Member
Posts: 275
Registered: ‎11-29-2013
Kudos: 262
Solutions: 7
Accepted Solution

No internet while on VPN

While connected to my VPN I have no internet service. Can anybody offer some help as to what I'm missing, or have wrong?

Also in the VPN section I see auto-firewall-nat-exclude disable. If I enable that, can I remove all the manual entries I've created? To enable it, can I simply change the config to say enable and upload it, or do I need to do it via SSH? If so, what do I enter to do that?

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group BOGONS {
            description "Invalid WAN Networks"
            network 10.0.0.0/8
            network 100.64.0.0/10
            network 127.0.0.0/8
            network 169.254.0.0/16
            network 172.16.0.0/12
            network 192.0.0.0/24
            network 192.0.2.0/24
            network 192.168.0.0/16
            network 198.18.0.0/15
            network 198.51.100.0/24
            network 203.0.113.0/24
            network 224.0.0.0/3
        }
        port-group L2TP/IPSec {
            description "L2TP/IPSec Ports"
            port 50
            port 500
            port 1701
            port 4500
        }
        port-group Plex {
            description "Port For Plex Server Access"
            port 32400
        }
        port-group QNAP {
            description "Ports Used By QNAP"
            port 8080
            port 443
            port 1723
            port 21
            port 56779-56789
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_In {
        default-action accept
        description "LAN To LAN"
    }
    name LAN_Local {
        default-action accept
        description "LAN To Router"
    }
    name WAN_In {
        default-action drop
        description "Packets From WAN To LAN"
        enable-default-log
        rule 1 {
            action accept
            description "Allow Established/Related"
            log enable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop Invalid"
            log enable
            protocol all
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "Drop BOGON source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 4 {
            action accept
            description QNAP
            destination {
                group {
                    port-group QNAP
                }
            }
            log enable
            protocol tcp_udp
        }
        rule 5 {
            action accept
            description Plex
            destination {
                group {
                    port-group Plex
                }
            }
            log disable
            protocol tcp_udp
        }
        rule 6 {
            action accept
            description L2TP/IPSec
            destination {
                group {
                    port-group L2TP/IPSec
                }
            }
            log enable
            protocol tcp_udp
        }
        rule 7 {
            action accept
            description GRE
            log enable
            protocol gre
        }
    }
    name WAN_Local {
        default-action drop
        description "Packets From WAN To Router"
        enable-default-log
        rule 1 {
            action accept
            description "Allow Established/Related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop Invalid"
            log enable
            state {
                invalid enable
            }
        }
        rule 3 {
            action drop
            description "Drop BOGON Source"
            log enable
            protocol all
            source {
                group {
                    network-group BOGONS
                }
            }
        }
        rule 4 {
            action accept
            description "Rate Limit ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
        rule 5 {
            action accept
            description L2TP/IPSec
            destination {
                group {
                    port-group L2TP/IPSec
                }
            }
            log enable
            protocol tcp_udp
        }
        rule 6 {
            action accept
            description GRE
            log enable
            protocol gre
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        address 10.0.1.1/24
        aging 300
        description Bridge
        firewall {
            in {
                name LAN_In
            }
            local {
                name LAN_Local
            }
        }
        hello-time 2
        max-age 20
        priority 0
        promiscuous disable
        stp false
    }
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_In
            }
            local {
                name WAN_Local
            }
        }
        speed auto
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        description NAS
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description "UniFi AP"
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth3 {
        description DirecTV
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description Ooma
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        bridge-group {
            bridge br0
        }
        description Switch
        mtu 1500
        switch-port {
            interface eth2
            interface eth3
            interface eth4
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface br0
    rule 1 {
        description QNAP
        forward-to {
            address 10.0.1.3
        }
        original-port 8080
        protocol tcp
    }
    rule 2 {
        description QNAP
        forward-to {
            address 10.0.1.3
        }
        original-port 443
        protocol tcp
    }
    rule 3 {
        description "Robbies MacBook"
        forward-to {
            address 10.0.1.6
        }
        original-port 5900
        protocol tcp_udp
    }
    rule 4 {
        description "Plex Server"
        forward-to {
            address 10.0.1.3
        }
        original-port 32400
        protocol tcp_udp
    }
    rule 5 {
        description FTP
        forward-to {
            address 10.0.1.3
        }
        original-port 21
        protocol tcp
    }
    rule 6 {
        description "Ambers Air"
        forward-to {
            address 10.0.1.7
            port 5900
        }
        original-port 5901
        protocol tcp_udp
    }
    rule 7 {
        description WebDAV
        forward-to {
            address 10.0.1.3
        }
        original-port 8081
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            description "LAN eth1 - eth4"
            subnet 10.0.1.0/24 {
                default-router 10.0.1.1
                dns-server 10.0.1.1
                lease 86400
                ntp-server 10.0.1.1
                start 10.0.1.2 {
                    stop 10.0.1.174
                }
                static-mapping Ambers_MacBook_Air {
                    ip-address 10.0.1.7
                    mac-address 64:76:BA:91:A0:5E
                }
                static-mapping QNAP_NAS {
                    ip-address 10.0.1.3
                    mac-address 00:08:9B:E0:7D:B6
                }
                static-mapping Robbies_MacBook_Pro {
                    ip-address 10.0.1.6
                    mac-address 3c:15:c2:b9:7e:6e
                }
                static-mapping Samsung_ML-1865w {
                    ip-address 10.0.1.20
                    mac-address 00:15:99:93:d6:97
                }
                static-mapping UniFi_AP {
                    ip-address 10.0.1.2
                    mac-address 24:A4:3C:0A:01:9B
                }
                time-server 10.0.1.1
            }
        }
    }
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name “Removed”
                    login “Removed”
                    password “Removed”
                }
            }
        }
        forwarding {
            cache-size 0
            listen-on br0
            system
        }
    }
    gui {
        https-port 443
        listen-address 10.0.1.1
    }
    nat {
        rule 5010 {
            description "Masquerade For Internet"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        listen-address 10.0.1.1
        port 22
        protocol-version v2
    }
    upnp {
        listen-on br0 {
            outbound-interface eth0
        }
    }
}
system {
    host-name EdgeRouter
    ipv6 {
        disable
    }
    login {
        banner {
            post-login "Welcome to EdgeMAX"
            pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED! \n\n "
        }
        user Robbie {
            authentication {
                encrypted-password “Removed”
                plaintext-password ""
            }
            full-name "Robbie Bott"
            level admin
        }
    }
    name-server 208.67.222.222
    name-server 208.67.220.220
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    package {
        repository squeeze {
            components "main contrib non-free"
            distribution squeeze
            password ""
            url http://ftp.us.debian.org/debian/
            username ""
        }
        repository squeeze-updates {
            components "main contrib"
            distribution squeeze/updates
            password ""
            url http://security.debian.org/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username “Removed” {
                        password “Removed”
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.0.2.1
                stop 10.0.2.10
            }
            dhcp-interface eth0
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret “Removed”
                }
                ike-lifetime 3600
            }
            mtu 1024
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.5.0.4677648.140620.1301 */

All Replies
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5473
Solutions: 1656
Contributions: 2

Re: No internet while on VPN

The "auto" setting is for site-to-site IPsec tunnels (not L2TP/IPsec) so you should keep the manual entries for now. Could you clarify if the VPN itself is working (can access router's LAN for example) but can't access Internet from the VPN client through the VPN?

Member
Posts: 275
Registered: ‎11-29-2013
Kudos: 262
Solutions: 7

Re: No internet while on VPN

You are correct. On the client, when I connect to the VPN, I can type my router's internal IP and access it, along with my NAS. However, I do not have internet while connected to the VPN on the client.
Regular Member
Posts: 367
Registered: ‎05-09-2014
Kudos: 128
Solutions: 7

Re: No internet while on VPN

I wonder, by "do not have internet", is it possible that DNS is failing/missing? Can you ping 208.67.222.222 but not "google.com", for example?

Member
Posts: 275
Registered: ‎11-29-2013
Kudos: 262
Solutions: 7

Re: No internet while on VPN

(two attached screenshots: image.jpg, image.jpg)
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5473
Solutions: 1656
Contributions: 2

Re: No internet while on VPN

I don't see "dns-servers" setting under l2tp in the config, so are you using hard-coded DNS server on the client? Try "set vpn l2tp remote-access dns-servers server-1 208.67.222.222", for example, so that the L2TP server will return the specified DNS server to the client. If you want the clients to use the router as DNS server (DNS forwarding), set the IP to be the router's own IP address (but then also see this thread for DNS forwarding setting).

Member
Posts: 275
Registered: ‎11-29-2013
Kudos: 262
Solutions: 7

Re: No internet while on VPN

So I think this means I have forwarding enabled on my br0??

dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name “Removed”
                    login “Removed”
                    password “Removed”
                }
            }
        }
        forwarding {
            cache-size 0
            listen-on br0
            system

Correct??

So if I wanted to have the VPN clients use the router DNS, I would:

configure
set service dns forwarding options "listen-address=10.0.1.1"
commit
save

???

And if I wanted to use Google's DNS for VPN I would:

configure
set vpn l2tp remote-access dns-servers server-1 8.8.8.8
set vpn l2tp remote-access dns-servers server-2 8.8.4.4
commit
save

 
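Added example, not part of the original thread: a small Python lint that parses an EdgeOS-style `show configuration` dump into nested dicts and reports the two conditions the replies above turn on, a missing `vpn l2tp remote-access dns-servers` block (clients are handed no resolver, so names fail while raw IPs work) and a pushed resolver that is the router's own address without a matching `service dns forwarding options listen-address=...`. The three config excerpts are constructed from the config posted at the top of the thread, trimmed to the relevant sections; the second check encodes the fix agreed in the thread and assumes nothing further about how the forwarder is driven.

```python
"""Lint an EdgeOS/Vyatta-style configuration dump for the L2TP-client DNS
problem discussed in this thread (added example, not the poster's code)."""
import re

_TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted string or bare word


def parse_config(text):
    """Parse the brace-delimited config format into nested dicts.

    `key value {` nests under key -> value, `key {` nests under key,
    `key value` is a leaf (repeated leaves become lists) and a bare
    `key` such as `system` or `enable-default-log` is stored as True.
    """
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):      # blanks and the version trailer
            continue
        if line == "}":
            node = stack.pop()
            continue
        toks = [t.strip('"') for t in _TOKEN.findall(line)]
        if toks[-1] == "{":
            child = {}
            if len(toks) == 2:                      # `key {`
                node[toks[0]] = child
            else:                                   # `key value {`
                node.setdefault(toks[0], {})[toks[1]] = child
            stack.append(node)
            node = child
        elif len(toks) == 1:
            node[toks[0]] = True
        else:
            key, val = toks[0], " ".join(toks[1:])
            if key in node:                         # e.g. several `network` lines
                node[key] = (node[key] if isinstance(node[key], list) else [node[key]]) + [val]
            else:
                node[key] = val
    return root


def get(node, *path, default=None):
    """Walk nested dicts along `path`; return `default` if any step is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def router_addresses(cfg):
    """Static IPv4 addresses (without prefix length) assigned to any interface."""
    addrs = []
    for ifaces in get(cfg, "interfaces", default={}).values():
        for iface in ifaces.values():
            if not isinstance(iface, dict):
                continue
            addr = iface.get("address", [])
            for a in ([addr] if isinstance(addr, str) else addr):
                if a != "dhcp":
                    addrs.append(a.split("/")[0])
    return addrs


def check_l2tp_dns(cfg):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    ra = get(cfg, "vpn", "l2tp", "remote-access")
    if ra is None:
        return ["no 'vpn l2tp remote-access' block: nothing to check"]
    servers = [ip for _, ip in sorted(ra.get("dns-servers", {}).items())]
    if not servers:
        findings.append("no dns-servers under 'vpn l2tp remote-access': clients get no "
                        "resolver, so hosts fail by name but answer by IP")
    opts = get(cfg, "service", "dns", "forwarding", "options", default=[])
    opts = [opts] if isinstance(opts, str) else opts
    for ip in servers:
        if ip in router_addresses(cfg) and f"listen-address={ip}" not in opts:
            findings.append(f"dns-servers pushes the router's own {ip}, but 'service dns "
                            f"forwarding options listen-address={ip}' is not set")
    return findings


# Constructed excerpt of the config posted in this thread (only the relevant sections).
CONFIG_AS_POSTED = """\
interfaces {
    bridge br0 {
        address 10.0.1.1/24
    }
    ethernet eth0 {
        address dhcp
    }
}
service {
    dns {
        forwarding {
            cache-size 0
            listen-on br0
            system
        }
    }
}
vpn {
    l2tp {
        remote-access {
            client-ip-pool {
                start 10.0.2.1
                stop 10.0.2.10
            }
            dhcp-interface eth0
        }
    }
}
"""


def _add_line(cfg_text, after, new_line):
    """Fixture helper: insert `new_line` after the first line equal to `after`."""
    lines = cfg_text.splitlines()
    i = next(n for n, l in enumerate(lines) if l.strip() == after)
    return "\n".join(lines[: i + 1] + [new_line] + lines[i + 1:]) + "\n"


# Option 1 from the thread, half applied: router IP pushed, forwarder not listening for it.
CONFIG_ROUTER_DNS = _add_line(CONFIG_AS_POSTED, "dhcp-interface eth0",
                              "            dns-servers {\n                server-1 10.0.1.1\n            }")
# Option 1 fully applied: the listen-address option added as well.
CONFIG_FIXED = _add_line(CONFIG_ROUTER_DNS, "listen-on br0",
                         "            options listen-address=10.0.1.1")

if __name__ == "__main__":
    for name, text in [("as posted", CONFIG_AS_POSTED),
                       ("router DNS, no listen-address", CONFIG_ROUTER_DNS),
                       ("fixed", CONFIG_FIXED)]:
        print(f"{name}: {check_l2tp_dns(parse_config(text)) or ['ok']}")
```

To run it against a live router, replace the embedded constant with the contents of a saved `show configuration` output; an empty findings list is the state you want after `commit`.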

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5473
Solutions: 1656
Contributions: 2

Re: No internet while on VPN

Yeah either way should work, though there may be other issues after that, so try it and see what's next.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: No internet while on VPN


@RobbieBott wrote:

So I think this means I have forwarding enabled on my br0??

dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name “Removed”
                    login “Removed”
                    password “Removed”
                }
            }
        }
        forwarding {
            cache-size 0
            listen-on br0
            system

 Correct??

cache-size 0???  Not sure how that will affect things.

Member
Posts: 275
Registered: ‎11-29-2013
Kudos: 262
Solutions: 7

Re: No internet while on VPN

At zero the router is not caching DNS, correct? Or do I have that thought entirely wrong?

Most everything I have seen shows 150, however I have seen a post that showed 1000.

So right now I'm testing to see if there is a noticeable speed difference.

Any downfall to no caching?

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: No internet while on VPN

Caching is used to store domain name resolutions so that the router doesn't have to go to the public nameservers every time one is used. Theoretically, with no caching, when you click on a link on this (or any) site, a request will need to be made to the public nameservers to remember who ubnt.com is. In reality, your computer does some resolution caching itself, so this may not be as bad as it sounds. Anyway, you get the idea.