Why can't I access the Internet through my IPSec or SSL VPN?

Article #: KB-96

Product: Unified Threat Management

Version: Inverness onwards

Summary:

I am no longer able to access the Internet via my IPSec or SSL VPN after updating my Smoothwall to Inverness.

Problem:

Typically, VPNs are used to allow access to internal resources from remote locations. However, there are some cases where access to the Internet must be made through a VPN tunnel — for example, if you want remote users to go through the Firewall first when browsing to the Internet on remote networked devices.

Since upgrading the Smoothwall to the Inverness release, you may find that such users are blocked from accessing the Internet this way. Even ping commands may fail.

Solution:

Due to the extensive Firewall changes, an explicit rule must be added to allow access from the IPSec or SSL VPN interface to the external network.

  1. Go to Network > Firewall > Firewall rules.
  2. Create a firewall rule, noting the following:

       • Inbound interfaces — Select the interface that handles all your VPN traffic.
       • Outbound interfaces — Select the interface that externally-bound network traffic is routed through.

         Tip: If you have more than one external interface and want to route traffic through them all, choose All external interfaces here. This option is still valid even if only one external interface exists.

       • Action — From the drop-down list, select Accept.

         Tip: Firewall rules are applied in a top-down approach. Move this rule above any block rules you have in place.

The above creates a basic internal → external VPN rule. With the new consolidated firewall, you can also:

  • Specify the Source IP addresses to match traffic originating from those specified. Leave this parameter blank to match traffic coming from all IP addresses.
  • Specify the Destination IP addresses to which access is permitted. Leave this parameter blank to allow traffic to all IP addresses.
  • If using an IP address range or subnet for Source IP address or Destination IP address, you can exclude IP addresses in that range from matching the rule.
  • Specify the Services that matching traffic uses. Leave this parameter blank to match traffic using any service.
  • Specify the Applications (Apps) that are used by the matching network traffic. Leave this parameter blank to match traffic from any application.
  • Specify the user Groups that matching traffic originates from. Leave this parameter blank to match traffic from any group.
  • Choose whether to Log matching traffic to the Firewall log.
  • Choose whether to drop or reject (Action) all matching network traffic.
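
The following added example (not Smoothwall code) is a simplified Python model of top-down rule matching. It shows why the VPN accept rule must sit above block rules, and that an address excluded from a rule falls through to whatever rule comes next. The interface names, addresses, rule names and the default-drop behaviour are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str               # "accept", "drop" or "reject"
    in_if: str                # inbound interface, e.g. the VPN interface
    out_if: str               # outbound interface, e.g. the external one
    src: str = ""             # blank = match all source addresses
    dst: str = ""             # blank = match all destination addresses
    src_exclude: tuple = ()   # addresses carved out of the src range

    def matches(self, pkt):
        if (self.in_if, self.out_if) != (pkt["in_if"], pkt["out_if"]):
            return False
        s, d = ip_address(pkt["src"]), ip_address(pkt["dst"])
        if self.src and s not in ip_network(self.src):
            return False
        if any(s in ip_network(x) for x in self.src_exclude):
            return False      # excluded address: this rule does not apply
        if self.dst and d not in ip_network(self.dst):
            return False
        return True

def evaluate(rules, pkt, default="drop"):
    """Return (action, rule name) of the first matching rule, top-down."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "(no rule matched)"   # assumed behaviour with no explicit rule

# Constructed sample rules and packets (hypothetical names and addresses).
VPN_ACCEPT = Rule("vpn-to-internet", "accept", "vpn", "external",
                  src="10.8.0.0/24", src_exclude=("10.8.0.50",))
BLOCK = Rule("block-outbound", "drop", "vpn", "external")
CLIENT = {"in_if": "vpn", "out_if": "external",
          "src": "10.8.0.10", "dst": "203.0.113.7"}
EXCLUDED = dict(CLIENT, src="10.8.0.50")

if __name__ == "__main__":
    for label, rules, pkt in [("accept below block", [BLOCK, VPN_ACCEPT], CLIENT),
                              ("accept above block", [VPN_ACCEPT, BLOCK], CLIENT),
                              ("excluded address", [VPN_ACCEPT, BLOCK], EXCLUDED),
                              ("no rules at all", [], CLIENT)]:
        print(f"{label:20} -> {evaluate(rules, pkt)}")
```
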

For a detailed description of how to create and manage firewall rules, go to https://help.smoothwall.net/Inverness/Content/ui/admin/ipfilter/forward.htm.

Attribution:

Last updated: 24th March 2017

Author: Samantha Nair

Contributions by:

Copyright © 2000-2016 Smoothwall All rights reserved.