Site-to-Site VPN Problem: Firewall commands using loopback address

vpn loopback ftp TINA

3 replies to this topic

#1 Brandon Robbins
  • Members
  • 4 posts

Posted 10 May 2017 - 02:33 PM

We have two sites: the primary site, and a remote site. These both have Barracuda firewalls with a TINA tunnel between them.

As part of a new policy, we're having to set up some scripts that create a PAR file on a weekly basis and FTP it to the opposite site for disaster recovery and archival.

 

We got the script working great locally, but as we moved into field testing, it immediately had an issue.

The FTP command (and ping command) that are directed to the other side of the TINA tunnel want to use the loopback address of the vpn0 interface (127.0.3.1) as the source. This, of course, causes them to fail to connect to anything.

 

I was looking at host firewall rules, but it doesn't seem you can specify any translations; you can only use the original IP on them.

 

What's the proper way to resolve this?

 

Thanks in advance for any advice or tips anyone can offer.



#2 Stefan Hora
  • Barracuda Guru
  • 142 posts

Posted 10 May 2017 - 04:14 PM

Host Firewall Rules is the right place:

Under outbound, create the following rule at the top (above the default block):

source: 127.0.3.1

service: ftp

destination: 0.0.0.0/0

connection: explicit, Network Interface, p1 (or any other interface you would like to have as source for the FTP)



#3 Brandon Robbins
  • Members
  • 4 posts

Posted 11 May 2017 - 09:58 AM

Thank you very much.

I feel better knowing I was in the right place; I just completely overlooked the outbound tab at the top. However, I'm still having a problem with this.

 

I have the rule set up and it seems to be working as far as outgoing packets are concerned, but it doesn't seem to be accepting replies. I see the packets come into the other firewall and device fine, but outgoing/reply traffic seems to be getting lost.

 

I think I've missed a step somewhere?



#4 Stefan Hora
  • Barracuda Guru
  • 142 posts

Posted 11 May 2017 - 10:26 AM

Hmm,

I think those are not reply packets but the ftp-data session.

 

Did you select "ftp" as the Service or only port 21?

Normally the ftp plugin looks into the port 21 control session to find out which data port the FTP client and the FTP server are planning to use, and automatically enables that data port.

Maybe there is a bug in this plugin...

 

Try this FORWARDING rule to allow those connections from the FTP server:

App Redirect Rule:

source: ftp-server

service: tcp-all

destination: the IP your client is using for the connection, e.g. the p1 IP if you use that in your local Rule

local address: 127.0.3.1

 

Otherwise you can also open a case with Barracuda.
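The following is an added example and not part of the thread or of Barracuda's own code. It shows, in plain Python, what the "ftp" service plugin described in post #4 has to do: read the port 21 control session, decode the `PORT` (active) and `227` (passive) endpoint announcements, and derive which side will open the data connection and where, so the firewall can open that port for the duration of the transfer. It also flags the failure mode from post #1: a client whose control socket was bound to the vpn0 loopback address advertises `127.0.3.1` in its `PORT` command, an address the remote server can never connect back to. The session transcripts, addresses and function names are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed FTP control-session transcript (not taken from the thread).
# "C:" lines are sent by the client, "S:" lines by the server.
SAMPLE_SESSION = [
    "S: 220 constructed FTP server ready",
    "C: USER backup",
    "S: 331 Password required",
    "C: PASS ********",
    "S: 230 Login successful",
    "C: PORT 10,1,1,20,195,80",      # active mode: client listens on 10.1.1.20:50000
    "S: 200 PORT command successful",
    "C: STOR weekly.par",
    "S: 150 Opening data connection",
    "S: 226 Transfer complete",
    "C: PASV",
    "S: 227 Entering Passive Mode (10,2,2,30,200,1)",  # passive: server listens on 10.2.2.30:51201
    "C: RETR weekly.par",
]

# Constructed transcript of a client whose control socket was bound to the
# vpn0 loopback address: the PORT command advertises 127.0.3.1, which the
# remote server cannot route to, so the data connection never arrives.
LOOPBACK_SESSION = [
    "C: PORT 127,0,3,1,195,80",
    "S: 200 PORT command successful",
]


@dataclass
class DataChannel:
    mode: str   # "active" (client announced via PORT) or "passive" (server announced via 227)
    host: str
    port: int

    def initiator(self) -> str:
        """Which side opens the data connection; the firewall must permit that direction."""
        return "server" if self.mode == "active" else "client"

    def advertises_loopback(self) -> bool:
        """True when the announced endpoint is a 127/8 address, which a peer cannot reach."""
        return ipaddress.ip_address(self.host).is_loopback


_PORT_RE = re.compile(r"^C:\s*PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"^S:\s*227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """FTP encodes an endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def negotiated_channels(lines: List[str]) -> List[DataChannel]:
    """Scan the control session, as an FTP helper does, and collect every data endpoint."""
    channels: List[DataChannel] = []
    for line in lines:
        m = _PORT_RE.match(line)
        if m:
            host, port = _decode(m.groups())
            channels.append(DataChannel("active", host, port))
            continue
        m = _PASV_RE.match(line)
        if m:
            host, port = _decode(m.groups())
            channels.append(DataChannel("passive", host, port))
    return channels


def required_pinholes(channels: List[DataChannel]) -> List[Tuple[str, str, str, int]]:
    """Return (direction, initiator, dst_host, dst_port) tuples a helper would open
    temporarily; 'inbound' means the remote server connects back to the client."""
    holes = []
    for ch in channels:
        direction = "inbound" if ch.initiator() == "server" else "outbound"
        holes.append((direction, ch.initiator(), ch.host, ch.port))
    return holes


if __name__ == "__main__":
    for hole in required_pinholes(negotiated_channels(SAMPLE_SESSION)):
        print("pinhole:", hole)
    for ch in negotiated_channels(LOOPBACK_SESSION):
        print("loopback endpoint announced:", ch.host, ch.advertises_loopback())
```

The active-mode case is the one the thread ends on: the pinhole is inbound, from the FTP server to the address the client announced, which is exactly what the forwarding rule in post #4 permits statically when the plugin does not open it on its own. Matching only port 21 instead of the "ftp" service gives the firewall no view of these announcements, so the data session has nothing to match.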