03-13-2018 01:39 PM
I have been looking through the forums and still having an issue. Disclaimer that I am an EdgeRouter noob but familiar with firewalls in general. We are using firmware version 1.10.0 (most recent firmware). This is configured with an IPsec s2s VPN without VTI.
So I'll say it was a heck of a time just getting the tunnel established. For whatever reason the WAN interface wasn't responding. Finally got that working.
Remote = EdgeRouter side. Network = 192.168.0.0/24, GW = 192.168.0.1 coming out of eth2. eth0 is the WAN port.
Local = SonicWall side. Network = 192.168.1.0/24, GW = 192.168.1.1.
My PCs behind the EdgeRouter are able to ping through the tunnel to where they need to be on my local network. My local network can ONLY get to the GW of the EdgeRouter and no further.
The check box to create local firewall and NAT rules was checked at the creation of the VPN. I know that it has to be a firewall rule but I cannot for the life of me find where it is (there are no firewall rules listed in the GUI that would block any traffic to that interface, unless there is a hidden implicit deny somewhere).
Any pointers will be appreciated.
03-13-2018 02:47 PM
Can you share the (sanitized) configuration snippet of the EdgeRouter VPN, firewall and NAT configuration? When you use the IPsec auto-firewall feature, then you do not need to manually create any firewall or NAT rules.
When pinging, make sure that the devices are not blocking ICMP requests in their local firewalls (Windows does this by default). Another thing you can check are the ingress and egress VPN traffic counters when you run:
show vpn ipsec sa
If the return traffic is leaving the EdgeRouter (in and out counters are both increasing) then it is possible that the SonicWall is blocking the inbound traffic.
Ben Pin - EdgeMAX Support
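As an added example (not part of this thread and not an Ubiquiti tool), here is a small script that applies the counter check described above: it takes two snapshots of `show vpn ipsec sa` output, captured a few seconds apart while the SonicWall side is pinging, and reports per child SA whether the "in" counter, the "out" counter, both, or neither moved. The sample output embedded in the script is constructed and only approximates the strongSwan-style layout EdgeOS prints; the regexes, the child SA names and the addresses are assumptions, so adjust them to match the real output before relying on it.

```python
import re

# Constructed snapshots approximating EdgeOS `show vpn ipsec sa` output
# (strongSwan-style). Layout, names and addresses are assumptions.
SNAPSHOT_BEFORE = """\
peer-198.51.100.20-tunnel-1: #3, ESTABLISHED, IKEv1, 1a2b3c4d5e6f7a8b_i 9c8d7e6f5a4b3c2d_r*
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  peer-198.51.100.20-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    in  c1a2b3c4,   4200 bytes,    50 packets,     2s ago
    out d4c3b2a1,  31500 bytes,   300 packets,     2s ago
    local  192.168.0.0/24
    remote 192.168.1.0/24
  peer-198.51.100.20-tunnel-2: #6, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    in  e5f6a7b8,    840 bytes,    10 packets,     3s ago
    out b8a7f6e5,      0 bytes,     0 packets,    no
    local  192.168.0.0/24
    remote 192.168.2.0/24
"""

SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "4200 bytes,    50 packets", "5040 bytes,    60 packets").replace(
    "31500 bytes,   300 packets", "32550 bytes,   310 packets").replace(
    "840 bytes,    10 packets", "1680 bytes,    20 packets")

# A child SA line looks like "<name>: #<id>, reqid <n>, INSTALLED, ..."
SA_HEADER = re.compile(r"^\s*(?P<name>\S+): #\d+, reqid \d+, INSTALLED")
# Counter lines look like "in  <spi>,   <bytes> bytes,   <packets> packets, ..."
COUNTER = re.compile(
    r"^\s*(?P<dir>in|out)\s+[0-9a-f]+,\s+(?P<bytes>\d+) bytes,\s+(?P<pkts>\d+) packets")

# "in" = encrypted traffic arriving at the EdgeRouter from the peer (the ping
# request), "out" = encrypted traffic leaving the EdgeRouter (the reply).
ADVICE = {
    "both": "requests arrive and replies leave the EdgeRouter; if pings still fail, "
            "check the SonicWall side (inbound policy) or the pinging host",
    "inbound-only": "requests arrive but no reply leaves; check the target host's local "
                    "firewall (Windows blocks ICMP echo by default) and the EdgeRouter "
                    "firewall/NAT rules for eth2",
    "outbound-only": "the EdgeRouter sends but receives nothing; check the SonicWall is "
                     "actually routing into the tunnel",
    "idle": "no traffic on this child SA; check the SA is up and the selectors match",
}


def parse_sa_counters(text):
    """Return {child_sa_name: {"in": (bytes, packets), "out": (bytes, packets)}}."""
    result = {}
    current = None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            current = m.group("name")
            result[current] = {}
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            result[current][m.group("dir")] = (int(m.group("bytes")), int(m.group("pkts")))
    return result


def diagnose(before, after):
    """Classify each child SA by which packet counters grew between snapshots."""
    old = parse_sa_counters(before)
    new = parse_sa_counters(after)
    verdicts = {}
    for name, counters in new.items():
        prev = old.get(name, {})
        in_up = counters.get("in", (0, 0))[1] > prev.get("in", (0, 0))[1]
        out_up = counters.get("out", (0, 0))[1] > prev.get("out", (0, 0))[1]
        if in_up and out_up:
            verdicts[name] = "both"
        elif in_up:
            verdicts[name] = "inbound-only"
        elif out_up:
            verdicts[name] = "outbound-only"
        else:
            verdicts[name] = "idle"
    return verdicts


if __name__ == "__main__":
    for sa, verdict in diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{sa}: {verdict} -> {ADVICE[verdict]}")
```

On a real router you would replace the two embedded strings with output captured from `show vpn ipsec sa` before and after a burst of pings from the SonicWall side; the packet counters (not the "ago" timestamps) are what tell you whether replies ever leave the EdgeRouter.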
03-14-2018 08:32 AM
That is a really good point. I won't have access to the location until tomorrow, but the most likely reason to me now seems to be the Windows firewall... Didn't even consider it since I haven't had to think about that for such a long time. If that's it I may just ram my head through a wall.
I'll update as soon as I can test.