Why do we need a static route for accessing remote RADIUS on USG?

Nikriaz

When we setup an authentication through the tunnel, e.g. on remote RADIUS we should specify a static route to a remote subnet.

For example, as explained here:
https://support.zyxel.eu/hc/en-us/articles/360001475219-VPN-Configure-User-Authentication-through-a-Remote-VPN-Site#1-configure-site-a-usg-firewall-1

It works but my question is why it is so and why a routing policy does not work for RADIUS authentications?

Why this is important:
1. Static route is confusing and misleading, feeling like static route can interfere and overlap with routing policy.
2. In the routing policy we have a "Zywall" as a source. Why it isn't working for a RADIUS and what is then a purpose of "Zywall" source in a policy if it does not work anyway.
3. In case of using VTIs for fallback/balancing I need to specify a separate static route per VTI and then setup extra clients on RADIUS per VTI with their weird addresses because packets are originated from VTI now and I can't setup SNAT in the static route. This is overall inconvenient and misleading.

Zyxel_Judy

Hi @Nikriaz ,

The article demonstrates one method to configure user authentication through a remote VPN site using a "static route," where you just simply define the IP subnet and next-hop.

Alternatively, you can use a "routing policy" instead of a "static route." In this case, set the Incoming interface to ZyWALL, and enter relevant value to the routing policy.

Please be aware that the USG series has reached its EOL status. For optimal performance and support, we recommend exploring our current firewall offerings here:

https://www.zyxel.com/us/en-us/products/next-gen-firewall