Routing all internet traffic through a VPN S2S Tunnel
We have an ATP200 at our main office and want to introduce several UGS Flex 50 for branch office / home office locations. We have set up the VPN tunnels successfully, static routing is working as expected.
However, as the UGS Flex 50 are limited in the protective functionality, we want to route all the internet traffic via the ATP200 and thus the main office.
I thought I should be able to set it up in the policy control, but I just can not figure it out.
Any help would be greatly appreciated.
Best
Christian
Edit:
Ok. Obviously, I should use policy routing. But it still does not work. I followed the article below, but I am unable to reach the internet. Tracert just says connection timeout:
tracert 8.8.8.8
Routenverfolgung zu dns.google [8.8.8.8]
über maximal 30 Hops:
1 1 ms <1 ms <1 ms myrouter.local [192.168.11.1]
2 * * * Zeitüberschreitung der Anforderung.
3 * * * Zeitüberschreitung der Anforderung.
4 * * * Zeitüberschreitung der Anforderung.
5 * * * Zeitüberschreitung der Anforderung.
https://support.zyxel.eu/hc/en-us/articles/360001440613-Policy-Routes-USG-VPN-ATP-Different-scenario-usages-configurations#two
Accepted Solution
-
Hello @CWoznik,
I would give the suggestion like @peterUK
You need two policies
One is to route the traffic from the subnet of office/home to the VPN tunnel. (At USG FLEX 50)
Another is to route the traffic which comes through the VPN tunnel from the subnet of office/home to WAN. (At ATP200)On ATP200
-Site-to-Site VPN
Local policy: 0.0.0.0/0
Remote policy: the subnet of office/home
-Policy Route
From: remote subnet of office/home
To: any
Next-Hop: WANOn USG FLEX 50
-Site-to-Site VPN
Local policy: the subnet of office/home
Remote policy: 0.0.0.0/0
-Policy Route
From: remote subnet of office/home
To: any
Next-Hop: VPN tunnel0
Zyxel Employee
All Replies
-
Not sure why you need static route?
A setup one I have done should work for you but speed will be limited going down the tunnel.
At flex 50 end change the tunnel remote policy to subnet 0.0.0.0/0
make a routing rule incoming LAN1 next hop VPN Tunnel your tunnel.
At ATP 200 end change the tunnel local policy to subnet 0.0.0.0/0
make a routing rule incoming tunnel you tunnel next hop WAN
You might need to make a rule above this for from LAN1 flex 50 to LAN1 ATP 200 subnet.
You then also need to make policy control rules
0 -
Ok I am doing something wrong then.
This is what I have now:
ATP200 side:
UGS Flex 50:
However this still does not allow me to get a working internet connection. Sure I can access the other network, but thats it. Even a ping to 1.1.1.1 fails.
0 -
On ATP you need routing rule
Incoming tunnel your tunnel
no need for source/destination
next hop WAN
SNAT outgoing-interface
0 -
Hello @CWoznik,
I would give the suggestion like @peterUK
You need two policies
One is to route the traffic from the subnet of office/home to the VPN tunnel. (At USG FLEX 50)
Another is to route the traffic which comes through the VPN tunnel from the subnet of office/home to WAN. (At ATP200)On ATP200
-Site-to-Site VPN
Local policy: 0.0.0.0/0
Remote policy: the subnet of office/home
-Policy Route
From: remote subnet of office/home
To: any
Next-Hop: WANOn USG FLEX 50
-Site-to-Site VPN
Local policy: the subnet of office/home
Remote policy: 0.0.0.0/0
-Policy Route
From: remote subnet of office/home
To: any
Next-Hop: VPN tunnel0
Guru Member
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 142 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 224 USG FLEX H Series
- 266 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 244 Service & License
- 384 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3.1K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 84 About Community
- 71 Security Highlight
