ACLs not working bi-directional

dwohlhaupter
Posts: 1
Joined: Thu Feb 25, 2021 10:17 am

Post by dwohlhaupter » Thu Feb 25, 2021 10:49 am

Hi all,

I have a question on how access lists work in SE.

Our setup is quite simple:
1. SecureNAT with DHCP and Virtual NAT is enabled for a hub
2. Local network is 10.0.0.0/16
3. VNI IP is 192.168.30.1
4. VPN subnet is 192.168.30.0/24

As long as no access lists have been maintained, everything works fine. But to restrict access to some local subnets, we have created the following rules:
1. Allow DHCP
2. Allow access from 192.168.30.0/24 to 10.0.10.0/24
3. Deny all

The result of the above ACL is that no access to 10.0.10.0/24 is possible (no ping possible, DHCP still works). If we create an additional rule for the route back from the local subnet to the VPN network, everything works fine again (ping is working):
1. Allow DHCP
2. Allow access from 192.168.30.0/24 to 10.0.10.0/24
3. Allow access from 10.0.10.0/24 to 192.168.30.0/24
4. Deny all

But in my opinion packet filtering doesn't require a rule for both directions and should work bi-directionally for already established connections.

Could someone please state how ACLs are working in SE?

Thanks and best regards
Daniel
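
To make the difference between the two behaviours concrete, here is an added example (not SoftEther code, and not from the poster) that models the rule sets above as a stateless packet filter, which is what the observed behaviour suggests, next to a stateful filter that remembers allowed flows and lets their replies through. The client and LAN host addresses and the modelling of the "Allow DHCP" rule as UDP to port 67 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "icmp", "udp" or "tcp"
    dport: int = 0  # 0 for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str = "0.0.0.0/0"  # source network, any by default
    dst: str = "0.0.0.0/0"  # destination network, any by default
    proto: str = None       # None matches any protocol
    dport: int = None       # None matches any destination port
    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto) and self.dport in (None, p.dport))

def evaluate_stateless(rules, p):
    # Each packet is judged on its own; the first matching rule wins, default deny.
    return next((r.action for r in rules if r.matches(p)), "deny")

def evaluate_stateful(rules, flows, p):
    # A reply to a flow that was already allowed passes without consulting
    # the rule list; this is the behaviour the poster expected.
    if (p.dst, p.src, p.proto) in flows:
        return "allow"
    action = evaluate_stateless(rules, p)
    if action == "allow":
        flows.add((p.src, p.dst, p.proto))
    return action

# The poster's two rule sets: DHCP, VPN->LAN allow, (LAN->VPN allow), deny all.
# The DHCP rule is modelled as "any UDP to port 67" (assumption).
ACL_ONE_WAY = [Rule("allow", proto="udp", dport=67),
               Rule("allow", "192.168.30.0/24", "10.0.10.0/24"), Rule("deny")]
ACL_BOTH_WAYS = ACL_ONE_WAY[:2] + [Rule("allow", "10.0.10.0/24", "192.168.30.0/24"), Rule("deny")]

def ping_round_trip(rules, stateful):
    # Verdicts for an echo request from a VPN client and the echo reply from the
    # LAN host (constructed addresses inside the poster's subnets).
    request = Packet("192.168.30.10", "10.0.10.5", "icmp")
    reply = Packet("10.0.10.5", "192.168.30.10", "icmp")
    flows = set()
    judge = (lambda p: evaluate_stateful(rules, flows, p)) if stateful else (lambda p: evaluate_stateless(rules, p))
    return judge(request), judge(reply)
```

With the stateless model the first rule set passes the request but drops the reply, exactly the "no ping" symptom; adding the reverse rule, or tracking flows, lets the reply through.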
