This is about a 1790VA running LCOS 10.92RU3 in a home office. The router is attached to the employee's local LAN (peer INET_VIA_HO-LAN). The headquarters networks (192.168.21.0/24 and 192.168.21.0/24) are routed via VPN (peer ZENTRALE); everything else is prohibited. Clients in the home office (192.168.130.16/28) use the LANCOM router (192.168.130.17) as their DNS server (assigned via DHCP). DNS names of the Windows domain are to be answered by forwarding to a domain controller at headquarters.
The IKEv2 tunnel to headquarters is up, and destinations at headquarters can be reached from the client. Unfortunately, name resolution on a Windows client (192.168.130.19) does not seem to work:
Code:
C:\>nslookup fileserver 192.168.130.17
Server: homeoffice-gw.ad.my-domain.net
Address: 192.168.130.17
*** fileserver wurde von homeoffice-gw.ad.my-domain.net nicht gefunden: Query refused.
Code:
# Trace config
trace + IP-Router @ +"port: 53" +192.168.21.
trace + Firewall @ +"port: 53" +192.168.21.
trace + DNS
trace + IPv4-Host @ +53 +192.168.21.
[DNS] 2025/11/29 08:44:40,951 Devicetime: 2025/11/29 08:44:39,973
DNS Rx (INTRANET): Src-IP 192.168.130.19, RtgTag 0
Transaction ID: 0x0001
Flags: 0x0100 (Standard query, No error)
Queries
17.130.168.192.in-addr.arpa: type PTR, class IN
STD PTR for 17.130.168.192.in-addr.arpa
Name resolved to homeoffice-gw.ad.my-domain.net
[DNS] 2025/11/29 08:44:40,951 Devicetime: 2025/11/29 08:44:39,981
DNS Rx (INTRANET): Src-IP 192.168.130.19, RtgTag 0
Transaction ID: 0x0002
Flags: 0x0100 (Standard query, No error)
Queries
fileserver.ad.my-domain.net: type A, class IN
STD A for fileserver.ad.my-domain.net
DnsGetDest: Match found: forwarding fileserver.ad.my-domain.net to 192.168.21.5 192.168.21.2
Not found in local DNS database => forward to next server
[DNS] 2025/11/29 08:44:40,951 Devicetime: 2025/11/29 08:44:39,982 [info] :
query blocked by firewall rule DENY_INTERNET
=> refuse request from 192.168.130.19
[DNS] 2025/11/29 08:44:40,951 Devicetime: 2025/11/29 08:44:39,984
DNS Rx (INTRANET): Src-IP 192.168.130.19, RtgTag 0
Transaction ID: 0x0003
Flags: 0x0100 (Standard query, No error)
Queries
fileserver.ad.my-domain.net: type AAAA, class IN
STD AAAA for fileserver.ad.my-domain.net
DnsGetDest: Match found: forwarding fileserver.ad.my-domain.net to 192.168.21.5 192.168.21.2
Not found in local DNS database => forward to next server
[DNS] 2025/11/29 08:44:40,951 Devicetime: 2025/11/29 08:44:39,984 [info] :
query blocked by firewall rule DENY_INTERNET
=> refuse request from 192.168.130.19
This rule should only apply when the traffic is routed to the employee's local Internet access.
The target DNS servers, however, are in the headquarters network, and according to the routing table the query should go through the VPN tunnel.
Where is the flaw in my reasoning, or why is the query nevertheless classified as an "Internet destination"?
For reference, here is an excerpt from the config:
Code:
set /Setup/Name "homeoffice-gw"
cd /Setup/WAN/DSL-Broadband-Peers
add "INET_VIA_HO-LAN" {SH-Time} 9999 {AC-name} "" {Servicename} "" {WAN-layer} "DHCPOE" {ATM-VPI} 0 {ATM-VCI} 0 {MAC-Type} local {user-def.-MAC} 000000000000 {DSL-ifc(s)} "DSL1" {VLAN-ID} 0 {Prio-Mapping} off {Prio-Value} 0 {S-VLAN-ID} 0 {IPv6} "" {PPPoE-MTU-1500} No
cd /Setup/TCP-IP/Network-list
add "INTRANET" {IP-Address} 192.168.130.17 {IP-Netmask} 255.255.255.240 {VLAN-ID} 0 {Interface} LAN-1 {Src-check} loose {Type} Intranet {Rtg-tag} 0 {Comment} "local intranet"
cd /Setup/IP-Router/IP-Routing-Table
add 192.168.20.0 255.255.255.0 0 0 {Peer-or-IP} "ZENTRALE" {Distance} 0 {Masquerade} No {Active} Yes {Comment} ""
add 192.168.21.0 255.255.255.0 0 0 {Peer-or-IP} "ZENTRALE" {Distance} 0 {Masquerade} No {Active} Yes {Comment} ""
add 192.168.0.0 255.255.0.0 0 0 {Peer-or-IP} "0.0.0.0" {Distance} 0 {Masquerade} No {Active} No {Comment} "template: block private networks: 192.168.x.y"
add 172.16.0.0 255.240.0.0 0 0 {Peer-or-IP} "0.0.0.0" {Distance} 0 {Masquerade} No {Active} No {Comment} "template: block private networks: 172.16-31.x.y"
add 10.0.0.0 255.0.0.0 0 0 {Peer-or-IP} "0.0.0.0" {Distance} 0 {Masquerade} No {Active} No {Comment} "template: block private network: 10.x.y.z"
add 255.255.255.255 0.0.0.0 0 0 {Peer-or-IP} "INET_VIA_HO-LAN" {Distance} 0 {Masquerade} on {Active} Yes {Comment} ""
cd /Setup/IP-Router/Firewall/Rules
# only these two rules, no others:
add "DENY_INTERNET" {Prot.} "ANY" {Source} "%LINTRANET" {Destination} "%HINET_VIA_HO-LAN" {Action} "INTERNET-FILTER" {LB-Policy} "" {LB-Switchover} No {Linked} No {Prio} 15 {Firewall-Rule} Yes {Stateful} Yes {Src-Tag} 0 {Rtg-tag} 0 {Comment} ""
add "WINS" {Prot.} "TCP UDP" {Source} "NETBIOS ANYHOST" {Destination} "ANYHOST" {Action} "INTERNET-FILTER" {LB-Policy} "" {LB-Switchover} No {Linked} No {Prio} 0 {Firewall-Rule} Yes {Stateful} Yes {Src-Tag} 0 {Rtg-tag} 0 {Comment} "block NetBIOS/WINS name resolution via DNS"
cd /Setup/DHCP/Network-list
add "INTRANET" {Start-Address-Pool} 0.0.0.0 {End-Address-Pool} 0.0.0.0 {Netmask} 0.0.0.0 {Broadcast-Address} 0.0.0.0 {Gateway-Address} 0.0.0.0 {DNS-Default} 0.0.0.0 {DNS-Backup} 0.0.0.0 {Operating} Yes [...]
set /Setup/DNS/Resolve-Domain No
set /Setup/DNS/Domain "my-domain.net"
cd /Setup/DNS/Sub-Domains
add "INTRANET" {Sub-Domain} "ad"
cd /Setup/DNS/DNS-Destinations
add "*.168.192.in-addr.arpa" 0 {Destination} "192.168.21.5 192.168.21.2"
add "*.ad.my-domain.net" 0 {Destination} "192.168.21.5 192.168.21.2"
add "ad.my-domain.net" 0 {Destination} "192.168.21.5 192.168.21.2"
add "*.my-domain.net" 0 {Destination} "INET_VIA_HO-LAN"
add "my-domain.net" 0 {Destination} "INET_VIA_HO-LAN"
cd /Setup/VPN/IKEv2/Peers
add "DEFAULT" {Active} Yes {SH-Time} 0 {Remote-Gateway} "" {Rtg-tag} 0 [...] {IPv4-Rules} ""
add "ZENTRALE" {Active} Yes {SH-Time} 9999 {Remote-Gateway} "ZENTRALE.my-domain.net" {Rtg-tag} 0 [...] {IPv4-Rules} "HOMEOFFICE-RULE"
cd /Setup/VPN/Networks/IPv4-Rules
add "HOMEOFFICE-RULE" {Local-Networks} "192.168.130.16/28" {Remote-Networks} "192.168.20.0/24, 192.168.21.0/24"
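As an added illustration of the reasoning in the post (not LCOS code and not written by the poster): a Python model of the two lookups involved, the DNS-Destinations match that picks the forwarder and the routing-table match that decides which peer the forwarded query leaves through. Wildcard precedence, the skipping of Active=No rows and writing the LCOS default route as 0.0.0.0/0 are my assumptions.

```python
import ipaddress

# Forwarding table, copied from the post's /Setup/DNS/DNS-Destinations.
DNS_DESTINATIONS = {
    "*.168.192.in-addr.arpa": ["192.168.21.5", "192.168.21.2"],
    "*.ad.my-domain.net": ["192.168.21.5", "192.168.21.2"],
    "ad.my-domain.net": ["192.168.21.5", "192.168.21.2"],
    "*.my-domain.net": ["INET_VIA_HO-LAN"],
    "my-domain.net": ["INET_VIA_HO-LAN"],
}
# Routes from the post as (network, peer, active); LCOS "255.255.255.255 0.0.0.0" is the default route, written here as 0.0.0.0/0 (assumption).
ROUTES = [
    ("192.168.20.0/24", "ZENTRALE", True),
    ("192.168.21.0/24", "ZENTRALE", True),
    ("192.168.0.0/16", "0.0.0.0", False),  # template rows, Active No
    ("172.16.0.0/12", "0.0.0.0", False),
    ("10.0.0.0/8", "0.0.0.0", False),
    ("0.0.0.0/0", "INET_VIA_HO-LAN", True),
]

def dns_destination(name):
    """Exact entry first, else the longest matching '*.' suffix (assumed semantics, not LCOS code)."""
    name = name.rstrip(".").lower()
    if name in DNS_DESTINATIONS:
        return DNS_DESTINATIONS[name]
    best = None
    for pattern, dest in DNS_DESTINATIONS.items():
        if pattern.startswith("*.") and name.endswith(pattern[1:]):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, dest)
    return best[1] if best else None

def route_peer(ip):
    """Longest-prefix match over active routes; Active=No rows are ignored."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, peer, active in ROUTES:
        network = ipaddress.ip_network(net)
        if active and addr in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, peer)
    return best[1] if best else None

def expected_path(name):
    """(forwarder, peer) pairs: an IP forwarder goes via its route, a peer-name destination leaves via that peer."""
    dest = dns_destination(name)
    if dest is None:
        return None
    return [(d, route_peer(d) if d[0].isdigit() else d) for d in dest]
```

For fileserver.ad.my-domain.net the model yields forwarders 192.168.21.5 and 192.168.21.2, both routed via ZENTRALE, which is exactly the expectation the trace contradicts.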