Next Hop: VPN Tunnel Flex 100H
I am looking to upgrade my home VPNs from Zywall USG 110s to Flex XXXH(P) - I had upgraded one of them this summer - and realized that I could not define a VPN tunnel as a next hop. Zyxel Customer Service then replied to a message saying that this would be a feature supported in the October firmware - it does not seem to exist in the 1.3 release either, however. What I am trying to support is this: I have SSIDs (VLANs) in each home that represent a specific country - so SSID.NET would be US, SSID.AT for Austria, SSID.ID for Indonesia and SSID.IN for India. So if you were, for example, on SSID.AT in a home in the US, the traffic would be routed to a home in Austria and go onto the public internet there. Truthfully, it is mainly used for streaming content - but it's sometimes useful for specific country content.
Questions:
1. Did I miss anything in 1.3 (running on a Flex 100H) where that feature has been added?
2. If it has been dropped from 1.3, when is it coming now?
3. Is there another way to accomplish what I am trying to do?
All Replies
-
Due to changes in the product roadmap, there was no feature enabling VPN tunnels as next-hop with firmware version 1.30 for H series firewalls.
We are still evaluating this feature. When it becomes available, we will make an official announcement in the Firewall News & Releases section. Please follow this section to stay updated on new features and enhancements.
For your scenario, we can suggest following the guide to configure Site-to-Site VPN between ZLD (USG, USG FLEX) and uOS (USG FLEX H) using Route-based VPN.
Please let us know if we can be of any help.
0 -
Hmm - disappointing that the feature has not been added as previously stated by Zyxel support - it is the only reason I bought another Flex H for another home.
I don't see how the guide helps me since traffic to the internet will not go through the tunnel.
Here is a simplified scenario:
Site A has two networks - 192.168.100.X and 192.168.101.X
Site B has two networks - 192.168.110.X and 192.168.111.X
Devices on 192.168.100.X and 192.168.110.X need to communicate together - OK - Site to Site deals with that just fine
Devices on 192.168.101.X should use the public internet on Site B
Devices on 192.168.111.X should use the public internet on Site A
A site-to-site doesn't do much here. In my old configuration, all traffic from 192.168.101.X would be sent to 192.168.110.X, where all traffic from 101.X would go to the WAN, and all traffic for 101.X would be forced back into the VPN from 110.X to 101.X.
How does a site to site without an ability to force traffic there help me?
0 -
Hi @amateur_netops ,
As of now, you can establish a Route-based VPN (VTI) by following the instructions in the article above. Once configured, follow these steps to add policy routes to meet your requirement.
Site A: LAN = 192.168.101.X/24
Create one policy route to force traffic from site A to site B:
src = 192.168.101.X
dst = any
next hop = VPN => choose the tunnel name
Site B: LAN = 192.168.111.X/24
Create two policy routes:
Policy route 1: SNAT to the Internet when the source is the site A subnet 101.X
src = 192.168.101.X
dst = any
next hop = WAN1 or WAN2
SNAT = outgoing interface
Policy route 2: route the 101.X traffic coming back from the Internet into the tunnel
src = any
dst = 192.168.101.X
next hop = VPN => choose the tunnel name
SNAT = none
0 -
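To make the first-match logic of the three policy routes above concrete, here is a small Python model of the two sites. It is an added example, not Zyxel's code or configuration: the tunnel name vti_A_to_B, the interface name wan1, the client address 192.168.101.50 and the server address 203.0.113.10 are all constructed. It walks one request from a site A client out through site B's WAN and the reply back, and shows that without Policy route 2 the reply falls to site B's default route instead of re-entering the tunnel, which is exactly the asymmetric path that breaks the flow.

```python
"""Model of the two-site policy routing discussed in the thread.

Added example only (not Zyxel's code). Policy routes are evaluated
top-down, first match wins, and anything unmatched takes the site's
default route toward its own WAN. Names and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PolicyRoute:
    name: str
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    next_hop: str               # e.g. "vpn:vti_A_to_B" or "wan1"
    snat: Optional[str] = None  # "outgoing" (SNAT to egress interface) or None

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _in_spec(self.src, src_ip) and _in_spec(self.dst, dst_ip)


def _in_spec(spec: str, ip: str) -> bool:
    """'any' matches everything; otherwise test CIDR membership."""
    return spec == "any" or ip_address(ip) in ip_network(spec)


def route(table: List[PolicyRoute], src_ip: str, dst_ip: str,
          default: str = "wan-default") -> Tuple[str, Optional[str]]:
    """Return (next_hop, snat) of the first matching policy route."""
    for r in table:
        if r.matches(src_ip, dst_ip):
            return r.next_hop, r.snat
    return default, None


SITE_A_LAN_101 = "192.168.101.0/24"   # subnet that must exit via site B
TUNNEL = "vpn:vti_A_to_B"             # constructed VTI tunnel name

# Site A: one route, force everything from 101.x into the tunnel.
site_a_routes = [
    PolicyRoute("A-1 force 101.x into tunnel", SITE_A_LAN_101, "any", TUNNEL),
]

# Site B: forward route with SNAT, plus the return route back into the tunnel.
site_b_routes = [
    PolicyRoute("B-1 SNAT 101.x to Internet", SITE_A_LAN_101, "any",
                "wan1", snat="outgoing"),
    PolicyRoute("B-2 return traffic for 101.x via tunnel", "any",
                SITE_A_LAN_101, TUNNEL),
]


def trace_flow(client_ip: str, server_ip: str,
               site_b_table: List[PolicyRoute]) -> Dict[str, object]:
    """Follow one request and its reply through both firewalls."""
    a_fwd, _ = route(site_a_routes, client_ip, server_ip)
    b_fwd, b_snat = route(site_b_table, client_ip, server_ip)
    # The reply arrives on site B's WAN; after the NAT table restores the
    # original destination, the routing decision is taken on (server -> client).
    b_ret, _ = route(site_b_table, server_ip, client_ip)
    return {"site_a_forward": a_fwd,
            "site_b_forward": (b_fwd, b_snat),
            "site_b_return": b_ret}


def return_path_symmetric(flow: Dict[str, object]) -> bool:
    """True when the reply re-enters the same tunnel the request used."""
    return flow["site_a_forward"] == TUNNEL and flow["site_b_return"] == TUNNEL


if __name__ == "__main__":
    ok = trace_flow("192.168.101.50", "203.0.113.10", site_b_routes)
    print("with both site B routes:   ", ok, "symmetric:", return_path_symmetric(ok))
    broken = trace_flow("192.168.101.50", "203.0.113.10", site_b_routes[:1])
    print("without Policy route 2:    ", broken, "symmetric:", return_path_symmetric(broken))
```

Running it shows the request taking tunnel, then wan1 with SNAT, and the reply taking the tunnel again; with only Policy route 1 configured the reply's next hop is site B's default route, so the client never sees it.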
But there is no next hop = VPN - that was what I was whining about, and I was initially told we would get it in October.
The options on the Flex are: Auto, Interface, gateway, gateway-ip and trunk - VPN is not an option.
0 -
Hi @amateur_netops ,
As we mentioned above, you can establish a Route-based VPN (VTI) by following the instructions in this article, and then you can see the VPN option in Interface next-hop type.
Here is the screenshot of the H series:
0 -
OK - got this to work - thank you. I had to delete the other connections between other subnets on those sites and also manually route them. Then I had to change the MTU to 1300 on the WAN port since tracert would work but http or https did not - somewhat odd - and it is a little slower than I would have expected. But I have it working now.
0 -
Oh - is there a way to rename those vti-wizzard-something things to something more meaningful? It will be a pain to keep track of them if I have several.
0 -
Hi @amateur_netops ,
Under the current uOS design, VTI interface names cannot be modified. However, we have implemented a description field in both the interface and static route configurations that allows users to add custom identifiers for easier reference.
0