Flex 100H DNS over VPN Tunnel
We have a new client site set up and are trying to use a Flex 100H, but DNS forwarders do not seem to go over the tunnel the way we have configured them in the past.
For background, we have a Flex 200 on one end and a Flex 100H on the other. We have set up the VPN using both Route (VTI) and Policy based. In both cases, we are able to ping from a device on the 100H side to the DC/DNS Server, and vice versa. However, we are never able to ping from the 100H to the DC/DNS Server. From the Flex 200, I am able to ping a computer over the tunnel without issues.
Ultimately, we would like to be able to set up the Domain Zone Forwarder to go over the VPN tunnel and query where the domain is. When trying to set this up, there is an option to query over the VTI, but not an Auto option like there is under the Global options.
Is there a way to set this up so we do not need to have all DNS traffic sent over the VPN tunnel?
Accepted Solution
OK, I think I have found what you have done. You will need to remove the VTI and everything for the VTI and start over; not sure if this is a bug or not on FLEX H.
So when setting up the VTI, DO NOT change the following for Policy, and yes, you MUST start over.
All Replies
To further summarize this, it appears that packets sourced from the 100H router do not get routed over the VPN tunnel.
Trying to ping an IP on the other side of the tunnel from the 'diagnostics' screen on the 100H fails, and the DNS requests from the DNS forwarder on the 100H do not get sent down the tunnel.
We have no issues with this on the FLEX series routers.
Is some other configuration needed to make this work on the H series?
Let me summarize:
Your topology:
DNS server --- USG FLEX 200 ===route-based VPN=== USG FLEX 100H
Your purpose:
Clients under 100H can resolve domains from your DNS server.
Your issue:
DNS packets won't be sent to USG FLEX 200 via the VPN tunnel.
My questions:
- In the route-based VPN configuration, have you tried setting a policy route rule to let the DNS traffic be sent to the VPN tunnel?
- Could you send the configuration of the USG FLEX 100H to me via a private message?
Zyxel Melen
Is this what you want?
@Zyxel_Melen Correction to this - we want to set the DNS server on the client side to the 100H. The 100H has a Domain Zone Forwarder, so it should be able to send only needed DNS queries for this domain over the tunnel to the DNS server. Computers behind the 100H can communicate with the server, communication from the 100H to the server is the issue.
We have tried a Policy Route, but this did not seem to work and should not be needed as the Static Route should allow this traffic. On non-H series routers, we have used static routes, and this allows the routers to communicate to devices over a VTI without issues.
At this point, we cannot even ping the server from the 100H; we are using the built-in Network Tool to see if pings from the 100H are able to go over the VPN, but this does not seem to work no matter what interface we ping from or Security Policies we put in place. Even tried adding a 'from any - to any' Security Policy with only a destination address of the server across the tunnel, this got 0 hits during testing.
Computers behind the 100H can ping the server, and there are no firewall rules on the server blocking pings.
@PeterUK This is exactly what we have, and have used on other non-H series routers without issues in prior setups. Not sure why the 100H is not sending this traffic over the VTI.
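The behaviour the original poster is after (a zone-only forwarder whose queries leave via the VTI rather than the default route) can be sketched in a few dozen lines of stdlib Python. This is an added example, not Zyxel firmware code: it forwards only queries under an assumed zone `corp.example.` to an assumed DNS server `10.10.1.10`, binding the query socket to the remote-site VTI address `10.20.30.2` from the topology in this thread so that the packet is sourced from an address the static route carries over the tunnel; everything else goes to a constructed WAN resolver `198.51.100.53` with no source binding. The wire-format helpers build and parse a real A query and reply (with the usual compression pointer back to the question name), check the transaction id before trusting a reply, and `build_a_response` constructs a reply so the parsing path can be exercised offline.

```python
"""Conditional (zone-based) DNS forwarding with an explicit source address.

Added example, not Zyxel code. Models a 'Domain Zone Forwarder': only names
under a configured zone are sent to the remote DNS server, and the socket is
bound to the VTI address so the query is routed (and answered) via the tunnel.
"""
from __future__ import annotations
import socket
import struct
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Forwarder:
    server: str   # upstream DNS server to ask
    source: str   # local address to bind; the VTI IP for tunnel-bound zones


# Assumed/constructed values: LAN 10.10.1.0/24 and VTI 10.20.30.2 are from the
# thread, 10.10.1.10 is a hypothetical DC address, 198.51.100.53 is a placeholder.
ZONE_FORWARDERS = {
    "corp.example.": Forwarder(server="10.10.1.10", source="10.20.30.2"),
}
DEFAULT_FORWARDER = Forwarder(server="198.51.100.53", source="0.0.0.0")


def select_forwarder(name: str, zones=ZONE_FORWARDERS, default=DEFAULT_FORWARDER) -> Forwarder:
    """Longest-suffix zone match; 'notcorp.example' must NOT match 'corp.example'."""
    fqdn = name.lower().rstrip(".") + "."
    best = None
    for zone, fwd in zones.items():
        z = zone.lower().rstrip(".") + "."
        if (fqdn == z or fqdn.endswith("." + z)) and (best is None or len(z) > len(best[0])):
            best = (z, fwd)
    return best[1] if best else default


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Standard recursive A/IN query: header (RD=1, QDCOUNT=1) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def _read_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 20:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data: bytes, txid: int) -> list[str]:
    """Return the A-record addresses in a reply; reject mismatched ids and error RCODEs."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: reply not for our query")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):                               # skip the echoed question
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(str(ip_address(rdata)))
    return answers


def build_a_response(query: bytes, addresses: list[str], ttl: int = 60) -> bytes:
    """Constructed reply for offline testing: echoes the question, answers with
    A records that point back to the question name via 0xC00C, as servers do."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ip_address(a).packed
                   for a in addresses)
    return header + query[12:] + rrs


def forward_query(name: str, txid: int = 0x1234, timeout: float = 2.0) -> list[str]:
    """Live path (needs the tunnel): bind to the forwarder's source, ask, parse."""
    fwd = select_forwarder(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((fwd.source, 0))                    # VTI IP => routed via tunnel
        sock.sendto(build_query(name, txid), (fwd.server, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data, txid)


if __name__ == "__main__":
    fwd = select_forwarder("dc1.corp.example")
    print(f"dc1.corp.example -> {fwd.server} sourced from {fwd.source}")
    q = build_query("dc1.corp.example", 0x1234)
    print(parse_response(build_a_response(q, ["10.10.1.10"]), 0x1234))   # offline demo
```

The `bind()` to the VTI address is the part that matters for the symptom in this thread: a router-sourced query that picks its source from the egress interface of the default route will not be carried by the tunnel's selectors or static route, whereas one sourced from the VTI address is, and the reply has a route back. The transaction-id check is the minimum a forwarder should do before caching anything a reply contains.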
Are the clients' DNS set to the ZyWALL?
What does nslookup show from a client?
Yes, we had the DNS server set to the router. Any nslookups to the domain name just time out.
Pinging from the 100H's Network Tool page does not get through to the server. Computers are able to ping the server by IP, so the tunnel is working appropriately for clients.
Your ping test is wrong: you set the interface to ge3; it needs to be the VTI.
Clients need to use the LAN gateway IP for DNS; if they use anything else it will not work.
As stated, it does not matter what I set the interface to; the pings do not succeed:
DNS is set to the router for this interface:
Resolving against the router (in this case 192.168.15.1) does not succeed as the router does not seem to be able to send any traffic over the VTI.
Testing here seems to be working fine (packet capture on the server).
Is the 10.22.30.1 subnet in use other than for the VTI?
I completely recreated this using a 200H in our office, and cannot get any traffic from the 200H to a Flex 200 router. Note the traffic from computers behind the routers traverses the VPN without issue; the issue only lies with traffic sourced FROM the router. Setup below:
Remote site LAN - 192.168.2.0/24, VTI IP - 10.20.30.2/30, Static Route sending anything destined for 10.10.1.0/24 to the VTI
Main site LAN - 10.10.1.0/24, VTI IP - 10.20.30.1/30, Static Route sending anything destined for 192.168.2.0/24 to the VTI
Both sites have Policy Controls allowing any traffic from LAN to IPSec, IPSec to LAN, and IPSec to ZyWALL.
When pinging the server from the Remote site router and doing a packet capture, we see traffic trying to go over the VTI:
When capturing traffic on the Main site router during this same time, the capture is empty.
Any other thoughts on what could be going on here?