ipcop support

community support forum

All times are UTC [ DST ]

[ 18 posts ]

Posted: Sat Apr 28, 2012 9:32 am
New User

Joined: Mon Mar 05, 2012 10:55 pm
Posts: 50
For starters, I am using IPCop 2.0.4 and I have the following configuration:
RED: public ip -> IPCop -> GREEN(10.2.24.1)/ORANGE(10.3.24.1)/OpenVPN(10.171.10.1)

I have two issues, and they may or may not be related. The first is that when connecting to the VPN (using OpenVPN GUI) I can no longer access the network I am on, meaning I lose internet access, etc. The subnet on the VPN client's end is 192.168.2.1.

The second issue is that once connected via VPN I can access the IPCop web GUI, but I cannot access any of the devices on the GREEN network. I cannot ping them or connect to the file server running on 10.2.24.5.

I've been trying to mess with firewall rules to allow access on ports from the VPN to the GREEN network, and I have also enabled push routes on the OpenVPN advanced settings page. I'm out of ideas as to what is causing either of these issues. I've looked at some of the posts on the forums and see that it might be an issue with NAT or routing tables. The only NAT device is IPCop. If it is a routing issue, I don't know that I fully understand what I need to do in order to accomplish it safely.

Any ideas?

Thanks, sharf.


Posted: Sat Apr 28, 2012 9:03 pm
New User

Joined: Mon Mar 05, 2012 10:55 pm
Posts: 50
Update: I fixed the first issue with the LAN getting disconnected when I use the VPN. I had to turn off "tunnel all traffic" in the push routes section of the advanced settings. I do have push routes to GREEN enabled, and I set a firewall rule for internal traffic to allow all traffic from the OpenVPN to the GREEN network. That still does not work; whenever I try to ping anything, I get a response from the IPCop box (10.171.10.1) saying the destination port is unreachable.


 
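Added example, not from the thread: a small Python model of the road warrior's routing table under the two push policies the update above contrasts, the "tunnel all traffic" setting (OpenVPN's push "redirect-gateway def1") and a plain push "route" for GREEN. The client LAN 192.168.2.0/24 on eth0 with gateway 192.168.2.1, the tunnel device name tun0, the client-side view of the 10.171.10.0/24 OpenVPN subnet from the first post, and the placeholder public address 203.0.113.10 for IPCop's RED side are all assumptions; longest-prefix matching is what the client's kernel does with the resulting table. It shows why "tunnel all traffic" moved internet traffic into the tunnel (where it only works if IPCop forwards and NATs it out RED), while the local /24 stays reachable because it is more specific than the two /1 routes def1 installs, and why a single pushed route for 10.2.24.0/24 leaves everything else on the local gateway.

```python
"""Where does a road warrior's traffic go under two OpenVPN push policies? (added example)"""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    gateway: str   # next hop, or "on-link" for a directly connected network
    dev: str


# Constructed road-warrior facts (assumptions, apart from 192.168.2.1 and the
# 10.171.10.0/24 OpenVPN subnet named in the thread): LAN on eth0, tunnel on tun0,
# IPCop's public address is a placeholder from the documentation range.
LAN = IPv4Net("192.168.2.0/24")
LAN_GATEWAY = "192.168.2.1"
VPN_NET = IPv4Net("10.171.10.0/24")
VPN_GATEWAY = "10.171.10.1"
IPCOP_PUBLIC = "203.0.113.10"


def base_table():
    """Routes the client has before the server pushes anything."""
    return [
        Route(LAN, "on-link", "eth0"),
        Route(IPv4Net("0.0.0.0/0"), LAN_GATEWAY, "eth0"),
        Route(VPN_NET, "on-link", "tun0"),
    ]


def apply_push(table, push_lines):
    """Add the routes an OpenVPN client installs for the given server-side push directives."""
    table = list(table)
    for line in push_lines:
        directive = line.split(None, 1)[1].strip().strip('"')
        tokens = directive.split()
        if tokens[0] == "route":
            # push "route <network> <netmask>": one extra prefix via the tunnel.
            table.append(Route(IPv4Net(f"{tokens[1]}/{tokens[2]}"), VPN_GATEWAY, "tun0"))
        elif tokens[0] == "redirect-gateway" and "def1" in tokens:
            # def1: two /1 routes override the default without deleting it, plus a host
            # route so the encrypted traffic to the VPN server itself still leaves via the LAN.
            table.append(Route(IPv4Net("0.0.0.0/1"), VPN_GATEWAY, "tun0"))
            table.append(Route(IPv4Net("128.0.0.0/1"), VPN_GATEWAY, "tun0"))
            table.append(Route(IPv4Net(f"{IPCOP_PUBLIC}/32"), LAN_GATEWAY, "eth0"))
    return table


def lookup(table, dst):
    """Longest-prefix match, which is how the kernel chooses among overlapping routes."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def egress(push_lines, destinations):
    """Map each destination to the interface its packets leave on."""
    table = apply_push(base_table(), push_lines)
    return {dst: lookup(table, dst).dev for dst in destinations}


PUSH_GREEN_ONLY = ['push "route 10.2.24.0 255.255.255.0"']
TUNNEL_ALL = ['push "redirect-gateway def1"', 'push "route 10.2.24.0 255.255.255.0"']
PROBES = ["10.2.24.5", "8.8.8.8", "192.168.2.50", IPCOP_PUBLIC]

if __name__ == "__main__":
    for name, push in (("push route to GREEN", PUSH_GREEN_ONLY), ("tunnel all traffic", TUNNEL_ALL)):
        print(name, egress(push, PROBES))
```

Compare the model with the real table on a client after connecting (`ip route` on Linux, `route print` on Windows): with the GREEN push only, the 10.2.24.0/24 prefix should appear via the tun interface and nothing else should have moved.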
Posted: Sat May 05, 2012 3:33 am
User

Joined: Fri Apr 09, 2010 11:08 am
Posts: 158
Location: Melb, Australia
Hi Sharf,

You probably don't have the gateway info correctly set at the destination.
The destination needs to know how to reply to a request from a different subnet.
E.g.: I'm on the OpenVPN subnet with IP 192.168.1.100 & I want to connect to a GREEN destination with IP 192.168.100.100.
The GREEN destination needs to know that it uses the same gateway to reply to 192.168.1.x as it uses for replying to 192.168.100.x requests.

HTH

_________________
IPCop 2.0.4 - Copfilter 2.0.91beta3
RED - GREEN - BLUE - IPSec - OpenVPN
Pentium Dual Core 2.6Ghz - 2Gb RAM - 80Gb ATA HDD
Realtek RTL-8110SC/8169SC - 2 x Realtek RTL-8169


 
Posted: Sat May 05, 2012 9:35 am
New User

Joined: Mon Mar 05, 2012 10:55 pm
Posts: 50
That's what I gathered from looking around. That sounds like I need to tell every client to respond in a particular way (which I have no idea how to do, and sounds like a lot of work), or that I need to let the firewall handle that, if possible. I have no idea how to even begin searching for a way to do this; what should I try first?

Thanks, sharf.


 
Posted: Sat May 05, 2012 10:09 am
User

Joined: Fri Apr 09, 2010 11:08 am
Posts: 158
Location: Melb, Australia
You haven't said anything about what you are actually trying to connect to.
Routers, printers, PCs, what OS, that type of thing?
Does what you are trying to connect to get IP, gateway / routes and DNS from the IPC DHCP?

If yes, I would start looking for info on how to set multiple gateways via DHCP.
Probably a Google search for dnsmasq DHCP options would be a good place to start.
If you can find the right info you can probably set it from IPC DHCP.
Once you have the right command you will need to edit the file "/var/ipcop/dhcp/dnsmasq.local".
Make a backup first & be careful not to break it.

Remember, if it's only a couple of things you want to connect to, it's probably easier to set it at the device manually.

No, I'm not being difficult; I did it manually on my network devices, WiFi router & printers.

HTH

PS: Don't forget to restart the DHCP service after editing. :)

 
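Added example, not from the thread or from IPCop: the route information a DHCP server can hand a GREEN host so that it knows the way back to the VPN subnet is a classless static route, DHCP option 121 (RFC 3442), rather than a second router address. The Python below encodes and decodes that option and prints a line for /var/ipcop/dhcp/dnsmasq.local; the 10.110.47.0/24 tunnel subnet (the one the road warrior reports later in the thread), the GREEN gateway 10.2.24.1 and the colon-separated hex form of the dnsmasq value are assumptions. Two caveats: a client that receives option 121 ignores the plain router option (RFC 3442 requires this), so the default route must be included in the same option; and a host whose default gateway already is IPCop needs no such route at all, which is the situation later in this thread, where 10.2.24.24 can already ping the road warrior.

```python
"""DHCP option 121 (classless static route, RFC 3442) for dnsmasq. Added example."""
import ipaddress


def encode_classless_routes(routes):
    """Return the raw option-121 bytes for a list of (destination CIDR, router) pairs.

    Each entry is: one byte of prefix length, then only the significant octets of
    the destination (ceil(prefixlen / 8) of them), then the 4-byte router address.
    strict=True rejects destinations with host bits set, which would encode silently
    to a different network than the one the operator typed.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(raw):
    """Parse option-121 bytes back into (CIDR, router) pairs; rejects truncated data."""
    routes, i = [], 0
    while i < len(raw):
        plen = raw[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length > 32")
        n = (plen + 7) // 8
        if i + n + 4 > len(raw):
            raise ValueError("truncated route entry")
        dest = bytes(raw[i:i + n]) + b"\x00" * (4 - n)   # pad the omitted octets
        i += n
        router = raw[i:i + 4]
        i += 4
        routes.append((str(ipaddress.IPv4Network((dest, plen))),
                       str(ipaddress.IPv4Address(router))))
    return routes


def dnsmasq_option_line(routes, code=121):
    """Build a dhcp-option line. Assumption: dnsmasq accepts raw option data as
    colon-separated hex bytes. code=249 gives Microsoft's equivalent option for Windows."""
    raw = encode_classless_routes(routes)
    return f"dhcp-option={code}," + ":".join(f"{b:02x}" for b in raw)


# Constructed input: GREEN hosts reach the OpenVPN subnet via IPCop's GREEN address,
# and keep IPCop as default gateway (option 3 is ignored once 121 is present).
ROUTES = [("10.110.47.0/24", "10.2.24.1"), ("0.0.0.0/0", "10.2.24.1")]

if __name__ == "__main__":
    print(dnsmasq_option_line(ROUTES))
    print(decode_classless_routes(encode_classless_routes(ROUTES)))
```

Make the backup the post recommends before editing, restart dnsmasq afterwards, and confirm on a host after it renews its lease (`ip route` on Linux, `route print` on Windows) that the 10.110.47.0/24 route and the default route both arrived.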
Posted: Sat May 05, 2012 1:16 pm
User

Joined: Fri Apr 09, 2010 11:08 am
Posts: 158
Location: Melb, Australia
It's just occurred to me to ask another question.
In your destination F/W, what do you have as primary & secondary DNS settings for the DHCP server?

On my RED interface I let the ISP supply the settings.
In my GREEN DHCP settings I have the GREEN NIC as primary (internal name resolution) & 8.8.8.8 (Google) as secondary, as I don't trust my ISP to always get it right.

Others on this forum have told me in the past this is wrong, but it works for me, especially with VPN & OpenVPN running. (Wish I could work out how to push routes with VPN on 2.x.)

With push routes enabled this should at least get you a ping response from machines on the GREEN end.
Not sure about other options at the moment.

Firewall rules are a factor too.

HTH.

EDIT: I just did some quick testing over an OpenVPN connection I have; it works perfectly to a printer web GUI on the remote end as long as DHCP DNS is set for the GREEN NIC as primary & the remote destination is set for DHCP & not static.

 
Posted: Sat May 05, 2012 10:37 pm
New User

Joined: Mon Mar 05, 2012 10:55 pm
Posts: 50
I'm not quite sure what you're talking about... I'm having a hard time visualizing the settings you're talking about. I have DHCP set up for my GREEN NIC to use Comodo Secure DNS (instead of my ISP); both primary and secondary are the two Comodo DNS servers. On my OpenVPN advanced settings I have it set to push routes for GREEN. With this setup, all my GREEN computers work perfectly, and the Roadwarrior can connect and access the IPCop web GUI. In this configuration, though, the Roadwarrior cannot ping any GREEN device; I get a response from the IPCop machine saying destination port unreachable. I also cannot use my FTP client to connect to the server on GREEN. Ideally I would like to access ALL GREEN devices from the Roadwarrior, but access to just one device (the server) would be sufficient. I would also need access to a server on my ORANGE NIC from the VPN.

I don't know if that helped you any.

Thanks, sharf.


 
Posted: Sun May 06, 2012 1:49 am
User

Joined: Fri Apr 09, 2010 11:08 am
Posts: 158
Location: Melb, Australia
OK, I understand.

So first, what to do:
On IPC go to Services > DHCP.
Under the GREEN section of DHCP Settings:
Change the primary DNS to your IPC GREEN NIC IP.
Change the secondary DNS to any DNS you prefer on the net.
Of course, click Save.

Go to any GREEN machine you want to connect to and make sure it has renewed its DHCP lease since the changes. (I assume you have them set for dynamic IP via DHCP & not fixed.)

Connect OpenVPN and see how you go.

I think on the ORANGE network you will have to set the IP, gateway and DNS manually on each machine.

HTH

 
Posted: Sun May 06, 2012 2:06 am
Site Moderator

Joined: Sun Jun 06, 2004 3:38 am
Posts: 3756
Location: Colorado, USA
I never understood the reasoning behind setting up a secondary DNS OUTSIDE your Firewall (assuming you're setting the Primary up as IPCOP).

If IPCOP is down, then the Outside DNS will be unreachable.

If you run HOSTS in IPCOP, then going outside will bypass those entries.

If IPCOP is down, you have bigger problems than name resolution, especially if you're letting IPCOP do your DHCP as well.

YMMV

_________________
For the 2.5^15th time :: Better Details = Better Answers


 
Posted: Sun May 06, 2012 2:21 am
User

Joined: Fri Apr 09, 2010 11:08 am
Posts: 158
Location: Melb, Australia
Hi VS,

Yes, I think so too, but it makes it work for me.
Even back with 1.4.21 I used this setup; it just works with the VPNs & Hosts running.

My theory is the RED DNS settings let IPC do all the hard work, but like I said, here in OZ I don't trust the ISPs.
So for internal machines I set them to use the IPC as the primary & then, in my case, Google as the secondary.
So if my ISP / IPC can't find it, at least Google should.

Before I started using this config I would get "not found" errors all the time.

Cheers.

PS: YMMV?

 
Posted: Sun May 06, 2012 5:10 am
New User

Joined: Mon Mar 05, 2012 10:55 pm
Posts: 50
I've got some pretty important file transfers going, so I'll have to try the DNS tomorrow. But I have to figure that there is a better, more practical way to make VPNs work... They are deployed on a mass scale for businesses, and this method seems like a bit of a kludge, but I'll give it a shot.


 
Posted: Sun May 06, 2012 12:44 pm
Expert

Joined: Sat Sep 23, 2006 11:23 am
Posts: 2321
Location: LDK | Hessen | Germany
moshari_3 wrote:
So for internal machines I set them to use the IPC as the primary & then, in my case, Google as the secondary.
So if my ISP / IPC can't find it, at least Google should.

That design is broken. Your internal machines will only use secondary if the primary is down.

_________________

-=[ If you want answers: provide lots of information, including tiny details! ]=-


 
Posted: Mon May 07, 2012 10:18 am
User

Joined: Fri Apr 09, 2010 11:08 am
Posts: 158
Location: Melb, Australia
weizen_42 wrote:
That design is broken. Your internal machines will only use secondary if the primary is down.
It may be broken, but it's how I solved some problems with name lookups through my ISP, as well as others for my friends.

It works, I know it works; I'll accept that unless someone can show me a better way that actually works.

Remember sometimes the shortest route between two points is a straight line in the opposite direction. :D

 
Posted: Mon May 07, 2012 8:47 pm
New User

Joined: Mon Mar 05, 2012 10:55 pm
Posts: 50
I tried changing the DNS server to the IPCop GREEN NIC, and no luck, still no connection. What else should I try?

Thanks, sharf.


 
Posted: Tue May 08, 2012 8:08 am
User

Joined: Fri Apr 09, 2010 11:08 am
Posts: 158
Location: Melb, Australia
Try checking DNS, gateway & firewall settings at the destination.

What network is the destination on? GREEN, BLUE or ORANGE?

Can your terminal on the destination IPCop ping the machine you want to connect to?

 
Posted: Tue May 08, 2012 6:09 pm
New User

Joined: Mon Mar 05, 2012 10:55 pm
Posts: 50
There was nothing at the destination (GREEN 10.2.24.24) preventing connection; I changed the DNS to what you suggested, and the gateway was normal, it has internet access. The Roadwarrior (10.110.47.6) can ping the IPCop (10.110.47.1) but can't ping 10.2.24.24, and gets a "destination port unreachable" when trying to ping 10.110.47.24. However, 10.2.24.24 can ping 10.110.47.6.


 
Posted: Wed May 09, 2012 8:29 am
User

Joined: Fri Apr 09, 2010 11:08 am
Posts: 158
Location: Melb, Australia
I have just read through your post from early April & the only thing that comes to mind is: did you ever create a local firewall rule to allow IPsec RED to talk to GREEN?

If not, I think you need to, but I'm not absolutely sure.
Basic idea: from Firewall Rules under Internal Traffic you need to create a rule that allows IPSEC-RED to talk to GREEN.

Source:
Default interface = IPSEC-RED
Default network = OpenVPN Network

Destination:
Default interface = GREEN
Default network = Green Network

That should open it right up. ??
At least it should get you a bit further along with testing.

Assuming that works & you get what you want, you should tighten up the rule a bit when you finish testing.

Give it a go; if it doesn't help, delete the rule.

 
Posted: Wed May 09, 2012 9:49 pm
New User

Joined: Mon Mar 05, 2012 10:55 pm
Posts: 50
I have for a while (with no success) had a firewall rule under Internal Traffic with the default interface as OpenVPN-RW and the default network as OpenVPN Network. Then the destination default interface is GREEN and the default network is Green Network. I have "use service" unchecked and the rule action is Accept. I have it logged, and it does not do anything that I can tell (it does not work with or without the rule).


 
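Added example, not part of the thread or of IPCop: a Python model of the firewall's FORWARD chain that reproduces the symptom reported in the posts above and checks the rule meant to fix it. An iptables REJECT with no --reject-with option answers with ICMP port unreachable, sent from the firewall's own address on the interface the packet arrived on, so "destination port unreachable" from the IPCop address in reply to a ping means the packet was rejected by the firewall on IPCop, not that routing, DNS or the target host failed. The pattern reported on May 8 (GREEN can ping the road warrior, the road warrior cannot ping GREEN) is what a default-deny forward policy produces when GREEN may initiate and only replies to accepted flows are allowed back. The rule set, the interface names and the use of the 10.110.47.0/24 tunnel subnet from the later posts are constructed approximations, not IPCop's real chain layout. Because the thread shows two different OpenVPN subnets (10.171.10.x in April, 10.110.47.x in May), the example also checks that the source network on the accept rule actually contains the address the client holds; a rule with a stale network object matches nothing, and its log stays empty.

```python
"""Both directions of the VPN <-> GREEN path through a FORWARD rule set. Added example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

# Constructed model of the IPCop box in the thread: GREEN 10.2.24.1/24, ORANGE 10.3.24.1/24,
# OpenVPN tunnel 10.110.47.1/24 (the subnet the road warrior reports in May). Device names
# are assumptions; the tuple is (interface address, connected network).
INTERFACES = {
    "eth0": ("10.2.24.1", Net("10.2.24.0/24")),       # GREEN
    "eth1": ("10.3.24.1", Net("10.3.24.0/24")),       # ORANGE
    "tun0": ("10.110.47.1", Net("10.110.47.0/24")),   # OpenVPN road warriors
}


@dataclass
class Packet:
    src: str
    dst: str
    established: bool = False   # True for packets of a connection already accepted


@dataclass
class Rule:
    target: str                      # "ACCEPT" or "REJECT"
    in_dev: Optional[str] = None
    src: Optional[Net] = None
    dst: Optional[Net] = None
    established: Optional[bool] = None
    reject_with: str = "icmp-port-unreachable"   # iptables' default for -j REJECT

    def matches(self, pkt, in_dev):
        return ((self.in_dev is None or self.in_dev == in_dev)
                and (self.src is None or ipaddress.IPv4Address(pkt.src) in self.src)
                and (self.dst is None or ipaddress.IPv4Address(pkt.dst) in self.dst)
                and (self.established is None or self.established == pkt.established))


def dev_for(addr):
    """Which directly connected interface owns this address (longest prefix wins)."""
    a = ipaddress.IPv4Address(addr)
    owners = [(net.prefixlen, dev) for dev, (_, net) in INTERFACES.items() if a in net]
    if not owners:
        raise ValueError(f"no route to {addr}")
    return max(owners)[1]


def forward(rules, pkt):
    """Run the packet through the FORWARD chain; first match wins, as in iptables."""
    in_dev, out_dev = dev_for(pkt.src), dev_for(pkt.dst)
    for rule in rules:
        if rule.matches(pkt, in_dev):
            if rule.target == "ACCEPT":
                return f"forwarded {in_dev} -> {out_dev}"
            # REJECT answers from the address of the interface the packet came in on.
            return f"ICMP {rule.reject_with} from {INTERFACES[in_dev][0]}"
    return "dropped (chain policy)"


def ping_both_ways(rules, vpn_client="10.110.47.6", green_host="10.2.24.24"):
    """Echo request in each direction, plus the road warrior's reply to GREEN's ping."""
    return {
        "vpn->green echo request": forward(rules, Packet(vpn_client, green_host)),
        "green->vpn echo request": forward(rules, Packet(green_host, vpn_client)),
        "vpn->green echo reply (established)": forward(rules, Packet(vpn_client, green_host, established=True)),
    }


# Constructed approximation of a default-deny forward policy: replies to accepted flows pass,
# GREEN may initiate anywhere, everything else is rejected with the default ICMP type.
BASELINE = [
    Rule("ACCEPT", established=True),
    Rule("ACCEPT", in_dev="eth0"),
    Rule("REJECT"),
]


def with_vpn_rule(source_net):
    """Insert an OpenVPN -> GREEN accept rule ahead of the final REJECT."""
    accept = Rule("ACCEPT", in_dev="tun0", src=Net(source_net), dst=Net("10.2.24.0/24"))
    return BASELINE[:-1] + [accept] + BASELINE[-1:]


STALE_RULE = with_vpn_rule("10.171.10.0/24")    # network object from the April post
CURRENT_RULE = with_vpn_rule("10.110.47.0/24")  # the subnet the client holds in May

if __name__ == "__main__":
    for name, rules in (("baseline", BASELINE), ("stale rule", STALE_RULE), ("current rule", CURRENT_RULE)):
        print(name, ping_both_ways(rules))
```

On the box itself, `iptables -nvL FORWARD` shows the per-rule packet counters, which tells you whether the accept rule is ever hit or whether an earlier rule or the final REJECT takes the packet first.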