GS1200-8 webadmin not accessible through VPN

ghemberg
ghemberg Posts: 5  Freshman Member
edited October 18 in Switch

VLANs:

  • VLAN 10 = management VLAN (10.0.10.0/24)
  • VLAN 110 = users VLAN (10.0.110.0/24)

OPNsense 24.7.6 as router/firewall

I have three ZyXEL GS1200-8 switches on my LAN (firmware version V2.00(ABME.3)C0).
The IP address of one of them (used as the example here; all three have the same issue) is 10.0.10.40, with subnet mask 255.255.255.0 and gateway 10.0.10.1 (= OPNsense).
Management VID = 10.

No problem accessing the switch's webadmin from within VLAN 10:

curl http://10.0.10.40

<!DOCTYPE html>
<html>
<head>
<title>GS1200-8</title>
...

Also works from within VLAN 30 after I added a firewall rule in OPNsense to VLAN 10.

Doesn't work through a WireGuard VPN connection (OPNsense is WireGuard host):

curl http://10.0.10.40

(just hangs there)

I can see the traffic being PASSed by the firewall to the switch's IP.

I can access all the other webadmins in the management VLAN (for other devices/servers in my LAN, including the webadmin of a ZyXEL GS1900-24EP switch!).

Still might be a problem with WireGuard at this point…

However, when I log on successfully to the webadmin from within VLAN 10 and then try to access the webadmin from the VPN at the same time, I get this:

curl http://10.0.10.40

<html>
<head>
<title>Message</title>
</head>
<body>
<script type="text/javascript"> alert("If a user is logged in already, other users will not be able to access the webpage.");
</script></body>
</html>

This definitely comes from the switch!
To me, this suggests the problem must be with the switch, no?

Accepted Solution

  • ghemberg
    ghemberg Posts: 5  Freshman Member
    Answer ✓

    You were correct: it was a problem with the firewall after all…

    Turns out I had to add a normalization rule to the OPNsense firewall (as described here) in order to prevent packet fragmentation. Weirdly, this appeared to only be an issue with the GS1200 switches in the LAN.

    Thanks for the help and sorry to have bothered you with this.
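As an added illustration (not from the thread or from OPNsense/Zyxel), the arithmetic behind an MSS-clamping normalization rule for a WireGuard tunnel: how much of each frame the tunnel encapsulation consumes, which TCP MSS therefore fits, and whether a given segment would need fragmentation. Header sizes are protocol constants; the 1420-byte tunnel MTU, the `wg0` interface name and the `scrub ... max-mss` pf syntax are assumptions about the setup, not values from the post.

```python
# Added example: size budget of a TCP segment crossing a WireGuard tunnel.
# Protocol constants (bytes). The tunnel MTU default of 1420 and the
# interface name "wg0" are assumptions, not values from the forum post.
IPV4_HDR, IPV6_HDR, UDP_HDR, TCP_HDR = 20, 40, 8, 20
# WireGuard transport data message: type(4) + receiver index(4)
# + nonce counter(8) + Poly1305 tag(16)
WG_HDR = 4 + 4 + 8 + 16  # 32 bytes


def wg_inner_mtu(outer_mtu: int, outer_ipv6: bool = False) -> int:
    """Largest inner IP packet that fits one outer UDP datagram unfragmented."""
    return outer_mtu - (IPV6_HDR if outer_ipv6 else IPV4_HDR) - UDP_HDR - WG_HDR


def tcp_mss_for(inner_mtu: int, inner_ipv6: bool = False) -> int:
    """TCP MSS to clamp to so that a full segment (no TCP options) fits inner_mtu."""
    return inner_mtu - (IPV6_HDR if inner_ipv6 else IPV4_HDR) - TCP_HDR


def clamp_mss_rule(outer_mtu: int = 1500, outer_ipv6: bool = False,
                   inner_ipv6: bool = False, iface: str = "wg0") -> str:
    """pf 'scrub' line equivalent to a normalization rule with max-mss set
    (assumed syntax; OPNsense generates such rules from its Normalization GUI)."""
    mss = tcp_mss_for(wg_inner_mtu(outer_mtu, outer_ipv6), inner_ipv6)
    return f"scrub on {iface} all max-mss {mss}"


def segment_check(tcp_payload_len: int, tunnel_mtu: int = 1420,
                  inner_ipv6: bool = False) -> dict:
    """Would a segment with this payload need fragmentation inside the tunnel?"""
    pkt = tcp_payload_len + TCP_HDR + (IPV6_HDR if inner_ipv6 else IPV4_HDR)
    return {"packet_len": pkt, "needs_fragmentation": pkt > tunnel_mtu}


if __name__ == "__main__":
    print(clamp_mss_rule(outer_ipv6=True))          # worst case: IPv6 underlay
    # A 1460-byte payload (full Ethernet-sized segment) does not fit; 1380 does.
    print(segment_check(1460), segment_check(1380))
```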

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,305  Zyxel Employee
    edited October 21

    Hi @ghemberg,

    I would like to clarify some details with you first:

    1. Were you able to access the GS1200 via a browser when using WireGuard VPN?
    2. Have you tried other VPN software, like system native VPN, and still have this issue?
    3. What's your purpose in using curl to access the GS1200?

  • ghemberg
    ghemberg Posts: 5  Freshman Member
    edited October 21

    Were you able to access the GS1200 via a browser when using WireGuard VPN?

    No: the browser keeps "hanging" (it seems to be stuck waiting for a response from the switch's webserver). However, when I log on to the GS1200 from the LAN and then try to access the GS1200 from the VPN at the same time, I get a popup dialog saying "If a user is logged in already, other users will not be able to access the webpage."

    Have you tried other VPN software, like system native VPN, and still have this issue?

    This is the only VPN software I have/use, so I didn't test others.

    My first instinct was also to look at a problem with the VPN or firewall.

    However, the popup "If a user is logged in already, other users will not be able to access the webpage." which I do get through the VPN connection, suggests the problem is with the switch itself (as that popup also comes from the switch).

    What's your purpose in using curl to access the GS1200?

    I used curl only to capture the responses and post them here. I have the same issue with browsers (tested both Firefox and MS Edge/Chromium on Windows 10).

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,305  Zyxel Employee

    Hi @ghemberg,

    Thanks for the detailed information. We set up a local lab with the build below:

    WireGuard v0.0.20220117 on Ubuntu
    WireGuard client is Windows 10
    LAB in LAN environment:
    Windows PC (192.168.52.10) --- (VPN: 192.168.52.0/24) --- (192.168.52.1) Ubuntu (10.214.36.100) --- (10.214.36.0/24) --- GS1200-8 (10.214.36.90)

    In this lab, we can access the switch.

    Based on the result, we assume this issue is more likely related to the VPN or firewall.
