Can't reach the SSL-VPN clients

MWS
MWS Posts: 3
First Comment
edited January 14 in USG FLEX H Series

Hi

I have the following setup:

  • Office: FritzBox > Zyxel USG Flex 100H > PCs/NAS
  • Home: FritzBox > PCs/NAS

I need to backup the office-NAS to the home-NAS (and vice-versa) and to access the office-PCs from the home-PCs via SSH. Hence, I set up an SSL-VPN on the Zyxel device and opened the necessary ports on the Fritzbox. Right now, the connection works for most of the bits I need: I can do SSH/SCP as required. I can also backup the home-NAS to the office-NAS. However, I cannot backup the office-NAS to the home-NAS. The office-NAS can "see" the home-NAS, but the backup task fails to initiate. Itsays that the connection is closed (it's a synology NAS with hyper backup).

I can't find anything useful in the logs. The only odd thing I still see is an ACCESS BLOCK for spt/dpt 53805 from 192.168.178.1 (the internal FritzBox IP) to 255.255.255.255. Not sure if that's related to it.

Any idea what is missing and how to fix it? Anything with routing?

P.S., the SSL-VPN is on 192.168.200.0 (was once on 192.168.50.0, no difference) and the LAN is 192.168.168.0. The rest is mostly default. I added the http/https/hyperbackup ports between WAN and Zywall but that shouldn't really be necessary I think.

Edit: The IP pool in the SSL-VPN tab is 192.168.200.0/24 to be exact. Besides that it's full tunnel with SNAT enabled (also tried split tunnel, no success).

All Replies

  • PeterUK
    PeterUK Posts: 3,388  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    This is likely a current limitation of these H models as you can't do routing with next hop SSL VPN.

    Do you have any routing rules setup? As maybe AUTO next hop would make this work as in you have rule with incoming LAN of NAS next hop WAN which overriders the AUTO.

  • PeterUK
    PeterUK Posts: 3,388  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited January 15

    Ok so after some testing with ping I think there is a way

    Make routing rule top of the list

    incoming LAN of where NAS is

    Destination Address 192.168.200.0/24

    next hop auto

    SNAT none

    Policy control

    Form LAN of where NAS is

    to any

    Destination Address 192.168.200.0/24

  • MWS
    MWS Posts: 3
    First Comment
    edited January 15

    I had no routing rules or alike at the beginning. I mostly need the VPN for the backup task (and I need the VPN to be fast), so I didn't setup anything else that would make it complicated. I tried several policies and static routes, I for example created two address objects with the LAN and the VPN IPs and added different policies, some also with auto next hop, but no success. I also tried adding some routing on the home-NAS as this was suggested in another post, also failed. I had an ASUS router with Merlin before, there I just had to add a "route ip.of.my.vpn 255.255.255.0"… Hence, I thought that should be pretty simple.

    Thanks for the info that this might be a limitation of the device. It's quite a bummer because there's also no L2TP support. So it's pretty limited in functionality. I'll go for a site-to-site VPN with another Flex 100H, unless you tell me that this also won't work :)

    P.S. The access drop from the Fritzbox is due to the Fritzbox searching for other Fritzboxes on a random port within a certain range.

    Thanks for the suggestion, fails (I tried similar rules before). I think that the ping should work also without the two policies. The office-NAS actually sees that the home-NAS is online (and I guess it checks with something like ping). It only fails once it starts the backup task. However, I don't see anything in the log. The NAS just says that "connection is closed".-