EFW Support

Support => VPN Support => Topic started by: j_e_anderson4 on Wednesday 20 May 2009, 02:57:52 am



Title: Connected client can access EFW but no other hosts
Post by: j_e_anderson4 on Wednesday 20 May 2009, 02:57:52 am
The rundown of what works and does not work. (EFW 2.2RC3)

1. Client connects to EFW OpenVPN server; all traffic is passed through OpenVPN
2. Client machine can access EFW web frontend
3. Client can SSH into EFW -> then SSH/Ping from EFW into other machines on Green interface
4. Client cannot access/ping other machines on Green directly

Where have I gone wrong?
Any ideas, or am I just hopelessly clueless?

Thanks for the help (if I can be helped).

Jordan


Title: Re: Connected client can access EFW but no other hosts
Post by: speciall on Monday 12 October 2009, 06:28:46 pm
I have the same problem when setting up OpenVPN, is there something in a firewall rule that needs to be changed?

I can connect to the EFW itself, but can't reach a server in the green zone...


Title: Re: Connected client can access EFW but no other hosts
Post by: gtjr92 on Tuesday 13 October 2009, 12:02:57 pm
I have the exact same problem. I cannot access anything on green from VPN. I can't even access my Endian firewall from VPN.
I set an access rule to allow connection to the Endian firewall from VPN; it didn't work.
My IP range for VPN is on the same subnet as green, just a different range.

I also added "Push these networks" under the VPN and put my network in there; still nothing.
Anybody?????
I am using free Endian.


Title: Re: Connected client can access EFW but no other hosts
Post by: speciall on Friday 30 October 2009, 07:20:01 pm
I had to go back to Untangle, until I get the Endian OpenVPN setup working.
I want to use Endian because of the proxy caching feature...


Title: Re: Connected client can access EFW but no other hosts
Post by: mrkroket on Saturday 31 October 2009, 04:12:01 pm
OpenVPN works like a charm for me (both 2.3RC and 2.3 final).

Did you guys set up the VPN firewall? There is a pretty big warning on the OpenVPN tab: "Note: Traffic to this IP pool has to be filtered using the VPN firewall!"

Steps to check:
1- On OpenVPN Main Tab -> Check that the IP range falls inside the GREEN subnet.

2- On OpenVPN Tab -> Advanced, push your networks, DNS servers and domain.
 I pushed my GREEN network and an extra subnet that I reach via a VPN gateway on GREEN. Both nets work perfectly (I can use anything on GREEN AND anything on that extra subnet, a VPN that I routed via a Static Route).

3- Configure the VPN Firewall. If you didn't add any rule, you won't have access to anything! As a simple rule add "Any VPN User can access anything".

4- Enable VPN Firewall Logging and check the logs (both Firewall and OpenVPN Service).

5- Try to determine if external VPN requests are reaching the EFW box. If they reach it, try to enable all the logging you can to determine what's happening.

OpenVPN Client config must be something like:
client
float
dev tap
proto udp
port 1194
remote <<YourEFWServer>>
resolv-retry infinite
nobind
persist-key
persist-tun
ca <<FirewallCertYouDownloadFromEFW>>
auth-user-pass
pull
comp-lzo
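
The first three checks in the post above, written out as a small Python sketch (an added example, not part of the original post and not Endian's code). All addresses are constructed sample values, and the rule model (ordered rules, first match wins, no match means drop) is an assumption based on the post's remark that without any rule you have no access.

```python
import ipaddress as ipa

def diagnose(green, pool, pushed, vpn_fw_rules, dest):
    """Return "ok" or the first of steps 1-3 that blocks VPN client -> dest.

    pool:         (first, last) address of the OpenVPN client IP pool
    pushed:       networks listed under "Push these networks"
    vpn_fw_rules: ordered (destination_cidr, policy) pairs; first match wins
                  and no match means drop (assumed evaluation order)
    """
    green_net = ipa.ip_network(green)
    dest_ip = ipa.ip_address(dest)
    first, last = (ipa.ip_address(a) for a in pool)

    # Step 1: the client IP range has to fall inside the GREEN subnet.
    if first > last or first not in green_net or last not in green_net:
        return "step 1: VPN IP pool is not inside GREEN"

    # Step 2: the destination has to be covered by a pushed network.
    if not any(dest_ip in ipa.ip_network(n) for n in pushed):
        return "step 2: no pushed network covers the destination"

    # Step 3: the VPN firewall has to contain a rule that allows it.
    for dest_cidr, policy in vpn_fw_rules:
        if dest_ip in ipa.ip_network(dest_cidr):
            if policy == "ALLOW":
                return "ok"
            return f"step 3: VPN firewall rule for {dest_cidr} is {policy}"
    return "step 3: no VPN firewall rule matches, traffic is dropped"

# Constructed sample values (RFC 1918 addresses, not taken from the thread).
GREEN = "192.168.10.0/24"
POOL = ("192.168.10.200", "192.168.10.220")
PUSHED = ["192.168.10.0/24", "10.20.0.0/16"]   # GREEN plus one extra subnet
GREEN_ONLY = [("192.168.10.0/24", "ALLOW")]    # narrower than "any -> any"

if __name__ == "__main__":
    for rules, dest in [([], "192.168.10.5"),
                        (GREEN_ONLY, "192.168.10.5"),
                        (GREEN_ONLY, "10.20.1.1"),
                        (GREEN_ONLY, "172.16.0.1")]:
        print(dest, "->", diagnose(GREEN, POOL, PUSHED, rules, dest))
```

A rule scoped to GREEN lets the GREEN host through while the extra pushed subnet still reports step 3, which is the kind of gap that the logging in step 4 would confirm.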


Title: Re: Connected client can access EFW but no other hosts
Post by: endiant on Monday 02 November 2009, 05:11:27 pm
> OpenVPN works like a charm for me (both 2.3RC and 2.3 final).
>
> ......

I checked all of the settings and still couldn't ping or RDP (mstsc); however, SMB was working ..??
I could see the VPNFW was allowing traffic though...
I then added a source NAT rule to allow "ALL OpenVPN users to Green" and all traffic worked...


Title: Re: Connected client can access EFW but no other hosts
Post by: speciall on Thursday 07 January 2010, 05:55:27 am
Hi, I tested with another Endian OpenVPN...

Now I added the VPN firewall but still the same result.

source: any, destination: any : allow, service: any...


Any other tips on this?
The Endian OpenVPN is running on VMware ESXi; Endian itself is working well.
The computers to connect to are all VMs...

Could this be the problem?


Title: Re: Connected client can access EFW but no other hosts
Post by: mogyiman on Friday 15 January 2010, 05:54:41 am
> Hi, I tested with another Endian OpenVPN...
>
> Now I added the VPN firewall but still the same result.
>
> source: any, destination: any : allow, service: any...
>
> Any other tips on this?
> The Endian OpenVPN is running on VMware ESXi; Endian itself is working well.
> The computers to connect to are all VMs...
>
> Could this be the problem?

In case the VMs are Windows machines, you could check this topic covering the same issue:
http://efwsupport.com/index.php?topic=827.0

Basically you need to either define a route to push in the Endian OpenVPN server or manually define one after the connection has been established -> the gateway will be the address of the internal green IP of the Endian FW.


Title: Re: Connected client can access EFW but no other hosts
Post by: bucho on Saturday 13 February 2010, 04:00:00 am
The issue is not with Endian but rather VMware's default network configuration to not allow promiscuous mode traffic. You need to disable that feature, which, keep in mind, allows all VMs in that network switch/VLAN to see the traffic of every other device (kind of like turning the switch into a hub).

1) Go to the Configuration tab and select Networking.

2) On the vswitch that you want to disable promiscuous mode, click on properties.
(If you need to do this per VLAN as well, just click on the VLAN and then edit instead of the vswitch.)

3) On the pop up window, click on edit and select the security tab.


Title: Re: Connected client can access EFW but no other hosts
Post by: jeliasson on Tuesday 10 May 2011, 06:46:43 am
Can anyone confirm bucho's statement regarding promiscuous mode?


Title: Re: Connected client can access EFW but no other hosts
Post by: jeliasson on Wednesday 11 May 2011, 03:08:48 am
> Can anyone confirm bucho's statement regarding promiscuous mode?

I can confirm that myself. It did solve the problem! :)


Title: Re: Connected client can access EFW but no other hosts
Post by: lucianovs on Tuesday 28 June 2011, 06:13:56 am
Hi Guys!!!

You just need to create a firewall rule:

CLIENT2ENDIAN:
GO TO FIREWALL - VPN TRAFFIC (ENABLE)

CREATE A RULE LIKE:

SOURCE: OPENVPN: ANY
DESTINATION: ANY
POLICY: ALLOW


GW2GW:
CREATE A RULE LIKE:
SOURCE IP: ip/mask local
DESTINATION: ip/mask remote
POLICY: ALLOW


I think this can help!
=]