GS1200-8 webadmin not accessible through VPN
VLANs:
- VLAN 10 = management VLAN (10.0.10.0/24)
- VLAN 110 = users VLAN (10.0.110.0/24)
OPNsense 24.7.6 as router/firewall
I have three ZyXEL GS1200-8 switches on my LAN (firmware version V2.00(ABME.3)C0).
IP address for one (used as example here; all 3 have same issue) of those is 10.0.10.40 with subnet mask 255.255.255.0 and gateway 10.0.10.1 (= OPNsense).
Management VID = 10.
No problem accessing the switch's webadmin from within VLAN 10:
curl http://10.0.10.40
<!DOCTYPE html>
<html>
<head>
<title>GS1200-8</title>
...
Also works from within VLAN 30 after I added a firewall rule in OPNsense to VLAN 10.
Doesn't work through a WireGuard VPN connection (OPNsense is WireGuard host):
curl http://10.0.10.40
(just hangs there)
I can see the traffic being PASSed by the firewall to the switch's IP.
I can access all the other webadmins in the management VLAN (for other devices/servers in my LAN, including the webadmin for a ZyXEL GS1900-24EP switch!).
Still might be a problem with WireGuard at this point…
However, when I log on successfully to the webadmin from within VLAN 10 and then try to access the webadmin from the VPN at the same time, I get this:
curl http://10.0.10.40
<html>
<head>
<title>Message</title>
</head><body>
<script type="text/javascript"> alert("If a user is logged in already, other users will not be able to access the webpage.");
</script></body>
</html>
This definitely comes from the switch!
To me, this suggests the problem must be with the switch, no?
Accepted Solution
You were correct: it was a problem with the firewall after all…
Turns out I had to add a normalization rule to the OPNsense firewall (as described here) in order to prevent packet fragmentation. Weirdly, this appeared to only be an issue with the GS1200 switches in the LAN.
Thanks for the help and sorry to have bothered you with this.
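As an added illustration (not code from the thread, from Zyxel or from OPNsense), the MTU arithmetic behind a "prevent fragmentation" normalization rule for a WireGuard tunnel: it derives the tunnel MTU and the TCP MSS a "Max MSS" clamp should use, and checks constructed segment sizes against them. The exact switch behaviour that caused the hang is not established in the thread; this only models the fragmentation case the accepted solution names.

```python
# Added example (not from the thread, Zyxel or OPNsense): model the MTU
# arithmetic behind a WireGuard "prevent fragmentation" normalization rule.
# One common way a VPN-to-LAN web session stalls is that the client's small
# request fits the tunnel while the server's reply comes back in full-size LAN
# segments that do not; clamping the MSS to the value derived here keeps
# every segment small enough to cross the tunnel unfragmented.

IPV4_HDR, IPV6_HDR, UDP_HDR, TCP_HDR = 20, 40, 8, 20
WG_OVERHEAD = 32  # 16-byte WireGuard transport header + 16-byte Poly1305 tag


def wg_tunnel_mtu(outer_mtu: int = 1500, outer_v6: bool = True) -> int:
    """Largest inner IP packet one outer packet carries without fragmenting.

    Defaults to an IPv6 outer header, the worst case and the reason the
    WireGuard default interface MTU is 1420 on a 1500-byte link.
    """
    outer_ip = IPV6_HDR if outer_v6 else IPV4_HDR
    return outer_mtu - outer_ip - UDP_HDR - WG_OVERHEAD


def mss_clamp(tunnel_mtu: int, inner_v6: bool = False) -> int:
    """TCP MSS that guarantees a full segment fits in tunnel_mtu."""
    inner_ip = IPV6_HDR if inner_v6 else IPV4_HDR
    return tunnel_mtu - inner_ip - TCP_HDR


def segment_fits(tcp_payload: int, tunnel_mtu: int, inner_v6: bool = False) -> bool:
    """True if a segment with this payload crosses the tunnel unfragmented."""
    return tcp_payload <= mss_clamp(tunnel_mtu, inner_v6)


def classify(segments: list, tunnel_mtu: int) -> list:
    """Tag each observed TCP payload size with whether it fits the tunnel."""
    return [(size, segment_fits(size, tunnel_mtu)) for size in segments]


# Constructed sample (not captured traffic): a short "GET / HTTP/1.1" request
# of 78 payload bytes, then a reply that an unclamped LAN host with a
# 1500-byte MTU sends as 1460-byte segments plus a final short one.
SAMPLE_SEGMENTS = [78, 1460, 1460, 612]

if __name__ == "__main__":
    mtu = wg_tunnel_mtu()  # 1420
    print(f"tunnel MTU {mtu}, clamp MSS to {mss_clamp(mtu)}")  # 1380
    for size, ok in classify(SAMPLE_SEGMENTS, mtu):
        print(f"{size:5d} bytes: {'fits' if ok else 'too large for tunnel'}")
```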
All Replies
Hi @ghemberg,
I would like to clarify some details with you first:
- Were you able to access the GS1200 via a browser when using WireGuard VPN?
- Have you tried other VPN software, like system native VPN, and still have this issue?
- What's your purpose in using curl to access the GS1200?
Were you able to access the GS1200 via a browser when using WireGuard VPN?
No: browser keeps "hanging" (seems to be stuck waiting for response from the switch's webserver). However, when I log on to the GS1200 from the LAN and then try to access the GS1200 from VPN at the same time, I get a popup dialog saying "If a user is logged in already, other users will not be able to access the webpage.".
Have you tried other VPN software, like system native VPN, and still have this issue?
This is the only VPN software I have/use, so didn't test others.
My first instinct was also to look at a problem with the VPN or firewall.
However, the popup "If a user is logged in already, other users will not be able to access the webpage." which I do get through the VPN connection, suggests the problem is with the switch itself (as that popup also comes from the switch).
What's your purpose in using curl to access the GS1200?
I used CURL only to capture responses and post them here. I have the same issues with browsers (tested both Firefox and MS Edge/Chromium from Windows 10).
Hi @ghemberg,
Thanks for the detailed information. We did a local lab with the build below:
WireGuard v0.0.20220117 on Ubuntu
WireGuard client is Windows 10
LAB in LAN environment:
Windows PC (192.168.52.10) --- (VPN: 192.168.52.0/24) --- (192.168.52.1) Ubuntu (10.214.36.100) --- (10.214.36.0/24) --- GS1200-8 (10.214.36.90)
In this lab, we can access the switch.
Based on the result, we assume this issue is more likely related to the VPN or firewall.