Subnet directed broadcast through vpn tunnel
valerio_vanni
Posts: 116 Ally Member
in Security
Setup is: a local network, with a firewall (USG Flex), and a client connected with an IPsec VPN tunnel. Or two local networks, connected with an IPsec VPN tunnel.
The result is the same; the common thing is that there is a tunnel between sender and receiver.
Policy control is "allow and log" in both directions.
A packet is directed at the broadcast address of the remote network, and it doesn't reach its destination. It's a Wake-on-LAN broadcast, which works inside a single network.
The only thing I see in the logs is that the packet reaches the receiving firewall (and it's accepted).
But nothing more.
All Replies
-
1) Is your purpose to let the VPN user access the internal network?
2) A packet is directed at the broadcast address of the remote network, and it doesn't reach its destination.
-> Does the VPN user's NIC IP conflict with the firewall?
3) Can you share the brief topology and hint IP addresses here?
-
WJS said:
1) Is your purpose to let the VPN user access the internal network?
2) A packet is directed at the broadcast address of the remote network, and it doesn't reach its destination.
-> Does the VPN user's NIC IP conflict with the firewall?
3) Can you share the brief topology and hint IP addresses here?

1) Yes, they already can. Normal traffic from IP to IP is working fine: ping, RDP, SMB etc.
The issue is with broadcast traffic, when a client tries to wake up a client on the remote network by sending packets to the remote broadcast address.
Software used is mc-wol: https://www.matcode.com/wol.htm
The command is:
mc-wol.exe 80:6d:97:0a:f4:d6 /a 10.10.40.255
2) No, it doesn't.
3) We have a remote client, with the Zyxel IPsec client, a variable local address and a fixed address assigned (locally, inside the IPsec client) in 192.168.5.*.
On the other side, behind a USG Flex, there is a LAN with addresses 10.10.40.0/24. The firewall has LAN address 10.10.40.254.
In the USG Flex log, I see that the packet is received and is accepted by the firewall rule:
priority:14, from IPSec_VPN to ZyWALL, UDP, service others, ACCEPT 192.168.5.86:3813 10.10.40.255:65535
But here I see something that seems not to be OK: "IPSec_VPN to ZyWALL".
Why "to ZyWALL"? It should be classified as "IPSec_VPN_to_LAN1". A packet to .255 should be broadcast on the local network, not sent to the device itself.
-
In my opinion, it's hard to implement on a Zyxel firewall. A Layer 3 device always splits the broadcast domain, except for some routers that support "Directed-Broadcast".
Without that feature, the magic packet cannot go through the LAN interface.
-
This would be a directed broadcast, directed to the remote subnet.
My aim is not to have a single broadcast domain, with the firewall detecting local broadcasts and forwarding them to the remote side.
I send a broadcast to remote-subnet.255, and I expect it to be broadcast there.
Instead, it's received by the firewall. ACCEPT... but accept to do what?
-
Yes, the log says accept, but the firewall didn't forward the broadcast to the local LAN (10.10.40.x).
In your topology, the client sends the broadcast packet with dst: 10.10.40.255, MAC: ff:ff:ff:ff:ff:ff. The payload contains the remote host's MAC.
Here are the behaviours of a Layer 3 device that receives a broadcast. You can find them in RFC 919:
https://datatracker.ietf.org/doc/html/rfc919
Of course, turning on some functions (like Directed-Broadcast on Cisco) can achieve the purpose, but it seems that the firewall does not support it.
-
Now it's clear why the packet is considered "to ZyWALL": "Again, the gateway should consider itself a destination of the datagram".
About not broadcasting, is this a recent strip-down of the firmware?
I remember that many years ago it was working with Zyxel firewalls: remote users connected to the VPN, launched a local batch file with a command like the one I wrote before, their PC at the office woke up and then they could RDP into it.
And I remember it worked out of the box; there wasn't anything to enable.
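The magic packet that mc-wol sends and the directed-broadcast address discussed in this thread, as an added example that is not part of the thread and not code from Zyxel or mc-wol: it builds and parses a Wake-on-LAN magic packet (6 bytes of 0xFF followed by the target MAC repeated 16 times, which is the "payload contains the remote host's MAC" above) and classifies a destination address relative to the 10.10.40.0/24 LAN, so 10.10.40.255 comes out as the subnet-directed broadcast that RFC 919 says the gateway itself is a destination of. The function names, the constructed sample payloads and the send helper are my own assumptions; the MAC, the LAN prefix and the VPN client address are the ones posted above.

```python
import ipaddress
import socket
from typing import Optional

SYNC = b"\xff" * 6  # synchronization stream that opens every magic packet


def build_magic_packet(mac: str) -> bytes:
    """Build a Wake-on-LAN magic packet: 6 x 0xFF, then the MAC 16 times (102 bytes)."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    mac_bytes = bytes(int(p, 16) for p in parts)
    return SYNC + mac_bytes * 16


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the MAC carried by a magic packet, or None if the payload is not one.

    The sync stream may sit anywhere in the UDP payload (some senders prepend
    data), so every candidate offset is checked for 16 identical MAC copies.
    """
    idx = payload.find(SYNC)
    while idx != -1:
        body = payload[idx + 6: idx + 6 + 96]
        if len(body) == 96:
            mac = body[:6]
            if body == mac * 16:
                return ":".join(f"{b:02x}" for b in mac)
        idx = payload.find(SYNC, idx + 1)
    return None


def classify_destination(dst_ip: str, lan: str) -> str:
    """Classify dst_ip relative to a LAN prefix such as '10.10.40.0/24'.

    A subnet-directed broadcast is the prefix's highest address; per RFC 919 the
    gateway that owns the prefix treats itself as a destination of it, which is
    why the USG log above classifies the packet as 'IPSec_VPN to ZyWALL'.
    """
    ip = ipaddress.ip_address(dst_ip)
    net = ipaddress.ip_network(lan, strict=False)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if ip == net.broadcast_address:
        return "directed-broadcast"
    if ip in net:
        return "unicast-in-lan"
    return "unicast-off-lan"


def send_magic_packet(mac: str, dst_ip: str, port: int = 9) -> int:
    """Send the magic packet over UDP (SO_BROADCAST is needed for a .255 target).

    Port 9 (discard) is the usual choice; the log line above shows mc-wol using
    65535. Returns the number of bytes handed to the socket.
    """
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (dst_ip, port))


if __name__ == "__main__":
    # Constructed walk-through using the values from the thread (nothing is sent).
    target_mac = "80:6d:97:0a:f4:d6"
    pkt = build_magic_packet(target_mac)
    print(len(pkt), "bytes, carries MAC", parse_magic_packet(pkt))
    for dst in ("10.10.40.255", "10.10.40.2", "192.168.5.86", "255.255.255.255"):
        print(dst, "->", classify_destination(dst, "10.10.40.0/24"))
```

Running the walk-through shows why the thread's packet never reaches the office PC as a broadcast: 10.10.40.255 is the directed broadcast of the LAN prefix, so a router that does not implement directed-broadcast forwarding consumes it rather than re-emitting it on the LAN segment, even though the policy rule logged ACCEPT.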