Connect LAN2 to LAN1 to VPN to LAN3/4

StefanZ Posts: 191  Master Member
edited June 2023 in Security

I am trying to have one of my PCs connected to my home LAN (on a FritzBox), while also having it access LAN1 of a FLEX50 and through there access VPN tunnels and the LAN beyond.

Now I am unsure how to tackle this.

Where I start:
FLEX50 properly set up with working VLAN, VPN, Rules, etc.
Config backed up, so far all works fine.

What I have done:
#1 - Set FLEX50 LAN2 interface-IP to 192.168.1.2
#2 - Block the FritzBox IP completely in/out via policy, so I don't end up with an extra DHCP in my FLEX50 networks
#3 - Added an IPv4 route on the FritzBox for 192.168.20.0/24, gateway 192.168.1.2
#4 - Connected LAN2 to the FritzBox LAN
#5 - I can now access the FLEX50 on 192.168.1.2 from the FritzBox LAN

But how do I now get the FLEX50 to answer requests to hosts in 192.168.20.0/24 and allow access?

Bridge, VTI, Policy Rules, NAT…?

Here is a diagram of my setup…

All Replies

  • PeterUK
    PeterUK Posts: 2,856  Guru Member
    edited June 2023

    Ok, so 192.168.1.53 will be 192.168.1.2; everything the Flex50 sees from the FritzBox will be 192.168.1.2. What I don't get is WAN interface 192.168.1.2 and LAN with 192.168.1.1 if the FritzBox is doing NAT?

    You should not need a routing rule…

    Editing….

    Looking at it again, the Flex has 192.168.1.2 and you have connected it to a LAN port on the FritzBox... so here is the problem: 192.168.1.53 has gateway 192.168.1.1, not gateway 192.168.1.2.

    Maybe if you run CMD as admin on 192.168.1.53 with

    route -p add 192.168.20.0 mask 255.255.255.0 192.168.1.2 metric 1

    Or, if the FritzBox can do a static route, you could do it that way.

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 797  Zyxel Employee

    Hi @StefanZ ,

    Greeting Forum,

    If you have gateway 192.168.1.2 on the Admin-PC, it might not need additional settings. It would be better if you could share the packets. Please kindly check:

    1) There is no NAT on these two subnets.

    2) Policy route won't overwrite the direct route.

    3) Security policy allows the traffic.

    Please provide the diag-info by private message if the issue persists.

  • StefanZ
    StefanZ Posts: 191  Master Member

    As I understand it, adding the route on the FritzBox would tell it (and its clients on 192.168.1.0/24) to "ask 192.168.1.2 (the FLEX50) for clients in subnet 192.168.20.0/24", and the FLEX50 would provide that info.

    Looking at "Bridge", I see the "Proxy ARP" option – which sounds like it might do what I need.

    Other than that it might not be possible at all, since the FLEX is not a router per se, right?

  • PeterUK
    PeterUK Posts: 2,856  Guru Member
    edited June 2023

    For a 192.168.20.x host to get to 192.168.1.53, it will, but 192.168.1.53 has gateway 192.168.1.1, so it will try to go out the FritzBox WAN; and for 192.168.1.53 to get to 192.168.20.x, it will never go to the FLEX50 because its gateway is 192.168.1.1.

    This is why you need a static route, either on the PC or on the FritzBox.

  • zyman2008
    zyman2008 Posts: 206  Master Member
    edited June 2023

    It varies depending on the behavior of the FritzBox and the client settings.

    Clients on 192.168.1.0/24 sending a request to 192.168.20.0/24 will forward the packet to the default gateway 192.168.1.1, the FritzBox.

    What will the FritzBox do?

    1. Reply with an ICMP redirect to the client, telling it the next hop to 192.168.20.0/24 is 192.168.1.2?
    2. Also forward the first request packet to 192.168.1.2, or drop the packet?

    You need to ask AVM support, or you can test by capturing packets on the USG FLEX 50 and the client to find the answer.

    1. On the 192.168.1.X client (remember to enable a firewall inbound rule to allow ICMP redirect packets)
    2. On the USG FLEX50, set up and start a packet capture:

    interface: lan2, icmp, host ip: the client IP

    3. On the 192.168.1.X client, use Wireshark and start capturing ICMP packets
    4. On the 192.168.1.X client, ping 192.168.20.X
    5. Stop Wireshark and the packet capture on the FLEX50.

    Check the packets:

    1. Check the Wireshark capture: did you get an ICMP redirect from 192.168.1.1?
    2. Check the FLEX 50 capture: did you get an ICMP echo from the 192.168.1.X client to 192.168.20.X, with the FritzBox MAC as the source MAC address?

    If the FritzBox shows both behaviors 1 & 2,

    then on the USG FLEX 50 you just need to enable "Allow Asymmetrical Route" in the Security Policy > Policy Control page,

    and set up a policy control rule to allow 192.168.1.X to 192.168.20.X.

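The next-hop behaviour that PeterUK and zyman2008 describe above (the PC's default gateway swallowing 192.168.20.0/24 traffic, the effect of the `route -p add` static route, and whether the FritzBox would send an ICMP redirect once it has the static route) can be modelled with a small longest-prefix-match route lookup. This is an added example, not code from the thread or from Zyxel. The addresses 192.168.1.53, 192.168.1.1, 192.168.1.2 and 192.168.20.0/24 are the thread's; the interface names (`eth0`, `lan`, `wan`, `lan1`, `lan2`), the target host 192.168.20.10 and the FritzBox upstream gateway 203.0.113.1 are assumptions made for the model.

```python
"""Route-lookup model for the FritzBox LAN <-> FLEX50 LAN2 scenario.
Added example; addresses other than those named in the thread are assumed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    iface: str
    metric: int = 0


@dataclass
class Node:
    name: str
    routes: List[Route] = field(default_factory=list)

    def add(self, prefix: str, gateway: Optional[str], iface: str, metric: int = 0) -> None:
        gw = ipaddress.ip_address(gateway) if gateway else None
        self.routes.append(Route(ipaddress.ip_network(prefix), gw, iface, metric))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match; on equal prefix length the lowest metric wins."""
        dst_ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst_ip in r.prefix]
        if not matches:
            return None
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))

    def next_hop(self, dst: str) -> Tuple[str, str]:
        r = self.lookup(dst)
        if r is None:
            return ("unreachable", "")
        return (str(r.gateway) if r.gateway else "direct", r.iface)


def would_send_redirect(router: Node, src: str, dst: str, in_iface: str) -> bool:
    """Usual router rule (RFC 1812): a redirect is sent when the packet would be
    forwarded back out the interface it arrived on, to a gateway that sits on
    the same connected subnet as the sender."""
    r = router.lookup(dst)
    if r is None or r.gateway is None or r.iface != in_iface:
        return False
    src_ip = ipaddress.ip_address(src)
    return any(c.gateway is None and c.iface == in_iface
               and src_ip in c.prefix and r.gateway in c.prefix
               for c in router.routes)


def build_topology(pc_static_route: bool, fritz_static_route: bool):
    pc = Node("Admin-PC 192.168.1.53")          # assumed Windows host from the thread
    pc.add("192.168.1.0/24", None, "eth0")
    pc.add("0.0.0.0/0", "192.168.1.1", "eth0")  # default gateway is the FritzBox
    if pc_static_route:
        # route -p add 192.168.20.0 mask 255.255.255.0 192.168.1.2 metric 1
        pc.add("192.168.20.0/24", "192.168.1.2", "eth0", metric=1)

    fritz = Node("FritzBox 192.168.1.1")
    fritz.add("192.168.1.0/24", None, "lan")
    fritz.add("0.0.0.0/0", "203.0.113.1", "wan")  # assumed ISP gateway (TEST-NET-3)
    if fritz_static_route:
        fritz.add("192.168.20.0/24", "192.168.1.2", "lan")

    flex = Node("FLEX50")
    flex.add("192.168.1.0/24", None, "lan2")      # LAN2 at 192.168.1.2
    flex.add("192.168.20.0/24", None, "lan1")     # LAN1 subnet
    return pc, fritz, flex


def pc_first_hop(pc_static_route: bool) -> str:
    """Where 192.168.1.53 sends a packet for 192.168.20.10 (assumed host)."""
    pc, _, _ = build_topology(pc_static_route, False)
    return pc.next_hop("192.168.20.10")[0]


def fritzbox_redirects(fritz_static_route: bool) -> bool:
    """Would the FritzBox answer the PC's packet with an ICMP redirect?"""
    _, fritz, _ = build_topology(False, fritz_static_route)
    return would_send_redirect(fritz, "192.168.1.53", "192.168.20.10", "lan")


def flex_return_path() -> Tuple[str, str]:
    """The reply from 192.168.20.x goes straight out LAN2, never via the FritzBox."""
    _, _, flex = build_topology(False, False)
    return flex.next_hop("192.168.1.53")


if __name__ == "__main__":
    print("PC, default gateway only :", pc_first_hop(False))   # 192.168.1.1
    print("PC, with static route    :", pc_first_hop(True))    # 192.168.1.2
    print("FritzBox redirect, no route  :", fritzbox_redirects(False))  # False
    print("FritzBox redirect, with route:", fritzbox_redirects(True))   # True
    print("FLEX50 reply path        :", flex_return_path())     # ('direct', 'lan2')
```

The last two results together are the asymmetry zyman2008 is pointing at: with the static route only on the FritzBox, the first packet of a flow reaches the FLEX50 via the FritzBox (source MAC of the FritzBox on lan2) while the reply leaves LAN2 directly, which is why "Allow Asymmetrical Route" matters until the client has learned or been given the 192.168.1.2 next hop.
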
  • WJS
    WJS Posts: 143  Ally Member

    It will be better if you can share packets captured at the respective nodes.
