Thursday, April 4, 2019

Weird behaviour when redirecting traffic internally from Default Gateway

In an office we have two internet links: one goes to a router which holds all our VPNs and the routes to our VPN destinations, and one goes to a firewall which is for internet traffic only.

The default gateway is the router, which goes out via Comcast; this then has a default route pointing to the firewall, which is used for internet. The traffic flow for VPN destinations is user > router > VPN tunnel via Comcast. The flow for internet traffic is user > router > firewall > internet.

The router and the firewall each have a LAN leg in the same subnet.

I'm in the middle of splitting two departments into two subnets so we can make use of each internet link. The default gateway will be the router for one department (removing the redirect default), and the other department will use the firewall as its gateway.

When I set my gateway to be the firewall I am unable to SSH to VPN destinations. I have a route on the firewall pointing to the router for VPN destinations. Ping works fine, so the path is user > firewall > redirected to router > VPN tunnel > end device.

Ping is fine, but when I try to SSH to a device reached via the VPN I cannot connect. A Wireshark capture shows that traffic is going both ways, but I'm seeing "tcp acked unknown segment".

Outbound traffic is user > firewall (10.1.10.1) > router (10.1.10.10) > VPN. Inbound traffic would be VPN > router (10.1.10.10) > user. Inbound traffic does not go via the firewall, as the firewall, the router and the user all have a leg in the same LAN.

What's going on here? Is it because inbound traffic is not hitting the firewall, but rather coming direct to the user? The redirect default works when the router is the gateway, but not when the firewall is the gateway.
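The two traffic flows described above, modelled as an added example (this is not the poster's configuration and not any vendor's firewall code). It simulates both gateway choices against a simplified stateful-inspection firewall: TCP is only accepted as part of a handshake the firewall has watched from the SYN onward, while ICMP echo is passed without state. The firewall (10.1.10.1) and router (10.1.10.10) addresses come from the post; the workstation address 10.1.10.50, the VPN-side host 192.168.50.5, the LAN/VPN prefixes and the firewall's exact state rules are assumptions. The model shows one cause consistent with the symptoms: with the firewall as gateway, the SYN-ACK returns from the router straight to the user, so the firewall never sees it and has no session to match the client's ACK against, whereas ping survives because neither direction needs state.

```python
# Added example: toy model of the two gateway choices from the post.
# Addresses other than 10.1.10.1 (firewall) and 10.1.10.10 (router), the
# prefixes, and the firewall's state rules are assumptions for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FW, ROUTER = "10.1.10.1", "10.1.10.10"        # from the post
USER, REMOTE = "10.1.10.50", "192.168.50.5"   # assumed workstation / VPN-side host
LAN = ip_network("10.1.10.0/24")              # assumed office LAN
VPN = ip_network("192.168.50.0/24")           # assumed VPN destination prefix
ANY = ip_network("0.0.0.0/0")

# Static routes per hop, most specific first: (prefix, next hop).
# "direct" = on-link delivery, "tunnel" = the VPN, "internet" = the Comcast side.
ROUTES = {
    FW:     [(LAN, "direct"), (VPN, ROUTER), (ANY, "internet")],
    ROUTER: [(LAN, "direct"), (VPN, "tunnel"), (ANY, FW)],   # the "redirect default"
    REMOTE: [(VPN, "direct"), (ANY, "tunnel")],
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "icmp"
    flags: str = ""     # "SYN", "SYN-ACK" or "ACK" for tcp

class StatefulFirewall:
    """Simplified stateful inspection (assumed behaviour, not a specific product):
    a TCP packet is forwarded only if it continues a handshake seen from the SYN on."""
    def __init__(self):
        self.state = {}      # (client, server) -> handshake stage
        self.dropped = []
    def forward(self, pkt):
        if pkt.proto != "tcp":
            return True      # ICMP echo passes without state, so ping looks fine
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.state[fwd] = "SYN"
            return True
        if pkt.flags == "SYN-ACK" and self.state.get(rev) == "SYN":
            self.state[rev] = "SYN-ACK"
            return True
        if pkt.flags == "ACK" and self.state.get(fwd) == "SYN-ACK":
            self.state[fwd] = "ESTABLISHED"
            return True
        if "ESTABLISHED" in (self.state.get(fwd), self.state.get(rev)):
            return True
        self.dropped.append(pkt)   # out of state: the SYN-ACK never passed this box
        return False

def next_hop(node, dst, user_gw):
    """Route lookup for one hop; the user's table depends on the chosen gateway."""
    table = [(LAN, "direct"), (ANY, user_gw)] if node == USER else ROUTES[node]
    for prefix, nh in table:
        if ip_address(dst) in prefix:
            return nh
    raise LookupError(dst)

def trace(pkt, user_gw, fw):
    """Walk one packet hop by hop; returns (hops, delivered)."""
    node, hops = pkt.src, [pkt.src]
    while node != pkt.dst:
        nh = next_hop(node, pkt.dst, user_gw)
        if nh == "direct":
            nh = pkt.dst
        elif nh == "tunnel":
            nh = REMOTE if node == ROUTER else ROUTER
        elif nh == "internet":
            return hops + ["internet"], False   # not a VPN destination
        node = nh
        hops.append(node)
        if node == FW and not fw.forward(pkt):
            return hops, False
    return hops, True

def ssh_handshake(user_gw):
    """TCP three-way handshake USER -> REMOTE with the given default gateway.
    Returns a list of (flags, hops, delivered)."""
    fw = StatefulFirewall()
    steps = [Packet(USER, REMOTE, "tcp", "SYN"),
             Packet(REMOTE, USER, "tcp", "SYN-ACK"),
             Packet(USER, REMOTE, "tcp", "ACK")]
    return [(p.flags, *trace(p, user_gw, fw)) for p in steps]

def ping(user_gw):
    """ICMP echo request and reply; returns [request_delivered, reply_delivered]."""
    fw = StatefulFirewall()
    return [trace(p, user_gw, fw)[1]
            for p in (Packet(USER, REMOTE, "icmp"), Packet(REMOTE, USER, "icmp"))]

if __name__ == "__main__":
    for gw in (ROUTER, FW):
        print(f"default gateway {gw}: ping ok = {all(ping(gw))}")
        for flags, hops, ok in ssh_handshake(gw):
            print(f"  {flags:8} {' > '.join(hops):50} {'delivered' if ok else 'DROPPED at firewall'}")
```

Running it prints the SYN leaving via firewall > router > tunnel, the SYN-ACK coming back router > user without touching the firewall, and the final ACK dropped at the firewall, which is the asymmetric path the post describes; with the router as gateway the firewall is never in the path and all three segments are delivered.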
