Force outgoing SMTP traffic to specific WAN without blocking SSL VPN local LAN
I have two WANs with two different static IPs. One is for mail and the other one for everything else. I have set up NAT and policy rules to control incoming traffic correctly. Now I also want to control outgoing traffic so SMTP goes out via WAN2 and all other traffic is forced to WAN1. WAN1 and 2 belong to a "Least Load First" trunk, but I will not use the load balancing in this case. I have learned this can be done with a "Policy Route" (SNAT) and I have set up one for SMTP traffic. I believe it works as intended (see picture below).
Now I also want to force all other traffic through WAN1 (otherwise the firewall will balance outgoing traffic between WAN1 and WAN2, but I don't want that), but if I activate the rule below my SSL VPN stops working. By that I mean I can connect to the VPN but can't ping any device on my LAN1 subnet anymore. The policy route screws up the VPN route.
Any suggestion how to solve that? I tried setting up a third route for SSL_VPN but I don't know how to do it properly.
Address config:
WAN1: x.x.x.1
WAN2: x.x.x.2
LAN1_subnet: 10.0.0.0/255.255.0.0
LAN1_interface: 10.0.0.1
VPN_POOL: 192.168.202.50-192.168.202.100
SSL VPN Extension local IP: 192.168.202.1
SSL VPN config:
Zone: SSL_VPN
Enable network extension (full tunnel mode): Yes
Force all client traffic to enter SSL VPN tunnel: No
NetBIOS broadcast over SSL VPN Tunnel: No
Assign IP pool: VPN_POOL (RANGE 192.168.202.50-192.168.202.100)
DNS Server 1: ZyWALL
Network list: LAN1_subnet
Policy control:
SSL_VPN_to_Device: From SSL_VPN to ZyWall (any any any any)
SSL_VPN_Outgoing: From SSL_VPN to Any (excl ZyWall) (any any any any)
WAN_to_Device: From WAN to Zywall (any any "default_allow_wan" any)
NAT
SSL VPN
Policy:
Comments
Please disable "Use IPv4 Policy Route to Overwrite Direct Route" on the policy route page.
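To see why the catch-all "everything to WAN1" policy route breaks the SSL VPN and why the suggested setting fixes it, here is a small added model of the route selection order. It is illustrative code written for this thread, not Zyxel's implementation or anything from the original post: the route tables, the /24 assumed for the VPN pool, the sample packets and the evaluation order are all assumptions. With "Use IPv4 Policy Route to Overwrite Direct Route" enabled, policy routes are consulted before the directly connected routes, so a VPN client's ping to 10.0.0.x matches the catch-all rule and is pushed (and SNATed) out WAN1 instead of into LAN1. With the setting disabled, the direct route to LAN1_subnet wins and only traffic with no direct route reaches the policy routes, so SMTP still goes to WAN2 and everything else to WAN1.

```python
"""Toy model of policy-route vs. direct-route precedence (added illustration,
not ZyWALL code). All tables and packets below are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0          # 0 = not applicable (e.g. ICMP)


@dataclass(frozen=True)
class PolicyRoute:
    name: str
    dst_net: str            # "any" or a CIDR string
    dport: int              # 0 = any destination port
    next_hop: str           # outgoing interface name


# Directly connected networks from the post. The VPN pool is modelled as a /24
# (assumption; the post only gives the pool range 192.168.202.50-100).
DIRECT_ROUTES = {
    "lan1": ip_network("10.0.0.0/16"),
    "ssl_vpn": ip_network("192.168.202.0/24"),
}

# The two policy routes described in the post, in evaluation order:
# SMTP first (to WAN2), then the catch-all (to WAN1).
POLICY_ROUTES = [
    PolicyRoute("SMTP_to_WAN2", "any", 25, "wan2"),
    PolicyRoute("Default_to_WAN1", "any", 0, "wan1"),
]


def policy_matches(pkt: Packet, pr: PolicyRoute) -> bool:
    """Criteria are limited to destination network and port, as in the post."""
    if pr.dport and pkt.dport != pr.dport:
        return False
    if pr.dst_net != "any" and ip_address(pkt.dst) not in ip_network(pr.dst_net):
        return False
    return True


def select_route(pkt: Packet, override_direct_route: bool,
                 policy_routes=POLICY_ROUTES) -> str:
    """Return the interface a packet leaves on.

    override_direct_route=True  -> policy routes are checked before the
                                   directly connected routes (the broken case).
    override_direct_route=False -> direct routes win; policy routes only see
                                   traffic that has no direct route.
    """
    dst = ip_address(pkt.dst)
    direct = next((ifc for ifc, net in DIRECT_ROUTES.items() if dst in net), None)

    if direct is not None and not override_direct_route:
        return direct

    for pr in policy_routes:
        if policy_matches(pkt, pr):
            return pr.next_hop

    # No policy route matched: direct route if any, else the WAN trunk
    # (where the "Least Load First" balancing would take over).
    return direct or "trunk"


# Constructed sample flows: the VPN client ping that failed, the LAN reply to
# it, an outbound SMTP session and an ordinary outbound HTTPS session.
SAMPLES = {
    "vpn_ping_lan": Packet("192.168.202.50", "10.0.0.5", "icmp"),
    "lan_reply_vpn": Packet("10.0.0.5", "192.168.202.50", "icmp"),
    "lan_smtp_out": Packet("10.0.0.20", "203.0.113.25", "tcp", 25),
    "lan_https_out": Packet("10.0.0.20", "203.0.113.80", "tcp", 443),
}


def diagnose(override_direct_route: bool) -> dict:
    """Map each sample flow to the interface chosen under the given setting."""
    return {name: select_route(pkt, override_direct_route)
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for setting in (True, False):
        print(f"override_direct_route={setting}: {diagnose(setting)}")
```

The run with the setting enabled shows the VPN ping leaving on wan1, which is exactly the symptom in the post (tunnel up, LAN unreachable). With it disabled the two local flows stay on lan1 and ssl_vpn while the policy routes still steer SMTP to WAN2 and the rest to WAN1. If the setting must stay enabled for another reason, the equivalent fix is to narrow the catch-all rule's destination so it excludes LAN1_subnet and the VPN pool; the model above can be used to check such a rule set before applying it.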