DNS and site to site Policy-based Zywall replies

PeterUK

USG FLEX 200H V1.21(ABWV.0)ITS-24WK35-0813-240800592

So here is a quick show of the problem with Policy-based site to site with DNS

FLEX200H
local 192.168.138.0/28
remote 192.168.144.0/24

USG40 192.168.144.0/24 >192.168.255.243 > FLEX200H 192.168.255.235 > 192.168.138.2

When a IP from 192.168.144.0/24 send dns to 192.168.138.2 it goes down the tunnel but instead of going to 192.168.138.2 the FLEX200H replies when I want 192.168.138.2 to get the query and reply.

Workaround use Route-based

Zyxel_Melen

Hi @PeterUK,

May I know the DNS server setting on this interface 192.168.138.0/28? Is it custom defined or ZyWall?

PeterUK

As in 192.168.138.2 has a DNS server not by Flex200H but a device that can handle DNS which I want it to handle DNS and not the Flex200H but when a do DNS the Flex200H replies instead of sending it to 192.168.138.2

on say 192.168.144.0/24 I do nslookup grc.com 192.168.138.2 this should go to the DNS server but FLEX200H intercepts it a replies instead.

Zyxel_Melen

Hi @PeterUK,

For further investigation, could you share the configuration of FLEX 200H? Also, the DNS server setting of this client is 192.168.138.2, am I correct?

PeterUK

I send you the config when other things have been checked 192.168.138.2 has BIND being the DNS server I wish for clients to use over the tunnel

I have three tunnels but currently using the work around as said above

FLEX200H
local 192.168.138.0/28
remote 192.168.144.0/24

local 192.168.138.0/28
remote 192.168.141.0/24

local 192.168.138.0/28
remote 192.168.145.0/24

When a client from remote dose DNS to 192.168.138.2 the FLEX200H  replies with it system DNS and not to 192.168.138.2 DNS server

PeterUK

PM sent

PeterUK

All fixed I had a NAT rule for DNS with External IP to any turns out you can NAT traffic out of a tunnel.