Access lists questions

10nico
Posts: 5
Joined: Fri May 09, 2014 10:01 am

Access lists questions

Post by 10nico » Fri May 09, 2014 3:24 pm

Hello to everyone and thanks for having developed such a nice product!

I have set up the VPN fine and I can connect and ping around my LAN from my remote clients with no problems; however, I need to apply some kind of "security policy" to restrict the access the remote clients have.

At the moment I use an OpenVPN server configured to hand off static IP addresses to my clients, and since each client is identifiable by its source IP, I can apply iptables rules to each remote client to restrict its specific access to some servers and ports.

I have tried to replicate this setup with SoftEther using the "Access List" feature, but there is something that keeps me from achieving my goal.
In all the firewalls I've known in the past 15 years, the default rule is to deny, however in the Access List the default rule seems to be to let packets pass if there is no specific rule that applies.

So I tried to add a "default deny" rule to the bottom of the priority list (it has the highest priority number) but, despite its priority, this rule keeps blocking everything, even the traffic I have explicitly allowed with the other rules above.

Here is my sample rule set:

Attachment: AccessLists1.jpg

I have searched the documentation, the FAQs, the usage examples and also the configuration file (vpn_server.config) for a way to change the default rule from "default allow" to "default deny", but I haven't found anything.

Is this a bug?

My current setup is this:

- CentOS 6.2 x64 VM (with promiscuous mode enabled on ESXi)
- 2 NICs: one exposed to the DMZ with appropriate firewall rules to allow port 5555, the other exposed to the LAN
- No iptables rules applied on the Linux server
- SoftEther Server version 4.0.6 build 4937 installed on the CentOS server
- SoftEther Client 4.0.6 build 4937 installed on Windows PCs

Please let me know if there is something I can do to kickstart this and replace my current setup with SoftEther.

My best regards,

Michele

10nico
Posts: 5
Joined: Fri May 09, 2014 10:01 am

Re: Access lists questions

Post by 10nico » Mon May 12, 2014 3:58 pm

Hello again.

Just an update to this topic I opened some days ago.

With the kind and useful suggestion of user qupfer in another similar topic I have managed to fix my access lists and now it all works as expected.

In the hope to do a useful thing for others, I'm posting the updated configuration as a working example.

To make it work I had to add a new rule at the top with action "Accept", select TCP as the protocol, tick the box "Verify tcp connection state" and select the radio button "Established packet".

Attachment: AccessLists2.jpg

Hope this helps others! :-)

Good evening,

Michele

ercole77
Posts: 8
Joined: Fri Aug 03, 2018 8:05 am

Re: Access lists questions

Post by ercole77 » Fri Aug 03, 2018 8:41 am

Michele you saved my life!

Just one question: I cannot allow ping to only one particular subnet without having all the ping traffic blocked.
Did you try that?

ercole77
Posts: 8
Joined: Fri Aug 03, 2018 8:05 am

Re: Access lists questions

Post by ercole77 » Fri Aug 03, 2018 10:17 am

Another problem: with this rule it also blocks DHCP.
How do I authorize DHCP?

ercole77
Posts: 8
Joined: Fri Aug 03, 2018 8:05 am

Re: Access lists questions

Post by ercole77 » Fri Aug 03, 2018 11:13 am

DHCP solved.

Pass DHCP connection: DstIpv4=255.255.255.255 SrcIpv4=0.0.0.0 Protocol=UDP Port=67-68
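To make the behaviour discussed in these posts concrete, the following is a small model of a priority-ordered, first-match access list whose implicit default is "pass", with a bottom "discard everything" rule, an "accept established TCP" rule at the top (Michele's fix) and the DHCP rule above. This is an illustration written for this thread, not SoftEther source code; the addresses, priorities, port ranges and the exact matching semantics are constructed assumptions. It shows why the explicit default deny drops the server's reply segments unless an established-TCP accept rule sits above it, and why a broadcast DHCP discover needs its own rule; in the same model, an ICMP echo reply also has no matching rule and is discarded, which mirrors the ping symptom raised above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of a first-match access list (added example, not SoftEther code).


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP only: True for any segment after the initial SYN


@dataclass
class Rule:
    priority: int              # lower number is evaluated first
    action: str                # "pass" or "discard"
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[range] = None
    tcp_state: Optional[str] = None  # "established", "unestablished" or None (don't care)

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.tcp_state == "established" and not p.established:
            return False
        if self.tcp_state == "unestablished" and p.established:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule in priority order decides; no match means 'pass'
    (the implicit default-allow the first post complains about)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.matches(p):
            return r.action
    return "pass"


def build_rules(with_established: bool, with_dhcp: bool) -> List[Rule]:
    # Assumed LAN server 192.168.1.20 and an explicit default deny at the bottom.
    rules = [
        Rule(100, "pass", "TCP", dst="192.168.1.20/32", dports=range(80, 81)),
        Rule(110, "pass", "ICMP", dst="192.168.1.0/24"),
        Rule(1000, "discard"),
    ]
    if with_established:   # Michele's fix: accept established TCP at the top
        rules.append(Rule(10, "pass", "TCP", tcp_state="established"))
    if with_dhcp:          # ercole77's rule for the DHCP discover/request broadcast
        rules.append(Rule(20, "pass", "UDP", src="0.0.0.0/32",
                          dst="255.255.255.255/32", dports=range(67, 69)))
    return rules


# Constructed sample packets: a VPN client at 10.8.0.10 talking to the LAN server.
CLIENT, SERVER = "10.8.0.10", "192.168.1.20"
SYN = Packet(CLIENT, SERVER, "TCP", 51000, 80)
SYN_ACK = Packet(SERVER, CLIENT, "TCP", 80, 51000, established=True)
ECHO_REPLY = Packet(SERVER, CLIENT, "ICMP")
DHCP_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "UDP", 68, 67)


def web_session(with_established: bool) -> Tuple[str, str]:
    """Verdicts for the client's SYN and the server's SYN/ACK."""
    rules = build_rules(with_established, with_dhcp=False)
    return evaluate(rules, SYN), evaluate(rules, SYN_ACK)


def dhcp_discover(with_dhcp: bool) -> str:
    return evaluate(build_rules(True, with_dhcp), DHCP_DISCOVER)


def ping_reply() -> str:
    return evaluate(build_rules(True, True), ECHO_REPLY)


if __name__ == "__main__":
    print("without established rule:", web_session(False))
    print("with established rule:   ", web_session(True))
    print("DHCP discover without rule:", dhcp_discover(False))
    print("DHCP discover with rule:   ", dhcp_discover(True))
    print("ICMP echo reply:", ping_reply())
```

The point the model makes is that each rule is matched against a single packet in one direction, so an "allow client to server:80" rule never matches the server's replies; the established-TCP accept rule is what lets the return half of every permitted TCP connection through before the bottom deny is reached.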

user65235211
Posts: 2
Joined: Sat Sep 07, 2019 5:39 pm

Re: Access lists questions

Post by user65235211 » Sat Sep 07, 2019 5:53 pm

ercole77 wrote:
Fri Aug 03, 2018 11:13 am
DHCP solved.

Pass DHCP connection: DstIpv4=255.255.255.255 SrcIpv4=0.0.0.0 Protocol=UDP Port=67-68
10nico wrote:
Mon May 12, 2014 3:58 pm
Hello again.

Just an update to this topic I opened some days ago.

With the kind and useful suggestion of user qupfer in another similar topic I have managed to fix my access lists and now it all works as expected.

In the hope to do a useful thing for others, I'm posting the updated configuration as a working example.

To make it work I had to add a new rule at the top with action "Accept", select TCP as the protocol, tick the box "Verify tcp connection state" and select the radio button "Established packet".

AccessLists2.jpg

Hope this helps others! :-)

Good evening,

Michele

Thank you both! This worked! Saved me a lot of time! Attaching screenshot of the rule to allow DHCP that ercole77 came up with.

allow_dhcp.JPG
