Ping VPN to LAN

Pas7o
Pas7o Posts: 10
Good morning,
I have 2 NAS: one in the company and one in my house.
I would like to make a remote backup from the company NAS to the home NAS.
On the NAS at home, I was able to set up the VPN.
Not on the company.
That’s why I wanted to create a rule in Security Policy specifying that the NAS in the company could see and reach the NAS at home.
So, in Source I put company NAS IP address and in Destination I put home NAS VPN IP address.
But it doesn’t seem to work.
What did I do wrong?
Thanks.

All Replies

  • mMontana
    mMontana Posts: 1,380  Guru Member
    Brand of the NAS devices? 
    Which technology of VPN are you using?
    Am I correct in assuming that you have a Zyxel firewall in the company?
  • Pas7o
    Pas7o Posts: 10
    edited August 2022
    .
  • Pas7o
    Pas7o Posts: 10
    mMontana said:
    Brand of the NAS devices? 
    Which technology of VPN are you using?
    Am I correct in assuming that you have a Zyxel firewall in the company?
    1) QNAP and Synology
    2) L2TP/IPSec
    3) Yes but it's in Nebula Control Center
  • mMontana
    mMontana Posts: 1,380  Guru Member
    In my personal opinion, the "remote" one (the one not behind the firewall) should call the firewall, not the NAS, acting like an L2TP client.
    The firewall (unless instructed differently) is "eating" traffic on ports 500, 1701, 4500 (if necessary) and asking Nebula "what am I gonna do with this connection?".
    Then the "remote" NAS will be a part of the L2TP Address pool, and unless configured differently, a security policy should allow the access to the "local" NAS.

    This is only one way to approach the result you want to achieve.

  • Pas7o
    Pas7o Posts: 10
    mMontana said:
    In my personal opinion, the "remote" one (the one not behind the firewall) should call the firewall, not the NAS, acting like an L2TP client.
    The firewall (unless instructed differently) is "eating" traffic on ports 500, 1701, 4500 (if necessary) and asking Nebula "what am I gonna do with this connection?".
    Then the "remote" NAS will be a part of the L2TP Address pool, and unless configured differently, a security policy should allow the access to the "local" NAS.

    This is only one way to approach the result you want to achieve.

    Ok but to do this, you have to create a rule in Security Policy.
    How would you do it?
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    Hi @Pas7o
    Your scenario is initiating an L2TP IPSec VPN tunnel from your company intranet to your NAS, which is behind your home gateway.
    So your home NAS is an L2TP VPN server.
    You have to create a port forwarding rule on your home gateway.

    And also, go create a Security Policy rule to allow the L2TP service ports to your NAS IP address.

    I'm not sure which L2TP VPN port is in use on your NAS. In this example, UDP 500, 4500, 1701 are the standard ports of L2TP over IPSec.

    Note:
    • #1 Since the L2TP server is behind a NAT router, you have to enable the "NAT Traversal" function on your NAS and client.
    • #2 The port forwarding rule will affect the L2TP service on the Nebula Gateway. If you can use another public IP address for the NAS L2TP service, then it could prevent this situation.
  • Pas7o
    Pas7o Posts: 10
    Zyxel_Stanley said:
    Hi @Pas7o
    Your scenario is initiating an L2TP IPSec VPN tunnel from your company intranet to your NAS, which is behind your home gateway.
    So your home NAS is an L2TP VPN server.
    You have to create a port forwarding rule on your home gateway.

    And also, go create a Security Policy rule to allow the L2TP service ports to your NAS IP address.

    I'm not sure which L2TP VPN port is in use on your NAS. In this example, UDP 500, 4500, 1701 are the standard ports of L2TP over IPSec.

    Note:
    • #1 Since the L2TP server is behind a NAT router, you have to enable the "NAT Traversal" function on your NAS and client.
    • #2 The port forwarding rule will affect the L2TP service on the Nebula Gateway. If you can use another public IP address for the NAS L2TP service, then it could prevent this situation.

    I don't want to open ports.
    I thought it was easier.
    Because my home NAS is under VPN.
    I can't set up the VPN on my company NAS, otherwise it would have been much easier.
    I thought it was enough to create a rule in Security Policy, so that devices under VPN can also be reached from LAN interfaces.
    Because now, only devices under VPN can reach devices in LAN interfaces. I want vice versa.
  • Pas7o
    Pas7o Posts: 10
    On QNAP it's impossible to set "NAT Traversal". There isn't this option when I set up the VPN.
    I can enable "NAT Traversal" only on Synology.
  • mMontana
    mMontana Posts: 1,380  Guru Member
    Pas7o said:
    Ok but to do this, you have to create a rule in Security Policy.
    How would you do it?

    If you don't explicitly tell me what "this" means to you (which solution you are referring to) I cannot think and write down an adequate (for me) security policy :/
  • Pas7o
    Pas7o Posts: 10
    mMontana said:
    Pas7o said:
    Ok but to do this, you have to create a rule in Security Policy.
    How would you do it?

    If you don't explicitly tell me what "this" means to you (which solution you are referring to) I cannot think and write down an adequate (for me) security policy :/

    I have 1 LAN interface (192.168.1.X) and 1 VPN (192.168.2.X).
    I set up the VPN on my PC and I can ping devices in the LAN interface 192.168.1.X.
    But a device in the LAN interface 192.168.1.X can't ping a device under VPN.
    Because, for now, only devices under VPN can reach devices in LAN interfaces. I want vice versa.
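As an added illustration (written for this thread, not code from any poster and not Zyxel/Nebula configuration syntax), a small Python model of a first-match, default-deny security policy using the two subnets from the thread. It shows why the VPN-to-LAN direction works while a LAN-initiated ping to the VPN pool needs its own rule, and how a port-scoped rule for the L2TP/IPsec service ports (UDP 500, 4500, 1701) behaves. Zone names, host addresses and the rule format are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zones: office LAN and the L2TP address pool from the thread.
ZONES = {
    "LAN1": ipaddress.ip_network("192.168.1.0/24"),
    "L2TP_VPN": ipaddress.ip_network("192.168.2.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str       # zone name or "any"
    dst_zone: str       # zone name or "any"
    proto: str          # "any", "udp", "tcp", "icmp"
    dports: frozenset   # empty set = any destination port
    action: str         # "allow" or "deny"

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"        # anything outside the known subnets

def evaluate(rules, src, dst, proto="icmp", dport=0):
    # First matching rule wins; no match falls through to the implicit deny.
    # A stateful firewall permits replies to an allowed flow, so the
    # *initiating* direction is what the rules must cover.
    sz, dz = zone_of(src), zone_of(dst)
    for r in rules:
        if (r.src_zone in (sz, "any") and r.dst_zone in (dz, "any")
                and r.proto in (proto, "any")
                and (not r.dports or dport in r.dports)):
            return r.action
    return "deny"

# Assumed baseline: VPN clients may initiate to the LAN, nothing else.
BASE = [Rule("L2TP_VPN", "LAN1", "any", frozenset(), "allow")]
# The rule Pas7o is asking about: LAN hosts initiating to the VPN pool.
LAN_TO_VPN = Rule("LAN1", "L2TP_VPN", "any", frozenset(), "allow")
# Port-scoped inbound rule for the L2TP/IPsec service ports only.
L2TP_IN = Rule("WAN", "LAN1", "udp", frozenset({500, 4500, 1701}), "allow")

def check_scenarios():
    return {
        "vpn_to_lan": evaluate(BASE, "192.168.2.10", "192.168.1.20"),
        "lan_to_vpn_no_rule": evaluate(BASE, "192.168.1.20", "192.168.2.10"),
        "lan_to_vpn_with_rule": evaluate(BASE + [LAN_TO_VPN], "192.168.1.20", "192.168.2.10"),
        "wan_l2tp_to_nas": evaluate(BASE + [L2TP_IN], "203.0.113.5", "192.168.1.30", "udp", 1701),
        "wan_other_to_nas": evaluate(BASE + [L2TP_IN], "203.0.113.5", "192.168.1.30", "udp", 53),
    }
```

Run `check_scenarios()` to see each direction's verdict; only the LAN-initiated flow changes when the extra rule is present, and the port-scoped rule admits nothing but the listed UDP ports.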
