fredbert
Background
I'm using VPN Plus server and the SSL-VPN service. The IP address pool for this service (or Object as it is termed in the package) is different to my LAN subnets.
On the NAS there are some web services that are Internet accessible via the reverse proxy, with router port forwards and firewall rules. There are some web services that I have accessible only from the LANs (inc. VPN client subnets). These use specific TCP ports either directly or via the reverse proxy.
Issue
When connected using the VPN Plus app/agent, I can access the Internet-facing web services. But I cannot access the private-LAN-only web services.
Solution
After testing the DSM firewall (which allows the LAN subnets access) and static routes in DSM and SRM, the 'fix' is within the SRM firewall. I recall previous investigations and finding that SRM treats the VPN services in VPN Plus as being on the Internet interface, not the internal one. So any firewall rule that is set to allow All LAN interfaces to wherever (e.g. LANs or anywhere) will not be applied to VPN clients, and so they will not get LAN service access.
My firewall policy is configured with rules that never use All source interfaces; they all specify whether the rule is for Internet, LAN, or specific LAN sources. In earlier SRM there was no assignable interface in the rules.
Why were Internet-facing web services accessible? Because there are already SRM firewall rules and port forwards that allow this 'external' access, and the VPN clients pass these rules. But there are no SRM firewall rules to allow Internet access to the LAN-only web services.
The Fix
You need an SRM firewall rule where:
- Protocol: TCP/UDP
- Source interface: Internet (or All, if you really must)
- Source IP: your VPN Plus object IP subnets.
- Destination interface: All, LAN, or a specific LAN (All if you want the VPN clients to access the Internet too; LAN if just LAN devices).
- The rest of the rule is whatever you need to allow access to.
Why the VPN services are placed on the Internet edge seems odd, since I and others will be using private IP subnets (RFC 1918). You don't expect those on the external interface, though ISPs will use private addressing within their infrastructure prior to breaking out to the Internet. So, ISPs can route RFC 1918 addressing and there is a minuscule chance they might use that source subnet that you have allowed in your firewall rules. More of a risk if the firewall rule source IP subnet isn't exactly the same as used in VPN Plus, where one would hope SRM has routing set up to/from itself and its VPN server gateways.
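As an added illustration (not part of fredbert's post), here is a small Python model of the first-match behaviour described above: VPN Plus clients are classified as arriving on the Internet interface, so a LAN-source allow rule never matches them, while the Internet-source rule scoped to the VPN pool does. The subnets, port numbers and rule shape are constructed assumptions, not values from SRM or the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addressing (assumptions, not taken from the post).
LAN_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")   # VPN Plus SSL-VPN pool "object"
PRIVATE_PORT = 5001                               # a LAN-only web service port

@dataclass
class Rule:
    src_iface: str                               # "Internet", "LAN" or "All"
    src_net: Optional[ipaddress.IPv4Network]     # None = any source address
    dst_port: Optional[int]                      # None = any destination port
    action: str                                  # "allow" or "deny"

def classify_iface(src_ip):
    """Model SRM's view: VPN Plus clients count as the Internet interface."""
    ip = ipaddress.ip_address(src_ip)
    if ip in VPN_POOL:
        return "Internet"
    return "LAN" if any(ip in n for n in LAN_SUBNETS) else "Internet"

def evaluate(rules, src_ip, dst_port):
    """First matching rule wins; an unmatched packet is denied (closed policy)."""
    iface = classify_iface(src_ip)
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.src_iface not in ("All", iface):
            continue
        if r.src_net is not None and ip not in r.src_net:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action
    return "deny"

# Original policy: only LAN-sourced allows, nothing for VPN clients on "Internet".
BEFORE = [Rule("LAN", None, None, "allow")]
# The fix from the post: an Internet-sourced allow limited to the VPN pool.
AFTER = BEFORE + [Rule("Internet", VPN_POOL, PRIVATE_PORT, "allow")]

def rule_pool_is_exact(rule):
    """Caveat from the post: the source subnet should equal the VPN pool exactly."""
    return rule.src_net == VPN_POOL and VPN_POOL.is_private

if __name__ == "__main__":
    print(evaluate(BEFORE, "10.8.0.5", PRIVATE_PORT))  # deny: LAN rule never matches
    print(evaluate(AFTER, "10.8.0.5", PRIVATE_PORT))   # allow: pool-scoped rule matches
```

A rule whose source subnet is wider than the pool (say a /8) still "works" but fails `rule_pool_is_exact`, which is the exposure the last paragraph warns about.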