Can someone look at my config file and see why I can't connect to my VPN? I'm trying to use my MacBook and iPhone to connect to my home network.
eth1 is my primary LAN. I have an AT&T MicroCell connected to eth2 that should be wide open (I hope anyhow). It seems that since I connected it directly to eth2 and took it off my primary LAN, I'm getting better connections with it.
I really just want my VPN to access my primary network (10.0.1.0/24), but I put the 0.0.0.0/0 option last trying to get it to work. No go.
Not sure if I have a firewall rule that is preventing it.
Also, can someone verify that my DMZ (eth2) is isolated and can't connect to my primary LAN (eth1) with the firewalls/settings I have?
Thanks!!
/* EdgeOS (Vyatta-style) configuration as pasted into the post, re-indented; */
/* values shown as "sanitized" were redacted by the author. Review notes sit */
/* next to the stanza they concern. The most likely cause of the VPN failure */
/* is noted at port-forward rules 5/6 and at service nat rule 2: inbound IKE, */
/* NAT-T and ESP are DNATed to the MicroCell before the router's own L2TP/IPsec */
/* server can see them. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group CAM {
            address 10.0.1.80-10.0.1.82
            description Cameras
        }
        address-group GUEST {
            address 10.0.3.0/24
            description "Guest VLAN"
        }
        address-group LAN {
            address 10.0.1.0/24
            description LAN
        }
        address-group MANAGEMENT {
            address 10.0.5.0/24
            description "Management VLAN"
        }
        address-group TV {
            address 10.0.2.0/24
            description "TV VLAN"
        }
        network-group DMZ {
            description DMZ
            network 10.0.4.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Forward-path policy for eth2 (see interfaces ethernet eth2 firewall in). */
    /* Drops DMZ -> LAN/TV/Guest/Management; everything else is accepted, which */
    /* includes the L2TP client pool 10.0.0.10-10.0.0.20 (no rule covers it). */
    name DMZ_In {
        default-action accept
        description ""
        rule 1 {
            action drop
            description LAN
            destination {
                address 10.0.1.0/24
            }
            log disable
            protocol all
        }
        rule 2 {
            action drop
            description TV
            destination {
                address 10.0.2.0/24
            }
            log disable
            protocol all
        }
        rule 3 {
            action drop
            description Guest
            destination {
                address 10.0.3.0/24
            }
            log disable
            protocol all
        }
        rule 4 {
            action drop
            description Management
            destination {
                address 10.0.5.0/24
            }
            log disable
            protocol all
        }
    }
    /* Policy for traffic from eth2 addressed to the router itself. With */
    /* default-action accept, rule 1 is redundant and every router service the */
    /* DMZ can reach (the GUI under service gui, DHCP, DNS) stays reachable. For */
    /* real isolation the usual shape is default-action drop plus explicit accepts */
    /* for DNS (udp 53) and DHCP (udp 67). Same remark applies to Guest_Local and */
    /* TV_Local below. */
    name DMZ_Local {
        default-action accept
        description ""
        rule 1 {
            action accept
            description DNS
            destination {
                port 53
            }
            log disable
            protocol udp
        }
    }
    /* Forward-path policy for the Guest VLAN (eth1.2 in). */
    name Guest_In {
        default-action accept
        description "Guest Access"
        rule 10 {
            action drop
            description LAN
            destination {
                address 10.0.1.0/24
            }
            log disable
            protocol all
        }
        rule 20 {
            action drop
            description TV
            destination {
                address 10.0.2.0/24
            }
            log disable
            protocol all
        }
        rule 30 {
            action drop
            description DMZ
            destination {
                address 10.0.4.0/24
            }
            log disable
            protocol all
        }
        rule 40 {
            action drop
            description Management
            destination {
                address 10.0.5.0/24
            }
            log disable
            protocol all
        }
    }
    /* See the note on DMZ_Local: default accept makes the DNS rule redundant. */
    name Guest_Local {
        default-action accept
        description "Local Guest"
        rule 1 {
            action accept
            description DNS
            destination {
                port 53
            }
            log disable
            protocol udp
        }
    }
    /* Attached to eth1 'local' (LAN traffic addressed to the router), not 'in'. */
    /* Rules 20/30/40 only match packets whose source and destination are the */
    /* same VLAN subnet, which would not normally arrive on eth1's local chain, */
    /* and rule 41 only accepts already-established traffic towards the L2TP */
    /* pool. None of these affect VPN setup, which terminates on eth0. With */
    /* eth1's in/out stanzas empty, LAN -> anything is unfiltered (intended). */
    name InterVLAN1 {
        default-action accept
        description "Primary LAN"
        rule 20 {
            action drop
            description "VLAN2 Drop"
            destination {
                address 10.0.2.0/24
                group {
                }
            }
            log disable
            protocol all
            source {
                address 10.0.2.0/24
            }
        }
        rule 30 {
            action drop
            description "VLAN3 Drop"
            destination {
                address 10.0.3.0/24
                group {
                }
            }
            log disable
            protocol all
            source {
                address 10.0.3.0/24
            }
        }
        rule 40 {
            action drop
            description "VLAN4 Drop"
            destination {
                address 10.0.4.0/24
                group {
                }
            }
            log disable
            protocol all
            source {
                address 10.0.4.0/24
            }
        }
        rule 41 {
            action accept
            description "VPN Accept"
            destination {
                address 10.0.0.10-10.0.0.20
            }
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
    }
    /* Forward-path policy for the TV VLAN (eth1.2 in). */
    name TV_In {
        default-action accept
        description ""
        rule 1 {
            action drop
            description LAN
            destination {
                address 10.0.1.0/24
            }
            log disable
            protocol all
        }
        rule 2 {
            action drop
            description Guest
            destination {
                address 10.0.3.0/24
            }
            log disable
            protocol all
        }
        rule 3 {
            action drop
            description DMZ
            destination {
                address 10.0.4.0/24
            }
            log disable
            protocol all
        }
        rule 4 {
            action drop
            description Management
            destination {
                address 10.0.5.0/24
            }
            log disable
            protocol all
        }
    }
    /* See the note on DMZ_Local: default accept makes the DNS rule redundant. */
    name TV_Local {
        default-action accept
        description ""
        rule 1 {
            action accept
            description DNS
            destination {
                port 53
            }
            log disable
            protocol udp
        }
    }
    /* WAN -> internal: default drop, only return traffic allowed. Port-forward */
    /* auto-firewall enable adds the accepts for the forwarded ports. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 1 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 4 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* WAN -> router. Rules 20/30/40 open IKE, L2TP, ESP and NAT-T for the */
    /* remote-access server, but they only see a packet if no DNAT rule has */
    /* already redirected it; port-forward rules 5/6 and nat rule 2 do exactly */
    /* that for udp/500, udp/4500 and every other protocol. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        /* udp/1701 is accepted from any WAN source, not only from inside the */
        /* IPsec tunnel. EdgeOS firewall rules can carry ipsec { match-ipsec } */
        /* so that plaintext L2TP is refused; worth adding once the VPN works. */
        rule 20 {
            action accept
            description "Allow L2TP for Remote VPN Server"
            destination {
                port 500,1701
            }
            log disable
            protocol udp
        }
        rule 30 {
            action accept
            description "Allow ESP for Remote VPN Server"
            log disable
            protocol 50
        }
        rule 40 {
            action accept
            description "Allow NAT Traversal for Remote VPN Server"
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        rule 50 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* Reverse-path filtering is off; 'loose' is a cheap anti-spoofing check on */
    /* a router with this many segments. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "Xfinity Internet"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* Primary LAN. Only the 'local' direction carries a ruleset (InterVLAN1); */
    /* in and out are empty, so LAN hosts reach every other segment. */
    ethernet eth1 {
        address 10.0.1.1/24
        description "Nix Intranet"
        duplex auto
        firewall {
            in {
            }
            local {
                name InterVLAN1
            }
            out {
            }
        }
        speed auto
        vif 2 {
            address 10.0.2.1/24
            description "TV Internet Access"
            firewall {
                in {
                    name TV_In
                }
                local {
                    name TV_Local
                }
            }
        }
        vif 3 {
            address 10.0.3.1/24
            description "Guest Internet Access"
            firewall {
                in {
                    name Guest_In
                }
                local {
                    name Guest_Local
                }
            }
        }
    }
    /* DMZ holding the MicroCell (10.0.4.2). DMZ_In blocks the forward path to */
    /* the other segments; DMZ_Local (default accept) does not block the router. */
    ethernet eth2 {
        address 10.0.4.1/24
        description DMZ
        duplex auto
        firewall {
            in {
                name DMZ_In
            }
            local {
                name DMZ_Local
            }
        }
        mtu 1492
        speed auto
    }
    /* DHCP client with no firewall assigned. If this port ever faces an */
    /* untrusted network it needs the WAN_IN/WAN_LOCAL treatment eth0 has. */
    ethernet eth3 {
        address dhcp
        description "Backup Access"
        duplex auto
        speed auto
    }
    ethernet eth4 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth5 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth6 {
        disable
        duplex auto
        speed auto
    }
    ethernet eth7 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
/* Inbound port forwards on eth0. hairpin-nat with eth2 as a lan-interface lets */
/* DMZ hosts reach the WAN address for these ports; forwards to the cameras on */
/* 10.0.1.x are still subject to DMZ_In rule 1 on the forward path, since DNAT */
/* is applied before that chain. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    lan-interface eth2
    rule 1 {
        description "Luca Bedroom Camera"
        forward-to {
            address 10.0.1.80
            port sanitized
        }
        original-port sanitized
        protocol tcp
    }
    rule 2 {
        description "Luca Playroom Camera"
        forward-to {
            address 10.0.1.81
            port sanitized
        }
        original-port sanitized
        protocol tcp
    }
    rule 3 {
        description "Bentley Camera"
        forward-to {
            address 10.0.1.82
            port sanitized
        }
        original-port sanitized
        protocol tcp
    }
    rule 4 {
        description "MicroCell 123 UDP"
        forward-to {
            address 10.0.4.2
            port 123
        }
        original-port 123
        protocol udp
    }
    /* Rules 5 and 6 forward NAT-T (udp/4500) and IKE (udp/500) to the MicroCell. */
    /* DNAT runs before the router's local firewall, so an IKE packet from a VPN */
    /* client on the WAN is redirected to 10.0.4.2 and never reaches the router's */
    /* own L2TP/IPsec server (WAN_LOCAL rules 20/40 are bypassed). This is the */
    /* most likely reason the MacBook/iPhone cannot connect: the MicroCell and */
    /* the remote-access VPN cannot both own udp/500 and udp/4500 on the single */
    /* WAN address. nat rule 2 below has the same effect for every protocol. */
    rule 5 {
        description "MicroCell 4500 UDP"
        forward-to {
            address 10.0.4.2
            port 4500
        }
        original-port 4500
        protocol udp
    }
    rule 6 {
        description "MicroCell 500 UDP"
        forward-to {
            address 10.0.4.2
            port 500
        }
        original-port 500
        protocol udp
    }
    rule 7 {
        description "MicroCell 443 TCP"
        forward-to {
            address 10.0.4.2
            port 443
        }
        original-port 443
        protocol tcp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name DMZ {
            authoritative disable
            subnet 10.0.4.0/24 {
                default-router 10.0.4.1
                dns-server 75.75.75.75
                dns-server 8.8.8.8
                lease 31536000
                static-mapping PHONE-MICROCELL {
                    ip-address 10.0.4.2
                    mac-address sanitized
                }
            }
        }
        shared-network-name Guest {
            authoritative disable
            subnet 10.0.3.0/24 {
                default-router 10.0.3.1
                dns-server 75.75.75.75
                dns-server 8.8.8.8
                lease 86400
                start 10.0.3.100 {
                    stop 10.0.3.150
                }
            }
        }
        /* The author replaced the static mappings with a note; the braces in */
        /* this stanza no longer balance as pasted (one extra closing brace */
        /* before shared-network-name TV), so the layout below is best effort. */
        /* stop 10.0.1.255 is the /24 broadcast address; the last usable host */
        /* is 10.0.1.254. */
        shared-network-name LAN1 {
            authoritative disable
            subnet 10.0.1.0/24 {
                default-router 10.0.1.1
                dns-server 10.0.1.1
                lease 432000
                start 10.0.1.140 {
                    stop 10.0.1.255
                }
                numerous static MAP’s removed for space
            }
            unifi-controller 10.0.1.100
        }
    }
        shared-network-name TV {
            authoritative disable
            subnet 10.0.2.0/24 {
                default-router 10.0.2.1
                dns-server 75.75.75.75
                dns-server 8.8.8.8
                lease 31536000
                static-mapping TV-EXERCISEROOM {
                    ip-address 10.0.2.5
                    mac-address sanitized
                }
                static-mapping TV-LIVINGROOM {
                    ip-address 10.0.2.2
                    mac-address sanitized
                }
                static-mapping TV-LIVINGROOMDVD {
                    ip-address 10.0.2.3
                    mac-address sanitized
                }
                static-mapping TV-MASTERBEDROOM {
                    ip-address 10.0.2.4
                    mac-address sanitized
                }
                static-mapping TV-PLAYROOM {
                    ip-address 10.0.2.6
                    mac-address sanitized
                }
            }
        }
    }
    dns {
        dynamic {
            interface eth0 {
                service dyndns {
                    host-name name.domainname.com
                    login sanitized
                    password sanitized
                }
                web dyndns
            }
        }
        /* VPN clients are handed 10.0.1.1 as resolver (vpn l2tp dns-servers), */
        /* but the L2TP ppp interfaces are not among the listen-on entries; */
        /* verify name resolution from a connected client once the tunnel works. */
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth1.2
            listen-on eth1.3
            listen-on eth2
            options listen-address=10.0.1.1
            system
        }
    }
    /* Management UI. older-ciphers enable re-enables legacy TLS cipher suites; */
    /* only keep it if an old client actually needs it. */
    gui {
        http-port sanitized
        https-port sanitized
        older-ciphers enable
    }
    nat {
        rule 1 {
            description Cameras
            inbound-interface eth0
            inside-address {
                address 10.0.1.80-10.0.1.82
                port sanitized
            }
            log disable
            protocol tcp
            type destination
        }
        /* Destination NAT of every protocol and every port arriving on eth0 to */
        /* 10.0.4.2, with no port restriction: a full 1:1 exposure of the */
        /* MicroCell (the author's stated intent). It also captures ESP */
        /* (protocol 50) and any port not taken by rule 1, so nothing addressed */
        /* to the WAN IP is left for the router's own VPN server. port-forward */
        /* rules 4-7 duplicate ports this rule already forwards. */
        rule 2 {
            description MicroCell
            inbound-interface eth0
            inside-address {
                address 10.0.4.2
            }
            log disable
            protocol all
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    /* UPnP lets any device on the LAN and TV VLAN open inbound ports on eth0 */
    /* on its own; those mappings are not visible in this config. */
    upnp {
        listen-on eth1 {
            outbound-interface eth0
        }
        listen-on eth1.2 {
            outbound-interface eth0
        }
    }
}
system {
    domain-name sanitized
    host-name router
    login {
        user sanitized {
            authentication {
                encrypted-password sanitized
            }
            full-name ""
            level admin
        }
    }
    name-server 75.75.75.75
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
        ipv6 {
            forwarding enable
            pppoe disable
            vlan enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth0
        }
        /* allowed-network 0.0.0.0/0 is the NAT-traversal client allow-list */
        /* (clients behind NAT from any address). It does not decide which */
        /* internal networks a VPN client may reach, so it is not the knob for */
        /* "VPN only sees 10.0.1.0/24". */
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    /* Remote-access L2TP/IPsec on eth0. No firewall ruleset is applied to the */
    /* tunnel anywhere in this config, so a connected client can reach every */
    /* segment (LAN, TV, Guest, DMZ, Management), and DMZ_In does not drop */
    /* traffic back to the 10.0.0.10-10.0.0.20 pool. Limiting clients to */
    /* 10.0.1.0/24 would need a ruleset on the tunnel, not a NAT setting. */
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username sanitized {
                        password sanitized
                    }
                }
                mode local
            }
            /* Pool is outside every configured subnet, so there is no overlap. */
            client-ip-pool {
                start 10.0.0.10
                stop 10.0.0.20
            }
            dns-servers {
                server-1 10.0.1.1
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret sanitized
                }
                ike-lifetime 3600
            }
            mtu 1500
            outside-address sanitized.45
            outside-nexthop sanitized.1
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.8.5.4884695.160608.1104 */