DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek 2860 Default Rule Block

05 Dec 2020 14:33 #1 by cwager990
Afternoon,

I am not sure if I have missed the point or if the firewall is behaving incorrectly.

I have LAN 1 configured with an IP of 10.0.0.1/255.255.255.0; this is assigned to VLAN 1 (Untagged), which connects to my switch on the Native VLAN.

I have a VPN Gateway connected to the same switch on the same Native VLAN with an IP of: 10.0.0.254/255.255.255.0

The VPN Gateway is connected to a different internet connection and has its own Public IP.

The VPN gateway is setup such that the VPN Clients get an IP Address from the 10.0.100.0/255.255.255.0 subnet.

I have set a static route in the Draytek that routes destination 10.0.100.0/255.255.255.0 via 10.0.0.254; no route is required the other way, as the VPN gateway is directly connected to the Native VLAN with 10.0.0.254/255.255.255.0.

The firewall on the Draytek is configured with Default Rule Block, and then I have a rule that says LAN > WAN | ANY | ANY | ANY | Pass Immediately.

I then have a rule that says LAN > LAN | ANY | ANY | ANY | Pass Immediately.

The issue is that traffic from 10.0.0.9 on the Native VLAN going to 10.0.100.2 is being blocked by the Default Rule Block.

I have confirmed that with Default Rule set to pass the traffic transits correctly, so the issue is definitely at the Draytek.

Have I missed the point somewhere?

Thanks
Chris


06 Dec 2020 01:16 #2 by hornbyp
Replied by hornbyp on topic Re: Draytek 2860 Default Rule Block

cwager990 wrote:
The issue is that traffic from 10.0.0.9 on the Native VLAN going to 10.0.100.2 is being blocked by the Default Rule Block.

I have confirmed that with Default Rule set to pass the traffic transits correctly, so the issue is definitely at the Draytek.

First off, you're not the first to struggle with the Default Block Rule - I gave in and set my own 'Default Blocks' within the 'Filter Set(s)'. It could be I don't understand it either :wink:

A couple of thoughts :-

Are you sure that in "Firewall >> General Setup" you have the 'Data Filter' set to [x] Enable and the 'Start Filter Set' configured correctly? (In other words, is your filter rule actually being invoked :?:)

If you configure a Syslog Daemon, you can use the [x] Syslog option in the Firewall to confirm which rules are firing (and what they are passing/blocking).

The client at 10.0.0.9/24 is presumably using the Vigor at 10.0.0.1 as its route to 10.0.100.0/24 - even though it could go directly via 10.0.0.254 (if I've drawn out your network correctly). I've always assumed that in such a situation, data coming back the other way is going to take a different route - and miss out the Vigor. If correct - then although possibly not your issue - it can't be 'healthy' :?:


06 Dec 2020 05:48 #3 by cwager990
Replied by cwager990 on topic Re: Draytek 2860 Default Rule Block

hornbyp wrote:
Are you sure that in "Firewall >> General Setup" you have the 'Data Filter' set to [x] Enable and the 'Start Filter Set' configured correctly? (In other words, is your filter rule actually being invoked :?:)

General Setup is below:

Then I have the default rule configured like this:

Then if we look at filter set 2, that's configured as follows:

Syslog below confirms my suspicion that the traffic in question is being blocked:

Further to that, the 2860's Firewall Diagnose confirms it's being blocked by the Default Block Rule, as below:

If I change this to default rule pass, you get the following from the Firewall Diagnose:

You then get the following Syslog, and traffic flows normally: when the VPN client at 10.0.100.2 pings 10.0.0.9 it receives the replies:

hornbyp wrote:
The client at 10.0.0.9/24 is presumably using the Vigor at 10.0.0.1 as its route to 10.0.100.0/24 - even though it could go directly via 10.0.0.254 (if I've drawn out your network correctly). I've always assumed that in such a situation, data coming back the other way is going to take a different route - and miss out the Vigor. If correct - then although possibly not your issue - it can't be 'healthy' :?:

I'm not quite sure you have got this, so I'll try and explain:

10.0.0.1 is the Draytek Vigor; this serves as the Gateway of Last Resort for the LAN subnet 10.0.0.0/24.

10.0.0.9 is a NAS that is sitting on the LAN network in Subnet 10.0.0.0/24, connected to SwitchPort 1 - NATIVE VLAN.

10.0.0.254 is an OpenVPN Box connected to SwitchPort 2 - NATIVE VLAN.

10.0.100.0/24 is the Remote IP Range, OpenVPN issues to the clients.

If I was to issue a ping command from the NAS at 10.0.0.9, it will first look in its own routing table; it will determine that it's A) not directly connected and B) it doesn't have a route to that destination, and as a result it will forward the traffic on to the Default Gateway, in this case 10.0.0.1 - the Vigor.

When that traffic hits the Vigor it will look in its routing table and determine it's not directly connected; however, it has a route to this destination via 10.0.0.254 and forwards the traffic upstream to the OpenVPN box, which in turn uses its routing table to forward it to the Client.

Now the reply to that ping transits differently:

The reply will first get sent back to the OpenVPN Box and will then get sent directly to 10.0.0.9 by the OpenVPN box, as the routing table on the OpenVPN Box knows it's directly connected to the 10.0.0.0/24 subnet.

This is healthy and perfectly normal behaviour.

For traffic going in the other direction the reverse is true, and also normal and healthy.


06 Dec 2020 20:50 #4 by hornbyp
Replied by hornbyp on topic Re: Draytek 2860 Default Rule Block

cwager990 wrote:
I'm not quite sure you have got this, so I'll try and explain

Thanks for taking the time to confirm the configuration. That is what I thought was happening...


Now the reply to that ping transits differently...


Yes, that's the bit I don't like :|

Otherwise, I think your Vigor firewall configuration is logical and correct. Perhaps it's just that Draytek see the logic slightly differently?

It could be that Rule 3 in Filter Set #2 doesn't fire, because it doesn't see it as a LAN > LAN operation? (It all happens on 10.0.0.0/24, as far as the Vigor is concerned.) If the Vigor had another LAN network configured, with an IP address on said network, I would say the rule would definitely be invoked. (I'm suggesting something along the lines of a new Network between the Vigor and the OpenVPN box. Maybe even plug the OpenVPN box directly into the Vigor?)

You could make the case that it should work as currently configured - but as it doesn't, I would expect the 2860 to be too long in the tooth to receive updates to functionality like that. I might be wrong though, you could always ask Draytek.

The only other thing I can suggest is to ditch the "Default Block" and add a new rule to the Filter Set instead, as in "Block if no further match".

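Added example (not from the thread, DrayTek or the OpenVPN project): a small longest-prefix-match route tracer over a constructed model of the topology cwager990 describes in #3, plus the separate Vigor-to-OpenVPN link hornbyp suggests in #4, showing which halves of the NAS-to-client conversation actually transit the Vigor in each case. The 10.0.1.0/30 link addresses and the OpenVPN box's tunnel-side address 10.0.100.1 are assumptions.

```python
import ipaddress

# Constructed model of the topology in the thread. Each device: (addresses, routing table);
# table entries are (prefix, next_hop), next_hop None = directly connected. The OpenVPN
# box's tunnel-side address 10.0.100.1 is an assumption; "wan" hops are out of scope.
AS_BUILT = {
    "nas":     (["10.0.0.9"],
                [("10.0.0.0/24", None), ("0.0.0.0/0", "10.0.0.1")]),
    "vigor":   (["10.0.0.1"],
                [("10.0.0.0/24", None), ("10.0.100.0/24", "10.0.0.254"), ("0.0.0.0/0", "wan")]),
    "openvpn": (["10.0.0.254", "10.0.100.1"],
                [("10.0.0.0/24", None), ("10.0.100.0/24", None), ("0.0.0.0/0", "wan")]),
    "client":  (["10.0.100.2"],
                [("10.0.100.0/24", None), ("0.0.0.0/0", "10.0.100.1")]),
}
# hornbyp's alternative: OpenVPN box on its own link to the Vigor (10.0.1.0/30, constructed
# addresses), so the LAN can reach it only through the Vigor.
TRANSIT = dict(AS_BUILT)
TRANSIT["vigor"] = (["10.0.0.1", "10.0.1.1"], [("10.0.0.0/24", None), ("10.0.1.0/30", None),
                                               ("10.0.100.0/24", "10.0.1.2"), ("0.0.0.0/0", "wan")])
TRANSIT["openvpn"] = (["10.0.1.2", "10.0.100.1"], [("10.0.1.0/30", None), ("10.0.100.0/24", None),
                                                   ("10.0.0.0/24", "10.0.1.1"), ("0.0.0.0/0", "wan")])

def next_hop(net, device, dst):
    """Longest-prefix-match lookup; returns the next-hop IP, or None if dst is directly connected."""
    best = None
    for prefix, nh in net[device][1]:
        n = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, nh)
    if best is None:
        raise LookupError(f"{device}: no route to {dst}")
    return best[1]

def trace(net, src_ip, dst_ip, max_hops=8):
    """List the devices a packet from src_ip to dst_ip traverses, source and destination included."""
    owner = {ip: dev for dev, (ips, _) in net.items() for ip in ips}
    path = [owner[src_ip]]
    for _ in range(max_hops):
        nh = next_hop(net, path[-1], dst_ip)
        step = dst_ip if nh is None else nh
        path.append(owner[step])  # KeyError here means the hop left the modelled network (e.g. "wan")
        if step == dst_ip:
            return path
    raise RuntimeError("routing loop or path too long")

def transit_symmetry(net, device, a_ip, b_ip):
    """(a->b passes through device, b->a passes through device); stateful inspection needs both."""
    fwd, rev = trace(net, a_ip, b_ip)[1:-1], trace(net, b_ip, a_ip)[1:-1]
    return device in fwd, device in rev
```

With the as-built tables the Vigor sees only the NAS-to-client half of the flow, which is the asymmetry hornbyp is uneasy about; with the transit link both halves pass through it, so a rule there can see the whole conversation.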