Allow two different internet sources to OpenVPN appliance

ACS
ACS Posts: 2
edited April 2021 in Security
Right now I have two separate WANs which I'd like to set up so that either one will allow my users to connect to our VPN. I'm testing with port 3389 because it's a little easier. The user's client will try WAN1 first and then WAN2 if there is an issue.

WAN1 is on G1 and WAN2 is on G2; LAN is G3.

From my home PC (PC2) I connect to WAN2's public IP, which is forwarded to PC1, and the VPN log says "ACCESS FORWARD", so I know it at least got to PC1, but it looks like it wasn't able to talk back to PC2. I'm assuming it came in WAN2 but went back out WAN1.

My thoughts are something needs to change with the policy routes, but that's just a guess.

All Replies

  • ACS
    ACS Posts: 2
    It looks like I answered my own question. I had a policy route for each WAN with the next hop being WAN1 and WAN2 respectively. I added a third at the top and set the next hop to auto, which seems to be working now.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,139  Zyxel Employee

    Hi @ACS

    In your scenario, the NAT rule is working on WAN1.

    So it means the RDP server must respond via the WAN1 interface.

    If the policy route forces traffic to pass through WAN2, then PC2 will drop the packets.

    It is because PC2 receives response packets with an unknown IP address.

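As an added illustration (not part of the thread and not Zyxel code), here is a small Python model of the situation described above: the port-forward session is remembered on the WAN it entered, and the ordered policy routes decide which WAN PC1's reply leaves through. The public and private addresses are constructed from the RFC 5737 documentation ranges, and the "auto" next hop is modelled as "send the reply back out the WAN the session arrived on".

```python
# Toy model of the asymmetric-return problem from the thread (constructed data).
from dataclasses import dataclass

WAN_IP = {"WAN1": "198.51.100.10", "WAN2": "203.0.113.20"}  # constructed public IPs
PC1, PC2 = "10.0.0.5", "192.0.2.50"                          # LAN server, remote client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def inbound(pkt, sessions):
    """Port-forward rule on both WANs: <public IP>:3389 -> PC1:3389.
    Like a stateful firewall, remember which WAN the session arrived on."""
    for wan, ip in WAN_IP.items():
        if pkt.dst == ip and pkt.dport == 3389:
            sessions[(pkt.src, PC1)] = wan
            return Packet(pkt.src, PC1, 3389)
    return None


def route_reply(reply, routes, sessions):
    """Choose the egress WAN for PC1's reply from the ordered policy routes.
    'auto' = return via the WAN that owns the session; a fixed next hop wins
    as soon as it is reached. The reply is SNATed to the egress WAN's address."""
    for next_hop in routes:
        egress = sessions.get((reply.dst, reply.src)) if next_hop == "auto" else next_hop
        if egress:
            return Packet(WAN_IP[egress], reply.dst, reply.dport)
    return None


def client_accepts(dialed_ip, reply):
    """PC2 only matches a reply whose source is the address it connected to;
    anything else is an unknown peer and is dropped."""
    return reply is not None and reply.src == dialed_ip


def simulate(routes):
    sessions = {}
    syn = Packet(PC2, WAN_IP["WAN2"], 3389)   # PC2 dials WAN2's public IP
    fwd = inbound(syn, sessions)              # reaches PC1 ("ACCESS FORWARD")
    reply = Packet(fwd.dst, fwd.src, 3389)    # PC1 answers PC2
    return client_accepts(syn.dst, route_reply(reply, routes, sessions))


if __name__ == "__main__":
    print(simulate(["WAN1", "WAN2"]))          # False: reply leaves via WAN1
    print(simulate(["auto", "WAN1", "WAN2"]))  # True: reply returns via WAN2
```

The first route list reproduces the original post (reply leaves WAN1 with WAN1's address, so PC2 drops it); the second reproduces the fix of placing an "auto" route at the top.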