Integration
Aspirant

VPN client access to DMZ systems on Netgear ProSafe SRX5308

Greetings,

 

I have a Netgear ProSafe SRX5308 with the latest firmware at the present moment - 4.3.3-5.

 

I have WAN 1 configured (let's say public IP 7.7.7.7) - it works fine and does not matter for the current problem.

I have LAN 1 configured for the 172.16.0.0/16 local network with 172.16.0.1 as the IP address of the firewall itself.

I have the DMZ configured on the LAN 4 / DMZ port with the 192.168.32.0/24 range and 192.168.32.1 as the IP address of the firewall itself.

I have a couple of Linux hosts in the DMZ zone; since I am still working on configuring those, there is no need to access them from the WAN yet, just from the internal LAN. I have created LAN-DMZ outbound rules allowing PING any-any, SSH any-any and HTTPS any-any, so I can ping, ssh or https to servers in the DMZ from my local network. This is working just fine.

I am working from home from time to time, so I would like to be able to configure those DMZ servers from home, so I configured the L2TP server (enabled, set range 172.17.0.1-172.17.0.16, created a user). I am able to establish a VPN connection from my home, getting the 172.17.0.1 IP, and I am able to access any server in my LAN (local network 172.16.0.0/16), but I cannot access / ping any server in the DMZ (192.168.32.0/24), even though I can ping the Netgear IP in the DMZ just fine (192.168.32.1). Those DMZ servers have only one IP address in the 192.168.32.0/24 subnet (e.g. 192.168.32.10) and the default gateway is the Netgear IP (192.168.32.1). I cannot find anything on the firewall similar to VPN-DMZ rules, only LAN-WAN, DMZ-WAN, LAN-DMZ. I thought VPN users should fall into the LAN-DMZ rules, but it seems they don't :(

 

Any hints are very welcome.

TIA, Andre.

 

Later I found the following thread, similar to my problem:

https://community.netgear.com/t5/ProSecure-STM-and-UTM-Discussion/VPN-client-access-to-DMZ-systems/m...

but the answer from the moderator is - a problem with routing... that looks fishy to me. The DMZ servers have only 1 IP and the default gateway is the Netgear router. The VPN clients have the Netgear router as default gateway. So there should be nothing extra to configure on "clients" in subnets where the Netgear router has interfaces. You do not have extra routing rules on the client to access the LAN from the VPN, so I suppose the same way should work to access the DMZ from the VPN.

Message 1 of 6
fordem
Mentor

Re: VPN client access to DMZ systems on Netgear ProSafe SRX5308

Think about the following ...

 

1)  The VPN client setup tells the client where to send traffic intended for the 172.16 network; does the client know what to do with traffic intended for the 192.168.32 network?  Will it send it to the default gateway or will it send it through the VPN tunnel?  Try using traceroute and see if the 192.168.32 traffic even gets to the 172.16 network.

 

2)  What makes you think there are no extra routing rules "on client to access LAN from VPN" - presumably a software VPN client is being used here - if you do not configure the routes on the client (see #1) the client will route ALL "non-local" traffic to the default gateway, which will then send it to its default gateway, which is most likely the ISP router, and which most likely has been configured to discard all private non-routable traffic.  If a router~router VPN is in use, there will be no extra routing rules on the client but there most certainly will be on BOTH routers involved; if not, the routers will route all "non-local" traffic as mentioned above, and it will never reach its intended destination.

 

3)  The only time a router can/will route between networks without being specifically configured to do so is between what are known as "directly connected" networks, and when VPNs are involved, at least one of the networks involved is going to be a remote network - and just so this last is clear - it is possible to have routers communicate between themselves and dynamically change routes through the use of dynamic routing protocols; however, these dynamic routing protocols require specific configuration, even if they do not require the routes to be specified.

Message 2 of 6
fordem
Mentor

Re: VPN client access to DMZ systems on Netgear ProSafe SRX5308

Approaching the issue from a different angle...

 

Why are these servers in the DMZ in the first place?  In most cases servers placed in a DMZ are put there to allow "controlled" remote access, either from the public internet, or from a private intranet - the reason for having a DMZ is to separate these servers from the main network, so as to limit exposure to the main network should one of the servers be compromised.

 

If you have no intent to provide this access, then there is no reason to have a DMZ, and once this access has been permitted, why would you then need separate access via a VPN?  Why would you not use the primary access method already established?

 

 

Message 3 of 6
Integration
Aspirant

Re: VPN client access to DMZ systems on Netgear ProSafe SRX5308

"Why are these servers in the DMZ in the first place? " - those servers are Apache HTTPd servers, so they will be "NAT"ed to the public network when the configuration is done, but only the HTTPS protocol will be exposed. But I need ssh access to those servers to update content and configuration. Sure, by putting those in the DMZ and restricting access I protect my internal LAN from being used in case the HTTP server gets hacked, so the attacker cannot get deeper into my LAN.

"why would you then need separate access via a VPN? " - I explained that in my first post: from time to time I have to work from the road, so I should be able to access the HTTP servers in the DMZ over ssh at any time, whether I am in the office or at home.

Routing answers.  I do not think that traffic from a VPN client to the DMZ should go over the LAN segment, since the Netgear router has an interface in both the VPN and the DMZ; I mentioned that the _rules_ I created for LAN-DMZ probably should be applied to VPN-DMZ traffic too, since I see no separate place for VPN-DMZ rules.

Below is my routing table on the client after I connected to the Netgear VPN using L2TP and got the 172.17.172.2 address (the L2TP network is 172.16.17.0/24). As you can see, this VPN address I got from the Netgear router, 172.17.172.2, is the default gateway. I can reach the 172.16.0.0/16 LAN servers without any extra routing and cannot reach the 172.17.172.0/24 DMZ servers. I would like to be able to reach the DMZ servers the same way as the LAN servers from the VPN. Here 192.168.1.x is my home network (192.168.1.73 is my private IP in the home network). 91.XXX.XXX.XXX is the public IP of the Netgear router.

 

C:\TEMP>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 fa 89 7c ...... AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
0x10004 ...00 ff 98 8c 2b 82 ...... Juniper Network Connect Virtual Adapter - Shrew Soft Miniport Filter
0x20005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.17.172.2 172.17.172.2 1
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.73 11
91.XXX.XXX.XXX 255.255.255.255 192.168.1.1 192.168.1.73 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.17.172.2 255.255.255.255 127.0.0.1 127.0.0.1 50
172.17.255.255 255.255.255.255 172.17.172.2 172.17.172.2 50
192.168.1.0 255.255.255.0 192.168.1.73 192.168.1.73 10
192.168.1.73 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.73 192.168.1.73 10
224.0.0.0 240.0.0.0 192.168.1.73 192.168.1.73 10
224.0.0.0 240.0.0.0 172.17.172.2 172.17.172.2 1
255.255.255.255 255.255.255.255 172.17.172.2 172.17.172.2 1
255.255.255.255 255.255.255.255 192.168.1.73 192.168.1.73 1
255.255.255.255 255.255.255.255 192.168.1.73 10004 1
Default Gateway: 172.17.172.2
===========================================================================
Persistent Routes:
None

 

WBR, Andre

Message 4 of 6
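As an added illustration (not code from this thread or from Netgear) of fordem's question in message 2 about where the client sends 192.168.32 traffic, applied to the kind of route table Andre posted above: the script below parses a constructed "route print" style table modelled on the Windows 7 "VPN established" output later in the thread, applies Windows' longest-prefix-then-lowest-metric selection, and reports whether a LAN host, a DMZ host, a home-network host and the router's public IP (placeholder 203.0.113.1) would leave through the tunnel adapter or through the home gateway.

```python
import ipaddress

# Constructed sample table (not Andre's verbatim output): two default routes,
# the tunnel one (interface 172.17.172.2) with the lower metric, a host route
# to the VPN endpoint via the home gateway, and the on-link home subnet.
# 203.0.113.1 is a placeholder for the router's public IP (91.XXX.XXX.XXX).
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.73 4491
0.0.0.0 0.0.0.0 On-link 172.17.172.2 11
203.0.113.1 255.255.255.255 192.168.1.1 192.168.1.73 4236
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531
172.17.172.2 255.255.255.255 On-link 172.17.172.2 266
192.168.1.0 255.255.255.0 On-link 192.168.1.73 4491
"""

def parse_routes(text):
    """Parse 'Destination Netmask Gateway Interface Metric' lines into tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers and separators
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes

def select_route(routes, dst):
    """Windows picks the most specific prefix, then the lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    net, gateway, iface, metric = min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))
    return {"network": str(net), "gateway": gateway, "interface": iface, "metric": metric}

def leaves_via_tunnel(routes, dst, tunnel_if="172.17.172.2"):
    """True when the chosen route's interface is the VPN adapter's address."""
    chosen = select_route(routes, dst)
    return chosen is not None and chosen["interface"] == tunnel_if

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for host in ("172.16.0.100", "192.168.32.10", "192.168.1.50", "203.0.113.1"):
        print(host, select_route(table, host), "tunnel" if leaves_via_tunnel(table, host) else "home gateway")
```

With this table both the LAN host and the DMZ host match only the two default routes, so both are handed to the tunnel adapter; if a real client table looked like this, a traceroute as fordem suggests would show where the DMZ-bound packets stop after entering the tunnel.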
fordem
Mentor

Re: VPN client access to DMZ systems on Netgear ProSafe SRX5308

There's something odd about that routing table - for starters it has multiple default routes - and only one of them can actually work.

What VPN client are you using, and is it configured for "full tunnelling"?

 

Message 5 of 6
Integration
Aspirant

Re: VPN client access to DMZ systems on Netgear ProSafe SRX5308

This is standard Windows XP VPN client, nothing special.

 

Below is the variant for the Windows 7 standard VPN client. The first route table is with no VPN, just my home network; the second one is after I established the VPN connection to the Netgear L2TP server.

 

C:\>route print (NO VPN)
===========================================================================
Interface List
15...00 0c 29 63 ab ae ......Intel(R) PRO/1000 MT Network Connection
1...........................Software Loopback Interface 1
22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.73 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.73 266
192.168.1.73 255.255.255.255 On-link 192.168.1.73 266
192.168.1.255 255.255.255.255 On-link 192.168.1.73 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.73 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.73 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.1.1 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

======================================
======================================
C:\>route print (VPN established)
===========================================================================
Interface List
23...........................switch-07
15...00 0c 29 63 ab ae ......Intel(R) PRO/1000 MT Network Connection
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.73 4491
0.0.0.0 0.0.0.0 On-link 172.17.172.2 11
91.XXX.XXX.XXX 255.255.255.255 192.168.1.1 192.168.1.73 4236
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4531
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
172.17.172.2 255.255.255.255 On-link 172.17.172.2 266
192.168.1.0 255.255.255.0 On-link 192.168.1.73 4491
192.168.1.73 255.255.255.255 On-link 192.168.1.73 4491
192.168.1.255 255.255.255.255 On-link 192.168.1.73 4491
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4531
224.0.0.0 240.0.0.0 On-link 192.168.1.73 4492
224.0.0.0 240.0.0.0 On-link 172.17.172.2 11
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
255.255.255.255 255.255.255.255 On-link 192.168.1.73 4491
255.255.255.255 255.255.255.255 On-link 172.17.172.2 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.1.1 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

 

Sure, for Windows 7 the behavior is the same: when I establish the VPN connection to the Netgear I can access my 172.16.0.0/24 LAN and cannot access the 192.168.172.0/24 DMZ (except 192.168.172.254, which is the Netgear interface in that DMZ VLAN). Sure, I can for example RDP to some server in the LAN (e.g. 172.16.0.100) and then ssh to the DMZ, but I do not want the extra step and see no reason why I should have it here if the Netgear router actually handles that DMZ, LAN and VPN traffic.

 

TIA, Andre.

 

Message 6 of 6