No announcement yet.

Internal services (VPN) from multiple gateways

  • Filter
  • Time
  • Show
Clear All
new posts

  • Internal services (VPN) from multiple gateways

    At the moment all "internal" services are only available with the default gateway.
    Should be nice if these can be used from multiple gateways.

    Feature request:
    Support for using "internal services" (like ssl vpn) with multiple gateways at the same time.

  • #2
    GTA greatly appreciates your feedback. However, the issue surrounding this lies with the firewall's ISP. Firewall services such as SSL VPN, do listen and attempt to respond on all ports (all EXTERNAL interfaces and aliases). When a request for an SSL VPN connection comes in on an EXTERNAL interface which is not the firewall's default gateway, the firewall does indeed respond properly, NATed to the IP address of the incoming gateway, however, due to the way packet routing works, the responses are sent out of the firewall's default gateway (where the firewall sends all non-local traffic). It is then up to that ISP whether they allow for traffic which sources from a different public IP range than what their router is expecting. Some ISPs allow this others do not.


    • #3
      This works for services behind NAT rules, for example RDP to a server on PROTECTED can be made from Gateway1 (ISP-A) en also from Gateway2 (ISP-B) when using two NAT rules.
      Source based routing works perfectly with NAT.

      The GTA internal services work different, so that it is not possible to do this for example to SSL VPN.
      There should be a mechanism that routes the packets to external over the correct gateway.

      Maybe an option to put the internal services optionally in a NAT network instead a routed network, just like an openvpn server which you can deploy on a protected network.


      • #4
        The firewall is only able to apply the routing logic for connections going through the firewall, not connections beginning or ending on the firewall itself (such is the case for the SSL Client or Remote Administration).

        However, development will review the SSL Client (openVPN) code to determine the feasibility of modifying this service to have a functionality similar to Source Routing for NAT traffic.