forward the same ports with no luck

My topology

Code: [Select]

                                          -------------

10.10.a.101 ---------|                    |           |-----eth1----10.10.x.0/24

                     |                    |           |-----eth2----10.10.y.0/24

10.10.a.102 ---------|------------ eth5---|           |-----eth0----10.10.z.0/24

                     |                    |   ebox    |-----eth3----10.10.m.0/24

10.10.a.103 ---------|                    |           |-----eth4----10.10.n.0/24

                                          -------------

The second problem has to do with the virtual interfaces. In the external interface when I add a second ip, I cannot connect to the second lan. Specificall my primary ip is 10.10.a.1 and I add the 192.168.a.1. I can still reach clients (ADSL modems) in the 10.10.a.0/24 network, but I cannot even ping clients in the 192.168.a.0/24 networks.

Thx in advance

[thomas]

Third problem - suggestion:
Is it possible to have gui for the vpn trunks in the firewall module?
Is the vpn considered internal or external?

[sixstone]

There was a bug with multigateway configuration, update your ebox-network package to see whether it helps you to solve your issues.

Regarding to your question, VPN interfaces are considered internal.

Best regards,

[thomas]

ok. thx
I understand that vpn is internal, but is there a way to use this 'interface'?
(just like eth0, eth1 etc)

[thomas]

One more.
Is it possible to route through external interface and not do NAT by default? I think that this is possible if I uncheck the external check box in my current external interface, but I am not sure if this is the right way
thx again

[sixstone]

Is it possible to route through external interface and not do NAT by default? I think that this is possible if I uncheck the external check box in my current external interface, but I am not sure if this is the right way

Yes, it is possible. If you modify in /etc/ebox/80firewall.conf the nat_enabled to no, then all your external interfaces will not do NAT.

I understand that vpn is internal, but is there a way to use this 'interface'?
(just like eth0, eth1 etc)

I'm afraid to tell you that current only way is to set the private network as destination/source.

Cheers,

[thomas]

thx.

After a while of using ebox, the only disadvantage for me is the configuration files.
If we edit them by hand, the changes are lost after a modification through the gui.

I would suggest to follow the freepbx 'road'. They have configuration files that "include" custom users' configuration files.

Anyway. This is not the appropriate forum.

Thanx again

[thomas]

I think that there is a mistake about vpn. Even though you say that the vpn is an internal network, ebox considers it as external. Tell me if I am wrong but I must explicit set a rule to firewall in the section 'From External Networks To Internal Networks' to have access to internal lan.
I cannot even ssh to anyone in the internal network from any vpn client if I do not set a rule in the previous section.

[thomas]

I am sure for the above. The vpn network is considered as 'External' network in ebox. I had to add rules to access samba shares, ssh, httpd etc in the section "Filtering rules from external networks to internal networks".
I think that there is a security problem we are forced to add rules to this section to have internal access from the vpn network.

[thomas]

Another problem regarding vpn.
I would like ebox to do another one thing based on the below scematic:

mynet <-> VPN <-> EBOX server <-> EBOX nets

How can I add a static route to EBOX server for mynet?
I need this for the Sip protocol, which 'speaks' directly' to mynet's devices

[robaq]

I am sure for the above. The vpn network is considered as 'External' network in ebox. I had to add rules to access samba shares, ssh, httpd etc in the section "Filtering rules from external networks to internal networks".
I think that there is a security problem we are forced to add rules to this section to have internal access from the vpn network.

Hi thomas,

You are not right, the VPN is considered as internal network.
You should use the second option in firewall configuration called "Filtering rules for internal networks"

Try to add the following rule and you will get it working properly:
Source: any; Destination: any; service: any

If it works for you then change this rule to be more restricted.

[thomas]

I have already tried it. And it didn't work.
After playing a lot with the firewall, I discovered that only if I consider (in my mind) the VPN as external, and if I add the appropriate rules (as I described before) I would have access to my server.
I am sure for what I said before.
I know that this is very strange, but this is what I have to do to access my network through ebox's VPN

[robaq]

How many VPN servers do you have?

[thomas]

Only the ebox's vpn, in front of my network
The ebox machine is acting as router and as a vpn server

[robaq]

You didn't understand me.

If you enter the VPN section you see "List of servers"
What I want to know is how many VPN servers do you have in the table below the "List of servers"?

Maybe I'm wrong but I think that you should configure VPN server for each ADSL line separately (using different UDP ports).