Two Network Problems

[thomas]

I did understand you.
I have only one VPN server in the "List of servers" of the gateway machine, and 3 ADSL lines.
The thing is, that when I did my tests, I had only one ADSL line, and the firewall was fully opened.
So believe me, I did all the tests I could imagine.
I am pretty sure that, for some other reason, my VPN is considered as external to my network.

Now I have 3 ADSL lines, and in each one I forward a different port (x,y,z), to the same port on the ebox's external interface (z)
All works but I have to consider the VPN as external network.
It's functional (and pretty secure as I submit the source network in the firewall), but This is very very strange.

[Sam Graf]

That is strange. I have absolutely no rules in "Filtering rules from external networks to internal networks" and have no problems with eBox-to-eBox VPN. (I have had to play with internal network rules to get some things working as expected, but I have not, so far, experienced a case where eBox acts as if the VPN interface is external.) I can't think of what I might be doing differently.

I have no eBoxes with multiple ADSL connections so have no experience relevant to eBox VPNs there.

[thomas]

I think that we are talking for different things.
I am talking about a client to Vpn connection and not for an eBOX to eBOX vpn connection.
I connect my client outside of the ADSL modems to the ebox's VPN server which is behind the ADSL modems.
I have never tried the ebox to ebox VPN.
Anyway. Thx for your replies.

[Sam Graf]

Ah, sorry.

In my case, however, there is no difference between the basic way an eBox-to-eBox VPN and a road warrior VPN works when it comes to firewall rules. Both work with no rules, as I mentioned above, in "Filtering rules from external networks to internal networks." They are, of course, different VPN servers and different interfaces (on the same machine), but not entirely different sets of firewall rules.

[Javier Amor Garcia]

Which address are you using to access samba, mail, etc.. services?. The VPN interface address?.
You must use a internal interface address instead of the VPN address, so you will use the same rules that other internal connections.

[thomas]

As I described in another post, I have servers with different Ip Addresses, in different internal (using the ebox's logic) networks.
I have only one external Interface and 5 internal interfaces. My servers are in the internal interfaces.

[Javier Amor Garcia]

Thomas,
 have you tried to make your vpn server to list in only one interface?. Maybe this will solve your problems with multiples lines. If it works in one interface and you need to listen on another ones you could make multiple servers, one for each interface. I know this is not optimal but it could work.

For the firewall thing the VPN is intended only as a access medium to the advertised networks, so you have to try to connect to the advertised networks addresses not the VPN addresses. The firewall rules to be applied depends on whether the advertised network itself is external or internal.

[thomas]

In the beginning I had my vpn listen on the (one) external interface and I forwarded traffic only from one (1) adsl router.
The same happened that time. The same things happen now that I forward traffic from 3 adsl routers.

I have advertised all my internal networks (5) and the one external.
Do you mean that If I (and I do) advertise (among the other internal networks ) and the external one, then my vpn connection will be treaded as external
Do you mean that I mustn't advertise the external network?