We run multiple Untangle firewalls in router mode at different branches. Currently we are on 11.0.1~svn20150118r39522release11.0-1wheezy. We use IPSec to VPN our branch connections to our main site where we have our email and web servers hosted for internal use. We have an issue where the real IP address of what is connecting to our servers, either through IPSec VPN tunnels or via port forwarding, is not what we are seeing on our servers. We are getting the local Untangle IP address instead of the remote address. This affects our logging and IP filters on servers. For example, our apache logs are full of the same IP address of 10.10.1.1, which is our local Untangle IP, even though the actual visitor is across the Internet or on the other side of our VPN tunnel. Here is our network diagram.
[Network diagram image: IMG_0424 - Copy.JPG]
The apache logs below show me accessing a webserver from different VPN networks (10.10.2.100, 10.10.3.108, and 10.10.4.15) and from the Internet via port forwarding. As you can see, with the exception of some local connections, all of the sources show up as 10.10.1.1.
We could deal with the port forwarding coming through as the local Untangle IP using a reverse proxy, but having to reverse proxy everything on our LAN and DMZ isn't going to work. We came from using PFSense where we somehow avoided this issue. One thing of note is that in the Untangle session viewer, it shows the correct remote source IP address connecting to the server. Anyone have any suggestions to have it keep the source IP in the packet? I am unsure why it rewrites the packet using the LAN interface as the source and would love to "override" this behavior. Otherwise there is no way to do any additional ACL on any traffic coming through the Untangle IPSec VPN.
Code:
10.10.1.1 - - [29/Mar/2015:01:51:23 -0500] "GET /new/shoutbox/update.php?_=1427611881785 HTTP/1.1" 200 1698 "http://intranet/new/shoutbox/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.99 - - [29/Mar/2015:01:51:24 -0500] "GET /new/shoutbox/update.php?_=1427611882505 HTTP/1.1" 200 1698 "http://intranet/new/shoutbox/" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.10.1.1 - - [29/Mar/2015:01:51:24 -0500] "GET /new/shoutbox/update.php?_=1427611882509 HTTP/1.1" 200 1698 "http://intranet/new/shoutbox/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:24 -0500] "GET /new/shoutbox/update.php?_=1427611882534 HTTP/1.1" 200 1698 "http://intranet/new/shoutbox/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.8 - - [29/Mar/2015:01:51:24 -0500] "GET /new/shoutbox/update.php?_=1427611882585 HTTP/1.1" 200 1698 "http://intranet/new/shoutbox/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:24 -0500] "GET /new HTTP/1.1" 301 476 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:24 -0500] "GET /new/ HTTP/1.1" 200 1062 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/newmenu HTTP/1.1" 301 489 "http://intranet/new/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/shoutbox HTTP/1.1" 301 492 "http://intranet/new/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.19 - - [29/Mar/2015:01:51:25 -0500] "GET /new/weather/parsons.html HTTP/1.0" 200 672 "-" "-"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/ipinfo/ipinfo.php HTTP/1.1" 200 375 "http://intranet/new/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/weather/cityselector.php HTTP/1.1" 200 489 "http://intranet/new/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/billfactor/ HTTP/1.1" 200 918 "http://intranet/new/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/facebook-new/ HTTP/1.1" 200 937 "http://intranet/new/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/google/ HTTP/1.1" 200 560 "http://intranet/new/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/newmenu/ HTTP/1.1" 200 2277 "http://intranet/new/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/shoutbox/ HTTP/1.1" 200 2249 "http://intranet/new/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/ipinfo/styles.css HTTP/1.1" 200 547 "http://intranet/new/ipinfo/ipinfo.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/billfactor/css/feedget.min.css HTTP/1.1" 200 1114 "http://intranet/new/billfactor/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/billfactor/js/feedget-1.1.1.min.js HTTP/1.1" 200 3451 "http://intranet/new/billfactor/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/facebook-new/css/feedget.min.css HTTP/1.1" 200 1138 "http://intranet/new/facebook-new/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/facebook-new/js/feedget-1.1.1.min.js HTTP/1.1" 200 3451 "http://intranet/new/facebook-new/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/newmenu/menu.css HTTP/1.1" 200 1743 "http://intranet/new/newmenu/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/newmenu/smooth-php-cal.css HTTP/1.1" 200 1555 "http://intranet/new/newmenu/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/newmenu/style.css HTTP/1.1" 200 2751 "http://intranet/new/newmenu/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/calendar/smooth-php-cal-min.js HTTP/1.1" 200 3701 "http://intranet/new/newmenu/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
SOLVED!
Thanks to reading SKY-KNIGHT's #6 post here: http://forums.untangle.com/openvpn/3...more-help.html I found out that the way Untangle does NAT is much different than I am used to, and I had a catch-all outbound NAT Rule setting that was NATing all of my VPN traffic. Thank you very much SKY-KNIGHT, that little post solved a major headache!
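A server-side check for the symptom this thread describes, added here as an example (it is not from the post or from Untangle): it parses Apache combined-format access log lines and flags any client address that carries a large share of the requests while presenting several different user agents, which is the signature left behind when an upstream firewall source-NATs VPN or port-forwarded traffic. The sample log lines are constructed (modelled on the excerpt above, with 10.10.1.1 as the firewall address), and the threshold values are assumptions.

```python
"""Detect NAT-masked client addresses in Apache combined-format access logs.

Added example, not from the original forum post. When an upstream firewall
source-NATs traffic, many distinct clients collapse onto one address, which
breaks per-client ACLs and logging; this heuristic surfaces such addresses.
"""
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample modelled on the excerpt in the post; 10.10.1.1 is the firewall's LAN address.
SAMPLE_LOG = """\
10.10.1.1 - - [29/Mar/2015:01:51:23 -0500] "GET /new/ HTTP/1.1" 200 1062 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
10.10.1.99 - - [29/Mar/2015:01:51:24 -0500] "GET /new/shoutbox/ HTTP/1.1" 200 2249 "http://intranet/new/" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.10.1.1 - - [29/Mar/2015:01:51:24 -0500] "GET /new/google/ HTTP/1.1" 200 560 "http://intranet/new/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/36.0"
10.10.1.1 - - [29/Mar/2015:01:51:25 -0500] "GET /new/weather/ HTTP/1.1" 200 489 "-" "curl/7.38.0"
10.10.1.19 - - [29/Mar/2015:01:51:25 -0500] "GET /new/weather/parsons.html HTTP/1.0" 200 672 "-" "-"
this line is not a valid log entry
"""

def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_masked_sources(text, min_share=0.4, min_agents=2):
    """Return {ip: (request_count, distinct_agent_count)} for addresses that look NAT-masked.

    Thresholds are assumptions: an address must carry at least min_share of all
    requests and show at least min_agents different user agents to be flagged.
    """
    hits = Counter()
    agents = defaultdict(set)
    for rec in parse_lines(text):
        hits[rec["ip"]] += 1
        agents[rec["ip"]].add(rec["agent"])
    total = sum(hits.values())
    return {ip: (n, len(agents[ip])) for ip, n in hits.items()
            if total and n / total >= min_share and len(agents[ip]) >= min_agents}

if __name__ == "__main__":
    for ip, (n, a) in find_masked_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests from {a} distinct user agents -> likely NAT source")
```

Run it against a real access log to confirm a firewall address is being substituted before relying on per-client ACLs; once the outbound NAT rule is scoped so VPN traffic is no longer translated, the flagged entry should disappear.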