USG200 - VPN on one LAN port

thisisliam Posts: 10
edited January 2023 in Security
Hi All

I'm considering upgrading to a USG200 to create a site-to-site VPN between two countries ("A" & "B"). Only one device on my network (Location "B") requires the site-to-site VPN and must have an IP address from Location "A" (abroad); the rest of the network can remain by default on the local network in Location "B". However, I'd like to have the option, if necessary, to add more devices to the Location "A" network from Location "B" down the road.

In order to avoid using two routers at each location and opening up ports for the VPN to work, I am interested in whether I can use the USG200 as my primary router, use my existing router in bridge mode to create the WiFi network from one of the USG200 LAN ports, and assign the site-to-site VPN to another LAN port on the USG200, which in turn can have a switch attached if need be.

Apologies if this is a "n00b" question. I appreciate your patience with any explaining.

All Replies

  • smb_corp_user Posts: 161  Master Member
    If set up correctly (Trigger port, VPN triggered by outbound rule), you do not need to make any changes regardless of the number of devices in your local subnet. The USG device will either run a permanent VPN connection or a triggered VPN connection (depending on your practical VPN needs).

    It does not matter if you only have one computer or several computers, the VPN tunnel will run as long as you have set it to be open. You just define that your entire subnet (LAN) on your side has access to the VPN port and tunnel. Number of computers is irrelevant as long as LAN has access.
  • thisisliam
    Thank you for explaining. The tunnel will be permanent. So basically one subnet at location “b” will be local and I’d create a separate subnet for devices requiring the VPN to location A?
  • Zyxel_Jeff Posts: 1,099  Zyxel Employee
    edited January 2023


    Hello @thisisliam

    The answer is yes: when you create a site-to-site VPN on Zyxel firewalls, you need to define their remote and local policies, which means describing the remote and local subnets to each other, as in the example below.

    (screenshot) VPN connection settings of the Headquarters site.

    (screenshot) VPN connection settings of the Branch site.

    For the detailed site-to-site VPN settings, you can refer to the guide links below:
    An example of Site to Site VPN
    IPSec VPN Site To Site
    Thanks.
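The policy-mirroring rule in Zyxel_Jeff's reply, together with smb_corp_user's point that any host inside the declared local subnet uses the tunnel while everything else stays local, as an added example (not from the thread and not Zyxel code). It assumes constructed subnets: 192.168.10.0/24 at Location A, 192.168.20.0/24 on the USG200 LAN port dedicated to the tunnel at Location B, and 192.168.30.0/24 on the LAN port feeding the bridged WiFi router. Note that in a routed site-to-site tunnel the Location B host keeps its Location B address and reaches A's subnet through the tunnel; it is not handed an address from A.

```python
"""Sanity-check a pair of site-to-site IPsec VPN policies.

Added example, not from the thread or from Zyxel. Each side of a
site-to-site tunnel declares a local policy (its own subnet) and a remote
policy (the peer's subnet); the two sides must mirror each other, and the
two local subnets must not overlap. All subnets below are constructed.
"""
import ipaddress

Net = ipaddress.IPv4Network

# Constructed policies: HQ is Location A, BRANCH is the VPN LAN port at Location B.
HQ = {"local": "192.168.10.0/24", "remote": "192.168.20.0/24"}
BRANCH = {"local": "192.168.20.0/24", "remote": "192.168.10.0/24"}
# Constructed non-VPN LAN at Location B (bridged WiFi router on another LAN port).
BRANCH_OTHER_LANS = ["192.168.30.0/24"]


def mirror_errors(hq: dict, branch: dict) -> list:
    """Return problems with a pair of VPN policies; an empty list means they agree.

    Each dict has 'local' and 'remote' keys holding subnets in CIDR notation.
    """
    errors = []
    hq_local, hq_remote = Net(hq["local"]), Net(hq["remote"])
    br_local, br_remote = Net(branch["local"]), Net(branch["remote"])

    # Selectors must mirror: what HQ calls remote is what the branch calls local.
    if hq_local != br_remote:
        errors.append(f"HQ local {hq_local} != branch remote {br_remote}")
    if hq_remote != br_local:
        errors.append(f"HQ remote {hq_remote} != branch local {br_local}")
    # Overlapping local subnets make routing through the tunnel ambiguous
    # (the usual cause: both sites left on the same factory-default LAN).
    if hq_local.overlaps(br_local):
        errors.append(f"local subnets overlap: {hq_local} and {br_local}")
    return errors


def tunnel_path(host: str, branch: dict, other_lans: list) -> str:
    """Classify how a host at the branch relates to the tunnel policy.

    'vpn'     : host is inside the branch's local policy, so its traffic to the
                HQ subnet matches the selector and goes through the tunnel.
    'local'   : host sits on a LAN outside the policy; it stays local and never
                matches the tunnel selector.
    'unknown' : address is not in any configured subnet.
    """
    addr = ipaddress.IPv4Address(host)
    if addr in Net(branch["local"]):
        return "vpn"
    if any(addr in Net(lan) for lan in other_lans):
        return "local"
    return "unknown"


if __name__ == "__main__":
    print("mirror check:", mirror_errors(HQ, BRANCH) or "OK")
    # Misconfiguration: both sites kept a default 192.168.1.0/24 LAN.
    same = {"local": "192.168.1.0/24", "remote": "192.168.1.0/24"}
    print("default-LAN check:", mirror_errors(same, same))
    for ip in ("192.168.20.5", "192.168.30.7", "10.0.0.1"):
        print(ip, "->", tunnel_path(ip, BRANCH, BRANCH_OTHER_LANS))
```

Run it as a script to see the checks; the overlap error is the case to look for when a tunnel comes up but no traffic crosses it, and the classification shows that adding more hosts to the 192.168.20.0/24 port needs no policy change, as the first reply states.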