Wednesday, January 2, 2019

Best Practices for Configuring Routes for a VPN Server with No Physical DMZ?

I work for a small company with no physical DMZ but we wanted to use a separate interface on our SonicWall connected directly to the VPN server as a sort of DMZ.

Everything appeared to work fine after configuring the rules, except that the VM can't route any traffic internally because the default gateway is the DMZ interface and that VLAN can't route any traffic internally. To fix this I manually added a route for our internal IP range to go out the internally facing interface using Route ADD. My manager said he doesn't want it done that way, but also didn't say how it should be done.

I'm not a network admin, but my current understanding is that Windows only automatically adds routes for the networks that the NICs are on. So if I have 192.168.1.0, 192.168.2.0, 192.168.3.0, etc., networks internally, but my server has an externally facing default route as a DMZ, then it can't route to 192.168.2.0 or 192.168.3.0 without manually adding routes. If I ping 192.168.2.1 it will go out the DMZ interface unless I manually add a route.

Is there some other way Windows is supposed to identify what your internal networks are? Maybe from ADSS? Is using Route ADD bad practice?
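The routing behaviour the post describes (a default route out the DMZ NIC, so internal /24s that are not directly connected go the wrong way) is normally handled on a dual-homed Windows host by adding persistent static routes for the internal ranges via the internal-facing NIC, and then verifying which interface the host would actually pick. The script below is an added example written for this page, not the poster's configuration or anything from SonicWall or Microsoft documentation. It assumes an internal NIC named "LAN", an internal next hop of 192.168.1.1, and the 192.168.2.0/24 and 192.168.3.0/24 ranges mentioned in the post; all of these are placeholders to replace with the real values.

```powershell
# Added example (not from the original post): persistent, idempotent internal
# routes for a dual-homed VPN server using the NetTCPIP cmdlets, plus a check
# of which interface Windows would really use. All values are assumptions.
#Requires -RunAsAdministrator

# Assumed: the internal-facing NIC is called "LAN" and its next hop is the
# firewall's LAN-side address. The DMZ NIC keeps the default route (0.0.0.0/0).
$InternalIfAlias = 'LAN'
$InternalGateway = '192.168.1.1'

# Assumed internal ranges taken from the post. If the internal space is one
# contiguous block, a single summary such as '192.168.0.0/16' is simpler to
# audit than one entry per /24.
$InternalPrefixes = @('192.168.2.0/24', '192.168.3.0/24')

function Add-InternalRoute {
    param([Parameter(Mandatory)][string]$Prefix)

    # Idempotent: do nothing if the same persistent route already exists.
    $existing = Get-NetRoute -DestinationPrefix $Prefix -InterfaceAlias $InternalIfAlias `
                             -PolicyStore PersistentStore -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Route $Prefix via $InternalIfAlias already present"
        return
    }

    # New-NetRoute writes to both ActiveStore and PersistentStore by default,
    # so the route survives a reboot (the equivalent of `route add -p`).
    New-NetRoute -DestinationPrefix $Prefix -InterfaceAlias $InternalIfAlias `
                 -NextHop $InternalGateway -RouteMetric 1 | Out-Null
    Write-Host "Added route $Prefix via $InternalIfAlias ($InternalGateway)"
}

foreach ($p in $InternalPrefixes) { Add-InternalRoute -Prefix $p }

# Check: which interface would the host actually use for an internal address?
# Find-NetRoute returns the chosen source address and the matching route
# object; only the route object carries DestinationPrefix.
$probe  = '192.168.2.1'
$route  = Find-NetRoute -RemoteIPAddress $probe | Where-Object { $_.DestinationPrefix }
if ($route.InterfaceAlias -ne $InternalIfAlias) {
    Write-Warning "$probe would leave via $($route.InterfaceAlias) using $($route.DestinationPrefix); the internal route is not taking effect"
} else {
    Write-Host "$probe leaves via $InternalIfAlias using route $($route.DestinationPrefix)"
}

# Audit view: every persistent IPv4 route with its interface, suitable for
# pasting into a change record so the routes are documented, not tribal knowledge.
Get-NetRoute -AddressFamily IPv4 -PolicyStore PersistentStore |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric |
    Format-Table -AutoSize
```

Two points worth keeping in mind when applying this: the static routes only steer traffic that the VPN server itself originates or forwards, so the firewall rules between the DMZ-style segment and the internal VLANs still decide what VPN clients are allowed to reach; and the Find-NetRoute check is the quick way to confirm, after a reboot, that a ping to an internal host is no longer heading out the DMZ interface.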


