Traffic between two VPN networks
Hello All,
I am looking for some help on an issue with two VPN networks. In my current system layout I am unable to route traffic from the VPN user on 10.8.0.34 to the web server on the local LAN, 10.7.1.2. The VPN server, 10.8.0.1, can ping the 10.7.1.2 address fine, but the user cannot. I have tried everything and my brain is falling apart lol. The pf.conf for the first BSD OpenVPN box (10.8.0.1):

Code:
```pf
# Variables ########################
ext_if="sis0"   # Internet
srv_if="sis1"   # Server link
drc_if="sis2"   # DRAC link
vps_if="tun0"   # VPN interface that runs as server (for user connection)
vpc_if="tun1"   # VPN interface that runs as client (for server connection)
ovpn=1194

# Initial set up ########################
#set skip on lo
#scrub in

# Redirects & NAT ########################
# Redirect traffic over FSP VPN from FSP to the server
#rdr pass on $vps_if from any to any -> 192.168.1.2
#rdr pass on $vps_if from any to any -> 10.8.0.30
# NB: if the route to 10.7.1.2 points at $vpc_if (tun1), packets from
# 10.8.0.34 toward it never leave on tun0, so this nat-to does not apply to them.
pass out on tun0 from 10.8.0.34/32 to any nat-to 10.9.0.5

# Direct traffic over the FAD VPN from the server to the FADs network
# Posted as:  nat pass on $vpc_if from $vps_if:network to 10.8.254/0 -> $vpc_if
# That is pre-OpenBSD 4.7 translation syntax and cannot be loaded alongside
# nat-to, so it is written in the current form here. Two things to check:
# "/0" is a zero-bit mask and matches every destination, and on a
# point-to-point tun interface $vps_if:network may be only this box's own address.
match out on $vpc_if from $vps_if:network to 10.8.254/0 nat-to ($vpc_if)

# Direct telnet over FAD connection to DRAC
#rdr pass on $vpc_if proto tcp from any to any port 23 -> 192.168.2.2

# RULES ########################
#block all

# External Interface
# Allow VPN connection in
pass in on $ext_if proto udp from any to any port $ovpn
# Allow SSH in from Evidence Talks
#pass in on $ext_if proto tcp from $et to any port ssh
pass in on $ext_if proto tcp from any to any port ssh
# Allow all out
pass out on $ext_if all

# Server Interface
pass on $srv_if all
# DRAC Interface
pass on $drc_if all
# VPN Server interface
pass on $vps_if all
# VPN client interface
pass on $vpc_if all
```

Code:
```pf
# Second pf.conf: the box in front of the web server 10.7.1.2
## Configuration #####################
# Interfaces
ext_if="em0"   # Interface to internet
int_if="em1"   # Internal interface to network

# Ports
ovpn="1194"
rdp="3389"

# Port sets
allowed_web_server_ports="{" $rdp mysql "}"

# IPs
web_ip="10.7.1.2"           # Web server IP
web_ports="{ http https }"  # allowed ports on web server
# $etl_source_ips is referenced below but its definition was not included in
# the post; pfctl will not load the file until it is defined.

# RULES ########################
set skip on lo
#block all

# HTTP/S allowed and forwarded to web server
# Redirect HTTP/S to web server
pass in on $ext_if proto tcp from any to any port $web_ports rdr-to $web_ip

# Allow RDP and MySQL and redirect to web server - only from ETL
pass in on $ext_if proto tcp from $etl_source_ips to any port $allowed_web_server_ports rdr-to $web_ip

# NAT traffic from web server to internet
# Posted as:  pass out on $int_if from $web_ip to any nat-to $ext_if
# Packets from the web server arrive on $int_if and leave on $ext_if, so a
# rule for traffic going out on $int_if never sees them; the NAT belongs on $ext_if.
match out on $ext_if from $web_ip to any nat-to ($ext_if)

# Allow OpenVPN connections
pass in quick on $ext_if proto udp from any to any port $ovpn   # VPN

# Allow ssh connections from Evidence Talks
pass in on $ext_if proto tcp from $etl_source_ips to any port ssh

# Allow all out
pass out on $ext_if all

# Internal Interface - allow anything
pass on $int_if all
```

Last edited by J65nko; 28th January 2013 at 12:38 PM. Reason: [code] and [/code] tags ;)
Start simple
First try to get a simple ping working from the laptop to that web server. I never really used OpenVPN, so it will need some adjustments, but I hope you get the idea.

Code:
```pf
int_if = re0
ext_if = lo2           # just for testing on my single NIC machine
vpn_laptop = 10.8.0.34
www_server = 10.7.1.2

# --- default policy
# prevent pollution of our pflog0 with NTP packets
block quick inet proto udp from any to any port ntp
block log all

# --- EXTERNAL INTERFACE
# --- NAT rule
match out inet from ! egress to any nat-to egress
pass out quick on $ext_if tagged PING

# --- INTERNAL INTERFACE
# allow incoming SSH
pass in quick on $int_if inet proto tcp from $vpn_laptop to $int_if port ssh
# allow incoming ping and tag it!
pass in quick on $int_if inet proto icmp from $vpn_laptop to $www_server icmp-type echoreq tag PING
```

You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
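Putting the two posts together, here is an added example ruleset for the first box (10.8.0.1); it is not the thread's own config. It keeps J65nko's "block log all" plus tag/tagged approach and puts the source NAT for VPN users on the client tunnel, which is the interface their packets toward 10.7.1.2 actually leave on. Assumptions that the thread does not state: the VPN user pool is 10.8.0.0/24, the web server's LAN is 10.7.1.0/24, tun1 is the OpenVPN client link as in the original post, and the far end has no route back to 10.8.0.0/24 (the usual reason the server itself, which sources its pings from its own tunnel address, can reach 10.7.1.2 while its clients cannot).

```pf
# Added example for the first OpenBSD box (10.8.0.1); not the thread's own config.
# Assumed, not stated in the thread: VPN user pool 10.8.0.0/24, web server LAN
# 10.7.1.0/24, tun1 is the OpenVPN client link toward that LAN, and the far end
# has no route back to 10.8.0.0/24, so VPN-user traffic is source-NATed to this
# box's own tun1 address, which the far end can already reach.
# Forwarding between tun0 and tun1 also needs:  sysctl net.inet.ip.forwarding=1

ext_if  = "sis0"
vps_if  = "tun0"         # OpenVPN server side: VPN users connect here
vpc_if  = "tun1"         # OpenVPN client side: link toward the web server's LAN
ovpn    = "1194"
vpn_net = "10.8.0.0/24"  # assumed VPN user pool; deliberately not $vps_if:network,
                         # which on a point-to-point tun can be just this box's address
www_net = "10.7.1.0/24"  # assumed web server LAN
www_srv = "10.7.1.2"

set skip on lo

# Default deny, logged: anything that matches no pass rule below shows up in
#   tcpdump -n -e -ttt -i pflog0
block log all

# Source NAT has to sit on the interface the packets leave on. VPN-user traffic
# for the web LAN leaves on $vpc_if, so a nat-to on $vps_if never applies to it.
match out on $vpc_if inet from $vpn_net to $www_net nat-to ($vpc_if)

# OpenVPN server: accept tunnel setup from the Internet; this box may talk out.
pass in  quick on $ext_if inet proto udp from any to ($ext_if) port $ovpn
pass out quick on $ext_if

# Forwarded traffic: tag it on the way in from the VPN users and release it on
# the client tunnel only if it carries the tag.
pass in  quick on $vps_if inet proto icmp from $vpn_net to $www_net \
    icmp-type echoreq tag TO_WWW
pass in  quick on $vps_if inet proto tcp from $vpn_net to $www_srv \
    port { http https } tag TO_WWW
pass out quick on $vpc_if tagged TO_WWW

# This box's own traffic toward the web LAN (e.g. a test ping from 10.8.0.1).
pass out quick on $vpc_if inet from ($vpc_if) to $www_net
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. While the user pings 10.7.1.2, `pfctl -s state | grep 10.7.1.2` should show a state on tun1 whose source is the tun1 address with 10.8.0.34 in parentheses; if the ping still fails, `tcpdump -n -e -ttt -i pflog0` names the rule and interface that dropped the packet. The alternative to NAT is to give the far side a route for 10.8.0.0/24 through the tunnel (on an OpenVPN server that is a `route` in the server config plus an `iroute` in this client's ccd entry), after which the nat-to line can go. SSH and the poster's other interfaces are left out of this example.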
Thanks for the Help
Hey guys, thanks for the help on this.
I'm going to check the routing at some point tonight. And tcpdump has helped: I know it makes it down the tun0 adapter and is being passed to tun1 going out, but that's as far as I can trace it. I will digest and report.