USG60 VPN Users can be seen from LAN, but LAN not from VPN Users
In advance, sorry for my newbie question.
This is my configuration:
Clients macOS
ZyWALL USG60
Connected via WAN1ppp
LAN: 192.168.1.1
VPN connection: L2TP
VPN pool: 192.168.10.190-199
VPN client1 confirms address 192.168.10.190
VPN client2 confirms address 192.168.10.191
From client1, I can ping client2, and from client2 I can ping client1
Neither client 1 nor 2 can ping anything in 192.168.1.x
From 192.168.1.x I can ping 192.168.10.190 and 191
At a different location with a USG60, connected without ppp, I can ping both ways.
Where is the "filter"?
In advance, thank you very much for your support
All Replies
Hi @regle
From your description, the reason seems to come from a policy control rule dropping the packets.
In the default setting, the L2TP client will be able to access all IP subnets that exist on the USG.
You can make sure your rules still exist.
Hi Stanley,
Thank you so much for your support.
I did not "tamper" with those settings:
IPSec_VPN is:
And EZMODE_VPN_L2TP:
Really appreciate your support.
Rainer
Almost the same question re VPN clients and the subnet they are connected to.
Initially, I used to set up the pool for VPN from the same subnet (LAN1) where normal clients are.
(example: VPN pool 192.168.1.10-20, DHCP pool 192.168.1.30-100). There was absolutely no conflict; the setup allowed all clients to ping each other as they were in the same subnet, and that was the desired state.
The mentioned scheme was working up to firmware version 4.25 inclusively, while starting from version 4.30 and higher, as was advised by local Zyxel support, the logic changed and the VPN clients MUST have their pool from a separate subnet.
It caused a pain actually, as from that time the VPN clients no longer live in the same IP subnet.
Is there any chance to restore the functionality re VPN that allowed the VPN pool to belong to the same subnet as LAN1?
p.s. a routing policy from the VPN pool subnet to LAN1 allows VPN clients to ping the LAN1 clients. But two-way communication is required in fact. The requirement is that all clients in LAN1 have to be able to ping and communicate with VPN clients.
If VPN clients use the same IP subnet, it may cause routing issues.
So we suggest using an IP subnet that is not used on any interface.
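As an added illustration (not code from this thread or from Zyxel), a small Python model of the two points raised above: the pool-versus-interface-subnet overlap check behind the "separate subnet" advice, and why a zone policy that lets LAN1 reach the VPN clients does not by itself let the VPN clients reach LAN1. The rule model, the zone names and the sample rule sets are assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed values modelled on the thread: LAN1 is 192.168.1.0/24 behind
# 192.168.1.1 and the L2TP pool is 192.168.10.190-199.
LAN1 = ipaddress.ip_network("192.168.1.0/24")
INTERFACE_SUBNETS = [LAN1]


def pool_overlaps(pool_start: str, pool_end: str,
                  subnets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Return every interface subnet that shares addresses with the pool.

    An empty list is the state the 4.30+ firmware insists on: the L2TP pool
    must not overlap a subnet that is already bound to an interface.
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end precedes pool start")
    # Two ranges overlap unless one ends before the other begins.
    return [str(n) for n in subnets if not (end < n[0] or start > n[-1])]


# Simplified zone-based policy control (an assumption, not the USG's real
# rule engine): rules are checked top-down against the *initiating* packet's
# zones; the first match wins and an unmatched flow hits the default deny.
Rule = Tuple[str, str, str]  # (from_zone, to_zone, action)


def first_match(rules: List[Rule], from_zone: str, to_zone: str) -> str:
    for src, dst, action in rules:
        if src in (from_zone, "any") and dst in (to_zone, "any"):
            return action
    return "deny"


def ping_works(rules: List[Rule], from_zone: str, to_zone: str) -> bool:
    # A stateful firewall judges only the first packet of a session, so the
    # echo reply rides back on the session the allowed direction opened.
    # Flows started from the other zone need their own allow rule.
    return first_match(rules, from_zone, to_zone) == "allow"


# Symptom from the thread: LAN1 may start flows anywhere, L2TP_VPN may not.
BROKEN_RULES: List[Rule] = [("LAN1", "any", "allow")]
# The default allow from the L2TP zone restored, as Stanley suggests.
FIXED_RULES: List[Rule] = BROKEN_RULES + [("L2TP_VPN", "any", "allow")]
```

The second poster's old layout (pool 192.168.1.10-20 inside LAN1) is exactly what `pool_overlaps` flags, while the 192.168.10.x pool passes.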