Peplink Balance 380, PPTP VPN, Firmware 6.2.2, unable to access LAN


#1

Problem Solved. Inter-VLAN routing needed to be enabled in my case

Hi All.

When I was running the 5.x firmware, my PPTP clients had no problems accessing any computer on the LAN.

When I upgraded to 6.2.1, my PPTP clients could no longer access any LAN resources. I could still access the Peplink admin interface.

When I upgraded to 6.2.2, I also lost the ability to access the Peplink device.

All my Windows/Mac PPTP clients are affected. All the clients are configured to send all traffic through the VPN gateway.

My default firewall rules are to allow everything.

I didn’t need any special rules in 5.x to allow my PPTP clients to work.

I’ve tried adding rules for the PPTP clients in each of the firewall rule tables.

(The LAN is 10.10.1.0/24; PPTP clients also get a 10.10.1.0/24 address.)

  • Internal Network Firewall Rules (only 1 rule tested at a time)

– Rule: pptp1
– Protocol: any
– Source: 10.10.1.0/24
– Destination: 10.10.1.0/24
– Policy: allow

– Rule: pptp2
– Protocol: any
– Source: any
– Destination: 10.10.1.0/24
– Policy: allow

– Rule: pptp3
– Protocol: any
– Source: 10.10.1.0/24
– Destination: any
– Policy: allow

  • Inbound Firewall Rules

– Rule: pptp1a
– Protocol: any
– Source: 10.10.1.0/24
– Destination: 10.10.1.0/24
– Policy: allow

– Rule: pptp2a
– Protocol: any
– Source: any
– Destination: 10.10.1.0/24
– Policy: allow

– Rule: pptp3a
– Protocol: any
– Source: 10.10.1.0/24
– Destination: any
– Policy: allow

  • Outbound Firewall Rules

– Rule: pptp1b
– Protocol: any
– Source: 10.10.1.0/24
– Destination: 10.10.1.0/24
– Policy: allow

– Rule: pptp2b
– Protocol: any
– Source: any
– Destination: 10.10.1.0/24
– Policy: allow

– Rule: pptp3b
– Protocol: any
– Source: 10.10.1.0/24
– Destination: any
– Policy: allow

Yes, I did press “Apply Changes” after every configuration change.

Does anyone know of a way I can debug this problem, or tell me what mistake I am making? At this point, the only thing I can think of is to downgrade the firmware back to the last 5.x version.

Any help/advice/insight would be greatly appreciated.


#2

I would attempt to reconfigure all of your FW rules again.

Per 6.2.2 Release Notes:
– Internal Network Firewall Rules Will Need to Be Reconfigured: To increase protection for traffic running between internal networks, Firmware 6.2.2 introduces the new “Internal Network Firewall Rules” table. If you have previously added firewall rules with both the source and destination pointing to internal networks, please reenter the rules under the new “Internal Network Firewall Rules” table.


#3

Hi Jarid,

Thank you for taking the time to reply.

“If you have previously added firewall rules with both the source and destination pointing to internal networks, please reenter the rules under the new “Internal Network Firewall Rules” table.”

I previously didn’t have any rules with both source and destination pointing to internal networks. Also, my default Internal Network Firewall Rule is everything allow, so I didn’t think this applied to me.

So, I’ve added a new Internal Network Firewall Rule:
Enable: true
Protocol: Any
Source: 10.10.1.0/24
Destination: 10.10.1.0/24
Action: Allow
Event Logging: Enable

and I applied the changes.

When I connect a client to the VPN and ping my own IP address, the event shows up in the event log:

Oct 25 09:04:44 Allowed CONN=ppp SRC=10.10.1.234 DST=10.10.1.234 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=33338 PROTO=ICMP TYPE=8 CODE=0 ID=36954 SEQ=7

However, when I try to ping any device on the LAN, or the Peplink gateway, I get request timeouts and no events are logged in the event log.

So then I’ve added the following rule as the first rule for the Outbound and Inbound Firewall rules:
Enable: true
Protocol: Any
Source: Any
Destination: Any
Action: Allow
Event Logging: Enable

and applied the changes.

Again, I attempted a ping of the Peplink gateway and of a server on the LAN. Again, I got request timeouts.

I even disabled every firewall rule on the device except for the above “allow” rules. The default policy for the three firewall tables is allow. Again, the pings returned timeouts.

Do you have any other suggestions? Am I doing something obviously wrong? Is there something else I should try? I’ve already tried a hard reboot, also without success.

Thanks.

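The diagnostic signal in post #3 is not the one logged line but the lines that are missing: the allow-all rules have event logging enabled, the self-ping is logged, yet pings to the gateway and to LAN hosts never produce an event, so those packets are dropped before the firewall rules see them. The following is an added example (not code from the thread or from Peplink) that parses event-log lines in the format of the one quoted above and lists attempted flows that never appeared in the log. The regular expression is inferred from that single line; the second log line, the gateway address 10.10.1.1 and the server address 10.10.1.50 are constructed for the example.

```python
"""Parse Peplink-style firewall event-log lines and report attempted flows
that produced no event at all.  Added example, not from the original thread
or from Peplink; the line format is inferred from the one line quoted in
post #3, and all addresses other than 10.10.1.234 are constructed."""
import re

# "<Mon dd HH:MM:SS> <verdict> CONN=... KEY=VALUE ..." -- format assumed from
# the one line on the page.  The verdict word is not validated because the
# page only shows "Allowed".
_HEAD = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<verdict>\w+) (?P<kv>CONN=.*)$"
)
_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Return the fields of one event line as a dict, or None if the line is
    not a firewall event.  Keys that repeat (ID= appears twice: the IP header
    ID and the ICMP echo ID) are kept as ID, ID2, ... in order of appearance."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "verdict": m.group("verdict")}
    for key, value in _KV.findall(m.group("kv")):
        name, n = key, 2
        while name in fields:
            name, n = f"{key}{n}", n + 1
        fields[name] = value
    return fields


def unlogged_flows(lines, attempts, conn="ppp"):
    """attempts: (src, dst) pairs the client actually tried (here: pings).
    Returns the pairs for which no event on the given CONN was ever logged.
    With an allow-all rule that has logging enabled, such a pair means the
    packet never reached the rule table at all."""
    seen = set()
    for line in lines:
        ev = parse_event(line)
        if ev and ev.get("CONN") == conn and "SRC" in ev and "DST" in ev:
            seen.add((ev["SRC"], ev["DST"]))
    return [pair for pair in attempts if pair not in seen]


# First line is the one quoted in post #3; the second is constructed.
SAMPLE_LOG = """\
Oct 25 09:04:44 Allowed CONN=ppp SRC=10.10.1.234 DST=10.10.1.234 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=33338 PROTO=ICMP TYPE=8 CODE=0 ID=36954 SEQ=7
Oct 25 09:04:45 Allowed CONN=ppp SRC=10.10.1.234 DST=10.10.1.234 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=33339 PROTO=ICMP TYPE=8 CODE=0 ID=36954 SEQ=8
this line is not a firewall event and is ignored
""".splitlines()

# What the client tried: itself, the gateway (assumed 10.10.1.1) and a LAN
# server (assumed 10.10.1.50).  Only the first shows up in the log.
ATTEMPTS = [
    ("10.10.1.234", "10.10.1.234"),
    ("10.10.1.234", "10.10.1.1"),
    ("10.10.1.234", "10.10.1.50"),
]

if __name__ == "__main__":
    for src, dst in unlogged_flows(SAMPLE_LOG, ATTEMPTS):
        print(f"no firewall event for {src} -> {dst}: dropped before rule evaluation")
```

Run against a real export of the event log, the script turns "no events are logged" into a concrete list of flows to chase; a flow that is absent despite a logging allow-all rule points at forwarding (routing, interface isolation) rather than at the rule tables, which is where this thread ends up.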

#4

Hi,

  1. Is an IPsec VPN running on this box? Is it possible to share the settings?

  2. Is SpeedFusion running on this box? Have you enabled “Send All Traffic To”?

  3. Can you share your Outbound Policy?

  4. Can you share your Static Routes?

Please open ticket to share info above if they are sensitive. Thank you.


#5

Hi TK,

1/ No IPsec VPN is running.

2/ No SpeedFusion.

3/ Outbound policies

#        Service            Algorithm                   Source   Destination               Protocol/Port
1        smtp               least used                  any      any                       TCP 25
2        <website1>         enforced WAN: WAN1          any      <public ip of website1>   any
3        <website2>         enforced WAN: WAN2          any      <public ip of website2>   any
4        <website3>         enforced WAN: WAN3          any      <public ip of website3>   any
5        <website4>         enforced WAN: WAN3          any      <public ip of website4>   any
6        <website5>         enforced WAN: WAN3          any      <public ip of website5>   any
7        <website6>         enforced WAN: WAN3          any      <public ip of website6>   any
8        HTTPS Persistence  Persistence (Src) (Auto)    any      any                       TCP 443
9        HTTPS alternate    Persistence (Src) (Auto)    any      any                       TCP 2083
10       HTTP Persistence   Persistence (Auto)          any      any                       TCP 80
default                     Weighted Balance 6:4:5:0

4/ Static Routes: none.

Is there any other information that I can give you?


#6

Hi,

May I know whether Inter-VLAN routing (Network > LAN > Network Settings > Inter-VLAN routing) was enabled after upgrading to v6.2.2? If not, please enable it and try again.


#7

You’re right, it was off. I’ve just enabled it, so now I’ll test again.


#8

And that fixed the problem.

Thank you very much!


#9

I just installed a new 380 (on 6.2.2 before I even began configuring it) to replace an older 380, and I noticed that PPTP VPN users could not access the local LAN. In troubleshooting the issue I enabled Inter-VLAN Routing. At that point I could no longer access the 380 via its LAN IP, nor could I connect via PPTP at all. I then disabled Inter-VLAN Routing to try to undo the problem I had just caused. That didn’t help anything. I rebooted the 380, and then re-enabled Inter-VLAN Routing again. All is well.
Moral of the story, on a 380 with 6.2.2, a router reboot may be necessary when toggling Inter-VLAN Routing.


#10

Moral of the story #2… Inter-VLAN Routing appears to be CHECKED by default. Save yourself some hassle and don’t UNcheck it like I did. :o


#11

Hi,

Both of the issues discussed in this thread are known issues in firmware version 6.2.2. They are fixed in firmware 6.3. Tentatively, the firmware version 6.3 RC will be available at the end of this month.

Thank You