FLEX-to-FLEX VPN with VLANs

Options
StefanZ
StefanZ Posts: 191  Master Member
First Anniversary 10 Comments Friend Collector First Answer

I set up a FLEX50 (behind router) as client and a FLEX200 as Server (direct WAN). Works fine. As described here:

Now I started setting up VLANs on the FLEX50 and those work fine too.

But now that I am on the VLAN, I cannot connect to anything on the FLEX200 anymore.

If I plug into LAN2 of the FLEX50 (no VLAN), it works fine.

Is that related to the different subnets?
FLEX200 LAN is 192.168.10.x (no VLANs)
FLEX50 LAN is 192.168.20.x
FLEX50 VLAN is 192.168.23.x (I have several, but neither connects)

I tried to set up Policy Routes and Routing, but I am kinda lost :-)

Accepted Solution

  • PeterUK
    PeterUK Posts: 2,848  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited February 2023 Answer ✓
    Options

    So the FLEX50 LocalPolicy SUBNET only routes 192.168.20.0/24 not even thing else like VLAN is 192.168.23.x

    I think you would need to setup another VPN on the FLEX50 per given LocalPolicy subnets

All Replies

  • PeterUK
    PeterUK Posts: 2,848  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited February 2023
    Options

    The the VLAN in the same zone as the LAN that works?

    whats your  Local policy set too?

  • StefanZ
    StefanZ Posts: 191  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited February 2023
    Options

    FLEX200 Zones
    LAN1 = lan1,vlan10,vlan1000
    LAN2 (pysical port) also works as noted – it's part of lan1 in Network/Port.
    But yeah – no VLAN makes things work as expected :-)

    FLEX50
    LocalPolicy SUBNET, 192.168.20.0/24
    RemotePolicy SUBNET, 192.168.10.0/24

    FLEX200
    LocalPolicy SUBNET, 192.168.10.0/24

  • PeterUK
    PeterUK Posts: 2,848  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited February 2023 Answer ✓
    Options

    So the FLEX50 LocalPolicy SUBNET only routes 192.168.20.0/24 not even thing else like VLAN is 192.168.23.x

    I think you would need to setup another VPN on the FLEX50 per given LocalPolicy subnets

  • StefanZ
    StefanZ Posts: 191  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Uhh OK… That comes as a surprize.
    But it also makes perfect sense! :-)
    I made the FLEX50 LocalPolicy 192.168.0.0 | 255.255.0.0 and that works!

    Guess that's not the best way to do this, but narrowing the mask shoud get me there, right?

    Thank you so much!

  • PeterUK
    PeterUK Posts: 2,848  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Tested here with USG60W and Zywall 110 all you need to do is add another Remote Access (Client Role) with the same VPN gateway and remote policy and add a new Local policy.

  • StefanZ
    StefanZ Posts: 191  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Good to know, great way to make the network overlap more specific.

    If only the Zyxel GUI had a way to duplicate settings…

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,373  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @StefanZ

    As per your suggestion, duplicating the settings for a VPN rule is not recommended. This is because if there are multiple VPN gateways with the same settings in the configuration, it may cause the VPN to disconnect or traffic to be unreachable, especially for "site to site with dynamic peer". Therefore, I would recommend configuring different proposals and local/Peer IDs in different VPN rules.

  • StefanZ
    StefanZ Posts: 191  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Yeah well, Security Policy objects are pretty much the only objects you can duplicate. ;-)

    The GUI does a pretty good job when it comes to detecting "overlapping" settings when you enter them manually… Although I concur that some duplications might not be covered by that.

  • StefanZ
    StefanZ Posts: 191  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Follow up:

    Of cause you can just widen the netmask to reach all the IPs you need.

    Instead of 255.255.255.0 I just used 255.255.0.0 and it works.

Security Highlight