I wanted to put RA VPN users on a seperate IP subnet (mostly for astetics and reporting); however, when it I do that, the VPN client can no longer hit the Internet. If the client configures to use its gateway for Internet, then the client loses access to internal resources. The VPN works perfectly if I put them on the same subnet as LAN users. Here's my scrubbed config. Thanks in advance.
firewall {
all-ping enable
broadcast-ping disable
group {
network-group BOGONs {
network 10.0.0.0/8
network 100.64.0.0/10
network 127.0.0.0/8
network 192.0.0.0/2
network 192.168.0.0/16
network 198.18.0.0/15
network 192.51.100.0/24
network 203.0.113.0/24
network 224.0.0.0/3
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name Inbound_from_WAN {
default-action drop
description Inbound_from_WAN
enable-default-log
rule 20 {
action accept
description ALLOW_VPN
destination {
port 500,1701,4500
}
protocol udp
}
rule 30 {
action accept
description ALLOW_ESP
protocol esp
}
rule 40 {
action accept
description "Allow Established"
log disable
protocol all
state {
established enable
invalid disable
new disable
related disable
}
}
rule 50 {
action drop
description Drop_Invalid
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
rule 60 {
action accept
description Block_BOGONs
log enable
protocol all
source {
group {
network-group BOGONs
}
}
}
}
name LAN_Out {
default-action accept
description ""
rule 1 {
action accept
log disable
protocol udp
source {
address 192.168.10.25
port 53
}
}
rule 2 {
action accept
log disable
protocol udp
source {
address 192.168.10.63
port 53
}
}
rule 3 {
action drop
log disable
protocol udp
source {
address 192.168.10.0/24
port 53
}
}
rule 4 {
action drop
log disable
protocol udp
source {
address 10.99.99.0/24
port 53
}
}
}
name WAN_Local {
default-action drop
description ""
rule 1 {
action accept
description "Allow Established"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action accept
description ALLOW_VPN
destination {
port 500,1701,4500
}
protocol udp
}
rule 3 {
action accept
description ALLW_ESP
protocol esp
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 1.2.3.4/30
duplex auto
firewall {
in {
name Inbound_from_WAN
}
local {
name WAN_Local
}
}
poe {
output off
}
speed auto
}
ethernet eth1 {
address 10.6.11.1/30
description Mgmt
duplex auto
poe {
output off
}
speed auto
}
ethernet eth2 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
duplex auto
poe {
output off
}
speed auto
}
ethernet eth4 {
address 192.168.10.1/24
duplex auto
firewall {
in {
name LAN_Out
}
}
poe {
output off
}
speed auto
}
vif 99 {
address 10.99.99.1/24
firewall {
in {
name LAN_Out
}
}
mtu 1500
}
}
loopback lo {
}
switch switch0 {
mtu 1500
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth4
lan-interface eth4.99
wan-interface eth0
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 1.2.3.3 {
distance 1
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name Internal {
authoritative disable
subnet 192.168.10.0/24 {
default-router 192.168.10.1
dns-server 192.168.10.25
dns-server 208.67.220.220
lease 86400
start 192.168.10.200 {
stop 192.168.10.224
}
unifi-controller 192.168.10.106
}
}
shared-network-name Internal_WLAN {
authoritative disable
subnet 10.99.99.0/24 {
default-router 10.99.99.1
dns-server 192.168.10.25
dns-server 208.67.220.220
lease 86400
start 10.99.99.100 {
stop 10.99.99.149
}
}
unifi-controller 192.168.10.106
}
}
}
dns {
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5000 {
description Internal
log disable
outbound-interface eth0
protocol all
source {
address 192.168.10.0/24
}
type masquerade
}
rule 5001 {
description Internal
log disable
outbound-interface eth0
protocol all
source {
address 10.99.99.0/24
}
type masquerade
}
rule 5002 {
description NoNat
destination {
address 192.168.0.0/24
}
log disable
outbound-interface eth0
protocol all
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
host-name Internal
login {
user AdminAccount {
authentication {
encrypted-password
plaintext-password
}
level admin
}
}
name-server 192.168.10.25
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone
traffic-analysis {
dpi enable
export enable
}
}
traffic-control {
smart-queue Internal_QOS {
upload {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 5mbit
}
wan-interface eth0
}
}
vpn {
ipsec {
auto-firewall-nat-exclude enable
esp-group FOO0 {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group FOO0 {
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 2
encryption aes128
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-networks {
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable
l2tp {
remote-access {
authentication {
}
}
mode radius
radius-server 192.168.10.5 {
key
}
}
client-ip-pool {
start 172.16.37.230
stop 172.16.37.249
}
dns-servers {
server-1 192.168.10.25
}
ipsec-settings {
authentication {
mode pre-shared-secret
}
ike-lifetime 3600
}
outside-address 1.2.3.4
outside-nexthop 1.2.3.3
}
}
}