I have had L2TP configured for vpn remote access for a while. I recently started configuring an openVPN connection with vtun0. I have successfully configured policy based rules to limit the traffic that goes out vtun0. My problem is if vtun0 is enabled, I can no longer access my network remotely with L2TP. My configuration is below. What am I missing.
Thanks
firewall {
all-ping enable
broadcast-ping disable
group {
address-group Shodan {
address 208.180.20.97
address 198.20.69.74
address 198.20.69.98
address 198.20.70.114
address 198.20.99.130
address 93.120.27.62
address 66.240.236.119
address 71.6.135.131
address 66.240.192.138
address 71.6.167.142
address 82.221.105.6
address 82.221.105.7
address 71.6.165.200
address 188.138.9.50
address 85.25.103.50
address 85.25.43.94
address 71.6.146.185
address 71.6.158.166
address 198.20.87.98
address 66.240.219.146
address 209.126.110.38
address 104.236.198.48
address 184.105.247.196
address 141.212.122.112
address 125.237.220.106
address 192.81.128.37
address 74.82.47.2
address 216.218.206.66
address 37.187.114.171
address 184.105.139.67
address 54.81.158.232
address 141.212.122.144
address 141.212.122.128
address 54.206.70.29
description "Shodan and other scanners"
}
network-group BOGONS {
description BOGONS
network 10.0.0.0/8
network 100.64.0.0/10
network 127.0.0.0/8
network 169.254.0.0/16
network 172.16.0.0/12
network 192.0.0.0/24
network 192.0.2.0/24
network 192.168.0.0/16
network 198.18.0.0/15
network 198.51.100.0/24
network 203.0.113.0/24
network 224.0.0.0/3
}
network-group Blocklist {
description "Block scanners by CIDR"
network 74.82.47.0/24
network 184.105.139.0/24
network 184.105.247.0/24
network 216.218.206.0/24
network 185.35.62.0/24
network 185.35.63.0/24
}
network-group PROTECTED_NETWORKS {
description "RFC1918 ranges"
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
modify SOURCE_ROUTE {
rule 10 {
action modify
description "Traffic from Internal to WAN"
modify {
table 1
}
source {
address 10.10.10.0/24
}
}
rule 20 {
action modify
description "Traffic from VLAN 200 to openVPN"
modify {
table 2
}
source {
address 10.10.20.0/24
}
}
rule 30 {
action modify
description "Traffic from L2TP to WAN"
modify {
table 1
}
source {
address 172.10.10.0/24
}
}
}
name GUEST_IN {
default-action accept
description "guest to lan/wan"
rule 20 {
action drop
description "drop guest to lan"
destination {
group {
network-group PROTECTED_NETWORKS
}
}
protocol all
}
}
name GUEST_LOCAL {
default-action drop
description "guest to router"
rule 10 {
action accept
description dns
destination {
port 53
}
log disable
protocol tcp_udp
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action drop
description "Drop BOGONS"
log enable
protocol all
source {
group {
network-group BOGONS
}
}
}
rule 40 {
action drop
description "Blocklisted CIDRs"
log enable
protocol all
source {
group {
network-group Blocklist
}
}
}
rule 50 {
action drop
description "Drop Shodan scanners"
log enable
protocol all
source {
group {
address-group Shodan
}
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description ike
destination {
port 500
}
log disable
protocol udp
}
rule 40 {
action accept
description esp
log disable
protocol esp
}
rule 50 {
action accept
description nat-t
destination {
port 4500
}
log disable
protocol udp
}
rule 60 {
action accept
description l2tp
destination {
port 1701
}
ipsec {
match-ipsec
}
log enable
protocol udp
}
rule 70 {
action drop
description "Drop Shodan scanners"
log enable
protocol all
source {
group {
address-group Shodan
}
}
}
rule 80 {
action drop
description "Drop BOGONS"
log enable
protocol all
source {
group {
network-group BOGONS
}
}
}
rule 90 {
action drop
description "Blocklisted CIDRs"
log enable
protocol all
source {
group {
network-group Blocklist
}
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 172.83.240.203/27
description !Internet
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
address 10.0.0.1/24
description "aLittleStrange - Downlink"
duplex auto
firewall {
in {
modify SOURCE_ROUTE
}
}
ip {
ospf {
dead-interval 40
hello-interval 10
priority 1
retransmit-interval 5
transmit-delay 1
}
}
speed auto
}
ethernet eth2 {
description Local
disable
duplex auto
speed auto
}
ethernet eth3 {
description Local
disable
duplex auto
speed auto
}
ethernet eth4 {
description Local
disable
duplex auto
speed auto
}
loopback lo {
}
openvpn vtun0 {
config-file /config/auth/PrivatVPN.ovpn
}
switch switch0 {
mtu 1500
switch-port {
vlan-aware disable
}
}
}
service {
dns {
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5000 {
description "masquerade for openvpn"
destination {
}
log disable
outbound-interface vtun0
protocol all
source {
}
type masquerade
}
rule 5001 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
}
snmp {
community public {
authorization ro
}
contact "Bobby Shea"
location aLittleStrange
}
ssh {
port 22
protocol-version v2
}
ubnt-discover {
disable
}
unms {
connection wss://unms.alittlestrange.home:443+THEXGVKFmDHYZkpeej0NeYbalpP4iDCQaYSGEWGIIgkAAAAA+allowUntrustedCertificate
}
}
system {
domain-name alittlestrange.home
flow-accounting {
disable-memory-table
ingress-capture post-dnat
interface eth0
netflow {
enable-egress {
engine-id 1
}
engine-id 0
server 10.10.10.118 {
port 2055
}
timeout {
expiry-interval 60
flow-generic 60
icmp 60
max-active-life 60
tcp-fin 10
tcp-generic 60
tcp-rst 10
udp 60
}
version 9
}
syslog-facility daemon
}
gateway-address 172.83.240.193
host-name aLittleStrange-Outbound
login {
user bobby {
authentication {
encrypted-password ****************
}
level admin
}
}
name-server 10.10.10.116
name-server 10.10.10.2
name-server 8.8.8.8
name-server 8.8.4.4
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat enable
ipsec disable
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/Denver
traffic-analysis {
dpi enable
export enable
}
}
vpn {
ipsec {
auto-firewall-nat-exclude disable
ipsec-interfaces {
interface eth0
}
}
l2tp {
remote-access {
authentication {
local-users {
username bobby {
password ****************
}
}
mode local
}
client-ip-pool {
start 172.10.10.5
stop 172.10.10.15
}
dns-servers {
server-1 10.10.10.116
server-2 10.10.10.2
}
idle 1800
ipsec-settings {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
ike-lifetime 3600
lifetime 3600
}
outside-address 172.83.240.203
}
}
}