Blocked traffic leaking over site to site PepVPN

PepVPN Version 5.0.0 connects a local Balance 20 and a remote Surf SOHO.

The SOHO has an outbound firewall rule that blocks access to 192.168.0.0/16.
Its single WiFi SSID is assigned to a VLAN that has inter-VLAN routing disabled.
The VLAN is 192.168.99.x with layer 2 isolation enabled.
Firmware is 6.3.4.
Its untagged LAN is 192.168.9.x.

The event log shows the firewall often blocks traffic to assorted 192.168.x.x subnets. This is expected - iOS devices are always trying to contact internal IPs on port 7000. Below is a sample of this blocked traffic being logged:

Jul 28 08:46:08 Denied CONN=vlan SRC=192.168.99.101 DST=192.168.7.58 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=24945 DF PROTO=TCP SPT=56808 DPT=7000 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x2
Jul 28 08:46:06 Denied CONN=vlan SRC=192.168.99.101 DST=192.168.7.58 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=12679 DF PROTO=TCP SPT=56808 DPT=7000 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x2
Jul 28 08:46:05 Denied CONN=vlan SRC=192.168.99.101 DST=192.168.7.58 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=49690 DF PROTO=TCP SPT=56808 DPT=7000 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x2

Fine. As expected.

However, why does the Balance 20 see traffic incoming on the VPN from the Surf SOHO that was blocked by the Surf SOHO? A sample of this traffic from the event log is shown below. The CONN is vpn:

Jul 28 08:46:52 Denied CONN=vpn SRC=192.168.99.101 DST=192.168.1.193 LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=22542 DF PROTO=TCP SPT=56812 DPT=7000 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x4
Jul 28 08:46:52 Denied CONN=vpn SRC=192.168.99.101 DST=192.168.1.106 LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=13822 DF PROTO=TCP SPT=56813 DPT=7000 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x4
Jul 28 08:46:50 Denied CONN=vpn SRC=192.168.99.101 DST=192.168.1.106 LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=35845 DF PROTO=TCP SPT=56813 DPT=7000 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x4
Jul 28 08:46:50 Denied CONN=vpn SRC=192.168.99.101 DST=192.168.1.193 LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=41649 DF PROTO=TCP SPT=56812 DPT=7000 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x4

The Balance 20 also blocks outbound access to all 192.168.0.0/16 networks. Its untagged LAN is 10.1.x.x. The Balance 20 has no WiFi and no iOS devices talking to it.

I am over my head on the topic of site to site VPNs. This setup has been in place for years and worked fine. Never noticed an issue until iOS devices started connecting to the Surf SOHO and spewing out dozens of requests to port 7000.

I don’t understand how anything destined for a private IP was able to get out of the VLAN that is the WiFi on the Surf SOHO, let alone how it traveled over the site to site VPN to the Balance 20.

Thanks in advance.

Do allow me to provide some explanation here.

Outbound Firewall - Block traffic from LAN to WAN.
Inbound Firewall - Block traffic from WAN to LAN.
Internal Network Firewall - Block traffic from LAN to LAN.

FYI, communication between SpeedFusion/PepVPN peers is considered LAN to LAN traffic. Please try the Internal Network Firewall to confirm this helps.

Thanks.

2 Likes
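As an added example (not code from the thread or from Peplink), a small Python script that parses event-log lines in the format quoted above, counts denied flows by CONN and destination /24, and labels each flow with the firewall section the reply says governs it (Outbound for LAN to WAN, Inbound for WAN to LAN, Internal Network for LAN to LAN including PepVPN peers). The sample lines and the REMOTE_LANS prefixes are constructed assumptions; in practice the prefixes come from the PepVPN remote network list.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the same key=value format as the event-log lines quoted in the thread.
SAMPLE_LOG = """\
Jul 28 08:46:08 Denied CONN=vlan SRC=192.168.99.101 DST=192.168.7.58 LEN=64 TOS=0x00 PREC=0x00 TTL=62 ID=24945 DF PROTO=TCP SPT=56808 DPT=7000 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x2
Jul 28 08:46:52 Denied CONN=vpn SRC=192.168.99.101 DST=192.168.1.193 LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=22542 DF PROTO=TCP SPT=56812 DPT=7000 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x4
Jul 28 08:46:50 Denied CONN=vpn SRC=192.168.99.101 DST=192.168.1.106 LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=35845 DF PROTO=TCP SPT=56813 DPT=7000 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x4
"""

# Prefixes reachable through the PepVPN tunnel (assumed for this example: 10.1.0.0/16 is the
# Balance 20 LAN named in the thread, 192.168.1.0/24 is inferred from the logged DST addresses).
REMOTE_LANS = [ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("192.168.1.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<action>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Return {'ts', 'action', 'CONN', 'SRC', 'DST', ...} for one event-log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"ts": m.group("ts"), "action": m.group("action")}
    for tok in m.group("kv").split():      # bare flags such as DF or SYN carry no '=' and are skipped
        if "=" in tok:
            key, val = tok.split("=", 1)
            entry[key] = val
    return entry


def firewall_scope(entry, remote_lans=REMOTE_LANS):
    """Firewall section that governs the flow, following the reply: LAN->WAN Outbound,
    WAN->LAN Inbound, LAN->LAN (including PepVPN peer traffic) Internal Network."""
    if entry["CONN"] == "vpn":
        return "internal"   # arrived over the tunnel: peer traffic is treated as LAN-to-LAN
    if entry["CONN"] == "wan":
        return "inbound"
    if any(ipaddress.ip_address(entry["DST"]) in net for net in remote_lans):
        return "internal"   # routed into PepVPN, so the Outbound rule does not apply
    return "outbound"       # no tunnel route for DST: leaves via WAN, Outbound rule applies


def summarize(log_text, remote_lans=REMOTE_LANS):
    """Count denied flows by (CONN, governing scope, destination /24) to spot tunnel crossings."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["action"] == "Denied":
            dst24 = str(ipaddress.ip_network(e["DST"] + "/24", strict=False))
            counts[(e["CONN"], firewall_scope(e, remote_lans), dst24)] += 1
    return counts
```

Run `summarize(SAMPLE_LOG)` on a saved event log to see which denied flows were already inside the tunnel (scope "internal") and therefore need an Internal Network Firewall rule rather than an Outbound one.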