Route http / https via a central site

Hello,

I operate Zyxel VPN routers (models VPN100, VPN300 and VPN1000) at seven sites.

The seven sites are networked in a full mesh.

So there are direct site-to-site tunnels between all sites over the Zyxel routers.

Until now, Internet traffic (http / https) has been broken out locally at each site.

Now the Internet traffic (http / https) is to be routed exclusively via the main site (public websites are fetched from the Internet through a central gateway).

To do this I created corresponding entries under "Policy Route" at the branch sites.

However, this did not work.

I tried it both with and without "Use IPv4 Policy Route to Overwrite Direct Route" enabled.

My "Policy Route" settings at the branch sites were:

User = any
Incoming = any
Source Address = any / alternatively also "local subnet of the branch site"
Destination Address = any
DSCP Code = any
Schedule = none
Service = http and https

Next-Hop:

Type: VPN Tunnel
VPN Tunnel: VPN tunnel between the two sites

DSCP Marking: preserve

In my current opinion, setting a return route is not necessary because the sites know each other's subnets.

I would be very grateful for tips and / or links to further information.

Best regards
Chris

Accepted Solution

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    Answer ✓
    Hi @Chris_C,
    It works by adding policy route in central site.
    Feel free to post issue there, we are delighted to assist.  =)
    ~~~policy route~~~
    Source is any
    Destination is Peer Lan subnet
    Next hop is VPN tunnel
    SNAT = None
    ~~~~~~~~~~~~~~~
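As an added illustration (not from the thread or from Zyxel), a small Python model of the forwarding path described above: the branch policy route pushes http/https into the tunnel, the central site forwards it to its WAN, and the central site's Address Translation (SNAT) setting decides whether the Internet reply can find its way back to the branch. All addresses are constructed for the model.

```python
import ipaddress
from dataclasses import dataclass, replace
# Constructed addresses for the model; none of them come from the thread.
BRANCH_LAN = ipaddress.ip_network("192.168.10.0/24")    # a branch site LAN
CENTRAL_LAN = ipaddress.ip_network("192.168.1.0/24")    # central site LAN
CENTRAL_WAN = ipaddress.ip_address("203.0.113.5")       # central site public address
WEB_SERVER = ipaddress.ip_address("198.51.100.20")      # some public web server
BRANCH_HOST = ipaddress.ip_address("192.168.10.50")     # a client at the branch

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def branch_next_hop(pkt):
    """Branch policy route: http/https from the branch LAN -> tunnel; everything else -> local WAN."""
    if pkt.src in BRANCH_LAN and pkt.dport in (80, 443):
        return "vpn_to_central"
    return "branch_wan"

def central_egress(pkt, snat, nat_table):
    """Central policy route for packets from the branch tunnel; snat is 'none' or 'outgoing-interface'."""
    if pkt.src in BRANCH_LAN and pkt.dst not in CENTRAL_LAN and snat == "outgoing-interface":
        nat_table[(pkt.dst, CENTRAL_WAN)] = pkt.src      # remember who gets the reply
        pkt = replace(pkt, src=CENTRAL_WAN)
    return pkt

def central_return(reply, nat_table):
    """Reply arrives on the central WAN: undo SNAT, then route it; the VPN already knows BRANCH_LAN."""
    original_src = nat_table.get((reply.src, reply.dst))
    if original_src is not None:
        reply = replace(reply, dst=original_src)
    return "vpn_to_branch" if reply.dst in BRANCH_LAN else "central_lan"

def end_to_end(snat):
    """Trace one HTTPS request from the branch and return the hops it takes."""
    nat_table = {}
    pkt = Packet(BRANCH_HOST, WEB_SERVER, 443)
    hops = [branch_next_hop(pkt)]
    if hops[0] != "vpn_to_central":
        return hops
    out = central_egress(pkt, snat, nat_table)
    hops.append("central_wan")
    # Without SNAT the packet leaves with a private branch source; the ISP cannot route the reply.
    if out.src in BRANCH_LAN:
        return hops + ["reply_dropped_by_isp"]
    reply = Packet(out.dst, out.src, 0)                  # port is irrelevant for this model
    return hops + [central_return(reply, nat_table)]
```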

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    Hi @Chris,
    Welcome to Zyxel community. =)
    Are all sites site to site VPN or Site-to-site with Dynamic Peer?

  • Chris_C
    Hi! Yes, all sites are connected via Site-to-site. No Dynamic Peers.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    Hi @Chris_C,

    You need to create policy route on central site to do SNAT from branch subnet to Internet.
  • Chris_C
    Hello,

    Thank you for your support.

    I appreciate it very much!

    I tried it, but still no function.

    What is Next Hop? VPN tunnel of the connection?

    This shows the branch site settings:

    [screenshot of the branch site policy route; image not included]

    After your suggestion I set these settings on central site:

    [screenshot of the central site policy route; image not included]

    I still make a mistake.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    Hi @Chris_C,

    It is at Address translation, please switch from None to outgoing-interface in central site.

  • Chris_C

    Many thanks for your support.

    Now I switched SNAT on central site to "outgoing-interface".

    However nothing changed.

    The HTTPS routing rule from branch to central site works fine.

    It is possible to open central site hosted internal websites from my test branch site.

    As expected, it is currently not possible to reach internal websites hosted on other branches from my test branch.

    So this rule works, I guess.

    Issue seems located on central site, as you said before.

    For test purposes I set https/any/any/allow under Policy Control on both sites.

    How about "Allow Asymmetrical Route" under "Policy Control" (disabled on both devices)?

    Does this have an impact?

    I am not really sure about the Incoming (Tunnel + branch subnet?) and Next-Hop settings (Interface? – we route directly to ISP instead of using PPPoE) on central site Policy Route.


  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    Hi @Chris_C,
    Can you send me central site startup configuration file in PM.
  • Chris_C
    > Hi @Chris_C,
    > Can you send me central site startup configuration file in PM.
    Hi,

    For sure! Thank you.

    Did you receive my PM with central site configuration file I send last week?
  • Chris_C
    Web gui access (Limited admin) is open now.

    Relevant information has been sent via PM.

    Thank you!

