Forum Discussion
Integration
Jul 30, 2015 (Aspirant)
VPN client access to DMZ systems on Netgear ProSafe SRX5308
Greetings, I have a Netgear ProSafe SRX5308 with the latest firmware at the present moment, 4.3.3-5. I have WAN 1 configured (let's say public IP 7.7.7.7) - it works fine, does not matter for curr...
fordem
Jul 31, 2015 (Mentor)
Approaching the issue from a different angle...
Why are these servers in the DMZ in the first place? In most cases servers placed in a DMZ are put there to allow "controlled" remote access, either from the public internet, or from a private intranet - the reason for having a DMZ is to separate these servers from the main network, so as to limit exposure to the main network should one of the servers be compromised.
If you have no intent to provide this access, then there is no reason to have a DMZ, and once this access has been permitted, why would you then need separate access via a VPN? Why would you not use the primary access method already established?
Integration
Jul 31, 2015 (Aspirant)
"Why are these servers in the DMZ in the first place?" - those servers are Apache HTTPd servers, so they will be NATed to the public network when configuration is done, but only the HTTPS protocol will be exposed. But I need SSH access to those servers to update content and configuration. Sure, by putting those in the DMZ and restricting access I protect my internal LAN from being used in case the HTTP server gets hacked, so an attacker cannot get deeper into my LAN.
"why would you then need separate access via a VPN?" - I explained that in my first post: from time to time I have to work from the road, so I should be able to access the HTTP servers in the DMZ over SSH at any time, whether I am in the office or at home.
Routing answers. I do not think that traffic from the VPN client to the DMZ should go over the LAN segment, since the Netgear router has interfaces in the VPN and the DMZ. I mentioned that the _rules_ I created for LAN-DMZ probably should be applied to VPN-DMZ traffic too, since I see no separate place for VPN-DMZ rules.
Below is my routing table on the client after I connected to the Netgear VPN using L2TP and got the 172.17.172.2 address (L2TP network is 172.16.17.0/24). As you can see, this VPN address I got from the Netgear router, 172.17.172.2, is the default gateway. I can reach 172.16.0.0/16 LAN servers without any extra routing and cannot reach 172.17.172.0/24 DMZ servers. I would like to be able to reach DMZ servers from the VPN the same way as LAN servers. Here 192.168.1.x is my home network (192.168.1.73 is my private IP in the home network). 91.XXX.XXX.XXX is the public IP of the Netgear router.
C:\TEMP>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 fa 89 7c ...... AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
0x10004 ...00 ff 98 8c 2b 82 ...... Juniper Network Connect Virtual Adapter - Shrew Soft Miniport Filter
0x20005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.17.172.2     172.17.172.2      1
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.73     11
   91.XXX.XXX.XXX  255.255.255.255      192.168.1.1     192.168.1.73     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     172.17.172.2  255.255.255.255        127.0.0.1        127.0.0.1     50
   172.17.255.255  255.255.255.255     172.17.172.2     172.17.172.2     50
      192.168.1.0    255.255.255.0     192.168.1.73     192.168.1.73     10
     192.168.1.73  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.1.255  255.255.255.255     192.168.1.73     192.168.1.73     10
        224.0.0.0        240.0.0.0     192.168.1.73     192.168.1.73     10
        224.0.0.0        240.0.0.0     172.17.172.2     172.17.172.2      1
  255.255.255.255  255.255.255.255     172.17.172.2     172.17.172.2      1
  255.255.255.255  255.255.255.255     192.168.1.73     192.168.1.73      1
  255.255.255.255  255.255.255.255     192.168.1.73            10004      1
Default Gateway:      172.17.172.2
===========================================================================
Persistent Routes:
  None
WBR, Andre
fordem
Jul 31, 2015 (Mentor)
There's something odd about that routing table - for starters it has multiple default routes - and only one of them can actually work.
What VPN client are you using, and is it configured for "full tunnelling"?
Integration
Jul 31, 2015 (Aspirant)
This is the standard Windows XP VPN client, nothing special.
Below is the variant for the standard Windows 7 VPN client. The first route table is with no VPN, just my home network; the second one is after I established the VPN connection to the Netgear L2TP server.
C:\>route print (NO VPN)
===========================================================================
Interface List
 15...00 0c 29 63 ab ae ......Intel(R) PRO/1000 MT Network Connection
  1...........................Software Loopback Interface 1
 22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.73    266
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
      192.168.1.0    255.255.255.0          On-link     192.168.1.73    266
     192.168.1.73  255.255.255.255          On-link     192.168.1.73    266
    192.168.1.255  255.255.255.255          On-link     192.168.1.73    266
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link     192.168.1.73    266
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link     192.168.1.73    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.1.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
===========================================================================

C:\>route print (VPN established)
===========================================================================
Interface List
 23...........................switch-07
 15...00 0c 29 63 ab ae ......Intel(R) PRO/1000 MT Network Connection
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.73   4491
          0.0.0.0          0.0.0.0          On-link     172.17.172.2     11
   91.XXX.XXX.XXX  255.255.255.255      192.168.1.1     192.168.1.73   4236
        127.0.0.0        255.0.0.0          On-link        127.0.0.1   4531
        127.0.0.1  255.255.255.255          On-link        127.0.0.1   4531
  127.255.255.255  255.255.255.255          On-link        127.0.0.1   4531
     172.17.172.2  255.255.255.255          On-link     172.17.172.2    266
      192.168.1.0    255.255.255.0          On-link     192.168.1.73   4491
     192.168.1.73  255.255.255.255          On-link     192.168.1.73   4491
    192.168.1.255  255.255.255.255          On-link     192.168.1.73   4491
        224.0.0.0        240.0.0.0          On-link        127.0.0.1   4531
        224.0.0.0        240.0.0.0          On-link     192.168.1.73   4492
        224.0.0.0        240.0.0.0          On-link     172.17.172.2     11
  255.255.255.255  255.255.255.255          On-link        127.0.0.1   4531
  255.255.255.255  255.255.255.255          On-link     192.168.1.73   4491
  255.255.255.255  255.255.255.255          On-link     172.17.172.2    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.1.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Sure, for Windows 7 the behavior is the same: when I establish the VPN connection to the Netgear I can access my 172.16.0.0/24 LAN and cannot access the 192.168.172.0/24 DMZ (except 192.168.172.254, which is the Netgear interface in that DMZ VLAN). Sure, I can for example RDP to some server in the LAN (e.g. 172.16.0.100) and then SSH to the DMZ, but I do not want the extra step and see no reason why I should have it here if the Netgear router actually handles the DMZ, LAN and VPN traffic.
TIA, Andre.
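As an added example (not code from the thread or from NETGEAR), the script below parses the IPv4 "Active Routes" block of a Windows `route print` and performs the same route selection the client stack does: longest matching prefix first, lowest metric as the tie-break. It embeds a trimmed copy of the Windows 7 "VPN established" table above as a constructed sample. Looking up a DMZ address such as 192.168.172.10 shows that only the two default routes match it, and that the on-link default on 172.17.172.2 (metric 11) beats the home-router default (metric 4491), so on the client side DMZ traffic does enter the tunnel; the table alone does not explain why it gets no reply, which is why the next place to look is the gateway's VPN-to-DMZ rules. The redacted `91.XXX.XXX.XXX` host route is kept as posted and is skipped because it is not a parsable address.

```python
"""Longest-prefix-match lookup over a Windows `route print` table.

Given the text of `route print`, answer "which route, and so which
interface, will this destination take?".  That tells you whether the
VPN client is even sending DMZ traffic into the tunnel before you go
looking at the gateway's firewall rules.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Windows 7 "VPN established" IPv4 table from the
# thread, trimmed to the rows that matter.  The redacted 91.XXX.XXX.XXX host
# route is kept as posted; the parser skips it because it is not an address.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.73   4491
          0.0.0.0          0.0.0.0          On-link     172.17.172.2     11
   91.XXX.XXX.XXX  255.255.255.255      192.168.1.1     192.168.1.73   4236
        127.0.0.0        255.0.0.0          On-link        127.0.0.1   4531
     172.17.172.2  255.255.255.255          On-link     172.17.172.2    266
      192.168.1.0    255.255.255.0          On-link     192.168.1.73   4491
     192.168.1.73  255.255.255.255          On-link     192.168.1.73   4491
        224.0.0.0        240.0.0.0          On-link     172.17.172.2     11
  255.255.255.255  255.255.255.255          On-link     172.17.172.2    266
===========================================================================
Persistent Routes:
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means "On-link"
    interface: ipaddress.IPv4Address
    metric: int


# destination, netmask, gateway, interface, metric.  Requiring a numeric
# metric is what keeps the column header line from matching.
_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_route_print(text: str) -> List[Route]:
    """Extract IPv4 rows from the 'Active Routes:' section(s) of `route print`."""
    routes: List[Route] = []
    in_active = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Active Routes:"):
            in_active = True
            continue
        if stripped.startswith(("Persistent Routes:", "Default Gateway:")):
            in_active = False
        if not in_active:
            continue
        m = _ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        dest, mask, gw, iface, metric = m.groups()
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
            interface = ipaddress.IPv4Address(iface)
            gateway = None if gw.lower() == "on-link" else ipaddress.IPv4Address(gw)
        except ValueError:
            continue  # redacted or otherwise unparsable row
        routes.append(Route(network, gateway, interface, int(metric)))
    return routes


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Route selection as the host does it: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(ip)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def describe(route: Optional[Route]) -> str:
    """One-line human-readable form of a selected route."""
    if route is None:
        return "no route"
    via = "On-link" if route.gateway is None else f"via {route.gateway}"
    return f"{route.network} {via} on {route.interface} (metric {route.metric})"


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for target in ("192.168.172.10", "172.16.0.100", "192.168.1.50"):
        print(f"{target:>16} -> {describe(lookup(table, target))}")
```

To use it on a live machine, pipe `route print` into a file and pass its contents to `parse_route_print`; a DMZ or LAN address that resolves to anything other than the tunnel interface means the client is sending that traffic out the physical adapter, not through the VPN.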