Can't reach the SSL-VPN clients
Hi
I have the following setup:
- Office: FritzBox > Zyxel USG Flex 100H > PCs/NAS
- Home: FritzBox > PCs/NAS
I need to backup the office-NAS to the home-NAS (and vice-versa) and to access the office-PCs from the home-PCs via SSH. Hence, I set up an SSL-VPN on the Zyxel device and opened the necessary ports on the Fritzbox. Right now, the connection works for most of the bits I need: I can do SSH/SCP as required. I can also backup the home-NAS to the office-NAS. However, I cannot backup the office-NAS to the home-NAS. The office-NAS can "see" the home-NAS, but the backup task fails to initiate. Itsays that the connection is closed (it's a synology NAS with hyper backup).
I can't find anything useful in the logs. The only odd thing I still see is an ACCESS BLOCK for spt/dpt 53805 from 192.168.178.1 (the internal FritzBox IP) to 255.255.255.255. Not sure if that's related to it.
Any idea what is missing and how to fix it? Anything with routing?
P.S., the SSL-VPN is on 192.168.200.0 (was once on 192.168.50.0, no difference) and the LAN is 192.168.168.0. The rest is mostly default. I added the http/https/hyperbackup ports between WAN and Zywall but that shouldn't really be necessary I think.
Edit: The IP pool in the SSL-VPN tab is 192.168.200.0/24 to be exact. Besides that it's full tunnel with SNAT enabled (also tried split tunnel, no success).
All Replies
-
This is likely a current limitation of these H models as you can't do routing with next hop SSL VPN.
Do you have any routing rules setup? As maybe AUTO next hop would make this work as in you have rule with incoming LAN of NAS next hop WAN which overriders the AUTO.
0 -
Ok so after some testing with ping I think there is a way
Make routing rule top of the list
incoming LAN of where NAS is
Destination Address 192.168.200.0/24
next hop auto
SNAT none
Policy control
Form LAN of where NAS is
to any
Destination Address 192.168.200.0/24
0 -
I had no routing rules or alike at the beginning. I mostly need the VPN for the backup task (and I need the VPN to be fast), so I didn't setup anything else that would make it complicated. I tried several policies and static routes, I for example created two address objects with the LAN and the VPN IPs and added different policies, some also with auto next hop, but no success. I also tried adding some routing on the home-NAS as this was suggested in another post, also failed. I had an ASUS router with Merlin before, there I just had to add a "route ip.of.my.vpn 255.255.255.0"… Hence, I thought that should be pretty simple.
Thanks for the info that this might be a limitation of the device. It's quite a bummer because there's also no L2TP support. So it's pretty limited in functionality. I'll go for a site-to-site VPN with another Flex 100H, unless you tell me that this also won't work :)
P.S. The access drop from the Fritzbox is due to the Fritzbox searching for other Fritzboxes on a random port within a certain range.
Thanks for the suggestion, fails (I tried similar rules before). I think that the ping should work also without the two policies. The office-NAS actually sees that the home-NAS is online (and I guess it checks with something like ping). It only fails once it starts the backup task. However, I don't see anything in the log. The NAS just says that "connection is closed".-
0
Guru Member
Categories
- All Categories
- 398 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 83 Nebula Status and Incidents
- 5.2K Security
- 99 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 924 WirelessLAN
- 35 WLAN Ideas
- 5.9K Consumer Product
- 213 Service & License
- 339 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2.1K FAQ
- 1K Nebula FAQ
- 445 Security FAQ
- 238 Switch FAQ
- 214 WirelessLAN FAQ
- 47 Consumer Product FAQ
- 142 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 74 About Community
- 62 Security Highlight
