FLEX100H: Domain Zone Forwarder not go through Policy-based IPsec VPN

szn
szn Posts: 16  Freshman Member
First Comment Friend Collector

As a follow-up question to:

The configuration of Site1 and Site connected through Policy Based VPN:

There is a DNS server in Site1 (Server1) for internal domain. Clients from Site1 us Zyxel1 as DNS server. Queries to local domain are properly forwarded to Server1. A Domain Zone Forwarder for local doman to Server1 query-via LAN port is configured.

For Site2 I'd like to configure that Zyxel2 from Site2 forwarded queries for Local domain to Server1 on Site1. Therefore Zyxel2 in Site has configured Domain Zone Forwarder to Server1 query-via LAN port.

However it looks that queries from Site2 for Local domain are not succefully forwarded to Server1 in Site1. Queries to non Local domains work fine.

Nslookup from client in Site2 for host in Local domain time-out.

Note that VPN is working. It looks that Zyxel2 could not route DNS request through Policy VPN. Eventhough Query-via in my opinion should define correct Source IP.

Any suggestions?

Accepted Solution

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,204  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security
    Answer ✓

    Hi @szn

    The behaviour you are experiencing is related to how the firewall handles local-out traffic (traffic initiated by the device itself).

    To resolve this, please consider the following steps:

    1. Switch to Route-Based VPN:
      • For scenarios involving device-initiated traffic, such as DNS queries using a Domain Zone Forwarder, it is necessary to configure a Route-Based VPN instead of a Policy-Based VPN.
      • When you set up a Route-Based VPN, the system will automatically create a VTI (Virtual Tunnel Interface).
    2. Configure Routing Rules:
      • After setting up the Route-Based VPN, ensure you manually configure the appropriate routing rules for each network that requires communication through the VPN tunnel.

    By making these adjustments, DNS queries from Site2 should be successfully routed through the VPN to Server1 in Site1.

    Kay

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

All Replies

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,204  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security
    Answer ✓

    Hi @szn

    The behaviour you are experiencing is related to how the firewall handles local-out traffic (traffic initiated by the device itself).

    To resolve this, please consider the following steps:

    1. Switch to Route-Based VPN:
      • For scenarios involving device-initiated traffic, such as DNS queries using a Domain Zone Forwarder, it is necessary to configure a Route-Based VPN instead of a Policy-Based VPN.
      • When you set up a Route-Based VPN, the system will automatically create a VTI (Virtual Tunnel Interface).
    2. Configure Routing Rules:
      • After setting up the Route-Based VPN, ensure you manually configure the appropriate routing rules for each network that requires communication through the VPN tunnel.

    By making these adjustments, DNS queries from Site2 should be successfully routed through the VPN to Server1 in Site1.

    Kay

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community