FLEX-to-FLEX VPN with VLANs
Master Member
I set up a FLEX50 (behind router) as client and a FLEX200 as Server (direct WAN). Works fine. As described here:
Now I started setting up VLANs on the FLEX50 and those work fine too.
But now that I am on the VLAN, I cannot connect to anything on the FLEX200 anymore.
If I plug into LAN2 of the FLEX50 (no VLAN), it works fine.
Is that related to the different subnets?
FLEX200 LAN is 192.168.10.x (no VLANs)
FLEX50 LAN is 192.168.20.x
FLEX50 VLAN is 192.168.23.x (I have several, but neither connects)
I tried to set up Policy Routes and Routing, but I am kinda lost :-)
Accepted Solution
-
So the FLEX50 LocalPolicy SUBNET only routes 192.168.20.0/24 not even thing else like VLAN is 192.168.23.x
I think you would need to setup another VPN on the FLEX50 per given LocalPolicy subnets
0
Guru MemberAll Replies
-
The the VLAN in the same zone as the LAN that works?
whats your
Local policyset too?0 -
FLEX200 Zones
LAN1 = lan1,vlan10,vlan1000
LAN2 (pysical port) also works as noted – it's part of lan1 in Network/Port.
But yeah – no VLAN makes things work as expected :-)FLEX50
LocalPolicy SUBNET, 192.168.20.0/24
RemotePolicy SUBNET, 192.168.10.0/24FLEX200
LocalPolicy SUBNET, 192.168.10.0/240 -
So the FLEX50 LocalPolicy SUBNET only routes 192.168.20.0/24 not even thing else like VLAN is 192.168.23.x
I think you would need to setup another VPN on the FLEX50 per given LocalPolicy subnets
0 -
Uhh OK… That comes as a surprize.
But it also makes perfect sense! :-)
I made the FLEX50 LocalPolicy 192.168.0.0 | 255.255.0.0 and that works!Guess that's not the best way to do this, but narrowing the mask shoud get me there, right?
Thank you so much!
0 -
Tested here with USG60W and Zywall 110 all you need to do is add another Remote Access (Client Role) with the same VPN gateway and remote policy and add a new Local policy.
0 -
Good to know, great way to make the network overlap more specific.
If only the Zyxel GUI had a way to duplicate settings…
0 -
Hi @StefanZ
As per your suggestion, duplicating the settings for a VPN rule is not recommended. This is because if there are multiple VPN gateways with the same settings in the configuration, it may cause the VPN to disconnect or traffic to be unreachable, especially for "site to site with dynamic peer". Therefore, I would recommend configuring different proposals and local/Peer IDs in different VPN rules.
0 -
Yeah well, Security Policy objects are pretty much the only objects you can duplicate. ;-)
The GUI does a pretty good job when it comes to detecting "overlapping" settings when you enter them manually… Although I concur that some duplications might not be covered by that.
0 -
Follow up:
Of cause you can just widen the netmask to reach all the IPs you need.
Instead of 255.255.255.0 I just used 255.255.0.0 and it works.
0
Zyxel Employee
Categories
- All Categories
- 397 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 78 Nebula Status and Incidents
- 5.1K Security
- 52 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 70 Switch Ideas
- 907 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 211 Service & License
- 332 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 880 Nebula FAQ
- 415 Security FAQ
- 221 Switch FAQ
- 195 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 63 Security Highlight
