Allowing Remote VPN Users Access to LAN

I’m in the process of setting up a VPN to allow me access to my local LAN and while I have access to the internet, I still don’t have access to the LAN of my home network that I really need the VPN for.

What firewall policies and/or static routing is necessary to make this work? I currently have a LAN Out firewall policy permitting an IP group encompassing the VPN user IP pool to the internal LAN’s network address.

I feel like I am missing something stupid but can’t figure out what it is. Can someone here help?


If this is a UDM device and you’re using the GUI to set up your VPN server, you shouldn’t need static routing. By default, your VPN clients should be able to access your LANs.

What block/deny firewall rules do you currently have in place?

It’s a USG on latest firmware and controller software, if that helps any.

As for block/deny rules: beyond those there by default, I have 3 main deny rules:

  • LAN In - Deny Specific VLANs from accessing the internet (security cameras, SAN, etc.)
  • LAN In - Deny All - Private VLANs (prevents private VLANs from accessing other private VLANs unless otherwise allowed above)
  • LAN Local - Deny Router Interface Ping (prevents internal subnets from pinging gateway IPs)

Right now I have a rule above all these denies that permits any IP address in the IP Group I defined for the VPN subnet to access a specific IP address in my LAN for a proof of concept. As of yet it still doesn’t work.


ETA - I disabled my main private VLAN to private VLAN deny and things started working, so it leads me to think that both a) the deny mentioned above was blocking the traffic, but more confusingly b) the Allow rule I created isn’t working.

ETA 2 - Been watching this video ad nauseam trying to get this to work. I’ve mirrored his config exactly and it still won’t work.

As of right now I’ve narrowed it down to the Deny rule on LAN In that blocks inter-VLAN routing on the private subnets. Once I disable that, everything seems to work just fine. But… the video above says the rules that apply to the VPN SHOULD be on the LAN Out ruleset.

I’ve even gone as far as disabling the LAN In deny all, then disabling the LAN Out permit rule, and it fails. Telling me that, somehow, the LAN In deny all rule is getting in the way?

I am very confused.
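The behaviour described in this thread (a permit on LAN Out does nothing while a deny-all on LAN In is active, and everything works once that deny is disabled) is what you get whenever a forwarded packet is evaluated by more than one ruleset: within a ruleset the first matching rule wins, but a packet must be accepted by every ruleset it traverses, so a permit in one ruleset cannot rescue a packet already dropped in another. The script below is an added illustration of that evaluation model and is not code from the original thread or from Ubiquiti. It assumes, consistent with what the poster observed, that VPN client traffic is checked by LAN In on its way in and by LAN Out on its way to the LAN interface; the addresses (VPN pool 192.168.2.0/24, private VLAN supernet 10.0.0.0/16, proof-of-concept host 10.0.10.50) and the exact match criteria of the "Deny All - Private VLANs" rule are constructed for the example.

```python
"""Toy model of per-direction firewall ruleset evaluation.

Two properties are modelled: first match wins inside a ruleset, and a
forwarded packet must be accepted by every ruleset on its path. All
addresses and rules below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing (assumption, not taken from the thread).
VPN_POOL = "192.168.2.0/24"      # remote-user VPN client pool
PRIVATE_VLANS = "10.0.0.0/16"    # supernet covering the private VLANs
TARGET_HOST = "10.0.10.50/32"    # proof-of-concept LAN host


@dataclass
class Rule:
    name: str
    action: str                  # "accept" or "drop"
    src: Optional[str] = None    # CIDR; None means any source
    dst: Optional[str] = None    # CIDR; None means any destination

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        src_ok = self.src is None or ip_address(src_ip) in ip_network(self.src)
        dst_ok = self.dst is None or ip_address(dst_ip) in ip_network(self.dst)
        return src_ok and dst_ok


Ruleset = List[Rule]
Path = List[Tuple[str, Ruleset]]


def evaluate(ruleset: Ruleset, src_ip: str, dst_ip: str,
             default: str = "accept") -> Tuple[str, str]:
    """First matching rule wins; otherwise the ruleset default applies."""
    for rule in ruleset:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.name
    return default, "default"


def forward(path: Path, src_ip: str, dst_ip: str):
    """A forwarded packet must be accepted by every ruleset on its path.

    Returns (verdict, trace) where trace lists (ruleset, rule, action).
    """
    trace = []
    for rs_name, ruleset in path:
        action, rule = evaluate(ruleset, src_ip, dst_ip)
        trace.append((rs_name, rule, action))
        if action == "drop":
            return "drop", trace
    return "accept", trace


def build_path(allow_in_lan_in: bool, lan_in_deny_enabled: bool) -> Path:
    """Build the LAN In / LAN Out rulesets for one scenario.

    The deny is constructed with an unrestricted source so that it catches
    the VPN pool, which is what the poster's disable/enable test showed.
    """
    allow = Rule("Allow VPN pool to PoC host", "accept",
                 src=VPN_POOL, dst=TARGET_HOST)
    deny = Rule("Deny All - Private VLANs", "drop", dst=PRIVATE_VLANS)
    lan_in: Ruleset = []
    if allow_in_lan_in:
        lan_in.append(allow)           # permit placed above the deny
    if lan_in_deny_enabled:
        lan_in.append(deny)
    lan_out: Ruleset = [] if allow_in_lan_in else [allow]
    return [("LAN In", lan_in), ("LAN Out", lan_out)]


def verdict(allow_in_lan_in: bool, lan_in_deny_enabled: bool) -> str:
    """Verdict for a VPN client reaching the proof-of-concept host."""
    path = build_path(allow_in_lan_in, lan_in_deny_enabled)
    return forward(path, "192.168.2.10", "10.0.10.50")[0]


if __name__ == "__main__":
    scenarios = [
        ("permit on LAN Out, LAN In deny enabled", (False, True)),
        ("permit above the deny on LAN In", (True, True)),
        ("permit on LAN Out, LAN In deny disabled", (False, False)),
    ]
    for label, args in scenarios:
        result, trace = forward(build_path(*args), "192.168.2.10", "10.0.10.50")
        print(f"{label}: {result}")
        for rs_name, rule, action in trace:
            print(f"    {rs_name}: {rule} -> {action}")
```

The first scenario reproduces the thread: the packet is dropped on LAN In before LAN Out is ever consulted, so the permit there is irrelevant. Moving the permit above the deny in the same ruleset, or disabling the deny, lets the packet through, and the trace shows exactly which ruleset and rule decided it, which is the check to do before touching static routes.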