USG60 VPN Users can be seen from LAN, but LAN not from VPN Users

regle Posts: 2
edited April 2021 in Security
Sorry in advance for my newbie question.

This is my configuration: 

Clients macOS

Connected via WAN1ppp
VPN connection: L2TP
VPN pool:
VPN client1 confirms address
VPN client2 confirms address
From client1, I can ping client2 and from client2 I can ping client1
Neither client 1 nor 2 can ping anything in 192.168.1.x
From 192.168.1.x I can ping and 191

At a different location with a USG60, connected without ppp, I can ping both ways.

Where is the "filter"?

In advance, thank you very much for your support

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,139  Zyxel Employee

    Hi @regle  

    Based on your description, the cause seems to be a policy control rule dropping the packets.

    With the default settings, an L2TP client will be able to access all of the IP subnets that exist on the USG.

    You can make sure your rules still exist.

  • Hi Stanley, 
    Thank you so much for your support.
    I did not "tamper" with those settings:

    IPSec_VPN is:


    Really appreciate your support.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,139  Zyxel Employee
    Hi @regle

    I will send you a private message to check this issue in more detail.

  • obvious_hedgehog
    obvious_hedgehog Posts: 1
    edited May 2019
    Almost the same question re VPN clients and the subnet they are connected to.

    Initially, I used to set up the pool for VPN from the same subnet (LAN1) where normal clients are.
    (example: VPN pool, DHCP pool) There was absolutely no conflict; the setup allowed all clients to ping each other as they are in the same subnet, and that was the desired state.

    The mentioned scheme was working up to firmware version 4.25 inclusively, while starting from version 4.30 and higher, as was advised by local Zyxel support, the logic changed and the VPN clients MUST have their pool from a separate subnet.

    It caused pain, actually, as from that time the VPN clients no longer live in the same IP subnet.

    Is there any chance to restore the VPN functionality that allowed the VPN pool to belong to the same subnet as LAN1???

    P.S. A routing policy from the VPN pool subnet to LAN1 allows VPN clients to ping the LAN1 clients. But two-way communication is in fact required. The requirement is that all clients in LAN1 have to be able to ping and communicate with VPN clients.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,139  Zyxel Employee

    Hi @obvious_hedgehog  

    If the VPN clients use the same IP subnet, it may cause routing issues.

    So we suggest using an IP subnet that is not already used on an interface.
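
An added example, not part of the thread and not Zyxel tooling: a Python check of a planned L2TP pool against the gateway's interface subnets, together with the forwarding decision a LAN host makes for a VPN client address. All interface names and addresses are constructed; the on-link/ARP explanation is general IP behaviour offered as an assumption about the "routing issue" mentioned above, not something stated in the thread.

```python
import ipaddress

# Constructed sample data: interface names and subnets are assumptions.
INTERFACES = {"lan1": "192.168.1.0/24", "lan2": "192.168.2.0/24", "dmz": "192.168.3.0/24"}

def pool_conflicts(vpn_pool, interfaces):
    """Return the names of interfaces whose subnet overlaps the VPN pool."""
    pool = ipaddress.ip_network(vpn_pool)
    return sorted(name for name, cidr in interfaces.items()
                  if pool.overlaps(ipaddress.ip_network(cidr)))

def lan_host_delivery(host_iface, dst):
    """Forwarding decision of a LAN host (address/prefix) for destination dst."""
    iface = ipaddress.ip_interface(host_iface)
    if ipaddress.ip_address(dst) in iface.network:
        # Destination looks local: the host ARPs on its own segment and never
        # hands the packet to the gateway. A VPN client is not on that segment,
        # so delivery depends on the gateway answering ARP for it (proxy ARP).
        return "on-link"
    # Destination is remote: the packet goes to the default gateway, where
    # routing and policy control rules can be applied to it.
    return "via-gateway"

def review(vpn_pool, interfaces, lan_host, vpn_client):
    """Summarise whether a pool is safe and how LAN -> VPN traffic would flow."""
    if ipaddress.ip_address(vpn_client) not in ipaddress.ip_network(vpn_pool):
        raise ValueError(f"{vpn_client} is not inside pool {vpn_pool}")
    conflicts = pool_conflicts(vpn_pool, interfaces)
    return {
        "pool": vpn_pool,
        "conflicts": conflicts,
        "lan_to_vpn": lan_host_delivery(lan_host, vpn_client),
        "ok": not conflicts,
    }

if __name__ == "__main__":
    # Pool carved out of LAN1 (the pre-4.30 style setup described in the thread)
    print(review("192.168.1.192/27", INTERFACES, "192.168.1.33/24", "192.168.1.200"))
    # Pool from a subnet not used on any interface (the suggested setup)
    print(review("10.10.10.0/24", INTERFACES, "192.168.1.33/24", "10.10.10.5"))
```

With a separate pool, LAN-to-VPN traffic reaches the gateway, so two-way reachability then depends on the routing and policy control rules configured there.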
