Hello,
Hoping something can spot the error I've made in my config as I can't see it.
So what is happening is I've setup l2tp vpn with radius auth on the edgemax pro8 and clients can connect and auth via the radius but can't acess anything on the lan side. They can ping the router ( 10.0.0.1 ) but nothing else.
I've noticed on a client's ipconfig they have a blank gateway and subnet mask of 255.255.255.255
Thanks
firewall {
all-ping enable
broadcast-ping disable
group {
address-group FREEPBX_Media {
address 54.172.60.0/23
address 54.244.51.0/24
address 54.171.127.192/26
address 54.65.63.192/26
address 54.169.127.128/26
address 54.252.254.64/26
address 177.71.206.192/26
description ""
}
address-group FREEPBX_SIP {
address 54.172.60.0/30
address 54.244.51.0/30
address 54.171.127.192/30
address 54.65.63.192/30
address 54.169.127.128/30
address 54.252.254.64/30
address 177.71.206.192/30
description ""
}
network-group PRIVATE_NETS {
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
port-group SRCDS_Servers {
description ""
port 25030
port 25035
port 25040
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
modify balance {
rule 10 {
action modify
description "do NOT load balance lan to lan"
destination {
group {
network-group PRIVATE_NETS
}
}
modify {
table main
}
}
rule 20 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth0
}
}
modify {
table main
}
}
rule 30 {
action modify
description "do NOT load balance destination public address"
destination {
group {
address-group ADDRv4_eth1
}
}
modify {
table main
}
}
rule 100 {
action modify
modify {
lb-group G
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
log disable
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
log enable
state {
invalid enable
}
}
rule 30 {
action accept
description "FreePBX SIP"
destination {
port 5060
}
log disable
protocol tcp_udp
source {
group {
address-group FREEPBX_SIP
}
}
state {
established enable
invalid disable
new enable
related enable
}
}
rule 40 {
action accept
description "FreePBX Media"
destination {
port 10000-20000
}
log disable
protocol tcp_udp
source {
group {
address-group FREEPBX_Media
}
}
state {
established enable
invalid disable
new enable
related enable
}
}
rule 70 {
action accept
description "SRCDS Servers"
destination {
group {
port-group SRCDS_Servers
}
}
log disable
protocol tcp_udp
source {
}
state {
established enable
invalid disable
new enable
related enable
}
}
rule 80 {
action accept
description Synergy
destination {
port 27020
}
log disable
protocol tcp_udp
source {
}
state {
established enable
invalid disable
new enable
related enable
}
}
rule 90 {
action accept
description DMR
destination {
port 50000-50003
}
log disable
protocol tcp_udp
state {
established enable
invalid disable
new enable
related enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 21 {
action accept
description L2TP
destination {
port 500,1701,4500
}
log disable
protocol udp
}
rule 22 {
action accept
description ESP
log disable
protocol esp
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description ISP1
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address 192.168.2.2/24
description ISP2
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth2 {
address 10.0.0.1/24
description Switch
duplex auto
firewall {
in {
modify balance
}
}
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
ethernet eth5 {
duplex auto
speed auto
}
ethernet eth6 {
duplex auto
speed auto
}
ethernet eth7 {
duplex auto
speed auto
}
loopback lo {
}
}
load-balance {
group G {
interface eth0 {
}
interface eth1 {
failover-only
}
lb-local enable
}
}
port-forward {
auto-firewall disable
hairpin-nat enable
lan-interface eth2
rule 1 {
description "Rifle Mod 25030"
forward-to {
address 10.0.0.8
port 25030
}
original-port 25030
protocol tcp_udp
}
rule 2 {
description "Rifle Mod 25035"
forward-to {
address 10.0.0.8
port 25035
}
original-port 25035
protocol tcp_udp
}
rule 3 {
description "Rifle Mod 25040"
forward-to {
address 10.0.0.8
port 25040
}
original-port 25040
protocol tcp_udp
}
rule 4 {
description Synergy
forward-to {
address 10.0.0.30
port 27020
}
original-port 27020
protocol tcp_udp
}
rule 5 {
description "FreePBX Media"
forward-to {
address 10.0.0.4
port 10000-20000
}
original-port 10000-20000
protocol tcp_udp
}
rule 6 {
description "DMR Repeater"
forward-to {
address 10.0.0.80
port 50000-50003
}
original-port 50000-50003
protocol tcp_udp
}
rule 7 {
description "FreePBX SIP"
forward-to {
address 10.0.0.4
port 5060
}
original-port 5060
protocol tcp_udp
}
wan-interface eth0
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN2 {
authoritative disable
subnet 10.0.0.0/24 {
default-router 10.0.0.1
dns-server 10.0.0.2
dns-server 8.8.8.8
lease 86400
start 10.0.0.10 {
stop 10.0.0.199
}
static-mapping BASEMENT {
ip-address 10.0.0.10
mac-address XXXXXXXXXXXXX
}
tftp-server-name 10.0.0.4
}
}
use-dnsmasq disable
}
dns {
dynamic {
interface eth0 {
service zoneedit {
host-name mydomain.ca
host-name www.mydomain.ca
host-name vpn.mydomain.ca
host-name home.mydomain.ca
login username
password "password"
}
}
}
forwarding {
cache-size 150
listen-on eth2
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5000 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
rule 5002 {
description "masquerade for WAN 2"
outbound-interface eth1
type masquerade
}
rule 5003 {
description ISP2Modem
destination {
address 192.168.2.0/24
}
log disable
outbound-interface eth1
protocol all
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
conntrack {
expect-table-size 4096
hash-size 4096
table-size 32768
tcp {
half-open-connections 512
loose enable
max-retrans 3
}
}
host-name ubnt
vpn {
ipsec {
auto-firewall-nat-exclude enable
ipsec-interfaces {
interface eth0
}
nat-networks {
allowed-network 0.0.0.0/0 {
}
allowed-network 10.0.0.0/24 {
}
}
nat-traversal enable
}
l2tp {
remote-access {
authentication {
mode radius
radius-server 10.0.0.2 {
key somekey
}
}
client-ip-pool {
start 10.0.0.200
stop 10.0.0.250
}
dhcp-interface eth0
dns-servers {
server-1 10.0.0.2
server-2 8.8.8.8
}
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret somekey2
}
ike-lifetime 3600
}
mtu 1492
}
}
}