USG60. No access to one device in local network via VPN

itdesk
edited April 2021 in Security

My current configuration:
WAN1 x.x.x.x on port P1
WAN2 y.y.y.y on port P2
LAN1 on P3, P4, P5 ports.

I have a telephone exchange on and a VoIP card in this device on ; I created a group called "Grupa_centrala" with those two addresses.

I also created two trunks:
WAN1_Trunk - WAN1 active, WAN2 passive.
WAN2_Trunk - WAN1 passive, WAN2 active.

WAN2_Trunk is as "user configured Trunk".

In Policy Route i have one rule:

user: any
schedule: none
incoming: any (Excluding ZyWALL)
source: Grupa_centrala
destination: any
dscp code: any
service: any
source port: any
Next-hop: WAN1_Trunk
dscp marking: preserve
SNAT: outgoing-interface

This rule makes all 'telephone traffic' go out via WAN1 and all other traffic go out via WAN2. And this works.

I have also configured SSL_VPN:

name: SSL_VPN
zone: SSL_VPN
user/group: VPN_users (with two users)
enable network extension (full tunnel mode): yes/active
assign ip pool: VPN_range (
network list: LAN1_SUBNET

SecuExtender connects perfectly. I get a correct IP (from VPN_range). But I cannot access the telephone exchange via VPN ( and I can access other devices from the local network ( but those two unfortunately not... When I disable the one rule in Policy Routing, it works.
How should this rule look? I tried a lot of configurations but without any effect...

Could you help me?


  • Ian31
    Do you have the option "Use IPv4 Policy Route to Override Direct Route" enabled on the policy route page?
    Disable it.

  • itdesk

    I have disabled "Use IPv4 Policy Route to Override Direct Route" and my problem was fixed... I didn't try it before. So... the problem was solved. Thank you Ian31!
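Added here as an illustration, not code from the thread or from Zyxel: a small Python model of the route-selection order the fix above depends on. It assumes that "Use IPv4 Policy Route to Override Direct Route" moves policy routes ahead of directly connected routes in the lookup, and that the SSL VPN pool counts as a directly connected network on an interface called "ssl_vpn" here. The subnets, the two Grupa_centrala addresses and the VPN pool are constructed (the post gives no addresses), and the third scenario, a more specific rule with next-hop "Auto" placed above the WAN1 rule, is a modelled alternative the thread did not try. The model shows the failure mode a practitioner should care about: with the override on, the exchange's replies to a VPN client's private address match "source Grupa_centrala, destination any" and are forwarded to WAN1_Trunk instead of back into the tunnel.

```python
# Added example (not Zyxel code): model of ZyWALL route selection with and
# without "Use IPv4 Policy Route to Override Direct Route".
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network
ANY = IPv4Net("0.0.0.0/0")


@dataclass
class PolicyRoute:
    name: str
    src: list        # address objects (IPv4Network); [] means "any"
    dst: IPv4Net     # 0.0.0.0/0 means "any"
    next_hop: str    # trunk/interface name, or "auto" = use normal routing


@dataclass
class Router:
    direct: dict                  # interface -> directly connected subnet
    policy_routes: list           # evaluated top to bottom, first match wins
    default_trunk: str            # system default WAN trunk
    override_direct_route: bool   # the checkbox discussed in the thread

    def _direct_iface(self, dst):
        for iface, net in self.direct.items():
            if dst in net:
                return iface
        return None

    def _policy_hop(self, src, dst):
        for pr in self.policy_routes:
            if (not pr.src or any(src in n for n in pr.src)) and dst in pr.dst:
                return pr.next_hop
        return None

    def next_hop(self, src, dst):
        """Return the trunk/interface a packet src->dst is forwarded to."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        direct = self._direct_iface(dst)
        if direct and not self.override_direct_route:
            return direct                      # flag off: direct route wins
        hop = self._policy_hop(src, dst)
        if hop and hop != "auto":
            return hop                         # flag on: policy route wins
        return direct or self.default_trunk    # "auto" or no match: normal lookup


# Constructed topology; the post names the objects but not the addresses.
LAN1_SUBNET = IPv4Net("192.168.1.0/24")
VPN_RANGE = IPv4Net("10.10.10.0/24")          # SSL VPN "VPN_range" pool
GRUPA_CENTRALA = [IPv4Net("192.168.1.10/32"), IPv4Net("192.168.1.11/32")]

# The single policy route from the post: source Grupa_centrala, destination any.
TELEPHONE_RULE = PolicyRoute("Grupa_centrala->WAN1", GRUPA_CENTRALA, ANY, "WAN1_Trunk")


def build(override, exclude_vpn=False):
    """Router with the post's rule; optionally a modelled VPN exclusion on top."""
    rules = [TELEPHONE_RULE]
    if exclude_vpn:   # hypothetical: more specific rule, next-hop Auto, placed first
        rules.insert(0, PolicyRoute("Grupa_centrala->VPN_range", GRUPA_CENTRALA,
                                    VPN_RANGE, "auto"))
    return Router({"lan1": LAN1_SUBNET, "ssl_vpn": VPN_RANGE}, rules,
                  "WAN2_Trunk", override)


def scenarios():
    """Forwarding decisions for the flows discussed in the thread."""
    pbx, pc, client, inet = "192.168.1.10", "192.168.1.50", "10.10.10.5", "203.0.113.9"
    configs = {
        "override_on": build(True),
        "override_off": build(False),
        "override_on_with_exclusion": build(True, exclude_vpn=True),
    }
    return {
        label: {
            "pbx->internet": r.next_hop(pbx, inet),
            "pc->internet": r.next_hop(pc, inet),
            "client->pbx": r.next_hop(client, pbx),
            "pbx->client": r.next_hop(pbx, client),   # the return path that broke
        }
        for label, r in configs.items()
    }


if __name__ == "__main__":
    for label, flows in scenarios().items():
        print(label)
        for flow, hop in flows.items():
            print(f"  {flow:15} -> {hop}")
```

With the override on, "pbx->client" resolves to WAN1_Trunk: the SYN from the VPN client reaches the exchange over lan1, but the reply leaves the firewall towards the Internet, so the connection never completes. With the override off (the fix in the thread), or with the modelled exclusion rule above the WAN1 rule, the reply goes back to the ssl_vpn interface while Internet-bound calls still follow WAN1.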
