WOL office machine through L2TP VPN and broadcast in the office subnet

I try to wake up some machines in the office by WOL. L2TP works, but UDP packages sent to the office subnet broadcast never arrive.
What do I have to open to be able to send broadcast packages to the office subnet?
L2TP has IP like 10.0.13.x
Office subnet has 192.168.123.x

All Replies

  • valerio_vanni
    Zyxel devices don't support broadcasts directed to remote subnet.

    They are caught by the receiver firewall and considered "_to_Zywall" instead of "_to_LAN/DMZ/etc".

  • mMontana
    WebWorks said:
    What do I have to open to be able to send broadcast packages to the office subnet.
    Unfortunately... a relay. Even a Raspberry Pi, but outside the physical layer, most of the WOL packets are not routable. (There are some exceptions, but the "rule of thumb" I wrote up here quite matches most of the cases.)
  • Zyxel devices don't support broadcasts directed to remote subnet.

    They are caught by the receiver firewall and considered "_to_Zywall" instead of "_to_LAN/DMZ/etc".

    This means a security rule from IPSEC_VPN TO ZyWall, VPN-Range TO Lan1Subnet, Any_UDP Allow should solve the problem?
  • Zyxel_Jeff
    Hi @WebWorks

    Thanks for your inquiry. Currently, we don't support this scenario.
  • valerio_vanni
    WebWorks said:
    Zyxel devices don't support broadcasts directed to remote subnet.

    They are caught by the receiver firewall and considered "_to_Zywall" instead of "_to_LAN/DMZ/etc".

    This means a security rule from IPSEC_VPN TO ZyWall, VPN-Range TO Lan1Subnet, Any_UDP Allow should solve the problem?
    Security rules aren't an issue here. Nothing is rejected: you could set allow from everywhere to everywhere, and you'd get the same result.

    The issue is that a broadcast packet is not broadcast but is taken by the Zywall itself, like a little fish going into a whale's mouth.

    Perhaps you should try with a policy route with option "overwrite direct route", but I'm not confident it will work; people from Zyxel are saying that remote broadcast is something unsupported.

    You should set up a WOL proxy: a machine on the remote network that gets a normal (I mean unicast) package and then broadcasts on the LAN.
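
One way to build the WOL proxy suggested in the last reply, as an added example that is not part of the thread and not Zyxel's code: a relay on the office LAN that accepts unicast magic packets only from the VPN range, validates them, and rebroadcasts them locally. The /24 masks, UDP port 9, the allowlisted MAC and all function names are assumptions.

```python
import ipaddress
import socket

# Assumed values: the thread only gives 10.0.13.x and 192.168.123.x, /24 is a guess.
VPN_CLIENTS = ipaddress.ip_network("10.0.13.0/24")  # L2TP client range
LAN_BROADCAST = "192.168.123.255"                   # office subnet broadcast
WOL_PORT = 9                                        # conventional WOL UDP port
ALLOWED_MACS = {"00:11:22:33:44:55"}                # constructed sample MAC


def parse_magic_packet(data: bytes):
    """Return the target MAC ('aa:bb:...') of a well-formed magic packet, else None."""
    # Layout: 6 x 0xFF, then the MAC repeated 16 times, optional 4/6-byte password.
    if len(data) not in (102, 106, 108) or data[:6] != b"\xff" * 6:
        return None
    mac = data[6:12]
    if data[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def should_relay(data: bytes, src_ip: str) -> bool:
    """Relay only valid magic packets from VPN clients for allowlisted hosts."""
    # The source check also drops the relay's own rebroadcast, so it cannot loop.
    if ipaddress.ip_address(src_ip) not in VPN_CLIENTS:
        return False
    mac = parse_magic_packet(data)
    return mac is not None and mac in ALLOWED_MACS


def serve():
    """Receive unicast magic packets and rebroadcast them on the office LAN."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("0.0.0.0", WOL_PORT))  # ports below 1024 need elevated privileges
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    while True:
        data, (src_ip, _) = rx.recvfrom(256)
        if should_relay(data, src_ip):
            tx.sendto(data, (LAN_BROADCAST, WOL_PORT))


if __name__ == "__main__":
    serve()
```

The VPN client then sends its magic packet to the relay's unicast LAN address instead of the subnet broadcast address.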
